CycloneDX / cyclonedx-property-taxonomy

A taxonomy of all official CycloneDX property namespaces and names
https://cyclonedx.github.io/cyclonedx-property-taxonomy/
Apache License 2.0

[WIP] add `cdx:k8s` taxonomy #61

Open itaysk opened 1 year ago

itaysk commented 1 year ago

Add cdx:k8s taxonomy. Motivation has been discussed in #59.

Comments:

  1. I've decided to start simple and declare just one property that we actually need right now. I do expect us to suggest more fields in the future, but to avoid premature discussion I thought it would be best to declare only what's implemented right now.
  2. I've received some light feedback that `role` might be confused with "RBAC Role" in a k8s context.
     2.1 "type"/"kind" are ambiguous, especially in this context.
     2.2 `cdx:components:component` is semantically most accurate but possibly less readable.
     2.3 Overall I think `role` is fine, but feedback welcome.
  3. k8s is commonly used (by the kubernetes community) to abbreviate Kubernetes, especially in use cases like this. LMK if you prefer kubernetes instead.

Close: #59

jkowalleck commented 1 year ago

Would you mind signing off your commit, to show that you agree to publishing your contribution under the license of this very project? Please read the instructions here: https://github.com/CycloneDX/cyclonedx-property-taxonomy/pull/61/checks?check_run_id=14340419670

itaysk commented 1 year ago

After some further discussion and feedback, I have slightly modified the PR:

  1. Component type, to identify whether this is control plane/node/other (unlabeled). Note that Addon is omitted, since the definition of addon is unclear and even conflicting within the k8s documentation. Users are still welcome to use this as a value, but we don't think it should be encouraged.
  2. Component name, to identify the component. Note that the well-known examples don't follow the linked doc to the letter, since we found it to be out of touch with how k8s distros choose to label the core components.

Based on this I would also remove the link from the field descriptions and keep it only as a general reference in the namespace description, if you think that makes sense.
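
Added example (not code from the PR or the CycloneDX project): a small checker that reads the two properties described above out of a CycloneDX JSON BOM and reports the constraints the comment spells out. The property names `cdx:k8s:component:type` and `cdx:k8s:component:name`, the value set `control-plane`/`node`, and the sample BOM are all assumptions made for this illustration; the thread only says "component type" and "component name" in the `cdx:k8s` namespace, and that `addon` is allowed but not encouraged.

```python
import json

# Assumed property names: the PR thread says "component type" and
# "component name" in the cdx:k8s namespace but does not spell them out.
NAMESPACE = "cdx:k8s:"
TYPE_PROP = "cdx:k8s:component:type"
NAME_PROP = "cdx:k8s:component:name"
# The PR limits the type to control plane / node; anything else is "unlabeled".
ALLOWED_TYPES = {"control-plane", "node"}
# "addon" is explicitly allowed but not encouraged, so it gets a warning.
DISCOURAGED_TYPES = {"addon"}

# Constructed sample BOM for this example (CycloneDX 1.4 JSON shape, not
# taken from the PR). etcd deliberately carries a duplicate type and no name.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "kube-apiserver", "version": "1.27.3",
     "properties": [
       {"name": "cdx:k8s:component:type", "value": "control-plane"},
       {"name": "cdx:k8s:component:name", "value": "kube-apiserver"}]},
    {"type": "application", "name": "kubelet", "version": "1.27.3",
     "properties": [
       {"name": "cdx:k8s:component:type", "value": "node"},
       {"name": "cdx:k8s:component:name", "value": "kubelet"}]},
    {"type": "application", "name": "coredns", "version": "1.10.1",
     "properties": [
       {"name": "cdx:k8s:component:type", "value": "addon"},
       {"name": "cdx:k8s:component:name", "value": "coredns"}]},
    {"type": "application", "name": "etcd", "version": "3.5.7",
     "properties": [
       {"name": "cdx:k8s:component:type", "value": "control-plane"},
       {"name": "cdx:k8s:component:type", "value": "node"}]}
  ]
}
""")


def k8s_properties(component):
    """Collect cdx:k8s:* properties; CycloneDX allows a name to repeat, so keep lists."""
    props = {}
    for p in component.get("properties", []):
        if p.get("name", "").startswith(NAMESPACE):
            props.setdefault(p["name"], []).append(p.get("value", ""))
    return props


def check_component(component):
    """Return a list of (severity, message) findings for one component."""
    findings = []
    props = k8s_properties(component)
    if not props:
        return findings  # not tagged as a Kubernetes component; nothing to check
    types = props.get(TYPE_PROP, [])
    if len(types) > 1:
        findings.append(("error", f"{TYPE_PROP} given {len(types)} times; expected at most one"))
    for t in types:
        if t in DISCOURAGED_TYPES:
            findings.append(("warning", f"type {t!r} is allowed but not encouraged"))
        elif t not in ALLOWED_TYPES:
            findings.append(("warning", f"type {t!r} is not control-plane/node; treated as unlabeled"))
    if NAME_PROP not in props:
        findings.append(("error", f"missing {NAME_PROP}"))
    return findings


def check_bom(bom):
    """Map each component name to its findings."""
    return {c["name"]: check_component(c) for c in bom.get("components", [])}


if __name__ == "__main__":
    for name, findings in check_bom(SAMPLE_BOM).items():
        for severity, message in findings:
            print(f"{severity}: {name}: {message}")
```

Components without any `cdx:k8s:` property are skipped rather than flagged, matching the "other (unlabeled)" case in the comment; only components that opt into the namespace are held to its rules.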

jkowalleck commented 1 year ago

@nscuro may I ask for your opinion on this PR?

nscuro commented 1 year ago

@jkowalleck Just wanted to ping you that I saw your request and I have it on my list, just didn't have time yet to dig into this. Will provide some feedback this weekend.

jkowalleck commented 1 year ago

KSOC also has a Kubernetes taxonomy: https://github.com/ksoclabs/kbom/blob/main/docs/taxonomy.md I asked for cooperation to join efforts.

CC @mateuszdyminski

jkowalleck commented 1 year ago

see also: https://blog.aquasec.com/introducing-kbom-kubernetes-bill-of-materials

jkowalleck commented 1 year ago

@itaysk how is the status on this pull request, from your perspective?