aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[eks] [request]: Sign release artifacts with Sigstore #1733

Open stevehipwell opened 2 years ago

stevehipwell commented 2 years ago

Tell us about your request I'd like all artifacts created for EKS to be signed with Sigstore so we can verify that they are what they say they are. This would align EKS with upstream Kubernetes, which as of v1.24.0 is using Sigstore for all release artifacts.

Which service(s) is this request for? EKS.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? I'd like to be able to verify the EKS artifacts with the same tools as for upstream Kubernetes, other OSS projects and internal services; Sigstore is the OpenSSF solution for this.

Are you currently working around this issue? n/a

Additional context This is related to https://github.com/aws/containers-roadmap/issues/43 for storing the signatures.

Attachments n/a

stevehipwell commented 1 year ago

Given that this has now been blogged about from an end-user perspective, shouldn't all of the AWS images be signed by Cosign?

CC @dlorenc

dlorenc commented 1 year ago

I'd love to see this happen and would be willing to help out! Sorry I missed the ping @stevehipwell.

stevehipwell commented 1 year ago

I think there are a number of repo types which would need to be covered by this: AWS internal (e.g. kube-proxy), AWS open source (e.g. AWS VPC CNI) & Kubernetes SIGs (e.g. AWS EBS CSI Driver).

@dlorenc is there a reference repo for doing this correctly? And is there an implementation in kubernetes-sigs so Prow is being used? I've got a reference implementation based purely on GitHub Actions but I didn't get the attestation working correctly.

dlorenc commented 1 year ago

cc @cpanato @puerco

cpanato commented 1 year ago

@stevehipwell let's talk :) Some examples are in the sigstore repos themselves, but let's see how you are using GH Actions so we can adapt. :)

In k8s we don't use Prow; we have krel and promo-tools to do the release/promotion of release artifacts.

stevehipwell commented 1 year ago

@cpanato are there any repos in kubernetes (not kubernetes/kubernetes) or kubernetes-sigs where this has been implemented to act as patterns?

stevehipwell commented 1 year ago

I think the following containers would be in scope for this (based on my own clusters), with each group potentially needing slightly different tooling and the core image signing needing to be done directly by AWS.

EKS Core Images

AWS Images

AWS Kubernetes SIGS Images
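The three groups above would each be signed by a different identity, so a consumer needs a per-repository policy on top of `cosign verify`. The following is an added example, not code from this issue or from AWS: a deploy-time check over `cosign verify --output json` output that pins which keyless signer (Fulcio subject and OIDC issuer) may sign which image digest. The registry.k8s.io identity is the one Kubernetes documents for its release images; the EKS entry, the image reference and the digest are constructed placeholders.

```python
import json
import re

# Trusted keyless signer (Fulcio subject, OIDC issuer) per repository prefix.
# registry.k8s.io uses the identity Kubernetes documents for release images;
# the EKS entry is a PLACEHOLDER for the identity AWS would publish under this issue.
TRUSTED_SIGNERS = {
    r"^registry\.k8s\.io/": (
        "krel-trust@k8s-releng-prod.iam.gserviceaccount.com",
        "https://accounts.google.com"),
    r"^public\.ecr\.aws/eks-distro/": (
        "PLACEHOLDER-eks-signer@example.invalid",
        "https://PLACEHOLDER-issuer.example.invalid"),
}


def expected_signer(repository):
    """Return the (subject, issuer) trusted for this repository, or None."""
    for pattern, signer in TRUSTED_SIGNERS.items():
        if re.match(pattern, repository):
            return signer
    return None


def check_cosign_output(repository, expected_digest, verify_json):
    """Return (ok, reason): did the trusted identity sign exactly the pinned digest?"""
    # cosign has already validated signature, certificate chain and Rekor entry;
    # this layer pins *which* identity may sign *which* digest before deployment.
    signer = expected_signer(repository)
    if signer is None:
        return False, f"no trusted signer configured for {repository}"
    subject, issuer = signer
    for entry in json.loads(verify_json):
        critical, optional = entry.get("critical", {}), entry.get("optional", {})
        if (critical.get("identity", {}).get("docker-reference") == repository
                and critical.get("image", {}).get("docker-manifest-digest") == expected_digest
                and optional.get("Subject") == subject
                and optional.get("Issuer") == issuer):
            return True, f"{subject} signed {expected_digest}"
    return False, "no signature from the trusted identity for this digest"


# Constructed sample, in the shape cosign prints for a keyless image signature.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "registry.k8s.io/kube-proxy"},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST}},
    "optional": {
        "Issuer": "https://accounts.google.com",
        "Subject": "krel-trust@k8s-releng-prod.iam.gserviceaccount.com"},
}])
```

Feed it the digest you resolved from the registry (not the tag) so a re-tagged image fails the check even when the signature itself is valid.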

cpanato commented 1 year ago

@cpanato are there any repos in kubernetes (not kubernetes/kubernetes) or kubernetes-sigs where this has been implemented to act as patterns?

sorry for the delay

In K8s organization, we use the promo-tools (https://github.com/kubernetes-sigs/promo-tools), which promote the images from staging to the production registry, and during this process, it signs the image.

How are your images being built? In GitHub Actions or using something internal? I am super happy to help implement this.

stevehipwell commented 1 year ago

@cpanato the SIG images are likely the best place to start, and could then be used as a template for the images with private builds, which would need to be implemented by AWS employees.

vsabelli commented 2 weeks ago

+1 to this very useful request!

Is there any estimated delivery for the feature?

Thank you!