kubernetes-sigs / cluster-api

Home for Cluster API, a subproject of sig-cluster-lifecycle
https://cluster-api.sigs.k8s.io
Apache License 2.0

Security Self-Assessment: [STRIDE-TAMPER-1] Produce a SBoM #6153

Open randomvariable opened 2 years ago

randomvariable commented 2 years ago

User Story

As a cluster operator, I want to know the list of dependencies Cluster API brings for assurance within our organisation's software supply chain.

Detailed Description

cc @PushkarJ for adding more details.

/kind feature
/area security

PushkarJ commented 2 years ago

Thanks for creating this, Naadir. Automated SBoM generation as part of container image building with ko just came out: https://blog.chainguard.dev/auto-sboms-with-ko/

We could explore if it's a good option for generating SBoMs for cluster-api container images.

sbueringer commented 2 years ago

/milestone v1.2

sbueringer commented 2 years ago

Similar CAPA issue: https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/3325

PushkarJ commented 2 years ago

/retitle Security Self-Assessment: [STRIDE-TAMPER-1] Produce a SBoM
/sig security

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

fabriziopandini commented 1 year ago

/lifecycle frozen
/triage accepted
/help

Still a valid point to implement, but IMO we should rely on the same tooling used for k/k, whatever it is.

k8s-ci-robot commented 1 year ago

@fabriziopandini: This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to [this](https://github.com/kubernetes-sigs/cluster-api/issues/6153):

> /lifecycle frozen
> /triage accepted
> /help
>
> Still a valid point to implement, but IMO we should rely on the same tooling used for k/k whatever it is

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

chrischdi commented 1 year ago

@furkatgofurov7, according to #8418 you are on this. Is there already any process or plans?

Upstream makes use of https://github.com/kubernetes-sigs/bom via their krel tool.

furkatgofurov7 commented 1 year ago

Generate SBOM and sign release artefacts kubernetes-sigs/cluster-api-provider-aws#3325

@chrischdi hey, yes, this one is being discussed in a bit wider context in CAPA, and the CAPA issue is kind of waiting/stuck on the upstream k/k issue.

furkatgofurov7 commented 10 months ago

Based on the agreement during the call triaging https://github.com/kubernetes-sigs/cluster-api/issues/9104, setting the priority to:

/priority backlog

furkatgofurov7 commented 10 months ago

/assign @kranurag7

k8s-ci-robot commented 10 months ago

@furkatgofurov7: GitHub didn't allow me to assign the following users: kranurag7.

Note that only kubernetes-sigs members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide.

In response to [this](https://github.com/kubernetes-sigs/cluster-api/issues/6153#issuecomment-1688263494):

> /assign @kranurag7

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

kranurag7 commented 8 months ago

Hey all, here's the approach I'm thinking of as of now. I've included an example below. Please let me know if you have any comments here.

copying image to an ephemeral registry (only for the demo)

```bash
$ crane copy registry.k8s.io/cluster-api/cluster-api-controller:v1.5.3 ttl.sh/capi/cluster-api-controller:v1.5.3
2023/11/07 11:31:57 Copying from registry.k8s.io/cluster-api/cluster-api-controller:v1.5.3 to ttl.sh/capi/cluster-api-controller:v1.5.3
2023/11/07 11:32:03 pushed blob: sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
2023/11/07 11:32:03 pushed blob: sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
2023/11/07 11:32:03 pushed blob: sha256:07a64a71e01156f8f99039bc246149925c6d1480d3957de78510bbec6ec68f7a
2023/11/07 11:32:03 pushed blob: sha256:b003b463d7505c8e5cfe7034cacbeed297d6463c8b7f468037ee76a289510b3a
2023/11/07 11:32:03 pushed blob: sha256:80e67ac685eeb7befa915840c12736fc942bdef272a81f3d004b4778a39a2c15
2023/11/07 11:32:03 pushed blob: sha256:8e1543693df8dd7a3ece7533b81811c049df644dc6ec06bc12923f2a4b5e9af3
2023/11/07 11:32:03 pushed blob: sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
2023/11/07 11:32:07 pushed blob: sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
2023/11/07 11:32:07 pushed blob: sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
2023/11/07 11:32:07 pushed blob: sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
2023/11/07 11:32:07 pushed blob: sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
2023/11/07 11:32:10 pushed blob: sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
2023/11/07 11:32:11 pushed blob: sha256:67a9c54d71a8def7a53619740731daff3b3151ee44a1292b2bce66641310f629
2023/11/07 11:32:11 pushed blob: sha256:c33362eddd5b5c83647d1d756590c10d7b0d223bc316f54790e1896f7f711514
2023/11/07 11:32:11 pushed blob: sha256:996ea472db0ba7f1918e97e1060bffe7833b37bdb9a37e4a2d57eaf6d2921cd7
2023/11/07 11:32:11 pushed blob: sha256:5f5cae1244d6a3aa0e8302311c0f3e2a70597415484f355f8a6f3492c92fe9aa
2023/11/07 11:32:12 pushed blob: sha256:65823ab9e087b46e1f9a72383f9c0d1cecfe4b7174f9a650a0f049482b8c72a5
2023/11/07 11:32:13 pushed blob: sha256:1ca66b61c047575552fac25da11214305319e88cf816567602158570ac91c06c
2023/11/07 11:32:14 pushed blob: sha256:5c2266c14d5d54411d78e843fa1ce8bbd51a50543901758cb2da18f936d09be1
2023/11/07 11:32:14 ttl.sh/capi/cluster-api-controller@sha256:cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622: digest: sha256:cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622 size: 2403
2023/11/07 11:32:14 pushed blob: sha256:e468415629950b492cb41d9bd2d6f45e4c13392d522f2a74fdec39c9ae2b9462
2023/11/07 11:32:15 ttl.sh/capi/cluster-api-controller@sha256:7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4: digest: sha256:7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4 size: 2403
2023/11/07 11:32:15 ttl.sh/capi/cluster-api-controller@sha256:3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c: digest: sha256:3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c size: 2403
2023/11/07 11:32:15 ttl.sh/capi/cluster-api-controller@sha256:d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667: digest: sha256:d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667 size: 2403
2023/11/07 11:32:18 pushed blob: sha256:367ac81626c1869a1cdbb6380236a0e03ff2b45c6670244f620b0b34e22cabfc
2023/11/07 11:32:18 pushed blob: sha256:75c00bd33aea99bec4abb16ec6ee95f1e3ee4cb226ed02c6e10095e92508b024
2023/11/07 11:32:21 pushed blob: sha256:d5617b617c7261e7a7be0edf901deffb8a9b0c365eedda6afac9fab682d91a0f
2023/11/07 11:32:23 ttl.sh/capi/cluster-api-controller@sha256:a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02: digest: sha256:a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02 size: 2403
2023/11/07 11:32:24 ttl.sh/capi/cluster-api-controller:v1.5.3: digest: sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42 size: 1728
```

generating SBOM using kubernetes-sigs/bom project

```bash
$ ./bom-amd64-linux generate -i ttl.sh/capi/cluster-api-controller:v1.5.3 -o capi_sbom.spdx
INFO bom v0.5.1: Generating SPDX Bill of Materials
INFO Processing image reference: ttl.sh/capi/cluster-api-controller:v1.5.3
INFO Reference ttl.sh/capi/cluster-api-controller:v1.5.3 points to an index
INFO Reference image index points to 5 manifests
INFO Adding image ttl.sh/capi/cluster-api-controller@sha256:cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622 (amd64/linux)
INFO Adding image ttl.sh/capi/cluster-api-controller@sha256:d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667 (arm/linux)
INFO Adding image ttl.sh/capi/cluster-api-controller@sha256:7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4 (arm64/linux)
INFO Adding image ttl.sh/capi/cluster-api-controller@sha256:3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c (ppc64le/linux)
INFO Adding image ttl.sh/capi/cluster-api-controller@sha256:a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02 (s390x/linux)
INFO Generating SBOM for multiarch image ttl.sh/capi/cluster-api-controller@sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
INFO Generating SPDX package from image tarball /tmp/doc-build-2839633603/d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667.tar
INFO Successfully extracted 12 files from image tarball /tmp/doc-build-2839633603/d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667.tar
INFO Package describes image ttl.sh/capi/cluster-api-controller:d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667
INFO Generating SPDX package from tarball /tmp/doc-build-2839633603/d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667.tar
INFO Image manifest lists 10 layers
INFO etc/os-release is a symlink, following to usr/lib/os-release
INFO Writing usr/lib/os-release to /tmp/os-release-2783548601
INFO Scan of container layers found debian base image
INFO dbdata is blank
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/8e1543693df8dd7a3ece7533b81811c049df644dc6ec06bc12923f2a4b5e9af3.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/e468415629950b492cb41d9bd2d6f45e4c13392d522f2a74fdec39c9ae2b9462.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from image tarball /tmp/doc-build-2839633603/cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622.tar
INFO Successfully extracted 12 files from image tarball /tmp/doc-build-2839633603/cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622.tar
INFO Package describes image ttl.sh/capi/cluster-api-controller:cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622
INFO Generating SPDX package from tarball /tmp/doc-build-2839633603/cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622.tar
INFO Image manifest lists 10 layers
INFO etc/os-release is a symlink, following to usr/lib/os-release
INFO Writing usr/lib/os-release to /tmp/os-release-2826246521
INFO Scan of container layers found debian base image
INFO dbdata is blank
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/07a64a71e01156f8f99039bc246149925c6d1480d3957de78510bbec6ec68f7a.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/65823ab9e087b46e1f9a72383f9c0d1cecfe4b7174f9a650a0f049482b8c72a5.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from image tarball /tmp/doc-build-2839633603/3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c.tar
INFO Successfully extracted 12 files from image tarball /tmp/doc-build-2839633603/3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c.tar
INFO Package describes image ttl.sh/capi/cluster-api-controller:3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c
INFO Generating SPDX package from tarball /tmp/doc-build-2839633603/3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c.tar
INFO Image manifest lists 10 layers
INFO etc/os-release is a symlink, following to usr/lib/os-release
INFO Writing usr/lib/os-release to /tmp/os-release-1526654301
INFO Scan of container layers found debian base image
INFO dbdata is blank
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/80e67ac685eeb7befa915840c12736fc942bdef272a81f3d004b4778a39a2c15.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/5c2266c14d5d54411d78e843fa1ce8bbd51a50543901758cb2da18f936d09be1.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from image tarball /tmp/doc-build-2839633603/7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4.tar
INFO Successfully extracted 12 files from image tarball /tmp/doc-build-2839633603/7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4.tar
INFO Package describes image ttl.sh/capi/cluster-api-controller:7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4
INFO Generating SPDX package from tarball /tmp/doc-build-2839633603/7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4.tar
INFO Image manifest lists 10 layers
INFO etc/os-release is a symlink, following to usr/lib/os-release
INFO Writing usr/lib/os-release to /tmp/os-release-2470474997
INFO Scan of container layers found debian base image
INFO dbdata is blank
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/b003b463d7505c8e5cfe7034cacbeed297d6463c8b7f468037ee76a289510b3a.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/1ca66b61c047575552fac25da11214305319e88cf816567602158570ac91c06c.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from image tarball /tmp/doc-build-2839633603/a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02.tar
INFO Successfully extracted 12 files from image tarball /tmp/doc-build-2839633603/a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02.tar
INFO Package describes image ttl.sh/capi/cluster-api-controller:a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02
INFO Generating SPDX package from tarball /tmp/doc-build-2839633603/a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02.tar
INFO Image manifest lists 10 layers
INFO etc/os-release is a symlink, following to usr/lib/os-release
INFO Writing usr/lib/os-release to /tmp/os-release-84148163
INFO Scan of container layers found debian base image
INFO dbdata is blank
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/75c00bd33aea99bec4abb16ec6ee95f1e3ee4cb226ed02c6e10095e92508b024.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/d5617b617c7261e7a7be0edf901deffb8a9b0c365eedda6afac9fab682d91a0f.tar.gz
INFO Not performing deep image analysis (opts.AnalyzeLayers = false)
WARN Document has no name defined, automatically set to SBOM-SPDX-51f5cd9e-2d33-461b-9c4d-1b6fb1b17e98
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42 has 5 relationships defined
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42-sha256-d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667 has 11 relationships defined
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42-sha256-cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622 has 11 relationships defined
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42-sha256-3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c has 11 relationships defined
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42-sha256-7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4 has 11 relationships defined
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42-sha256-a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02 has 11 relationships defined
```

outlining SBOM

```bash
$ ./bom-amd64-linux document outline capi_sbom.spdx
               _
 ___ _ __   __| |_  __
/ __| '_ \ / _` \ \/ /
\__ \ |_) | (_| |>  <
|___/ .__/ \__,_/_/\_\
    |_|

 📂 SPDX Document SBOM-SPDX-51f5cd9e-2d33-461b-9c4d-1b6fb1b17e98
 │
 │ 📦 DESCRIBES 1 Packages
 │
 ├ sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
 │ │ 🔗 5 Relationships
 │ ├ CONTAINS PACKAGE sha256:d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667
 │ │ │ 🔗 11 Relationships
 │ │ ├ CONTAINS PACKAGE sha256:8e1543693df8dd7a3ece7533b81811c049df644dc6ec06bc12923f2a4b5e9af3
 │ │ ├ CONTAINS PACKAGE sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
 │ │ ├ CONTAINS PACKAGE sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
 │ │ ├ CONTAINS PACKAGE sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
 │ │ ├ CONTAINS PACKAGE sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
 │ │ ├ CONTAINS PACKAGE sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
 │ │ ├ CONTAINS PACKAGE sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
 │ │ ├ CONTAINS PACKAGE sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
 │ │ ├ CONTAINS PACKAGE sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
 │ │ ├ CONTAINS PACKAGE sha256:e468415629950b492cb41d9bd2d6f45e4c13392d522f2a74fdec39c9ae2b9462
 │ │ └ VARIANT_OF PACKAGE sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
 │ │
 │ ├ CONTAINS PACKAGE sha256:cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622
 │ │ │ 🔗 11 Relationships
 │ │ ├ CONTAINS PACKAGE sha256:07a64a71e01156f8f99039bc246149925c6d1480d3957de78510bbec6ec68f7a
 │ │ ├ CONTAINS PACKAGE sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
 │ │ ├ CONTAINS PACKAGE sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
 │ │ ├ CONTAINS PACKAGE sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
 │ │ ├ CONTAINS PACKAGE sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
 │ │ ├ CONTAINS PACKAGE sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
 │ │ ├ CONTAINS PACKAGE sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
 │ │ ├ CONTAINS PACKAGE sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
 │ │ ├ CONTAINS PACKAGE sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
 │ │ ├ CONTAINS PACKAGE sha256:65823ab9e087b46e1f9a72383f9c0d1cecfe4b7174f9a650a0f049482b8c72a5
 │ │ └ VARIANT_OF PACKAGE sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
 │ │
 │ ├ CONTAINS PACKAGE sha256:3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c
 │ │ │ 🔗 11 Relationships
 │ │ ├ CONTAINS PACKAGE sha256:80e67ac685eeb7befa915840c12736fc942bdef272a81f3d004b4778a39a2c15
 │ │ ├ CONTAINS PACKAGE sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
 │ │ ├ CONTAINS PACKAGE sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
 │ │ ├ CONTAINS PACKAGE sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
 │ │ ├ CONTAINS PACKAGE sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
 │ │ ├ CONTAINS PACKAGE sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
 │ │ ├ CONTAINS PACKAGE sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
 │ │ ├ CONTAINS PACKAGE sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
 │ │ ├ CONTAINS PACKAGE sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
 │ │ ├ CONTAINS PACKAGE sha256:5c2266c14d5d54411d78e843fa1ce8bbd51a50543901758cb2da18f936d09be1
 │ │ └ VARIANT_OF PACKAGE sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
 │ │
 │ ├ CONTAINS PACKAGE sha256:7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4
 │ │ │ 🔗 11 Relationships
 │ │ ├ CONTAINS PACKAGE sha256:b003b463d7505c8e5cfe7034cacbeed297d6463c8b7f468037ee76a289510b3a
 │ │ ├ CONTAINS PACKAGE sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
 │ │ ├ CONTAINS PACKAGE sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
 │ │ ├ CONTAINS PACKAGE sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
 │ │ ├ CONTAINS PACKAGE sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
 │ │ ├ CONTAINS PACKAGE sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
 │ │ ├ CONTAINS PACKAGE sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
 │ │ ├ CONTAINS PACKAGE sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
 │ │ ├ CONTAINS PACKAGE sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
 │ │ ├ CONTAINS PACKAGE sha256:1ca66b61c047575552fac25da11214305319e88cf816567602158570ac91c06c
 │ │ └ VARIANT_OF PACKAGE sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
 │ │
 │ └ CONTAINS PACKAGE sha256:a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02
 │ │ │ 🔗 11 Relationships
 │ │ ├ CONTAINS PACKAGE sha256:75c00bd33aea99bec4abb16ec6ee95f1e3ee4cb226ed02c6e10095e92508b024
 │ │ ├ CONTAINS PACKAGE sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
 │ │ ├ CONTAINS PACKAGE sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
 │ │ ├ CONTAINS PACKAGE sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
 │ │ ├ CONTAINS PACKAGE sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
 │ │ ├ CONTAINS PACKAGE sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
 │ │ ├ CONTAINS PACKAGE sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
 │ │ ├ CONTAINS PACKAGE sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
 │ │ ├ CONTAINS PACKAGE sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
 │ │ ├ CONTAINS PACKAGE sha256:d5617b617c7261e7a7be0edf901deffb8a9b0c365eedda6afac9fab682d91a0f
 │ │ └ VARIANT_OF PACKAGE sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
 │
 └ 📄 DESCRIBES 0 Files
```

attaching SBOM to the images

```bash
$ cosign attach sbom --sbom capi_sbom.spdx ttl.sh/capi/cluster-api-controller:v1.5.3
WARNING: Attaching SBOMs this way does not sign them. If you want to sign them, use 'cosign attest --predicate capi_sbom.spdx --key <key> <image>' or 'cosign sign --key <key> --attachment sbom <image>'.
Uploading SBOM file for [ttl.sh/capi/cluster-api-controller:v1.5.3] to [ttl.sh/capi/cluster-api-controller:sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sbom] with mediaType [text/spdx].
```

cosign tree

```bash
$ cosign tree ttl.sh/capi/cluster-api-controller:v1.5.3
📦 Supply Chain Security Related artifacts for an image: ttl.sh/capi/cluster-api-controller:v1.5.3
└── 📦 SBOMs for an image tag: ttl.sh/capi/cluster-api-controller:sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sbom
   └── 🍒 sha256:07b03386fa05eab559319a91b55539ae978feef69be413e292bbb4b9b301018f
```

signing SBOMs

```bash
$ cosign generate-key-pair
Enter password for private key:
Enter password for private key again:
Private key written to cosign.key
Public key written to cosign.pub
$ cosign sign --key cosign.key ttl.sh/capi/cluster-api-controller:sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sbom
Enter password for private key:
WARNING: Image reference ttl.sh/capi/cluster-api-controller:sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sbom uses a tag, not a digest, to identify the image to sign.
This can lead you to sign a different image than the intended one. Please use a
digest (example.com/ubuntu@sha256:abc123...) rather than tag
(example.com/ubuntu:latest) for the input to cosign. The ability to refer to
images by tag will be removed in a future release.

        The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
        Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
        This may include the email address associated with the account with which you authenticate your contractual Agreement.
        This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Are you sure you would like to continue? [y/N] y
tlog entry created with index: 48162409
Pushing signature to: ttl.sh/capi/cluster-api-controller
$ crane ls ttl.sh/capi/cluster-api-controller
sha256-40a035c0267ceb003dfd5d310b76da6d6df1dc905fa4d13656f32abf7a5d9405.sig
sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sbom
sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sig
v1.5.3
```

In signing, we can use ephemeral keys generated by an issuer (Google in this case) to sign the SBOM, similar to what we use for the image.

```bash
$ cosign verify registry.k8s.io/cluster-api/cluster-api-controller:v1.5.0 --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com --certificate-oidc-issuer https://accounts.google.com | jq .
# truncated
      "Issuer": "https://accounts.google.com",
      "Subject": "krel-trust@k8s-releng-prod.iam.gserviceaccount.com",
```

// cc @nawazkh
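Before an attached SBOM is signed and promoted, an operator wants to confirm that the document actually describes the image digest it was attached under (the `sha256-<digest>.sbom` tag that `cosign attach` writes above) and that its relationship graph is internally consistent. The following is an added example, not code from the cluster-api project, the bom project or this comment's author. It parses the SPDX 2.x tag-value syntax that `text/spdx` carries, rebuilds the CONTAINS / VARIANT_OF / DESCRIBES graph shown in the bom outline above, and reports whether the document DESCRIBES a package whose SHA256 checksum equals the image digest, plus any Relationship that references an undeclared SPDXID. The sample document is constructed here: the digests are the ones visible in the bom output above, while the package names, namespace, creator and the deliberately dangling last Relationship are assumptions made for the example.

```python
"""Sanity-check an SPDX tag-value SBOM against the image digest it was attached to.

Added example (not cluster-api or bom project code). It reads SPDX 2.x
tag-value syntax, the same text/spdx document 'cosign attach sbom' uploads,
rebuilds the relationship graph, and reports whether the document DESCRIBES
a package whose SHA256 checksum is the image digest, plus any Relationship
that points at an SPDXID the document never declares.
"""
import re
from dataclasses import dataclass, field

# Digests taken from the bom outline quoted in the comment; the package
# names, namespace and creator below are assumptions made for this sample.
IMAGE_INDEX = "d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42"
ARCH_VARIANT = "7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4"
LAYER = "b003b463d7505c8e5cfe7034cacbeed297d6463c8b7f468037ee76a289510b3a"


def _package(name: str, digest: str) -> str:
    """Render one SPDX package stanza for the constructed sample."""
    return (
        f"##### Package: {name}\n"
        f"PackageName: {name}\n"
        f"SPDXID: SPDXRef-Package-sha256-{digest}\n"
        "PackageDownloadLocation: NOASSERTION\n"
        "FilesAnalyzed: false\n"
        f"PackageChecksum: SHA256: {digest}\n\n"
    )


# Constructed sample document. The last Relationship deliberately references
# a package that is never declared, to exercise the dangling-reference check.
SAMPLE_SPDX = (
    "SPDXVersion: SPDX-2.3\n"
    "DataLicense: CC0-1.0\n"
    "SPDXID: SPDXRef-DOCUMENT\n"
    "DocumentName: capi_sbom\n"
    "DocumentNamespace: https://example.invalid/capi_sbom\n"
    "Creator: Tool: bom\n"
    "Created: 2023-11-01T00:00:00Z\n\n"
    + _package("cluster-api-controller", IMAGE_INDEX)
    + _package("cluster-api-controller-amd64", ARCH_VARIANT)
    + _package("layer", LAYER)
    + f"Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-sha256-{IMAGE_INDEX}\n"
    + f"Relationship: SPDXRef-Package-sha256-{ARCH_VARIANT} VARIANT_OF SPDXRef-Package-sha256-{IMAGE_INDEX}\n"
    + f"Relationship: SPDXRef-Package-sha256-{ARCH_VARIANT} CONTAINS SPDXRef-Package-sha256-{LAYER}\n"
    + f"Relationship: SPDXRef-Package-sha256-{ARCH_VARIANT} CONTAINS SPDXRef-Package-missing\n"
)

REL_RE = re.compile(r"^Relationship:\s*(\S+)\s+([A-Z_]+)\s+(\S+)\s*$")
CHECKSUM_RE = re.compile(r"^PackageChecksum:\s*SHA256:\s*([0-9a-fA-F]{64})\s*$")


@dataclass
class Sbom:
    ids: set = field(default_factory=set)              # every declared SPDXID
    sha256: dict = field(default_factory=dict)         # SPDXID -> sha256 hex
    relationships: list = field(default_factory=list)  # (source, type, target)


def parse_spdx(text: str) -> Sbom:
    """Minimal SPDX tag-value reader. It tracks the current SPDXID so that a
    PackageChecksum line is attributed to the package stanza it sits in."""
    sbom = Sbom()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or '##### Package:' banner
            continue
        if line.startswith("SPDXID:"):
            current = line.split(":", 1)[1].strip()
            sbom.ids.add(current)
            continue
        m = CHECKSUM_RE.match(line)
        if m and current is not None:
            sbom.sha256[current] = m.group(1).lower()
            continue
        m = REL_RE.match(line)
        if m:
            sbom.relationships.append((m.group(1), m.group(2), m.group(3)))
    return sbom


def described_digests(sbom: Sbom) -> set:
    """SHA256 checksums of the packages the document itself DESCRIBES."""
    return {
        sbom.sha256[dst]
        for src, rel, dst in sbom.relationships
        if src == "SPDXRef-DOCUMENT" and rel == "DESCRIBES" and dst in sbom.sha256
    }


def dangling_references(sbom: Sbom) -> list:
    """SPDXIDs used in a Relationship but never declared in the document."""
    return sorted(
        {x for src, _, dst in sbom.relationships for x in (src, dst) if x not in sbom.ids}
    )


def sbom_matches_image(sbom: Sbom, image_digest: str) -> bool:
    """True if the SBOM describes the digest it was attached under; accepts
    either a bare hex digest or the 'sha256:<hex>' form."""
    digest = image_digest.split(":", 1)[-1].lower()
    return digest in described_digests(sbom)


if __name__ == "__main__":
    doc = parse_spdx(SAMPLE_SPDX)
    print("describes image index:", sbom_matches_image(doc, "sha256:" + IMAGE_INDEX))
    print("dangling references:", dangling_references(doc))
```

The check on the DESCRIBES target is the same identity that matters when signing: the warning from `cosign sign` above is exactly about signing a tag rather than a digest, and an SBOM whose described digest differs from the digest in its `.sbom` tag would be signed and promoted for the wrong image.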

sbueringer commented 7 months ago

Q: How is k/k doing this? As far as I can tell the entire image promotion/publishing is built on top of Prow / Google Cloud Build.

I'm really hesitant to add a GitHub action for this sort of stuff, except if k/k is doing the same.

kranurag7 commented 7 months ago

> How is k/k doing this? As far as I can tell the entire image promotion/publishing is built on top of Prow / Google Cloud Build.

I see the Kubernetes project uses bom as a library. Ref: https://github.com/kubernetes/release/blob/9a0d9bde19d674d7f60649721c8c50fc68c6c522/pkg/anago/stage.go#L769 I've limited insight into how the Kubernetes release is done from the project's perspective.

> I'm really hesitant to add a GitHub action for this sort of stuff, except if k/k is doing the same.

Yes, we shouldn't do this. We should generate SBOMs in the build environment itself, and for us, it's not GitHub Actions.

sbueringer commented 7 months ago

Yup, but we basically don't have our own build environment. We use the same build and image promotion/publishing jobs as other parts of Kubernetes: https://github.com/kubernetes/test-infra/tree/807378e23980a2f493845952ea624edf6aa6d74a/config/jobs/image-pushing

This is the reason why I'm trying to say that we should do the same as they do, because we currently just use their process / build environment / etc.

furkatgofurov7 commented 7 months ago

> Yup, but we basically don't have our own build environment. We use the same build and image promotion/publishing jobs as other parts of Kubernetes: https://github.com/kubernetes/test-infra/tree/807378e23980a2f493845952ea624edf6aa6d74a/config/jobs/image-pushing

> This is the reason why I'm trying to say that we should do the same as they do, because we currently just use their process / build environment / etc.

I think we need to spend some time on investigating things like:

In general, https://github.com/kubernetes/release/issues/1837 seems to be the tracking issue upstream k/k used to introduce SBOM

sbueringer commented 7 months ago

Just an additional hint - assuming we don't do this already. It's absolutely fine to ask around in Slack. I'm pretty sure there are a lot of people with the knowledge about k/k processes that are happy to help / share information.

stmcginnis commented 7 months ago

One small pointer, since I just recently looked in to it. The tool used is bom that is owned by the k8s community: https://github.com/kubernetes-sigs/bom

adilGhaffarDev commented 5 months ago

I would like to work on this task. /assign @adilGhaffarDev

kranurag7 commented 5 months ago

I was working on it during the last release and tried completing it in the last phase of the release. The conclusion was that this work depends on sig-release and going forward we will leverage the same tooling by sig-release down the line.

xref: https://kubernetes.slack.com/archives/C2C40FMNF/p1701928413351249

@sbueringer Should we still go forward with this given after Q1 (as per sig-release), we will get it natively supported with the existing release tooling that we use for releasing?

Happy to pair up on this one if this needs to be done now or at any point in the future.

sbueringer commented 5 months ago

If we can choose between building a custom solution or waiting a few months, let's wait.

adilGhaffarDev commented 5 months ago

> xref: https://kubernetes.slack.com/archives/C2C40FMNF/p1701928413351249

Oh, I didn't know about this slack thread. @kranurag7 Do we have an issue or PR that we can add here for tracking?

cahillsf commented 5 months ago

From reading through the linked thread it doesn't seem like the goal stated in this current issue has changed -- we will still need to put in the work on our end to have the SBOM attached to the staging images so they can be picked up by the promo tool. I have just bumped the thread to make sure this is still the intention. Or am I reading the rec incorrectly?

My recommendation would be to generate the SBOMs and attach them to the staging registry now.

cahillsf commented 4 months ago

👋 @kranurag7 -- are you still interested in working on this?

akshay196 commented 4 months ago

I am interested in working on this. I will go through relevant discussions and get back here for next steps. /assign

akshay196 commented 2 months ago

I am unable to find time for this. 😞 /unassign

fabriziopandini commented 2 months ago

/triage accepted @kubernetes-sigs/cluster-api-release-team to re-assess

jayesh-srivastava commented 1 month ago

I would like to take this up. Will go through the relevant docs. /assign