Improve security hygiene and documentation

[ricardoapl]

What would you like to be added:

Similar to what was proposed in https://github.com/kubernetes-sigs/prometheus-adapter/issues/638 for prometheus-adapter, I suggest we implement the following for metrics-server:

• Generating an SBOM automatically when a new release is tagged, so that users have a better understanding of whether or not they're affected by a particular vulnerability
• Generating SLSA/provenance attestation automatically for each new release, so that users can verify the authenticity and trustworthiness of the build process
• Initializing VEX feed and generating OpenVEX data on each release, so that users have a better understanding of which vulnerabilities present a genuine risk

We should probably also follow up on CLOMonitor security checks previously configured in https://github.com/cncf/clomonitor/pull/1407:

• https://clomonitor.io/projects/cncf/metrics-server#metrics-server_security

Why is this needed:

I believe this relates to https://github.com/kubernetes/sig-release/blob/193a3cdf8d73e0888c7f6829eea3716918a5af4a/roadmap.md

/kind feature

[dgrisonnet]

@ricardoapl you mentioned over on Slack that Manuel had done the CLOMonitor integration. Is there anything more to do?

[ricardoapl]

Yes, I suggest the following based on Security Slam: Kubernetes Lightning Round

Release to Community Infrastructure

• [x] Task 1: Releases are being made via CI (https://github.com/kubernetes-sigs/metrics-server/pull/460)
• [x] Task 2: Check that Images are Staged and Promoted Using Community Infra (https://github.com/kubernetes/k8s.io/pull/384)

Automate Security Documentation

• [ ] Task 3: Ensure SBOMs are Generated by Kubernetes BOM
• [ ] Task 4: Ensure SLSA Attestations are Generated when Possible
• [ ] Task 5: Ensure the Project has a VEX Feed

CLOMonitor: Secure Development Practices

• [x] Task 7: Set up CLOMonitor Tracking (https://github.com/cncf/clomonitor/pull/1407)
• [x] Task 8: Check for Binary Artifacts (no binaries found in the repo)
• [x] Task 9: Review the Code Review (all changesets reviewed)
• [x] Task 10: Dangerous Workflow (no dangerous workflow patterns detected)
• [ ] Task 11: Security Insights
• [ ] Task 12: Dependencies Policy
• [x] Task 13: Dependency update tool (update tool detected, dependabot)
• [ ] Task 15: Token Permissions

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[ricardoapl]

/remove-lifecycle stale

[dashpole]

/assign @ricardoapl /triage accepted