kubernetes / release

Release infrastructure for Kubernetes and related components
Apache License 2.0

Generate provenance attestations outside of builder #2611

Open puerco opened 2 years ago

puerco commented 2 years ago

What would you like to be added:

As we move towards signing files, we need to move the generation of provenance attestations to happen outside of our builder (krel).

Why is this needed:

We are currently generating the SLSA provenance attestations inside of krel. This is not a secure practice as a compromised krel build could falsify the provenance data. It is also a blocker for SLSA3.

/cc @kubernetes/release-engineering

saschagrunert commented 2 years ago

@puerco what does outside of krel mean? I could assume that we add a third intermediate cloudbuild step to the existing krel stage and release. Is this the intention?

puerco commented 2 years ago

I missed your comment @saschagrunert but yes, this is what I was considering too :D:D

My current thinking is that we should add a step before and after each stage and release. This way we can catch the parameters and commit sha from k/release (where our build-as-code config lies) in a partial attestation. Then, after the build is done, we complete the attestation by reading the produced artifacts from the SBOM and sign it outside of the build process.

puerco commented 2 years ago

To make it clearer to the rest of @kubernetes/release-engineering, this is what we do today to create the attestations:

flowchart TB
  subgraph krel["<h2>krel</h2>"]
    direction TB
    style krel fill:#eee,stroke:#ccc,stroke-width:2px,font-weight:bold,font-size:120%

    subgraph staging["<h3>staging</h3>"]
      s1[build]-->s2["generate+publish staging attestation"]
    end
    subgraph release["<h3>release</h3>"]
      r1["check staging attestations"]-->r2["release"]
      r2-->r3["generate+publish release attestations"]
    end
    staging-->release
  end

There are several problems with untrusted data flowing into the attestations using this approach. By splitting the generation and signing outside of the stage and release steps, we block access to signing credentials for any process running while building, and we have true visibility into the parameters, source repo and environment we are using to run krel. The process would look like this:

flowchart TB
  subgraph builder["<h2>Provenance Builder</h2>"]
  style builder fill:#eee,stroke:#ccc,stroke-width:2px,font-weight:bold,font-size:120%
    subgraph PreS["<h3>Pre-Staging Step</h3>"]
        b1["generate attestation with staging invocation"]-->b2["persist to disk"]
        b2-->b3["exit to wait for staging run"]
    end
    subgraph PostS["<h3>Post-Staging Step</h3>"]
        b3-. sleep .-b4["read+verify subjects<br>from staging SBOM"]
        b4-->b5["read stored attestation from volume"]
        b5-->b6["complete stored attestation<br>from stored predicate + subjects<br>read from SBOM"]
        b6-->b7["sign attestation"]
        b7-->b8["push to staging bucket"]
    end
    subgraph PreR["<h3>Pre-Release Step</h3>"]
        bb1["generate attestation<br>with release invocation"]-->bb2["persist to disk"]
        bb2-->bb3["exit to wait for release run"]
    end
    subgraph PostR["<h3>Post-Release Step</h3>"]
        bb3-. sleep .-bb4["read+verify subjects<br>from release SBOM"]
        bb4-->bb5["read stored attestation from volume"]
        bb5-->bb6["complete stored attestation<br>from stored predicate + subjects<br>read from SBOM"]
        bb6-->bb7["sign attestation"]
        bb7-->bb8["push to release bucket"]
    end
  end
  subgraph krel["<h2>krel</h2>"]
    style krel fill:#eee,stroke:#ccc,stroke-width:2px,font-weight:bold,font-size:120%
    subgraph S["<h3>staging</h3>"]
      s1["build release"]-->s2["generate staging SBOM"]
    end
    subgraph R["<h4>release</h4>"]
      direction TB
      r1["check staging attestations"]-->r2["release artifacts"]
      r2-->r3["write release SBOMs"]
    end
  end

PreS==>S
S==>PostS
PostS=====>PreR
PreR==>R
R==>PostR

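The two-phase flow puerco describes in the two comments above (a partial attestation that captures the invocation before the build, completed afterwards from the subjects listed in the SBOM and signed outside the build) as a runnable Go sketch. This is an added example, not krel's code and not anything from kubernetes/release: the struct and JSON field names, the simplified SBOMEntry record, the example builder id, the constructed commit sha, version string and artifact bytes are all assumptions made for illustration, and the detached ed25519 signature stands in for whatever signing mechanism the project would actually use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Subject is an in-toto statement subject: an artifact name plus its digest.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Predicate is what the pre-build step already knows; field names are this example's own, not krel's.
type Predicate struct {
	BuilderID    string            `json:"builderId"`
	ConfigRepo   string            `json:"configRepo"`
	ConfigCommit string            `json:"configCommit"`
	Parameters   map[string]string `json:"parameters"`
}

// Statement is a minimal in-toto Statement wrapping the predicate.
type Statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     Predicate `json:"predicate"`
}

// SBOMEntry is a constructed, simplified SBOM record: a produced file and the sha256 the build claims for it.
type SBOMEntry struct{ Name, SHA256 string }

// PreBuild records the invocation before the build runs. Subject stays empty:
// the artifacts do not exist yet and this step must not guess them.
func PreBuild(builderID, repo, commit string, params map[string]string) Statement {
	return Statement{Type: "https://in-toto.io/Statement/v0.1",
		PredicateType: "https://slsa.dev/provenance/v0.2",
		Predicate:     Predicate{builderID, repo, commit, params}}
}

// VerifySubjects recomputes each artifact's digest and refuses to attest any
// file whose bytes differ from what the build's SBOM declared for it.
func VerifySubjects(dir string, sbom []SBOMEntry) ([]Subject, error) {
	var subs []Subject
	for _, e := range sbom {
		b, err := os.ReadFile(filepath.Join(dir, e.Name))
		if err != nil {
			return nil, err
		}
		sum := sha256.Sum256(b)
		if got := hex.EncodeToString(sum[:]); got != e.SHA256 {
			return nil, fmt.Errorf("%s: SBOM says %s, artifact is %s", e.Name, e.SHA256, got)
		}
		subs = append(subs, Subject{Name: e.Name, Digest: map[string]string{"sha256": e.SHA256}})
	}
	return subs, nil
}

// CompleteAndSign merges the verified subjects into the stored partial statement
// and signs the result with a key that only the provenance builder holds.
func CompleteAndSign(partial Statement, subs []Subject, priv ed25519.PrivateKey) (payload, sig []byte, err error) {
	partial.Subject = subs
	if payload, err = json.Marshal(partial); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "prov")
	defer os.RemoveAll(dir)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // never handed to the build
	// Pre-build step: capture the invocation, persist it to the volume, exit.
	partial, _ := json.Marshal(PreBuild("example-builder", "github.com/kubernetes/release",
		"0000000-constructed-sha", map[string]string{"version": "v0.0.0-example"}))
	_ = os.WriteFile(filepath.Join(dir, "partial.json"), partial, 0o600)
	// Build (simulated): produce one artifact and the SBOM entry describing it.
	art := []byte("constructed artifact bytes")
	_ = os.WriteFile(filepath.Join(dir, "kubectl.tgz"), art, 0o644)
	h := sha256.Sum256(art)
	sbom := []SBOMEntry{{"kubectl.tgz", hex.EncodeToString(h[:])}}
	// Post-build step: reload the partial, verify subjects from the SBOM, complete, sign.
	var st Statement
	stored, _ := os.ReadFile(filepath.Join(dir, "partial.json"))
	_ = json.Unmarshal(stored, &st)
	subs, err := VerifySubjects(dir, sbom)
	if err != nil {
		panic(err) // an SBOM/artifact mismatch must never be attested
	}
	payload, sig, _ := CompleteAndSign(st, subs, priv)
	fmt.Println(string(payload), ed25519.Verify(pub, payload, sig))
}
```

The two properties the thread is after show up as code structure: the build phase never sees `priv` (only the post-build step does), and VerifySubjects rejects any SBOM entry whose declared digest does not match the bytes actually on disk, so a build that writes a wrong or fabricated digest cannot get it into a signed statement.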

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

puerco commented 1 year ago

remove-lifecycle stale

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

xmudrii commented 1 year ago

/remove-lifecycle rotten

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

puerco commented 1 year ago

/remove-lifecycle rotten

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

puerco commented 1 year ago

/remove-lifecycle stale

k8s-triage-robot commented 7 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

xmudrii commented 7 months ago

/remove-lifecycle stale

k8s-triage-robot commented 4 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

xmudrii commented 4 months ago

/lifecycle frozen