Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement container image signing MVP (KEP-3031) #2383

Closed
saschagrunert opened this issue Jan 11, 2022 · 6 comments
Closed

Implement container image signing MVP (KEP-3031) #2383

saschagrunert opened this issue Jan 11, 2022 · 6 comments
Assignees
@saschagrunert @ameukam @puerco @jimangel @palnabarun @xmudrii
Labels
area/release-eng Issues or PRs related to the Release Engineering subproject kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/security Categorizes an issue or PR as relevant to SIG Security.
Milestone
v1.24

Comments

@saschagrunert
Copy link
Member

saschagrunert commented Jan 11, 2022
edited
Loading

We're now able to implement a Minimum Viable Product (MVP) after the merge of the release artifact signing KEP proposal:

This issue is part of #2227, which covers the whole topic from a release engineering perspective.

As a first iteration, we decided to sign the official Kubernetes container images using cosigns keyless signing feature: https://github.com/sigstore/cosign/blob/main/KEYLESS.md

Implementation details and constraints:

  • It's fine to use the default root trust for singing in the MVP, we will switch to our own in later iterations.
  • The main implementation should be done in kubernetes-sigs/release-sdk
    with keeping in mind that it will be reused by krel as well as kpromo
  • We assume that we sign in a Google Cloud Build environment (the same where we push the images around) for simplicity reasons
  • We should check if we can use cosign as a golang library rather than having the binary as direct dependency
  • There is a documentation requirement for end-users to verify the signatures

cc @kubernetes/release-engineering

Tracking the effort

KEP updates

Implementation into release-sdk

Integration into krel

Integration into the Container Image Promoter

Infrastructure changes

End user documentation

Other relevant implementations
@saschagrunert saschagrunert added kind/feature Categorizes issue or PR as related to a new feature. sig/release Categorizes an issue or PR as relevant to SIG Release. area/release-eng Issues or PRs related to the Release Engineering subproject labels Jan 11, 2022
This was referenced Jan 11, 2022
Closed
Merged
@saschagrunert saschagrunert added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority labels Jan 11, 2022
@saschagrunert saschagrunert added this to the v1.24 milestone Jan 11, 2022
@puerco
Copy link
Member

puerco commented Jan 11, 2022

About this:

We should check if we can use cosign as a golang library rather than having the binary as direct dependency

Yes, cosign can be used as a library, the end goal is to make all functionality available to other programs. If something is missing we can certainly add it. Everything here is intended to be improtable:

https://github.com/sigstore/cosign/tree/main/pkg/cosign

@saschagrunert
Copy link
Member Author

saschagrunert commented Jan 12, 2022
edited
Loading

As per slack discussion thread, @jimangel, @palnabarun and @xmudrii are happy to work on this one with guidance from @puerco and myself.

I think a good first step would be to implement the raw code bits converted from the keyless signing doc in release-sdk and add (mockable) unit tests for them. This way we can define an API and review if it would fit for the MVP (and future) use cases.

Yes, cosign can be used as a library

My question was more is it made to be used as a library. So to say, we can contribute back if we encounter any usability issues anyway. 👍

This was referenced Jan 19, 2022
Merged
Merged
Closed
Closed
Closed
Closed
Closed
Closed
@saschagrunert saschagrunert changed the title Implement container image signing MVP Implement container image signing MVP (KEP-3031) Jan 27, 2022
@PushkarJ
Copy link
Member

RelEng team, It is so great to see this coming together.

@saschagrunert are there are any meeting minutes / slack channels / calendar invites I can subscribe to so that I can keep up to date with the progress and discussions around this KEP implementation?

/sig security

@k8s-ci-robot k8s-ci-robot added the sig/security Categorizes an issue or PR as relevant to SIG Security. label Jan 27, 2022
@saschagrunert
Copy link
Member Author

@saschagrunert are there are any meeting minutes / slack channels / calendar invites I can subscribe to so that I can keep up to date with the progress and discussions around this KEP implementation?

Thank you for considering to help us with the effort! We have a Release Engineering meeting every other week where we discuss the current progress and sync: https://bit.ly/k8s-releng-meeting

@saschagrunert saschagrunert mentioned this issue Feb 3, 2022
Merged
This was referenced Feb 3, 2022
Closed
Closed
@puerco puerco mentioned this issue Feb 8, 2022
Merged
@saschagrunert saschagrunert mentioned this issue Feb 9, 2022
Closed
This was referenced Feb 14, 2022
Merged
Merged
@puerco puerco pinned this issue Feb 16, 2022
@puerco puerco mentioned this issue Feb 16, 2022
Merged
@justaugustus justaugustus mentioned this issue Feb 23, 2022
Closed
@puerco puerco mentioned this issue Mar 5, 2022
Merged
@PushkarJ PushkarJ mentioned this issue Mar 10, 2022
Merged
@puerco puerco mentioned this issue Mar 21, 2022
Merged
@saschagrunert saschagrunert mentioned this issue Mar 22, 2022
Closed
@sedefsavas sedefsavas mentioned this issue Mar 23, 2022
Open
@ReillyBrogan ReillyBrogan mentioned this issue Mar 31, 2022
Closed
This was referenced Apr 5, 2022
Merged
Merged
Merged
@saschagrunert
Copy link
Member Author

Only #2417 is missing, otherwise we can consider this one as done 🥳

@saschagrunert
Copy link
Member Author

We can do #2417 in a different scope. Since 1.24 will be released today we now consider this EPIC is done. 🥳

This was referenced May 3, 2022
Closed
Closed
@saschagrunert saschagrunert unpinned this issue Jun 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@saschagrunert saschagrunert

@ameukam ameukam

@puerco puerco

@jimangel jimangel

@palnabarun palnabarun

@xmudrii xmudrii

Labels
area/release-eng Issues or PRs related to the Release Engineering subproject kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/security Categorizes an issue or PR as relevant to SIG Security.
Projects
None yet
Milestone
v1.24
Development

No branches or pull requests
8 participants
@saschagrunert @ameukam @PushkarJ @puerco @jimangel @palnabarun @xmudrii @k8s-ci-robot