Security Self-Assessment: [STRIDE-TAMPER-1] Produce a SBoM

[randomvariable]

User Story

As a cluster operator, i want to know the list of dependencies Cluster API brings for assurance within our organisation's software supply chain.

Detailed Description

• Create SBoM of all the Cluster API components and verify checksum as a post build action

cc @PushkarJ for adding more details.

/kind feature
/area security

[PushkarJ]

Thanks for creating this Naadir. Automated SBoM generation as part of container image building with ko just came out: https://blog.chainguard.dev/auto-sboms-with-ko/ .

We could explore if its a good option for generating SBoMs for cluster-api container images.

[sbueringer]

/milestone v1.2

[sbueringer]

Similar CAPA issue: kubernetes-sigs/cluster-api-provider-aws#3325

[PushkarJ]

/retitle Security Self-Assessment: [STRIDE-TAMPER-1] Produce a SBoM
/sig security

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[fabriziopandini]

/lifecycle frozen
/triage accepted
/help

Still a valid point to implement, but IMO we should rely on the same tooling used for k/k whatever it is

[k8s-ci-robot]

@fabriziopandini:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/lifecycle frozen
/triage accepted
/help

Still a valid point to implement, but IMO we should rely on the same tooling used for k/k whatever it is

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[chrischdi]

@furkatgofurov7 , according #8418 you are at this. Is there already any process or plans?

Upstream makes use of https://github.com/kubernetes-sigs/bom via their krel tool.

[adilGhaffarDev]

I would like to work on this task.
/assign @adilGhaffarDev

[kranurag7]

I was working on it during the last release and tried completing it in the last phase of the release.
The conclusion was that this work depends on sig-release and going forward we will leverage the same tooling by sig-release down the line.

xref: https://kubernetes.slack.com/archives/C2C40FMNF/p1701928413351249

@sbueringer Should we still go forward with this given after Q1 (as per sig-release), we will get it natively supported with the existing release tooling that we use for releasing?

Happy to pair up on this one if this needs to be done now or at any point in the future.

[sbueringer]

If we can choose between building a custom solution or waiting a few months. Let's wait

[adilGhaffarDev]

xref: https://kubernetes.slack.com/archives/C2C40FMNF/p1701928413351249

Oh, I didn't know about this slack thread. @kranurag7 Do we have an issue or PR that we can add here for tracking?

[cahillsf]

from reading through the linked thread it doesn't seem like the goal stated in this current issue has changed -- we will still need to put in the work on our end to have the SBOM attached to the staging images so they can be picked up by the promo tool. have just bumped the thread to make sure this is still the intention. or am i reading the rec incorrectly?

My recomendation would be to generate the SBOMs and attach them to the staging registry now.

[cahillsf]

👋 @kranurag7 -- are you still interested in working on this?

[akshay196]

I am interested in working on this. I will go through relevant discussions and get back here for next steps.
/assign

[akshay196]

I am unable to find time for this. 😞
/unassign

[fabriziopandini]

/triage accepted
@kubernetes-sigs/cluster-api-release-team to re-assess

[jayesh-srivastava]

I would like to take this up. Will go through the relevant docs.
/assign

[jayesh-srivastava]

Ref: https://kubernetes.slack.com/archives/C2C40FMNF/p1701928413351249

I see according to this thread, there were talks about redesigning SBOMs for Kubernetes, and attaching the SBOM to the staging registry was one of the suggestions. Are we going with this suggestion?

Any other suggestions folks?

cc: @adilGhaffarDev @Sunnatillo @fabriziopandini

[adilGhaffarDev]

I see according to this thread, there were talks about redesigning SBOMs for Kubernetes, and attaching the SBOM to the staging registry was one of the suggestions. Are we going with this suggestion?

This should still be valid unless there is some changes on k/release side regarding tooling, you can inform in the same slack thread that you are starting work on it and attaching SBOM to staging images, lets see is they have any helpful suggestion. I would say check k8s release workflow and try to reuse any script that they are already using for creating sboms.