SLSA3 Missing pieces

[puerco]

This issue is meant to track the remaining work needed to push towards SLSA3 in our release process. This initial dump is meant to dump the remaining tasks before we prioritize them. Please note that pushing towards SLSA level 3 means effectively complying with level 2, thus all L2 tasks are folded into this list.

These remaining items are based on our SLSA Compliance Assessment tracking sheet.

Remaining SLSA Level 3 Compliance Tasks:

Provenance - Service Generated

• Generate provenance attestations outside of builder #2611
• Builder: Support for writing initial, partial attestation and "sleeping" (persisting it to disk)
• Builder: Complete persisted attestations: Read build-generated subjects and assemble pending statement
• GCB: Attach a volume to write and retrieve provenance metadata
• GCB: Add step to write initial attestation before staging
• GCB: Add step to complete provenance attestation after staging
• GCB: Add step to write initial attestation before release
• GCB: Add step to complete provenance attestation after release

Build as Code

• Builder: Run from a configuration file. (It was tasked in our initial assessment, ticked as we are running already from GCB configuration files)

Provenance - Non-falsifiable

• Builder: Implement attestation signing to sign in post-stage and post-release steps
• Determine which identity we should use to sign binaries and other files #2617

Identify Entry Point

• Write entry point (k/release commit) is recorded in attestations

Related Efforts:

Ensure Integrity of Our Builder!

• Sign k8s-cloud-builder image
• GCB: Verify k8s-cloud-builder image before stage
• GCB: Verify k8s-cloud-builder image before release
• sign: Implement attestation signing kubernetes-sigs/release-sdk#94

File Signing

• Implement file signing step #2618

Sign & Promote SBOMs

• Carry over .att layers at promotion time kubernetes-sigs/promo-tools#600
• Sign attached SBOMs kubernetes-sigs/promo-tools#601

*Note: tasks prefixed with Builder: are part of an upcoming provenance builder proposal (not ready yet)

[ameukam]

Infra: Plan signer account and access

I think it's kubernetes/k8s.io#3854

[puerco]

@ameukam sorry the one liner may be a bit misleading. I think this point needs a little more clarification so I've opened #2617 to expand the idea and discuss!

[saschagrunert]

I guess everything except #2618 belongs to the SLSA KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-release/3027-slsa-compliance

Do we have to update it?

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[saschagrunert]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[cpanato]

/remove-lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[xmudrii]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[xmudrii]

/lifecycle frozen