[Epic] SLSA Level 3 #856

Closed
flavio opened this issue Aug 29, 2024 · 4 comments
Comments

@flavio
Member

flavio commented Aug 29, 2024

The SLSA requirements define that the provenance must unambiguously identify the output package by cryptographic digest, while also describing how the package was produced. Although SLSA Provenance v1 is recommended, there are no hard requirements on the provenance format. Note that Docker buildx only supports v0.2; the upgrade is already on their backlog.

Both the SPDX SBOM and the Provenance can be embedded in a container image at build time by adding two flags to the docker buildx build command:

docker buildx build --push --sbom=true --attest type=provenance,mode=max -t "${IMAGE}" -f Dockerfile .

The provenance must account for the entire build process. When the build process is happening within the Docker buildx context, for example, the building of binaries or fetching of external dependencies must take place within one of the layers of a multi-staged container image.

No pre-built artefacts should be copied into a container image, unless that is tied to a specific version followed by some level of integrity checks. This is something to keep in mind while building the Policy Server container image, since right now the policy-server binary is built with cross-rs and then copied into the image.

The GitHub action docker/build-push-action, can enable the provenance and SBOM by adding these two lines:

     - name: Build and push image
       uses: docker/build-push-action@v6
       with:
         sbom: true
         provenance: mode=max
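
An offline sanity check over the provenance statement an image carries (for example the JSON that docker buildx imagetools inspect prints for it), verifying the two properties the SLSA requirement above spells out: the subject is identified by a sha256 digest, and the predicate records the builder and the build inputs. This is an added example, not Kubewarden code; the sample statements, digests, builder id and build type are constructed placeholders.

```python
import re
from typing import Any

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def check_provenance(stmt: dict[str, Any]) -> list[str]:
    """Return the list of problems found; an empty list means the statement passes."""
    problems: list[str] = []
    if stmt.get("_type") != STATEMENT_TYPE:
        problems.append("not an in-toto v0.1 Statement")
    if stmt.get("predicateType") != SLSA_V02:
        problems.append(f"unexpected predicateType {stmt.get('predicateType')!r}")
    # SLSA requires the output to be identified unambiguously by a cryptographic digest.
    subjects = stmt.get("subject") or []
    if not subjects:
        problems.append("no subject: the output package is not identified")
    for s in subjects:
        if not SHA256_RE.match(s.get("digest", {}).get("sha256", "")):
            problems.append(f"subject {s.get('name')!r} lacks a valid sha256 digest")
    # The predicate must say who built it, how, and from which inputs.
    pred = stmt.get("predicate") or {}
    if not (pred.get("builder") or {}).get("id"):
        problems.append("predicate.builder.id missing")
    if not pred.get("buildType"):
        problems.append("predicate.buildType missing")
    materials = pred.get("materials") or []
    if not materials:
        problems.append("no materials: build inputs are not described")
    for m in materials:
        if not m.get("uri") or not m.get("digest"):
            problems.append(f"material {m.get('uri')!r} lacks a uri or digest")
    return problems


# Constructed sample statements (placeholder digests, builder id and build type).
GOOD = {
    "_type": STATEMENT_TYPE,
    "predicateType": SLSA_V02,
    "subject": [{"name": "pkg:docker/example/policy-server", "digest": {"sha256": "a" * 64}}],
    "predicate": {
        "builder": {"id": "https://example.invalid/buildkit"},
        "buildType": "https://example.invalid/buildkit/v1",
        "materials": [{"uri": "pkg:docker/example/base@1.0", "digest": {"sha256": "b" * 64}}],
    },
}
# Same statement with its inputs stripped: a build whose materials are not recorded.
INCOMPLETE = {**GOOD, "predicate": {**GOOD["predicate"], "materials": []}}
```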
@viccuad viccuad moved this to Todo in Kubewarden Sep 27, 2024
@viccuad viccuad added this to the 1.18 milestone Sep 27, 2024
@viccuad viccuad self-assigned this Sep 27, 2024
@flavio flavio changed the title [Epic] provenance generation [Epic] SLSA Level 3 Oct 4, 2024
@viccuad
Member

viccuad commented Oct 7, 2024

For our kubectl image used in helm charts, as suggested by Flavio we could use the official kuberlr image, or the rancher/kuberlr-kubectl image. The latter has matching kubectl binaries pre-cached inside to be in lockstep with Rancher. This facilitates Kubewarden's airgap story too, hence I side with this approach.

@viccuad
Member

viccuad commented Oct 21, 2024

Policies can wait until a later date.

@flavio
Member Author

flavio commented Oct 25, 2024

Closing; everything has been done.
