Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KEP-3027: SLSA Level 3 Compliance in the Kubernetes Release Process #3051

Merged
merged 16 commits into from
Dec 17, 2021
Merged

KEP-3027: SLSA Level 3 Compliance in the Kubernetes Release Process #3051

merged 16 commits into from
Dec 17, 2021

Conversation

puerco
Copy link
Member

@puerco puerco commented Nov 18, 2021

  • One-line PR description: Initial Draft
  • Other comments:

@puerco
KEP-3027: Initial Draft
53980cd 
First draft of KEP-3027, proposing an ehnacement to make the kubernetes
releas process SLSA compliant.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
KEP-3027: Link to roadmap
c8f9156 
Rework the motivations of the kep to remark the parallels with
our roadmap and vision as suggested by Sascha Grunert.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
KEP-3027: SLSA level work items
37ccc10 
The KEP text now describes in a broad sense the required
work to reach each of the SLSA levels. No attempt is made
to make comprehensive descriptions, just to provide a
rough guide to what we need to work to achieve each level.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory labels Nov 18, 2021
@k8s-ci-robot k8s-ci-robot added sig/release Categorizes an issue or PR as relevant to SIG Release. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Nov 18, 2021
@puerco
KEP-3027: Add one line motivation and update TOC
d72b89f 
Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
Rename hosting WG to Supply Chain Integrity WG
247e444 
Since the first draft, The Digital Identity Attestation and Developer Identity WG
was renamed to Supply Chain Integrity WG. This commit corrects the name.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@justaugustus
Copy link
Member

/hold for discussion
/cc
cc: @kubernetes/release-engineering @kubernetes/sig-security

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 18, 2021
@saschagrunert saschagrunert mentioned this pull request Nov 19, 2021
Closed
7 tasks
saschagrunert
saschagrunert reviewed Nov 19, 2021
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work! I left some review nits.

keps/sig-release/3027-slsa-compliance/README.md Outdated Show resolved Hide resolved
keps/sig-release/3027-slsa-compliance/README.md Show resolved Hide resolved
keps/sig-release/3027-slsa-compliance/README.md Show resolved Hide resolved
keps/sig-release/3027-slsa-compliance/README.md Outdated Show resolved Hide resolved
keps/sig-release/3027-slsa-compliance/README.md Outdated Show resolved Hide resolved
keps/sig-release/3027-slsa-compliance/README.md Outdated Show resolved Hide resolved
keps/sig-release/3027-slsa-compliance/README.md Show resolved Hide resolved
keps/sig-release/3027-slsa-compliance/README.md Outdated Show resolved Hide resolved
keps/sig-release/3027-slsa-compliance/README.md Outdated Show resolved Hide resolved
puerco and others added 7 commits November 21, 2021 11:34
@puerco @saschagrunert
Reword KEP Goal from plan to target higher levels
a21ce83 
Co-authored-by: Sascha Grunert <sgrunert@redhat.com>
@puerco @saschagrunert
Remove double SLSA definition
02c5b71 
Co-authored-by: Sascha Grunert <sgrunert@redhat.com>
@puerco @saschagrunert
Match number of problems in paragraph
18bf8e2 
Co-authored-by: Sascha Grunert <sgrunert@redhat.com>
@puerco
Change summary from guide to plan, include other projects
7a24c5d 
As suggested in the discussion, the language in the KEP has
been modified to reflect a plan rather than a guide.

It also states that SIG Release will recommend SLSA to
other projects and share practices and tools.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
Link roadmap to last commit in master
d0497ce 
Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
Add wording to note that well update roadmap to show state
97daef3 
Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
Add full documentation as a goal
01ce6eb 
Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@k8s-ci-robot k8s-ci-robot added the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Dec 7, 2021
@justaugustus
Copy link
Member

Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages.

The list of commits with invalid commit messages:

* [373fd87](https://github.com/kubernetes/enhancements/commits/373fd877f23ada4de9f89d1ee27967fd5921f7e3) Update suggestions from @JTarasovic

* [d90a9e8](https://github.com/kubernetes/enhancements/commits/d90a9e8ea8c3a7ef8cad34435e2d3178f68e08a0) Scope KEP to SLSA 3

@puerco -- ^^

@puerco @JTarasovic
Update with suggestions from JTarasovic
0d6cd92 
Co-authored-by: Jason Tarasovic <JTarasovic@users.noreply.github.com>
@puerco puerco changed the title KEP-3027: Initial Draft of SLSA Compliance KEP KEP-3027: SLSA Level 3 Compliance in the Kubernetes Release Process Dec 10, 2021
@puerco
Scope KEP to SLSA 3
a1305c8 
As suggested by tpepper, the KEP is now scoped to SLSA level3. Level 4
is mentioned as not implementable.

Also, the dual graduation criteria has been removed in favor of a push
towards the more realistic SLSA 3 goal.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
Add cpanato and saschagrunert as reviewers
1ff3e43 
Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco
Update reviewers list
9af0f78 
Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Dec 10, 2021
justaugustus
justaugustus approved these changes Dec 17, 2021
View reviewed changes
Copy link
Member

@justaugustus justaugustus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work here, @puerco!
/lgtm
/approve

Hold to removed at EOD.

keps/sig-release/3027-slsa-compliance/kep.yaml
Comment on lines +6 to +8
participating-sigs:
- sig-release
- sig-security
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
participating-sigs:
- sig-release
- sig-security
participating-sigs:
- sig-security

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 17, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justaugustus, puerco

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@justaugustus
Copy link
Member

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 17, 2021
@k8s-ci-robot k8s-ci-robot merged commit b5b6720 into kubernetes:master Dec 17, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.24 milestone Dec 17, 2021
@cpanato
Copy link
Member

cpanato commented Dec 19, 2021

late /lgtm
this is very cool

@puerco puerco deleted the slsa-kep branch December 21, 2021 19:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saschagrunert saschagrunert saschagrunert left review comments

@JTarasovic JTarasovic JTarasovic left review comments

@justaugustus justaugustus justaugustus approved these changes

@cpanato cpanato Awaiting requested review from cpanato

@jeremyrickard jeremyrickard Awaiting requested review from jeremyrickard

Assignees

@justaugustus justaugustus

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/release Categorizes an issue or PR as relevant to SIG Release. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
v1.24
Development

Successfully merging this pull request may close these issues.
6 participants
@puerco @justaugustus @k8s-ci-robot @cpanato @saschagrunert @JTarasovic