From d1f4fc972fbbf93b6d401cdb68231a2bdf5a8567 Mon Sep 17 00:00:00 2001 From: Sascha Grunert Date: Mon, 30 May 2022 10:51:51 +0200 Subject: [PATCH] Graduate release artifact signing to beta Signed-off-by: Sascha Grunert --- keps/prod-readiness/sig-release/3031.yaml | 2 + .../3031-signing-release-artifacts/README.md | 259 ++---------------- .../3031-signing-release-artifacts/kep.yaml | 32 +-- 3 files changed, 34 insertions(+), 259 deletions(-) diff --git a/keps/prod-readiness/sig-release/3031.yaml b/keps/prod-readiness/sig-release/3031.yaml index 3642572482b3..52fc3608415c 100644 --- a/keps/prod-readiness/sig-release/3031.yaml +++ b/keps/prod-readiness/sig-release/3031.yaml @@ -1,3 +1,5 @@ kep-number: 3031 alpha: approver: "@ehashman" +beta: + approver: "@ehashman" diff --git a/keps/sig-release/3031-signing-release-artifacts/README.md b/keps/sig-release/3031-signing-release-artifacts/README.md index 8e0b53bc409a..14c82c953ff2 100644 --- a/keps/sig-release/3031-signing-release-artifacts/README.md +++ b/keps/sig-release/3031-signing-release-artifacts/README.md @@ -8,6 +8,8 @@ - [Goals](#goals) - [Non-Goals](#non-goals) - [Proposal](#proposal) + - [Alpha implementation](#alpha-implementation) + - [Beta graduation](#beta-graduation) - [User Stories (Optional)](#user-stories-optional) - [Risks and Mitigations](#risks-and-mitigations) - [Test Plan](#test-plan) @@ -35,16 +37,12 @@ Items marked with (R) are required _prior to targeting to a milestone / release_ - [x] (R) KEP approvers have approved the KEP status as `implementable` - [x] (R) Design details are appropriately documented - [x] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors) - - [ ] e2e Tests for all Beta API Operations (endpoints) - - [ ] (R) Ensure GA e2e tests for meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) - - [ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free - [x] (R) Graduation criteria is in place - - [ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) - [x] (R) Production readiness review completed - [x] (R) Production readiness review approved - [x] "Implementation History" section is up-to-date for milestone -- [ ] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io] -- [ ] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes +- [x] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io] +- [x] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes [kubernetes.io]: https://kubernetes.io/ [kubernetes/enhancements]: https://git.k8s.io/enhancements @@ -77,7 +75,8 @@ artifacts. Every Kubernetes release produces a set of artifacts. We define artifacts as something consumable by end users. Artifacts can be binaries, container images, checksum files, documentation, provenance metadata, or the software bill of -materials. None of those end-user resources are signed right now. +materials (SBOM). Only the official Kubernetes container images are signed right +now. The overall goal of SIG Release is to unify the way how to sign artifacts. This will be done by relying on the tools of the Linux Foundations digital signing @@ -102,6 +101,20 @@ discussions about how to utilize the existing Google infrastructure as well as consider utilizing keyless signing via workload identities. Nevertheless, this KEP focuses more on the "What" aspects rather than the "How". +### Alpha implementation + +The alpha phase of the proposal is about signing the official Kubernetes +container images and providing a minimum infrastructure to achieve that goal. + +### Beta graduation + +Graduation the KEP to beta means that we will now sign all artifacts which got +created during the release process. This includes binary artifacts, source code +tarballs, documentation and the SBOM. + +This explicitly exudes the provenance data, which will be signed into a +different location once we graduate the feature to GA. + ### User Stories (Optional) - As an end user, I would like to be able to verify the Kubernetes release @@ -146,13 +159,15 @@ feedback. #### Beta -- Standard Kubernetes release artifacts (binaries and container images) are +- Standard Kubernetes release artifacts (binaries, container images, etc.) are signed. #### GA - All Kubernetes artifacts are signed. This does exclude everything which gets build outside of the main Kubernetes repository. +- Kubernetes owned infrastructure is used for the signing (root trust) and + verification (transparency log) process. ## Production Readiness Review Questionnaire @@ -185,240 +200,23 @@ No, not on a cluster level. We test the signatures during the release process. ### Rollout, Upgrade and Rollback Planning - - -###### How can a rollout or rollback fail? Can it impact already running workloads? - - - -###### What specific metrics should inform a rollback? - - - -###### Were upgrade and rollback tested? Was the upgrade->downgrade->upgrade path tested? - - - -###### Is the rollout accompanied by any deprecations and/or removals of features, APIs, fields of API types, flags, etc.? - - +Not required. ### Monitoring Requirements - - -###### How can an operator determine if the feature is in use by workloads? - - - -###### How can someone using this feature know that it is working for their instance? - - - -- [ ] Events - - Event Reason: -- [ ] API .status - - Condition name: - - Other field: -- [ ] Other (treat as last resort) - - Details: - -###### What are the reasonable SLOs (Service Level Objectives) for the enhancement? - - - -###### What are the SLIs (Service Level Indicators) an operator can use to determine the health of the service? - - - -- [ ] Metrics - - Metric name: - - [Optional] Aggregation method: - - Components exposing the metric: -- [ ] Other (treat as last resort) - - Details: - -###### Are there any missing metrics that would be useful to have to improve observability of this feature? - - +Not required. ### Dependencies - - -###### Does this feature depend on any specific services running in the cluster? - - +Not required. ### Scalability - - -###### Will enabling / using this feature result in any new API calls? - - - -###### Will enabling / using this feature result in introducing new API types? - - - -###### Will enabling / using this feature result in any new calls to the cloud provider? - - - -###### Will enabling / using this feature result in increasing size or count of the existing API objects? - - - -###### Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs? - - - -###### Will enabling / using this feature result in non-negligible increase of resource usage (CPU, RAM, disk, IO, ...) in any components? - - +Not required. ### Troubleshooting - - -###### How does this feature react if the API server and/or etcd is unavailable? - -###### What are other known failure modes? - - - -###### What steps should be taken if SLOs are not being met to determine the problem? +Not required. ## Drawbacks @@ -432,5 +230,6 @@ For each of them, fill in the following information by copying the below templat ## Implementation History +- 2022-05-30 Graduate to beta - 2022-01-27 Updated to contain test plan and correct milestones - 2021-11-29 Initial Draft diff --git a/keps/sig-release/3031-signing-release-artifacts/kep.yaml b/keps/sig-release/3031-signing-release-artifacts/kep.yaml index 380ceaa47327..668e72ced94e 100644 --- a/keps/sig-release/3031-signing-release-artifacts/kep.yaml +++ b/keps/sig-release/3031-signing-release-artifacts/kep.yaml @@ -14,36 +14,10 @@ reviewers: approvers: - "@cpanato" - "@justaugustus" - -##### WARNING !!! ###### -# prr-approvers has been moved to its own location -# You should create your own in keps/prod-readiness -# Please make a copy of keps/prod-readiness/template/nnnn.yaml -# to keps/prod-readiness/sig-xxxxx/00000.yaml (replace with kep number) -#prr-approvers: - -# see-also: -# - "/keps/sig-aaa/1234-we-heard-you-like-keps" -# - "/keps/sig-bbb/2345-everyone-gets-a-kep" -# replaces: -# - "/keps/sig-ccc/3456-replaced-kep" - -# The target maturity stage in the current dev cycle for this KEP. -stage: alpha - -# The most recent milestone for which work toward delivery of this KEP has been -# done. This can be the current (upcoming) milestone, if it is being actively -# worked on. -latest-milestone: "v1.24" - -# The milestone at which this feature was, or is targeted to be, at each stage. +stage: beta +latest-milestone: "v1.25" milestone: alpha: "v1.24" - # beta: "v1.20" + beta: "v1.25" # stable: "v1.22" - disable-supported: true - -# The following PRR answers are required at beta release -# metrics: -# - my_feature_metric