
Security Self-Assessment: [STRIDE-TAMPER-1] Produce a SBoM #6153

Open
randomvariable opened this issue Feb 16, 2022 · 28 comments
Labels

  • area/security: Issues or PRs related to security
  • help wanted: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
  • kind/feature: Categorizes issue or PR as related to a new feature.
  • priority/backlog: Higher priority than priority/awaiting-more-evidence.
  • sig/security: Categorizes an issue or PR as relevant to SIG Security.
  • triage/accepted: Indicates an issue or PR is ready to be actively worked on.

Comments

@randomvariable
Member

User Story

As a cluster operator, I want to know the list of dependencies Cluster API brings for assurance within our organisation's software supply chain.

Detailed Description

  • Create an SBoM of all the Cluster API components and verify checksums as a post-build action

cc @PushkarJ for adding more details.

/kind feature
/area security
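The "verify checksums as a post-build action" part of the story, as an added example that is not code from the Cluster API project or from kubernetes-sigs/bom: a small Python check that reads an SPDX tag-value SBOM of the shape `bom generate -i <image>` emits (a document that DESCRIBES one package for the image index, which CONTAINS one package per architecture) and confirms that the described package carries the digest the registry returned for the pushed tag (for example from `crane digest`) and that the per-architecture manifests it CONTAINS are exactly the ones in the pushed index. The SBOM text and the registry digests are constructed inline; the digests are the ones printed by crane and bom later in this thread, while the SPDX layout and the `SPDXRef-Package-index`/`-amd64`/`-arm64` identifiers are hypothetical.

```python
"""Added example (not Cluster API or kubernetes-sigs/bom code): post-build check
that an SPDX SBOM describes exactly the multi-arch image that was pushed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class SpdxPackage:
    spdx_id: str
    name: str
    sha256: Optional[str] = None


@dataclass
class SpdxDocument:
    packages: Dict[str, SpdxPackage] = field(default_factory=dict)
    relationships: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_spdx_tag_value(text: str) -> SpdxDocument:
    """Minimal SPDX 2.x tag-value reader: package names, SHA256 checksums and
    Relationship lines; every other tag is ignored."""
    doc = SpdxDocument()
    current: Optional[SpdxPackage] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = SpdxPackage(spdx_id="", name=value)  # its SPDXID line follows
        elif tag == "SPDXID" and current is not None and not current.spdx_id:
            current.spdx_id = value
            doc.packages[value] = current
        elif tag == "PackageChecksum" and current is not None:
            algo, _, digest = value.partition(":")
            if algo.strip().upper() == "SHA256":
                current.sha256 = digest.strip().lower()
        elif tag == "Relationship":
            parts = value.split()
            if len(parts) == 3:
                doc.relationships.append((parts[0], parts[1], parts[2]))
    return doc


def verify_sbom_against_registry(doc: SpdxDocument, index_digest: str,
                                 variant_digests: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the SBOM matches what was pushed.
    index_digest:    sha256 hex the registry reports for the pushed tag.
    variant_digests: {platform: sha256 hex} of the manifests in that index."""
    findings: List[str] = []
    described = [t for s, r, t in doc.relationships
                 if s == "SPDXRef-DOCUMENT" and r == "DESCRIBES"]
    if len(described) != 1:
        return [f"expected exactly one DESCRIBES relationship, found {len(described)}"]
    root = doc.packages.get(described[0])
    if root is None:
        return [f"DESCRIBES target {described[0]} is not a package in the document"]
    if root.sha256 is None or not SHA256_HEX.match(root.sha256):
        findings.append(f"{root.spdx_id} has no usable SHA256 checksum")
    elif root.sha256 != index_digest:
        findings.append(f"described package checksum {root.sha256} != registry digest {index_digest}")
    contained = [doc.packages[t] for s, r, t in doc.relationships
                 if s == root.spdx_id and r == "CONTAINS" and t in doc.packages]
    sbom_digests = {p.sha256 for p in contained if p.sha256}
    for platform, digest in variant_digests.items():  # pushed but not recorded
        if digest not in sbom_digests:
            findings.append(f"{platform} manifest {digest} is missing from the SBOM")
    for digest in sorted(sbom_digests - set(variant_digests.values())):  # recorded but not pushed
        findings.append(f"SBOM lists manifest {digest} that is not in the pushed index")
    return findings


# Constructed sample: digests are the ones crane/bom printed later in this
# thread; the SPDX layout and the SPDXRef identifiers are hypothetical.
INDEX = "d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42"
AMD64 = "cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622"
ARM64 = "7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4"
SAMPLE_SBOM = f"""\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: SBOM-SPDX-EXAMPLE
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-index
##### Package: image index
PackageName: sha256:{INDEX}
SPDXID: SPDXRef-Package-index
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageChecksum: SHA256: {INDEX}
Relationship: SPDXRef-Package-index CONTAINS SPDXRef-Package-amd64
Relationship: SPDXRef-Package-index CONTAINS SPDXRef-Package-arm64
PackageName: sha256:{AMD64}
SPDXID: SPDXRef-Package-amd64
PackageChecksum: SHA256: {AMD64}
Relationship: SPDXRef-Package-amd64 VARIANT_OF SPDXRef-Package-index
PackageName: sha256:{ARM64}
SPDXID: SPDXRef-Package-arm64
PackageChecksum: SHA256: {ARM64}
Relationship: SPDXRef-Package-arm64 VARIANT_OF SPDXRef-Package-index
"""
PUSHED = {"amd64/linux": AMD64, "arm64/linux": ARM64}  # what the registry reports


def check_sbom_text(text: str, index_digest: str, variant_digests: Dict[str, str]) -> List[str]:
    return verify_sbom_against_registry(parse_spdx_tag_value(text), index_digest, variant_digests)


if __name__ == "__main__":
    print("clean build:", check_sbom_text(SAMPLE_SBOM, INDEX, PUSHED) or "OK")
    # Stale or tampered SBOM: the registry now holds a different arm64 manifest.
    drifted = {**PUSHED, "arm64/linux": "0" * 64}
    for finding in check_sbom_text(SAMPLE_SBOM, INDEX, drifted):
        print("FINDING:", finding)
```

In a release pipeline the two inputs would come from the registry rather than from constants: the index digest from `crane digest <ref>` and the per-platform digests from the manifest list, so that an SBOM generated from a local build cannot be published for an image that was later rebuilt or replaced without the check failing.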

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. area/security Issues or PRs related to security labels Feb 16, 2022
@PushkarJ
Member

Thanks for creating this, Naadir. Automated SBoM generation as part of container image building with ko just came out: https://blog.chainguard.dev/auto-sboms-with-ko/ .

We could explore if it's a good option for generating SBoMs for cluster-api container images.

@sbueringer
Member

/milestone v1.2

@sbueringer
Member

Similar CAPA issue: kubernetes-sigs/cluster-api-provider-aws#3325

@PushkarJ
Member

/retitle Security Self-Assessment: [STRIDE-TAMPER-1] Produce a SBoM
/sig security

@k8s-ci-robot k8s-ci-robot changed the title Security Self-Assessment: Produce a SBoM (STRIDE-TAMPER-1) Security Self-Assessment: [STRIDE-TAMPER-1] Produce a SBoM May 13, 2022
@k8s-ci-robot k8s-ci-robot added the sig/security Categorizes an issue or PR as relevant to SIG Security. label May 13, 2022
@PushkarJ PushkarJ added this to To do in sig-security-tracker Jul 15, 2022
@fabriziopandini fabriziopandini added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jul 29, 2022
@fabriziopandini fabriziopandini removed this from the v1.2 milestone Jul 29, 2022
@fabriziopandini fabriziopandini removed the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jul 29, 2022
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 27, 2022
@fabriziopandini
Member

/lifecycle frozen
/triage accepted
/help

Still a valid point to implement, but IMO we should rely on the same tooling used for k/k, whatever it is.

@k8s-ci-robot
Contributor

@fabriziopandini:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/lifecycle frozen
/triage accepted
/help

Still a valid point to implement, but IMO we should rely on the same tooling used for k/k, whatever it is.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 2, 2022
@chrischdi
Member

@furkatgofurov7, according to #8418 you are on this. Are there already any processes or plans?

Upstream makes use of https://github.com/kubernetes-sigs/bom via their krel tool.

@furkatgofurov7
Member

Generate SBOM and sign release artefacts kubernetes-sigs/cluster-api-provider-aws#3325

@chrischdi hey, yes, this one is being discussed in a bit wider context in CAPA, and the CAPA issue is kind of waiting/stuck on an upstream k/k issue.

@furkatgofurov7
Member

Based on the agreement during the call triaging #9104, setting the priority to:

/priority backlog

@k8s-ci-robot k8s-ci-robot added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Aug 21, 2023
@furkatgofurov7
Member

/assign @kranurag7

@k8s-ci-robot
Contributor

@furkatgofurov7: GitHub didn't allow me to assign the following users: kranurag7.

Note that only kubernetes-sigs members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @kranurag7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kranurag7
Contributor

kranurag7 commented Nov 7, 2023

Hey all,
Here's the approach I'm thinking of as of now. I've included an example below.
Please let me know if you have any comments here.

Copying the image to an ephemeral registry (only for the demo):

$ crane copy registry.k8s.io/cluster-api/cluster-api-controller:v1.5.3 ttl.sh/capi/cluster-api-controller:v1.5.3 
2023/11/07 11:31:57 Copying from registry.k8s.io/cluster-api/cluster-api-controller:v1.5.3 to ttl.sh/capi/cluster-api-controller:v1.5.3
2023/11/07 11:32:03 pushed blob: sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
2023/11/07 11:32:03 pushed blob: sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
2023/11/07 11:32:03 pushed blob: sha256:07a64a71e01156f8f99039bc246149925c6d1480d3957de78510bbec6ec68f7a
2023/11/07 11:32:03 pushed blob: sha256:b003b463d7505c8e5cfe7034cacbeed297d6463c8b7f468037ee76a289510b3a
2023/11/07 11:32:03 pushed blob: sha256:80e67ac685eeb7befa915840c12736fc942bdef272a81f3d004b4778a39a2c15
2023/11/07 11:32:03 pushed blob: sha256:8e1543693df8dd7a3ece7533b81811c049df644dc6ec06bc12923f2a4b5e9af3
2023/11/07 11:32:03 pushed blob: sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
2023/11/07 11:32:07 pushed blob: sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
2023/11/07 11:32:07 pushed blob: sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
2023/11/07 11:32:07 pushed blob: sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
2023/11/07 11:32:07 pushed blob: sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
2023/11/07 11:32:10 pushed blob: sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
2023/11/07 11:32:11 pushed blob: sha256:67a9c54d71a8def7a53619740731daff3b3151ee44a1292b2bce66641310f629
2023/11/07 11:32:11 pushed blob: sha256:c33362eddd5b5c83647d1d756590c10d7b0d223bc316f54790e1896f7f711514
2023/11/07 11:32:11 pushed blob: sha256:996ea472db0ba7f1918e97e1060bffe7833b37bdb9a37e4a2d57eaf6d2921cd7
2023/11/07 11:32:11 pushed blob: sha256:5f5cae1244d6a3aa0e8302311c0f3e2a70597415484f355f8a6f3492c92fe9aa
2023/11/07 11:32:12 pushed blob: sha256:65823ab9e087b46e1f9a72383f9c0d1cecfe4b7174f9a650a0f049482b8c72a5
2023/11/07 11:32:13 pushed blob: sha256:1ca66b61c047575552fac25da11214305319e88cf816567602158570ac91c06c
2023/11/07 11:32:14 pushed blob: sha256:5c2266c14d5d54411d78e843fa1ce8bbd51a50543901758cb2da18f936d09be1
2023/11/07 11:32:14 ttl.sh/capi/cluster-api-controller@sha256:cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622: digest: sha256:cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622 size: 2403
2023/11/07 11:32:14 pushed blob: sha256:e468415629950b492cb41d9bd2d6f45e4c13392d522f2a74fdec39c9ae2b9462
2023/11/07 11:32:15 ttl.sh/capi/cluster-api-controller@sha256:7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4: digest: sha256:7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4 size: 2403
2023/11/07 11:32:15 ttl.sh/capi/cluster-api-controller@sha256:3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c: digest: sha256:3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c size: 2403
2023/11/07 11:32:15 ttl.sh/capi/cluster-api-controller@sha256:d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667: digest: sha256:d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667 size: 2403
2023/11/07 11:32:18 pushed blob: sha256:367ac81626c1869a1cdbb6380236a0e03ff2b45c6670244f620b0b34e22cabfc
2023/11/07 11:32:18 pushed blob: sha256:75c00bd33aea99bec4abb16ec6ee95f1e3ee4cb226ed02c6e10095e92508b024
2023/11/07 11:32:21 pushed blob: sha256:d5617b617c7261e7a7be0edf901deffb8a9b0c365eedda6afac9fab682d91a0f
2023/11/07 11:32:23 ttl.sh/capi/cluster-api-controller@sha256:a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02: digest: sha256:a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02 size: 2403
2023/11/07 11:32:24 ttl.sh/capi/cluster-api-controller:v1.5.3: digest: sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42 size: 1728

Generating the SBOM using the kubernetes-sigs/bom project:

$ ./bom-amd64-linux generate -i ttl.sh/capi/cluster-api-controller:v1.5.3 -o capi_sbom.spdx
INFO bom v0.5.1: Generating SPDX Bill of Materials 
INFO Processing image reference: ttl.sh/capi/cluster-api-controller:v1.5.3 
INFO Reference ttl.sh/capi/cluster-api-controller:v1.5.3 points to an index 
INFO Reference image index points to 5 manifests  
INFO Adding image ttl.sh/capi/cluster-api-controller@sha256:cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622 (amd64/linux) 
INFO Adding image ttl.sh/capi/cluster-api-controller@sha256:d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667 (arm/linux) 
INFO Adding image ttl.sh/capi/cluster-api-controller@sha256:7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4 (arm64/linux) 
INFO Adding image ttl.sh/capi/cluster-api-controller@sha256:3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c (ppc64le/linux) 
INFO Adding image ttl.sh/capi/cluster-api-controller@sha256:a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02 (s390x/linux) 
INFO Generating SBOM for multiarch image ttl.sh/capi/cluster-api-controller@sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42 
INFO Generating SPDX package from image tarball /tmp/doc-build-2839633603/d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667.tar 
INFO Successfully extracted 12 files from image tarball /tmp/doc-build-2839633603/d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667.tar 
INFO Package describes image ttl.sh/capi/cluster-api-controller:d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667 
INFO Generating SPDX package from tarball /tmp/doc-build-2839633603/d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667.tar 
INFO Image manifest lists 10 layers               
INFO etc/os-release is a symlink, following to usr/lib/os-release 
INFO Writing usr/lib/os-release to /tmp/os-release-2783548601 
INFO Scan of container layers found debian base image 
INFO dbdata is blank                              
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/8e1543693df8dd7a3ece7533b81811c049df644dc6ec06bc12923f2a4b5e9af3.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-103721762/e468415629950b492cb41d9bd2d6f45e4c13392d522f2a74fdec39c9ae2b9462.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from image tarball /tmp/doc-build-2839633603/cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622.tar 
INFO Successfully extracted 12 files from image tarball /tmp/doc-build-2839633603/cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622.tar 
INFO Package describes image ttl.sh/capi/cluster-api-controller:cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622 
INFO Generating SPDX package from tarball /tmp/doc-build-2839633603/cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622.tar 
INFO Image manifest lists 10 layers               
INFO etc/os-release is a symlink, following to usr/lib/os-release 
INFO Writing usr/lib/os-release to /tmp/os-release-2826246521 
INFO Scan of container layers found debian base image 
INFO dbdata is blank                              
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/07a64a71e01156f8f99039bc246149925c6d1480d3957de78510bbec6ec68f7a.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-4134339363/65823ab9e087b46e1f9a72383f9c0d1cecfe4b7174f9a650a0f049482b8c72a5.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from image tarball /tmp/doc-build-2839633603/3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c.tar 
INFO Successfully extracted 12 files from image tarball /tmp/doc-build-2839633603/3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c.tar 
INFO Package describes image ttl.sh/capi/cluster-api-controller:3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c 
INFO Generating SPDX package from tarball /tmp/doc-build-2839633603/3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c.tar 
INFO Image manifest lists 10 layers               
INFO etc/os-release is a symlink, following to usr/lib/os-release 
INFO Writing usr/lib/os-release to /tmp/os-release-1526654301 
INFO Scan of container layers found debian base image 
INFO dbdata is blank                              
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/80e67ac685eeb7befa915840c12736fc942bdef272a81f3d004b4778a39a2c15.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-2199105238/5c2266c14d5d54411d78e843fa1ce8bbd51a50543901758cb2da18f936d09be1.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from image tarball /tmp/doc-build-2839633603/7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4.tar 
INFO Successfully extracted 12 files from image tarball /tmp/doc-build-2839633603/7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4.tar 
INFO Package describes image ttl.sh/capi/cluster-api-controller:7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4 
INFO Generating SPDX package from tarball /tmp/doc-build-2839633603/7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4.tar 
INFO Image manifest lists 10 layers               
INFO etc/os-release is a symlink, following to usr/lib/os-release 
INFO Writing usr/lib/os-release to /tmp/os-release-2470474997 
INFO Scan of container layers found debian base image 
INFO dbdata is blank                              
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/b003b463d7505c8e5cfe7034cacbeed297d6463c8b7f468037ee76a289510b3a.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-909770386/1ca66b61c047575552fac25da11214305319e88cf816567602158570ac91c06c.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from image tarball /tmp/doc-build-2839633603/a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02.tar 
INFO Successfully extracted 12 files from image tarball /tmp/doc-build-2839633603/a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02.tar 
INFO Package describes image ttl.sh/capi/cluster-api-controller:a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02 
INFO Generating SPDX package from tarball /tmp/doc-build-2839633603/a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02.tar 
INFO Image manifest lists 10 layers               
INFO etc/os-release is a symlink, following to usr/lib/os-release 
INFO Writing usr/lib/os-release to /tmp/os-release-84148163 
INFO Scan of container layers found debian base image 
INFO dbdata is blank                              
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/75c00bd33aea99bec4abb16ec6ee95f1e3ee4cb226ed02c6e10095e92508b024.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
INFO Generating SPDX package from tarball /tmp/spdx-tar-extract-414321627/d5617b617c7261e7a7be0edf901deffb8a9b0c365eedda6afac9fab682d91a0f.tar.gz 
INFO Not performing deep image analysis (opts.AnalyzeLayers = false) 
WARN Document has no name defined, automatically set to SBOM-SPDX-51f5cd9e-2d33-461b-9c4d-1b6fb1b17e98 
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42 has 5 relationships defined 
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42-sha256-d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667 has 11 relationships defined 
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42-sha256-cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622 has 11 relationships defined 
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42-sha256-3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c has 11 relationships defined 
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42-sha256-7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4 has 11 relationships defined 
INFO Package SPDXRef-Package-sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42-sha256-a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02 has 11 relationships defined

Outlining the SBOM:

$ ./bom-amd64-linux document outline capi_sbom.spdx 
               _      
 ___ _ __   __| |_  __
/ __| '_ \ / _` \ \/ /
\__ \ |_) | (_| |>  < 
|___/ .__/ \__,_/_/\_\
    |_|               

 📂 SPDX Document SBOM-SPDX-51f5cd9e-2d33-461b-9c4d-1b6fb1b17e98

  │ 📦 DESCRIBES 1 Packages

  ├ sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
  │  │ 🔗 5 Relationships
  │  ├ CONTAINS PACKAGE sha256:d7d8933366c0fd71d17437e77569937747b9db938e08d96b46f39703d71eb667
  │  │  │ 🔗 11 Relationships
  │  │  ├ CONTAINS PACKAGE sha256:8e1543693df8dd7a3ece7533b81811c049df644dc6ec06bc12923f2a4b5e9af3
  │  │  ├ CONTAINS PACKAGE sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
  │  │  ├ CONTAINS PACKAGE sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
  │  │  ├ CONTAINS PACKAGE sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
  │  │  ├ CONTAINS PACKAGE sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
  │  │  ├ CONTAINS PACKAGE sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
  │  │  ├ CONTAINS PACKAGE sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
  │  │  ├ CONTAINS PACKAGE sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
  │  │  ├ CONTAINS PACKAGE sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
  │  │  ├ CONTAINS PACKAGE sha256:e468415629950b492cb41d9bd2d6f45e4c13392d522f2a74fdec39c9ae2b9462
  │  │  └ VARIANT_OF PACKAGE sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
  │  │ 
  │  ├ CONTAINS PACKAGE sha256:cc9ee9fe0b3379543952716f1962637a02e565010e6855b69e82d088e1879622
  │  │  │ 🔗 11 Relationships
  │  │  ├ CONTAINS PACKAGE sha256:07a64a71e01156f8f99039bc246149925c6d1480d3957de78510bbec6ec68f7a
  │  │  ├ CONTAINS PACKAGE sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
  │  │  ├ CONTAINS PACKAGE sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
  │  │  ├ CONTAINS PACKAGE sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
  │  │  ├ CONTAINS PACKAGE sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
  │  │  ├ CONTAINS PACKAGE sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
  │  │  ├ CONTAINS PACKAGE sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
  │  │  ├ CONTAINS PACKAGE sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
  │  │  ├ CONTAINS PACKAGE sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
  │  │  ├ CONTAINS PACKAGE sha256:65823ab9e087b46e1f9a72383f9c0d1cecfe4b7174f9a650a0f049482b8c72a5
  │  │  └ VARIANT_OF PACKAGE sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
  │  │ 
  │  ├ CONTAINS PACKAGE sha256:3be91f952558612b7674c000d45b5859083064e27da59f9249f6ce6ac05ba42c
  │  │  │ 🔗 11 Relationships
  │  │  ├ CONTAINS PACKAGE sha256:80e67ac685eeb7befa915840c12736fc942bdef272a81f3d004b4778a39a2c15
  │  │  ├ CONTAINS PACKAGE sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
  │  │  ├ CONTAINS PACKAGE sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
  │  │  ├ CONTAINS PACKAGE sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
  │  │  ├ CONTAINS PACKAGE sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
  │  │  ├ CONTAINS PACKAGE sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
  │  │  ├ CONTAINS PACKAGE sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
  │  │  ├ CONTAINS PACKAGE sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
  │  │  ├ CONTAINS PACKAGE sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
  │  │  ├ CONTAINS PACKAGE sha256:5c2266c14d5d54411d78e843fa1ce8bbd51a50543901758cb2da18f936d09be1
  │  │  └ VARIANT_OF PACKAGE sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
  │  │ 
  │  ├ CONTAINS PACKAGE sha256:7a73b889a8ec7fcade0891de745a75359d10701f3cf335110ff7e3642f1bc8b4
  │  │  │ 🔗 11 Relationships
  │  │  ├ CONTAINS PACKAGE sha256:b003b463d7505c8e5cfe7034cacbeed297d6463c8b7f468037ee76a289510b3a
  │  │  ├ CONTAINS PACKAGE sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
  │  │  ├ CONTAINS PACKAGE sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
  │  │  ├ CONTAINS PACKAGE sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
  │  │  ├ CONTAINS PACKAGE sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
  │  │  ├ CONTAINS PACKAGE sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
  │  │  ├ CONTAINS PACKAGE sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
  │  │  ├ CONTAINS PACKAGE sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
  │  │  ├ CONTAINS PACKAGE sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
  │  │  ├ CONTAINS PACKAGE sha256:1ca66b61c047575552fac25da11214305319e88cf816567602158570ac91c06c
  │  │  └ VARIANT_OF PACKAGE sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
  │  │ 
  │  └ CONTAINS PACKAGE sha256:a8c26f25a18673b069cfa19ebcf4bff4f3417012acf75538b7c8c6eb1d66dd02
  │  │  │ 🔗 11 Relationships
  │  │  ├ CONTAINS PACKAGE sha256:75c00bd33aea99bec4abb16ec6ee95f1e3ee4cb226ed02c6e10095e92508b024
  │  │  ├ CONTAINS PACKAGE sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58
  │  │  ├ CONTAINS PACKAGE sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db
  │  │  ├ CONTAINS PACKAGE sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265
  │  │  ├ CONTAINS PACKAGE sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0
  │  │  ├ CONTAINS PACKAGE sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c
  │  │  ├ CONTAINS PACKAGE sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f
  │  │  ├ CONTAINS PACKAGE sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c
  │  │  ├ CONTAINS PACKAGE sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a
  │  │  ├ CONTAINS PACKAGE sha256:d5617b617c7261e7a7be0edf901deffb8a9b0c365eedda6afac9fab682d91a0f
  │  │  └ VARIANT_OF PACKAGE sha256:d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42
  │  │ 

  └ 📄 DESCRIBES 0 Files

attaching SBOM to the images

$ cosign attach sbom --sbom capi_sbom.spdx ttl.sh/capi/cluster-api-controller:v1.5.3
WARNING: Attaching SBOMs this way does not sign them. If you want to sign them, use 'cosign attest --predicate capi_sbom.spdx --key <key path>' or 'cosign sign --key <key path> --attachment sbom <image uri>'.
Uploading SBOM file for [ttl.sh/capi/cluster-api-controller:v1.5.3] to [ttl.sh/capi/cluster-api-controller:sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sbom] with mediaType [text/spdx].

cosign tree

cosign tree ttl.sh/capi/cluster-api-controller:v1.5.3
📦 Supply Chain Security Related artifacts for an image: ttl.sh/capi/cluster-api-controller:v1.5.3
└── 📦 SBOMs for an image tag: ttl.sh/capi/cluster-api-controller:sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sbom
   └── 🍒 sha256:07b03386fa05eab559319a91b55539ae978feef69be413e292bbb4b9b301018f

signing SBOMs

$ cosign generate-key-pair
Enter password for private key: 
Enter password for private key again: 
Private key written to cosign.key
Public key written to cosign.pub

$ cosign sign --key cosign.key ttl.sh/capi/cluster-api-controller:sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sbom
Enter password for private key: 
WARNING: Image reference ttl.sh/capi/cluster-api-controller:sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sbom uses a tag, not a digest, to identify the image to sign.
    This can lead you to sign a different image than the intended one. Please use a
    digest (example.com/ubuntu@sha256:abc123...) rather than tag
    (example.com/ubuntu:latest) for the input to cosign. The ability to refer to
    images by tag will be removed in a future release.


	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Are you sure you would like to continue? [y/N] y
tlog entry created with index: 48162409
Pushing signature to: ttl.sh/capi/cluster-api-controller 

$ crane ls ttl.sh/capi/cluster-api-controller
sha256-40a035c0267ceb003dfd5d310b76da6d6df1dc905fa4d13656f32abf7a5d9405.sig
sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sbom
sha256-d272e1321bbcdea05568021cfa67450700085084d33b9b9113211aa73a39dc42.sig
v1.5.3

In signing, we can use ephemeral keys generated by an issuer (Google in this case) to sign the SBOM, similar to what we use for the image.

$ cosign verify registry.k8s.io/cluster-api/cluster-api-controller:v1.5.0 --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com --certificate-oidc-issuer https://accounts.google.com | jq .
# truncated
      "Issuer": "https://accounts.google.com",
      "Subject": "krel-trust@k8s-releng-prod.iam.gserviceaccount.com",
  • One question from the community meeting was whether we can leverage GitHub Actions to generate and attach SBOMs.
    We should generate and attach the SBOM in the same build environment where we are building the image.

// cc @nawazkh
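
The outline above is what `bom document outline` prints for the SPDX relationship graph (CONTAINS / VARIANT_OF / DESCRIBES). The following is an added example, not code from this thread or from the bom or cosign tools: a small Python checker that parses an SPDX tag-value SBOM, reconstructs the same kind of outline, and flags two defects that are worth catching before an SBOM is attached to a staging image, namely a document that DESCRIBES nothing and relationships that reference an SPDXID the document never defines. The sample SBOM embedded in it is constructed (placeholder names, no real Cluster API content) and deliberately leaves one referenced layer undefined.

```python
"""Validate the relationship graph of an SPDX 2.x tag-value SBOM.

Added example, not code from this issue thread nor from the bom/cosign
tools. Reconstructs the CONTAINS / VARIANT_OF / DESCRIBES outline and
reports dangling references and a document that DESCRIBES nothing.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample SBOM (not a real Cluster API SBOM): one image index
# containing two per-arch images; each image contains layers and is a
# VARIANT_OF the index, mirroring the multi-arch layout in the thread.
# SPDXRef-layer-app-arm64 is deliberately never defined.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
DocumentName: capi_sbom
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-index

PackageName: cluster-api-controller
SPDXID: SPDXRef-index
Relationship: SPDXRef-index CONTAINS SPDXRef-image-amd64
Relationship: SPDXRef-index CONTAINS SPDXRef-image-arm64

PackageName: cluster-api-controller-linux-amd64
SPDXID: SPDXRef-image-amd64
Relationship: SPDXRef-image-amd64 CONTAINS SPDXRef-layer-base
Relationship: SPDXRef-image-amd64 CONTAINS SPDXRef-layer-app-amd64
Relationship: SPDXRef-image-amd64 VARIANT_OF SPDXRef-index

PackageName: cluster-api-controller-linux-arm64
SPDXID: SPDXRef-image-arm64
Relationship: SPDXRef-image-arm64 CONTAINS SPDXRef-layer-base
Relationship: SPDXRef-image-arm64 CONTAINS SPDXRef-layer-app-arm64
Relationship: SPDXRef-image-arm64 VARIANT_OF SPDXRef-index

PackageName: base-layer
SPDXID: SPDXRef-layer-base

PackageName: app-layer-amd64
SPDXID: SPDXRef-layer-app-amd64
"""

DOCUMENT_ID = "SPDXRef-DOCUMENT"


@dataclass
class SpdxDoc:
    packages: dict[str, str] = field(default_factory=dict)  # SPDXID -> PackageName
    files: dict[str, str] = field(default_factory=dict)     # SPDXID -> FileName
    relationships: list[tuple[str, str, str]] = field(default_factory=list)


def parse_tag_value(text: str) -> SpdxDoc:
    """Parse the subset of SPDX tag-value needed for relationship checks."""
    doc = SpdxDoc()
    pending_name: str | None = None  # name seen before its SPDXID line
    pending_kind: str | None = None  # "package" or "file"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            pending_name, pending_kind = value, "package"
        elif tag == "FileName":
            pending_name, pending_kind = value, "file"
        elif tag == "SPDXID":
            if pending_kind == "package":
                doc.packages[value] = pending_name or value
            elif pending_kind == "file":
                doc.files[value] = pending_name or value
            pending_name = pending_kind = None
        elif tag == "Relationship":
            parts = value.split()
            if len(parts) != 3:
                raise ValueError(f"malformed relationship line: {line!r}")
            doc.relationships.append((parts[0], parts[1], parts[2]))
    return doc


def validate(doc: SpdxDoc) -> list[str]:
    """Return human-readable problems; an empty list means the graph is consistent."""
    problems: list[str] = []
    defined = {DOCUMENT_ID, *doc.packages, *doc.files}
    if not any(s == DOCUMENT_ID and r == "DESCRIBES" for s, r, _ in doc.relationships):
        problems.append("document DESCRIBES nothing")
    for src, rel, dst in doc.relationships:
        for ref in (src, dst):
            if ref not in defined:
                problems.append(f"{rel} references undefined {ref}")
    return problems


def outline(doc: SpdxDoc, root: str = DOCUMENT_ID, depth: int = 0,
            seen: set[str] | None = None) -> list[str]:
    """Render the relationship tree the way `bom document outline` does."""
    seen = set() if seen is None else seen
    lines: list[str] = []
    for src, rel, dst in doc.relationships:
        if src != root:
            continue
        name = doc.packages.get(dst) or doc.files.get(dst) or dst
        lines.append("  " * depth + f"{rel} {name}")
        # VARIANT_OF points back up to the index: never recurse into that
        # cycle, and do not re-expand a node already printed elsewhere.
        if rel == "VARIANT_OF" or dst in seen:
            continue
        seen.add(dst)
        lines.extend(outline(doc, dst, depth + 1, seen))
    return lines


if __name__ == "__main__":
    sbom = parse_tag_value(SAMPLE_SBOM)
    print("\n".join(outline(sbom)))
    print(f"DESCRIBES {len(sbom.files)} Files")
    for problem in validate(sbom):
        print("PROBLEM:", problem)
```

Run on the constructed sample it prints the nine-line outline and one problem, `CONTAINS references undefined SPDXRef-layer-app-arm64`. Pointing `parse_tag_value` at a real `bom generate` output (read the file instead of `SAMPLE_SBOM`) is the natural post-build check before `cosign attach sbom` runs.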

@sbueringer
Member

sbueringer commented Nov 14, 2023

Q: How is k/k doing this? As far as I can tell the entire image promotion/publishing is built on top of Prow / Google Cloud Build.

I'm really hesitant to add a GitHub action for this sort of stuff, except if k/k is doing the same.

@kranurag7
Contributor

How is k/k doing this? As far as I can tell the entire image promotion/publishing is built on top of Prow / Google Cloud Build.

I see kubernetes project use bom as a library.
Ref: https://github.com/kubernetes/release/blob/9a0d9bde19d674d7f60649721c8c50fc68c6c522/pkg/anago/stage.go#L769
I've limited insights on how kubernetes release is done from projects perspective.

I'm really hesitant to add a GitHub action for this sort of stuff, except if k/k is doing the same.

Yes, we shouldn't do this. We should generate SBOMs in the build environment itself, and for us, it's not GitHub Actions.

@sbueringer
Member

Yup, but we basically don't have our own build environment. We use the same build and image promotion/publishing jobs as other parts of Kubernetes: https://github.com/kubernetes/test-infra/tree/807378e23980a2f493845952ea624edf6aa6d74a/config/jobs/image-pushing

This is the reason why I'm trying to say that we should do the same as they do, because we currently just use their process / build environment / etc.

@furkatgofurov7
Member

furkatgofurov7 commented Nov 15, 2023

Yup, but we basically don't have our own build environment. We use the same build and image promotion/publishing jobs as other parts of Kubernetes: https://github.com/kubernetes/test-infra/tree/807378e23980a2f493845952ea624edf6aa6d74a/config/jobs/image-pushing

This is the reason why I'm trying to say that we should do the same as they do, because we currently just use their process / build environment / etc.

I think we need to spend some time on investigating things like:

  • how does k/k generate the SBOM, e.g. does it generate it as part of the release process?
  • what tools does it use and how (as part of the release notes tool, i.e. krel)?
  • where are those SPDX files stored?

In general, kubernetes/release#1837 seems to be the tracking issue upstream k/k used to introduce SBOMs.

@sbueringer
Member

Just an additional hint - assuming we don't do this already. It's absolutely fine to ask around in Slack. I'm pretty sure there are a lot of people with the knowledge about k/k processes that are happy to help / share information.

@stmcginnis
Contributor

One small pointer, since I just recently looked into it. The tool used is bom, which is owned by the k8s community: https://github.com/kubernetes-sigs/bom

@adilGhaffarDev
Contributor

I would like to work on this task.
/assign @adilGhaffarDev

@kranurag7
Contributor

I was working on it during the last release and tried completing it in the last phase of the release.
The conclusion was that this work depends on sig-release and going forward we will leverage the same tooling by sig-release down the line.

xref: https://kubernetes.slack.com/archives/C2C40FMNF/p1701928413351249

@sbueringer Should we still go forward with this given that after Q1 (as per sig-release) we will get it natively supported in the existing release tooling that we use for releasing?

Happy to pair up on this one if this needs to be done now or at any point in the future.

@sbueringer
Member

If we can choose between building a custom solution or waiting a few months, let's wait.

@adilGhaffarDev
Contributor

xref: https://kubernetes.slack.com/archives/C2C40FMNF/p1701928413351249

Oh, I didn't know about this Slack thread. @kranurag7 Do we have an issue or PR that we can add here for tracking?

@adilGhaffarDev adilGhaffarDev removed their assignment Jan 17, 2024
@cahillsf
Member

From reading through the linked thread it doesn't seem like the goal stated in this current issue has changed -- we will still need to put in the work on our end to have the SBOM attached to the staging images so they can be picked up by the promo tool. I have just bumped the thread to make sure this is still the intention. Or am I reading the rec incorrectly?

My recommendation would be to generate the SBOMs and attach them to the staging registry now.

@cahillsf
Member

👋 @kranurag7 -- are you still interested in working on this?

@akshay196
Contributor

I am interested in working on this. I will go through relevant discussions and get back here for next steps.
/assign

@akshay196
Contributor

I am unable to find time for this. 😞
/unassign

@fabriziopandini fabriziopandini removed the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Apr 22, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Apr 22, 2024
@fabriziopandini fabriziopandini removed the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Apr 22, 2024
@fabriziopandini
Member

/triage accepted
@kubernetes-sigs/cluster-api-release-team to re-assess

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 22, 2024