Add GitHub Actions security policy requiring SHA pinning #8911
cc: @dims /hold

cc: @kubernetes/owners, @PushkarJ

cc: @kubernetes/sig-security for review as well.
PushkarJ left a comment:
@Priyankasaggu11929 Left two comments to provide more clarity. Is there a plan from GitHub Admins to create a prow job that runs on PR or on schedule that checks for these policy violations? If yes, I am happy to co-maintain (or co-create) it with you all if you think it's worth doing.
| 1. All `uses:` statements in workflow files MUST reference actions using 40-character commit SHA hashes | ||
| 2. New workflows MUST comply before merge | ||
| 3. Existing workflows MUST be updated to comply | ||
| 4. Repositories SHOULD enable Dependabot for GitHub Actions to automatically update SHA-pinned actions to newer versions |
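Review bot: Item 1 requires every `uses:` statement to carry a 40-character commit SHA, but `uses:` also accepts local paths such as `./.github/actions/...` and `docker://` image references, neither of which has an action commit SHA to pin. Suggest scoping item 1 to actions and reusable workflows referenced as `owner/repo@ref` and stating how local and container references are treated. Item 3 gives no deadline for existing workflows; a date, or a pointer to where the date is announced, would make "MUST be updated" actionable.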
Will dependabot PR automatically know the right SHA to upgrade to or will default to version tags that are mutable? Although there is benefit in auto-upgrades if dependabot behavior is not going to be consistent to our policy, then it might be best to remove this point from the list.
Dependabot works with this particular style:
https://github.com/kubernetes-sigs/kind/blob/446e36866289a5b727f854011afe8e54c57da66d/.github/workflows/nerdctl.yaml#L33
Would it be possible to provide an example (or point at one) for dependabot?
https://github.com/kubernetes-sigs/kind/blob/main/.github/dependabot.yml is super helpful to me and I'll likely copy-pasta it into my project
I'm not sure if we should have been including ok-to-test
> I'm not sure if we should have been including ok-to-test
Ah, just re-read it.
You meant this dependabot yaml adding ok-to-test - https://github.com/kubernetes-sigs/kind/blob/main/.github/dependabot.yml
I think, we should not and let some project maintainer do it going forward?
(that would need a further cleanup but I also think it is worth it?)
@PushkarJ, @adrianmoisey - I kept the dependabot pointers, because even after enforcing the policy at enterprise level, we will still need to continue maintaining them and that's where dependabot will help.
Added example reference from the github docs on how to set up.
Yeah. Actions being able to forcibly apply labels is a big problem for our label based workflows, there are probably repos adding lgtm and approved as well ...
Hey, GitHub has a setting to enforce this and activating it should be sufficient.

Thanks for the review folks. @PushkarJ - addressing the above comments here. Yes, the plan was to add a periodic job that scans and flags for the unintended gh actions usage across our gh orgs. But I think with the suggestion from @upodroid, we will be covered. Will also remove the dependabot reference. And add the common branches (master, main) for clarity. @upodroid - could you provide a pointer on the setting (in a DM or a docs link here - either would work), I will toggle it tomorrow and we can announce it on dev@... mailing list. For this week, I am trying to focus on all immediate things we need either fixing or enforcing to address the impact. But yes, over the next month, I can try to add more periodic jobs if we would still need some.

I would probably activate it on the enterprise directly.

Sounds good @Priyankasaggu11929, I can LGTM once the PR is updated and yes, good call on taking care of preventive and detective steps after we finish the immediate task at hand. @upodroid thanks for the pointer. Good to know about this feature!
| @@ -0,0 +1,33 @@ | |||
| The purpose of this policy is to establish mandatory security requirements while using GitHub Actions in workflow files across all repositories under all Kubernetes github organizations. | |||
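Review bot: In the purpose statement, "Kubernetes github organizations" should read "Kubernetes GitHub organizations", matching the capitalisation of "GitHub Actions" earlier in the same sentence. The sentence also calls the requirements mandatory without naming what they guard against; unless the rest of the file covers it, one clause on the risk of mutable tag and branch references would give readers the rationale up front.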
Apparently we can enforce this via org policy (via @upodroid), I think we should pursue that route.
It's hard to get people to read more 😅
Maybe both? This documents the rationale behind the org level policy and then once enforced we add a link to actual org level setting in this sharing that it's in effect.
Yes, it can be. (ref for GH admins: https://github.com/enterprises/kubernetes/settings/actions)
@kubernetes/owners - should we enforce the policy? We have about ~200 repos using GH Actions and roughly ~144 of them are using non-sha references. So, I'm assuming all of these will immediately break.

My opinion: I think we should give a notice period of maybe 2 weeks for repos to update this?

+1. If others don't have objection, then I'll send an email in the evening (Amsterdam time) on the dev@... mailing list, sharing this policy as a PSA and asking folks to update their github actions accordingly to adhere to the policy. Will put a deadline of April 15 - that will give folks enough time to act on it. @cblecker, @PushkarJ - could you help merging this PR by then, that would be helpful then to link the merged policy. I have addressed all comments so far.

yes please
PushkarJ left a comment:
/lgtm
(Let's announce a date and then enforce)

/assign cblecker (For approval)

/lgtm

[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cblecker, Priyankasaggu11929

/unhold
🐛 (go/v4): Pin GitHub Actions to commit SHA hashes to improve security and align with the latest GitHub Actions security policy. For more details, see kubernetes/community#8911.
The PSA was shared with the dev@kubernetes.io mailing list on March 27 - https://groups.google.com/a/kubernetes.io/g/dev/c/gvwLzCBx-hA/m/phP47p52AgAJ, with the following "Immediate Action Required"
We have reached the timeline (April 15) we put for enforcing the policy. I'm going to turn on the "Require actions to be pinned to a full-length commit SHA" policy at the Kubernetes enterprise level today. Before I do so, pinging once again (@kubernetes/owners, @PushkarJ, @dims) for a +1.

+1 Better safe, than sorry.

+1 Would we need comms? (will actions stop running until they are compliant?)

I plan to send an update on the earlier PSA email to inform folks, after I flip the setting.
The GH policy docs don't confirm if it's a preventive or retroactive policy. So, I'm going with the assumption that all GH Action workflows with mutable references will start failing until fixed. I added a note about it in the PSA:

Seems like it is retroactive for new runs as per this: kubernetes/test-infra#36726 (comment) Good call to add it in PSA. +1 from me

Thanks folks. I will go ahead and toggle the "Require actions to be pinned to a full-length commit SHA" button now. Update - The policy is enforced now at the Kubernetes Enterprise level. Sent update on dev@kubernetes.io mailing list - https://groups.google.com/a/kubernetes.io/g/dev/c/gvwLzCBx-hA/m/u2Tt-5U8CAAJ
PR adds a new policy to establish mandatory requirement for all GitHub Actions to use commit SHA hashes instead of mutable references (tags/branches) to prevent supply chain attacks.
ref: kubernetes/org#6235
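
The periodic check discussed in this thread (a job that flags `uses:` references not pinned to a 40-character commit SHA) could look like the following. This is an added example, not code from the PR or from the Kubernetes project. The function names, the sample workflow, the placeholder SHA and the decision to skip local (`./`) and `docker://` references are assumptions.

```python
import re

# A `uses:` key in a step or job mapping, optionally preceded by "- ".
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(?P<ref>.+?)\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def strip_comment(value):
    """Drop a trailing YAML comment (" # v5.0.0") and surrounding quotes."""
    value = re.split(r"\s+#", value, maxsplit=1)[0].strip()
    return value.strip("'\"")

def check_workflow(text):
    """Return (line_no, reference, reason) for each unpinned `uses:` entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        match = USES_RE.match(line)
        if not match:
            continue
        ref = strip_comment(match.group("ref"))
        # Assumption: local actions and container images are out of scope,
        # since they have no action commit SHA to pin.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, version = ref.partition("@")
        if not sep:
            findings.append((line_no, ref, "no @ref given"))
        elif not FULL_SHA_RE.match(version):
            findings.append((line_no, ref, "not a 40-character commit SHA"))
    return findings

# Constructed sample workflow; the 40-character SHA is a made-up placeholder.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: example-org/example-action@main
      # - uses: example-org/commented-out@v1
      - uses: ./.github/actions/local
      - name: short sha
        uses: "example-org/other-action@0123456"
"""

if __name__ == "__main__":
    for line_no, ref, reason in check_workflow(SAMPLE):
        print(f"line {line_no}: {ref}: {reason}")
```

The check works line by line rather than parsing YAML, so it needs no third-party library; a `uses:` value split across lines with YAML block syntax would need a real parser.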