
SLSA Level 3 Compliance in the Kubernetes Release Process #3027

Open
puerco opened this issue Oct 30, 2021 · 13 comments
Labels
area/release-eng Issues or PRs related to the Release Engineering subproject sig/release Categorizes an issue or PR as relevant to SIG Release.

Comments

@puerco
Member

puerco commented Oct 30, 2021

Enhancement Description

  • One-line enhancement description (can be used as a release note): SLSA compliance for the Kubernetes release process
  • Kubernetes Enhancement Proposal:
  • Discussion Link:
  • Primary contact (assignee): @puerco
  • Responsible SIGs: SIG Release
  • Enhancement target (which target equals to which milestone):
    • SLSA Level 1: 1.23
    • SLSA Level 2: 1.24
    • SLSA Level 3: 1.25

/sig release
/cc @kubernetes/sig-release-leads @kubernetes/release-managers @kubernetes/release-engineering

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

@k8s-ci-robot k8s-ci-robot added the sig/release Categorizes an issue or PR as relevant to SIG Release. label Oct 30, 2021
@saschagrunert
Member

saschagrunert commented Nov 2, 2021

/area release-eng
refers to kubernetes/sig-release#1724, #3031

@k8s-ci-robot k8s-ci-robot added the area/release-eng Issues or PRs related to the Release Engineering subproject label Nov 2, 2021
@saschagrunert
Member

saschagrunert commented Nov 29, 2021

The initial draft of the signing KEP is proposed in #3061

@tpepper
Contributor

tpepper commented Nov 30, 2021

Given the unknown unknowns, and the context of a SIG Release 2021 (and beyond) vision/roadmap, I believe it would make sense to set a more concrete and limited scope first KEP for "SLSA Level 3 Compliance". Level four feels notably harder to accomplish in many contexts (but I'm hopeful it won't be tremendously hard in our specific context, maybe naive?). Level three feels readily attainable for the Kubernetes project. And even at that it will also take a considerable amount of effort and time while also bringing into high clarity what would actually be required for level four compliance.

This would also have the benefit of removing the ambiguous split graduation criteria currently in https://github.com/kubernetes/enhancements/pull/3051/files#diff-1f8352f993f9069e41c3ce0f07a3e5ae5c6f58b87acf834b8cf9099fbc6fcc68R379

And it sets a high bar while allowing a reasonable time bound on expected delivery. "SLSA compliance" without a number in the phrase can mean anything from "SLSA level-0 compliant" up to "SLSA level-4 compliant", and I very much hope we intend to do more than level 0.

@puerco puerco changed the title SLSA Compliance in the Kubernetes Release Process SLSA Level 3 Compliance in the Kubernetes Release Process Dec 10, 2021
@puerco
Member Author

puerco commented Dec 10, 2021

Thanks for the comments @tpepper. I agree completely. I did not want to give up before declaring level 4 as unimplementable, but I agree that for now, it is not realistic to consider it. But we can always finish this and push forward.

I've retitled the KEP and scoped it to level 3. I have also removed the dual graduation criteria. Thank you!

@dlorenc

dlorenc commented Dec 10, 2021

I'd agree with this - SLSA4 was designed to be very aspirational from the start. Just my personal take - but I'd either expect some intermediate levels or massive changes in tooling to pop up before SLSA4 is realistic for most projects.

@k8s-triage-robot

k8s-triage-robot commented Mar 10, 2022

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 10, 2022
@puerco
Member Author

puerco commented Mar 10, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 10, 2022
@mlieberman85

mlieberman85 commented May 26, 2022

Related proposal from CNCF that might be able to help here: cncf/tag-security#890

@saschagrunert
Member

saschagrunert commented May 27, 2022

We still have to define which deliverables will land in v1.25, especially in combination with the signing KEP.

@k8s-triage-robot

k8s-triage-robot commented Aug 25, 2022

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 25, 2022
@ameukam
Member

ameukam commented Aug 25, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 25, 2022
@k8s-triage-robot

k8s-triage-robot commented Nov 23, 2022

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 23, 2022
@xmudrii
Member

xmudrii commented Nov 23, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 23, 2022