[eks] [request]: Sign release artifacts with Sigstore #1733

Open
stevehipwell opened this issue May 4, 2022 · 10 comments
Labels
EKS Amazon Elastic Kubernetes Service Proposed Community submitted issue

Comments

@stevehipwell

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
I'd like all artifacts created for EKS to be signed with Sigstore so we can verify that they are what they say they are. This would align EKS with upstream Kubernetes which as of v1.24.0 is using Sigstore for all release artifacts.

Which service(s) is this request for?
EKS.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I'd like to be able to verify the EKS artifacts with the same tools as for upstream Kubernetes, other OSS projects and internal services; Sigstore is the OpenSSF solution for this.

Are you currently working around this issue?
n/a

Additional context
This is related to #43 for storing the signatures.

Attachments
n/a

@stevehipwell stevehipwell added the Proposed Community submitted issue label May 4, 2022
@mikestef9 mikestef9 added the EKS Amazon Elastic Kubernetes Service label May 4, 2022
@stevehipwell

Given that this has now been blogged about from an end-user perspective, shouldn't all of the AWS images be signed by Cosign?

CC @dlorenc

@dlorenc

dlorenc commented Nov 10, 2022

I'd love to see this happen and would be willing to help out! Sorry I missed the ping @stevehipwell.

@stevehipwell

I think there are a number of repo types which would need to be covered by this; AWS internal (e.g. kube-proxy), AWS open source (e.g. AWS VPC CNI) & Kubernetes SIGs (e.g. AWS EBS CSI Driver).

@dlorenc is there a reference repo for doing this correctly? And is there an implementation in kubernetes-sigs so Prow is being used? I've got a reference implementation based purely on GitHub Actions but I didn't get the attestation working correctly.

@dlorenc

dlorenc commented Nov 11, 2022

cc @cpanato @puerco

@cpanato

cpanato commented Nov 15, 2022

@stevehipwell let's talk :) Some examples are in the sigstore repos themselves, but we see how you are using GH Actions so we can adapt. :)

In k8s we don't use Prow; we have krel and promo-tools to do the release/promotion of release artifacts.

@stevehipwell

@cpanato are there any repos in kubernetes (not kubernetes/kubernetes) or kubernetes-sigs where this has been implemented to act as patterns?

@stevehipwell

stevehipwell commented Nov 15, 2022

I think the following containers would be in scope for this (based on my own clusters), with each group potentially needing slightly different tooling and the core image signing needing to be done directly by AWS.

EKS Core Images

  • kube-proxy
  • coredns
  • pause

AWS Images

  • amazon-k8s-cni
  • amazon-k8s-cni-init
  • aws-node-termination-handler
  • karpenter

AWS Kubernetes SIGS Images

  • aws-load-balancer-controller
  • aws-ebs-csi-driver
  • aws-efs-csi-driver
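A defender-side check matching the three groups above, added here as an example (not code from this thread, from AWS or from any of the projects named): it takes the JSON that `cosign verify -o json` prints and enforces a per-group signer identity plus a digest pinned by the deployer. The registry, image paths and signer identities are placeholders, since the thread does not say who would sign each group.

```python
import json

# Expected signer per image group. PLACEHOLDER identities: the thread does not
# say who would sign each group, so these are assumptions, not real signers.
POLICY = {
    "core": {"issuer": "https://oidc.example.invalid", "subject": "eks-release@example.invalid"},
    "aws": {"issuer": "https://token.actions.githubusercontent.com", "subject_prefix": "https://github.com/aws/"},
    "sig": {"issuer": "https://token.actions.githubusercontent.com", "subject_prefix": "https://github.com/kubernetes-sigs/"},
}
# Image repository -> group, one entry per group listed above (made-up registry).
GROUPS = {
    "example.registry/eks/kube-proxy": "core",
    "example.registry/aws/amazon-k8s-cni": "aws",
    "example.registry/sigs/aws-ebs-csi-driver": "sig",
}

def repo_of(ref):
    """Strip the tag or digest from an image reference, keeping registry:port."""
    head, _, tail = ref.split("@", 1)[0].rpartition("/")
    name = tail.split(":", 1)[0]
    return head + "/" + name if head else name

def check_signature(image, pinned_digest, verify_json):
    """Validate `cosign verify -o json` output for `image`; returns (ok, reason)."""
    repo = repo_of(image)
    if repo not in GROUPS:
        return False, "image not in verification scope"
    pol = POLICY[GROUPS[repo]]
    for sig in json.loads(verify_json):
        crit, opt = sig.get("critical", {}), sig.get("optional") or {}
        if crit.get("type") != "cosign container image signature":
            continue  # attestations and other payload types are out of scope here
        if repo_of(crit.get("identity", {}).get("docker-reference", "")) != repo:
            return False, "signature bound to a different image reference"
        if crit.get("image", {}).get("docker-manifest-digest") != pinned_digest:
            return False, "signature digest does not match pinned digest"
        if opt.get("Issuer") != pol["issuer"]:
            return False, "unexpected OIDC issuer"
        subject = opt.get("Subject", "")
        if subject != pol.get("subject", subject) or not subject.startswith(pol.get("subject_prefix", "")):
            return False, "unexpected signer identity"
        return True, "ok"
    return False, "no usable signature"

# Constructed sample of what `cosign verify -o json` prints for one keyless signature.
PINNED_DIGEST = "sha256:" + "a" * 64
SAMPLE_VERIFY_OUTPUT = json.dumps([{"critical": {
    "identity": {"docker-reference": "example.registry/sigs/aws-ebs-csi-driver"},
    "image": {"docker-manifest-digest": PINNED_DIGEST}, "type": "cosign container image signature"},
    "optional": {"Issuer": "https://token.actions.githubusercontent.com",
                 "Subject": "https://github.com/kubernetes-sigs/aws-ebs-csi-driver/.github/workflows/release.yaml@refs/tags/v1.0.0"}}])
```

The digest comparison is what ties the signature to the exact manifest a cluster will pull, so the pinned value should come from the deployment manifest rather than from the registry at verification time.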

@cpanato

cpanato commented Mar 25, 2023

@cpanato are there any repos in kubernetes (not kubernetes/kubernetes) or kubernetes-sigs where this has been implemented to act as patterns?

sorry for the delay

In the K8s organization, we use promo-tools (https://github.com/kubernetes-sigs/promo-tools), which promotes the images from staging to the production registry, and during this process it signs the image.

How are your images being built? In GitHub Actions or using something internal?
I am super happy to help implement this.

@stevehipwell

@cpanato the SIGs images are likely the best place to start and could then be used as a template for the images with private builds, which would need to be implemented by AWS employees.

@vsabelli

vsabelli commented Jul 3, 2024

+1 to this very useful request!

Is there any estimated delivery for the feature?

Thank you!
