Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SLSA Level 3 Compliance in the Kubernetes Release Process #3027

Open
puerco opened this issue Oct 30, 2021 · 25 comments
Open

SLSA Level 3 Compliance in the Kubernetes Release Process #3027

puerco opened this issue Oct 30, 2021 · 25 comments
Labels
area/release-eng Issues or PRs related to the Release Engineering subproject lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. sig/release Categorizes an issue or PR as relevant to SIG Release.

Comments

@puerco
Copy link
Member

puerco commented Oct 30, 2021
edited
Loading

Enhancement Description

  • One-line enhancement description (can be used as a release note): SLSA compliance for the Kubernetes release process
  • Kubernetes Enhancement Proposal:
  • Discussion Link:
  • Primary contact (assignee): @puerco
  • Responsible SIGs: SIG Release
  • Enhancement target (which target equals to which milestone):
    • SLSA Level 1: 1.23
    • SLSA Level 2: 1.24
    • SLSA Level 3: 1.25

    /sig release
    /cc @kubernetes/sig-release-leads @kubernetes/release-managers @kubernetes/release-engineering

    Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.
@k8s-ci-robot k8s-ci-robot added the sig/release Categorizes an issue or PR as relevant to SIG Release. label Oct 30, 2021
@saschagrunert
Copy link
Member

saschagrunert commented Nov 2, 2021
edited
Loading

/area release-eng
refers to kubernetes/sig-release#1724, #3031

@k8s-ci-robot k8s-ci-robot added the area/release-eng Issues or PRs related to the Release Engineering subproject label Nov 2, 2021
@saschagrunert saschagrunert mentioned this issue Nov 2, 2021
Closed
7 tasks
@puerco puerco mentioned this issue Nov 18, 2021
Merged
@saschagrunert
Copy link
Member

The initial draft of the sining KEP is proposed in #3061

@tpepper
Copy link
Member

tpepper commented Nov 30, 2021

Given the unknown unknowns, and the context of a SIG Release 2021 (and beyond) vision/roadmap, I believe it would make sense to set a more concrete and limited scope first KEP for "SLSA Level 3 Compliance". Level four feels notably harder to accomplish in many contexts (but I'm hopeful it wont be tremendously hard in our specific context, maybe naive?). Level three feels readily attainable for the Kubernetes project. And even at that it will also take a considerable amount of effort and time while also bringing into high clarity what would actually be required for level four compliance.

This would also have the benefit of removing the ambiguous split graduation criteria currently in https://github.com/kubernetes/enhancements/pull/3051/files#diff-1f8352f993f9069e41c3ce0f07a3e5ae5c6f58b87acf834b8cf9099fbc6fcc68R379

And it sets a high bar while allowing a reasonable time bound on expected delivery. "SLSA compliance" without a number in the phrase can mean anything from "SLSA level-0 compliant" up to "SLSA level-4 compliant", and I very much hope we intend to do more than level 0.

@puerco puerco changed the title SLSA Compliance in the Kubernetes Release Process SLSA Level 3 Compliance in the Kubernetes Release Process Dec 10, 2021
@puerco
Copy link
Member Author

puerco commented Dec 10, 2021

Thanks for the comments @tpepper. I agree completely. I did not want to give up before declaring level 4 as unimplementable, but I agree that for now, it is not realistic to consider it. But we can always finish this and push forward.

I've retitled the KEP and scoped it to level 3. I have also removed the dual graduation criteria. Thank you !

@dlorenc
Copy link

dlorenc commented Dec 10, 2021

I'd agree with this - SLSA4 was designed to be very aspirational from the start. Just my personal take - but I'd either expect some intermediate levels or massive changes in tooling to pop up before SLSA4 is realistic for most projects.

@JimBugwadia JimBugwadia mentioned this issue Jan 28, 2022
Closed
@justaugustus justaugustus mentioned this issue Feb 23, 2022
Closed
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 10, 2022
@puerco
Copy link
Member Author

puerco commented Mar 10, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 10, 2022
@matglas matglas mentioned this issue Apr 28, 2022
Merged
@github-actions github-actions bot mentioned this issue May 6, 2022
Open
@mlieberman85
Copy link

Related proposal from CNCF that might be able to help here: cncf/tag-security#890

@saschagrunert
Copy link
Member

We still have to define which deliverables will land in v1.25, especially in combination with the signing KEP.

@mlieberman85 mlieberman85 mentioned this issue May 31, 2022
Closed
12 tasks
@saschagrunert saschagrunert mentioned this issue Jun 8, 2022
Closed
15 tasks
@puerco puerco mentioned this issue Jul 25, 2022
Closed
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 25, 2022
@ameukam
Copy link
Member

ameukam commented Aug 25, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 25, 2022
@saschagrunert saschagrunert mentioned this issue Oct 12, 2022
Merged
@tracymiranda tracymiranda mentioned this issue Nov 14, 2022
Open
6 tasks
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 23, 2022
@xmudrii
Copy link
Member

xmudrii commented Nov 23, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 23, 2022
@saschagrunert
Copy link
Member

@puerco are there any bits we want to achieve in v1.27?

@saschagrunert saschagrunert mentioned this issue Mar 27, 2023
Merged
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 12, 2023
@pjbgf
Copy link
Member

pjbgf commented Apr 13, 2023

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 13, 2023
@mlieberman85
Copy link

Just an FYI, because some folks have missed the announcements. If all goes as planned SLSA 1.0 releases on April 19th, 2023. There are a few changes to what SLSA 3 compliance would look like. See release candidate 2: https://slsa.dev/spec/v1.0-rc2/

The SLSA community is also interested in helping out anyway we can in helping making the adoption of SLSA 3 v1.0 as simple and straightforward as possible. How can we help? Are there meetings we should attend?

@mlieberman85 mlieberman85 mentioned this issue Apr 13, 2023
Open
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 12, 2023
@xmudrii
Copy link
Member

xmudrii commented Jul 12, 2023

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 12, 2023
@saschagrunert saschagrunert mentioned this issue Nov 14, 2023
Open
@lasomethingsomething lasomethingsomething mentioned this issue Dec 8, 2023
Open
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 24, 2024
@xmudrii
Copy link
Member

xmudrii commented Jan 24, 2024

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 24, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 23, 2024
@xmudrii
Copy link
Member

xmudrii commented Apr 23, 2024

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 23, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 22, 2024
@xmudrii
Copy link
Member

xmudrii commented Jul 22, 2024

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jul 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/release-eng Issues or PRs related to the Release Engineering subproject lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. sig/release Categorizes an issue or PR as relevant to SIG Release.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@mlieberman85 @saschagrunert @dlorenc @ameukam @tpepper @puerco @pjbgf @xmudrii @k8s-ci-robot @k8s-triage-robot