Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Spike: Do we verify the image digest and does the reference actually exist #1131

Open
4 tasks
LappleApple opened this issue Dec 8, 2023 · 4 comments
Open
4 tasks

Spike: Do we verify the image digest and does the reference actually exist #1131

LappleApple opened this issue Dec 8, 2023 · 4 comments

Comments

@LappleApple
Copy link

LappleApple commented Dec 8, 2023
edited

Comes after #1129. Will be the technical follow-up/the "how" for the image promotion process

Objective

  • Support the goal of breaking up the image promoter monolith by investigating the questions raised below

Questions to answer

  • Describe/document the current process for verifying whether the image digest and reference exists, and evaluate:
    - Did we create an image using appropriate tools and process?
    - Would scanning for CVEs be a blocker?
    - If yes, could we require provenance?
    - Would infra in staging help make it faster than a complete image push/pull? Not in place today.
    - How could we ensure that the SHA is valid?
    - How do we scan the image for any high or critical CVE?

Note: Be sure to actively seek other questions from members of SIG Release and other relevant SIGs as part of your research.

Steps

  • Present a 1-2 page proposal describing the necessary implementation steps and listing pros/cons/tradeoffs
  • Seek input from SIG members and achieve buy-in so the group can reach consensus and move forward

Context and things to think about while working on this task

  • There is verification of the digests. Someone opens a PR => link to the created build. People use this link as proof for digests they want to promote.
  • PR => creates list of digests. No real way for reviewers of the PR to verify. Can be done manually but most reviewers will just approve the PR.
  • Relates to the "Validating signatures from staging in parallel" workflow step
  • We currently have no way to verify the SHA of an image.
  • We delegate responsibility for establishing which image to put in prod but we don't verify the image provenance--coming from stg container registry.
  • We know the source of an image, but we don't verify what is published.
  • Any maintainer could do the promotion. Nothing prevents maintainer w/access to staging repo from pushing something that could impact the registry.

Image

Image
@LappleApple LappleApple changed the title Spike: Do weverify the image digest and does the reference actually exists Spike: Do we verify the image digest and does the reference actually exists Dec 8, 2023
@LappleApple LappleApple changed the title Spike: Do we verify the image digest and does the reference actually exists Spike: Do we verify the image digest and does the reference actually exist Dec 8, 2023
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 17, 2024
@xmudrii
Copy link
Member

xmudrii commented Mar 17, 2024

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 17, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 15, 2024
@xmudrii
Copy link
Member

xmudrii commented Jun 17, 2024

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@LappleApple @xmudrii @k8s-ci-robot @k8s-triage-robot