Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SLSA Compliance: Check provenance before accepting staged artifacts #2283

Merged
merged 9 commits into from
Oct 7, 2021
Merged

SLSA Compliance: Check provenance before accepting staged artifacts #2283

merged 9 commits into from
Oct 7, 2021

Conversation

puerco
Copy link
Member

@puerco puerco commented Oct 7, 2021

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR modifies the anago/release to verify the provenance metadata describing the artifacts stored in the release bucket during staging. To do so, it introduces a new ProvenanceChecker object which is used by anago.Release to validate all artifacts staged by the build against the in-toto attestation written during stage.

Which issue(s) this PR fixes:

Part of: #2267

Special notes for your reviewer:

  • This PR includes commit d14061d which changes the provenance error to just a warning to avoid failing a release when metadata is incorrect. This commit is to be kept in place while SLSA compliance code is under development. Once the SLSA effort is done, it must be reverted. An example for this commit is that while I was writing this PR, I noticed that the current metadata generation has a flaw. Paths to the staged container image tarballs are wrong, so checking will fail so we need to only warn for now.

  • Another important consideration is that in order to verify the provenance metadata, (at least for now) we have to pull all artifacts from the bucket to the GCB workspace. Let's discuss here if there are other possible approaches to this problem.

Does this PR introduce a user-facing change?

- Artifacts are now verified against the in-toto attestation produced during the staging phase of a release. If validation fails, for now only a warning is reported in the logs. Future builds will abort execution right after validation.
- New `ProvenanceChecker` object in the `release` package to enable release runs to verify provenance metadata.
- The `provenance.Statement` object which abstracts in-toto attestations can now read attestations from JSON files and clone predicates from other attestations.

puerco added 9 commits October 7, 2021 00:17
@puerco
provenance: Add LoadStatement() func
b1ac7e0 
Add a function to read statements from files

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
provenance: Add Test data
89f2f92 
Add some provenance files to use during tests

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
provenance: Add ClonePredicate() function
55af30b 
This functions allow reading a provenance file and clone its predicate
to a new statement.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
generate: anago/release fakes
1bedb44 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
anago/release: CheckProvenance()
2542696 
This commit adds a new stage to anago/stage: CheckProvenance()

This new step checks all staged artifacts during staging to ensure
they match the in-toto attestation metadata produced and stored with
them durin stage.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
provenance: statment.VerifySubjects()
e66f5f3 
This commit adds a new function to the provenance statement object to
verify the contents of its subject against a directory tree.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
release: ProvenanceChecker object
b77937c 
This code introduces a new object:  ProvenanceChecker which will
be used to concentrate the provenance functionality in the release
process. In this first iteration it introduces one sole function:
`CheckStageProvenance()` that verifies the staged artifacts in
the release bucket.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
VerifySubjects unit test
e497944 
Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@puerco
Only warn on SLSA provenance errors
d14061d 
This commit modifies the call to CheckProvenance() during release. For
now, we will treat provenance errors as non-fatal and warn in the
release process log.

Once we finish testing and implementing SLSA1 support, this commit
should be reverted to reenable failing the build when the provenance
metadata does not match the staged artifacts.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. needs-priority cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Oct 7, 2021
@puerco puerco added this to the v1.23 milestone Oct 7, 2021
@k8s-ci-robot k8s-ci-robot added area/release-eng Issues or PRs related to the Release Engineering subproject sig/release Categorizes an issue or PR as relevant to SIG Release. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 7, 2021
@puerco
Copy link
Member Author

puerco commented Oct 7, 2021

OK, here is a point to consider: To verify the provenance of the staged artifacts, we need to have them at hand. This means that before the release phase can proceed, the run in GCB will have to download everything from the staging bucket. Currently, this means rsyncing ~14 GB per released tag down to the GCB workspace. This is a considerable volume to move and will have an impact on the Release Manager's time needed to cut a release.

I've been thinking of ways to avoid copying the release from the bucket, but I think there is no way around it. Any other ideas @kubernetes/release-engineering ?

@puerco puerco mentioned this pull request Oct 7, 2021
Closed
15 tasks
Verolop
Verolop approved these changes Oct 7, 2021
View reviewed changes
Copy link
Contributor

@Verolop Verolop left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

reviewed it, everything looks good to me for now, but would be curious to see if anyone has any opinions around the downloaded artifacts size

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 7, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: puerco, Verolop

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 6eea9b4 into kubernetes:master Oct 7, 2021
@puerco puerco mentioned this pull request Oct 24, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Verolop Verolop Verolop approved these changes

@cpanato cpanato Awaiting requested review from cpanato

@xmudrii xmudrii Awaiting requested review from xmudrii

Assignees

@Verolop Verolop

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/release-eng Issues or PRs related to the Release Engineering subproject cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/release Categorizes an issue or PR as relevant to SIG Release. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
v1.23
Development

Successfully merging this pull request may close these issues.
3 participants
@puerco @k8s-ci-robot @Verolop