-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chains needs to be able to "Identify entry point" - SLSA L3 requirement. #521
Comments
We might need to preserve an entry in the If the entry in Thoughts? |
IIUC, this would be source information for the Run object? We don't really have a concept of that today, since all Run objects come to us directly through the k8s API.
Top level Run refs (i.e. pipelineRef, taskRef) are probably going to be the closest approximation, but really we might need something like Workflows in place first. |
From slsa spec,
For the url/digest, I am thinking the repo url/digest that triggers the pipelinerun i.e. the If so, we can teach trigger to record the config source information in the annotation of the run object so that Chains can pick up that information rather than using params. wdyt? |
Triggers are almost too generic here since they don't have a strong affinity for particular source or could have multiple sources, etc. I think workflows are meant to make this a bit more opinionated. I'm hesitant to give special meaning to a user supplied value - any ideas on how can we verify this is actually correct? Basing it off of top level refs might work, since you're only ever going to reference one source. Main downside is it wouldn't capture the Run config itself, but rather its referenced object. @dibyom (not sure if you're the best person for this - feel free to redirect) has there been any discussion around remote resolution of Run objects that might be relevant here? |
Could this be a good place to store information about the Task (for TaskRun attestations) and the Pipeline (for PipelineRun attestations) definitions? Currently, this information is not stored in the attestation at all. If a Tekton Bundle is used, this would be really useful:
I guess it would be a bit of a stretch to make those attributes meaningful for in-cluster Task/Pipeline definitions but it seems plausible. |
Could you elaborate more on "that could be a part of the signature", you mean also signing it or it can be another signature that we want to verify? |
👍 This is inline with what I was thinking with top level refs.
I actually don't think it's that far off! entrypoint is optional so we could omit it for API objects that only have 1 item, uri could be the API path (i.e.
Either or. Just wanted to call it out since it feels like a similar problem. |
The explanation for the |
Bit of a philosophical question which is why I'm on the fence here - is there meaningful difference between
There's only 1 top level ref for a pipeline (the pipeline itself might have several taskrefs, but those would apply to the tasks, not the pipeline). |
Observation / question: for human invocations of |
I'm not sure what this means :) We can resolve pipelines and tasks from a variety of places but what does it mean to resolve a run remotely? I do have a question though - The SLSA spec says the invocation field "Identifies the event that kicked off the build." while the For Tekton, this config file (i.e. the pipeline definition) could come from git, oci registry, the cluster or could even be embedded in the run. To me, it seems like the Re: for passing provenance info from the eventing/triggering side, I generally agree with @wlynch 's assesment that Workflows will make it better (probably with the eventSource field. That being said, I think we can still make progress/prototype with current Triggers. Some ideas based on chatting with @chuangw6 and @bendory
|
Agreed! This echoes what @wlynch and @lcarva said about top-level refs (i.e. source of pipeline/task definition). We can focus on this instead of trigger information. git sourcegitresolver expects from the author the exact three fields that we need for the configSource
I created this PoC to try to solve the 3 challenges. tektoncd/pipeline#5397 Please take a look. oci bundleAgreed with @lcarva 's suggestion for oci bundle. The in-cluster definitionAgreed with @wlynch said
But if the actual yaml is not in source control, do we want to consider this case and record the information in SLSA provenance? inline/embedded definitionIf pipelinerun.yaml is in source control, do we want to record its source information? catalogTODO: will follow up on this later. |
Related to tektoncd#521 and tektoncd/pipeline#5397 Prior to this PR, `invocation.configSource` section in slsa provenance was missing. In this change, we want to record the configSource information for the remote resources i.e. git, bundle, catalog. Signed-off-by: Chuang Wang <[email protected]>
Related to tektoncd#521 and tektoncd/pipeline#5397 Prior to this PR, `invocation.configSource` section in slsa provenance was missing. In this change, we want to record the configSource information for the remote resources i.e. git, bundle, catalog. Signed-off-by: Chuang Wang <[email protected]>
Related to tektoncd#521 and tektoncd/pipeline#5397 Prior to this PR, `invocation.configSource` section in slsa provenance was missing. In this change, we want to record the configSource information for the remote resources i.e. git, bundle, catalog. Signed-off-by: Chuang Wang <[email protected]>
Related to tektoncd#521 and tektoncd/pipeline#5397 Prior to this PR, `invocation.configSource` section in slsa provenance was missing. In this change, we want to record the configSource information for the remote resources i.e. git, bundle, catalog. Signed-off-by: Chuang Wang <[email protected]>
Related to tektoncd#521. Prior to this PR, `invocation.configSource` section in slsa provenance was missing. In this change, we want to record the source information in the provenance to track where the remote pipeline/task definition came from i.e. git repo, tekton bundles etc. The source information is available in PipelineRun/TaskRun `Status.Provenance` field. If a remote pipeline definition references remote task definitions from other remote places, `predicate.invocation.configSource` will record the source information of the remote pipeline definition only, and `predicate.buildConfig.tasks[x].invocation.configSource` will record the source information for individual remote task definition. Signed-off-by: Chuang Wang <[email protected]>
Related to tektoncd#521. Prior to this PR, the SLSA provenance that Chains produces did not record the source information of remote resources. In this change, we want to record the source information in the provenance to track where the remote pipeline/task definition came from i.e. git repo, tekton bundles etc. The source information is available in PipelineRun/TaskRun `Status.Provenance` field. If a remote pipeline definition references remote task definitions from other remote places, `predicate.invocation.configSource` will record the source information of the remote pipeline definition only, and `predicate.buildConfig.tasks[x].invocation.configSource` will record the source information for individual remote task definition. Signed-off-by: Chuang Wang <[email protected]>
Related to tektoncd#521. Prior to this PR, the SLSA provenance that Chains produces did not record the source information of remote resources. In this change, we want to record the source information in the provenance to track where the remote pipeline/task definition came from i.e. git repo, tekton bundles etc. The source information is available in PipelineRun/TaskRun `Status.Provenance` field. If a remote pipeline definition references remote task definitions from other remote places, `predicate.invocation.configSource` will record the source information of the remote pipeline definition only, and `predicate.buildConfig.tasks[x].invocation.configSource` will record the source information for the corresponding remote task definition. Signed-off-by: Chuang Wang <[email protected]>
Related to tektoncd#521. Prior to this PR, the SLSA provenance that Chains produces did not record the source information of remote resources. In this change, we want to record the source information in the provenance to track where the remote pipeline/task definition came from i.e. git repo, tekton bundles etc. The source information is available in PipelineRun/TaskRun `Status.Provenance` field. If a remote pipeline definition references remote task definitions from other remote places, `predicate.invocation.configSource` will record the source information of the remote pipeline definition only, and `predicate.buildConfig.tasks[x].invocation.configSource` will record the source information for the corresponding remote task definition. Signed-off-by: Chuang Wang <[email protected]>
Related to tektoncd#521. Prior to this PR, the SLSA provenance that Chains produces did not record the source information of remote resources. In this change, we want to record the source information in the provenance to track where the remote pipeline/task definition came from i.e. git repo, tekton bundles etc. The source information is available in PipelineRun/TaskRun `Status.Provenance` field. If a remote pipeline definition references remote task definitions from other remote places, `predicate.invocation.configSource` will record the source information of the remote pipeline definition only, and `predicate.buildConfig.tasks[x].invocation.configSource` will record the source information for the corresponding remote task definition. Signed-off-by: Chuang Wang <[email protected]>
Related to #521. Prior to this PR, the SLSA provenance that Chains produces did not record the source information of remote resources. In this change, we want to record the source information in the provenance to track where the remote pipeline/task definition came from i.e. git repo, tekton bundles etc. The source information is available in PipelineRun/TaskRun `Status.Provenance` field. If a remote pipeline definition references remote task definitions from other remote places, `predicate.invocation.configSource` will record the source information of the remote pipeline definition only, and `predicate.buildConfig.tasks[x].invocation.configSource` will record the source information for the corresponding remote task definition. Signed-off-by: Chuang Wang <[email protected]> Signed-off-by: Chuang Wang <[email protected]>
/close as completed by #554 |
@chuangw6: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
configSource
in predicate.invocation
Expected Behavior
The intoto attestation with SLSA predicate generated by Chains should include
configSource
section inpredicate.invocation
that is supposed to have 3 fieldsuri
,digest
andentryPoint
per SLSA spec.Actual Behavior
Chains currently doesn't set this field at all for taskrun level provenance.
Motivation
Identifies entry point is one of SLSA L3/L4 requirements on the provenance content. That requires Chains to be able to capture the source information of a remote build definition in the provenance. Remote build definition means the build script that are stored in version control (see Build as code for more details). And Tekton supports referencing a remote pipeline/task definition in a pipelinerun/taskrun via remote resolution.
Solution
Essentially, the source of truth is the Source field in a
ResolutionRequest
Status. Remote resolution reconciler is responsible for capturing the correct source value and update the status field. Next, Tekton reconcilers will fetch the value fromResolutionRequest.Status
and store it in a subfield of the Provenance field in the PipelineRun.Status (or TaskRun.Status) namedConfigSource
so that Chains can grab the information from *run status and finally record in the provenance. Note:Source
in ResolutionRequest Status andProvenancce
in *Run Status are the new fields we introduced.The following diagram shows the data flow.
Related PRs
Step 1: Introduce
Source
field in ResolutionRequest CRD status.ResolutionRequest.Status
pipeline#5529Source
field inResolutionRequest.status
pipeline#5551Step 2: Introduce a
Provenance
field in TaskRun/PipelineRun CRD status.Run.Status
pipeline#5550Step 3: Pass the config source information from Resolvers -> Pipeline reconcilers -> *Run status
*Run.Status.Provenance.ConfigSource
field pipeline#5397Step 4: Chains picks up the data from run status and records in provenance
invocation.configSource
section in slsa provenance #554Q&A
We will leverage SPIRE integration to sign the content of ResolutionRequest Status and *Run Status to guarantee the integrity. See tektoncd/pipeline#5474.
The text was updated successfully, but these errors were encountered: