Authors: Adolfo García Veytia
2021-10-15

tldr - powered by Generative AI

The presentation discusses the creation of a software bill of materials (S-BOM) for Kubernetes releases using SPDX and a custom tool.
  • The S-BOM includes source code, container images, binaries, packages, and dependencies.
  • The tool packages the S-BOM into more consumable documents for different tools to use.
  • The tool also generates an attestation file for compliance purposes.
  • Future directions include adding RPM and dev file analysis, merging efforts with the SPDX community, and adding validation and verification capabilities.
Authors: Nabarun Pal, Verónica López González, Adolfo García Veytia
2021-10-13

Software supply chains are becoming increasingly complex, especially when it comes to deploying cloud native environments securely. After refactoring the Kubernetes release process over the past years, SIG Release efforts have shifted towards three main areas of work. In this talk, Verónica, Nabarun, and Adolfo will cover all of them in depth:
  • Starting with Kubernetes v1.22, every release includes an SPDX Bill of Materials describing the source code, binaries, and all published images.
  • Automatic verification of the integrity and consistency of release artifacts as part of the Kubernetes release process.
  • Digital signing of released artifacts and signature verification of upstream images.
In the final part of the presentation, the speakers will demonstrate some of the tools that SIG Release has created, which the community can leverage today in other projects, too.