Security Self Assessment: [STRIDE-TAMPER-2] Produce an SBoM for machine images

Question

Security Self Assessment: [STRIDE-TAMPER-2] Produce an SBoM for machine images

randomvariable opened this issue 3 years ago · 11 comments

randomvariable commented 3 years ago

Describe the solution you'd like

As per the Cluster API Security Self Assessment:

Machine images used as Node OS images, can be tampered during build time, during install time and
during runtime

One mitigation:

Create SBoM of the Machine Image and verify checksum as a post build action

Additional context
cc @PushkarJ for more details

/kind feature
/area security

Answer 1 · 2022-02-16T15:10:12.000Z

@randomvariable: The label(s) area/security cannot be applied, because the repository doesn't have them.

In response to this:

Describe the solution you'd like

As per the Cluster API Security Self Assessment:

Machine images used as Node OS images, can be tampered during build time, during install time and
during runtime

One mitigation:

Create SBoM of the Machine Image and verify checksum as a post build action

Additional context
cc @PushkarJ for more details

/kind feature
/area security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Answer 2 · 2022-02-16T15:10:54.000Z

Please add an area/security label option.

Answer 3 · 2022-05-13T19:05:35.000Z

/retitle Security Self Assessment: [STRIDE-TAMPER-2] Produce an SBoM for machine images

Answer 4 · 2022-05-13T19:05:53.000Z

/area security
/sig security

Answer 5 · 2022-05-13T19:05:54.000Z

@PushkarJ: The label(s) area/security cannot be applied, because the repository doesn't have them.

In response to this:

/area security
/sig security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Answer 6 · 2022-08-11T19:20:47.000Z

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle stale
Mark this issue or PR as rotten with /lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Answer 7 · 2022-08-11T19:47:38.000Z

/remove-lifecycle stale

Answer 8 · 2022-11-09T20:32:54.000Z

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle stale
Mark this issue or PR as rotten with /lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Answer 9 · 2022-12-09T21:02:21.000Z

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

Answer 10 · 2023-01-08T21:47:19.000Z

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Reopen this issue with /reopen
Mark this issue as fresh with /remove-lifecycle rotten
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Answer 11 · 2023-01-08T21:47:23.000Z

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied

After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied

After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Reopen this issue with /reopen

Mark this issue as fresh with /remove-lifecycle rotten

Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.