Story
Resolution: Unresolved
Story (Required)
As a developer trying to securely build my container images I want Shipwright's build instructions to be immutable and protected from potential external influences.
Background (Required)
To meet SLSA Build Level 3, the build platform must meet the following "isolated" requirement:
The build platform ensured that the build steps ran in an isolated environment, free of unintended external influence. In other words, any external influence on the build was specifically requested by the build itself. This MUST hold true even between builds within the same tenant project.
Shipwright's `BuildStrategy` implementation does not currently meet this criterion, because the build steps defined in a build strategy are stored as a mutable object on Kubernetes. An attacker who obtains permission to edit a `BuildStrategy` or `ClusterBuildStrategy` can externally influence the behavior of a build outside of the user's intent.
Shipwright should provide a mechanism to build containers with an immutable build strategy whose contents are obtained from a content-addressable location. Examples include:
- A file stored in a git repository, at a particular revision/sha
- A file within an OCI artifact, stored in a container registry and pullable by digest
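The property this story asks for, a strategy document fetched from a content-addressable location and verified against its pinned digest before it may drive a build, as an added Go example that is not Shipwright code; the `<location>@sha256:<hex>` reference form and the in-memory store are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// Fetcher retrieves the bytes at a location (a registry blob, a file in a git tree, ...).
type Fetcher func(location string) ([]byte, error)

// parsePinnedRef splits a hypothetical "<location>@sha256:<hex>" reference and refuses one
// without a digest: a bare tag or branch can be repointed later, which is the external influence SLSA L3 isolation forbids.
func parsePinnedRef(ref string) (location, digest string, err error) {
	loc, dig, ok := strings.Cut(ref, "@sha256:")
	if !ok || loc == "" || len(dig) != sha256.Size*2 {
		return "", "", fmt.Errorf("reference %q is not pinned as <location>@sha256:<digest>", ref)
	}
	return loc, dig, nil
}

// ResolveStrategy fetches the strategy document and verifies it against the pinned digest
// before it may drive a build, so content swapped at the same location is rejected.
func ResolveStrategy(ref string, fetch Fetcher) ([]byte, error) {
	loc, want, err := parsePinnedRef(ref)
	if err != nil {
		return nil, err
	}
	content, err := fetch(loc)
	if err != nil {
		return nil, err
	}
	if got := fmt.Sprintf("%x", sha256.Sum256(content)); got != want {
		return nil, fmt.Errorf("content at %s hashes to %s, pinned digest is %s", loc, got, want)
	}
	return content, nil
}

func main() {
	// Constructed sample: an in-memory store stands in for a registry or git host.
	strategy := []byte("# constructed strategy document\nsteps:\n  - name: build\n")
	store := map[string][]byte{"registry.example/strategies/demo": strategy}
	fetch := func(loc string) ([]byte, error) { return store[loc], nil }
	ref := fmt.Sprintf("registry.example/strategies/demo@sha256:%x", sha256.Sum256(strategy))
	_, err := ResolveStrategy(ref, fetch)
	fmt.Println("pinned strategy accepted:", err == nil)
	store["registry.example/strategies/demo"] = append(strategy, "  - name: injected\n"...)
	_, err = ResolveStrategy(ref, fetch)
	fmt.Println("strategy edited in place after pinning is rejected:", err != nil)
}
```

A mutable Kubernetes object has no equivalent check: whoever can edit it changes what the build runs without the reference ever changing.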
Describe alternatives you have considered.
Allow build strategies to be derived from Tekton tasks/pipelines, which can be sourced from a Git repository or OCI artifact: https://github.com/shipwright-io/build/issues/1578
Anything else?
SLSA v1.2 build track requirements: https://slsa.dev/spec/v1.2/build-requirements#follow-a-consistent-build-process