Task Page for Verifying Signed Images

[PushkarJ]

Supersedes #31611
In support of kubernetes/release#2383
Relevant KEP: kubernetes/enhancements#3031
/sig security release docs
Notes:

• All images in a release are assumed to be signed
• The script points to the latest release by default
• List of images is pulled from SBOM

/cc @saschagrunert @puerco @sftim

[netlify]

👷 Deploy Preview for kubernetes-io-vnext-staging processing.

Name	Link
🔨 Latest commit	a93833c
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/62545a4b95cf6a0009c3ace4

[PushkarJ]

Fixes #31420
(forgot this earlier)

[jihoon-seo]

Some nits. PTAL 😊

[PushkarJ]

@saschagrunert @jihoon-seo updated as per your feedback

[saschagrunert]

/lgtm

Thanks for working on this @PushkarJ!

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 5e19f3a9de514ef0f36d65f316ed3ce1e22ee44e

[PushkarJ]

For components that aren't available as container images, do we provide an official way to verify those yet? If not, I recommend mentioning that no official mechanism is available there, so that people don't have to read source code etc to answer that question.

I think the MVP issue documents the scope is restricted to images only. Will let @saschagrunert chime in on if this would be useful to document as current limitation.

@sftim I have also addressed all the rest of the comments.

[puerco]

@sftim: @PushkarJ is right, it's probable we will not get the other artifacts signed for 1.24. It makes sense to leave out the other verification types for now.

[sftim]

leave out the other verification types for now

From a docs point of view, it's useful to let people know what things aren't covered. When we explain that, we try to avoid statements about the future.

Phrasing like

For Kubernetes v{{< skew currentVersion >}}, the only kind of code artifact that you can verify integrity for is a container image, using the experimental signing support.

for example (using v{{< skew currentVersion >}} so that if eg nothing changes for the v1.25 release, the docs remain relevant).

[PushkarJ]

Updated the download.md file with the text suggested by @sftim

[chrisnegus]

Hello, this is a friendly reminder from the 1.24 docs release team that the Docs’ complete deadline — All PRs reviewed and ready to merge — is EOD Tuesday, April 12th, 2022. Please finish up any remaining technical reviews and edits, and reach out if you need any help.

[saschagrunert]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 9abcb47d41c4749f5556ee2f848efaa1f8e34984

[nate-double-u]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nate-double-u, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/OWNERS [nate-double-u]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[saschagrunert]

@sftim can we lift the hold?

[chrisnegus]

/unhold

[sftim]

@PushkarJ did you try this out with the beta release? How did it go?

[sftim]

We shouldn't have merged this - level 1 headings aren't allowed in our Markdown.

[saschagrunert]

Follow-up in #32895

[saschagrunert]

Now I saw #32896

[PushkarJ]

@PushkarJ did you try this out with the beta release? How did it go?

I did not get a chance to test it before this was unheld and merged, since rc.0 is going to be first release with signed images ETA April 19 :( Either way seems unlikely we may need major overhaul of the script or guide.

[PushkarJ]

@sftim just confirmed that the shell script works, but I think adding | jq is giving better looking results. Is it still possible to update this page? Demo: https://asciinema.org/a/488826