Commit bf60847

Merge pull request kubernetes#3323 from saschagrunert/signing-beta
Graduate release artifact signing to beta
2 parents fb10b2b + 14ac39d commit bf60847

3 files changed

+34
-259
lines changed

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,5 @@
11
kep-number: 3031
22
alpha:
33
approver: "@ehashman"
4+
beta:
5+
approver: "@johnbelamaric"

keps/sig-release/3031-signing-release-artifacts/README.md

Lines changed: 29 additions & 230 deletions
@@ -8,6 +8,8 @@
88
- [Goals](#goals)
99
- [Non-Goals](#non-goals)
1010
- [Proposal](#proposal)
11+
- [Alpha implementation](#alpha-implementation)
12+
- [Beta graduation](#beta-graduation)
1113
- [User Stories (Optional)](#user-stories-optional)
1214
- [Risks and Mitigations](#risks-and-mitigations)
1315
- [Test Plan](#test-plan)
@@ -35,16 +37,12 @@ Items marked with (R) are required _prior to targeting to a milestone / release_
3537
- [x] (R) KEP approvers have approved the KEP status as `implementable`
3638
- [x] (R) Design details are appropriately documented
3739
- [x] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors)
38-
- [ ] e2e Tests for all Beta API Operations (endpoints)
39-
- [ ] (R) Ensure GA e2e tests for meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md)
40-
- [ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free
4140
- [x] (R) Graduation criteria is in place
42-
- [ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md)
4341
- [x] (R) Production readiness review completed
4442
- [x] (R) Production readiness review approved
4543
- [x] "Implementation History" section is up-to-date for milestone
46-
- [ ] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
47-
- [ ] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
44+
- [x] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
45+
- [x] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
4846

4947
[kubernetes.io]: https://kubernetes.io/
5048
[kubernetes/enhancements]: https://git.k8s.io/enhancements
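Review bot: the GA-only checklist items at lines 38-40 and 42 (e2e tests for beta API operations, GA conformance tests, the two-week flake-free window, all GA endpoints hit by conformance tests) are deleted outright rather than left unchecked or marked as not applicable; since this KEP signs release artifacts and adds no API surface, saying so in place (for example "- [x] (R) ... N/A: no API endpoints") keeps the template intact and records the reasoning for PRR reviewers. The two documentation items are now ticked; linking the corresponding kubernetes/website change would make those checks verifiable.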
@@ -77,7 +75,8 @@ artifacts.
7775
Every Kubernetes release produces a set of artifacts. We define artifacts as
7876
something consumable by end users. Artifacts can be binaries, container images,
7977
checksum files, documentation, provenance metadata, or the software bill of
80-
materials. None of those end-user resources are signed right now.
78+
materials (SBOM). Only the official Kubernetes container images are signed right
79+
now.
8180

8281
The overall goal of SIG Release is to unify the way how to sign artifacts. This
8382
will be done by relying on the tools of the Linux Foundations digital signing
@@ -102,6 +101,20 @@ discussions about how to utilize the existing Google infrastructure as well as
102101
consider utilizing keyless signing via workload identities. Nevertheless, this
103102
KEP focuses more on the "What" aspects rather than the "How".
104103

104+
### Alpha implementation
105+
106+
The alpha phase of the proposal is about signing the official Kubernetes
107+
container images and providing a minimum infrastructure to achieve that goal.
108+
109+
### Beta graduation
110+
111+
Graduation the KEP to beta means that we will now sign all artifacts which got
112+
created during the release process. This includes binary artifacts, source code
113+
tarballs, documentation and the SBOM.
114+
115+
This explicitly exudes the provenance data, which will be signed into a
116+
different location once we graduate the feature to GA.
117+
105118
### User Stories (Optional)
106119

107120
- As an end user, I would like to be able to verify the Kubernetes release
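Review bot: two wording slips in the new Beta graduation section: "Graduation the KEP to beta" should read "Graduating the KEP to beta", and "This explicitly exudes the provenance data" should be "excludes". More substantively, "signed into a different location" is unclear; state where the provenance data will be published and signed, or defer that detail to the GA criteria. The section lists what gets signed (binaries, source tarballs, documentation, SBOM) but not how an end user verifies a signature, which is exactly the user story that follows; a short pointer to the verification procedure or its documentation would close that gap.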
@@ -146,13 +159,15 @@ feedback.
146159

147160
#### Beta
148161

149-
- Standard Kubernetes release artifacts (binaries and container images) are
162+
- Standard Kubernetes release artifacts (binaries, container images, etc.) are
150163
signed.
151164

152165
#### GA
153166

154167
- All Kubernetes artifacts are signed. This does exclude everything which gets
155168
build outside of the main Kubernetes repository.
169+
- Kubernetes owned infrastructure is used for the signing (root trust) and
170+
verification (transparency log) process.
156171

157172
## Production Readiness Review Questionnaire
158173

@@ -185,240 +200,23 @@ No, not on a cluster level. We test the signatures during the release process.
185200

186201
### Rollout, Upgrade and Rollback Planning
187202

188-
<!--
189-
This section must be completed when targeting beta to a release.
190-
-->
191-
192-
###### How can a rollout or rollback fail? Can it impact already running workloads?
193-
194-
<!--
195-
Try to be as paranoid as possible - e.g., what if some components will restart
196-
mid-rollout?
197-
198-
Be sure to consider highly-available clusters, where, for example,
199-
feature flags will be enabled on some API servers and not others during the
200-
rollout. Similarly, consider large clusters and how enablement/disablement
201-
will rollout across nodes.
202-
-->
203-
204-
###### What specific metrics should inform a rollback?
205-
206-
<!--
207-
What signals should users be paying attention to when the feature is young
208-
that might indicate a serious problem?
209-
-->
210-
211-
###### Were upgrade and rollback tested? Was the upgrade->downgrade->upgrade path tested?
212-
213-
<!--
214-
Describe manual testing that was done and the outcomes.
215-
Longer term, we may want to require automated upgrade/rollback tests, but we
216-
are missing a bunch of machinery and tooling and can't do that now.
217-
-->
218-
219-
###### Is the rollout accompanied by any deprecations and/or removals of features, APIs, fields of API types, flags, etc.?
220-
221-
<!--
222-
Even if applying deprecation policies, they may still surprise some users.
223-
-->
203+
Not required.
224204

225205
### Monitoring Requirements
226206

227-
<!--
228-
This section must be completed when targeting beta to a release.
229-
-->
230-
231-
###### How can an operator determine if the feature is in use by workloads?
232-
233-
<!--
234-
Ideally, this should be a metric. Operations against the Kubernetes API (e.g.,
235-
checking if there are objects with field X set) may be a last resort. Avoid
236-
logs or events for this purpose.
237-
-->
238-
239-
###### How can someone using this feature know that it is working for their instance?
240-
241-
<!--
242-
For instance, if this is a pod-related feature, it should be possible to determine if the feature is functioning properly
243-
for each individual pod.
244-
Pick one more of these and delete the rest.
245-
Please describe all items visible to end users below with sufficient detail so that they can verify correct enablement
246-
and operation of this feature.
247-
Recall that end users cannot usually observe component logs or access metrics.
248-
-->
249-
250-
- [ ] Events
251-
- Event Reason:
252-
- [ ] API .status
253-
- Condition name:
254-
- Other field:
255-
- [ ] Other (treat as last resort)
256-
- Details:
257-
258-
###### What are the reasonable SLOs (Service Level Objectives) for the enhancement?
259-
260-
<!--
261-
This is your opportunity to define what "normal" quality of service looks like
262-
for a feature.
263-
264-
It's impossible to provide comprehensive guidance, but at the very
265-
high level (needs more precise definitions) those may be things like:
266-
- per-day percentage of API calls finishing with 5XX errors <= 1%
267-
- 99% percentile over day of absolute value from (job creation time minus expected
268-
job creation time) for cron job <= 10%
269-
- 99.9% of /health requests per day finish with 200 code
270-
271-
These goals will help you determine what you need to measure (SLIs) in the next
272-
question.
273-
-->
274-
275-
###### What are the SLIs (Service Level Indicators) an operator can use to determine the health of the service?
276-
277-
<!--
278-
Pick one more of these and delete the rest.
279-
-->
280-
281-
- [ ] Metrics
282-
- Metric name:
283-
- [Optional] Aggregation method:
284-
- Components exposing the metric:
285-
- [ ] Other (treat as last resort)
286-
- Details:
287-
288-
###### Are there any missing metrics that would be useful to have to improve observability of this feature?
289-
290-
<!--
291-
Describe the metrics themselves and the reasons why they weren't added (e.g., cost,
292-
implementation difficulties, etc.).
293-
-->
207+
Not required.
294208

295209
### Dependencies
296210

297-
<!--
298-
This section must be completed when targeting beta to a release.
299-
-->
300-
301-
###### Does this feature depend on any specific services running in the cluster?
302-
303-
<!--
304-
Think about both cluster-level services (e.g. metrics-server) as well
305-
as node-level agents (e.g. specific version of CRI). Focus on external or
306-
optional services that are needed. For example, if this feature depends on
307-
a cloud provider API, or upon an external software-defined storage or network
308-
control plane.
309-
310-
For each of these, fill in the following—thinking about running existing user workloads
311-
and creating new ones, as well as about cluster-level services (e.g. DNS):
312-
- [Dependency name]
313-
- Usage description:
314-
- Impact of its outage on the feature:
315-
- Impact of its degraded performance or high-error rates on the feature:
316-
-->
211+
Not required.
317212

318213
### Scalability
319214

320-
<!--
321-
For alpha, this section is encouraged: reviewers should consider these questions
322-
and attempt to answer them.
323-
324-
For beta, this section is required: reviewers must answer these questions.
325-
326-
For GA, this section is required: approvers should be able to confirm the
327-
previous answers based on experience in the field.
328-
-->
329-
330-
###### Will enabling / using this feature result in any new API calls?
331-
332-
<!--
333-
Describe them, providing:
334-
- API call type (e.g. PATCH pods)
335-
- estimated throughput
336-
- originating component(s) (e.g. Kubelet, Feature-X-controller)
337-
Focusing mostly on:
338-
- components listing and/or watching resources they didn't before
339-
- API calls that may be triggered by changes of some Kubernetes resources
340-
(e.g. update of object X triggers new updates of object Y)
341-
- periodic API calls to reconcile state (e.g. periodic fetching state,
342-
heartbeats, leader election, etc.)
343-
-->
344-
345-
###### Will enabling / using this feature result in introducing new API types?
346-
347-
<!--
348-
Describe them, providing:
349-
- API type
350-
- Supported number of objects per cluster
351-
- Supported number of objects per namespace (for namespace-scoped objects)
352-
-->
353-
354-
###### Will enabling / using this feature result in any new calls to the cloud provider?
355-
356-
<!--
357-
Describe them, providing:
358-
- Which API(s):
359-
- Estimated increase:
360-
-->
361-
362-
###### Will enabling / using this feature result in increasing size or count of the existing API objects?
363-
364-
<!--
365-
Describe them, providing:
366-
- API type(s):
367-
- Estimated increase in size: (e.g., new annotation of size 32B)
368-
- Estimated amount of new objects: (e.g., new Object X for every existing Pod)
369-
-->
370-
371-
###### Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs?
372-
373-
<!--
374-
Look at the [existing SLIs/SLOs].
375-
376-
Think about adding additional work or introducing new steps in between
377-
(e.g. need to do X to start a container), etc. Please describe the details.
378-
379-
[existing SLIs/SLOs]: https://git.k8s.io/community/sig-scalability/slos/slos.md#kubernetes-slisslos
380-
-->
381-
382-
###### Will enabling / using this feature result in non-negligible increase of resource usage (CPU, RAM, disk, IO, ...) in any components?
383-
384-
<!--
385-
Things to keep in mind include: additional in-memory state, additional
386-
non-trivial computations, excessive access to disks (including increased log
387-
volume), significant amount of data sent and/or received over network, etc.
388-
This through this both in small and large cases, again with respect to the
389-
[supported limits].
390-
391-
[supported limits]: https://git.k8s.io/community//sig-scalability/configs-and-limits/thresholds.md
392-
-->
215+
Not required.
393216

394217
### Troubleshooting
395218

396-
<!--
397-
This section must be completed when targeting beta to a release.
398-
399-
The Troubleshooting section currently serves the `Playbook` role. We may consider
400-
splitting it into a dedicated `Playbook` document (potentially with some monitoring
401-
details). For now, we leave it here.
402-
-->
403-
404-
###### How does this feature react if the API server and/or etcd is unavailable?
405-
406-
###### What are other known failure modes?
407-
408-
<!--
409-
For each of them, fill in the following information by copying the below template:
410-
- [Failure mode brief description]
411-
- Detection: How can it be detected via metrics? Stated another way:
412-
how can an operator troubleshoot without logging into a master or worker node?
413-
- Mitigations: What can be done to stop the bleeding, especially for already
414-
running user workloads?
415-
- Diagnostics: What are the useful log messages and their required logging
416-
levels that could help debug the issue?
417-
Not required until feature graduated to beta.
418-
- Testing: Are there any tests for failure mode? If not, describe why.
419-
-->
420-
421-
###### What steps should be taken if SLOs are not being met to determine the problem?
219+
Not required.
422220

423221
## Drawbacks
424222

@@ -432,5 +230,6 @@ For each of them, fill in the following information by copying the below templat
432230

433231
## Implementation History
434232

233+
- 2022-05-30 Graduate to beta
435234
- 2022-01-27 Updated to contain test plan and correct milestones
436235
- 2021-11-29 Initial Draft

keps/sig-release/3031-signing-release-artifacts/kep.yaml

Lines changed: 3 additions & 29 deletions
@@ -14,36 +14,10 @@ reviewers:
1414
approvers:
1515
- "@cpanato"
1616
- "@justaugustus"
17-
18-
##### WARNING !!! ######
19-
# prr-approvers has been moved to its own location
20-
# You should create your own in keps/prod-readiness
21-
# Please make a copy of keps/prod-readiness/template/nnnn.yaml
22-
# to keps/prod-readiness/sig-xxxxx/00000.yaml (replace with kep number)
23-
#prr-approvers:
24-
25-
# see-also:
26-
# - "/keps/sig-aaa/1234-we-heard-you-like-keps"
27-
# - "/keps/sig-bbb/2345-everyone-gets-a-kep"
28-
# replaces:
29-
# - "/keps/sig-ccc/3456-replaced-kep"
30-
31-
# The target maturity stage in the current dev cycle for this KEP.
32-
stage: alpha
33-
34-
# The most recent milestone for which work toward delivery of this KEP has been
35-
# done. This can be the current (upcoming) milestone, if it is being actively
36-
# worked on.
37-
latest-milestone: "v1.24"
38-
39-
# The milestone at which this feature was, or is targeted to be, at each stage.
17+
stage: beta
18+
latest-milestone: "v1.25"
4019
milestone:
4120
alpha: "v1.24"
42-
# beta: "v1.20"
21+
beta: "v1.25"
4322
# stable: "v1.22"
44-
4523
disable-supported: true
46-
47-
# The following PRR answers are required at beta release
48-
# metrics:
49-
# - my_feature_metric
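Review bot: the change also drops the "# The following PRR answers are required at beta release" / "# metrics:" block; if no metrics apply, keep a one-line comment saying so rather than deleting the reminder silently. "disable-supported: true" is carried over from alpha; for a release-pipeline feature the KEP should say what disabling means in practice (producing an unsigned release?) so the value is meaningful to PRR reviewers. Removing the template boilerplate and moving stage, latest-milestone and the beta milestone to v1.25 is consistent with the README changes.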
