[PROPOSAL] general purpose kubernetes taxonomy KBOM #59

Open
itaysk opened this issue Jun 7, 2023 · 9 comments · May be fixed by #61
Labels
help wanted Extra attention is needed idea

Comments

@itaysk

itaysk commented Jun 7, 2023

We're working on mapping Kubernetes cluster composition as a BOM (aka "KBOM"). For that, we want to use properties to designate cluster components' roles and attributes that are meaningful for understanding the cluster composition.
For example, here's a snippet from a generated KBOM that describes a Kubernetes API Server component:

    {
      "bom-ref": "e86fd8d5-c302-4c44-b1b2-833b97540f13",
      "type": "application",
      "name": "kube-apiserver-kind-control-plane",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "0"
        },
        {
          "name": "aquasecurity:trivy:k8s:controlplane_components",
          "value": "apiserver"
        }
      ]
    }

We're proposing to register a kubernetes namespace for the Kubernetes-specific metadata.
As for usage, for now we are following the Kubernetes taxonomy as defined here: https://kubernetes.io/docs/concepts/overview/components/
This means we will add:

  1. kubernetes:controlplane_component
  2. kubernetes:node_component
  3. kubernetes:addon

If this is acceptable, I'll create a PR with the namespace reservation and initial documentation.

@jkowalleck
Member

jkowalleck commented Jun 7, 2023

I like the idea in general, but ...
My thoughts:

  • Who would own this kubernetes namespace, then? Is there any org or a general committee? Did you get in touch with Kubernetes (Cloud Native Computing Foundation)? Maybe they have such a thing already.
  • Where is the taxonomy for this namespace? Just having it registered/reserved and having no FFA taxonomy serves no purpose. So as long as there are no peer-reviewed and generally agreed taxonomy details, I'd veto this proposal.
  • I am concerned that this would create a non-standard nobody would use, so there should be consensus about the details of this taxonomy first.

@jkowalleck jkowalleck changed the title Kubernetes namespace PROPOSAL: general purpose kubernetes taxonomy Jun 7, 2023
@jkowalleck jkowalleck added the idea label Jun 7, 2023
@jkowalleck jkowalleck changed the title PROPOSAL: general purpose kubernetes taxonomy [PROPOSAL] general purpose kubernetes taxonomy Jun 7, 2023
@stevespringett
Member

@jkowalleck one possibility is to put this under the cdx namespace in the same way we support maven, go, and npm today.

@itaysk
Author

itaysk commented Jun 7, 2023

Thanks for the feedback. I'll follow your guidance here. I could kickstart the discussion with the kubernetes community if needed, but if you think a cdx subsection is better, that's fine with us.

@jkowalleck
Member

jkowalleck commented Jun 11, 2023

@itaysk, would you draft a pull request introducing the namespace cdx:kubernetes?
This could kick-start a discussion about details and help anybody to understand your idea and goals.

FYI for the container images there is a similar request for standardization: #36

@itaysk itaysk linked a pull request Jun 17, 2023 that will close this issue
@jkowalleck jkowalleck added the help wanted Extra attention is needed label Jun 28, 2023
@jkowalleck jkowalleck pinned this issue Jul 1, 2023
This was referenced Jul 1, 2023
@jkowalleck
Member

jkowalleck commented Jul 1, 2023

KSOC also has a Kubernetes taxonomy: https://github.com/ksoclabs/kbom/blob/main/docs/taxonomy.md
I asked for cooperation to join efforts.

@itaysk
Author

itaysk commented Jul 1, 2023

+1, we (Aqua Trivy) would love to collaborate on this.
From a quick look at the KSOC taxonomy, it seems there's no overlap with what Trivy defined, which is a good thing since it will be easy to agree :)

@jkowalleck jkowalleck changed the title [PROPOSAL] general purpose kubernetes taxonomy [PROPOSAL] general purpose kubernetes taxonomy KBOM Jul 3, 2023
@jkowalleck
Member

just saw the title, thought this might help here:
https://blog.aquasec.com/scanning-kbom-for-vulnerabilities-with-trivy

@itaysk
Author

itaysk commented Nov 10, 2023

Thanks for picking this up. I should mention that in the process of developing vulnerability scanning on top of our KBOM, we changed our KBOM to show Kubernetes components as first-class CDX components instead of as properties of other components (such as Pods).
For example, the Kind API-Server example from the issue description now looks like this:

    {
      "bom-ref": "pkg:k8s/k8s.io%2Fapiserver@1.21.1",
      "type": "application",
      "name": "k8s.io/apiserver",
      "version": "1.21.1",
      "purl": "pkg:k8s/k8s.io%2Fapiserver@1.21.1",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "kube-apiserver-kind-control-plane"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "controlPlane"
        }
      ]
    },

We are still experimenting and might tweak this more, but this feels like a better approach for us.

For now I wouldn't mind closing this issue, until there's clear motivation to reopen it. If that happens, I would bring a more opinionated suggestion and backing from Kubernetes and the community.
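As an added illustration (not code from this thread, from Trivy or from CycloneDX), here is a small Python inventory over a constructed KBOM that recognises both layouts discussed above: the property-based taxonomy (using the proposed kubernetes: property names, which are an assumption since they were never registered) and the first-class component carrying a pkg:k8s purl. It also flags components that have no version or purl, which is exactly what a vulnerability match needs and what the property-only layout could not provide.

```python
import json

# Constructed sample (not from the thread): one component in the older
# property-based layout with the proposed "kubernetes:" namespace, one in the
# newer first-class layout with a pkg:k8s purl, and one unrelated library.
SAMPLE_KBOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"bom-ref": "ref-old-apiserver", "type": "application",
     "name": "kube-apiserver-kind-control-plane",
     "properties": [{"name": "kubernetes:controlplane_component",
                     "value": "apiserver"}]},
    {"bom-ref": "pkg:k8s/k8s.io%2Fapiserver@1.21.1", "type": "application",
     "name": "k8s.io/apiserver", "version": "1.21.1",
     "purl": "pkg:k8s/k8s.io%2Fapiserver@1.21.1",
     "properties": [{"name": "aquasecurity:trivy:resource:Type",
                     "value": "controlPlane"}]},
    {"type": "library", "name": "nginx", "version": "1.25.1"},
]})

# Property names marking a Kubernetes component: a fixed role, or None when
# the role is the property's value (both namespaces seen in the thread).
ROLE_PROPERTIES = {
    "kubernetes:controlplane_component": "controlPlane",
    "kubernetes:node_component": "node",
    "kubernetes:addon": "addon",
    "aquasecurity:trivy:k8s:controlplane_components": "controlPlane",
    "aquasecurity:trivy:resource:Type": None,
}

def k8s_role(component):
    """Return the component's Kubernetes role, or None if it is not one."""
    for prop in component.get("properties", []):
        if prop.get("name") in ROLE_PROPERTIES:
            return ROLE_PROPERTIES[prop["name"]] or prop.get("value")
    # A pkg:k8s purl also identifies a Kubernetes component (role unknown).
    purl = str(component.get("purl", ""))
    return "unknown" if purl.startswith("pkg:k8s/") else None

def inventory(kbom_json):
    """Map Kubernetes component name -> {role, version, purl}."""
    result = {}
    for comp in json.loads(kbom_json).get("components", []):
        role = k8s_role(comp)
        if role is not None:
            result[comp["name"]] = {"role": role, "version": comp.get("version"),
                                    "purl": comp.get("purl")}
    return result

def unversioned(inv):
    """Names of Kubernetes components lacking version or purl (unmatchable)."""
    return sorted(n for n, c in inv.items() if not c["version"] or not c["purl"])
```

Running `unversioned(inventory(SAMPLE_KBOM))` lists only the property-based apiserver entry, showing why a first-class component with a purl is the layout a scanner can act on.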
