
Adding support to build provenance and sbom for build images#1166

Open
visheshtanksale wants to merge 2 commits into
kubernetes-sigs:mainfrom
visheshtanksale:sbom-provenance-support

Conversation

visheshtanksale (Contributor) commented Jun 2, 2026

What type of PR is this?

/kind bug

What this PR does / why we need it:

Add support for SLSA provenance and SBOM generation as part of the image build process

Which issue(s) this PR is related to:

Fixes #1105

Special notes for your reviewer:

Verified that the provenance and SBOM are built and work locally. Not sure how to test this with kpromo. Looking at the documentation, it looks like this should work with kpromo.

Sample SLSA Provenance

{
  "buildDefinition": {
    "buildType": "https://cloudbuild.googleapis.com/CloudBuildYaml@v1",
    "externalParameters": {
      "source": {
        "uri": "git+https://github.com/visheshtanksale/k8s-dra-driver-gpu",
        "ref": "refs/heads/sbom-provenance-support",
        "digest": {
          "gitCommit": "160bbb87b5ee827e7152b4bc4d08f40b8bd630f6"
        }
      },
      "chart": {
        "name": "dra-driver-nvidia-gpu",
        "version": "0.0.0-test",
        "ref": "example.com/dra-driver-nvidia/charts/dra-driver-nvidia-gpu@sha256:ae9c140499d32f04de2c9023dca4d3c6eb6453372178db0fe90680cd42b24b0d",
        "digest": {
          "sha256": "ae9c140499d32f04de2c9023dca4d3c6eb6453372178db0fe90680cd42b24b0d"
        }
      }
    },
    "internalParameters": {},
    "resolvedDependencies": [
      {
        "uri": "git+https://github.com/visheshtanksale/k8s-dra-driver-gpu@refs/heads/sbom-provenance-support",
        "digest": {
          "gitCommit": "160bbb87b5ee827e7152b4bc4d08f40b8bd630f6"
        }
      }
    ]
  },
  "runDetails": {
    "builder": {
      "id": "https://cloudbuild.googleapis.com/projects/test-project"
    },
    "metadata": {
      "invocationId": "https://cloudbuild.googleapis.com/v1/projects/test-project/builds/test-build",
      "finishedOn": "2026-06-12T20:22:13Z"
    }
  }
}

Sample SBOM SPDX

{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "dra-driver-nvidia-gpu-0.0.0-test Helm chart SBOM",
  "documentNamespace": "https://sigs.k8s.io/dra-driver-nvidia-gpu/spdx/dra-driver-nvidia-gpu/0.0.0-test/ae9c140499d32f04de2c9023dca4d3c6eb6453372178db0fe90680cd42b24b0d",
  "documentDescribes": [
    "SPDXRef-Package-helm-chart"
  ],
  "creationInfo": {
    "created": "2026-06-12T20:22:13Z",
    "creators": [
      "Organization: Kubernetes Authors",
      "Tool: hack/generate-helm-chart-attestation-predicates.sh"
    ]
  },
  "packages": [
    {
      "name": "dra-driver-nvidia-gpu",
      "SPDXID": "SPDXRef-Package-helm-chart",
      "versionInfo": "0.0.0-test",
      "downloadLocation": "oci://example.com/dra-driver-nvidia/charts/dra-driver-nvidia-gpu@sha256:ae9c140499d32f04de2c9023dca4d3c6eb6453372178db0fe90680cd42b24b0d",
      "filesAnalyzed": false,
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "ae9c140499d32f04de2c9023dca4d3c6eb6453372178db0fe90680cd42b24b0d"
        }
      ],
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "copyrightText": "The Kubernetes Authors"
    }
  ]
}

Does this PR introduce a user-facing change?

None


Additional documentation (design docs, usage docs, etc.):


Checklist

  • make check test passes locally
  • make check-generate passes if api/ changed (CRDs, deepcopy, informers, listers, clientset)
  • make check-modules passes if go.mod / go.sum changed
  • Tests added or updated for the change
  • Helm chart (deployments/helm) updated if flags, RBAC, or defaults changed
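As an added example (not code from this PR or the project), here is a consumer-side check that the two predicates in the description agree on the chart they describe, plus the in-toto Statement v1 wrapper in which cosign signs such predicates. The predicate dicts are constructed, trimmed copies of the samples above, and the predicate-type URIs are the ones cosign uses for the slsaprovenance1 and spdxjson attestation types.

```python
import re

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"   # predicateType for cosign --type slsaprovenance1
SPDX_DOC = "https://spdx.dev/Document"       # predicateType for cosign --type spdxjson
HEX64 = re.compile(r"^[0-9a-f]{64}$")

# DIGEST and REF come from the PR's samples; the dicts are constructed, trimmed copies, not script output.
DIGEST = "ae9c140499d32f04de2c9023dca4d3c6eb6453372178db0fe90680cd42b24b0d"
REF = "example.com/dra-driver-nvidia/charts/dra-driver-nvidia-gpu@sha256:" + DIGEST
PROVENANCE = {"buildDefinition": {"externalParameters": {"chart": {
    "name": "dra-driver-nvidia-gpu", "version": "0.0.0-test", "ref": REF,
    "digest": {"sha256": DIGEST}}}}}
SBOM = {"spdxVersion": "SPDX-2.3", "documentDescribes": ["SPDXRef-Package-helm-chart"],
        "packages": [{"name": "dra-driver-nvidia-gpu", "SPDXID": "SPDXRef-Package-helm-chart",
                      "versionInfo": "0.0.0-test", "downloadLocation": "oci://" + REF,
                      "checksums": [{"algorithm": "SHA256", "checksumValue": DIGEST}]}]}

def ref_digest(ref):
    """Return the sha256 hex digest an OCI reference is pinned to, or None if it is unpinned."""
    _, sep, tail = ref.partition("@sha256:")
    return tail if sep and HEX64.match(tail) else None

def check_consistent(prov, sbom):
    """Return the list of mismatches between a provenance and an SBOM for the same chart."""
    problems = []
    chart = prov["buildDefinition"]["externalParameters"]["chart"]
    pd = chart["digest"].get("sha256")
    if not (pd and HEX64.match(pd)):
        problems.append("provenance: chart digest missing or not 64 hex chars")
    if ref_digest(chart["ref"]) != pd:
        problems.append("provenance: chart.ref is not pinned to chart.digest")
    pkgs = [p for p in sbom["packages"] if p["SPDXID"] in sbom.get("documentDescribes", [])]
    if len(pkgs) != 1:
        return problems + ["sbom: documentDescribes must name exactly one package"]
    pkg = pkgs[0]
    sums = {c["checksumValue"] for c in pkg["checksums"] if c["algorithm"] == "SHA256"}
    if sums != {pd}:
        problems.append("sbom: SHA256 checksum does not match provenance chart digest")
    if ref_digest(pkg["downloadLocation"]) != pd:
        problems.append("sbom: downloadLocation is not pinned to the chart digest")
    if (pkg["name"], pkg["versionInfo"]) != (chart["name"], chart["version"]):
        problems.append("sbom: package name/version differ from provenance chart")
    return problems

def to_statement(predicate_type, predicate, subject_name, digest):
    """Wrap a predicate in the in-toto Statement v1 that cosign attest signs for the chart."""
    return {"_type": STATEMENT_V1, "predicateType": predicate_type, "predicate": predicate,
            "subject": [{"name": subject_name, "digest": {"sha256": digest}}]}
```

A verifier that checks only the signature but not that both subjects carry the same digest can be handed an SBOM for a different chart than the provenance describes, which is the mismatch the check above reports.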

k8s-ci-robot (Contributor) commented

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 2, 2026
netlify Bot commented Jun 2, 2026

Deploy Preview for dra-driver-nvidia-gpu ready!

Latest commit: 160bbb8
Latest deploy log: https://app.netlify.com/projects/dra-driver-nvidia-gpu/deploys/6a2b43434c90720007b9c6ac
Deploy Preview: https://deploy-preview-1166--dra-driver-nvidia-gpu.netlify.app

@k8s-ci-robot k8s-ci-robot requested review from jgehrcke and shengnuo June 2, 2026 17:57
k8s-ci-robot (Contributor) commented

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: visheshtanksale
Once this PR has been reviewed and has the lgtm label, please assign varunrsekar for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 2, 2026
shivamerla (Contributor) commented

@visheshtanksale can we include signed cosign attestations for the Helm chart artifact too?

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 11, 2026
@@ -0,0 +1,237 @@
#!/usr/bin/env bash
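Review bot: only the shebang of this new 237-line bash script is visible in the hunk; a script that emits attestation predicates should follow `#!/usr/bin/env bash` with `set -euo pipefail` so that a failed digest lookup or a missing tool aborts the run instead of producing a partially populated predicate, and a short header comment stating the inputs (chart ref and digest) and the output files would make the file easier to review.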

shivamerla (Contributor) commented Jun 12, 2026

Can you add sample output of these attestations for existing builds to the PR?

visheshtanksale (Contributor, Author) replied

I added the sample SLSA provenance and SBOM to the PR description.


Development

Successfully merging this pull request may close these issues.

Publish keyless cosign signatures, SLSA provenance, and SBOM attestations for releases