►
Description
Don’t miss out! Join us at our upcoming hybrid event: KubeCon + CloudNativeCon North America 2022 from October 24-28 in Detroit (and online!). Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Releasing Kubernetes Less Often and More Secure – The SIG Release Update - Adolfo García Veytia & Carlos Panato, Chainguard; Sascha Grunert, Red Hat; Stephen Augustus, Cisco
The Kubernetes Special Interest Group (SIG) Release is inviting you to join their project update at KubeCon! Adolfo, Carlos, Sascha and Stephen will speak about the latest changes to the SIG as well as its influence on the overall Kubernetes project. The session will cover how the SIG Release roadmap and vision maps to recent project development efforts, which enhancements to the general release process they’re currently working on, as well as the lessons learned from past release cycles. As part of that update, the Release Engineering subproject of SIG Release will speak about how the community hardens their software supply chain by driving towards full SLSA (Supply-chain Levels for Software Artifacts) compliance, including SBOM generation and container image signing. Do you wanna be part one of the largest Kubernetes SIGs? Then join this session to learn more about our latest efforts and how to contribute to them! Maintainers of other projects under the Kubernetes organization are strongly encouraged to attend this session to learn more about extending the SIG Release tools to their own releases.
A
Hello,
everyone,
let's
get
started,
my
name
is
carlos
vanato.
I
work
for
chainwalk
and
in
kubernetes.
I
work
for
a
single
release.
Singular
release
is
the
sig
that
takes
care
about
the
release
of
kubernetes
and
all
the
tooling
around
the
release,
engineering
like
for
taking
care
of
the
images
promotions
and
all
the
tools
that
makes
everybody
use
this
kubernetes.
B
My
name
is
garcia
and
I
am
also
a
software
engineer
with
chain
guard.
We
originally
had
two
more
speakers
scheduled
to
be
here
with
us
and
for
traveling
problems.
They
couldn't
be
here.
So
sorry,
you're
stuck
with
us,
but
we
are
both.
Tech
leads
for
seek
release
for
the
release
and
journeys
of
project
and
we're
gonna
do
an
update
on
the
things
we've
been
working
on.
C
Welcome
to
our
talk
from
zeke
release
about
releasing
kubernetes
less
often
and
secure.
Unfortunately,
I
cannot
attend
that
is
cubecon
in
person,
but
I'm
absolutely
sure
that
the
build
for
carlos
and
steve
will
work
this
session
on
behalf
of
jeremy
and
myself.
I
really
hope
you
enjoy
this
talk
and
always
feel
free
to
reach
out.
If
you
have
any
questions
or
comments,
hey.
A
A
Then
we
decided
to
send
a
release
survey
to
see
how
the
community
feel
about
like
having
less
or
more
releases,
and
we
find
out
that,
like
the
community
prefer
like
to
have
three
releases
a
year,
then
we
like
that's
some
justification
that
we
can
think
about
and
we
decided
to
instead
of
four
release
per
year.
Now
we
were
running
three
releases
per
year.
That
makes
like
a
place
more
sustainable
for
not
only
for
the
release
team,
but
also
for
all
the
other
things.
A
A
Then
this
was
a
manual
task
and
like
sometimes
like,
we
forgot
to
fast
forward
in
every
day
and
then
we
miss
it
and
then
some
conflicts
sometimes
happen
and
then
like.
We
decided
like
not
doing
fast
forward
anymore
and
then
during
the
like,
when
the
cherry
pick
or
the
release
break
was
created,
we
started
doing
the
cherry
pick
like
when
we
merge
things
to
the
main
branch
we
charge
it
to
the
release
break.
A
That
causes
a
lot
of
like
a
overwork,
like
like
a
lot
of
overhead
for
the
development
like
for
the
contributors
to
every
time.
We
need
to
like
approve
that
pr
to
get
merged
to
the
master
branch
and
then,
like
cherry
pick
mentally
cherry
picking
all
the
process
right
and
then
we
think
to
reintroduce
the
fast
forward
and
then
the
last
cycle.
We
did
like
a
like
a
mock
job
that
is
was
running
for
the
entire
cycle.
B
What
are
now
the
common
words
in
supply
chain.
Security
like
smalls
for
the
kubernetes
release
process,
and
also
the
big
one
around
now,
is
that
we
just
finished
signing
all
the
images
for
kubernetes
with
six
stores
so
about
what
one
year
ago,
or
so,
where
we
started
right
up
about.
The
point
when
sixer
was
just
starting
to
form.
B
So
right,
since
the
beginning,
we
started
looking
into
how
we
could
integrate
the
the
the
six
store
tool,
tooling
and
libraries,
and
their
infrastructure
to
secure
releases
so
right
and
so
now,
kubernetes
124
watches
released
and
it's
the
first
one
to
have
there.
It's
it's
images
signed,
and
it
was
like
a
really
good
huge
effort.
I
took
a
lot
of
contributors,
in
fact,
since
I
joined
six
releases,
the
project
that
has
seen
the
most
people
contributing
to
a
single
project.
B
B
That
was
the
infrastructure
just
to
make
sure
that
our
our
all
of
the
all
of
the
signatures
could
be
like
propagated
in
a
proper
way
like
doing
the
impersonation
flow,
because
kubernetes
promotes
its
images
and
the
image
promoter
wasn't
ready
yet
to
take
on
the
on
the
impersonation
requirements
that
we
needed
to
to
have
the
available
the
available
idc
tokens
to
do
the
signing.
So
we
had
to
go.
B
Do
there
and
adapt
to
the
current
image
promotion
process,
which
we
didn't
want
to
to
disrupt
anything
any
any
of
the
the
current
process
that
that
we
were
using.
So
it
was
like
a
really
big
deal.
I
I
was
really
surprised
to
see
how
much
fire
this
got
in
on
all
of
the
news
outlet.
So
thank
you
media
for
for
covering
that.
I
feel
really
humble
for
that.
Just
one.
A
Comment
like
if
you
maintain
a
project
in
the
kubernetes
community,
and
you
want
to
sign
your
images
on
your
package
like
come
to
talk
to
us,
then
we
are
glad
to
help
and
the
image
promoter
promoter
also
like
if
you
use
the
image,
promote,
promote
the
image
across
to
the
case
registry.
It
also
sign
your
image
already.
Then,
if
you
sites
like
three
two
weeks,
if
you
start
using
that
tool,
it
signs
the
image
for
you
as
well.
B
Yeah,
there's
more
there's
a
little
bit
more
security
that
we
can
build
into
your
project
if
you're.
If
you
are
interested
in
signing
at
build
time
and
still
propagating
those
signatures
like
we're
doing
kubernetes,
you
can
talk
to
us
at
any
time,
show
up
on
the
seek
release
meetings
and
we
can
get
you
to
do
that.
The
other
is
when
we
built
the
kubernetes
phone
we
produce.
We
produce
a
lot
of
libraries
to
to
be
able
to
to
write
the
documents
and
that
tool
has
been
gaining
traction.
B
The
some
other
projects
are
already
doing
their
sboms
with
our
tool,
which
is
great
and
we've
been
gaining
more
contributors
and,
for
example,
istio
recently
started
doing
their
their
their
s
bombs
with
our
tool,
which
makes
me
very
happy,
and
also
this
tool
is
now
incubating
in
the
automated
compliance
tooling
tech
with
the
linux
foundation.
So
also
like,
I
mean
science
of
it
getting
a
little
bit
more
mature
and
finally,
the
other,
like
key
milestone
that
we
are
trying
to
achieve
is
making
the
kubernetes
release
process
achieve
salsa
level.
B
It's
a
supply
chain
framework
to
that
to
enable
companies
to
start
securing
their
their
their
workloads
and
their
their
release
process
a
little
bit
gradually
so
gives
you
insight
into
observability
and
then
making
the
the
artifacts
ever
more
hard
to
impersonate
to
to
forge
and
and
secure
them.
So
we
are
aiming
to
to
comply
with
salsa
level
2
right
now,
the
last
coupon,
in
los
angeles,
we
announced
that
we
have
reached
level
1.
now
with
the
signing
libraries
all
almost
almost
done.
We
are
almost
ready
to
start
implementing
sales
level
2..
B
We
we
wanted
to
do
to
make
it
in
kubernetes
124,
but
well
we
simply
didn't
get
the
time,
but
we're
almost
there.
We
just
have
to
finish
signing
the
binaries,
the
other
stations
and
the
yes
bombs,
and
then
we
we
are.
I
think
that
those
are
the
three
remaining
for
reaching
salsa
two
in
the
kubernetes
release
process
and
oh
yeah,
this
this
was
it
okay
and
next
one
apprenticeship,
okay,.
A
This
is
another
survey
we
have
out
like
with,
like
we
have
the
included
name
working
group.
We
are
working
like
to
make
all
the
everything
more
inclusive
and
one
of
the
forces
is
changing
the
branch
names
across
the
kubernetes
community
and
we
are
planning
we
are
planning
to
change
the
kk.
The
kubernetes
could
unite
range
name
from
master
to
main,
and
this
is
like
a
big
thing
that
we
are
planning
science
end
of
last
year.
A
There
is
a
survey
you
can
scan
the
qr
code
if
you
want
to
fill
that
survey
and
we
are
like
collecting
results
like
information,
because
that
we
would
like
to
know
the
companies
using
kubernetes
downstream
to
see
if
they're
gonna
be
impacted,
and
then
we
can
plan
accordingly
for,
like
changing
the
name,
how
the
most
all
the
infrastructure
for
these
changes
already
done.
We
just
like
waiting
for
these
results.
A
In
the
sig
release,
we
built
like
a
roadmap
and
a
vision
that
makes
the
community
and
the
sig
release
team,
like
everybody
that
contributes
release,
see
what's
a
division
for
the
sig
release
and
what
are
we
gonna
focus
in
then?
We
have
like
the
primary
focus.
Is
the
consumable,
introspective
and
secure
each
one,
we'd
like
to
drill
down
and
open
in
deliverables?
We
are
looking
for,
for
example,
we
like
the
the
they
find
some
deliverables
you
want
to
achieve,
that
is
the
salsa
compliance
design,
release
effects
and
hence
the
kubernetes
artifacts
management
like
we.
A
We
like
we
are
working
in
some
improvements
on
the
artifact
management
as
well,
and
we
are
available
in
other
providers
as
well,
and
we
highly
recommend
for
the
other,
sick
chairs
and
techniques
for
the
other
six
to
have
the
whole
american
division
as
well
for
their
tips.
And
if
you
need
help
like
we
also,
we
are
here
like
to
help
to
create
their
own
map
and
vision.
A
A
I
know
that
I'm
only
in
the
in
the
central
europe
times,
one
which
is
430,
I
don't
know
there
are
others,
but
I
think
it's
easy
to
figure
out
and
you
can
find
us
also
in
the
communities
like
like
just
our
fingers,
that
we
have
the
sig
release
channel.
And
if
you
are
more
interested
in
the
sig
release
engineer,
then
you
do
a
part.
We
have
the
release,
engineer
channel
as
well.
A
C
C
A
A
The
question
is:
what's
challenging
about
the
renaming
the
branch
for
cuban
s
itself,
if
you
think
about
only
kubernetes,
we
have
like
we
can
check,
I
think
we
have
more
than
50
pr's
open
on
kk,
or
I
think
it's
much
more
than
that
and
renaming
like
changing
the
the
branch
name.
It's
kind
of
easy
in
good
problems.
Just.
C
A
And
go
to
the
status
and
change
and
they
do
everything
for
you,
but
the
problem
behind
that
is
like
if
we
do
this
we're
gonna
pro
we're
gonna
kick
out
all
the
jobs
for
the
open,
pr's
and
then
we're
gonna
be
like
a
big
queue
and
there
might
be.
We
like
have
some
hard
time
to
cleaning
up
or
we
don't
want
to
put
these
high
loads
on
the
floor
and
have
like
the
people
like
trying
to
figure
out
that
some
workarounds,
for
that
is
like
we're.
A
Gonna
move
everything
that
open
pr
to
draft
and
draft
that
pro
doesn't
trigger.
We
need
to
trigger
manually
and
then
we're
gonna
like
ask
for
the
the
persons
that
draw
the
review,
like
move
back
to
left,
to
to
read
to
review
that
then
won't
keep
the
specific
one,
we're
not
gonna,
move
to
draft
and
then
move
everybody.
We're
gonna
just
move
one
by
one
as
needed
for
downstream.
A
Maybe
they
we
can
broke
this
yeah
if
but
github
offers
the
follow
the
right
directions,
but
you
need
to
certify
in
your
downstream
if
you
can
follow
that
resurrection,
usually
just
change
the
the
branch
name
we're
going
to
have,
but
mike
brought
ci
for
the
companies
like
we're,
not
sure
how
they
are
consuming.
The
kubernetes.