OC3 registrations are now open! Join the premier event for confidential computing online or in Berlin on March 27.

Generating SBOMs for confidential Kubernetes is easier than you think!

Blog

Generating SBOMs for confidential Kubernetes is easier than you think!

Fabian Kammel


Constellation, our Confidential Kubernetes engine, is now open source. Check it out on GitHub or say Hi on Discord.

 

 

Constellation is an infrastructure product and includes several different components:

 

A command-line interface (CLI) manages the life-cycle of the Confidential Kubernetes cluster

 

In-cluster services provide features such as key management and secure node administration

 

A node operator handles upgrades of cluster nodes

 

 

All of these components could include a dependency with known vulnerabilities! How do we get the full picture to keep track of all our dependencies?

 

 

Software Bill of Materials

 

 

An SBOM comprises a list of all dependencies for a given software artifact in a standard data format, such as SPDX or CycloneDX. For more background on SBOMs see NTIA's overview.

Last year, many companies scrambled to determine, whether software they were running in production was vulnerable to Log4Shell. SBOMs allow organizations to answer these questions easily!

 

 

Generating SBOMs

 

 

Syft allows us to generate an SBOM for several different types of artifacts, using so-called catalogers. Supported ecosystems include OS level package managers, programming language build systems, container images, and file systems.

 

 

Go Modules

 

 

Go already keeps track of its dependencies via the go.mod and go.sum files. Running Syft from our go module's root directory will produce an SBOM based on these files!

 

 

syft --catalogers go-mod-file --file constellation.spdx.sbom -o

spdx-json

 

 

Container Images

 

 

Syft is also able to scan images from container registries. Instead of passing a local file system path, we simply provide the image reference and an SBOM for our container will be generated.

 

Having minimal container images based on scratch or distroless helps to keep the attack surface low!

 

 

CONTAINER_VERSION=v2.0.0 syft
ghcr.io/edgelesssys/constellation/verification-
service:${CONTAINER_VERSION} --file verification-
service.spdx.sbom -o spdx-json syft ghcr.io/edgelesssys/constellation/access-
manager:${CONTAINER_VERSION} --file access-manager.spdx.sbom -o
spdx-json syft ghcr.io/edgelesssys/constellation/join-
service:${CONTAINER_VERSION} --file join-service.spdx.sbom -o
spdx-json syft
ghcr.io/edgelesssys/constellation/kmsserver:${CONTAINER_VERSION}
--file kmsserver.spdx.sbom -o spdx-json syft
ghcr.io/edgelesssys/constellation/node-
operator:${CONTAINER_VERSION} --file node-operator.spdx.sbom -o
spdx-json

 

 

There is (experimental) support in docker CLI to generate an SBOM, which also uses Syft under the hood!

 

 

Conclusion

 

 

Syft helped us to easily and continuously generate SBOMs for our releases.

Customers can be assured that they have the full picture of what is included in our product and can import our SBOMs to solutions such as Dependency Track or BlackDuck to stay on top of vulnerabilities and upgrade Constellation to receive the latest mitigations in time!

Follow Edgeless Systems, to learn how we use SBOMs to keep Constellation secure and users in the loop on known vulnerabilities.


Author: Fabian Kammel


Related reading

View all