Spike: Do we verify the image digest and does the reference actually exist

[lasomethingsomething]

Comes after #1129. Will be the technical follow-up/the "how" for the image promotion process

Objective

• Support the goal of breaking up the image promoter monolith by investigating the questions raised below

Questions to answer

• Describe/document the current process for verifying whether the image digest and reference exists, and evaluate:
  - Did we create an image using appropriate tools and process?
  - Would scanning for CVEs be a blocker?
  - If yes, could we require provenance?
  - Would infra in staging help make it faster than a complete image push/pull? Not in place today.
  - How could we ensure that the SHA is valid?
  - How do we scan the image for any high or critical CVE?

Note: Be sure to actively seek other questions from members of SIG Release and other relevant SIGs as part of your research.

Steps

• Present a 1-2 page proposal describing the necessary implementation steps and listing pros/cons/tradeoffs
• Seek input from SIG members and achieve buy-in so the group can reach consensus and move forward

Context and things to think about while working on this task

• There is verification of the digests. Someone opens a PR => link to the created build. People use this link as proof for digests they want to promote.
• PR => creates list of digests. No real way for reviewers of the PR to verify. Can be done manually but most reviewers will just approve the PR.
• Relates to the "Validating signatures from staging in parallel" workflow step
• We currently have no way to verify the SHA of an image.
• We delegate responsibility for establishing which image to put in prod but we don't verify the image provenance--coming from stg container registry.
• We know the source of an image, but we don't verify what is published.
• Any maintainer could do the promotion. Nothing prevents maintainer w/access to staging repo from pushing something that could impact the registry.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[xmudrii]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[xmudrii]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[xmudrii]

/remove-lifecycle stale