My CNCF LFX Mentorship Spring 2023 Project at Kubescape
Hollow Man
Posted on May 14, 2023
https://www.youtube.com/watch?v=uZCoipC6qRU&t=1773s
Project Link: CNCF - Kubescape: Release engineering: add Kubescape to commonly-requested package managers
Kubescape is a Cloud Native Computing Foundation (CNCF) sandbox project. It is an open-source Kubernetes security platform that includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI, flexible output formats, and automated scanning capabilities.
List of things I have done
Documentation:
Repo and Packages created:
- kubescape/packaging
- OpenSUSE Open Build Service home:kubescape/kubescape
- Ubuntu Launchpad PPA kubescape/kubescape
- Chocolatey kubescape
- Snapcraft Store kubescape
- Arch Linux AUR
- SARIF for Reviewdog
PRs opened:
- (merged) kubescape/kubescape #1095 fix(build): LICENSE file in release tarballs
- (merged) kubescape/kubescape #1105 fix(README): broken links
- (merged) kubescape/kubescape #1140 ci(release): fix publishing krew plugin; add '.exe' extension to Windows binary
- (merged) kubescape/kubescape #1147 Change installation path to ~/.kubescape/bin
- (merged) kubescape/kubescape #1148 arm64 release binaries for CI and Krew
- (merged) kubescape/kubescape #1169 Add kubescape.exe to the release assets
- (merged) kubescape/kubescape #1184 feat(sarif): add fix object in generated reports
- (merged) kubescape/kubescape #1185 fix(fix): mixed up change summary list
- (merged) kubescape/kubescape #1186 Invoke packaging workflow to update after release
- (merged) kubescape/kubescape #1196 Move building instructions to wiki, add more installation instructions
- (merged) kubescape/kubescape #1199 Update installation script
- (merged) kubescape/kubescape #1210 ci: update before install packages
- (merged) kubescape/kubescape #1213 Deprecate kubescape-windows-latest
- (merged) kubescape/kubescape #1214 Add ref to workflow dispatch
- (merged) kubescape/kubescape #1216 Make powershell Windows installation user path available immediately
- (merged) kubescape/kubescape #1236 Deprecate kubescape-windows-latest and fix CI
- (merged) kubescape/kubescape #1238 Fix downloading arm64 binary for kubescape
- (merged) kubescape/github-action #32 Support for code reviews instead with PRs
- (merged) kubescape/github-action #34 Fix start new PR with own repo
- (merged) kubescape/github-action #37 Add exceptions parameters back
- (merged) kubescape/github-action #38 Keep kubescape github-action workflow up to date
- (merged) kubescape/github-action #41 Intergrate fix with comments
- (merged) kubescape/github-action #42 Version bumps start PRs instead of committing directly
- (merged) kubescape/github-action #43 Split the suggest fix workflow and update docs
- (merged) kubescape/vscode-kubescape #11 Remove platformPackages config
- (merged) kubescape/vscode-kubescape #12 Bump kubescape version into v2.3.1
- (merged) kubescape/lens-extension #16 Bump kubescape version into v2.3.1
- (merged) kubescape/node-kubescape #3 Support for ARM64 binaries as well as kubescape.exe
- (merged) kubescape/homebrew-tap #7 Add Auto Release CI
- (rejected) kubernetes-sigs/controller-runtime #2266 🐛 Support get config inside snap with SNAP_REAL_HOME
- (rejected) kubernetes/kubernetes #117165 client-go: support detect homedir with SNAP_REAL_HOME and os/user.HomeDir
- (merged) ScoopInstaller/Main #4757 kubescape: Update url and binary naming
- (pending) gentoo/gentoo #30595 sys-cluster/kubescape: new package, add 2.3.3
- (merged) chocolatey-community/chocolatey-packages #2226 (kubescape) Add Kubescape package
Issues opened/helped with:
- (resolved) kubescape/kubescape #195 Provide ARM64 release binaries
- (resolved) kubescape/kubescape #400 Add Kubescape to packages management for easier installation
- (reviewed) kubescape/kubescape #720 Error Fixed when downloading on azure cloud vm environment
- (reviewed) kubescape/kubescape #1014 Package manager support: homebrew
- (resolved) kubescape/kubescape #1015 kubescape installed in first directory in $PATH under $HOME
- (helped) kubescape/kubescape #1033 Generate SLSA provenance for builds
- (reviewed) kubescape/kubescape #1112 can't install Kubescape with krew on Apple Silicon Mac
- (resolved) kubescape/kubescape #1142 Package manager support: RPM
- (resolved) kubescape/kubescape #1143 Package manager support: deb
- (resolved) kubescape/kubescape #1168 Add kubescape.exe to the release assets to replace kubescape-windows-latest
- (resolved) kubescape/kubescape #1183 Add fix object in Kubescape generated SARIF reports when available
- (reviewed) kubescape/kubescape #1215 Fix issue 11552
- (helped) kubescape/kubescape #1237 Download and Installing Wrong Binary For Apple M1
- (reviewed) kubescape/kubescape #1239 Added instructions to setup kubescape locally
- (resolved) kubescape/k8s-interface #46 Kubescape supports getting packed as a snap app
- (pending response) github/community #52156 Support code auto-fixes for GitHub Code Scanning
- (resolved) chocolatey-community #2186 Migrate kubescape package
- (resolved) chocolatey-community/chocolatey-packages #2190 (kubescape) Migrate package
- (resolved) snapcraft/store-requests #34661 Request for classic confinement and name change for cli-kubescape
- (pending response) snapcraft/snapd #34683 Feature Request: Stop using $SNAP_REAL_HOME to visit real home files
Project summaries
Packaging
- OpenSUSE Build Service (DEB and RPM)
- RPM
- Ubuntu Launchpad PPA
- Homebrew Tap
- Chocolatey
- Snapcraft
- AUR
- Gentoo Portage
Other package managers that were already available and were not introduced by me during this project period:
- OpenSUSE Zypper
- Homebrew
- Krew (I added the ARM64 support for Krew)
- Nix-pkgs
- Scoop
GitHub Actions Release CI
I helped improve the Kubescape GitHub Actions release CI process, where I added the ARM64 build and testing to the GitHub Actions release CI workflow. I use QEMU with Docker to simulate the Linux ARM64 environment for building and testing the binaries. For macOS M1/M2, I investigated how to cross-build the libgit2 C code and use Golang cross-compilation to build the binaries.
I also helped add the auto version bumping CI for kubescape/homebrew-tap, kubescape/packaging, and kubescape/github-action. After the release is made, we trigger these CIs so that the kubescape versions in these repositories can get upgraded automatically.
GitHub Actions Code Review
I helped improve the Kubescape GitHub Actions fix suggestions code review process, where I created a workflow that collects the SARIF (Static Analysis Results Interchange Format) file that Kubescape generates. Then, with the help of HollowMan6/sarif4reviewdog, it converts the SARIF file into RDFormat (Reviewdog Diagnostic Format) and generates reviews with code fix suggestions on GitHub Actions using Reviewdog. I also helped add "fix" object support to the Kubescape-generated SARIF report.
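The conversion step described above, as an added example (not code from this post, from Kubescape or from sarif4reviewdog): it maps a SARIF result and its `fixes` object to an RDFormat diagnostic with `suggestions`, using field names from the SARIF 2.1.0 and Reviewdog Diagnostic Format schemas. The sample finding, the file name `deploy.yaml` and the rule ID are constructed.

```python
SEVERITY = {"error": "ERROR", "warning": "WARNING", "note": "INFO"}  # SARIF level -> RDFormat

def to_range(region):
    """SARIF region -> RDFormat range; both count lines and columns from 1."""
    end_line = region.get("endLine", region["startLine"])
    rng = {"start": {"line": region["startLine"]}, "end": {"line": end_line}}
    for side in ("start", "end"):
        if side + "Column" in region:
            rng[side]["column"] = region[side + "Column"]
    return rng

def sarif_to_rdjson(sarif):
    """Convert SARIF results and their fix objects into one RDFormat document."""
    diagnostics = []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            if not res.get("locations"):
                continue  # a review comment needs a file to attach to
            phys = res["locations"][0]["physicalLocation"]
            path = phys["artifactLocation"]["uri"]
            diag = {"message": res["message"]["text"], "location": {"path": path},
                    "severity": SEVERITY.get(res.get("level", "warning"), "UNKNOWN_SEVERITY"),
                    "code": {"value": res.get("ruleId", "")}}
            if "region" in phys:
                diag["location"]["range"] = to_range(phys["region"])
            # One suggestion per replacement; edits to other files are skipped.
            diag["suggestions"] = [
                {"range": to_range(rep["deletedRegion"]),
                 "text": rep.get("insertedContent", {}).get("text", "")}
                for fix in res.get("fixes", [])
                for change in fix.get("artifactChanges", [])
                if change["artifactLocation"]["uri"] == path
                for rep in change.get("replacements", [])]
            diagnostics.append(diag)
    return {"source": {"name": "kubescape"}, "diagnostics": diagnostics}

# Constructed sample: one finding with a one-line fix; the rule ID is a placeholder.
REGION = {"startLine": 12, "startColumn": 11, "endLine": 12, "endColumn": 40}
SAMPLE = {"version": "2.1.0", "runs": [{"results": [{
    "ruleId": "EXAMPLE-0001", "level": "error",
    "message": {"text": "readOnlyRootFilesystem is not enabled"},
    "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "deploy.yaml"}, "region": REGION}}],
    "fixes": [{"artifactChanges": [{
        "artifactLocation": {"uri": "deploy.yaml"},
        "replacements": [{"deletedRegion": REGION, "insertedContent":
                          {"text": "readOnlyRootFilesystem: true"}}]}]}]}]}]}

if __name__ == "__main__":
    print(sarif_to_rdjson(SAMPLE))
```

Serialised with `json.dumps`, the returned dictionary is the document Reviewdog reads with `-f=rdjson`.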
In addition to the main project, I also helped the community with other issues like bug-fixing as well as feature-adding.