My CNCF LFX Mentorship Spring 2023 Project at Kubescape

Project Link: CNCF - Kubescape: Release engineering: add Kubescape to commonly-requested package managers

kubescape is a Cloud Native Computing Foundation (CNCF) sandbox project. It is an open-source Kubernetes security platform and includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.

List of things I have done

Documentations:

• Publishing

Repo and Packages created:

• kubescape/packaging
• OpenSUSE Open Build Service home:kubescape/kubescape
• Ubuntu Launchpad PPA kubescape/kubescape
• Chocolatey kubescape
• Snapcraft Store kubescape
• Arch Linux AUR
• SARIF for Reviewdog

PRs opened:

• (merged) kubescape/kubescape #1095 fix(build): LICENSE file in release tarballs
• (merged) kubescape/kubescape #1105 fix(README): broken links
• (merged) kubescape/kubescape #1140 ci(release): fix publishing krew plugin; add '.exe' extension to Windows binary
• (merged) kubescape/kubescape #1147 Change installation path to ~/.kubescape/bin
• (merged) kubescape/kubescape #1148 arm64 release binaries for CI and Krew
• (merged) kubescape/kubescape #1169 Add kubescape.exe to the release assets
• (merged) kubescape/kubescape #1184 feat(sarif): add fix object in generated reports
• (merged) kubescape/kubescape #1185 fix(fix): mixed up change summary list
• (merged) kubescape/kubescape #1186 Invoke packaging workflow to update after release
• (merged) kubescape/kubescape #1196 Move building instructions to wiki, add more installation instructions
• (merged) kubescape/kubescape #1199 Update installation script
• (merged) kubescape/kubescape #1210 ci: update before install packages
• (merged) kubescape/kubescape #1213 Deprecate kubescape-windows-latest
• (merged) kubescape/kubescape #1214 Add ref to workflow dispatch
• (merged) kubescape/kubescape #1216 Make powershell Windows installation user path available immediately
• (merged) kubescape/kubescape #1236 Deprecate kubescape-windows-latest and fix CI
• (merged) kubescape/kubescape #1238 Fix downloading arm64 binary for kubescape
• (merged) kubescape/github-action #32 Support for code reviews instead with PRs
• (merged) kubescape/github-action #34 Fix start new PR with own repo
• (merged) kubescape/github-action #37 Add exceptions parameters back
• (merged) kubescape/github-action #38 Keep kubescape github-action workflow up to date
• (merged) kubescape/github-action #41 Intergrate fix with comments
• (merged) kubescape/github-action #42 Version bumps start PRs instead of committing directly
• (merged) kubescape/github-action #43 Split the suggest fix workflow and update docs
• (merged) kubescape/vscode-kubescape #11 Remove platformPackages config
• (merged) kubescape/vscode-kubescape #12 Bump kubescape version into v2.3.1
• (merged) kubescape/lens-extension #16 Bump kubescape version into v2.3.1
• (merged) kubescape/node-kubescape #3 Support for ARM64 binaries as well as kubescape.exe
• (merged) kubescape/homebrew-tap #7 Add Auto Release CI
• (rejected) kubernetes-sigs/controller-runtime #2266 🐛 Support get config inside snap with SNAP_REAL_HOME
• (rejected) kubernetes/kubernetes #117165 client-go: support detect homedir with SNAP_REAL_HOME and os/user.HomeDir
• (merged) ScoopInstaller/Main #4757 kubescape: Update url and binary naming
• (pending) gentoo/gentoo #30595 sys-cluster/kubescape: new package, add 2.3.3
• (merged) chocolatey-community/chocolatey-packages #2226 (kubescape) Add Kubescape package

Issues opened/helped with:

• (resolved) kubescape/kubescape #195 Provide ARM64 release binaries
• (resolved) kubescape/kubescape #400 Add Kubescape to packages management for easier installation
• (reviewed) kubescape/kubescape #720 Error Fixed when downloading on azure cloud vm environment
• (reviewed) kubescape/kubescape #1014 Package manager support: homebrew
• (resolved) kubescape/kubescape #1015 kubescape installed in first directory in $PATH under $HOME
• (helped) kubescape/kubescape #1033 Generate SLSA provenance for builds
• (reviewed) kubescape/kubescape #1112 can't install Kubescape with krew on Apple Silicon Mac
• (resolved) kubescape/kubescape #1142 Package manager support: RPM
• (resolved) kubescape/kubescape #1143 Package manager support: deb
• (resolved) kubescape/kubescape #1168 Add kubescape.exe to the release assets to replace kubescape-windows-latest
• (resolved) kubescape/kubescape #1183 Add fix object in Kubescape generated SARIF reports when available
• (reviewed) kubescape/kubescape #1215 Fix issue 11552
• (helped) kubescape/kubescape #1237 Download and Installing Wrong Binary For Apple M1
• (reviewed) kubescape/kubescape #1239 Added instructions to setup kubescape locally
• (resolved) kubescape/k8s-interface #46 Kubescape supports getting packed as a snap app
• (resolved) kubescape/k8s-interface #46 Kubescape supports getting packed as a snap app
• (pending response) github/community #52156 Support code auto-fixes for GitHub Code Scanning
• (resolved) chocolatey-community #2186 Migrate kubescape package
• (resolved) chocolatey-community/chocolatey-packages #2190 (kubescape) Migrate package
• (resolved) snapcraft/store-requests #34661 Request for classic confinement and name change for cli-kubescape
• (pending response) snapcraft/snapd #34683 Feature Request: Stop using $SNAP_REAL_HOME to visit real home files

Project summaries

Packaging

• OpenSUSE Build Service (DEB and RPM)
• RPM
• Ubuntu Launchpad PPA
• Homebrew Tap
• Chocolatey
• Snapcraft
• AUR
• Gentoo Portage

Other packages managers that have already been available and not introduced by me during this project period:

• OpenSUSE Zypper
• Homebrew
• Krew (I added the ARM64 support for Krew)
• Nix-pkgs
• Scoop

GitHub Actions Release CI

I helped improve the Kubescape GitHub Actions release CI process, where I added the ARM64 build and tested for the GitHub Actions release CI workflow. I use QEMU with Docker to simulate the Linux ARM64 environment for building and testing the binaries. For macOS M1/M2, I investigated how to cross-build libgit2 C code and use Golang cross-compilation to build the binaries.

I also helped add the auto version bumping CI for kubescape/homebrew-tap, kubescape/packaging, and kubescape/github-action. After the release is made, we trigger these CIs so that the kubescape versions in these repositories can get upgraded automatically.

GitHub Actions Code Review

I helped improve the Kubescape GitHub Actions fix suggestions code review process, where I created the workflow which works by collecting the SARIF (Static Analysis Results Interchange Format) file that kubescape generates. Then, with the help of HollowMan6/sarif4reviewdog, convert the SARIF file into RDFormat (Reviewdog Diagnostic Format) and generate reviews for code fix suggestions on GitHub Actions using Reviewdog. I also helped add the “fix" object support for the Kubescape-generated SARIF report.

In addition to the main project, I also helped the community with other issues like bug-fixing as well as feature-adding.