Project post originally published on Flux’s blog by Daniel Holbach

Flux – built with security in mind

You don’t get to re-architect a successful project very often, but we did about two years ago. The Flux project was already off to a great start and had many happy adopters, and we kept many of its design principles at the forefront of our minds:

Why did we re-architect and rewrite Flux? Flux Legacy (v1) was started in mid-2016 and, while it worked great (and still does), it significantly pre-dated more recent developments in the Kubernetes ecosystem such as controller-runtime and so could not benefit from them.

Rewriting Flux as a set of narrowly targeted controllers was also a unique opportunity to reduce the scope (and thus the attack surface) of each individual sub-project, and to make them easier to test, debug and reuse.

All of this said, we believe that a blog series about Flux and its security considerations and features is in order, and we will kick it off by talking about SBOMs.

What is an SBOM?

Since Flux release 0.26 we publish an SBOM for each of the individual controllers. We reported on this in the accompanying monthly update blog post.

So what is an SBOM? It’s short for Software Bill of Materials. Wikipedia defines it as follows:

A software bill of materials (SBOM) is a list of components in a piece of software. Software vendors often create products by assembling open source and commercial software components. The SBOM describes the components in a product. It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause allergies, SBOMs can help organizations or persons avoid consumption of software that could harm them.

The concept of a BOM is well-established in traditional manufacturing as part of supply chain management. A manufacturer uses a BOM to track the parts it uses to create a product. If defects are later found in a specific part, the BOM makes it easy to locate affected products.

For the Flux project we publish a Software Bill of Materials (SBOM) with each release. The SBOM is generated with Syft in the SPDX format (as a JSON file).


The spdx.json file is available for download from the GitHub release page, e.g.:

curl -sL https://github.com/fluxcd/flux2/releases/download/v0.25.3/flux_0.25.3_sbom.spdx.json | jq

Inspecting the JSON data, you will see that for each file and library required to build and ship the release you can check the license, origin, version and checksum.

What might seem like a lot of overhead and unnecessary bookkeeping quickly turns out to be useful information, because it allows you to

Because the SBOM is structured data, all of the above can be done in an automated, programmatic fashion.
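As an added example of that programmatic use (this is not code from the Flux project, and the SBOM it parses is a constructed, trimmed document in the shape Syft emits, with invented package names, versions and checksums), the script below loads an SPDX 2.x JSON file, summarises each package's license, origin (purl), version and SHA-256, filters packages by license, and answers the question the use-case section below raises: does this release still ship a module at a version older than the one a fix landed in? The version comparison is a deliberately small semver parser; Go pseudo-versions or anything it cannot parse are reported as affected so that a human looks at them rather than having them silently pass.

```python
"""Inspect an SPDX 2.x JSON SBOM (the format Syft produces for Flux releases).

Added example, not code from the Flux project. SAMPLE_SBOM_TEXT is a constructed
document in the shape of Syft's SPDX JSON output; every package, version and
checksum in it is invented for illustration.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like Syft's SPDX 2.2 JSON output (invented values).
SAMPLE_SBOM_TEXT = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-controller",
    "documentNamespace": "https://example.invalid/sbom/example-controller",
    "creationInfo": {"created": "2022-02-09T00:00:00Z",
                     "creators": ["Tool: syft-example"]},
    "packages": [
        {
            "name": "github.com/example/libfoo",
            "SPDXID": "SPDXRef-Package-go-module-libfoo",
            "versionInfo": "v1.2.3",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "licenseConcluded": "Apache-2.0",
            "licenseDeclared": "NOASSERTION",
            "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}],
            "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": "pkg:golang/github.com/example/libfoo@v1.2.3"}],
        },
        {
            "name": "github.com/example/yamlparse",
            "SPDXID": "SPDXRef-Package-go-module-yamlparse",
            "versionInfo": "v2.4.0",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "licenseConcluded": "GPL-3.0-only",
            "licenseDeclared": "NOASSERTION",
            "checksums": [{"algorithm": "SHA256", "checksumValue": "cd" * 32}],
            "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": "pkg:golang/github.com/example/yamlparse@v2.4.0"}],
        },
    ],
})


def load_sbom(text: str) -> dict:
    """Parse SPDX JSON; reject anything that is not SPDX 2.x with a package list."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document")
    if not isinstance(doc.get("packages"), list):
        raise ValueError("SBOM has no packages list")
    return doc


def component_summary(sbom: dict) -> List[Dict[str, str]]:
    """One row per package: name, version, concluded license, origin (purl) and SHA-256."""
    rows = []
    for pkg in sbom["packages"]:
        # Prefer the package URL; fall back to downloadLocation (often NOASSERTION for Go modules).
        origin = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                       if r.get("referenceType") == "purl"),
                      pkg.get("downloadLocation", "NOASSERTION"))
        sha256 = next((c["checksumValue"] for c in pkg.get("checksums", [])
                       if c.get("algorithm") == "SHA256"), "")
        rows.append({"name": pkg["name"], "version": pkg.get("versionInfo", ""),
                     "license": pkg.get("licenseConcluded", "NOASSERTION"),
                     "origin": origin, "sha256": sha256})
    return rows


def packages_with_license(sbom: dict, spdx_ids: Tuple[str, ...]) -> List[str]:
    """Names of packages whose concluded license is one of the given SPDX identifiers."""
    return [r["name"] for r in component_summary(sbom) if r["license"] in spdx_ids]


_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def _version_key(version: str) -> Optional[Tuple[int, ...]]:
    """Leading MAJOR.MINOR.PATCH as a comparable tuple, or None if unparsable."""
    m = _SEMVER.match(version)
    return tuple(int(x) for x in m.groups()) if m else None


def affected_by(sbom: dict, module: str, fixed_in: str) -> List[str]:
    """Versions of `module` shipped in this SBOM that are older than `fixed_in`.
    Unparsable versions (e.g. Go pseudo-versions) are reported so a human reviews them."""
    fixed = _version_key(fixed_in)
    if fixed is None:
        raise ValueError("fixed_in must look like vMAJOR.MINOR.PATCH")
    hits = []
    for pkg in sbom["packages"]:
        if pkg["name"] != module:
            continue
        shipped = pkg.get("versionInfo", "")
        key = _version_key(shipped)
        if key is None or key < fixed:
            hits.append(shipped)
    return hits


if __name__ == "__main__":
    doc = load_sbom(SAMPLE_SBOM_TEXT)
    for row in component_summary(doc):
        print(f"{row['name']} {row['version']} {row['license']} {row['sha256'][:12]} {row['origin']}")
    print("copyleft:", packages_with_license(doc, ("GPL-3.0-only", "AGPL-3.0-only")))
    print("affected:", affected_by(doc, "github.com/example/libfoo", "v1.2.4"))
```

To run it against a real release, replace SAMPLE_SBOM_TEXT with the contents of the spdx.json file downloaded from the release page; the field names used here (versionInfo, licenseConcluded, checksums, externalRefs with referenceType purl) are standard SPDX 2.x JSON.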

Big organizations, corporate and governmental, already keep track of SBOMs and make decisions based on the information in them. Some have started requiring SBOMs for the software they use. A good example of this is the US government requiring SBOMs from its software suppliers (Executive Order 14028 on Improving the Nation's Cybersecurity, May 2021).

Possible use-cases for SBOMs

Here are a couple of more concrete examples of what the SBOMs for Flux allow you to do:

One way of automating all of this would be to store the SBOMs in Grafeas (https://grafeas.io/). This way you could search across your estate for:

For policy enforcement, kritis can use the SBOM information stored in Grafeas to enforce policies inside a cluster, for example automatically blocking applications that are vulnerable to a specific CVE.

If you have read this far and you are using SBOMs in your organisation, let us know what you get out of them as well!

What’s more

If you would like to know more about the history of SBOMs and their development, you might want to read this excellent article from ChainGuard about the subject.

At the time of writing, Syft does not yet classify licenses based on file contents, but this is being considered.

Here is the table of SBOMs for all the latest Flux controllers and the CLI (as of 2022-02-09). The SBOM column gives the release whose spdx.json was published; the Dependencies & Licenses column refers to the same release's dependency and license listing.

Project                       SBOM     Dependencies & Licenses
flagger                       1.17.0   1.17.0
flux2                         0.26.2   0.26.2
helm-controller               0.16.0   0.16.0
image-automation-controller   0.20.0   0.20.0
image-reflector-controller    0.16.0   0.16.0
kustomize-controller          0.20.1   0.20.1
notification-controller       0.21.0   0.21.0
source-controller             0.21.2   0.21.2

This is just one more measure we are taking to keep you more secure.

Talk to us

We love feedback, questions and ideas, so please let us know how you are using SBOMs today. Ask us if you have any questions and please

See you around!