v0.10.0

@cpanato cpanato released this 09 Aug 14:15
· 2818 commits to master since this release
v0.10.0
82b23b9

Changes by Kind

Feature

  • Allows more options to be passed to the SPDX document builder
    • File analysis is now done in parallel, speeding up the kubernetes bom generation significantly
    • When generating a SPDX package from a directory, file paths will now be relative to the dir root
    • Golang packages that have local replacements will be honored saving a considerable amount of downloads
    • Fixed a bug where we would erase the local golang package install
    • Fixed a bug where license data would be saved in the download cache directory, resulting in the license classifier having a lower accuracy
    • Golang packages will now include all license text in the SBOM as well as the SPDX license identifier
    • New function license.ReadTopLicense() will scan and return only the most significant license in a directory, potentially avoiding thousands of operations in the classifier code. (#2096, @puerco) [SIG Release]
  • Apache-2.0 is now defined as the default and expressed license in packages
    • The SPDX package now supports ExternalDocRef making it possible to define external documents related to an SBOM
    • Added functions to the release package to get the produced artifacts (ListBuildImages, ListBuildTarballs, ListBuildBinaries)
    • Added release tarballs (client, server, node) to artifacts SBOM
    • Binaries are now listed with their correct relative paths in the artifacts SBOM
    • Fixed a bug where SPDX Ids would clash when two packages shared the same base image
    • The source code SBOM is now referenced by the artifacts SBOM packages as GENERATED_FROM
    • Added tests to ensure SPDX Relationships render correctly (#2156, @puerco) [SIG Release]
  • Changed archived Kubernetes release sources to be compressed as tarball (#2130, @saschagrunert) [SIG Release]
  • Debian-base: Build buster-v1.8.0 image (#2135, @jindijamie) [SIG Release]
  • Debian-base: Build buster-v1.9.0 image (#2189, @justaugustus) [SIG Release]
  • Debian-iptables: Build buster-v1.6.5 image
  • Debian-iptables: Build buster-v1.6.6 image
  • Fixed a bug that was causing errors downloading go packages. Except for a few specific deps, we now have licensing data for all packages.
    • Corrected a bug where HTML entities were being introduced into the SPDX licenses and output. The code was wrongly using html/template instead of text/template.
    • There is now a new Relationship type and a better way to relate objects among themselves via a new spdx.Object interface
    • New SPDX object interface. This is important as we will start having functions that can take either packages or files, hence we create the interface to address them both
    • Changes the way image references are treated when generating an SBOM from an image reference. The spdx package will now fetch all images for all architectures found
    • New function to generate a valid SPDX ID string. Optionally, it can take strings as seeds to generate a more intuitive ID for packages and files.
    • Fixes a bug where month and day were in the wrong order in the SPDX document date. (#2147, @puerco) [SIG Release]
  • K8s-ci-builder: Add 1.22 variant, drop 1.18 variant
    • k8s-ci-builder: Add 1.23 variant
    • k8s-ci-builder: Build go1.16.6 images
    • k8s-cloud-builder: Build v1.17.0-rc.1-1 image (#2168, @justaugustus) [SIG Release]
  • K8s-cloud-builder/k8s-ci-builder: Build image using go1.15.15 (#2200, @cpanato) [SIG Release]
  • K8s-cloud-builder/k8s-ci-builder: Build image using go1.16.7 (#2198, @cpanato) [SIG Release]
  • K8s-cloud-builder: Build image using go1.16.6 (#2163, @puerco) [SIG Release]
  • K8s-cloud-builder: Build v1.17.0-rc.2-1 image (#2190, @justaugustus) [SIG Release]
  • Schedule-builder: add new field (#2173, @cpanato) [SIG Release]
  • Stage now runs completely without setting the github token in the k/k clone remote configuration
    • krel now resets the git origin remote in the staged clone of kubernetes/kubernetes to pickup a new GITHUB_TOKEN if we change it.
    • before archiving the release, we now delete the git remote config (#2127, @puerco) [SIG Release]
  • The binary.Binary object has a new method ContainsString() that allows for searching inside the binary for one or more strings.
    • The release process now has a new step during staging, VerifyArtifacts, during which we will perform checks of the artifacts we produce.
    • Binaries are now checked to ensure they are of the expected platform/arch
    • The version tag in binaries is now checked to ensure they match each release version tag
    • Fixed a bug in release.ListBuildBinaries where server and client tarballs were wrongly included in the output. (#2160, @puerco) [SIG Release]
  • Update dependencies.yaml 1.15 to use Go 1.15.14
    • k8s-cloud-builder: Build v1.15.14-legacy-1/v1.15.14-1 image
    • k8s-ci-builder: Build 1.15 image variants using Go 1.15.14 (#2171, @puerco) [SIG Release]
  • When running release from a non-main branch, krel will now merge any commits before pushing the branch back to github, avoiding conflicts due to divergent branches. (#2128, @puerco) [SIG Release]
  • When staging a new kubernetes build, krel will now prewarm the license cache to have the classifier data ready when generating the bill of materials.
    • The release process staging phase now has a GenerateBillOfMaterials() step that builds the SPDX documents.
    • We now create an SPDX SBOM describing the Kubernetes source during staging
    • Each version in a release now features an SPDX bill of materials listing its binaries and images
    • stage.GenerateBillOfMaterials() now has an integration test (#2095, @puerco) [SIG Release]
  • [go1.15] Update kubernetes/kubernetes dependents to use Go 1.15.13
    • k8s-cloud-builder: Build v1.15.13-legacy-1/v1.15.13-1 image
    • k8s-ci-builder: Build image variants using Go 1.15.13 (#2122, @thejoycekung) [SIG Release]
  • [go1.16] Update kubernetes/kubernetes dependents to use go1.16.5
    • k8s-cloud-builder: Build v1.16.5-1 image
    • k8s-ci-builder: Build image variants using go1.16.5 (#2116, @cpanato) [SIG Release]
  • [go1.17] Build images for go1.17rc1 (#2117, @justaugustus) [SIG Release]
  • [go1.17] Build images for go1.17rc2 (#2188, @justaugustus) [SIG Release]
  • [go] go1.16.5 and go1.15.13 updates
    • kube-cross: Build v1.16.5-1 and v1.15.13-1 images
    • go-runner: Build v2.3.1-go1.16.5-buster.0 and v2.3.1-go1.15.13-buster.0
    • releng-ci: build image for go1.16.5 and go1.15.13
    • kubepkg/packages-deb: update base image to go1.16.5 (#2111, @cpanato) [SIG Release]
  • [go] go1.16.6 and go1.15.14 updates
    • kube-cross: Build v1.16.6-1 and v1.15.14-1 images
    • go-runner: Build v2.3.1-go1.16.6-buster.0 and v2.3.1-go1.15.14-buster.0
    • releng-ci: build image for go1.16.6 and go1.15.14
    • kubepkg/packages-deb: update base image to go1.16.6 (#2162, @mengjiao-liu) [SIG Release]
  • [go] go1.16.7 and go1.15.15 updates
    • go-runner: Build v2.3.1-go1.16.7-buster.0 and v2.3.1-go1.15.15-buster.0
    • releng-ci: build image for go1.16.6 and go1.15.15
    • kube-cross: Build v1.16.7-1 and v1.15.15-1 images
    • kubepkg/packages-deb: update base image to go1.16.7
    • k8s-cloud-builder: Build v1.16.7-1 / v1.15.15-1 / v1.15.15-legacy-1 images (#2197, @cpanato) [SIG Release]
  • PrerequisitesChecker now has options; currently the only one is CheckGitHubToken. This bool allows us to run without setting the GITHUB_TOKEN variable when not needed (#2138, @puerco) [SIG Release]
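
The html/template versus text/template bug noted above (#2147), shown as an added example that is not code from the release tooling. The SPDX fragment, the sample license text and all function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	"io"
	"regexp"
	texttpl "text/template"
)

// Constructed SPDX tag-value fragment (LicenseID and ExtractedText are SPDX 2.x tags).
const licenseTmpl = "LicenseID: {{.ID}}\nExtractedText: <text>{{.Text}}</text>\n"

// Constructed sample license data, not taken from any real package.
var sample = struct{ ID, Text string }{
	"LicenseRef-example",
	`Copyright (c) "Example Authors" <dev@example.com> & contributors`,
}

// executor is satisfied by both text/template and html/template templates.
type executor interface {
	Execute(w io.Writer, data interface{}) error
}

func render(t executor) string {
	var b bytes.Buffer
	if err := t.Execute(&b, sample); err != nil {
		panic(err)
	}
	return b.String()
}

// renderText emits values verbatim, which is what a tag-value SBOM needs.
func renderText() string { return render(texttpl.Must(texttpl.New("spdx").Parse(licenseTmpl))) }

// renderHTML applies contextual HTML escaping and so alters the license text.
func renderHTML() string { return render(htmltpl.Must(htmltpl.New("spdx").Parse(licenseTmpl))) }

// entityRe is a heuristic check for HTML entities leaked into SBOM output.
var entityRe = regexp.MustCompile(`&(#[0-9]+|#x[0-9a-fA-F]+|[a-zA-Z]+);`)

// leakedEntities returns every HTML entity found in a rendered document.
func leakedEntities(doc string) []string { return entityRe.FindAllString(doc, -1) }

func main() {
	fmt.Printf("text/template:\n%sentities: %q\n", renderText(), leakedEntities(renderText()))
	fmt.Printf("html/template:\n%sentities: %q\n", renderHTML(), leakedEntities(renderHTML()))
}
```

Escaped license text no longer matches the original byte for byte, so a check like `leakedEntities` over generated SBOMs is a cheap regression guard for this class of bug.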

Documentation

  • Add documentation for the bom utility
    • In-depth HOWTO guide to generating an SPDX Bill of Materials using our tools (#2109, @puerco) [SIG Release]

Bug or Regression

  • Debian-iptables: select nft mode if nft lines > legacy lines, matching https://github.com/kubernetes-sigs/iptables-wrappers/ (#2106, @BenTheElder) [SIG Release]
  • Fixed a bug where creating a PR would fail with a too many open files error. (#2180, @puerco) [SIG Release]
  • Fixed a bug where the changelog table of contents was generated before dependency changes. (#2194, @saschagrunert) [SIG Release]
  • Git Pusher will now check for a remote branch before attempting to fetch + merge (#2177, @puerco) [SIG Release]
  • Update go-git to v5.4.2 to fix a bug that prevented the release process from cloning repositories (#2104, @puerco) [SIG Release]

Other (Cleanup or Flake)

  • Made krel --log-level=debug output less verbose in terms of git commands. The previous behavior can be restored by
    using the trace log level. (#2136, @saschagrunert) [SIG Release]

  • Debian-iptables: Build buster-v1.6.3 image

    • setcap: Build buster-v2.0.2 image (#2118, @rikatz) [SIG Release]
  • Debian-iptables: Stop pinning the iptables version

  • Gcb/stage: Add read-only GITHUB_TOKEN to enable relnotes generation (#2140, @justaugustus) [SIG Release]

  • Gcb/stage: Remove extraneous GITHUB_TOKEN from config

    Given we no longer set an authenticated git environment in the staging
    phase of the release, we no longer need to include the GitHub token in
    the secrets environment. (#2137, @justaugustus) [SIG Release]

  • Gcb: Update GITHUB_TOKEN to use new authentication token format (#2126, @justaugustus) [SIG Release]

  • Kube-cross: Build v1.16.5-canary-2 image without etcd (#2124, @justaugustus)

  • Namespaces for the SPDX documents now use the sbom.k8s.io URI as the final place for the Kubernetes SBOMs. (#2186, @puerco) [SIG Release]

  • Packages/deb: Use ci/latest.txt as canonical cross build marker (#2153, @justaugustus) [SIG Release]

  • Push-build.sh defaults to k8s-release-dev instead of
    kubernetes-release-dev (kubernetes/k8s.io#846) (#2158, @spiffxp) [SIG Release]

  • When training the license classifier, the license package will now ignore deprecated license IDs from the SPDX catalog. (#2159, @puerco) [SIG Release]

Dependencies

Added

  • bazil.org/fuse: 371fbbd
  • github.com/Azure/azure-sdk-for-go: v16.2.1+incompatible
  • github.com/Azure/go-autorest/autorest/adal: v0.9.5
  • github.com/Azure/go-autorest/autorest/date: v0.3.0
  • github.com/Azure/go-autorest/autorest/mocks: v0.4.1
  • github.com/Azure/go-autorest/autorest: v0.11.1
  • github.com/Azure/go-autorest/logger: v0.2.0
  • github.com/Azure/go-autorest/tracing: v0.6.0
  • github.com/Azure/go-autorest: v14.2.0+incompatible
  • github.com/Microsoft/hcsshim/test: 43a75bb
  • github.com/Microsoft/hcsshim: v0.8.16
  • github.com/Shopify/logrus-bugsnag: 577dee2
  • github.com/alexflint/go-filemutex: 72bdc8e
  • github.com/antihax/optional: v1.0.0
  • github.com/asaskevich/govalidator: f61b66f
  • github.com/bitly/go-simplejson: v0.5.0
  • github.com/bmizerany/assert: b7ed37b
  • github.com/bshuster-repo/logrus-logstash-hook: v0.4.1
  • github.com/buger/jsonparser: f4dd9f5
  • github.com/bugsnag/bugsnag-go: b1d1530
  • github.com/bugsnag/osext: 0dd3f91
  • github.com/bugsnag/panicwrap: e2c2850
  • github.com/cespare/xxhash/v2: v2.1.1
  • github.com/checkpoint-restore/go-criu/v4: v4.1.0
  • github.com/cilium/ebpf: v0.4.0
  • github.com/cncf/xds/go: fbca930
  • github.com/cockroachdb/datadriven: 80d97fb
  • github.com/containerd/aufs: v1.0.0
  • github.com/containerd/btrfs: v1.0.0
  • github.com/containerd/cgroups: v1.0.1
  • github.com/containerd/console: v1.0.2
  • github.com/containerd/continuity: v0.1.0
  • github.com/containerd/fifo: v1.0.0
  • github.com/containerd/go-cni: v1.0.2
  • github.com/containerd/go-runc: v1.0.0
  • github.com/containerd/imgcrypt: v1.1.1
  • github.com/containerd/nri: v0.1.0
  • github.com/containerd/ttrpc: v1.0.2
  • github.com/containerd/typeurl: v1.0.2
  • github.com/containerd/zfs: v1.0.0
  • github.com/containernetworking/cni: v0.8.1
  • github.com/containernetworking/plugins: v0.9.1
  • github.com/containers/ocicrypt: v1.1.1
  • github.com/coreos/go-iptables: v0.5.0
  • github.com/coreos/go-oidc: v2.1.0+incompatible
  • github.com/coreos/go-systemd/v22: v22.3.2
  • github.com/cyphar/filepath-securejoin: v0.2.2
  • github.com/d2g/dhcp4: a1d1b6c
  • github.com/d2g/dhcp4client: v1.0.0
  • github.com/d2g/dhcp4server: 7d4a0a7
  • github.com/d2g/hardwareaddr: e7d9fbe
  • github.com/denverdino/aliyungo: a747050
  • github.com/dnaeon/go-vcr: v1.0.1
  • github.com/docker/go-events: e31b211
  • github.com/docker/go-metrics: v0.0.1
  • github.com/docker/libtrust: fa56704
  • github.com/docker/spdystream: 449fdfc
  • github.com/dustin/go-humanize: v1.0.0
  • github.com/elazarl/goproxy: 947c36d
  • github.com/evanphx/json-patch: v4.9.0+incompatible
  • github.com/form3tech-oss/jwt-go: v3.2.2+incompatible
  • github.com/frankban/quicktest: v1.11.3
  • github.com/fullsailor/pkcs7: d7302db
  • github.com/garyburd/redigo: 535138d
  • github.com/go-ini/ini: v1.25.4
  • github.com/godbus/dbus/v5: v5.0.4
  • github.com/godbus/dbus: ade71ed
  • github.com/gogo/googleapis: v1.4.0
  • github.com/gorilla/handlers: 60c7bfd
  • github.com/gregjones/httpcache: 9cad4c3
  • github.com/j-keck/arping: 2cf9dc6
  • github.com/kr/fs: v0.1.0
  • github.com/marstr/guid: v1.1.0
  • github.com/mattn/go-shellwords: v1.0.3
  • github.com/miekg/pkcs11: v1.0.3
  • github.com/mistifyio/go-zfs: f784269
  • github.com/mitchellh/osext: 5e2d6d4
  • github.com/moby/locker: v1.0.1
  • github.com/moby/sys/mountinfo: v0.4.1
  • github.com/moby/sys/symlink: v0.1.0
  • github.com/mrunalp/fileutils: v0.5.0
  • github.com/mxk/go-flowrate: cca7078
  • github.com/ncw/swift: v1.0.47
  • github.com/opencontainers/runc: v1.0.0-rc93
  • github.com/opencontainers/runtime-spec: e6143ca
  • github.com/opencontainers/runtime-tools: 1d69bd0
  • github.com/opencontainers/selinux: v1.8.0
  • github.com/peterbourgon/diskv: v2.0.1+incompatible
  • github.com/pkg/sftp: v1.10.1
  • github.com/pquerna/cachecontrol: 0dec1b3
  • github.com/safchain/ethtool: 42ed695
  • github.com/satori/go.uuid: v1.2.0
  • github.com/seccomp/libseccomp-golang: v0.9.1
  • github.com/stefanberger/go-pkcs11uri: 78d3cae
  • github.com/syndtr/gocapability: 42c35b4
  • github.com/tchap/go-patricia: v2.2.6+incompatible
  • github.com/urfave/cli: v1.22.2
  • github.com/vishvananda/netlink: d40f988
  • github.com/vishvananda/netns: db3c7e5
  • github.com/willf/bitset: v1.1.11
  • github.com/xeipuuv/gojsonpointer: 4e3ac27
  • github.com/xeipuuv/gojsonreference: bd5ef7b
  • github.com/xeipuuv/gojsonschema: 1d52303
  • github.com/yvasiyarov/go-metrics: 57bccd1
  • github.com/yvasiyarov/gorelic: a9bba5b
  • github.com/yvasiyarov/newrelic_platform_go: b21fdbd
  • go.etcd.io/etcd/api/v3: v3.5.0
  • go.etcd.io/etcd/client/pkg/v3: v3.5.0
  • go.etcd.io/etcd/client/v2: v2.305.0
  • go.etcd.io/etcd: dd1b699
  • go.mozilla.org/pkcs7: 432b235
  • go.opentelemetry.io/proto/otlp: v0.7.0
  • google.golang.org/cloud: 975617b
  • google.golang.org/grpc/cmd/protoc-gen-go-grpc: v1.1.0
  • gopkg.in/airbrake/gobrake.v2: v2.0.9
  • gopkg.in/cheggaaa/pb.v1: v1.0.25
  • gopkg.in/gemnasium/logrus-airbrake-hook.v2: v2.1.2
  • gopkg.in/inf.v0: v0.9.1
  • gopkg.in/natefinch/lumberjack.v2: v2.0.0
  • gopkg.in/square/go-jose.v2: v2.5.1
  • k8s.io/api: v0.20.6
  • k8s.io/apimachinery: v0.20.6
  • k8s.io/apiserver: v0.20.6
  • k8s.io/client-go: v0.20.6
  • k8s.io/component-base: v0.20.6
  • k8s.io/cri-api: v0.20.6
  • k8s.io/kubernetes: v1.13.0
  • sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.15