Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] add cdx:k8s taxonomy #61

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

[WIP] add cdx:k8s taxonomy #61

wants to merge 3 commits into from

Conversation

itaysk
Copy link

@itaysk itaysk commented Jun 17, 2023

Add cdx:k8s taxonomy. Motivation has been discussed in #59.

Comments:

  1. I've decided to start simple and declare just one property that we actually need right now. I do expect us suggesting more fields in the future but to avoid premature discussion, I thought it would be best to declare only what's implemented right now.
  2. I've received some light feedback that role might be confused with "RBAC Role" in k8s context.
    2.1 "type"/"kind" are ambiguous especially in this context.
    2.2 cdx:components:component is semantically most accurate but possibly less readable
    2.3 Overall I think role is fine, but happy feedback welcome.
  3. k8s is commonly used (by the kubernetes community) to abbreviate Kubernetes, especially in use cases like this. LMK if you prefer kubernetes instead.

Close: #59

@itaysk itaysk requested a review from a team as a code owner June 17, 2023 07:26
@jkowalleck
Copy link
Member

Would you mind signing-off your commit, to show that you agree to publishing your contribution under the license of this very project?
Please read the instructions here: https://github.com/CycloneDX/cyclonedx-property-taxonomy/pull/61/checks?check_run_id=14340419670

cdx.md Outdated Show resolved Hide resolved
cdx/k8s.md Outdated Show resolved Hide resolved
Signed-off-by: Itay Shakury <[email protected]>
@jkowalleck jkowalleck self-requested a review June 18, 2023 09:36
Signed-off-by: Itay Shakury <[email protected]>
@jkowalleck jkowalleck changed the title add cds:k8s taxonomy add cdx:k8s taxonomy Jun 20, 2023
@itaysk
Copy link
Author

itaysk commented Jun 20, 2023

After some further discussion and feedback, I have slightly modified the PR:

  1. component type to identify if this is a control plane/node/other (unlabeled). note that Addon is omitted, since the definition of addon is unclear and even conflicting within the k8s documentation. users are still welcome to use this as value, but we don't think it should be encouraged.
  2. component name to identify the component. note the well known examples don't follow the linked doc by the letter since we found it to be out of touch with how k8s distros choose to label the core components

based on this I would also remove the link from the field descriptions and keep it only as a general reference at the namespace description, if you think it makes sense

Copy link
Member

@jkowalleck jkowalleck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

latest change make it hard to read what wand how things are about to be structured.

if you must distinguish between component's runner's type: structure things in a hierarchical way:

but at the moment i do not see any need for it, see #61 (comment)

| `cdx:k8s:component:role` | Role of the [Kubernetes component](https://kubernetes.io/docs/concepts/overview/components/). |
| Property | Description |
| --- | --- |
| `cdx:k8s:component:type` | Type of the [Kubernetes component](https://kubernetes.io/docs/concepts/overview/components/). Well-known roles are "controlPlane", "node" |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to my understanding, "controlPlane" and "node" are not types of a component, but workers that are defined as such are able to run specific components.

why do you need to make this clear in the first place?
if i knew a components role (like "kubelet") i would know on which runner-type this should be running (like "node").
there is no need to announce directly implied data, right?

could you describe why this information is useful?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the use of this field is just for information management, so that a user can search the control plane components or ignore them, etc. yes we don't mind removing it in the initial PR.

about your comment: for node-level components I think you're right and in fact we represent this as a dependency in the SBOM we generate. for control plane, there isn't an entity to refer to, we actually has a version with a controlplan entiry in the sbom just for the hierarchy but eventually decided to use property instead.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @itaysk in that there is value in stating the component type explicitly. If the tool generating the KBOM is able to deduce the type, why should the receiving party have to do it again?

The distinction of control plane vs. node is most certainly something the receiving party is interested in.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The distinction of control plane vs. node is most certainly something the receiving party is interested in.

@nscuro Is there an improvement you want to suggest?

| Property | Description |
| --- | --- |
| `cdx:k8s:component:type` | Type of the [Kubernetes component](https://kubernetes.io/docs/concepts/overview/components/). Well-known roles are "controlPlane", "node" |
| `cdx:k8s:component:name` | Name of the [Kubernetes component](https://kubernetes.io/docs/concepts/overview/components/). Well-known names are "kube-apiserver", "kube-scheduler", kube-controller-manager", "cloud-controller-manager", "kubelet", "kube-proxy", "dashboard", "cni", "csi" |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you mentioned that the names are not the official ones but different.
The official ones do have documentation and I would recognize them. Your custom values have no documentation at all.
what is the benefit in custom values?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the long comment.
I think this document does not intend to be the source of truth for how to classify or name components and it's not comprehensive nor up to date. Also, it is written as an article and not a technical document and therefore I don't think the titles used there should be taken verbatim as canonical names. For example:

  1. some of the components like kube-apiserver or cloud-controller-manager are written in a technical standard, while some like Web UI (Dashboard) or Container Resource Monitoring are written in a human readable standard. Also some titles like "Logging" or "Monitoring" aren't grammatically fitting for a component role or type. I think offering the latter as well known is inconsistent and potentially confusing.
  2. "Network Plugins" is a good for a doc title in but the technical term generally used is CNI Plugin (container network interface). This is used in other parts of the k8s docs and in other k8s tools. The doc covers CNI but not CSI (container storage interface) which is a more recent addition. If we chose the doc title "Network Plugin" should we call the other one "Storage Plugin" to go with the theme? probably not.
  3. Web UI (dashboard) - again, decent title in an web page, but I don't think it's useful in a json document.
  4. Addons is an entire rabbit hole of inconsistency and ill defined concepts. Addons used to be a k8s feature (there was an "addon-manager" and a collection of addons) but this is no longer. Now addon is an abstract concept which has conflicting definitions: the k8s docs refer to addons as k8s components in kube-system namespace, but the addons listed in the same don't follow this definition. most kubernetes utilities today (that could have been "addons") are being distributed and installed by users however they want and aren't called addons anymore. so for us, we decided against trying to fix this problem and just ignore it.

IMO - besides the "very well known" components (apiserver, kubelet, etc) I think it will be very hard to map components to a common taxonomy (for example, is this app I found a k8s dashboard or just an admin tool you happen to have there) and it's also not a problem we're trying to solve right now.

I can restore my original version with the titles from doc, or keep just the "very well known" components, up to you.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, the naming scheme used by the linked document is inconsistent and there exist better, technical names that are widely used in the industry.

For cni and csi specifically though, I'd suggest to use cni-plugin and csi-plugin instead. CNI and CSI are just interfaces exposed by k8s, whereas what you'd list in a KBOM are implementations of it (e.g. Calico, Cilium).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so we really need a set of well-known values in the documentation, right?
Would you add one, so we can discuss it?

Copy link
Member

@jkowalleck jkowalleck Jul 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, the naming scheme used by the linked document is inconsistent and there exist better, technical names that are widely used in the industry.

Why is this? I mean, we are scoping for Kubernetes, right?
How comes the terms from the docs of Kubernetes are inconsistent, and why are there technical names that are widely used in the industry instead?
Could somebody explain and help me understand, whether we are still in the technical scope of Kubernetes, not in general container scope?

@jkowalleck jkowalleck marked this pull request as draft June 27, 2023 21:41
@jkowalleck jkowalleck changed the title add cdx:k8s taxonomy [WIP] add cdx:k8s taxonomy Jun 27, 2023
@jkowalleck
Copy link
Member

@nscuro may I ask for your opinion on this PR?

@jkowalleck jkowalleck requested review from nscuro and coderpatros June 27, 2023 21:42
@nscuro
Copy link
Member

nscuro commented Jun 30, 2023

@jkowalleck Just wanted to ping you that I saw your request and I have it on my list, just didn't have time yet to dig into this. Will provide some feedback this weekend.

@jkowalleck
Copy link
Member

jkowalleck commented Jul 1, 2023

KSOK also has an Kubernetes taxonomy: https://github.com/ksoclabs/kbom/blob/main/docs/taxonomy.md
I asked for corporation to join efforts

CC @mateuszdyminski

@jkowalleck
Copy link
Member

@jkowalleck
Copy link
Member

@itaysk how is the status on this pull request, from your perspective?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[PROPOSAL] general purpose kubernetes taxonomy KBOM
3 participants