Digital Repository

ARGO-SLSA: Software Supply Chain Security for Argo Workflows


dc.contributor.author Thariq, Mohomed
dc.date.accessioned 2026-04-02T06:42:06Z
dc.date.available 2026-04-02T06:42:06Z
dc.date.issued 2025
dc.identifier.citation Thariq, Mohomed (2025) ARGO-SLSA: Software Supply Chain Security for Argo Workflows. BSc. Dissertation, Informatics Institute of Technology en_US
dc.identifier.issn 20200758
dc.identifier.uri http://dlib.iit.ac.lk/xmlui/handle/123456789/3094
dc.description.abstract With modern software development widely adopting distributed systems and microservice architectures to handle the growing complexity of scaling, Kubernetes has become the widely adopted standard. Beyond software deployment, cloud-native ecosystems are being extended to run CI/CD workflows that build and produce software artifacts with tools like Argo Workflows. In the recent past there has been a sharp rise in attacks on software supply chains, which affect both software producers and consumers. With these growing concerns, securing the software supply chain has become a key goal of the software development lifecycle. Even though established frameworks (e.g., SLSA (Supply-chain Levels for Software Artifacts)) are designed to mitigate and reduce these types of attacks, the complexity of the solutions, the ever-growing problem domain and a lack of knowledge of the problem domain lead to inconsistent adoption, or no adoption, of secure software supply chain practices. While it is a widely adopted workflow engine in the Kubernetes ecosystem, Argo Workflows does not provide any native functionality to enforce high security and integrity standards for artifacts. This project proposes to address these problems by developing a Kubernetes controller to monitor, reconcile and secure artifacts created via Argo Workflows, ensuring they meet high integrity standards. It is developed as a Kubernetes-native controller, leveraging the Operator SDK and Golang, that connects to the Argo Workflows ecosystem. The controller is designed to monitor workflows, extract artifact metadata and perform security operations such as cryptographic signing, attaching SLSA provenance (information on how the artifact was built, according to the SLSA framework specification) and attaching an SBoM (information on the dependencies used within the software).
This solution implements a prototype that addresses these concerns through core functions such as artifact monitoring and workflow reconciliation, enforcing software supply chain security throughout the Argo Workflows ecosystem. The controller can reliably reconcile workflow states, retrieve pod logs and enforce the integrity of artifacts created using Argo Workflows. The results show that the controller can contribute to improving the security and traceability of software artifacts flowing through CI/CD pipelines, toward maintaining stronger overall supply chain security in the Argo Workflows ecosystem. en_US
dc.language.iso en en_US
dc.subject Argo Workflows en_US
dc.subject Artifact Management en_US
dc.subject Distributed Systems en_US
dc.title ARGO-SLSA: Software Supply Chain Security for Argo Workflows en_US
dc.type Thesis en_US