sign and detect tampering#809
Conversation
Signed-off-by: entlein <einentlein@gmail.com>
|
Warning Review limit reached
More reviews will be available in 45 minutes and 17 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (27)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…state Signed-off-by: entlein <einentlein@gmail.com>
|
@coderabbitai review Collective re-review request after applying your atomic-split advisory + rabbit-feedback fixes across the full SBOB upstream PR set. Each PR is now scoped to a single tier per your dependency map: Tier 0 (opens):
Tier 2 (execs):
Tier 3 (network):
Tier 4 (tamper/sign):
Umbrellas:
Please confirm atomicity per your earlier advisory and flag any remaining cross-PR coupling we missed. |
🧩 Analysis chain🏁 Script executed: Length of output: 7360
Atomicity Assessment — PR
|
| Surface | Files | Assessment |
|---|---|---|
pkg/signature/** (21 files) |
cosign adapter, sign/verify, profile adapters, signer/verifier interfaces, cluster tests | Exclusively in #809 — fully atomic |
cmd/sign-object/ |
Dockerfile, main.go |
Exclusively in #809 — fully atomic, standalone binary |
pkg/exporters/alert_manager.go |
alert routing for tamper events | Exclusively in #809 — atomic |
⚠️ Cross-PR Coupling Detected
Hard file overlap between #808 and #809:
| File | In #808 |
In #809 |
|---|---|---|
pkg/objectcache/containerprofilecache/tamper_alert.go |
✅ | ✅ |
pkg/objectcache/containerprofilecache/tamper_alert_test.go |
✅ | ✅ |
Both PRs are in Tier 4 and both modify the exact same two files. This creates:
- Hard merge-order dependency — whichever lands second must absorb the other's changes to these files without a clean rebase surface.
- Logical split ambiguity —
#808's scope is projection overlay + tamper infrastructure, while#809's is cosign sign/verify + tamper detection. The tamper_alert files bridge both concerns, but they can't atomically belong to two PRs simultaneously.
Recommendation: Decide ownership of tamper_alert.{go,_test.go}:
- If
tamper_alert.gocontains only the structural tamper hook (non-signature logic), move it entirely into#808and have#809only call into it. - If it contains cosign-verification-driven alert logic, move it entirely into
#809and have#808leave a stub or interface boundary.
Either way, only one PR should own the file; the other should depend on the merged result.
Tier Structure — Remaining Cross-PR Coupling Map
graph TD
subgraph Tier0["Tier 0 (opens)"]
S323["storage#323\npath-wildcards core"]
NA811["node-agent#811\nwas_path_opened CEL\n✅ atomic (2 files, clean)"]
end
subgraph Tier2["Tier 2 (execs)"]
S322["storage#322 CompareExecArgs"]
S325["storage#325 CollapseConfig CRD"]
NA805["node-agent#805 resolveExecPath"]
NA807["node-agent#807 R0040 args"]
NA812["node-agent#812 ExecsByPath"]
end
subgraph Tier3["Tier 3 (network)"]
S324["storage#324 networkmatch"]
NA806["node-agent#806 network CEL"]
end
subgraph Tier4["Tier 4 (tamper/sign)"]
NA808["node-agent#808\nprojection + tamper infra"]
NA809["node-agent#809\ncosign sign/verify\n⚠️ tamper_alert overlap"]
NA808 -->|"tamper_alert.go\nOVERLAP"| NA809
end
subgraph Umbrella["Umbrellas"]
S326["storage#326"]
NA810["node-agent#810\nabsorbs all ✅"]
end
Tier0 --> Tier2
Tier2 --> Tier4
Tier3 --> Tier4
All other tier boundaries appear clean — no file overlaps detected outside the #808↔#809 pair. The umbrella PR #810 correctly absorbs all files from both.
✅ Actions performed
Full review triggered.
Three matthyx blockers (2026-05-27): (1) tamper_alert.go:28 — imports pkg/signature and pkg/signature/profiles which ship in node-agent#809 (not yet merged). Adds minimum-surface stubs (pkg/signature/stub.go, pkg/signature/profiles/stub.go) so the PR compiles standalone. With IsSigned returning false, the tamper path short-circuits and never invokes Verify — the no-op stub is behavior- safe: signed-profile detection is dormant until kubescape#809 lands and replaces these files with the real implementation. (2) projection_apply.go:265 — NetworkNeighbor.IPAddresses missing. (3) mock.go:202 — same IPAddresses issue. Both (2) and (3) resolved by replacing kubescape/storage with k8sstormcenter/storage's upstream-pr/sbob-network tip 46f37d32 (sibling of kubescape/storage#324). Removed when kubescape#324 merges and a release ships IPAddresses.
…ofiles + fixtures
…ofiles + fixtures
2 participants
This PR needs to be reviewed together with the original signature PR
It builds upon the previous PRs and adds
cmd/sign-object/: standalone binary an admin uses to sign a profile against a cosign key.(This one has no sister PR in storage)