Supply Chain Security

KubeLB v1.3 provides supply chain security for both Community Edition (CE) and Enterprise Edition (EE):

  • SBOM Generation: SPDX format SBOMs for all binaries and container images
  • Keyless Artifact Signing: Cosign signatures for binaries, images, and Helm charts
  • SBOM Attestation: Signed SBOM attestations via Cosign
  • Immutable Releases: Release artifacts cannot be modified after publication
  • Vulnerability Scanning: Automated scanning in PRs and release pipeline
  • Dependency Monitoring: Dependabot tracks and updates vulnerable dependencies

CE Additional Features:

  • OpenSSF Scorecard for security health metrics
  • GitHub dependency graph
  • GitHub attestations and provenance publishing

These three rely on GitHub features that are only available for public repositories, which is why they are listed for CE only: the EE repository is licensed and not public.

Editions

Edition   Repository             Registry              Access
CE        kubermatic/kubelb      quay.io/kubermatic/   Public
EE        kubermatic/kubelb-ee   quay.io/kubermatic/   Licensed

Components:

Component            CE               EE
Manager              kubelb-manager   kubelb-manager-ee
CCM                  kubelb-ccm       kubelb-ccm-ee
Connection Manager   (EE only)        kubelb-connection-manager-ee

Verify Container Image Signatures

Images are signed keyless, so there is no public key to distribute. cosign instead checks that the signing certificate was issued to the release workflow of the project's repository at a tag ref (the --certificate-identity-regexp) by the GitHub Actions OIDC issuer (the --certificate-oidc-issuer), and that the signature is recorded in the Rekor transparency log. Tags are mutable, so after a successful verification deploy the image by the manifest digest that cosign reports (critical.image."docker-manifest-digest" in its output) rather than by tag.

# EE (login required for EE images)
docker login quay.io

cosign verify quay.io/kubermatic/kubelb-manager-ee:v1.3.0 \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb-ee/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

# CE
cosign verify quay.io/kubermatic/kubelb-manager:v1.3.0 \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify Helm Chart Signatures

Charts are published as OCI artifacts under quay.io/kubermatic/helm-charts and are verified exactly like the images, against the same release workflow identity.

# EE
cosign verify quay.io/kubermatic/helm-charts/kubelb-manager-ee:v1.3.0 \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb-ee/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

# CE
cosign verify quay.io/kubermatic/helm-charts/kubelb-manager:v1.3.0 \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify Release Checksums

Each release includes a checksums.txt file signed with Cosign. The signature ships as a Sigstore bundle (checksums.txt.sigstore.json) that carries the signing certificate and the Rekor log entry alongside the signature. A passing verify-blob only proves that checksums.txt is the file the release workflow produced; each downloaded asset still has to be compared against its SHA-256 entry in that file.

# EE (requires repository access)
# Download checksums.txt and checksums.txt.sigstore.json from the release

cosign verify-blob --bundle checksums.txt.sigstore.json checksums.txt \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb-ee/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

# CE: download from the GitHub release
curl -LO https://github.com/kubermatic/kubelb/releases/download/v1.3.0/checksums.txt
curl -LO https://github.com/kubermatic/kubelb/releases/download/v1.3.0/checksums.txt.sigstore.json

cosign verify-blob --bundle checksums.txt.sigstore.json checksums.txt \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
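The step the commands above stop short of is the comparison itself: once cosign has accepted checksums.txt, a downloaded asset is only as trustworthy as its match against that file. The script below is an added example, not part of the KubeLB docs or of the project's release tooling. It assumes checksums.txt uses the "<sha256 hex>  <filename>" layout written by sha256sum and that the asset keeps its release filename; the asset names in the demo are constructed and are not real release assets.

```shell
#!/bin/sh
# Added example, not part of the KubeLB docs or the project's release tooling.
# After `cosign verify-blob` has accepted checksums.txt, use the verified file
# to check a downloaded release asset. Assumptions: checksums.txt uses the
# "<sha256 hex>  <filename>" layout written by sha256sum, and the asset keeps
# its release filename (the names used in demo() are constructed).

# SHA-256 of a file: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_checksum CHECKSUMS_FILE ASSET
# Succeeds only if the asset's basename has exactly one entry in the checksums
# file and the digests match. An asset that is not listed fails closed: a
# signed checksums.txt says nothing about files it does not mention.
verify_checksum() {
  checksums=$1
  asset=$2
  name=$(basename "$asset")
  entries=$(awk -v f="$name" '$2 == f { n++ } END { print n + 0 }' "$checksums")
  if [ "$entries" -ne 1 ]; then
    echo "FAIL: $name has $entries entries in $checksums (expected 1)" >&2
    return 1
  fi
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$checksums")
  actual=$(sha256_of "$asset")
  if [ "$actual" != "$expected" ]; then
    echo "FAIL: $name digest $actual does not match $expected" >&2
    return 1
  fi
  echo "OK: $name"
}

# demo: constructed inputs only (no real release assets) covering a matching
# asset, an asset modified after the checksums were signed, and an asset that
# is absent from checksums.txt. Returns 0 when all three behave as intended.
demo() {
  d=$(mktemp -d)
  asset="$d/kubelb_v1.3.0_linux_amd64.tar.gz"   # assumed asset name
  printf 'constructed sample, not a real binary\n' > "$asset"
  printf '%s  %s\n' "$(sha256_of "$asset")" "$(basename "$asset")" > "$d/checksums.txt"
  verify_checksum "$d/checksums.txt" "$asset" || return 1
  printf 'x' >> "$asset"                         # tampered after signing
  verify_checksum "$d/checksums.txt" "$asset" 2>/dev/null && return 1
  : > "$d/unlisted.tar.gz"
  verify_checksum "$d/checksums.txt" "$d/unlisted.tar.gz" 2>/dev/null && return 1
  rm -rf "$d"
  echo "demo: match accepted, tampered and unlisted assets rejected"
}
```

In use, source the file after the cosign verify-blob step and run `verify_checksum checksums.txt <asset>` for every asset you downloaded; `demo` exercises the three cases on throwaway files. Requiring exactly one entry per filename is deliberate: a checksums file with duplicate lines for the same name is a sign something went wrong in release packaging and should not be treated as a pass.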

Software Bill of Materials (SBOM)

SBOMs are provided in SPDX (JSON) format for all artifacts.

Container Image SBOMs

SBOMs are attached to container images as OCI referrer artifacts (artifact type application/spdx+json) using ORAS, so they are discovered from the image itself rather than from a separately published tag. The query below takes the first referrer of that type. Note that oras pull does not check any signature on the referrer; for a signed SBOM, verify the attestation as described in the next section.

# EE (login required)
oras login quay.io

# Discover and pull the SBOM
SBOM_DIGEST=$(oras discover --format json --artifact-type application/spdx+json \
  quay.io/kubermatic/kubelb-manager-ee:v1.3.0 | jq -r '.referrers[0].digest')
oras pull quay.io/kubermatic/kubelb-manager-ee@${SBOM_DIGEST} --output sbom/

# CE
SBOM_DIGEST=$(oras discover --format json --artifact-type application/spdx+json \
  quay.io/kubermatic/kubelb-manager:v1.3.0 | jq -r '.referrers[0].digest')
oras pull quay.io/kubermatic/kubelb-manager@${SBOM_DIGEST} --output sbom/

Verify SBOM Attestation

The SBOM attestation is an in-toto statement wrapped in a DSSE envelope and signed with the same keyless identity as the image. cosign prints the envelope on success; the SBOM is the statement's predicate, base64-encoded in the envelope's payload field. --type spdxjson restricts the check to attestations with the SPDX predicate type.

# EE
cosign verify-attestation quay.io/kubermatic/kubelb-manager-ee:v1.3.0 \
  --type spdxjson \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb-ee/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

# CE
cosign verify-attestation quay.io/kubermatic/kubelb-manager:v1.3.0 \
  --type spdxjson \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Binary SBOMs

SBOMs for release binaries are published as GitHub release assets, one per binary and architecture:

  • kubelb_<version>_linux_amd64.sbom.spdx.json
  • kubelb_<version>_linux_arm64.sbom.spdx.json
  • ccm_<version>_linux_amd64.sbom.spdx.json
  • ccm_<version>_linux_arm64.sbom.spdx.json
  • connection-manager_<version>_linux_amd64.sbom.spdx.json
  • connection-manager_<version>_linux_arm64.sbom.spdx.json

# EE (requires repository access): download the assets from the kubelb-ee release page

# CE: all SBOMs are attached to the GitHub release; check the release page for the latest version
curl -LO https://github.com/kubermatic/kubelb/releases/download/v1.3.0/kubelb_v1.3.0_linux_amd64.sbom.spdx.json

Vulnerability Scanning

KubeLB enforces automated vulnerability scanning:

  • All PRs scanned before merge
  • Container images scanned with Trivy at release
  • HIGH/CRITICAL vulnerabilities block releases
  • Dependabot monitors dependencies

Scan locally:

trivy image quay.io/kubermatic/kubelb-manager:v1.3.0

Tools

  • Cosign — Artifact signing and verification
  • ORAS — OCI Registry As Storage

Vulnerability Reporting

See Vulnerability Reporting for security disclosure process.