This version is under construction, please use an official release version

Supply Chain Security

Starting from v1.3, KubeLB provides supply chain security for both Community Edition (CE) and Enterprise Edition (EE):

  • SBOM Generation: SPDX format SBOMs for all binaries and container images
  • Keyless Artifact Signing: Cosign signatures for binaries, images, and Helm charts
  • SBOM Attestation: Signed SBOM attestations via Cosign
  • Immutable Releases: Release artifacts cannot be modified after publication
  • Vulnerability Scanning: Automated scanning in PRs and release pipeline
  • Dependency Monitoring: Dependabot tracks and updates vulnerable dependencies

CE Additional Features:

  • OpenSSF Scorecard for security health metrics
  • GitHub dependency graph
  • GitHub attestations and provenance publishing

These features are not available in the Enterprise Edition because its repository is private.

Editions

Edition   Repository             Registry             Access
CE        kubermatic/kubelb      quay.io/kubermatic/  Public
EE        kubermatic/kubelb-ee   quay.io/kubermatic/  Licensed

Components:

Component           CE              EE
Manager             kubelb-manager  kubelb-manager-ee
CCM                 kubelb-ccm      kubelb-ccm-ee
Connection Manager  -               kubelb-connection-manager-ee

Verify Container Image Signatures

# Enterprise Edition (login required for EE images)
docker login quay.io

cosign verify quay.io/kubermatic/kubelb-manager-ee:v1.3.0 \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb-ee/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

# Community Edition
cosign verify quay.io/kubermatic/kubelb-manager:v1.3.0 \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify Helm Chart Signatures

# Enterprise Edition
cosign verify quay.io/kubermatic/helm-charts/kubelb-manager-ee:v1.3.0 \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb-ee/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

# Community Edition
cosign verify quay.io/kubermatic/helm-charts/kubelb-manager:v1.3.0 \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify Release Checksums

Each release includes a checksums.txt file signed with Cosign.

# Enterprise Edition (requires repository access)
# Download checksums.txt and checksums.txt.sigstore.json from the release

cosign verify-blob --bundle checksums.txt.sigstore.json checksums.txt \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb-ee/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

# Community Edition: download from the GitHub release
curl -LO https://github.com/kubermatic/kubelb/releases/download/v1.3.0/checksums.txt
curl -LO https://github.com/kubermatic/kubelb/releases/download/v1.3.0/checksums.txt.sigstore.json

cosign verify-blob --bundle checksums.txt.sigstore.json checksums.txt \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
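A passing verify-blob only proves that checksums.txt is the file the release workflow signed; each downloaded asset still has to be hashed and compared against that list. The following is an added example, not KubeLB's own tooling: it assumes checksums.txt is in sha256sum format ("<sha256 hex>  <filename>" per line), and the asset bytes and digest are constructed here rather than taken from a real release.

```python
import hashlib
import hmac

# Constructed sample asset and checksums.txt line; the digest is computed here,
# not taken from a real KubeLB release. Lines are assumed to be in sha256sum
# format, "<sha256 hex>  <filename>", one asset per line.
SAMPLE_NAME = "kubelb_v1.3.0_linux_amd64.sbom.spdx.json"
SAMPLE_BYTES = b'{"spdxVersion": "SPDX-2.3", "name": "constructed sample"}\n'
SAMPLE_CHECKSUMS = "%s  %s\n" % (hashlib.sha256(SAMPLE_BYTES).hexdigest(), SAMPLE_NAME)

def parse_checksums(text):
    """Map asset filename -> expected sha256 hex from checksums.txt content."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError("malformed checksum line: %r" % line)
        expected[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum output
    return expected

def verify_asset(name, data, checksums_text):
    """True only if `name` appears in the signed checksums.txt and `data` hashes to
    that value. An asset absent from the list is unverified, never a pass."""
    expected = parse_checksums(checksums_text)
    if name not in expected:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected[name])

if __name__ == "__main__":
    print("verified:", verify_asset(SAMPLE_NAME, SAMPLE_BYTES, SAMPLE_CHECKSUMS))
```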

Software Bill of Materials (SBOM)

SBOMs are provided in SPDX format for all artifacts.

Container Image SBOMs

SBOMs are attached to container images as OCI artifacts using ORAS.

# Login required
oras login quay.io

# Enterprise Edition: discover and pull SBOM
SBOM_DIGEST=$(oras discover --format json --artifact-type application/spdx+json \
  quay.io/kubermatic/kubelb-manager-ee:v1.3.0 | jq -r '.referrers[0].digest')
oras pull quay.io/kubermatic/kubelb-manager-ee@${SBOM_DIGEST} --output sbom/

# Community Edition: discover and pull SBOM
SBOM_DIGEST=$(oras discover --format json --artifact-type application/spdx+json \
  quay.io/kubermatic/kubelb-manager:v1.3.0 | jq -r '.referrers[0].digest')
oras pull quay.io/kubermatic/kubelb-manager@${SBOM_DIGEST} --output sbom/

Verify SBOM Attestation

# Enterprise Edition
cosign verify-attestation quay.io/kubermatic/kubelb-manager-ee:v1.3.0 \
  --type spdxjson \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb-ee/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

# Community Edition
cosign verify-attestation quay.io/kubermatic/kubelb-manager:v1.3.0 \
  --type spdxjson \
  --certificate-identity-regexp="^https://github.com/kubermatic/kubelb/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
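cosign verify-attestation prints one DSSE envelope per attestation it accepted; to use the SBOM inside it, the payload has to be decoded and its subject checked against the image digest you actually deploy, since a tag can be moved. The following is an added example, not KubeLB's own tooling: the envelope, digest, signature and package versions are constructed placeholders, and the SPDX predicateType value is the one cosign uses for --type spdxjson.

```python
import base64
import json

IN_TOTO_PREFIX = "https://in-toto.io/Statement/"
SPDX_PREDICATE = "https://spdx.dev/Document"  # cosign's predicateType for --type spdxjson

def _b64(obj):
    return base64.b64encode(json.dumps(obj).encode()).decode()

# Constructed sample of one envelope as printed by `cosign verify-attestation`.
# The digest, signature and package versions are placeholders, not real KubeLB values.
SAMPLE_STATEMENT = {
    "_type": IN_TOTO_PREFIX + "v0.1",
    "predicateType": SPDX_PREDICATE,
    "subject": [{"name": "quay.io/kubermatic/kubelb-manager",
                 "digest": {"sha256": "a" * 64}}],
    "predicate": {"spdxVersion": "SPDX-2.3",
                  "name": "quay.io/kubermatic/kubelb-manager:v1.3.0",
                  "packages": [{"name": "golang.org/x/net", "versionInfo": "v0.0.0-placeholder"},
                               {"name": "k8s.io/client-go", "versionInfo": "v0.0.0-placeholder"}]},
}
SAMPLE_ENVELOPE = json.dumps({"payloadType": "application/vnd.in-toto+json",
                              "payload": _b64(SAMPLE_STATEMENT),
                              "signatures": [{"keyid": "", "sig": "placeholder"}]})

def extract_sbom(envelope_json, expected_digest):
    """Decode a DSSE envelope that cosign has already signature-checked and return
    its SPDX predicate, refusing it unless it is an SPDX attestation whose subject
    is the exact image digest we intend to deploy (a tag alone can be re-pointed)."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType: %r" % env.get("payloadType"))
    stmt = json.loads(base64.b64decode(env["payload"]))
    if not str(stmt.get("_type", "")).startswith(IN_TOTO_PREFIX):
        raise ValueError("payload is not an in-toto statement")
    if stmt.get("predicateType") != SPDX_PREDICATE:
        raise ValueError("not an SPDX attestation: %r" % stmt.get("predicateType"))
    covered = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if expected_digest not in covered:
        raise ValueError("attestation does not cover digest sha256:%s" % expected_digest)
    return stmt["predicate"]

def list_packages(sbom):
    """Return (name, version) pairs from an SPDX JSON document."""
    return [(p.get("name"), p.get("versionInfo")) for p in sbom.get("packages", [])]

if __name__ == "__main__":
    for name, version in list_packages(extract_sbom(SAMPLE_ENVELOPE, "a" * 64)):
        print(name, version)
```

In practice the expected digest comes from resolving the image reference you deploy (for example the digest in the pod spec), not from the attestation itself.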

Binary SBOMs

SBOMs for release binaries are available as GitHub release assets.

Release assets (requires repository access):

  • kubelb_<version>_linux_amd64.sbom.spdx.json
  • kubelb_<version>_linux_arm64.sbom.spdx.json
  • ccm_<version>_linux_amd64.sbom.spdx.json
  • ccm_<version>_linux_arm64.sbom.spdx.json
  • connection-manager_<version>_linux_amd64.sbom.spdx.json
  • connection-manager_<version>_linux_arm64.sbom.spdx.json

# All SBOMs are available in the GitHub release assets. Refer to the GitHub release page for the latest version.
curl -LO https://github.com/kubermatic/kubelb/releases/download/v1.3.0/kubelb_v1.3.0_linux_amd64.sbom.spdx.json

Vulnerability Scanning

KubeLB enforces automated vulnerability scanning:

  • All PRs scanned before merge
  • Container images scanned with Trivy at release
  • HIGH/CRITICAL vulnerabilities block releases
  • Dependabot monitors dependencies

Scan locally:

trivy image quay.io/kubermatic/kubelb-manager:v1.3.0

Tools

  • Cosign — Artifact signing and verification
  • ORAS — OCI Registry As Storage

Vulnerability Reporting

See Vulnerability Reporting for the security disclosure process.