refactor: split repo into micromize and sigward products (monorepo)#151
Merged
Conversation
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
There was a problem hiding this comment.
Pull request overview
Refactors the repository into a monorepo that produces two deployables—Micromize (boundary enforcement) and Sigward (execution attestation)—while sharing the existing internal framework and build/release tooling.
Changes:
- Splits IMA/SBOM attestation into
internal/attestand introduces a newcmd/sigwardbinary wired to the Sigward gadget + IMA operator. - Renames the gadget from
binary-attestationtosigwardand updates build/release pipelines to build/publish it alongside existing gadgets. - Adds a new Helm chart for Sigward and removes SBOM/registry-auth plumbing from the Micromize chart.
Reviewed changes
Copilot reviewed 31 out of 32 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| README.md | Documents the two-product monorepo and introduces Sigward section/link. |
| Makefile | Builds both micromize and sigward binaries; adjusts embedded gadget tar copies per product. |
| internal/operators/operators.go | Removes IMA/SBOM operator from shared operators (Micromize no longer depends on SBOM). |
| internal/attest/ima.go | New IMA/SBOM operator implementation moved under internal/attest. |
| include/micromize/event_types.h | Renames comment label from binary-attestation to sigward for event types 7–10. |
| gadgets/sigward/program.bpf.h | Adds Sigward gadget header/types. |
| gadgets/sigward/program.bpf.c | Renames tracer/program identifiers and printk prefixes to sigward. |
| gadgets/sigward/gadget.yaml | Renames gadget and datasource from binary-attestation to sigward; updates URLs. |
| Dockerfile.sigward | New Sigward image build including gadget build/export + static Go build. |
| Dockerfile | Stops building/exporting the attestation gadget as part of Micromize image build. |
| cmd/sigward/root.go | New Sigward CLI wiring (IMA operator + gadget registry + namespace exemptions). |
| cmd/sigward/root_test.go | Unit tests for namespace-filter construction. |
| cmd/sigward/main.go | New Sigward entrypoint. |
| cmd/sigward/embeds.go | Embeds sigward.tar under the release build tag. |
| cmd/sigward/embeds_dev.go | Non-release stub for embedded gadget bytes. |
| cmd/micromize/root.go | Removes IMA operator and binary-attestation gadget registration from Micromize. |
| cmd/micromize/embeds.go | Removes embedded binary-attestation gadget tar from Micromize release build. |
| cmd/micromize/embeds_dev.go | Removes binary-attestation embedded-bytes stub from Micromize dev build. |
| charts/sigward/values.yaml | New Sigward chart values (image, filters, exempt label, registryAuth). |
| charts/sigward/values.schema.json | New Sigward values JSON schema. |
| charts/sigward/templates/serviceaccount.yaml | New ServiceAccount template for Sigward chart. |
| charts/sigward/templates/NOTES.txt | New chart notes for Sigward installation. |
| charts/sigward/templates/daemonset.yaml | New Sigward DaemonSet (includes registryAuth mount for SBOM pulls). |
| charts/sigward/templates/clusterrolebinding.yaml | New cluster role binding for Sigward chart. |
| charts/sigward/templates/clusterrole.yaml | New cluster role for Sigward chart. |
| charts/sigward/templates/_helpers.tpl | New Sigward chart helper templates. |
| charts/sigward/Chart.yaml | New Sigward Helm chart definition. |
| charts/micromize/values.yaml | Removes registryAuth values (Micromize no longer needs SBOM pull creds). |
| charts/micromize/values.schema.json | Removes registryAuth schema fields from Micromize chart. |
| charts/micromize/templates/daemonset.yaml | Removes registryAuth env/mount/volume from Micromize DaemonSet. |
| .github/workflows/release.yml | Releases Sigward image and includes sigward + socket-restrict in gadget release matrix. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Comment on lines
+43
to
+45
| # Required for ptrace-based gadgets. | ||
| - SYS_PTRACE | ||
| # Required for setting rlimits (e.g. memlock). |
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Comment on lines
+158
to
+162
| t.Run("falls back when env empty and no service account file", func(t *testing.T) { | ||
| t.Setenv(podNamespaceEnvVar, "") | ||
| if got := CurrentNamespace("sigward"); got != "sigward" { | ||
| t.Errorf("CurrentNamespace() = %q, want %q", got, "sigward") | ||
| } |
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Comment on lines
+141
to
+146
| } else if len(exemptNS) > 0 { | ||
| slog.Info("Exempt namespaces discovered (startup only)", "namespaces", exemptNS, "label", exemptLabel) | ||
| for _, ns := range exemptNS { | ||
| nsFilter += ",!" + ns | ||
| } | ||
| } |
Comment on lines
+26
to
+27
| "required": ["repository", "pullPolicy"] | ||
| }, |
Comment on lines
+158
to
+163
| t.Run("falls back when env empty and no service account file", func(t *testing.T) { | ||
| t.Setenv(podNamespaceEnvVar, "") | ||
| if got := CurrentNamespace("sigward"); got != "sigward" { | ||
| t.Errorf("CurrentNamespace() = %q, want %q", got, "sigward") | ||
| } | ||
| }) |
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Comment on lines
+69
to
+72
| rootCmd.PersistentFlags().BoolVar(&enforce, "enforce", true, "Enforce restrictions") | ||
| rootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Enable verbose logging") | ||
| rootCmd.PersistentFlags().StringVar(&filterNamespaces, "filter-namespaces", "", "Comma-separated list of Kubernetes namespaces to monitor (empty means all except 'sigward'). Supports exclusion with '!' prefix.") | ||
| rootCmd.PersistentFlags().StringVar(&filterImageDigest, "filter-image-digest", "", "Filter out containers running this image digest from monitoring (e.g. sha256:abc123...)") |
Comment on lines
+125
to
+128
| // Sigward attests every namespace, including its own — it follows its own | ||
| // attestation rules rather than exempting itself. Operators can still scope | ||
| // coverage with --filter-namespaces and --exempt-label. | ||
| nsFilter := utils.BuildNamespaceFilter(filterNamespaces, "") |
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Signed-off-by: Dor Serero <dor.serero@gmail.com>
Comment on lines
37
to
42
| const ( | ||
| fsRestrictGadgetImageRepo = "ghcr.io/micromize-dev/micromize/fs-restrict" | ||
| capRestrictGadgetImageRepo = "ghcr.io/micromize-dev/micromize/cap-restrict" | ||
| ptraceRestrictGadgetImageRepo = "ghcr.io/micromize-dev/micromize/ptrace-restrict" | ||
| socketRestrictGadgetImageRepo = "ghcr.io/micromize-dev/micromize/socket-restrict" | ||
| binaryAttestationGadgetImageRepo = "ghcr.io/micromize-dev/micromize/binary-attestation" | ||
| fsRestrictGadgetImageRepo = "ghcr.io/micromize-dev/micromize/fs-restrict" | ||
| capRestrictGadgetImageRepo = "ghcr.io/micromize-dev/micromize/cap-restrict" | ||
| ptraceRestrictGadgetImageRepo = "ghcr.io/micromize-dev/micromize/ptrace-restrict" | ||
| socketRestrictGadgetImageRepo = "ghcr.io/micromize-dev/micromize/socket-restrict" | ||
| ) |
| "github.com/micromize-dev/micromize/internal/utils" | ||
| ) | ||
|
|
||
| const sigwardGadgetImageRepo = "ghcr.io/micromize-dev/micromize/sigward" |
Comment on lines
+125
to
+129
| // Sigward attests every namespace, including its own — it follows its own | ||
| // attestation rules rather than exempting itself. Operators can still scope | ||
| // coverage with --filter-namespaces and --exempt-label. | ||
| nsFilter := utils.BuildNamespaceFilter(filterNamespaces, "") | ||
|
|
Signed-off-by: Dor Serero <dor.serero@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Restructures this repository moving out the execution-attestation into a separate binary. The execution-attestation is an interesting idea but it's complementary to the philosophy of micromize and therefore has different assumptions on the boundary it protects. At this point in time, it makes sense to separate them. Now we have:
cmd/micromize) — the boundary-enforcement agent.cmd/sigward) — execution attestation: verifies in the kernel (BPF-LSM + IMA) that only binaries/shared-objects/scripts declared in an image's signed SPDX SBOM may execute.The two are separate deployables (binaries, images, Helm charts) but share the
internal/framework, so there is one source of truth for the runner, operators, and tooling. In the future we can consider to unify the runtime layer for both, but at this point in time, the separation creates clearer boundaries and allows me to focus on the development of micromize itself.What changed
internal/attest/— new package holding the IMA operator (moved out ofinternal/operators).gadgets/sigward/— renamed fromgadgets/binary-attestation(prog/tracer/datasource ->sigward); still uses the sharedinclude/micromize/event_types.h(event types 7–10 unchanged).cmd/sigward/— new binary wiring the attestation gadget + IMA operator; self-excludes thesigwardnamespace;sigward.dev/exemptlabel.cmd/micromize/— no longer registers the attestation gadget or the IMA operator.charts/sigward/— new chart (keepsregistryAuthfor private SBOM pulls);charts/micromize/drops the now-unneeded registry-auth plumbing.Dockerfile(micromize, 4 gadgets) +Dockerfile.sigward;Makefilebuilds both binaries;release.ymlbuilds both images and all 5 gadgets.Validation
go build/vet/test,gofmt,addlicense— clean.helm linton both charts — clean.ig image build(incl.sigwardwith the shared header).Note
This supersedes the separate
micromize-dev/sigwardrepo and its PR #1, which can be closed/archived.