Description

Freshness of a feed is important to the end users to have guarantees on when it was last updated. Adding a field which tells you whenever the feed was last updated is good step in that direction.

Details

JSON: Add a field named "lastUpdatedAt", under the custom map of _kubernetes.io at the top of the feed (not part of each CVE item) with single value being ""

Markdown: Add a line explaining mentioning when the feed was last updated with a link to unix time to local timezone converter

Background

There are lot of places where images related to Kubernetes can be found:

1. Container image manifests and yamls: https://github.com/kubernetes/k8s.io/tree/main/k8s.gcr.io
2. Base Image exception list: https://github.com/kubernetes/sig-release/blob/master/release-engineering/baseimage-exception-list.md
3. SBOM: (Software Bill of Materials) @puerco: any pointers on how to parse the SBOM files and if they are a good source to get a list of images?
   • https://sbom.k8s.io/v1.22.0/release
   • https://sbom.k8s.io/v1.22.0/source

Goal

• Find out an authoritative source for list of container images under Kubernetes org (i.e. release, k8s.io, kubernetes) including but not limited to the above resources
• Filter the list to only point to the most recent image or in case of core k8s images most recent n, n-1 and n-2 release images
• Convert this into a JSON doc that can be consumed as input for container image scanner automation

xref: #3
/sig security release

Side note: This issue might be transferred to kubernetes-sigs/security when it is created

SIG-Docs has a New Contributor Ambassador program that seems like a wonderful way to welcome new people to the team. Should we do something similar?
What kinds of programs could we run?

Ref: https://kubernetes.slack.com/archives/C019LFTGNQ3/p1653483955189929

/assign @mtardy

While there are many checklists available, this could be a recommended checklist for ensuring security in Kubernetes clusters.

Overall guidance:

• Avoid 3rd party tools
• Avoid linking to documentation outside of K8s website (as it might not be maintained)
• If you identify a section that needs more documentation, please create an issue and tag sig-security.

Potential checklist sections:
Cluster level

• AuthN & AuthZ
• Network security - @Skybound1
• Pod security - @mtardy
• Pod placement - @Skybound1
• Secrets - @Skybound1
• Container & Image scanning - @p4ck3t0
• Enabling seccomp - @mtardy

Application/workload:

• Ingress/Network config
• RBAC

Creating this issue to document the periodic scanning process for container images . Please refer to this PR for the work done. kubernetes/test-infra#23419

Umbrella issue : #3

There is a similar doc created for build time dependencies also . Reference PR: #16

Description

To have the most recently announced CVE to be at the top of the field will allow everyone to know which was the most recent that they should be aware of. Currently, this is somewhat already happening with table being sorted based on column "Github Issue"

Details

JSON: No changes needed apart from #63

Markdown: Use the timestamp that depicts when the issue was "closed" i.e. from closed_at timestamp from Github REST API output: https://docs.github.com/en/rest/issues/issues#get-an-issue . Open to discuss if we want timestamp column named "Fixed On" visible or invisible in markdown

Please tell us a bit more about the topic
Copacetic (https://github.com/project-copacetic/copacetic) is a recently released open source tool to handle container patching based on vulnerability data obtained from a scanner (Trivy is currently supported). We'd like to share a little bit about the project and get some feedback from the community on the approach and features.

Note: Not a vendor pitch, there is no commercial offering associated with Copa.

Please share speaker details
Xander Grzywinski (GitHub: @salaxander / K8s Slack: @Xander)

If speaker is confirmed, please share speaker availability
Available for any of the upcoming SIG security tooling community meeting times

Explain the benefits to the community that this session provides
We're hoping that the communtiy will get the chance to try out a new tool in the ecosystem that will potentially make their workflows a little easier.

What

Create a Prow job that runs a Github query to create a JSON blob of CVE data and writes it to a GCB bucket

Why

We need a way where Hugo can fetch always the latest data about officially announced CVEs. Google Cloud bucket seems like a simpler way to host that data

How

• Example script that writes to GCB can be found here
• Example prow job that uses this script to write to a GCB bucket is here
• Overall docs for writing to bucket can be found here

Pre-requisites

• Need to request a bucket for which following information is needed. Example Issue: kubernetes/k8s.io#2570
• Google Group of Humans who will own this infra: https://github.com/kubernetes/k8s.io/blob/main/groups/sig-security/groups.yaml (Group description might need an update)
• Name of the bucket: k8s-cve-feed
• Service account name: k8s-cve-feed
  Note: The names here are suggestions, final naming convention is up to SIG k8s Infra

Related Info

• One example for reading from a bucket via HTML can be found here: https://github.com/kubernetes/test-infra/blob/f7e21a3c18f4f4bbc7ee170675ed53e4544a0632/maintenance/oncall.html
• Parent issue that this is part of #1

Discussion

Slack thread: https://kubernetes.slack.com/archives/C01CUSVMHPY/p1642720739011300

/sig testing k8s-infra security

This is a tracking issue and will be updated shortly

/assign @puerco @savitharaghunathan

Job run: https://storage.googleapis.com/kubernetes-jenkins/logs/ci-kubernetes-snyk-master/1643706990876168192/build-log.txt

/bin/bash: line 30: null: unbound variable

Fix needs to happen where TOTAL_COUNT variable is set as null when curl command returns this error:

{"message":"API rate limit exceeded for 98.37.153.210. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)","documentation_url":"https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting"}

We need to check if the variable is "null" and then fail the job if it is since that means we are unable to filter out vulnerabilities that we can.

Something like this would work (optional improvements for redundant code are welcome too):

                  if [ $TOTAL_COUNT == "null" ]; then
                      echo "Vulnerability filtering failed"
                      exit 1
                  else
                    if [[ $TOTAL_COUNT -eq 0 ]]; then
                      echo "Vulnerability filtering failed"
                      exit 1
                    fi
                  fi

/sig security testing k8s-infra
/kind bug

What?

Create the following set of directory structure:

k/sig-security:

• sig-security-docs:
  • Refactor this to here: https://github.com/kubernetes/community/blob/master/sig-security/sig-security-docs/OWNERS
• sig-security-external-audit:
  • Move all of this here: https://github.com/kubernetes/community/tree/master/sig-security/sig-security-external-audit
  • Move all of this here: https://github.com/kubernetes/community/tree/master/sig-security/security-audit-2019
  • Move all of this here: https://github.com/kubernetes/community/tree/master/sig-security/security-audit-2021
• sig-security-tooling:
  • Move this to here: https://github.com/kubernetes/community/blob/master/sig-security/sig-security-tooling/OWNERS

How?
This will need two set of PRs, one to remove stuff from k/community and one to add the same stuff to k/sig-security

Why do this?
This will unblock following PRs: kubernetes/community#6140 and kubernetes/community#5853. More importantly, it will allow allow sig-security artifacts to have a single landing page.

Anything else you would like to add @tabbysable @IanColdwater @reylejano @savitharaghunathan ?

/sig security
/kind cleanup
/label good first issue
/label help wanted

knative.dev/security-guard - a security-behavior tool added and currently developed in Knative. This tool is also applicable for more generic Kubernetes web service use cases and may later be extended for additional Kubernetes use cases.

Security Guard starts with the assumption that all microservices deployed are vulnerable (regardless if due to code vulnerability, malicious code, misconfiguration...). Under this assumption, Security Guard seeks to extend Kubernetes over time to help users manage their Kubernetes deployments. This is done by adding the ability to detect attempts to exploit microservices and adding the ability to detect exploited and misused microservices. Beyond detection, Kubernetes need to add the necessary controls and offer users the ability to manage both the detection and the controls.

We believe that under the assumption that all microservices are vulnerable, such capabilities need to be an integral part of Kubernetes and offered to all Kubernetes downstream projects. Further, the capabilities need to offer users a way to cope with the day-to-day cyber reality of running vulnerable microservices in a hostile environment with offenders seeking to exploit them.

Presenters:

• David Hadas - davidhadas - contact via #sig-security Chanel (David Hadas)

Optional presenters (waiting for confirmation that they will participate):

• Paul Schweigert - psschwei
• Dr.max - maximilien
• Michael Brown - mwbrown

I'd like to suggest doing this on the SIG Security Tooling timeslot, Nov 1st meeting
SIG Security Tooling meets every other week at 8:30 AM Pacific for 45 mins.

Hey folks,

as we just discussed in the sig-security meeting we are creating a Github issue to define the next steps.

Concretely we want to organize a public community CTF in Jeopardy style for the community, where the members of the CNCF should be involved and can help out with challenges or something similar. This issue should help to track the procedure.

Goal: Implement automated scanning capabilities that are tool agnostic for identifying vulnerabilities in Kubernetes related artifacts, followed by a documented private triage process to resolve the identified vulnerability, with a programmable way for Kubernetes users to consume this vulnerability information.

Background

Over the years, multiple different community members in Security Response Committee (formerly PSC), SIG Release, Architecture, Security, Auth have contributed to several standalone efforts related to vulnerability management for https://github.com/kubernetes/kubernetes. We have made tremendous progress but there are still some opportunities to improve :-)

Scope

This issue is created to act as a single place to find current state of the work, in progress and planned work that fall in the overall theme of vulnerability management of Kubernetes artifacts. In scope artifacts include but are not limited to build time dependencies and container images. Adding any missing issues or related work as a comment is encouraged :-)

Artifact Vulnerability Scanning

Build time Dependencies

• Implement automated scanning with prow and test-grid for k/k HEAD (main branch) (kubernetes/kubernetes#101528)
• Parsing improvements (kubernetes/test-infra#22756)
• Ensure scan fails when a vulnerability is found (kubernetes/test-infra#22833)
• kubernetes/test-infra#23112
• #95

Container Images

• #4
• Explore and identify scanners that can detect vulnerabilities in distroless++ images
• Explore using SBOM to programmatically get a list of images in each kubernetes release (kubernetes/release#2095)
• Implement automated scanning with prow and test-grid for k/k HEAD
• Ensure scan fails when a vulnerability is found

Ongoing Maintenance

• kubernetes/test-infra#27309
• kubernetes/test-infra#26777
• kubernetes/test-infra#24857
• kubernetes/test-infra#24446

Triage Policy Definition and Implementation

• Solicit feedback from SRC and SIG Security Co-chairs for Triage and Resolution policy (kubernetes/community#5853)
• Create a new group for private triage (kubernetes/k8s.io#2342)
• Drive an end to end triage for an identified vulnerability to resolution
• Update the triage and resolution policy based on end to end experience
• #1
• Define and Measure mean time to triage, false positive rate for each identified vulnerability
• Create a rotating triage role for taking action on identified vulnerability

Related Issues and PRs

• Original issue to track kubernetes build time dependencies: kubernetes/community#2992
• CVE RSS feed broken: kubernetes/website#29142
• Request for base image patching: kubernetes/release#1833
• Examples of CVE fixes:
  • Build time dependency bumps: kubernetes/kubernetes#117094
  • Debian base image bumps: kubernetes/kubernetes#102302
  • Distroless base image bumps: kubernetes/kubernetes#100566
  • Build time dependency bumps: kubernetes/kubernetes#100401
• CNCF TAG Security discussion: cncf/tag-security#170

/sig security release architecture auth
/area config testing code-organization dependency release-eng release-eng/security
/committee product-security
/kind feature

Goal: Define, execute and improve on a community driven security assessment process for kubernetes sub-projects, which is self-service and welcomes beginners without prior security background to engage and contribute

Background

CNCF TAG Security has a well established process for project maintainers to engage them in a security review process. However, typically the scope is limited to CNCF projects not sub-projects of graduated projects like Kubernetes. In case of Kubernetes, SIG Security is taking up this responsibility to work within the project community through self-assessments as a partnership between maintainers and SIG Security Members

Scope

• Identify first project as a pilot for this process (Cluster API): #40
• Create a draft template for self-assessment and gather feedback (Self-Assessment Template)
• Publish draft template after incorporating feedback, in markdown under kubernetes/sig-security
• Publish a task list that covers the entire security assessment process (channel creation, identifying contributors, presenting and resolving findings, etc.): https://github.com/kubernetes/sig-security/blob/main/sig-security-assessments/Documentation/recipe-book.md
• Create label area/security-assessment to allow filtering of these requests (kubernetes/test-infra#23070)
• Create a Github Issue Template to allow anyone to request a security assessment for a sub-project (kubernetes/community#5922)
• Perform retrospective on the process and identify improvements after every assessment: cncf/tag-security#957

Related Issues

Cluster API pilot discussion: cncf/tag-security#603
Cluster API tracker: https://github.com/kubernetes/community/issues/5814
Admission controller: cncf/tag-security#731

/assign @PushkarJ
cc @rficcaglia @reylejano @savitharaghunathan @kubernetes/sig-security-leads
/sig security

As with all repos, a .gitignore file helps with ensuring unneeded files are not accidentally added under git version control. We need one for k/sig-security repo that may look something like this at the root of the repo.

# OSX leaves these everywhere on SMB shares
._*

# OSX trash
.DS_Store

# Eclipse files
.classpath
.project
.settings/**

# Files generated by JetBrains IDEs, e.g. IntelliJ IDEA
.idea/
*.iml

# Vscode files
.vscode

# Emacs save files
*~
\#*\#
.\#*

# Vim-related files
[._]*.s[a-w][a-z]
[._]s[a-w][a-z]
*.un~
Session.vim
.netrwhist

# User cluster configs
.kubeconfig

Example for a .gitignore file on k/k repo: https://github.com/kubernetes/kubernetes/blob/master/.gitignore

/sig security
/help-wanted
/good-first-issue

Following on from discussion at the last SIG-Security Docs meeting, there's an idea to have a Kubernetes RBAC best practices page. Covering topics like general good practices and also rights which could present a risk of privilege escalation.

In terms of location on the k/website , one idea was to place it under the security concepts page.

Working draft is on HackMD at https://hackmd.io/Tkr1H6dfR1Gu3jcczbCmlw .

cc @savitharaghunathan @reylejano

/sig security docs

Description

We have had multiple learning sessions over the last 10 months or so. It's time to allow a more organized way to propose a learning session that a community member wants to give.

Caveat: No vendor pitches, no sales meetings. This will be only for topics related to kubernetes, security and community projects that are open source

/sig security
/kind cleanup

Description

We want to maintain an index.xml equivalent of https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json
so folks can subscribe to the auto-refreshing CVE feed when a new CVE comes up.

Details

We can use the kubernetes blog RSS feed to get started as an example:

• Feed: kubernetes.io/feed.xml
• Code: https://github.com/kubernetes/website/blob/main/layouts/index.rss.xml

The CVE feed items can be iterated similar to how it is done for index.json

Hugo RSS generator: https://gohugo.io/templates/rss/

Testing / Validation

https://validator.w3.org/feed/#validate_by_input

As per the email sent to kubernetes-dev[1], please create a SECURITY_CONTACTS
file.

The template for the file can be found in the kubernetes-template repository[2].
A description for the file is in the steering-committee docs[3], you might need
to search that page for "Security Contacts".

Please feel free to ping me on the PR when you make it, otherwise I will see when
you close this issue. :)

Thanks so much, let me know if you have any questions.

(This issue was generated from a tool, apologies for any weirdness.)

[1] https://groups.google.com/forum/#!topic/kubernetes-dev/codeiIoQ6QE
[2] https://github.com/kubernetes/kubernetes-template-project/blob/master/SECURITY_CONTACTS
[3] https://github.com/kubernetes/community/blob/master/committee-steering/governance/sig-governance-template-short.md

Hey @PushkarJ I saw that this repository is new and soon it will be populated with directory structure #9. I would like to add proper Repository README.md and PR template (.github) for better contribution.

Any advice for README.md or addition of any other things would be really helpful.

What

This issue describes how to achieve that by creating a prow job that automates PR creation to k/website when a new CVE is announced

Why

As part of #1 , we need an automation to update k/website page that will host the list of known CVEs.

We will be borrowing heavily from prow autobumper tool

How

The flow will look something like this:

• Prow job creates JSON blob based on the information found using github label /official-cve-feed
• It compares the new generated JSON blob with existing JSON blob on k/website page
• Possible location to host the JSON blob: examples/security)
• If generated JSON blob is different, than existing JSON blob (including blob does not exist), a new PR is created to update that JSON blob
• Example Prow job could be something like this: https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes/test-infra/test-infra-trusted.yaml#L604-L677
• Skip-Review label and on-call options in the example job are worth exploring to reduce / bypass approver and reviewer availability

Open items

• Explore the autobumper tool and come up with a shell script or simple go program that will submit a PR via this mechanism
• skip-review is only used supported for kubernetes/test-infra repo. Check if it would make sense to add this label to k/website as well OR move JSON doc under kubernetes/test-infra

Discussion

Slack thread: https://kubernetes.slack.com/archives/C01CUSVMHPY/p1642720739011300

/sig security testing

This is to consolidate info and inform all the interested folks regarding discussions around security assessment of cluster-api sub-project.

This is our first attempt as a community where a Security SIG will perform a security assessment of a sub-project of a graduated CNCF project. So we expect to make slow but reasonable progress and will be open for feedback on how we can improve for the benefit of others who will follow us.

The first step of a (community driven) security assessment of a project is a self-assessment of the project. Although, this is typical done by the project maintainers, some of us in #sig-security would be happy to take a first crack at filling out the outline template provided by CNCF TAG-Security.

Currently the volunteers are educating themselves on cluster-api docs and presentations and will coordinate with maintainers (who understandably are very busy but are engaged).

Related items:

kubernetes/community#5792

cncf/tag-security#603

https://groups.google.com/g/kubernetes-sig-cluster-lifecycle/c/Fi0UGzfbQfY

What?

Could be as simple as Todo, In-progress and Done

How?
Actually do not have a good idea, but somebody has done this before for a small, medium or large project, would love to see them pick this up.

One good example: https://github.com/kubernetes/website/projects/11

Why?

To have co-chairs and sub-project leads + contributors to have one place to find out what is going on in sig-security

/kind design
/sig security
/help
/good-first-issue

Based on a suggestion from @JimBugwadia on slack an idea for a good page on the Kubernetes website would be to collate configurations or privileges which could allow a malicious user or attacker to bypass the API server. As many key security controls (e.g. Auditing and admission control) are handled at the API server layer, attacks which bypass it can present a serious risk to cluster security.

Some examples :-

• node/proxy rights at the cluster level can allow users to directly communicate with the kubelet API, bypassing the API server.
• To an extent users being able to create static pods bypasses some API server controls
• Direct access to the etcd database will effectively allow attackers to retrieve things like secrets without that access being visible in API server audit logs.

/sig security docs

This is a Feature Request

-

What would you like to be added

https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json

• Add lastUpdateTime timestamp field in the root.
• Add timestamp field to CVE entry

Why is this needed

In the current response, there is no lastUpdateTime field. So it's challenging to distinguish when the CVE Feed is actually updated or it's already up-to-date.

I think timestamp field is also necessary to indicate when the CVE is added to the feed. There could be a time-window between CVE discover time versus CVE added to feed time.

Alternative Solution:

Use RSS 2.0 standard instead for better scaling for further requirement needs.

Comments
-

cc @developer-guy

Is this a Kubernetes sub-project?

Yes

Please tell us a bit about your sub-project

vSphere CSI driver is a volume plug-in that runs in a native Kubernetes cluster deployed in vSphere and is responsible for provisioning persistent volumes on vSphere storage.
Repo: https://github.com/kubernetes-sigs/vsphere-csi-driver

Do you have a preferred timeline for completing the security assessment?

Please share any additional or alternate points of contact for this request
@divyenpatel

cc @PushkarJ

Please tell us a bit more about the topic

bpfd is a relatively new open-source project which provides a system daemon aimed at simplifying the deployment and management of eBPF programs. Its goal is to enhance the developer experience as well as provide features to improve security, visibility, and program cooperation. bpfd includes a Kubernetes operator to bring those same features to Kubernetes, allowing users to safely deploy eBPF via custom resources across nodes in a cluster.

Please share speaker details

Andre Fredette is a software engineer on the networking team in the Office of the CTO at Red Hat. He is also a maintainer for the bpfd project.

github: anfredette
k8s slack: Andre Fredette

If speaker is confirmed, please share speaker availability

We’d like to present during one of the regular SIG Security Tooling meetings after 6/16/23. 6/21/23 would be great.

Explain the benefits to the community that this session provides

eBPF is a powerful tool that can be used for many purposes including networking, monitoring, tracing, and security. Because of this, Kubernetes applications that use eBPF are proliferating. However, eBPF also poses security risks because applications using eBPF require increased permission levels including at least CAP_BPF.

We believe that the SIG Security community would benefit from learning about bpfd because it will both facilitate the development of security-related applications as well as help mitigate the security risks when eBPF applications are used in a Kubernetes environment.

Please check out the bpfd website (bpfd.dev) if you want to learn more.

Action item from https://github.com/kubernetes/website/pull/29791/files#r715134850

Can SIG Security recommend a good sample / baseline alert events that we use in all examples moving forward?

/sig security docs
/kind feature

What would you like to be added

As part of SIG-Security-Docs, we've been discussing the creation of a hardening guide for Kubernetes. We've got an initial document for the guide's creation here https://docs.google.com/document/d/1teb42X_c5_k8PNOSEEEbVnEr9aVAwWJXezBuf5fdmZU/edit

Why is this needed

The goal of the hardening guide is to provide guidance to cluster operators about how they can improve the security of their clusters. This will be done by discussing the major areas of security relating to a Kubernetes cluster, looking at the options available for hardening and the trade-offs inherent in them. In contrast to existing 3rd party documentation in this area (the CIS benchmark) which is a prescriptive audit style document, this guide should provide a more discursive approach.

** Table of Areas**

cc @savitharaghunathan @sftim

This came up on the API Server bypass page discussions and also in a slack thread that there's some fuzziness about what exactly the risks of hostPath volumes are, and how easy it would be to break out in various scenarios.

It'd be a nice page to have to bottom out this risk and provide some guidance for cluster operators on where it's more/less safe to use hostPath volumes.

This is a Feature Request
No

What would you like to be added
Use other datasource for CVEs because the actual don't show info about rejected or reserved CVEs.

Why is this needed
This info generated in official-cve-feed is broken

Example: https://www.cvedetails.com/cve-details.php?cve_id=CVE-2022-3172

Alternative Solution:

Use CVE Org instead for better details.

Example: https://www.cve.org/cverecord?id=CVE-2022-3172

Mirror README.md from - https://github.com/kubernetes/community/tree/master/sig-security

/good-first-issue

Related to kubernetes/enhancements#3203

Create a periodic prow job to query GitHub API for new CVEs announced (every 5 minutes).
If new CVE announced, push the new content tok/sig-security/sig-security-tooling/feeds/official-cve-feed.json

This prow job will call the shell/golang/python script to query the github apis and populate the json with the below data.

The sample json format will be as :-

[
        {
            "cve_id": "CVE-2021-25741",
            "cve_url": "https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2021-25741",
            "number": "104980",
            "summary": "Symlink Exchange Can Allow Host Filesystem Access",
            "issue_url": "https://github.com/kubernetes/kubernetes/issues/104980",
            "google_group_url": "https://groups.google.com/g/kubernetes-announce/search?q=CVE-2021-25741"
        },
        {
            "cve_id": "CVE-2020-8565",
            "cve_url": "https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2020-8565",
            "number": "95623",
            "summary": "Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9",
            "issue_url": "https://github.com/kubernetes/kubernetes/issues/95623",
            "google_group_url": "https://groups.google.com/g/kubernetes-announce/search?q=CVE-2020-8565"
        }
]

As per the email sent to kubernetes-dev[1], please create a SECURITY_CONTACTS
file.

The template for the file can be found in the kubernetes-template repository[2].
A description for the file is in the steering-committee docs[3], you might need
to search that page for "Security Contacts".

Please feel free to ping me on the PR when you make it, otherwise I will see when
you close this issue. :)

Thanks so much, let me know if you have any questions.

(This issue was generated from a tool, apologies for any weirdness.)

[1] https://groups.google.com/forum/#!topic/kubernetes-dev/codeiIoQ6QE
[2] https://github.com/kubernetes/kubernetes-template-project/blob/master/SECURITY_CONTACTS
[3] https://github.com/kubernetes/community/blob/master/committee-steering/governance/sig-governance-template-short.md

Description

Write a blog post as pre-cursor to publication of third party security of audit 2021/22 that describes the current state of findings from the audit of 2019

Motivation

As we prepare for #13 it is useful, to take a look back current state of Third Party Security audit of 2019. This issue attempted to keep track of status of findings reported kubernetes/kubernetes#81146 . The blog post will attempt to dive deeper into this and become a point in time summary of the current state of the findings reported from 2019.

This will help folks gain confidence through transparent communication of work done by community to address the findings and bubble up any findings that need help from community contributors

/cc @reylejano
/sig security docs
/area security blog
/wg security-audit

Please tell us a bit more about the topic
Following the CNCF Sandbox Inclusion Meeting feedback, we would like to share with you an overview of why, what, and how Trousseau addresses the Secret Management using the Kubernetes KMS provider plugin constructs.
This session will be a walkthrough demo about the design, current status, roadmap and getting the SIG Security advice to nurture the Trousseau project.

Please share speaker details

@romdalf

If speaker is confirmed, please share speaker availability

The SIG Security Tooling time slot at 8.30AM PDT is perfect.
Just confirm the date.

Explain the benefits to the community that this session provides

The community will gain awareness on the benefit from such open source tool that bridges the native Kubernetes Secret Management (or any resources with sensitive data like a ConfMap) and the usage of one or multiple external KMS provider(s) while keeping the data locally within the cluster in etcd.
This session will also expose our vision about the next steps about the KMS provider pluging support from both the Kubernetes and Trousseau perspectives.

Please tell us a bit more about the topic

kubeaudit is an open-source cli (and library) maintained by Shopify which helps with securing Kubernetes. We would like to demo kubeaudit and discuss the feasibility of donating it to CNCF as a k8s sub-project.

Please share speaker details

@genevieveluyt and @dani-santos-code

If speaker is confirmed, please share speaker availability

We are hoping to present on July 19.

Explain the benefits to the community that this session provides

The community would benefit from learning about kubeaudit as a tool to secure their Kubernetes workloads!

As we learnt from kubernetes/test-infra#26896 (comment) it is possible for prow to pick up shell scripts outside of k/test-infra.

Moving the script that is present here: https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml#L29-L87 into a dedicated shell script with name build-deps-and-release-images.sh under k/sig-security/sig-security-tooling/scanning would be great for faster iteration and approvals and reviews can be managed within SIG Security members.

/sig security
/good-first-issue
/help

Description

• Create a markdown table that lists all the learning sesions here: https://www.youtube.com/playlist?list=PLrQN4xC6U5D9I0LGJxZuXbfvi1qwPqcim to celebrate past presenters and encourage new speakers!

• Please note some of these are working session and some are learning sessions. For more context, refer the meeting minutes page: https://docs.google.com/document/d/1_Rn7S8UPMtXdu6EDl4_L2Ogb433z7hlxPs7El8TfNNg/edit

• The markdown file learning-sessions.md can exist under this directory https://github.com/kubernetes/sig-security/tree/main/sig-security-tooling

Pre-requisites

Somebody working on this would need:

• Basic markdown skills or desire to learn them
• Become a member of https://groups.google.com/g/kubernetes-sig-security to access the meeting minutes

Format

/sig security
/kind cleanup

The Policy WG has drafted a paper on Kubernetes GRC:

https://docs.google.com/document/d/1pWFBfMloSgupjJBcyq45qg9UHkaPjfAyUQHgmBdTqgQ/edit

This issues is to track the migration to markdown. This is WIP at:

https://github.com/JimBugwadia/sig-security/blob/policy_grc_paper/sig-security-docs/papers/policy_grc/kubernetes-grc.md

Pending Tasks:

• add links
• add diagrams
• add reviewer affiliations

With growing number of eyes on Kubernetes, the number of CVEs related to Kubernetes have increased. Although most CVEs are regularly fixed that directly or indirectly or transitively impact Kubernetes, there is no single place to programmatically subscribe or pull the data of fixed CVEs, for the end users of Kubernetes.

Current State of the Art

All these options are broken or incomplete:

1. RSS feed with google groups is broken: kubernetes/website#29142
2. CVEDetails website seems to have incomplete data, with missing CVEs from 2021 and no mention of CVEs in base image or build time deps.
3. This page: https://kubernetes.io/docs/reference/issues-security/issues/ links to a Github issue filter for CVE related fixes but is a broad search term

Metadata

• Issue: kubernetes/enhancements#3203

Pre-requisites

• kubernetes/test-infra#23428
• Search and Identify closed issues that have a CVE ID e.g. CVE-1001-12345 in the issue description or summary (This search filter is giving the most accurate data so far)
• Label those issues with official-cve-feed using https://docs.github.com/en/rest/reference/issues REST API
• kubernetes/committee-security-response#133

Implementation Details

https://github.com/kubernetes/enhancements/tree/master/keps/sig-security/3203-auto-refreshing-official-cve-feed

TestGrid for GCS Bucket is available here: https://testgrid.k8s.io/sig-security-cve-feed#auto-refreshing-official-cve-feed

Optional: Trigger k/website rebuild using netlify build-hook

Beta to GA Graduation Scope

• kubernetes/org#4873
• kubernetes/kubernetes#123964
• kubernetes/website#45576
• kubernetes/website#43968
• kubernetes/website#44074
• #98

Feedback received but that requires more engagement and participation

• Support similar feeds for all CNCF projects

Related Discussions

• kubernetes/committee-security-response#57
• kubernetes/kubernetes#89130
• Slack thread: https://kubernetes.slack.com/archives/C8P1DRTJA/p1632909102076400

cc @sftim @tallclair @kubernetes/sig-security-leads @raesene

/committee product-security
/sig security docs release

Related to kubernetes/enhancements#3203

1. We need a directory under which the JSON blob exists: k/sig-security/sig-security-tooling/feeds/official-cve-feed.json
2. Create an OWNERS file
   made of aliases.

• The OWNERS file can include SRC alias security-response-committee and
• A new alias for sig-security-tooling-leads

Note: sig-security-tooling-leads alias will allow manual modification and rotation for members. It will need to be added here: https://github.com/kubernetes/sig-security/blob/main/OWNERS_ALIASES. For now add @nehaLohia27 and @PushkarJ under this alias.

/help-wanted
/good-first-issue
/sig security

Rory McCune is working on a threat model for K8s admission control.
For now, creating this tracking issue. More details will be updated soon.

cc: @raesene

/sig security docs

Tracking issue for the Kubernetes third-party security audit for 2021:

• Create RFP
  • Audit scope
  • Finalize dates: RFP opening and closing dates, question period, vendor selection
  • Complete question period and publish questions & replies to RFP
• Vendor assessment
  • Assemble vendor assessment group
  • Create private Google group
• Release vendor selection
• Publish findings

/sig security
/label external-audit

What?

Once this refactoring issue is closed: #9, we need to find markdown entries in https://github.com/kubernetes/community/tree/master/sig-security and https://github.com/kubernetes/sig-security that have broken links and change them to correct entries

How?

This will need two PRs:

• Clone k/community, open a code editor, search for "https://github.com/kubernetes/community/tree/master/sig-security" recursively from parent directory. Find the the new place for the link in k/sig-security and replace the link with the new location.
• Clone k/sig-security, open a code editor, search for "https://github.com/kubernetes/community/tree/master/sig-security" recursively from parent directory. Find the the new place for the link in k/sig-security and replace the link with the new location.

Why?

Better new contributor experience, readability and the feeling of all links just work!

/sig security
/kind cleanup
/help
/good-first-issue

Description

Freshness of a feed is dependent on successful scheduled prow job runs. Adding a link to job in the "json" feed and the markdown description, allows folks to look at the prow job to ensure that prow job has been running successfully as recent as few hours ago.

Details

Add a field named "prow job", under the custom map of _kubernetes.io at the top of the feed (not part of each CVE item) with single value being "https://testgrid.k8s.io/sig-security-cve-feed#auto-refreshing-official-cve-feed"

Please tell us a bit more about the topic
We would like to demo and get feedback on an open source project we've been working on to cleanup stale and vulnerable images on Kubernetes clusters -> https://github.com/Azure/eraser

Please share speaker details
@salaxander - available to present at the 6/30 or 7/14 meetings

Explain the benefits to the community that this session provides
The community could hopefully benefit from the project, I've spoken to a lot of folks that have struggled with the problem this project aims to solve. We're also very interested in moving the project out of the Azure org to support more openness.

Please tell us a bit more about the topic

I would love to present Tetragon to people at SIG security tooling! It's an eBPF-based Security Observability and Runtime Enforcement software. In brief, it allows for process lifecycle observability by default and you can extend its capabilities by writing Kubernetes CRD in YAML (called TracingPolicy) that will be translated to eBPF programs to perform customized observability and enforcement.

I'm not exactly sure from which angle we want to present but I have some ideas :)!

Please share speaker details

Partially unsure.
I think I will present but would love to have someone from the Tetragon team with me.

If speaker is confirmed, please share speaker availability

The next challenge will be to find a nice timeslot for the learning session!

Explain the benefits to the community that this session provides

The community would benefit from learning about this new open-source tool that solves security observability and enforcement problem. People are starting to realize that a lot of their security needs can be addressed with eBPF-powered software, but may not know how to get started. Introducing attendees to Tetragon and its TracingPolicy gives them an opportunity to get a bit familiar with eBPF security coming straight from the kernel through things they already know like Kubernetes custom resources. In addition, it will introduce them to some kernel concepts that they will need to understand for security, like syscalls, tracepoints, kprobes, etc, and how to leverage them in the context of Kubernetes clusters.

See you SIG security people!! 👋