Comments (17)
PushkarJ
commented on September 26, 2024
2
@rficcaglia regarding WG creation, our co-chair @tabbysable PoV is here, which I tend to agree with.
TL;DR this seems like a lower intensity effort that would not require a WG
from sig-security.
tabbysable
commented on September 26, 2024
2
For the record: this is wonderful, huge thanks to everyone involved.
from sig-security.
PushkarJ
commented on September 26, 2024
2
Just wanted to leave some updates here for folks who stumble upon this and are wondering what's the current status:
- The group collaborates and meets regularly on sig-security-assess-capi
- The scope is limited to Cluster API AWS provider focussing on two flows: workload control plane node creation and workload control plane node worker node creation
- We conducted data flow diagram exercises across several different meetings in the past few months on these flows
- The data flows along with identified threats are being discussed at the time of writing this update
- We expect that the outcome of the discussion would be a list of Github issues that will enable us to address any identified threats in Cluster API
/assign @rficcaglia @PushkarJ
/sig cluster-lifecycle security
from sig-security.
rficcaglia
commented on September 26, 2024
EDIT: I guess I messed up the labels so re-commented below.
maybe we should/need to create a wg? @tabbysable @reylejano @PushkarJ ?
from sig-security.
k8s-ci-robot
commented on September 26, 2024
@rficcaglia: The label(s) sig/sig-security, sig/cluster-api cannot be applied, because the repository doesn't have them.
In response to this:
/sig sig-security
/sig cluster-apimaybe we should/need to create a wg? @tabbysable @reylejano @PushkarJ ?
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
from sig-security.
rficcaglia
commented on September 26, 2024
/sig security
from sig-security.
reylejano
commented on September 26, 2024
Related issue in cluster-api repo kubernetes-sigs/cluster-api#4446
from sig-security.
neolit123
commented on September 26, 2024
maybe we should/need to create a wg?
WGs have a contract with Kubernetes Steering and require a community page, Zoom call slots, Slack channels and yearly status reports. my vote would be to not create WGs for subproject security audits, but if people insist it can be done.
from sig-security.
PushkarJ
commented on September 26, 2024
/sig cluster-lifecycle
from sig-security.
rficcaglia
commented on September 26, 2024
here's my first pass at the self-assessment outline structure, ie not the CAPI details themselves but the high level parts to be filled in (including a place for someone to fill in the CAPI-specific features and controls). this is meant to be both for CAPI and serve as a template for future subproject use.
https://docs.google.com/document/d/1Fj_cLUN9kLruHbEgmYiEgoqZjf2rRuVOmQDGOKByaf4/edit?usp=sharing
from sig-security.
k8s-triage-robot
commented on September 26, 2024
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue or PR as fresh with
/remove-lifecycle stale - Mark this issue or PR as rotten with
/lifecycle rotten - Close this issue or PR with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
from sig-security.
PushkarJ
commented on September 26, 2024
/remove-lifecycle stale
/transfer sig-security
from sig-security.
k8s-triage-robot
commented on September 26, 2024
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue or PR as fresh with
/remove-lifecycle stale - Mark this issue or PR as rotten with
/lifecycle rotten - Close this issue or PR with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
from sig-security.
PushkarJ
commented on September 26, 2024
/remove-lifecycle stale
from sig-security.
PushkarJ
commented on September 26, 2024
/retitle Cluster-API Security Self-Assessment Initiative
from sig-security.
PushkarJ
commented on September 26, 2024
So far as a follow up on the security assessment, the following issues have been created:
from sig-security.
PushkarJ
commented on September 26, 2024
Project tracker to manage completion of identified issues can be found here: https://github.com/orgs/kubernetes/projects/83/views/1
from sig-security.
Related Issues (20)
- [govulncheck] Periodic Prow Job for `govulncheck` HOT 12
- Kubernetes Third-Party Security Audit for 2024 (tracking issue) HOT 8
- Add Eric Smalling as "Reviewer" for vuln-mgmt sub-directory HOT 2
- Security Checklist for Applications from a developer perespective HOT 4
- Public Community CTF at CNCF/Kube CON EU 2023 AMSTERDAM HOT 4
- CVE Feed: Add Prow job link as a metadata field HOT 6
- CVE Feed: Add `lastUpdatedAt` as a metadata field HOT 4
- CVE Feed: Sort Markdown Table from most recent to least recently announced CVE HOT 5
- DISCUSSION: How can we improve the new contributor experience? HOT 6
- Support RSS feeds by generating data in Atom format HOT 4
- REQUEST: Request a Learning session for Copa HOT 7
- Bug: Unbound variable in vulnerability scanning script HOT 7
- REQUEST: Request a Learning session for Tetragon HOT 19
- REQUEST: Request a Learning session on bpfd HOT 10
- Kubernetes Policy-Based Governance, Risk, and Compliance paper HOT 3
- Scan `kubernetes/kubernetes` with `govulncheck` HOT 5
- Link not working - Under contact section in README.md HOT 3
- Include open issues in official CVE feed HOT 4
- Publish CVE issue status in JSON CVE feed HOT 14
- [govulncheck] Pre-submit Prow Job for `govulncheck` HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sig-security.