Comments (17)
@rficcaglia regarding WG creation, our co-chair @tabbysable's PoV is here, which I tend to agree with.
TL;DR this seems like a lower intensity effort that would not require a WG
from sig-security.
For the record: this is wonderful, huge thanks to everyone involved.
Just wanted to leave some updates here for folks who stumble upon this and are wondering what's the current status:
- The group collaborates and meets regularly on sig-security-assess-capi
- The scope is limited to the Cluster API AWS provider, focusing on two flows: workload control plane node creation and workload control plane node worker node creation
- We conducted data flow diagram exercises across several different meetings in the past few months on these flows
- The data flows along with identified threats are being discussed at the time of writing this update
- We expect that the outcome of the discussion will be a list of GitHub issues that will enable us to address any identified threats in Cluster API
/assign @rficcaglia @PushkarJ
/sig cluster-lifecycle security
EDIT: I guess I messed up the labels so re-commented below.
maybe we should/need to create a wg? @tabbysable @reylejano @PushkarJ ?
@rficcaglia: The label(s) sig/sig-security, sig/cluster-api
cannot be applied, because the repository doesn't have them.
In response to this:
/sig sig-security
/sig cluster-api
maybe we should/need to create a wg? @tabbysable @reylejano @PushkarJ ?
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/sig security
Related issue in cluster-api repo kubernetes-sigs/cluster-api#4446
maybe we should/need to create a wg?
WGs have a contract with Kubernetes Steering and require a community page, Zoom call slots, Slack channels and yearly status reports. My vote would be to not create WGs for subproject security audits, but if people insist it can be done.
/sig cluster-lifecycle
Here's my first pass at the self-assessment outline structure, i.e. not the CAPI details themselves but the high-level parts to be filled in (including a place for someone to fill in the CAPI-specific features and controls). This is meant to be both for CAPI and to serve as a template for future subproject use.
https://docs.google.com/document/d/1Fj_cLUN9kLruHbEgmYiEgoqZjf2rRuVOmQDGOKByaf4/edit?usp=sharing
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle stale
- Mark this issue or PR as rotten with /lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/transfer sig-security
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle stale
- Mark this issue or PR as rotten with /lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/retitle Cluster-API Security Self-Assessment Initiative
So far, as a follow-up on the security assessment, the following issues have been created:
Project tracker to manage completion of identified issues can be found here: https://github.com/orgs/kubernetes/projects/83/views/1