Cloud Native Security Slam - Kubernetes Lightning Round


Adolfo Veytia

Nov 28, 2023, 10:35:04 AM
to d...@kubernetes.io

Dear Kubernetes Community:


During December, SIG Release together with CNCF will be conducting a Kubernetes version of the recent Cloud Native Security Slam[1]. This is a program to incentivize projects to improve the security of their release processes while bringing in new contributors who want to start contributing to the project.


The TLDR is:


  • Interested individuals sign up in a form we've set up for the project.

  • The Release Engineering team will lay out several tasks (with instructions) to help projects improve their release security posture.

  • Interested projects need to opt in to receive help; the only hard requirement from project maintainers is to commit to reviewing and approving the PRs from contributors participating in the Slam before the end of the year.

  • Finally, contributors who completed the task(s) during the slam (and get it merged before the end of the year) receive a prize from CNCF!


The idea of the Cloud Native Security Slam: Kubernetes Lightning Round is to improve the security posture of the Kubernetes projects with the least possible burden to maintainers, all while spreading the use of SIG Release's release tooling.


Which Projects are Eligible?


Any project under the Kubernetes organization that builds and releases artifacts (container images, binaries, tarballs, etc.) can opt in to receive help to make its releases more secure!

Interested? If you are a maintainer, just reply to sign up! 


Full Mechanics


Starting at KubeCon, CNCF prepared a form for contributors to sign up to participate. We are building up the list!


At this time, SIG Release / RelEng is building a set of security tasks, all with step-by-step instructions for contributors to follow. The tasks we are thinking about include generating SBOMs, signing artifacts, automating releases, releasing images via the community infrastructure, etc. (These are just examples, not all may be in the final list).


Our current plan is to hold a webinar with contributors who signed up on December 9th. Before that date, we will match available contributors to the projects that signed up. We know that there may not be enough projects, or we may not get enough contributors, but that's OK! If we are successful, we can do another Slam sometime next year!


During the webinar, contributors will work to file their pull requests before EOD. SIG Release will guide them on their PRs, answering questions and offering help to verify the correct use of the tools, etc.

The only commitment that we require from project maintainers is that they complete the final review and approval of pull requests created by Slam participants in time. You may also provide input during the event if you wish. To earn credit, pull requests must be merged before the end of the year. Therefore, we will require participants (in conjunction with project maintainers) to have their work merged at least one week before the end of the year.

To show interest in signing up as a project, please reply to this email directly to me (pue...@chainguard.dev) and we can discuss the next steps.


Questions and Answers


I have other areas of my project that need help, can I sign up to get help there?

Dear maintainer: Provided that a) it is a security-related improvement and b) you are willing to closely guide contributors to fix them, you can sign up to get help on specific areas. Keep in mind that most volunteers will be new to the project and, while talented, they may need some hand-holding.


Can I sign up other projects from the CNCF landscape?

Not at this time, only projects under the Kubernetes organization are eligible (projects in `kubernetes/*` and `kubernetes-sigs/*`). 


[1]: https://community.cncf.io/cloud-native-security-slam/

