CIS Security Benchmark for Kubernetes project kick-off


Pravin Goyal

Feb 1, 2017, 5:41:44 PM2/1/17
to kubernetes-sig-auth

Hi All,

I am pleased to announce that the CIS Security Benchmark for Kubernetes 1.5 project is now ready for developing security recommendations for Kubernetes. The project is targeted towards Kubernetes 1.5.2 running on CentOS 7 and CoreOS. The estimated timeline for completion is 16 weeks.


The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. The Security Benchmarks program is recognized as a trusted and independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of the reputation, these benchmarks are recommended as industry-accepted system hardening standards and are used by organizations in meeting various compliance requirements such as PCI and HIPAA.


To sign up, follow the steps below:

  1. Go to https://workbench.cisecurity.org/, register your account and validate your email address.
  2. Send the email address you registered with to me. I will get it approved on priority by the CIS account moderators. Also, let me know if you would like to sign up as an author or a contributor to the benchmark.
  3. Once your account is approved, log in to your account on the above URL.
  4. On the top header, click on the Communities drop-down and then click on See All Communities.
  5. In the search box, type Kub and click on the Search button.
  6. On the CIS Kubernetes Benchmarks search result, click on the Join button.
  7. That’s it. You are now ready to contribute to the benchmark.


See you all there! For any questions, please let me know.


Thanks and regards,

Pravin Goyal

Adam Heczko

Feb 2, 2017, 3:23:11 AM2/2/17
to Pravin Goyal, kubernetes-sig-auth
Hi Pravin, thank you for starting this effort, much appreciated!
However, I have a kind request not to exclude *.deb based OSes from the Kubernetes CIS benchmark.
AFAIK Ubuntu is the most popular operating system running OpenStack clouds [1], slide 45.
And there is increasing interest in running Kubernetes side-by-side with OpenStack or OpenStack on Kubernetes.
Kargo, the Kubernetes bare metal deployment tool, is primarily tested on Ubuntu [2].


Thanks,

Adam.




--
Adam Heczko
Security Engineer @ Mirantis Inc.

mani.ko...@gmail.com

Mar 1, 2017, 7:41:57 PM3/1/17
to kubernetes-sig-auth
Hey CIS Mods,

I registered on the link but I'm not sure why it does not send me an email to validate my address (it's not in the spam either). I am registered with "mkon...@andrew.cmu.edu".

Hey Pravin,

Good initiative. Hope to collaborate soon :)

John Morello

Mar 10, 2017, 11:04:47 AM3/10/17
to kubernetes-sig-auth
Hey Pravin-
I registered on the workbench site and validated my email.  I'd like to sign up as a contributor to the work.

di...@twistlock.com

Mar 13, 2017, 10:58:41 AM3/13/17
to kubernetes-sig-auth
Hi Pravin,

I've just registered and I'd like to be added as a contributor. My email is: di...@twistlock.com

Thanks

Mani

Apr 4, 2017, 5:06:08 PM4/4/17
to kubernetes-sig-auth
Hi CIS Mods / Pravin,

I am still having trouble getting access. Can someone assist me? (I am registered with mkon...@andrew.cmu.edu)


Mani

Apr 4, 2017, 5:16:36 PM4/4/17
to kubernetes-sig-auth, mani.ko...@gmail.com
Okay, that's a mistake on my side. I have access now. Please ignore my previous message. Sorry for the confusion!

Greg Castle

Apr 11, 2017, 2:20:37 PM4/11/17
to kubernetes-sig-auth, mani.ko...@gmail.com
Hi, I'd like to be a contributor. I signed up with username destijl.

jdu...@deis.com

Apr 20, 2017, 2:48:53 PM4/20/17
to kubernetes-sig-auth
I definitely want to participate.  I have overseen CIS implementations at scale.  I'm registered as jdu...@deis.com


eric....@coreos.com

Apr 20, 2017, 2:55:12 PM4/20/17
to kubernetes-sig-auth
With the planned release of this document coming up, I was wondering if it'd be possible to release a draft for feedback from the general community?

This thread was brought up in the community meeting, and there's a lot of interest in this initiative outside of sig-auth. People understand the implications of this kind of document.

With that in mind, I think it'd be extremely helpful to get this material in front of the wider Kubernetes community before cutting the final version.

What do you think? Is this something CIS benchmarks have done in the past?

Eric 

Pravin Goyal

Apr 20, 2017, 7:00:17 PM4/20/17
to eric....@coreos.com, kubernetes-sig-auth
Hi Eric,
Thanks for bringing this up.

CIS terms do not permit exporting and circulating incomplete/draft benchmarks. It believes that CIS is an open platform for anyone to join and contribute. Community members who are _really_ interested in looking and contributing could sign up and get access to the benchmark recommendations.

Another important thing is that CIS respects contributors' time. It would be extremely difficult for authors/contributors to ingest the community feedback via emails or comments in the Word document or any other form. On the CIS website, you have tickets and discussions that you can create for each recommendation. That way anyone can potentially look at what has already been discussed and arrived at a consensus instead of replying to the same feedback again and again. CIS is like a git repo. You could submit pull requests (known as proposing new recommendations), you could review recommendations, open tickets, open discussions, raise PRs, etc., but all in the UI form. I would highly recommend community members to join the benchmark and contribute.

If you have any questions, please let me know. We are approximately 75% done with the benchmark. We are planning to release the 1.0 version in around 4 weeks. If anyone is interested in making a difference, please join asap.

Thanks and regards,
Pravin Goyal


gary...@gmail.com

Jun 5, 2017, 7:25:53 PM6/5/17
to kubernetes-sig-auth
Hi, Pravin,

I have registered on CIS WorkBench. I'd like to find a way to contribute although the document has been released. The account registered is gary...@gmail.com

Thanks,


gary...@gmail.com

Jun 12, 2017, 5:52:56 PM6/12/17
to kubernetes-sig-auth
Hi, All,

We have the initial scripts that implement checks in the Benchmark and we plan to open source it. I wonder if there are similar efforts on this so we can collaborate.

Thanks,
Gary


Liz Rice

Jun 21, 2017, 6:17:52 AM6/21/17
to kubernetes-sig-auth, gary...@gmail.com
Hello everyone, 

We just released a Go-based implementation of the benchmark tests yesterday, and absolutely we're open to collaborate on this. The tests are configured as YAML, which defines the shell commands to run for each check, so it should be easy to add new tests as the benchmark develops for future releases. 

We could demo this in an upcoming sig-auth call if there is interest? 

Best regards,
Liz
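An added illustration of the design Liz describes (YAML listing the shell command to run for each check), written for this thread and not code from her project or from CIS: each check names an audit command and a regex its output must match. The parser handles only the flat list-of-mappings subset shown, the two API server flags are assumed names in the style of such checks, and the echo command is a constructed stand-in for a process listing so the example runs offline.

```go
package main

import (
	"os/exec"
	"regexp"
	"strings"
)

// Check mirrors one benchmark test: an audit command and the regex its output must match.
type Check struct{ ID, Text, Audit, Pass string }

// ParseChecks reads a list of flat mappings (the YAML subset used below).
// Assumption: this hand-rolled parser stands in for a real YAML library.
func ParseChecks(doc string) []Check {
	var checks []Check
	for _, raw := range strings.Split(doc, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "- ") { checks = append(checks, Check{}) } // "- " opens a new item
		key, val, ok := strings.Cut(strings.TrimPrefix(line, "- "), ": ")
		if !ok || len(checks) == 0 { continue } // blank line, comment or stray text
		val = strings.Trim(val, `"'`) // scalars may be quoted either way
		c := &checks[len(checks)-1]
		if p, known := map[string]*string{"id": &c.ID, "text": &c.Text, "audit": &c.Audit, "pass": &c.Pass}[key]; known {
			*p = val
		}
	}
	return checks
}

// Run executes each audit command under sh and records whether its output matched the
// pass regex; a command that errors simply yields no match and therefore a failed check.
func Run(checks []Check) map[string]bool {
	results := map[string]bool{}
	for _, c := range checks {
		out, _ := exec.Command("sh", "-c", c.Audit).CombinedOutput()
		results[c.ID] = regexp.MustCompile(c.Pass).Match(out)
	}
	return results
}

// Constructed sample: echo stands in for the "ps -ef | grep kube-apiserver" a real audit would run.
const SampleChecks = `
- id: "1.1"
  text: "Ensure --anonymous-auth is set to false"
  audit: 'echo kube-apiserver --anonymous-auth=false --insecure-port=8080'
  pass: '--anonymous-auth=false'
- id: "1.2"
  text: "Ensure --insecure-port is set to 0"
  audit: 'echo kube-apiserver --anonymous-auth=false --insecure-port=8080'
  pass: '--insecure-port=0(\s|$)'
`
```

With the constructed command line, check 1.1 passes and 1.2 fails; adding a new recommendation is a matter of appending another list item rather than changing Go code.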