security assessment for Cluster API


Lubomir I. Ivanov

Apr 26, 2021, 12:30:05 PM
to kubernetes-sig-cluster-lifecycle, kubernetes-...@googlegroups.com
hello,

for those who have not been following the discussion in:
https://github.com/kubernetes-sigs/cluster-api/issues/4446
and
https://cloud-native.slack.com/archives/CDJ7MLT8S/p1619029631175300

the Cluster API will be the subject of a security assessment done with
help from the k8s SIG Security and CNCF SIG Security.

the information on the subject is rather sparse for the time being,
because AFAIK this is the first subproject of a CNCF project where
such a review is being done.

the TL;DR of the process would be the following:
- Cluster API maintainers will collaborate with k8s SIG Security in
performing a self-assessment:
https://github.com/cncf/sig-security/tree/master/assessments
- Once the assessment is done, CNCF SIG Security will step in for a
"joint review":
https://github.com/cncf/sig-security/tree/master/assessments
- Once the joint review passes the participating groups can determine
if another third party audit is required.

with this email i kindly ask the Cluster API maintainers to agree
internally on who can help with participation in the self-assessment
and to respond to other asks that the *Security SIG might have.
Reserving time for meetings and collaboration will be required from
all sides.

another ask from me would be to not use Slack for any important
process related decisions around this...or at least mirror outcomes on
this email thread or on
https://github.com/kubernetes-sigs/cluster-api/issues/4446

shout out to Pushkar Joglekar (pjog...@vmware.com, @PJ on slack), who
has been helping with organizing this. please direct any liaison
related questions to him for the time being, as he is active in both
*Security SIGs.

thank you!
lubomir
--

Pushkar Joglekar

Apr 27, 2021, 3:45:39 PM
to kubernetes-sig-security
Hi All,

Related issue on CNCF SIG Security: https://github.com/cncf/sig-security/issues/603 that has all the interested folks and a brief overview of action items. Let's continue the discussion there :) Thanks to those participating in this pilot, which will hopefully set a precedent for security of sub-projects as our community continues to grow!