hello,
for those who have not been following the discussion in:
https://github.com/kubernetes-sigs/cluster-api/issues/4446
and
https://cloud-native.slack.com/archives/CDJ7MLT8S/p1619029631175300
the Cluster API will be the subject of a security assessment done with
help from the k8s SIG Security and CNCF SIG Security.
the information on the subject is rather sparse for the time being,
because AFAIK this is the first subproject of a CNCF project where
such a review is being done.
the TL;DR of the process would be the following:
- Cluster API maintainers will collaborate with k8s SIG Security in
performing a self-assessment:
https://github.com/cncf/sig-security/tree/master/assessments
- Once the assessment is done, CNCF SIG Security will step in for a
"joint review":
https://github.com/cncf/sig-security/tree/master/assessments
- Once the joint review passes the participating groups can determine
if another third party audit is required.
with this email I kindly ask the Cluster API maintainers to agree
internally on who can help with participation in the self-assessment
and to respond to other asks that the *Security SIGs might have.
Reserving time for meetings and collaboration will be required from
all sides.
another ask from me would be to not use Slack for any important
process-related decisions around this... or at least mirror outcomes on
this email thread or on
https://github.com/kubernetes-sigs/cluster-api/issues/4446
shout-out to Puskar Joglekar (pjog...@vmware.com, @PJ on Slack), who
has been helping with organizing this. please direct any liaison
related questions to him for the time being, as he is active in both
*Security SIGs.
thank you!
lubomir
--