Complete Cluster API external security audit #4446

Closed
neolit123 opened this issue Apr 7, 2021 · 23 comments
Labels
area/testing Issues or PRs related to testing sig/security Categorizes an issue or PR as relevant to SIG Security.

@neolit123 (Member) commented Apr 7, 2021


old OP:

as discussed with @randomvariable and @PushkarJ we can try requesting a third party security audit for the Cluster API to ensure it is a secure project that can be safely consumed by the masses.

this can happen in two ways:

  1. by volunteer experts for free (a la the K8s third party security audit)
  2. by requesting funds to book experts via https://github.com/kubernetes/funding

the first action item here is to determine if we can proceed with option 1 and who can help.
@PushkarJ mentioned that he can bring this for discussion at CNCF SIG Security.

if we cannot find volunteers for such an audit we can proceed with option 2. for that we would need to research what company / private experts can do it. at that point we can request the funding from steering via https://github.com/kubernetes/funding

@neolit123 (Member Author)

/assign @PushkarJ @randomvariable
/sig security
/area testing

@k8s-ci-robot (Contributor)

@neolit123: GitHub didn't allow me to assign the following users: PushkarJ.

Note that only kubernetes-sigs members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @PushkarJ @randomvariable
/sig security
/area testing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added sig/security Categorizes an issue or PR as relevant to SIG Security. area/testing Issues or PRs related to testing labels Apr 7, 2021
@PushkarJ (Member) commented Apr 7, 2021

Just to clarify the options a bit more here for folks with limited context from my point of view :)

  1. CNCF SIG Security security assessment: https://github.com/cncf/sig-security/tree/master/assessments Typically this has been done for CNCF "projects" as part of graduation through different stages. Since CAPI is different, will bring this up in SIG meeting on how to tackle such scenarios in future
  2. Kubernetes third party security audit: This is something that was done a couple of years ago with the action items tracked here: Kubernetes 3rd Party Security Audit Findings kubernetes/kubernetes#81146 We are redoing this under the k8s sig-security umbrella. @reylejano is leading this and it is currently in progress: https://github.com/kubernetes/community/tree/master/sig-security/sig-security-external-audit
  3. Requesting fund to book experts: This is new to me and would be interested to know more.

@rficcaglia commented Apr 23, 2021

just to update from the various slack discussions:

  1. CNCF SIG-security wants to scope the new Security Pal program to sandbox. "it was scoped to a limited set of CNCF sandbox projects based on recommendations from our TOC Liaisons"
  2. However, the process and materials for self-assessment are available and, having led other SIG reviews (before they were called "Pal" reviews), I am confident we can get through this process efficiently.
  3. The "joint review" (which is having SIG volunteers review the self assessment) naturally follows from this. I don't see us having too much trouble recruiting volunteers, whether from the SIG directly or related interest groups. I've reached out to the CAPI user community to assess availability.
  4. Once that review of the self assessment is done, then since the 3rd party audit scope is closed at this point, I suggest we either drive a formal code audit forward within the community, identifying any gaps in skills and using that as a training opportunity and recruiting from the user community who may have those skills
  5. Finally for paid audits, the reality is that the vendors who responded to the kubernetes RFP are already booking months out and most vendors invited have not responded. Commercially I can attest to the reality that auditors have huge backlogs. So by the time we find funding for a paid audit, they may be booking slots into 2022. Which is fine, the bugs aren't going anywhere :) But just to set expectations.

Overall if we can drive this forward in the community --- then use funds to cross check our work with an external party --- I think that's going to deliver max value to the user community and build skills that transfer to other efforts.

@neolit123 (Member Author)

sent email to the k8s SIGs for more visibility:
https://groups.google.com/g/kubernetes-sig-cluster-lifecycle/c/Fi0UGzfbQfY

@vincepri (Member)

Thanks @neolit123 !

@vincepri (Member)

/milestone Next

@k8s-ci-robot k8s-ci-robot added this to the Next milestone May 25, 2021
@PushkarJ (Member)

FYI, A new slack channel is created for focussed discussion on this topic in Kubernetes slack workspace: #sig-security-assess-capi
Related: kubernetes/community#5792

@reylejano

Kubernetes SIG Security will perform a community-driven security assessment of Cluster API
Related: https://github.com/kubernetes/community/issues/5814

@PushkarJ (Member) commented Jun 3, 2021

@vincepri / @neolit123 probably okay to close this, as now we have a separate issue in k8s sig-security to track this effort?

@rficcaglia

@PushkarJ better late than never ;) here's my first pass at the self-assessment outline structure, i.e. not the CAPI details themselves but the high level parts to be filled in (including a place for someone to fill in the CAPI-specific features and controls). This is meant to be both for CAPI and to serve as a template for future subproject use.

https://docs.google.com/document/d/1Fj_cLUN9kLruHbEgmYiEgoqZjf2rRuVOmQDGOKByaf4/edit?usp=sharing

@PushkarJ (Member)

Thanks @rficcaglia for working on this :) I am thinking of creating two documents from the above:

  1. One for cluster-api with many blank spaces to fill in the details as we learn more
  2. One that can act as a template for future sub-projects

Does that work for you?

@rficcaglia commented Jul 13, 2021 via email

@randomvariable (Member)

/lifecycle active

@k8s-ci-robot k8s-ci-robot added the lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. label Oct 6, 2021
@randomvariable (Member)

/retitle Complete Cluster API external security audit

@k8s-ci-robot k8s-ci-robot changed the title apply Cluster API for an external security audit Complete Cluster API external security audit Nov 5, 2021
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. and removed lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. labels Feb 3, 2022
@voor (Member) commented Feb 3, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 3, 2022
@sbueringer (Member)

As discussed in the backlog grooming on 11th February, this issue is ongoing; we'll keep it in Next as it's not related to a specific CAPI release.

@sbueringer (Member)

@PushkarJ Can you please keep this issue up-to-date if there is anything new.

@PushkarJ (Member)

@sbueringer IMO, we can lessen the load on tracking this issue by closing it, since we have a duplicate issue kubernetes/sig-security#8 that we can all watch and follow the progress on. Does that work for you?

@sbueringer (Member)

Good point. Sounds reasonable to me. Would like to have confirmation from e.g. @fabriziopandini

@fabriziopandini (Member)

+1 for me; in case we miss some update from the other issue @PushkarJ don't hesitate to ping us
/close

@k8s-ci-robot (Contributor)

@fabriziopandini: Closing this issue.

In response to this:

+1 for me; in case we miss some update from the other issue @PushkarJ don't hesitate to ping us
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
