From 59e5d4b0b05482847c9e759ee3ea22b8777f5e25 Mon Sep 17 00:00:00 2001 From: Nick Veitch Date: Mon, 4 Mar 2024 10:20:29 +0000 Subject: [PATCH] Docs: add security page (#191) * add security page --------- Co-authored-by: eaudetcobello <155978570+eaudetcobello@users.noreply.github.com> --- docs/src/explanation/index.md | 5 +++ docs/src/explanation/security.md | 65 ++++++++++++++++++++++++++++++++ docs/src/reference/roadmap.md | 9 ++++- 3 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 docs/src/explanation/security.md diff --git a/docs/src/explanation/index.md b/docs/src/explanation/index.md index dc4c235bb..366b2f9d9 100644 --- a/docs/src/explanation/index.md +++ b/docs/src/explanation/index.md @@ -14,8 +14,13 @@ Overview :titlesonly: /explanation/about /explanation/channels +/explanation/security ``` +--- + +## Other documentation types + If you are just getting started, the [Tutorials section] contains step-by-step tutorials to help guide you through exploring and using Canonical Kubernetes. diff --git a/docs/src/explanation/security.md b/docs/src/explanation/security.md new file mode 100644 index 000000000..4f5826e19 --- /dev/null +++ b/docs/src/explanation/security.md 
@@ -0,0 +1,65 @@ +# Security + +This page provides an overview of various aspects of security to be considered +when operating a cluster with **Canonical Kubernetes**. To consider security +properly, this means not just aspects of Kubernetes itself, but also how and +where it is installed and operated. + +A lot of important aspects of security therefore lie outside the direct scope +of **Canonical Kubernetes**, but links for further reading +are provided. + +## Security of the snap/executable + +As detailed in the [snap documentation][], an application installed from a snap +is inherently more secure than a traditionally installed application. +Snap-based applications are installed into a sandboxed, self contained +environment which restricts its ability to interact with the rest of user +space. + +## Security of the OCI images + +**Canonical Kubernetes** relies on OCI standard images published as `rocks` to +deliver the services which run and facilitate the opration of the Kubernetes +cluster. The use of Rockcraft and `rocks` gives Canonical a way to maintain and +patch images to remove vulnerabilities at their source, which is fundamental to +our commitment to a sustainable Long Term Support(LTS) release of Kubernetes +and overcoming the issues of stale images with known vulnerabilities. For more +information on how these images are maintained and published, see the +[Rockcraft documentation][rocks-security]. + +## Kubernetes Security + +The Kubernetes cluster deployed by Canonical Kubernetes can be secured using +any of the methods and options described by the upstream +[Kubernetes Security Documentation][]. + +Canonical Kubernetes enables RBAC (Rules Based Access Control) by default. + +## Cloud security + +If you are deploying **Canonical Kubernetes** on public or private cloud +instances, anyone with credentials to the cloud where it is deployed may also +have access to your cluster. 
Describing the security mechanisms of these clouds +is out of the scope of this documentation, but you may find the following links +useful. + +- Amazon Web Services +- Google Cloud Platform +- Metal As A Service(MAAS) +- Microsoft Azure +- VMWare VSphere + +## Security Compliance + +As with previously released Kubernetes software from Canonical, we aim to +satisfy the needs of various security compliance standards. This is a process +that will take some time however. Please watch out for future announcements and +check the [roadmap][] for current areas of work. + + + +[Kubernetes Security documentation]: https://kubernetes.io/docs/concepts/security/overview/ +[snap documentation]: https://snapcraft.io/docs/security-sandboxing +[rocks-security]: https://canonical-rockcraft.readthedocs-hosted.com/en/latest/explanation/rockcraft/ +[roadmap]: ../reference/roadmap diff --git a/docs/src/reference/roadmap.md b/docs/src/reference/roadmap.md index 707c7353c..b72039511 100644 --- a/docs/src/reference/roadmap.md +++ b/docs/src/reference/roadmap.md @@ -5,7 +5,9 @@ roadmap, letting everyone know the headline features we are working on and the future direction and priorities of the project. Our roadmap matches the cadence of the Ubuntu release cycle, so `24.10` is the -same as the release date for Ubuntu 24.10. +same as the release date for Ubuntu 24.10. This does not precisely map to the +release cycle of Kubernetes versions, so please consult the [release notes] for +specifics of whatfeatures have been delivered. ``` {csv-table} Canonical Kubernetes public roadmap @@ -13,3 +15,8 @@ same as the release date for Ubuntu 24.10. :widths: 30, 30 :header-rows: 1 ``` + + + + +[release notes]: ./releases \ No newline at end of file
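Review bot: in the new docs/src/explanation/security.md, the "Kubernetes Security" section expands RBAC as "Rules Based Access Control"; the term is Role-Based Access Control, and the sentence should say so (a pointer to the upstream RBAC documentation would also help readers understand what is enabled by default). In the "Cloud security" section the text says "you may find the following links useful", but the five bullets (Amazon Web Services, Google Cloud Platform, Metal As A Service(MAAS), Microsoft Azure, VMWare VSphere) are plain text with no link targets; either add reference definitions for them or drop the word "links". The snap section's claim that a snap-installed application "is inherently more secure than a traditionally installed application" is stronger than the linked sandboxing page supports, since confinement depends on the snap's confinement mode and the interfaces it is granted; consider softening it to "can be more tightly confined" and stating which confinement mode the k8s snap uses. Typos: "opration" should be "operation", "Long Term Support(LTS)" and "Metal As A Service(MAAS)" need a space before the parenthesis, and "VMWare VSphere" is spelled "VMware vSphere". The link label `[Kubernetes Security Documentation][]` differs in case from its definition `[Kubernetes Security documentation]:`; CommonMark matches labels case-insensitively, but making them identical avoids surprises in other renderers.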
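Review bot: in the first docs/src/reference/roadmap.md hunk, "specifics of whatfeatures have been delivered" is missing a space and should read "what features". This sentence also introduces the `[release notes]` reference, whose definition is only added in the second hunk of the same file; keep both hunks together if the change is ever split so the link does not dangle.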
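Review bot: in the second docs/src/reference/roadmap.md hunk, the new `[release notes]: ./releases` definition is added after four blank lines and without a trailing newline (`\ No newline at end of file`); trim the blank lines to one or two and end the file with a newline so it is consistent with the other docs files and future diffs do not show a spurious change on this line.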