Cluster-API Security Self-Assessment Initiative #8
Comments
EDIT: I guess I messed up the labels so re-commented below. Maybe we should/need to create a WG? @tabbysable @reylejano @PushkarJ ?
/sig security

Related issue in cluster-api repo kubernetes-sigs/cluster-api#4446
WGs have a contract with Kubernetes Steering and require a community page, Zoom call slots, Slack channels and yearly status reports. My vote would be to not create WGs for subproject security audits, but if people insist it can be done.

@rficcaglia regarding WG creation, our co-chair @tabbysable's PoV is here, which I tend to agree with. TL;DR this seems like a lower intensity effort that would not require a WG.
/sig cluster-lifecycle

For the record: this is wonderful, huge thanks to everyone involved.

Here's my first pass at the self-assessment outline structure, i.e. not the CAPI details themselves but the high-level parts to be filled in (including a place for someone to fill in the CAPI-specific features and controls). This is meant to be both for CAPI and to serve as a template for future subproject use. https://docs.google.com/document/d/1Fj_cLUN9kLruHbEgmYiEgoqZjf2rRuVOmQDGOKByaf4/edit?usp=sharing
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

/remove-lifecycle stale
Just wanted to leave some updates here for folks who stumble upon this and are wondering what's the current status:
/assign @rficcaglia @PushkarJ

/retitle Cluster-API Security Self-Assessment Initiative

So far, as a follow-up on the security assessment, the following issues have been created:

Project tracker to manage completion of identified issues can be found here: https://github.com/orgs/kubernetes/projects/83/views/1
This is to consolidate info and inform all the interested folks regarding discussions around security assessment of cluster-api sub-project.
This is our first attempt as a community where a Security SIG will perform a security assessment of a sub-project of a graduated CNCF project. So we expect to make slow but reasonable progress and will be open for feedback on how we can improve for the benefit of others who will follow us.
The first step of a (community-driven) security assessment of a project is a self-assessment of the project. Although this is typically done by the project maintainers, some of us in #sig-security would be happy to take a first crack at filling out the outline template provided by CNCF TAG-Security.
Currently the volunteers are educating themselves on cluster-api docs and presentations and will coordinate with maintainers (who understandably are very busy but are engaged).
Related items:
kubernetes/community#5792
cncf/tag-security#603
https://groups.google.com/g/kubernetes-sig-cluster-lifecycle/c/Fi0UGzfbQfY