tag-security
[Presentation] cert-manager Graduation Overview
Title: cert-manager Graduation Overview
Speakers:
- Ashley Davis (@SgtCoDFish)
- Others TBC
Description: An overview of what cert-manager is and does, mostly with the aim of facilitating connections, questions and input from tag-security. Related to (and required by) cert-manager's Graduation Application.
Time: 10 mins, with extra time after for questions if required.
Availability: European timezones preferred!
TO DO:
- [ ] TAG Representative
- [x] Schedule date - pencilled in for 2024-05-22 EMEA meeting
- [x] By opening this issue, I, (Ashley Davis - @SgtCoDFish) acknowledge that the presentation topic and speaker will follow the presentation guidelines
Hi @SgtCoDFish, sounds great!
EMEA meetings are currently free for the next few weeks, please choose a time in the meeting document.
As part of the graduation in https://github.com/cncf/toc/issues/1306 we can support you in the Document Security Self-Assessment
phase, and walk through a self-assessment doc based on this template and this process.
The cert-manager incubation due diligence document from a couple of years ago might be useful as a baseline to support the graduation documents too. Any questions please ask, we're here to help 🙏
Thanks very much for the quick reply 😁
I've put us in for 2024-05-22 and we'll prepare for then!
As part of the graduation in https://github.com/cncf/toc/issues/1306 we can support you in the Document Security Self-Assessment phase, and walk through a self-assessment doc based on this template and this process.
That sounds great, thank you for pointing to that because I'd been meaning to investigate it! I guess there's nothing stopping us getting started with the self-assessment now (before the 22nd), right?
Absolutely! And if you share the doc link for public comment we can support async before the 22nd too 🙏
Hey, here is the self-assessment doc: https://hackmd.io/_e-m6hnzRzqsosUv3aG60A?view. I'm struggling and need help with the subsections "Actors" and "Actions". Are the actors the same as in the security audit report: cert-manager contributors, untrusted users outside of cluster, limited privilege cluster users, cert-manager maintainers, third-party contributors, third-party maintainers? Let me know if you are available on the Kubernetes Slack.
hi @maelvls , thanks for sharing the self-assessment doc.
The self-assessment guide describes actors as "the individual parts of your system that interact to provide the desired functionality", so I would consider them as the different components of cert-manager rather than the threat actors. Actions then should delineate which interactions exist between the actors.
I am available on the CNCF Slack
Thanks for having us on the EMEA meeting today!
I'm taking away the following actions:
- Move from HackMD to a Google Doc for the self assessment
- Ask for feedback on the completed self-assessment Google doc
I'll comment on this issue when I've done those. I'll also update the graduation application to reflect the meeting and self assessment!
Here's the Google doc for our self-assessment - the above HackMD can now be ignored!
https://docs.google.com/document/d/1Sl1SqYbPSbBMoZroBU8M1dMw5DN-uUgoR1KLHoo5tr0/edit?usp=sharing
Anyone should be able to comment on it - any problems, let me know!
Thanks for the quick update, I appreciate the effort! This makes it easy for interested TAG volunteers to provide feedback directly to the maintainers. I will have a look at the document myself in the next couple of days and hopefully provide any input or ask for clarifications.
@SgtCoDFish thanks for the feedback on the self-assessment doc, I'm done with my review :)
Once you are happy with the revised document, please feel free to raise a PR to this repository to include the self-assessment doc in Markdown format in the /assessments/projects/ folder as described in the guide.
Thanks very much! I'll try to raise a PR soon 👍
I raised the PR here: https://github.com/cncf/tag-security/pull/1269
Sorry it took a while, it's been a busy time!
The self assessment is now merged so I think this issue is completed. Thanks to everyone involved! 🚀