[Security Review] Kyverno
Project Name: Kyverno
Github URL: https://github.com/kyverno/kyverno
CNCF project stage and issue (NA if not applicable): Incubation, https://github.com/cncf/toc/pull/784.
Security Provider: yes
Further comments: Kyverno has added self-assessment here, and the security processes and guidelines can be found here. OpenSSF Best Practices is passing.
- [ ] Identify team
- [ ] Project security lead
- [ ] Lead security reviewer
- [ ] 1 or more additional reviewer(s) @JustinCappos
- [ ] Every reviewer has read security reviewer guidelines and stated declaration of conflict
- [ ] Sign off by facilitator on reviewer conflicts
- [ ] Create slack channel (e.g. #sec-assess-projectname)
- [ ] Project lead provides draft document - see outline
- [ ] "Naive question phase" Lead Security Reviewer asks clarifying questions
- [ ] Assign issue to security reviewers
- [ ] Initial review
- [ ] Presentation & discussion
- [ ] Share draft findings with project
- [ ] Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
- [ ] CNCF TOC presentation (if requested by TOC)
Hey @realshuting, thanks for this! We will need to migrate this to the new TOC repo following the TAG reorg and associated activity freeze.
In the meantime, we can use this issue to collect interest from any community members who would like to participate in the Kyverno joint assessment.
Who will be leading this effort from the Kyverno maintainer team?
I agree that this issue probably still needs to exist here - as the generic initiative scope may not capture context and details we need to move forward.
I will create an initiative issue in order to get this on the TOC radar early.
I'm happy to participate in this review as a normal reviewer. I have no conflicts.
Hi @eddie-knight - thanks for the reply! I will lead this effort to complete the joint security review.
In the meantime, please let me know if there is anything else needed from us. I will join the Project Review Subproject Meeting next week to discuss next action items.
I'm interested in participating as a reviewer if additional hands/eyes are useful here.
I'm also interested in participating in the joint assessment. Experience: CKS, 2 CVEs: one from Next.js (CVE-2024-39693), one from NSA (CVE-2025-27508).
I'm interested, as an Observer.
I can participate - since I am no longer chair of the K8s wg-policy I don't feel I have any bias. That said for full transparency @JimBugwadia and I spent a lot of time working together on the wg-policy and I spent a considerable amount of time looking at Kyverno. I think that's a good thing, but maybe some might consider me tainted. That said, I also helped with the OPA review long ago, and work closely with that team, so I think I'm being fair and balanced ;)
I'd like to participate as an observer, if still possible. I have no conflicts.
We will be migrating discussion of this security review to the TOC repo as part of the migration to the newly launched TAG Security & Compliance: https://github.com/cncf/toc/issues/1703
[!NOTE] Mistakenly linked TOC#1709, sorry about the confusion there