[Initiative]: Kyverno Joint Security Assessment

Open brandtkeller opened this issue 7 months ago • 30 comments

(Note: this was filed with the initiative template and updated to the joint security assessment template on 1 Oct by @evankanderson. Some fields will still need to be filled out.)

Project Name

Kyverno

GitHub URL

https://github.com/kyverno/kyverno

Project Security Contacts

@JimBugwadia , @realshuting

Getting Started

Self Assessment Link

https://github.com/cncf/toc/tree/main/projects/kyverno/security-assessment/self-assessment.md

CNCF Project Stage

Incubation

Security Provider

Yes

Security Review Checklist

  • [x] Identify team
    • [x] Project's assessment lead @realshuting / @JimBugwadia
    • [x] Lead security reviewer @sublimino
    • [x] 1 or more additional reviewer(s) @JustinCappos @sunstonesecure-robert @eddie-knight Observers: @jackap @trumant @camilaavilarinho @tturquette
    • [x] Every reviewer has read security reviewer guidelines and stated declaration of conflict
    • [x] Sign off by facilitator on reviewer conflicts
  • [x] Create slack channel (e.g. #sec-assess-projectname)
  • [ ] "Naive question phase" Lead Security Reviewer asks clarifying questions
  • [ ] Assign issue to security reviewers
  • [ ] Initial review
  • [ ] Presentation & discussion
  • [ ] Share draft findings with project
  • [ ] Assessment summary and doc checked into /projects/project-name/assessments/ (require at least 1 co-chair approval)
  • [ ] CNCF TOC presentation (if requested by TOC)

brandtkeller avatar May 14 '25 16:05 brandtkeller

Hi @brandtkeller! Now that the elections for TAG chairs is completed, I wanted to check in with you about this. Is there anything we can/should do on our end to help get this review started?

CortNick avatar Jun 18 '25 14:06 CortNick

Some thoughts...

  1. I don't anticipate that Brandt has any mechanism to help move this forward or answer questions on it
  2. The new TAG Security & Compliance is not yet chartered, and there is not yet clarity on when/how the TAG is able to take action independently of TOC approval
  3. This application will require response from the TOC, as they now hold the approval authority for all initiatives

eddie-knight avatar Jun 18 '25 14:06 eddie-knight

Hi @eddie-knight, thank you for your input, and thanks to @angellk for assisting with triage. We understand that TAG Security & Compliance is currently undergoing the chartering process. In the meantime, is there any documentation or preparatory work you recommend we begin now to help streamline the upcoming security assessment for Kyverno? Please let us know if there are specific materials or actions we can prioritize.

realshuting avatar Jun 30 '25 06:06 realshuting

If you haven't done the self-assessment, please start this. I'd recommend reading this book, which is a lightweight guide to help you get started.

In the meantime, is there any documentation or preparatory work you recommend we begin now to help streamline the upcoming security assessment for Kyverno? Please let us know if there are specific materials or actions we can prioritize.

JustinCappos avatar Jun 30 '25 11:06 JustinCappos

Reiterating the previous comment, TAG-SC will keep this on our backlog pending action until the self-assessment has been completed.

Interest was expressed by the following folks on the previous issue:

  • @sunstonesecure-robert
  • @camilaavilarinho
  • @zoltani
  • @0dd
  • @trumant

eddie-knight avatar Jul 09 '25 17:07 eddie-knight

@realshuting We noticed that a self assessment was already created and will only need to be updated with the latest accurate info:

https://github.com/cncf/tag-security/blob/main/community/assessments/projects/kyverno/self-assessment.md

eddie-knight avatar Jul 16 '25 17:07 eddie-knight

@realshuting We noticed that a self assessment was already created and will only need to be updated with the latest accurate info:

https://github.com/cncf/tag-security/blob/main/community/assessments/projects/kyverno/self-assessment.md

Thank you @eddie-knight for the notification. We will review and update the existing self-assessment document with the latest information and share the updated version with you.

realshuting avatar Jul 23 '25 14:07 realshuting

@realshuting We noticed that a self assessment was already created and will only need to be updated with the latest accurate info: https://github.com/cncf/tag-security/blob/main/community/assessments/projects/kyverno/self-assessment.md

Thank you @eddie-knight for the notification. We will review and update the existing self-assessment document with the latest information and share the updated version with you.

Hi @eddie-knight - we've submitted this PR to update our self-assessment with the most current and accurate information. Please let us know if you need any additional details or have any questions for us.

realshuting avatar Aug 01 '25 09:08 realshuting

Thanks @realshuting!

The next step will be to determine a project lead, and confirm participation from the volunteers who have already raised their hand. We'll discuss this more on tomorrow's TAG-SC community call.

eddie-knight avatar Aug 05 '25 12:08 eddie-knight

@realshuting And don't forget to work on the feedback given on your PR! https://github.com/cncf/tag-security/pull/1486

JustinCappos avatar Aug 05 '25 13:08 JustinCappos

@realshuting And don't forget to work on the feedback given on your PR! cncf/tag-security#1486

Thank you for your patience, @JustinCappos. I have updated the PR based on your feedback. Please review the changes and let me know if any further modifications are needed.

realshuting avatar Aug 15 '25 09:08 realshuting

I think some of your changes will get merged in via @brandtkeller 's recent PR.

However, due to the TOC's reshuffling of things, the assessment template was lost until @jpower432 recently copied it over. You could either copy the contents of that into your issue description (above) or close this issue and open a new one. When everyone is ready, we can get the group together for the joint assessment...

JustinCappos avatar Aug 21 '25 12:08 JustinCappos

Hello all! I updated the format of this issue, in particular to include the series of steps that are needed to progress this joint security assessment.

evankanderson avatar Oct 01 '25 17:10 evankanderson

Hey @realshuting are you still volunteering as the lead for this effort? It appears we're at a point where we can set up a meeting to work on the Joint Assessment next steps.

eddie-knight avatar Oct 01 '25 21:10 eddie-knight

@realshuting pinging again.

JustinCappos avatar Oct 12 '25 20:10 JustinCappos

Thanks @eddie-knight and @JustinCappos for the reminder, and apologies for the delayed reply.

We’re ready to proceed with the Kyverno joint security assessment:

  • Primary contact: @realshuting
  • Backup contact: @JimBugwadia

We’re flexible on the scheduling options, and can adjust as needed:

  • Join any upcoming TAG Security public meeting that works for the reviewers; or
  • Meet next Tuesday, Oct 21, 10:00 am – 11:00 am PT

Once a slot is confirmed, we’ll follow up with the Slack channel and next steps. Looking forward to collaborating.

realshuting avatar Oct 13 '25 17:10 realshuting

@trumant @0dd @sunstonesecure-robert @zoltani @camilaavilarinho

Please chime in if you'd like to participate in the review. If so, please read the security reviewer guidelines and make a stated declaration of conflict

I have the reviewer guidelines and do not have a conflict.

If anyone else wants to participate, now is the time to chime in.

JustinCappos avatar Oct 14 '25 13:10 JustinCappos

no hard conflicts for me - only soft conflicts as defined:

  • personal relationships: Jim B. and I worked closely on wg-policy but that was >1 year back
  • uses the project in their work: I use kyverno or recommend it often

sunstonesecure-robert avatar Oct 14 '25 14:10 sunstonesecure-robert

I'm interested as an Observer and I have no conflict.

jackap avatar Oct 14 '25 15:10 jackap

I'll contribute to this effort where I can, no conflicts except professional use

sublimino avatar Oct 14 '25 15:10 sublimino

I'll contribute to this effort where I can, no conflicts except professional use

Would you like to lead, @sublimino ? We don't have anyone who has stepped up to take on that role

JustinCappos avatar Oct 14 '25 18:10 JustinCappos

I have reviewed the reviewer and conflict guidance and affirm that I have no conflicts and wish to shadow as this is my first assessment.

trumant avatar Oct 14 '25 22:10 trumant

@trumant @0dd @sunstonesecure-robert @zoltani @camilaavilarinho

Please chime in if you'd like to participate in the review. If so, please read the security reviewer guidelines and make a stated declaration of conflict

@JustinCappos I have read the reviewer guidelines and do not have a conflict.

0dd avatar Oct 15 '25 00:10 0dd

I'll contribute to this effort where I can, no conflicts except professional use

Would you like to lead, @sublimino ? We don't have anyone who has stepped up to take on that role

Sure thing, very happy to @JustinCappos

sublimino avatar Oct 15 '25 01:10 sublimino

Count me in. No conflicts.

eddie-knight avatar Oct 15 '25 02:10 eddie-knight

Okay, I've updated the issue to add everyone who volunteered.

I also made the slack channel on the CNCF slack (#sec-assess-kyverno). @jackap @sunstonesecure-robert , please join. Everyone else I knew their slack handle and added.

JustinCappos avatar Oct 15 '25 03:10 JustinCappos

I’d like to participate as an observer as well if possible. I have no conflict.

camilaavilarinho avatar Oct 16 '25 15:10 camilaavilarinho

Automation closed this unintentionally.

brandtkeller avatar Nov 06 '25 20:11 brandtkeller

I'd love to contribute as an Observer. I have no conflict

tturquette avatar Nov 10 '25 12:11 tturquette

We'll start this joint assessment with the question and threat model phase in tomorrow's TAG Security meeting!

Joint assessment document: https://docs.google.com/document/d/1JJVlYu6LNpWs2ukirOmoHMEhCsuOEoseBq6dq-Kcgjc/edit?tab=t.0

Please join us 😊

sublimino avatar Nov 18 '25 18:11 sublimino