community icon indicating copy to clipboard operation
community copied to clipboard

Published 20 hours ago verified publisher icon knative

Applied for security audit

Open csantanapr opened this issue 3 years ago • 5 comments

Applied for CNCF security audit

Having a security audit performed by CNCF contractor for Knative is a requirement for CNCF project graduation.

I was advised by @caniszczyk to go ahead and open a service ticket now, since there is a large backlog for the Security contractor

cc @evankanderson

csantanapr avatar Mar 10 '22 20:03 csantanapr

@evankanderson Do you have access now with your knative.team email to service desk? This will allow you to open a ticket requesting the security audit for knative, this would put us in the queue of a few months to be done.

csantanapr avatar Mar 29 '22 03:03 csantanapr

Created: https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1174?created=true

evankanderson avatar Mar 29 '22 20:03 evankanderson

Thank you @evankanderson it looks like CNFC got you in contact with the auditor

I dropped an intro to **** [email protected] who will send you a template to fill out in scoping the audit, they will then run an RFP process and find a vendor which CNCF will pay for. The backlog is quite long so I’d expect at least a few months before this officially gets started.

Let us know how it goes once you have more info.

csantanapr avatar Apr 06 '22 21:04 csantanapr

I chatted with Amir on Tuesday, and we filled out an audit questionnaire together:

https://docs.google.com/document/d/1YaEK5zWmOk1G_eFuiJCPYGm7nWc2l97eBK3wINYNJTE/edit

Sometime (possibly post-Kubecon), we'll probably put together two RFPs:

Serving

A standard security audit, taking into account the in-progress encryption of KIngress -> activator -> queue_proxy path.

Eventing

Probably a more protocol-focused audit this time, focusing on modeling necessary controls and mitigations, probably including:

  • TLS capability for Addressable resources with cluster.local endpoints (which can't use public CAs like LetsEncypt)
  • Sender identity (probably OAuth / OpenID Connect rooted in the kube-apiserver's ability to mint tokens, and an aud parameter indicated by the Addressable)
  • Some form of data-plane RBAC to be able to restrict who can send to a given Addressable
  • Necessary RBAC controls on the control plane, possibly by describing the controls to be used with a policy system like Gatekeeper or Kyverno

evankanderson avatar Apr 28 '22 22:04 evankanderson

@evankanderson any updates on this front?

csantanapr avatar Jun 16 '22 16:06 csantanapr

Hi everyone! I have emailed @evankanderson a few times since July about this but have not heard back. We are ready and happy to continue the conversation and help knative get their security audit done as we do with many cncf projects!

Amir-Montazery avatar Oct 17 '22 14:10 Amir-Montazery

Sorry, this got dropped under a bunch of vacation and acquisition traffic -- I'll dig out the emails and respond today.

evankanderson avatar Oct 17 '22 15:10 evankanderson

/close

We now have 2 audits:

  • https://knative.dev/blog/events/security-audit-2023/
  • https://knative.dev/blog/events/fuzzing-audit-2023/

Closing this as done

aliok avatar Jan 12 '24 08:01 aliok

/close

aliok avatar Jan 12 '24 08:01 aliok

@aliok: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

knative-prow[bot] avatar Jan 12 '24 08:01 knative-prow[bot]