
New Repo: security-guard

Open davidhadas opened this issue 2 years ago • 8 comments

Use this issue type to request a new repo in knative-sandbox (or knative, which may require additional discussion).

Repo information

Org: knative-sandbox

Repo: security-guard

Purpose (Description): A knative-sandbox/security-guard repository will be the home of a Security Runtime plug (based on https://github.com/IBM/workload-security-guard) that will be used as a QP Extension (QP Option).

Sponsoring WG: Security

Actions to fulfill

This area is used to track the repo creation process. The requestor and sponsoring WG lead should perform the steps listed below and cross out the checkmarks when done. The TOC is involved only in the TOC Gate steps.

  • [x] Add this issue to the TOC project board for review. You are responsible for moving your entry on the board to "Needs Discussion" or "In Progress" as you move forward in this checklist.

You may not be able to use the Projects quick menu on this page. In that case, go to the project board and use the Add cards interface.

  • [x] Send a PR adding entries for this repo in /peribolos/knative-sandbox.yaml. Please mind the alphabetical order when adding to a list.
    • [x] Add the repository and a description.
    • [x] Grant Knative Admin the admin privilege.
    • [x] Grant the sponsoring WG the write privilege.

TOC Gate: Once the TOC has approved the above, it will merge and Peribolos will create an empty repository.

  • [x] (golang) Send a PR to add aliases for knative.dev/$REPONAME import paths (sample).

  • [x] Have a lead from the sponsoring WG bootstrap the Git repository by pushing an appropriate "template" repository (basic, sample-controller, sample-source) to the new repository as a git remote. For example:

      git clone https://github.com/knative-sandbox/sample-controller.git
      cd sample-controller
      git remote add newrepo https://github.com/knative-sandbox/$REPONAME.git
      git push newrepo main
    
  • [x] Add your GitHub ID to the OWNERS file for your repo.

  • [x] Set up prow for a new repo

  • [ ] Bootstrap your CI jobs using hack project (look at other sandbox repos for reference)

  • [x] Create a sample PR to verify Prow (e.g., edit the boilerplate README)

  • [x] Verify that within 24 hours the appropriate branch protections have been applied requiring tide to pass before PRs are merged.

  • [x] (optional) Send a PR adding the repo to knobots.

davidhadas avatar Jul 26 '22 09:07 davidhadas

So far, we've tried to group repo names in sandbox based on the corresponding working group or extension point (net-, eventing-, kn-plugin-, etc)

There are a few repos that don't match this pattern, but I'd be inclined to try to introduce that pattern here.

evankanderson avatar Jul 26 '22 17:07 evankanderson

As agreed, this will be discussed in the WG meeting before we continue. If we decide to open it, we can use sec-guard.

davidhadas avatar Jul 26 '22 20:07 davidhadas

Talked about this in the security WG meeting.

The concern I had previously been unable to articulate is that knative-sandbox policies include the use of Prow and two-eyes review of all commits (PR proposer and a reviewer, at least one of whom must be an OWNER on the files). The existing repos don't seem to have been developed in that model, and it wasn't clear who would pick up the PR review burden. It sounds like @maximilien and @psschwei will pick up some of those duties while the project is bootstrapping, and maybe @davidhadas will find some co-contributors who can do reviews and vice-versa.

The setup would be that the repo would have @davidhadas as OWNER along with the Security WG leads, which would allow David to be the responsible reviewer (approver) for the work with Paul and Dr Max providing /lgtm services and code review.

We agree to start out with one repo where the most important forward-progress code would land; we'll skip adding additional "example" repos until we have evidence that multiple people are attempting to extend queue-proxy and need examples. In the meantime, we can link to this repo (or to out-of-Knative examples) from a README.md in cmd/queue or pkg/queue/main in the Serving repo if we need to document additional usage beyond Serving itself.

evankanderson avatar Aug 01 '22 21:08 evankanderson

Link to peribolos PR: https://github.com/knative/community/pull/1139

psschwei avatar Aug 03 '22 13:08 psschwei

Naming sounds good given that this is Security-WG sponsored.

Approved by TOC on 4 Aug.

evankanderson avatar Aug 04 '22 16:08 evankanderson

https://github.com/knative/test-infra/pull/3469

davidhadas avatar Aug 05 '22 14:08 davidhadas

https://github.com/knative-sandbox/knobots/pull/222

davidhadas avatar Aug 10 '22 19:08 davidhadas

Need to review and consider CI jobs using hack project (look at other sandbox repos for reference)

davidhadas avatar Aug 10 '22 19:08 davidhadas

/close

(Setting up CI jobs is up to the repo OWNERS to decide on)

evankanderson avatar Sep 15 '22 16:09 evankanderson

@evankanderson: Closing this issue.

In response to this:

/close

(Setting up CI jobs is up to the repo OWNERS to decide on)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

knative-prow[bot] avatar Sep 15 '22 16:09 knative-prow[bot]