k8s.io
Best Practice on Security for AWS S3 buckets for registry.k8s.io
- [x] Ensure versioning is enabled for the production buckets: https://github.com/kubernetes/k8s.io/pull/4118 (@deobieta)
- [ ] Ensure access logging is enabled for the production buckets: https://github.com/kubernetes/k8s.io/issues/3929
- [ ] Monitor IAM permissions changes for the authentication account and the S3 buckets accounts
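The three checklist items above can be checked mechanically. The following is an added example, not code from this issue or from the k8s.io project: `audit_bucket()` evaluates responses shaped like boto3's `get_bucket_versioning` and `get_bucket_logging` results, and `flag_sensitive_events()` picks the IAM and bucket-configuration changes out of CloudTrail records. The bucket names, ARNs and event records are constructed placeholders, and the MFA Delete check is an addition beyond the checklist; nothing here calls AWS.

```python
"""Added example, not code from the k8s.io issue or the project: a posture
check for the registry mirror buckets plus a CloudTrail filter for the IAM
and bucket-configuration changes the checklist asks to monitor.

audit_bucket() takes responses shaped like boto3's S3 get_bucket_versioning
and get_bucket_logging results. flag_sensitive_events() takes CloudTrail
records. Every input below is a constructed sample and the bucket names
are hypothetical placeholders; nothing here calls AWS.
"""
from __future__ import annotations

PROD_BUCKET = "example-registry-prod"   # hypothetical names
LOG_BUCKET = "example-registry-logs"


def audit_bucket(name: str, versioning: dict, logging: dict) -> list[str]:
    """Return findings for one bucket; an empty list means it passes."""
    findings: list[str] = []
    # get_bucket_versioning returns {} for a never-versioned bucket and
    # {"Status": "Suspended"} once versioning has been switched off again.
    status = versioning.get("Status", "absent")
    if status != "Enabled":
        findings.append(f"{name}: versioning is not enabled (Status={status})")
    # MFA Delete is an extra guard beyond the checklist: without it the same
    # credential that can write objects can also purge every older version.
    if versioning.get("MFADelete") != "Enabled":
        findings.append(f"{name}: MFA Delete is not enabled")
    # get_bucket_logging returns {} while server access logging is off.
    target = logging.get("LoggingEnabled", {}).get("TargetBucket")
    if not target:
        findings.append(f"{name}: server access logging is not enabled")
    elif target == name:
        findings.append(f"{name}: access logs land in the bucket itself, so "
                        "whoever can write objects can also rewrite the trail")
    return findings


# IAM write calls are matched by verb prefix (PutRolePolicy, AttachUserPolicy,
# CreateAccessKey, ...); read-only calls start with Get/List and fall through.
IAM_WRITE_PREFIXES = ("Put", "Attach", "Detach", "Create", "Delete", "Update")
S3_CONFIG_EVENTS = {
    "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
    "PutBucketVersioning", "PutBucketLogging", "DeleteBucket",
}


def flag_sensitive_events(records: list[dict], watched: set[str]) -> list[str]:
    """Return one alert line per CloudTrail record that merits review."""
    alerts: list[str] = []
    for r in records:
        source, name = r.get("eventSource"), r.get("eventName", "")
        actor = r.get("userIdentity", {}).get("arn", "unknown")
        params = r.get("requestParameters") or {}
        if source == "iam.amazonaws.com" and name.startswith(IAM_WRITE_PREFIXES):
            alerts.append(f"{r['eventTime']} IAM change {name} by {actor}")
        elif (source == "s3.amazonaws.com" and name in S3_CONFIG_EVENTS
              and params.get("bucketName") in watched):
            alerts.append(f"{r['eventTime']} {name} on {params['bucketName']} by {actor}")
    return alerts


# Constructed samples in the shape of the real API responses and records.
SAMPLE_VERSIONING = {"Status": "Enabled", "MFADelete": "Disabled"}
SAMPLE_LOGGING = {"LoggingEnabled": {"TargetBucket": LOG_BUCKET, "TargetPrefix": "s3/"}}
SAMPLE_EVENTS = [
    {"eventTime": "2022-10-03T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "registry-writer",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}},
    {"eventTime": "2022-10-03T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketVersioning",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": PROD_BUCKET}},
    {"eventTime": "2022-10-03T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketVersioning",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": PROD_BUCKET,
                           "VersioningConfiguration": {"Status": "Suspended"}}},
    {"eventTime": "2022-10-03T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "unrelated-scratch-bucket"}},
]


def run_sample() -> tuple[list[str], list[str]]:
    """Run both checks over the constructed samples."""
    return (audit_bucket(PROD_BUCKET, SAMPLE_VERSIONING, SAMPLE_LOGGING),
            flag_sensitive_events(SAMPLE_EVENTS, {PROD_BUCKET, LOG_BUCKET}))


if __name__ == "__main__":
    findings, alerts = run_sample()
    for line in findings + alerts:
        print(line)
```

On the sample data the audit passes versioning and logging and reports only the missing MFA Delete, while the event filter flags the IAM policy attachment and the attempt to suspend versioning on the production bucket, and ignores the read-only call and the ACL change on a bucket outside the watch list. The log-target check matters because S3 server access logs delivered into the same bucket are only as trustworthy as that bucket's write controls.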
Conversation during k8s-infra meeting
: These buckets will likely be around for 10 years. This doesn't seem to be expressed. Arnaud would like to have Ted/Jay advise us about this.
Jay: We can set up CloudTrail facilities. Ted already signed off on buckets + IAM roles.
Arnaud: It's not about the service, it's about the policy we need to put in place. For example, you can have access logs.
Lay out some security policy about those buckets. When Ben put out the design doc, there were some questions. What is the plan if there is an accident... wiping out the entire bucket...
Policy: Let's get some advice, best practices, not specifically to IAM roles.
Jay: These are all mirrors, copies, and GCS storage. Worst case would be some malicious actor getting the ability to push/write objects within that bucket and overwrite. Image signatures and checksums are the current guards against that.
Ben: We talk about this in the doc; outside of a DoS attack, it's all content addressed.
We should talk about this at some point, and document it. But let's also move forward with advice from Jay and Ted.
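The conversation above rests on one property: a content-addressed mirror lets the client detect an overwritten object, and only a DoS (deleting or withholding objects) survives that check. The following is an added example, not code from this issue or from the k8s.io project, that makes the property concrete. A dict stands in for the bucket, blobs live under a hypothetical `blobs/sha256/<hex>` layout, and a `tags/<name>` key is a mutable pointer to a manifest digest; all data is constructed.

```python
"""Added example, not code from the k8s.io issue or the project: what a
digest check does and does not protect on a content-addressed mirror.

A dict stands in for the bucket. Blobs live under the hypothetical layout
blobs/sha256/<hex>; a tag is a mutable pointer to a manifest digest. The
client re-hashes everything it fetches against the digest it asked for.
"""
import hashlib
import json


class DigestMismatch(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def blob_key(hexdigest: str) -> str:
    return f"blobs/sha256/{hexdigest}"


def publish(bucket: dict, tag: str, layers: list[bytes]) -> str:
    """Store layers and a manifest by digest, then point the tag at the manifest."""
    layer_digests = [sha256_hex(b) for b in layers]
    for d, b in zip(layer_digests, layers):
        bucket[blob_key(d)] = b
    manifest = json.dumps({"layers": layer_digests}, sort_keys=True).encode()
    manifest_digest = sha256_hex(manifest)
    bucket[blob_key(manifest_digest)] = manifest
    bucket[f"tags/{tag}"] = manifest_digest.encode()  # the only mutable key
    return manifest_digest


def fetch_verified(bucket: dict, expected: str) -> bytes:
    """Return the blob only if its content hashes to the digest requested."""
    data = bucket.get(blob_key(expected))
    if data is None:
        raise KeyError(expected)          # withheld or deleted: the DoS case
    if sha256_hex(data) != expected:
        raise DigestMismatch(expected)    # overwritten in place: detected
    return data


def pull(bucket: dict, manifest_digest: str) -> list[bytes]:
    """Pull by digest: every byte returned was verified against its address."""
    manifest = json.loads(fetch_verified(bucket, manifest_digest))
    return [fetch_verified(bucket, d) for d in manifest["layers"]]


def scenario() -> dict:
    """Three moves by an attacker holding write access; constructed data."""
    bucket: dict = {}
    layer0, layer1 = b"layer-0 (constructed)", b"layer-1 (constructed)"
    good_digest = publish(bucket, "v1.0", [layer0, layer1])
    out = {}

    # 1. Overwrite a layer in place: the digest no longer matches the key.
    bucket[blob_key(sha256_hex(layer0))] = b"backdoored layer-0"
    try:
        pull(bucket, good_digest)
        out["overwrite"] = "accepted"
    except DigestMismatch:
        out["overwrite"] = "rejected"

    # 2. Delete the layer: nothing to verify, the image is simply unavailable.
    del bucket[blob_key(sha256_hex(layer0))]
    try:
        pull(bucket, good_digest)
        out["delete"] = "served"
    except KeyError:
        out["delete"] = "unavailable"

    # 3. Repoint the tag at self-consistent attacker content: every digest
    # checks out, so a client that resolves tags needs a signature check.
    publish(bucket, "v1.0", [b"evil layer (constructed)"])
    resolved = bucket["tags/v1.0"].decode()
    pull(bucket, resolved)
    out["tag_repoint"] = "undetected" if resolved != good_digest else "unchanged"
    return out


if __name__ == "__main__":
    print(scenario())
```

The first two moves show the bucket-level risk discussed in the meeting: an overwrite is caught by the digest check, and a deletion is the DoS case the check cannot help with, which is what versioning is for. The third move is the caveat: anything resolved through a mutable name (a tag) is outside the content-addressed guarantee, which is the gap image signatures close.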
/assign @jaypipes @BobyMCbobs /cc @sftim Converted draft into issue
https://kubernetes.slack.com/archives/CCK68P2Q2/p1650579215464579
On the AWS side, I'm willing to try to make time to do security review for the infrastructure. I'm also happy to coach or support someone who wants to do that security review but isn't comfortable taking that responsibility on solo.
Would anyone like to do a security review, and would also like some help?
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle stale
- Mark this issue or PR as rotten with /lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
Buckets are created and ready. This issue needs attention soon.
/sig k8s-infra /area infra /priority important-longterm /milestone v1.26
/lifecycle stale
/remove-lifecycle stale
/unassign @BobyMCbobs @jaypipes
/milestone v1.27
/lifecycle stale
/remove-lifecycle stale
/lifecycle stale
/remove-lifecycle stale
/lifecycle stale
/lifecycle rotten