[Security Pals] Flux multi-tenancy proposal

[pjbgf]

Project Name: Flux

Github URL: https://github.com/fluxcd
Key sub-projects:

• https://github.com/fluxcd/flux2
• https://github.com/fluxcd/source-controller
• https://github.com/fluxcd/helm-controller
• https://github.com/fluxcd/kustomize-controller
• https://github.com/fluxcd/notification-controller
• https://github.com/fluxcd/image-automation-controller
• https://github.com/fluxcd/image-reflector-controller
• https://github.com/fluxcd/pkg
• https://github.com/fluxcd/flagger

CNCF project stage and issue (NA if not applicable): in-flight proposal for Graduation

• Sandbox Proposal: Flux sandbox proposal toc#232
• Incubation Proposal: Add proposal for Flux moving to incubation toc#567
• Graduation Proposal (in-flight): Propose Flux for Graduation toc#796

Security Provider: No

• Identify team
  • Project security lead - @pjbgf
  • Lead security reviewer
  • 1 or more additional reviewer(s)
  • Every reviewer has read security reviewer guidelines and stated declaration of conflict
  • Sign off by 2 chairs on reviewer conflicts
• Create slack channel (e.g. #sec-assess-projectname)
• Project lead provides draft document - see outline
• "Naive question phase" Lead Security Reviewer asks clarifying questions
• Assign issue to security reviewers
• Initial review
• Presentation & discussion
• Share draft findings with project
• Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
• CNCF TOC presentation (if requested by TOC)

Self-assessment:
Multi-tenancy: https://docs.google.com/document/d/1SluYVDuq-egSTurcnrVRMJw6ecSV65Qtgi10T4WHyYs/edit#
Flagger: https://docs.google.com/document/d/1bdsWHT1L403ss1meMF6zR1G4hUy2qLtIi8I-IMKEMmM/edit

Context:

Flux had its first security audit in November 2021. Multi-tenancy was mostly out of scope, however the report advised us to engage "with experts, such as the CNCF Security Technical Advisory Group, on both the design of the underlying user system and also on the implementation of the security model."

Therefore this assessent scope will focus on the current and proposed changes of Flux in multi-tenancy environments.

---

EDIT: Added flagger details and self-assessment.

[lumjjb]

@IAXES

[lumjjb]

TODO: @cncf/tag-security need to discuss with TOC @TheFoxAtWork @justincormack on next steps.

[lumjjb]

Notes from our meeting to discuss next steps:

• [@pjbgf/Hidde] Will be helpful to have a matrix of resource vs deployment model matrix (table visualization of threat model)
• [@pjbgf/Hidde] Create a presentation issue with what dates work and we will schedule a time to present multi-tenancy, to find someone to try and help more closely with this.
• [@achetal01 ] is going to dive a bit more on it and comment on the proposal
• [@lumjjb] Will communicate with the TOC on planned next steps

• Flux will add an additional matrix to help better interpret the threat model against the various types of deployment models available
• Flux multi-tenancy proposal will be presented at TAG to drive the security pals process.
• k8s multi-tenancy WG will release some definitions around soft/hard multitenancy. In the future, flux will write something up around the Flux deployment model compared with the WG definitions.

[TheFoxAtWork]

Requested access to the multi tenancy doc

[pjbgf]

Following-up from our meeting back in May, I have updated the Self-Assessment documents with further information about Multi-Tenancy models (inc. an initial thread model) and the Flux Security Best Practices (for users).

We have also submitted an issue to present Multi-tenancy. Please let us know whether anything else is required ahead of the presentation.

[stale]

This issue has been automatically marked as inactive because it has not had recent activity.

[pjbgf]

I was away for a couple of weeks and just got back now. Is there anything that the Flux team can do to help on progressing this issue?