
Kyverno security self assessment #852

Merged: 23 commits, Mar 25, 2022

Conversation

JimBugwadia
Contributor

cc: @jlk

JimBugwadia and others added 10 commits June 2, 2021 23:16
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
@JimBugwadia
Contributor Author

@lumjjb
Contributor

lumjjb commented Feb 5, 2022

This is awesome! We'll do a short "clarifying questions" phase review on this just to clarify on some points (if needed) and we can merge it in!

Part of this phase is to do the following:

  • Verify completeness
  • Ask for clarifications
  • Ensure terms are defined
  • Ensure concepts introduced are explained with context
  • Provide quick feedback

@lumjjb lumjjb self-assigned this Feb 5, 2022
@lumjjb lumjjb added this to the STAG Rep: @lumjjb milestone Feb 5, 2022
@fkautz
Contributor

fkautz commented Feb 7, 2022

Please include me

@dutchshark
Contributor

dutchshark commented Feb 8, 2022

interested in helping out.

After a chat with Brandon on this PR - I've read up on https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md - I'm missing some elements in this one:
Languages which I would address as Go and the SBOM shouldn't this match up with https://kyverno.io/docs/installation/ and the Compatibility Matrix?

@dutchshark
Contributor

For discussion tonight with @lumjjb:
kyverno/kyverno#2950 (comment) as this would mean a vulnerability in their used logger (which should be part of the SBOM) exists; two CVEs are hit.

@dutchshark
Contributor

Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO

Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO

@JimBugwadia
Contributor Author

Thanks @dutchshark!

I've read up on https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md - I'm missing some elements in this one

Are there other sections or information you recommend we add to the self-assessment?

Languages which I would address as Go and the SBOM shouldn't this match up with https://kyverno.io/docs/installation/ and the Compatibility Matrix?

Kyverno uses Golang but is delivered as a container image and manifests. The available installation options are via a Helm chart or YAMLs.

The Security page provides a link to the SBOM. We can reference it in the installation as well.

@dutchshark
Contributor

dutchshark commented Feb 10, 2022

You're welcome @JimBugwadia - I'm only here to help;

Are there other sections or information you recommend we add to the self-assessment?

I think the initial self-assessment is providing that what tag-security needs and the more details provided the better. Hence my comments around the adding of the SBOM to your self-assessment.

The Security page provides a link to the SBOM.

If you could put it on your self-assessment that would be great.

@lumjjb lumjjb added the assessment project security assessments (one issue per project) label Feb 16, 2022

@lumjjb lumjjb left a comment


lgtm, added wesley as another reviewer

assessments/projects/kyverno/self-assessment.md (review comment, resolved)
Co-authored-by: Brandon Lum <lumjjb@gmail.com>
@lumjjb lumjjb merged commit 885f091 into cncf:main Mar 25, 2022
Michael-Susu12138 pushed a commit to Michael-Susu12138/tag-security that referenced this pull request Dec 12, 2023

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* updates for self-assessment

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* address comments from John

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix sp

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix double @

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* cspell disable names

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Add SBOM and metadata in self-assessment

Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com>

* Update SBOM fetching link

Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com>

* Update assessments/projects/kyverno/self-assessment.md

Co-authored-by: Shuting Zhao <shutting06@gmail.com>
Co-authored-by: Shubham Gupta <shubham.gupta2956@gmail.com>
Co-authored-by: Brandon Lum <lumjjb@gmail.com>