Add security@etcd.io group #6542

Merged on Jun 4, 2024 (2 commits)


ahrtr
Member

@ahrtr ahrtr commented Mar 7, 2024

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/access Define who has access to what via IAM bindings, role bindings, policy, etc. labels Mar 7, 2024
@k8s-ci-robot k8s-ci-robot added area/groups Google Groups management, code in groups/ sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 7, 2024
Contributor

@MadhavJivrajani MadhavJivrajani left a comment

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 7, 2024
@MadhavJivrajani
Contributor

/assign @cblecker @nikhita

@upodroid
Member

upodroid commented Mar 7, 2024

I have a better idea, why don't we add the etcd.io domain to the kubernetes.io Workspace as an alias domain and then recreate the same mailing list?

@ahrtr
Member Author

ahrtr commented Mar 7, 2024

> I have a better idea, why don't we add the etcd.io domain to the kubernetes.io Workspace as an alias domain and then recreate the same mailing list?

Sounds like a good idea, so we can continue to use security@etcd.io? cc @jmhbnz @serathius @spzala @wenjiaswe

Will it have any impact on https://etcd.io/?

@upodroid
Member

upodroid commented Mar 7, 2024

No, there is a separate issue to recreate the etcd.io DNS zone in a Google Cloud DNS project that the community owns similar to https://github.com/kubernetes/k8s.io/tree/main/dns.

@ahrtr
Member Author

ahrtr commented Mar 7, 2024

Thanks for the feedback. Let's see others' feedback on we add the etcd.io domain to the kubernetes.io Workspace as an alias domain and then recreate the same mailing list.

Could you provide a detailed guide on how to do it? Or can we add a task in #6102?

@upodroid
Member

upodroid commented Mar 7, 2024

  1. Send the complete DNS zone for etcd.io to sig-k8s-infra via Slack
  2. We'll recreate the zone in GCP with zero modifications and give you a set of NS records to configure with your domain provider. I'm assuming the domain is owned by CNCF/LF. If not, I would probably fix that as well.
  3. Unlink etcd.io from the current Google Workspace subscription
  4. Someone from @kubernetes/steering-committee needs to add the domain to the kubernetes.io Google Workspace. They will receive a set of DNS records to verify ownership.
  5. We'll add the DNS records for verification and the domain is now available for use.
  6. Update this PR to use the previous email
  7. Merge this PR.

@spzala
Member

spzala commented Mar 7, 2024

> Thanks for the feedback. Let's see others' feedback on we add the etcd.io domain to the kubernetes.io Workspace as an alias domain and then recreate the same mailing list.
>
> Could you provide a detailed guide on how to do it? Or can we add a task in #6102?

Thanks @ahrtr @upodroid Also CC'ing @mrbobbytables @BenTheElder for their thoughts, thanks!

@mrbobbytables
Member

I think it's a good move, there's been a separate thread on what to do with the etcd Google Workspace so this would wrap everything up nicely.

/cc

@spzala
Member

spzala commented Mar 7, 2024

> I think it's a good move, there's been a separate thread on what to do with the etcd Google Workspace so this would wrap everything up nicely.
>
> /cc

Sounds good, thanks so much @mrbobbytables !! @ahrtr thanks for driving this, I am looking at the next steps in this direction.

Member

@spzala spzala left a comment

WIP - we will update the PR after working on the suggestions provided by @upodroid Thanks!

@cblecker
Member

cblecker commented Mar 7, 2024

Another thing to consider: has sig-etcd spoken with the Kubernetes SRC about this? Now that etcd is a part of the Kubernetes project, I would expect that vulnerability reporting would flow through them now (it wasn't specifically called out in the charter as something that sig-etcd would do differently).

/hold
(adding as the consensus is this PR as is, isn't ready to merge)

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 7, 2024
@wenjiaswe

@cblecker I don't know, probably not? Would you please kindly share the point of contact of k8s SRC please?

@BenTheElder
Member

@spzala
Member

spzala commented Mar 13, 2024

As etcd is used as stand-alone, we want to make sure users of etcd don't feel restricted to using it with only k8s. If we can use the security@etcd.io alias, then using the k8s SRC should be good, IMHO. This will keep things simpler from any maintenance perspective and will keep the SRC aware of any etcd security issues. However, that means we may want etcd maintainer representation in the SRC, or the SRC can simply forward issues to the maintainers group (I guess either should work). I can reach out to the SRC if using the SRC sounds good to you @ahrtr @wenjiaswe @serathius @jmhbnz cc @cblecker @BenTheElder Thanks!

@idvoretskyi
Member

A quick check here on a current state of things, @cblecker :)

@BenTheElder
Member

What happened with this? Please let us know in #sig-k8s-infra at slack.k8s.io if there's anything blocked on us.

@jmhbnz
Member

jmhbnz commented May 23, 2024

> What happened with this? Please let us know in #sig-k8s-infra at slack.k8s.io if there's anything blocked on us.

Hey Team - @upodroid and I met a couple weeks ago to continue stepping through the migration of gcp projects. We got stuck on permissions and needed to reach out to the Linux Foundation listed org admin for the etcd-development gcp project.

I did that on Kubernetes slack but checking back we haven't had a reply so I have just followed up with an email.

@jmhbnz
Member

jmhbnz commented Jun 3, 2024

Update: After a call today with @upodroid and Shah Ahmadzai from the Linux Foundation 2/3 etcd GCP projects have now been migrated to the Kubernetes org and I believe billing account has also now been updated.

The one remaining project etcd-development we still have a credentials/permissions issue with and are continuing to work with the Linux Foundation on.

@upodroid
Member

upodroid commented Jun 3, 2024

Also, we got access to the etcd.io Google Workspace and are currently working on delinking the domain from there and attaching it to the kubernetes.io Google Workspace.

@upodroid upodroid changed the title from "Add etcd-security@kubernetes.io group" to "Add security@etcd.io group" Jun 4, 2024
Member

@upodroid upodroid left a comment

The domain has now been migrated. Please apply my suggestions to merge the PR.

groups/sig-etcd/groups.yaml (resolved)
groups/sig-etcd/groups.yaml (outdated, resolved)
groups/restrictions.yaml (outdated, resolved)
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 4, 2024
@ahrtr
Member Author

ahrtr commented Jun 4, 2024

Resolve all comments, thanks all for the help!

Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 4, 2024
@ahrtr
Member Author

ahrtr commented Jun 4, 2024

Note the test case TestGroupConventions requires,

  • the group name and email match. The mail ID is security@etcd.io, but the name "security" has already been used by security@kubernetes.io, so I use the name "etcd-security"
  • the email must have suffix "@kubernetes.io". I updated the test case.

expectedEmailId := g.Name + "@kubernetes.io"
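
A sketch of a group-convention check that accepts a second mail domain, added here as an example; it is not the k8s.io repository's actual `TestGroupConventions`. The `Group` fields, the `aliasPrefix` map and the rule that an alias-domain group must be named prefix + local part are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Group carries only the two fields the convention check looks at.
type Group struct {
	Name    string
	EmailId string
}

// Assumed policy: on the primary domain Name == local part; on an alias
// domain Name == prefix + local part, so names stay unique across domains.
const primaryDomain = "kubernetes.io"
var aliasPrefix = map[string]string{"etcd.io": "etcd-"}

// checkGroupConventions returns one message per violation found.
func checkGroupConventions(groups []Group) []string {
	var errs []string
	names, emails := map[string]bool{}, map[string]bool{}
	for _, g := range groups {
		email := strings.ToLower(g.EmailId)
		local, domain, ok := strings.Cut(email, "@")
		if !ok || local == "" {
			errs = append(errs, fmt.Sprintf("%s: malformed email %q", g.Name, g.EmailId))
			continue
		}
		if names[g.Name] || emails[email] {
			errs = append(errs, fmt.Sprintf("%s: duplicate name or email", g.Name))
		}
		names[g.Name], emails[email] = true, true
		switch prefix, isAlias := aliasPrefix[domain]; {
		case domain == primaryDomain && g.Name != local:
			errs = append(errs, fmt.Sprintf("%s: name must equal %q", g.Name, local))
		case isAlias && g.Name != prefix+local:
			errs = append(errs, fmt.Sprintf("%s: name must equal %q", g.Name, prefix+local))
		case domain != primaryDomain && !isAlias:
			errs = append(errs, fmt.Sprintf("%s: domain %q not allowed", g.Name, domain))
		}
	}
	return errs
}

func main() {
	fmt.Println(checkGroupConventions([]Group{{Name: "etcd-security", EmailId: "security@etcd.io"}}))
}
```

The domain allow-list is the part that matters for a security contact address: a group whose email sits on any domain outside the list is rejected rather than silently accepted.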

Signed-off-by: Benjamin Wang <benjamin.ahrtr@gmail.com>
Member

@upodroid upodroid left a comment

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 4, 2024
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 4, 2024
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ahrtr, MadhavJivrajani, upodroid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 4, 2024
@k8s-ci-robot k8s-ci-robot merged commit cb91252 into kubernetes:main Jun 4, 2024
4 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.31 milestone Jun 4, 2024
@spzala
Member

spzala commented Jun 4, 2024

> Resolve all comments, thanks all for the help!

+1 Thank you so much @ahrtr @cblecker and everyone!!!

@spzala
Member

spzala commented Jun 4, 2024

@upodroid received the test email :) Thank you so much!

@ahrtr ahrtr deleted the add_etcd_group_20240303 branch August 5, 2024 16:50
Successfully merging this pull request may close these issues.

Create etcd-security@kubernetes.io group