Kubernetes Third-Party Security Audit for 2025 (tracking issue)

[reylejano]

Tracking issue for the Kubernetes third-party security audit for 2025:

• Define audit scope and provide to the Open Source Technology Improvement Fund (OSTIF)
• OSTIF Creates RFP
  • SIG Security Third-Party Audit subproject reviews RFP
• Vendor assessment
• Release vendor selection
• Create private Slack channel for vendor and subproject
• Vendor conducts audit
  • Coordinate SME as contacts for vendor
• Send findings to SRC
• Findings review with SIG Security
• Publish findings

/sig security

[k8s-ci-robot]

@reylejano: The label(s) /label external-audit cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

Tracking issue for the Kubernetes third-party security audit for 2023-2024:

• Create RFP
• Audit scope
• Finalize dates: RFP opening and closing dates, question period, vendor selection
• Complete question period and publish questions & replies to RFP
• Vendor assessment
• Assemble vendor assessment group
• Create private Google group
• Release vendor selection
• Coordinate SME as contacts for vendor
• Vendor conducts audit
• Send findings to SRC
• Findings review with SIG Security
• Publish findings

/sig security
/label external-audit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ritazh]

xref: #105 add windows to scope

[sunstonesecure-robert]

also include the new threat model refresh @raesene

[sftim]

Aside: how about adding /area audit (label and associated Prow command)?

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.