SovereignCloudStack / standards

SCS standards in a machine readable format
https://scs.community/
Creative Commons Attribution Share Alike 4.0 International

Define a Standard for the security of the KaaS Layer #792

Open josephineSei opened 3 weeks ago

josephineSei commented 3 weeks ago

In https://github.com/SovereignCloudStack/standards/issues/749 we are standardizing the security of the software of the IaaS Layer.

But integrating security patches and updates is not solely done on one layer; it needs to be accomplished by CSPs on all layers.

This issue should investigate which measures should be taken on the KaaS layer to prevent and deal with security issues. It should include how CSPs could get information about potential security issues. How fast should they respond according to the severity? (See the C5 criteria catalog with timeframes for responses on page 75.)

## Definition of Done:

Please refer to scs-0001-v1 for details.

mbuechse commented 3 weeks ago

I may be wrong, but I think we have that already. We have a version policy, cluster hardening, and possibly more.

josephineSei commented 2 weeks ago

I read the version policy standard. It includes how to deal with patches and CVEs, but the time frame required there is vague. It just says "Must provide latest patch version no later than a week after release" and "Should be faster for critical CVEs (CVSS >= 8)". Maybe it would be good to align this timeframe for security patches over all layers.