cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://cncf.io/projects

[Presentation] cert-manager Graduation Overview #1254

Closed SgtCoDFish closed 2 weeks ago

SgtCoDFish commented 1 month ago

Title: cert-manager Graduation Overview

Speakers:

Other attendees from the cert-manager project:

Description: An overview of what cert-manager is and does, mostly with the aim of facilitating connections, questions and input from tag-security. Related to (and required by) cert-manager's Graduation Application.

Time: 10 mins, with extra time after for questions if required.

Availability: European timezones preferred!

Checklist:

sublimino commented 1 month ago

Hi @SgtCoDFish, sounds great!

EMEA meetings are currently free for the next few weeks, please choose a time in the meeting document.

As part of the graduation in https://github.com/cncf/toc/issues/1306 we can support you in the Document Security Self-Assessment phase, and walk through a self-assessment doc based on this template and this process.

The cert-manager incubation due diligence document from a couple of years ago might be useful as a baseline to support the graduation documents too. Any questions please ask, we're here to help 🙏

SgtCoDFish commented 1 month ago

Thanks very much for the quick reply 😁

I've put us in for 2024-05-22 and we'll prepare for then!

> As part of the graduation in https://github.com/cncf/toc/issues/1306 we can support you in the Document Security Self-Assessment phase, and walk through a self-assessment doc based on this template and this process.

That sounds great, thank you for pointing to that because I'd been meaning to investigate it! I guess there's nothing stopping us getting started with the self-assessment now (before the 22nd), right?

sublimino commented 1 month ago

> That sounds great, thank you for pointing to that because I'd been meaning to investigate it! I guess there's nothing stopping us getting started with the self-assessment now (before the 22nd), right?

Absolutely! And if you share the doc link for public comment we can support async before the 22nd too 🙏

maelvls commented 1 month ago

Hey, here is the self-assessment doc: https://hackmd.io/_e-m6hnzRzqsosUv3aG60A?view. I'm struggling and need help with the subsections "Actors" and "Actions". Are the actors the same as in the security audit report: cert-manager contributors, untrusted users outside of cluster, limited privilege cluster users, cert-manager maintainers, third-party contributors, third-party maintainers? Let me know if you are available on the Kubernetes Slack.

mrcdb commented 1 month ago

Hi @maelvls, thanks for sharing the self-assessment doc.

The self-assessment guide describes actors as "the individual parts of your system that interact to provide the desired functionality", so I would consider them as the different components of cert-manager rather than the threat actors. Actions then should delineate which interactions exist between the actors.

I am available on the CNCF Slack.

SgtCoDFish commented 1 month ago

Thanks for having us on the EMEA meeting today!

I'm taking away the following actions:

  1. Move from HackMD to a Google Doc for the self-assessment
  2. Ask for feedback on the completed self-assessment Google Doc

I'll comment on this issue when I've done those. I'll also update the graduation application to reflect the meeting and self-assessment!

SgtCoDFish commented 1 month ago

Here's the Google Doc for our self-assessment - the above HackMD can now be ignored!

https://docs.google.com/document/d/1Sl1SqYbPSbBMoZroBU8M1dMw5DN-uUgoR1KLHoo5tr0/edit?usp=sharing

Anyone should be able to comment on it - any problems, let me know!

mrcdb commented 1 month ago

> Here's the Google Doc for our self-assessment - the above HackMD can now be ignored!
>
> https://docs.google.com/document/d/1Sl1SqYbPSbBMoZroBU8M1dMw5DN-uUgoR1KLHoo5tr0/edit?usp=sharing
>
> Anyone should be able to comment on it - any problems, let me know!

Thanks for the quick update, I appreciate the effort! This makes it easy for interested TAG volunteers to provide feedback directly to the maintainers. I will have a look at the document myself in the next couple of days and hopefully provide any input or ask for clarifications.

mrcdb commented 1 month ago

@SgtCoDFish thanks for the feedback on the self-assessment doc, I'm done with my review :)

Once you are happy with the revised document, please feel free to raise a PR to this repository to include the self-assessment doc in Markdown format to the /assessments/projects/ folder as described in the guide.

SgtCoDFish commented 1 month ago

Thanks very much! I'll try to raise a PR soon 👍

SgtCoDFish commented 3 weeks ago

I raised the PR here: https://github.com/cncf/tag-security/pull/1269

Sorry it took a while, it's been a busy time!

SgtCoDFish commented 2 weeks ago

The self-assessment is now merged so I think this issue is completed. Thanks to everyone involved! 🚀