[Presentation] Kyverno Status Overview

[realshuting]

Title: Kyverno Status Overview

Speakers: @realshuting, @JimBugwadia

Description: Give an update about Kyverno since its incubation two years ago, talk about the latest architecture and use cases. Related to Kyverno's Graduation Application, previous self-assessment.

Time: How long will the presentation take? (10 minutes)

Availability: August 21st 10 AM PT, August 28th 10 AM PT

TO DO

• [ ] TAG Representative
• [ ] Schedule date
• [ ] By opening this issue, I, (@realshuting / Shuting Zhao) acknowledge that the presentation topic and speaker will follow the presentation guidelines
• [ ] If this is a presentation for a project moving levels, the TAG Representative should complete the Moving Levels Recommendation

[matthewflannery]

Following..

[eddie-knight]

Hi @realshuting! It seems this slipped through the cracks, I apologize for the delay responding!

Would you like to present on September 11 at 10PT?

[realshuting]

Hi @realshuting! It seems this slipped through the cracks, I apologize for the delay responding!

Would you like to present on September 11 at 10PT?

Sounds great, I look forward to the presentation!

[mnm678]

Template for TAG recommendation to TOC

Project Overview

Ecosystem Adoption

What ecosystem adoption has the project seen?

Great ecosystem adotion:

• 5,000 Github stars
• 3,000 slack members
• 450 contributors
• 3.1B downloads

Past TOC Reviews

How has the project addressed comments from previous reviews (incubation if graduation, sandbox if incubating, etc)?

The project has clarified how it differentiates from other security projects in the space, has developed and maintained a roadmap, and has clarified their governance.

Security Reviews

TAG Security Assessments

Has the project completed a TAG Security Self-Assessment and/or Joint Assessment? If yes, please add a link and discuss how this has impacted their security posture.

Yes, Kyverno has a self assessment through security pals

Security Audit

Has the project completed an external security audit? If yes, how have they addressed the findings?

Kyverno has had a third party audit and fuzzing found a few issues which were addressed: https://main.kyverno.io/blog/2023/11/28/kyverno-completes-third-party-security-

Best Practices

Metrics

Which security best practices does the project follow (for example CNCF best practices badge, OpenSSF Best Practices, CLO monitor), and how does it rate by these metrics?

Kyverno has strong compliance with several best practices:

• SLSA 3 compliant
• passing OpenSSF best practices
• scorecard 8.3: active work to improve this

Sub-project Considerations

If the project has sub-projects, how does their security posture compare to the base project?

N/A

TAG Recommendation to the TOC

Kyverno has seen strong adoption and attention to security best practices. They have created a detailed threat model for the project and achieved an impressive SLSA 3 compliance. Based on this, we recommend the project for graduation.

Without blocking graduation, we recommend the project pursues a TAG Security joint assessment.