cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

[Proposal] Policy Team charter and mission review #607

Closed rficcaglia closed 1 year ago

rficcaglia commented 3 years ago

Description:

The Policy WG was merged into the SAFE WG which then became sig-security.

EDIT: See below from @ultrasaurus (summarized here)

Before SAFE WG was formed...several folks involved in Kubernetes Policy SIG were interested in forming a CNCF Policy WG. Given the overlap of concerns, SAFE WG agreed to merge efforts and submit a unified proposal for a CNCF WG.

See PR #65

Separate Policy WG team meetings and projects continued on, which SHOULD have been under the sig-security governance, but in fact were de facto governed under the Kubernetes Policy WG agenda.

Note - all this happened before the documented CNCF WG proposal process was well understood and well grooved, see:

https://github.com/cncf/toc/blob/main/workinggroups/README.md#process

Aside: For an example of the process in action this looks like a good example of another WG:

https://github.com/cncf/toc/issues/584

Presumably since the CNCF WG process didn't yet exist, Kubernetes Policy WG had from the beginning a separate Kubernetes TOC PR:

https://github.com/kubernetes/community/pull/1692

Thus there is in the Kubernetes git repo a Kubernetes Policy WG (under sig-auth) and in CNCF sig-security a CNCF Policy Team.

So I propose - that the CNCF SIG-security define a charter/mission for a CNCF Policy WG, define whether that would be homed here in CNCF sig-security or standalone, and follow the (now defined) CNCF process.

EDIT: Given @ultrasaurus's extra history I have modified this a bit:

So I propose to clarify the situation as follows:

Impact: Describe the impact of the problem. Who will this help? How will it help them?

There has been confusion on the CNCF SIG-Security meetings about the scope and mission of the Policy WG Team. Meanwhile there has been a lot of good momentum in the Kubernetes Policy WG creating concrete deliverables and growing the number of participants and derivative projects:

all these things are currently very Kubernetes specific.

The CNCF SIG-security members have expressed both interest in the Policy area, and concern that the Policy Team goals need to be broader than just Kubernetes.

By (re)defining the Policy WG Team, formally as defined in the CNCF TOC process, and gathering support from the TOC and SIG-Security and the community, and merging some form of #268 we can both clarify the scope and mission, and clarify the relationship (if any) with the now current de-facto Kubernetes Policy WG and its code and other outputs.

Anti-Goals

Arresting or impeding progress on the CRD or Policy Whitepaper which should continue to serve the interested Kubernetes community is an anti-goal. If CNCF TOC decides a Policy WG is a good thing, either standalone or as a SIG-security project, then we should engage with the Kubernetes-focused community members and sub-projects and discuss how we can support their efforts and increase their velocity (while also doing things beyond Kubernetes).

Jumping to solutions without defining the problem space is an anti-goal. EDIT: too vague and hand wavy upon reflection

Scope: How much effort will this take?

Not yet determined - depends on scope and TOC guidance.

TO DO

rficcaglia commented 3 years ago

@achetal01 @danpopSD @ultrasaurus @pragashj might have either more historical context to add - or forward looking comments to add! thank you in advance!

ultrasaurus commented 3 years ago

Thanks for writing up this issue and capturing some of the history!

Some historical context...

Before SAFE WG was formed, CNCF formalized WG process https://github.com/cncf/toc/pull/106 and some SAFE WG members joined with intention of becoming CNCF Security WG (others found the activities useful regardless of affiliation). In parallel several folks involved in Kubernetes Policy SIG were interested in forming a CNCF Policy WG with broader charter. Given the overlap of concerns, SAFE WG agreed to merge efforts and submit a unified proposal for a CNCF WG -- the process was stalled for some time as CNCF TOC decided to change WG process, which led to creation of SIGs.

Would be good to update description -- @rficcaglia feel free if you have time before I get to it.

ultrasaurus commented 3 years ago

A small step toward explaining the governance / charter of what we called the Policy Team (to avoid using the WG name, which at the time was confusing, and maybe still is, not sure) https://github.com/cncf/sig-security/pull/268 -- ideally that PR would be reviewed by people active in Policy team meetings and evaluate what makes sense.

I always wondered if it was really sustainable to have K8s Policy SIG be the same group as the people concerned with broader cloud native policy (e.g. would it be welcoming to non-Kubernetes folk? what if there are folk who want to focus on K8s and not on other cloud native solutions?) At the time of that PR, I thought better to document current process than to hang things up on theoretical / potential future issues.

rficcaglia commented 3 years ago

always wondered if it was really sustainable to have K8s Policy SIG be the same group as the people concerned with broader cloud native policy

My $.02 being one of those people :) It is possible - I hope I have done this - but it absolutely requires OTHER people who bring a strong voice from each perspective. I think it is good to have a link and liaison who can cross pollinate and build collaboration (I have tried to fill that role, for example adding some k8s specific ideas into the CNCF map project and CNCF cloud whitepaper). But I think it is indispensable to have strong SMEs who bring a more opinionated position. For example Anca, Jaya and Jim and others from RedHat and IBM have been a collective code and specification dynamo for the k8s policy-wg and our CRD and whitepaper. Meanwhile Dan and Aradhna and Kapil and others have been looking at the big picture at the CNCF level and trying to articulate policy needs more broadly.

(e.g. would it be welcoming to non-Kubernetes folk? what if there are folk who want to focus on K8s and not on other cloud native solutions?)

I think welcoming is something like the CNCF inclusivity topic - yes - I think we can and have been inclusive bi-directionally. If anyone feels otherwise, please let me or the sig chairs know ASAP! As to whether the attendees would be interested in both, again I think that depends on their personal interests and "day jobs" so to speak. I can attest that several members of the k8s policy-wg seem to be very k8s security policy as code focused - and even in that domain, the narrower configuration sense of policy, not governance or compliance or other policy concerns. I am sure many attendees coming from the broader CNCF side are less interested in PSPs or rego rules and more interested in governance or risk management or threat management, etc.

That's why I think the current reality is actually a good representation of what the community wants - I know that's a bit of a tautology ;) Those who want to focus narrowly on k8s policy gravitate to the Wed 8am calls. Those who are more interested in broader policy topics gravitate to the wed 10am calls (or the Asia sig calls) and those (like me) who want to be involved in both, attend both!

So I think we can have our cake and define policy as code for it too :P

rficcaglia commented 3 years ago

@ultrasaurus just an aside - I think probably "policy" is the wrong term anyway. I think there might be a benefit to having a "GRC" sig separate from sig-security. security is often completely unrelated to compliance and vice versa, e.g.:

In the commercial space I think you see this rarefied. No one is selling "policy" per se - they are selling GRC tools or "cloud posture" tools, or "unified management", or compliance automation, or SOAR, or DevSecOps, or threat management, etc.

stale[bot] commented 3 years ago

This issue has been automatically marked as inactive because it has not had recent activity.

TheFoxAtWork commented 3 years ago

https://github.com/cncf/tag-security/tree/main/governance/related-groups needs update to list @achetal01 in addition to @rficcaglia

TheFoxAtWork commented 3 years ago

@rficcaglia @achetal01 would you provide an updated issue description so that we can get this added to the related groups and close the issue?

stale[bot] commented 2 years ago

This issue has been automatically marked as inactive because it has not had recent activity.

anvega commented 1 year ago

It has been a few years since there has been activity on this issue. It's unclear from the strikethrough text and edits to the original post if anything outstanding remains to be addressed. If there is a proposal for a GRC WG or SIG, I suggest creating a new proposal for it if it's still an interest or concern. I'll be closing the issue as it has been inactive for so long.