Kubernetes Third-Party Security Audit for 2024 (tracking issue)

[reylejano]

Tracking issue for the Kubernetes third-party security audit for 2024:

• [ ] Define audit scope
• [ ] Create RFP
  • [ ] Finalize dates: RFP opening and closing dates, question period, vendor selection
  • [ ] Complete question period and publish questions & replies to RFP
• [ ] Vendor assessment
  • [ ] Assemble vendor assessment group
  • [ ] Create private Google group
• [ ] Release vendor selection
• [ ] Coordinate SME as contacts for vendor
• [ ] Vendor conducts audit
• [ ] Send findings to SRC
• [ ] Findings review with SIG Security
• [ ] Publish findings

/sig security

[k8s-ci-robot]

@reylejano: The label(s) /label external-audit cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to [this](https://github.com/kubernetes/sig-security/issues/104): >Tracking issue for the Kubernetes third-party security audit for 2023-2024: >- [ ] Create RFP > - [ ] Audit scope > - [ ] Finalize dates: RFP opening and closing dates, question period, vendor selection > - [ ] Complete question period and publish questions & replies to RFP >- [ ] Vendor assessment > - [ ] Assemble vendor assessment group > - [ ] Create private Google group >- [ ] Release vendor selection >- [ ] Coordinate SME as contacts for vendor >- [ ] Vendor conducts audit >- [ ] Send findings to SRC >- [ ] Findings review with SIG Security >- [ ] Publish findings > >/sig security >/label external-audit Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[ritazh]

xref: https://github.com/kubernetes/sig-security/pull/105 add windows to scope

[sunstonesecure-robert]

also include the new threat model refresh @raesene

[sftim]

Aside: how about adding /area audit (label and associated Prow command)?

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten