kubernetes / website

Kubernetes website and documentation repo:
https://kubernetes.io
Creative Commons Attribution 4.0 International

Improve the Security Overview #43228

Open shannonxtreme opened 11 months ago

shannonxtreme commented 11 months ago

Umbrella issue: #25119
Blocked by: #43176
Collaborators: @tengqm @shannonxtreme @sftim @kubernetes/sig-security

Description

Expand the Kubernetes Security Overview concept page (https://kubernetes.io/docs/concepts/security/) to provide a use-case based, prescriptive guide that various personas can use to do specific jobs at specific phases of their journey.

#43176 refactors the existing Overview of Cloud-native Security page (https://kubernetes.io/docs/concepts/security/overview/) to closely follow the lifecycle phases from the CNCF security whitepaper. We should expand this page to provide additional guidance within each phase for where a reader can go to learn how to achieve specific goals.

What does that look like?

The final structure is up for discussion, but we should consider including the following information:

  • The shared responsibility model, broken down by persona. In other words, as an application developer, what are the things I need to pay attention to? As a cluster operator, what are the best practices I need to check? As someone who prepares the underlying infrastructure, is there a checklist for me? (thanks @tengqm)
  • A sensible breakdown of sections in the page. Lifecycle phases is good. What about security "layers" (authn/z, encryption, monitoring/logging, workload security, infrastructure security, etc)?
  • Whatever the section breakdown, provide use-case/goal oriented prescriptive guidance for the reader to achieve the goal. For example:
    • Control which workloads can deploy in the cluster
      • Use admission controllers.
        • Basic: Enforce pre-defined policies based on best practices (link to PSA)
        • Intermediate: Enforce custom policies using something like Gatekeeper OPA
        • Advanced: Write your own admission webhook
  • Identify the key pain points for new users and reinforce that they're complicated and attempt to break them down. For example, networking is probably horrible for folks and TLS/certificate management. Secure multi-tenancy is also probably a scary area. Can we get community feedback?

What's next?

  1. Use a Google Doc for discussion (started one here: https://docs.google.com/document/d/1JYe35tUwTYivBdQ5j2g5bp_qP4Pm5OWlaRDAJNTriLA/edit?usp=sharing)

    • Discuss goals and presentation of information
    • Identify pain points and how to address them
    • Identify "core" information to include no matter what
  2. Create a doc plan to plan the work and scope and outline the actual structure
  3. Create a draft doc and solicit reviews from sig-security
  4. PR
  5. ???
  6. Profit!

/sig docs
/sig security
/label priority/important-longterm
/cc @tengqm @sftim
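The issue's "Advanced: Write your own admission webhook" tier is the one place where a reader needs working code rather than a link. The following is an added example, not code from the kubernetes/website repo or from the issue author: the decision logic of a validating webhook that rejects Pods violating two baseline-style rules (privileged containers, host namespace sharing). The `SAMPLE_REVIEW` request is constructed to match the AdmissionReview v1 shape the API server POSTs; TLS serving and the ValidatingWebhookConfiguration object are assumed to exist around it.

```python
"""Validating admission webhook decision logic (added example)."""
import json

# Constructed sample AdmissionReview request (not captured from a cluster),
# shaped like what the API server sends to a validating webhook endpoint.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "namespace": "default",
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "demo"},
            "spec": {
                "hostPID": True,
                "containers": [{"name": "app", "image": "example/app:1.0",
                                "securityContext": {"privileged": True}}],
            },
        },
    },
}


def pod_violations(pod: dict) -> list:
    """Return human-readable rule violations for a Pod; empty means compliant."""
    spec = pod.get("spec", {})
    found = []
    for ns in ("hostPID", "hostNetwork", "hostIPC"):  # host namespace sharing
        if spec.get(ns):
            found.append(f"spec.{ns} must not be true")
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):  # every container kind, not just main ones
            if c.get("securityContext", {}).get("privileged"):
                found.append(f"{field}/{c.get('name')}: privileged is not allowed")
    return found


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response the API server expects back."""
    req = admission_review["request"]
    is_pod = req["kind"]["kind"] == "Pod"
    violations = pod_violations(req["object"]) if is_pod else []
    response = {"uid": req["uid"], "allowed": not violations}  # uid must echo back
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REVIEW), indent=2))
```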

k8s-ci-robot commented 11 months ago

@shannonxtreme: The label(s) /label priority/important-longterm cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to [this](https://github.com/kubernetes/website/issues/43228):

> Umbrella issue: #25119
> Blocked by: #43176
> Collaborators: @tengqm @shannonxtreme @sftim @kubernetes/sig-security
>
> ## Description
>
> Expand the Kubernetes Security Overview concept page (https://kubernetes.io/docs/concepts/security/) to provide a use-case based, prescriptive guide that various personas can use to do specific jobs at specific phases of their journey.
>
> #43176 refactors the existing [Overview of Cloud-native Security](https://kubernetes.io/docs/concepts/security/overview/) page to closely follow the lifecycle phases from the CNCF security whitepaper. We should expand this page to provide additional guidance within each phase for where a reader can go to learn how to achieve specific goals.
>
> ## What does that look like?
>
> The final structure is up for discussion, but we should consider including the following information:
>
> * The shared responsibility model, broken down by persona. In other words, as an application developer, what are the things I need to pay attention to? As a cluster operator, what are the best practices I need to check. As someone who prepares the underlying infrastructure, is there a checklist for me? (thanks @tengqm )
> * A sensible breakdown of sections in the page. Lifecycle phases is good. What about security "layers" (authn/z, encryption, monitoring/logging, workload security, infrastructure security, etc)?
> * Whatever the section breakdown, provide use-case/goal oriented prescriptive guidance for the reader to achieve the goal. For example
>   * Control which workloads can deploy in the cluster
>     * Use admission controllers.
>       * Basic: Enforce pre-defined policies based on best practices (link to PSA)
>       * Intermediate: Enforce custom policies using something like Gatekeeper OPA
>       * Advanced: Write your own admission webhook
> * Identify the key pain points for new users and reinforce that they're complicated and attempt to break them down. For example, networking is probably horrible for folks and TLS/certificate management. Secure multi-tenancy is also probably a scary area. Can we get community feedback?
>
> ## What's next?
>
> 1. Use a Google Doc for discussion (started one here: https://docs.google.com/document/d/1JYe35tUwTYivBdQ5j2g5bp_qP4Pm5OWlaRDAJNTriLA/edit?usp=sharing)
>    * Discuss goals and presentation of information
>    * Identify pain points and how to address them
>    * Identify "core" information to include no matter what
> 2. Create a doc plan to plan the work and scope and outline the actual structure
> 3. Create a draft doc and solicit reviews from sig-security
> 4. PR
> 5. ???
> 6. Profit!
>
> /sig docs
> /sig security
> /label priority/important-longterm
> /cc @tengqm @sftim

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

dipesh-rawat commented 11 months ago

/priority important-longterm

aj11anuj commented 11 months ago

/language en

sftim commented 11 months ago

/triage accepted

sftim commented 11 months ago

/lifecycle frozen

Let's track this 'til it's done, or we explicitly decide to let it rot.

sftim commented 10 months ago

How's this work going?