This document outlines the process for individuals joining or leaving the Kubernetes SRC (Security Response Committee).

For the purpose of example, we will use the placeholder name Jane Doe with the GitHub username `jdoe` and the company name ACME LTD.
- Required file and access grant updates
  - kubernetes/security repository
  - kubernetes/k8s.io repository
  - kubernetes/community repository
  - kubernetes/org repository
- Add/remove from HackerOne
- Add/remove from OpsGenie rotation
- Add/remove SRC Owner permission from Kubernetes Security Mailing Lists
- Discuss Account
- kubernetes-security GitHub org
- Slack
- Calendar
- Google Docs
- Checklist
## Required file and access grant updates

Once the SRC has promoted an individual to full SRC membership, various systems require updating. Likewise, should an SRC member leave the SRC, the reverse is required, with the user removed from each system.

All SRC member discussion and approval must happen on the kubernetes/security repository first. Only once that is approved, by means of the pull request being merged, should pull requests be approved and merged in the kubernetes/community repository, and the user added to the mailing lists and ACLs.
### kubernetes/security repository

#### security/README.md

Add or remove the SRC member's GitHub name in security/README.md in the appropriate list of committee members, placed alphabetically by username. The list entry has the following form:

```markdown
The initial Security Response Committee will consist of volunteers subscribed to the private [Kubernetes Security](https://groups.google.com/a/kubernetes.io/forum/#!forum/security) list. These are the people who have been involved in the initial discussion and volunteered:

- Jane Doe (**[@jdoe](https://github.com/jdoe)**) `<jdoe@acme.com>` [GPG_KEY]
```
If removing an SRC member, move them to the list of emeritus members.
#### security/OWNERS_ALIASES

Add or remove the SRC member's GitHub name in security/OWNERS_ALIASES under the existing `security-response-committee` field, placed alphabetically by username:

```yaml
aliases:
  security-response-committee:
    - jdoe
```
### kubernetes/k8s.io repository

#### groups/committee-security-response/groups.yaml

File: https://github.com/kubernetes/k8s.io/blob/main/groups/committee-security-response/groups.yaml

groups.yaml is the source of truth for membership of the security-response-committee mailing lists. Update the `owners` field for the following lists:

- security@kubernetes.io
- security-discuss-private@kubernetes.io
- distributors-announce@kubernetes.io

Ensure the three lists match.

#### OWNERS_ALIASES

Also update the existing `security-response-committee` alias in the repository's OWNERS_ALIASES file:

```yaml
aliases:
  security-response-committee:
    - jdoe
```
### kubernetes/community repository

#### sigs.yaml

Add or remove the SRC member's GitHub name in community/sigs.yaml under the `leadership` field of the existing `security-response` label entry, placed alphabetically by username:

```yaml
label: security-response
leadership:
  chairs:
    - github: jdoe
      name: Jane Doe
      company: Acme LTD
```

Once the YAML is updated, run `make generate` to regenerate the markdown versions. This regenerates the following files:

- kubernetes/community/OWNERS_ALIASES
- kubernetes/community/security-response-committee/README.md
- kubernetes/community/sig-list.md
#### communication/slack-config/usergroups.yaml

File: https://github.com/kubernetes/community/blob/master/communication/slack-config/usergroups.yaml

Add or remove the SRC member's GitHub name in the `security-response-committee` user group.
### kubernetes/org repository

Add or remove the SRC member's GitHub username in config/kubernetes/org.yaml under the `members` field of the existing `security-response-committee` team. The usernames should be alphabetized:

```yaml
security-response-committee:
  description: Please report security issues to https://kubernetes.io/security
  members:
    - alice
    - bob
    - jdoe
```

Once merged, peribolos will automatically run and update the members of the GitHub group https://github.com/orgs/kubernetes/teams/security-response-committee
## Add/remove from HackerOne

To add or remove members from the Kubernetes HackerOne project, navigate to https://hackerone.com/kubernetes/team_members

Click **Remove** next to a member to remove them.

Click **Invite user** to add a new SRC member. Add them to the Kubernetes Team, Standard and Admin groups.

We also request that new members enable 2-factor auth. Once they've accepted the invitation, you can verify the status in the **2FA** column on the user management page.
## Add/remove from OpsGenie rotation

Once the user account has been created in OpsGenie, they must add a `github=GITHUB_USERNAME` tag to their OpsGenie profile for the tool to work. See the example below.

Rotation URL: https://kubernetes.app.opsgenie.com/settings/schedule/detail/f835cdef-8df9-4ddc-9a39-911cb9e521b5

Click **Edit Rotation** next to "PST Rotation", and add or remove the member from the participants list.
## Add/remove SRC Owner permission from Kubernetes Security Mailing Lists

New SRC members are added to various security lists and upgraded to "owner" (or downgraded to member if they are leaving the SRC).

To add members and assign the "owner" role:

1. Visit the group's URL as a user authenticated as an existing "owner".
2. Select the 'Manage group' or 'Manage Members' link.
3. Within the left side panel, select 'Direct add member'.
4. Enter the new SRC member's email address.
5. Select the 'All members' link, or search for the new member in the search box.
6. Select the new member and change the drop-down role to "Owner" (or "Manager" in the case of kubernetes-announce).

### Existing accounts

The user may already have joined the group / mailing list. If so, steps 1 to 4 can be skipped and you can proceed to change the role of their existing account.

To downgrade existing owners to members:

1. Visit the group's URL as a user authenticated as an existing "owner".
2. Select the 'All members' link, or search for the existing owner in the search box.
3. Select the owner and change the drop-down role to "Member".

| Mailing List | URL |
|---|---|
| Security Discuss | https://groups.google.com/forum/#!forum/kubernetes-security-discuss |
| Security Announce | https://groups.google.com/forum/#!forum/kubernetes-security-announce |
| Kubernetes Announce | https://groups.google.com/forum/#!forum/kubernetes-announce (Manager) |
| Kubernetes Dev | https://groups.google.com/forum/#!forum/kubernetes-dev (Member) |

Note: the @kubernetes.io addresses are now managed through groups.yaml.
## Discuss Account

A verified Discuss account is required.
## kubernetes-security GitHub org

Update the kubernetes-security GitHub org team members for the additions or removals.

Navigate to https://github.com/orgs/kubernetes-security/people, and invite new members or remove existing members. Note that several non-SRC members have access to this org (primarily release managers).

Once a new SRC member has accepted the invite, they should be granted Owner permissions.

For members stepping down, please ensure they are not assigned any issues in the vulnerability trackers:

- https://github.com/kubernetes-security/security-disclosures/issues
- https://github.com/kubernetes-security/security-disclosures-low/issues
## Slack

SRC members must enable Slack 2-factor authentication: https://slack.com/help/articles/204509068-Set-up-two-factor-authentication

New members must be manually added to the private channels on Slack by someone who is already a member of those channels:

- `#SRC-private` for private SRC-only discussion
- `#security-release-team` for private discussions with the security-release-team

Members who are stepping down must leave the channels themselves.

Finally, ask a `#slack-admins` member to add the new SRC member to the list of people who can post in `#announcements`. If a member is stepping down, we must let the admins know to remove the `#announcements` permission.
## Calendar

Update the Google Calendar entries to add or remove the member:

- SRC Monthly (monthly, first Thursday)
- HackerOne sync (every 3 months, second Thursday)

## Google Docs

Update the sharing settings for the following docs:

- "SRC Monthly Agenda & Notes" (owner: timallclair@gmail.com)
- "Kubernetes CNA Tracker" (owner: timallclair@gmail.com) - only for CNA-trained members
## Checklist

The following checklist can be pasted into an onboarding issue to track all the steps that need to be taken:

- [ ] kubernetes/security PR:
  - [ ] README.md
  - [ ] OWNERS_ALIASES
  - [ ] SECURITY_CONTACTS
- [ ] kubernetes/k8s.io PR:
  - [ ] groups/security-response-committee/groups.yaml
    - `security@kubernetes.io`
    - `security-discuss-private@kubernetes.io`
    - `distributors-announce@kubernetes.io`
  - [ ] OWNERS_ALIASES
- [ ] kubernetes/community PR:
  - [ ] sigs.yaml
  - [ ] communication/slack-config/usergroups.yaml
    - [ ] Verify Slack 2-factor auth
  - [ ] `make generate`
- [ ] kubernetes/org PR:
  - [ ] config/kubernetes/org.yaml
- [ ] HackerOne project membership
  - [ ] Verify 2-factor auth
- [ ] OpsGenie rotation
  - [ ] Add new user
  - [ ] Update rotation
- [ ] Mailing lists
  - [ ] [Security Discuss](https://groups.google.com/forum/#!forum/kubernetes-security-discuss) - owner
  - [ ] [Security Announce](https://groups.google.com/forum/#!forum/kubernetes-security-announce) - owner
  - [ ] [Kubernetes Announce](https://groups.google.com/forum/#!forum/kubernetes-announce) - manager
  - [ ] [Kubernetes Dev](https://groups.google.com/forum/#!forum/kubernetes-dev) - member
- [ ] Verify Discuss account
- [ ] github.com/kubernetes-security membership
- [ ] Slack
  - [ ] Verify 2-factor auth
  - [ ] `#SRC-private` membership
  - [ ] `#security-release-team` membership
- [ ] Calendar meetings
- [ ] Google Docs access