Kubernetes Third-Party Security Audit for 2021-22 (tracking issue)

[reylejano]

Tracking issue for the Kubernetes third-party security audit for 2021:

• Create RFP
  • Audit scope
  • Finalize dates: RFP opening and closing dates, question period, vendor selection
  • Complete question period and publish questions & replies to RFP
• Vendor assessment
  • Assemble vendor assessment group
  • Create private Google group
• Release vendor selection
• Publish findings

/sig security
/label external-audit

[k8s-ci-robot]

@reylejano: The label(s) /label external-audit cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda

In response to this:

Tracking issue for the Kubernetes third-party security audit for 2021:

• Create RFP
• Audit scope
• Finalize dates: RFP opening and closing dates, question period, vendor selection
• Complete question period and publish questions & replies to RFP
• Vendor assessment
• Assemble vendor assessment group
• Create private Slack channel
• Create private Google group
• Release vendor selection
• Publish findings

/sig security
/label external-audit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[reylejano]

/assign

[reylejano]

I agree to abide by the guidelines set forth in the Security Release Process, specifically the embargo on CVE communications and have no conflict of interest

[k8s-ci-robot]

@reylejano: The label(s) /label subproject/external-audit cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda

In response to this:

/label subproject/external-audit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jlk]

I agree to abide by the guidelines set forth in the Security Release Process, specifically the embargo on CVE communications and have no conflict of interest

[sunstonesecure-robert]

I agree to abide by the guidelines set forth in the Security Release Process, specifically the embargo on CVE communications and have no conflict of interest - just in the interest of FULL 200% transparency I do often speak with, and employ, various pentesting companies. I have hired previously unrelated to CNCF projects 1 of the vendors, and have spoken to all of them at some point in the past 12 months, but no active or pending business/contracts/conflicts at this moment.

[aasmall]

I agree to abide by the guidelines set forth in the Security Release Process, specifically the embargo on CVE communications and have no conflict of interest

[PurelyApplied]

I agree to abide by the guidelines set forth in the Security Release Process, specifically the embargo on CVE communications and have no conflict of interest.

---

The label(s) /label external-audit cannot be applied.

There was a wg/security-audit working group label, but it was folded into the sig/security label in kubernetes/community#5120.

[raesene]

I agree to abide by the guidelines set forth in the Security Release Process, specifically the embargo on CVE communications and have no conflict of interest. In the interests of full transparency, I am an ex employee of a pentesting company, and as a result know various people in the industry, however I am not currently employed in that industry.

[PushkarJ]

@reylejano should I move this to k/sig-security ?

[reylejano]

@PushkarJ , yes moving to k/sig-security is appropriate

[PushkarJ]

/transfer sig-security

[k8s-ci-robot]

@reylejano: The label(s) /label external-audit cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda

In response to this:

Tracking issue for the Kubernetes third-party security audit for 2021:

• Create RFP
• Audit scope
• Finalize dates: RFP opening and closing dates, question period, vendor selection
• Complete question period and publish questions & replies to RFP
• Vendor assessment
• Assemble vendor assessment group
• Create private Google group
• Release vendor selection
• Publish findings

/sig security
/label external-audit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[PurelyApplied]

These things take time, triage-bot.

/remove-lifecycle stale

Although, given the bleed-over, the this could be renamed * for 2022.

[PushkarJ]

/retitle Kubernetes Third-Party Security Audit for 2021-22 (tracking issue)

[reylejano]

RFP decision / vendor announcement added in PR #34:
https://github.com/kubernetes/sig-security/blob/main/sig-security-external-audit/security-audit-2021/RFP_Decision.md

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[reylejano]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[reylejano]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[PushkarJ]

/remove-lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[reylejano]

/remove-lifecycle stale

[reylejano]

This issue is complete 🎉 with the merge of PR #87
and publishing of the CNCF blog https://www.cncf.io/blog/2023/04/19/new-kubernetes-security-audit-complete-and-open-sourced/

/close

[k8s-ci-robot]

@reylejano: Closing this issue.

In response to this:

This issue is complete 🎉 with the merge of PR #87
and publishing of the CNCF blog https://www.cncf.io/blog/2023/04/19/new-kubernetes-security-audit-complete-and-open-sourced/

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[reylejano]

Findings published at https://github.com/kubernetes/sig-security/blob/main/sig-security-external-audit/security-audit-2021-2022/findings/Kubernetes%20v1.24%20Final%20Report.pdf