Blog post: A closer look at NSA / CISA Kubernetes Hardening Guidance #29791

Merged
merged 2 commits into from
Oct 5, 2021

PushkarJ
Member

@PushkarJ PushkarJ commented Sep 23, 2021

This is a community response blog post that acts as a complementary resource that takes a closer look at the guidance.

This blog post is not a substitute for reading the guidance.

Co-authored-by: Jim Angel jameswangel@gmail.com
Co-authored-by: Savitha Raghunathan saveetha13@gmail.com

/area blog
/sig security docs
/tide merge-method-squash

@k8s-ci-robot k8s-ci-robot added area/blog Issues or PRs related to the Kubernetes Blog subproject sig/security Categorizes an issue or PR as relevant to SIG Security. sig/docs Categorizes an issue or PR as relevant to SIG Docs. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 23, 2021
@k8s-ci-robot k8s-ci-robot added the language/en Issues or PRs related to English language label Sep 23, 2021
@PushkarJ PushkarJ force-pushed the blog-nsa-cisa-hardening branch from 92b437c to 8289185 Compare September 23, 2021 19:23
@PushkarJ
Member Author

PushkarJ commented Sep 23, 2021

/hold

Trying to get kubernetes-sigs/kind#2431 merged before publishing this blog post

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 23, 2021
@netlify

netlify bot commented Sep 23, 2021

✔️ Deploy Preview for kubernetes-io-main-staging ready!

🔨 Explore the source changes: 3d87e15

🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/615b9a4cb3f9fd00073e6731

😎 Browse the preview: https://deploy-preview-29791--kubernetes-io-main-staging.netlify.app

@reylejano
Member

Preview of blog: https://deploy-preview-29791--kubernetes-io-main-staging.netlify.app/blog/2021/10/05/nsa-cisa-kubernetes-hardening-guidance/

@alexbarbato alexbarbato left a comment

Thanks for writing all this up :) I didn't have time to go too much in detail end to end, but tried to capture some nit picks I noticed while going through it.

content/en/blog/_posts/2021-10-05-nsa-cisa-hardening.md Outdated
Contributor

@sftim sftim left a comment

Hi @PushkarJ

I've reviewed this. Although there is quite a lot of feedback, I hope you're pleased that there is one question (about the recommendation around Secret) and pretty much everything else is a nit about punctuation or grammar.

content/en/blog/_posts/2021-10-05-nsa-cisa-hardening.md Outdated
@k8s-ci-robot k8s-ci-robot changed the title Blog post: A closer look at NSA / CISA Kubernetes Hardening Guidance [WIP] Blog post: A closer look at NSA / CISA Kubernetes Hardening Guidance Sep 23, 2021
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 23, 2021
@PushkarJ
Member Author

> Hi @PushkarJ
>
> I've reviewed this. Although there is quite a lot of feedback, I hope you're pleased that there is one question (about the recommendation around Secret) and pretty much everything else is a nit about punctuation or grammar.

You are such a wonderful gift to the community @sftim . Thank you for the detailed review!! Will work on resolving the feedback 🥲

Contributor

@shannonxtreme shannonxtreme left a comment

Really awesome work, folks!

content/en/blog/_posts/2021-10-05-nsa-cisa-hardening.md Outdated
@shannonxtreme
Contributor

shannonxtreme commented Sep 24, 2021

> > Hi @PushkarJ
> >
> > I've reviewed this. Although there is quite a lot of feedback, I hope you're pleased that there is one question (about the recommendation around Secret) and pretty much everything else is a nit about punctuation or grammar.
>
> You are such a wonderful gift to the community @sftim . Thank you for the detailed review!! Will work on resolving the feedback 🥲

1000%. Thank you for the work you do, Tim!

(also PushkarJ my reviews are also mostly nits to improve style and flow, implement at your discretion). Thank you for this amazing blog post :)

@PushkarJ
Member Author

Thanks for the feedback @shannonxtreme , taking a look now :)

content/en/blog/_posts/2021-10-05-nsa-cisa-hardening.md Outdated
@PushkarJ
Member Author

/hold cancel

Because kubernetes-sigs/kind#2431 is merged

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 24, 2021
@reylejano
Member

A few small, optional nits from me. Other than that, LGTM!

@PushkarJ PushkarJ force-pushed the blog-nsa-cisa-hardening branch from ac929c6 to dd9a8a1 Compare September 27, 2021 22:16
@PushkarJ
Member Author

All the comments and suggestions should now be resolved. Propose as a next step to keep the PR open until Oct 4 for further feedback tied to content.

@PushkarJ
Member Author

Blog preview is ready

@sftim
Contributor

sftim commented Sep 28, 2021

I'm going to infer formal LGTMs from #29791 (comment) and #29791 (comment)

/lgtm
/approve

/hold
(we should unhold before Monday so that this is ready to publish)

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 28, 2021
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 9c8d2d2249c0c6780633843829e7ba09c0f250ba

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 28, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sftim

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Sep 28, 2021
@PushkarJ PushkarJ force-pushed the blog-nsa-cisa-hardening branch from 4d7da77 to c4f2d5c Compare October 5, 2021 00:14
PushkarJ and others added 2 commits October 4, 2021 17:20
This is a community response blog post that
acts as complementary resource that takes a
closer look at the guidance.

This blog post is not a substitute for reading
the guidance
Apply suggestions from code review

Co-authored-by: Jim Angel <jameswangel@gmail.com>
Co-authored-by: Savitha Raghunathan <saveetha13@gmail.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: Shannon Kularathna <ax3shannonkularathna@gmail.com>
Co-authored-by: Robert <hyakuhei@gmail.com>
Co-authored-by: Rey Lejano <rlejano@gmail.com>
@PushkarJ PushkarJ force-pushed the blog-nsa-cisa-hardening branch from c4f2d5c to 3d87e15 Compare October 5, 2021 00:20
@PushkarJ
Member Author

PushkarJ commented Oct 5, 2021

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 5, 2021
@PushkarJ
Member Author

PushkarJ commented Oct 5, 2021

/label tide/merge-method-squash

@k8s-ci-robot k8s-ci-robot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Oct 5, 2021
@reylejano
Member

reapplying lgtm
hold has been removed and is ready to merge 🚀
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 5, 2021
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 5699b2537519437c83a9b28d53e7114206f56168

@k8s-ci-robot k8s-ci-robot merged commit a72f7fa into kubernetes:main Oct 5, 2021
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/blog Issues or PRs related to the Kubernetes Blog subproject cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/en Issues or PRs related to English language lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/security Categorizes an issue or PR as relevant to SIG Security. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
8 participants