
Improve the Security Overview #43228

Closed
shannonxtreme opened this issue Sep 27, 2023 · 11 comments
Labels
  • kind/feature: Categorizes issue or PR as related to a new feature.
  • language/en: Issues or PRs related to English language.
  • priority/important-longterm: Important over the long term, but may not be staffed and/or may need multiple releases to complete.
  • sig/docs: Categorizes an issue or PR as relevant to SIG Docs.
  • sig/security: Categorizes an issue or PR as relevant to SIG Security.
  • triage/accepted: Indicates an issue or PR is ready to be actively worked on.

Comments

@shannonxtreme (Contributor)

Umbrella issue: #25119
Blocked by: #43176
Collaborators: @tengqm @shannonxtreme @sftim @kubernetes/sig-security

Description

Expand the Kubernetes Security Overview concept page (https://kubernetes.io/docs/concepts/security/) to provide a use-case based, prescriptive guide that various personas can use to do specific jobs at specific phases of their journey.

#43176 refactors the existing Overview of Cloud-native Security page to closely follow the lifecycle phases from the CNCF security whitepaper. We should expand this page to provide additional guidance within each phase for where a reader can go to learn how to achieve specific goals.

What does that look like?

The final structure is up for discussion, but we should consider including the following information:

  • The shared responsibility model, broken down by persona. In other words, as an application developer, what are the things I need to pay attention to? As a cluster operator, what are the best practices I need to check? As someone who prepares the underlying infrastructure, is there a checklist for me? (thanks @tengqm)
  • A sensible breakdown of sections in the page. Lifecycle phases is good. What about security "layers" (authn/z, encryption, monitoring/logging, workload security, infrastructure security, etc)?
  • Whatever the section breakdown, provide use-case/goal oriented prescriptive guidance for the reader to achieve the goal. For example:
    • Control which workloads can deploy in the cluster
      • Use admission controllers.
      • Basic: Enforce pre-defined policies based on best practices (link to PSA)
      • Intermediate: Enforce custom policies using something like Gatekeeper OPA
      • Advanced: Write your own admission webhook
  • Identify the key pain points for new users and reinforce that they're complicated and attempt to break them down. For example, networking is probably horrible for folks, as is TLS/certificate management. Secure multi-tenancy is also probably a scary area. Can we get community feedback?

What's next?

  1. Use a Google Doc for discussion (started one here: https://docs.google.com/document/d/1JYe35tUwTYivBdQ5j2g5bp_qP4Pm5OWlaRDAJNTriLA/edit?usp=sharing)
     • Discuss goals and presentation of information
     • Identify pain points and how to address them
     • Identify "core" information to include no matter what
  2. Create a doc plan to plan the work and scope and outline the actual structure
  3. Create a draft doc and solicit reviews from sig-security
  4. PR
  5. ???
  6. Profit!

/sig docs
/sig security
/label priority/important-longterm
/cc @tengqm @sftim
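
An added example of the "Advanced" tier in the list above (writing your own admission webhook); it is not code from this issue or from the Kubernetes project. It is a validating admission webhook server in Go that denies Pods that set hostPID or ask for a privileged container, two of the restrictions the Pod Security Standards "baseline" profile also imposes (the "Basic" tier, enforced through Pod Security Admission). Assumptions: the AdmissionReview and Pod structs are hand-written subsets of the real admission.k8s.io/v1 and core/v1 types so that the program builds with the standard library only, the TLS certificate paths in main are placeholders, and the sample request is constructed, not captured from a cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// Hand-written subset of the admission.k8s.io/v1 AdmissionReview schema (the real types live in
// k8s.io/api/admission/v1); redeclaring them is an assumption made so the example needs only stdlib.
type (
	AdmissionReview struct {
		APIVersion string             `json:"apiVersion"`
		Kind       string             `json:"kind"`
		Request    *AdmissionRequest  `json:"request,omitempty"`
		Response   *AdmissionResponse `json:"response,omitempty"`
	}
	AdmissionRequest struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"` // the Pod being admitted
	}
	AdmissionResponse struct {
		UID     string  `json:"uid"`
		Allowed bool    `json:"allowed"`
		Result  *Status `json:"status,omitempty"`
	}
	Status struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
	}
	Container struct { // only the Pod fields the policy inspects; json.Unmarshal ignores the rest
		Name            string                                        `json:"name"`
		SecurityContext *struct{ Privileged *bool `json:"privileged"` } `json:"securityContext"`
	}
	Pod struct {
		Spec struct {
			HostPID        bool        `json:"hostPID"`
			InitContainers []Container `json:"initContainers"`
			Containers     []Container `json:"containers"`
		} `json:"spec"`
	}
)

// validatePod applies two checks taken from the Pod Security Standards "baseline" profile;
// an empty result means the Pod is allowed.
func validatePod(pod *Pod) (violations []string) {
	if pod.Spec.HostPID {
		violations = append(violations, "spec.hostPID must not be true")
	}
	for _, c := range append(append([]Container{}, pod.Spec.InitContainers...), pod.Spec.Containers...) {
		if sc := c.SecurityContext; sc != nil && sc.Privileged != nil && *sc.Privileged {
			violations = append(violations, fmt.Sprintf("container %q must not be privileged", c.Name))
		}
	}
	return violations
}

// review decodes one AdmissionReview, evaluates the Pod it carries and returns the
// AdmissionReview (with .response filled in) that goes back to the API server.
func review(body []byte) (*AdmissionReview, error) {
	in, pod := AdmissionReview{}, Pod{}
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	} else if in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	resp := &AdmissionResponse{UID: in.Request.UID, Allowed: true}
	if err := json.Unmarshal(in.Request.Object, &pod); err != nil {
		// Fail closed: an object we cannot parse is denied, not waved through.
		resp.Allowed, resp.Result = false, &Status{Code: 400, Message: "cannot decode Pod: " + err.Error()}
	} else if v := validatePod(&pod); len(v) > 0 {
		resp.Allowed, resp.Result = false, &Status{Code: 403, Message: strings.Join(v, "; ")}
	}
	return &AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}

// handleValidate is the endpoint a ValidatingWebhookConfiguration points at.
func handleValidate(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap body size; a short read fails to decode below
	out, err := review(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(out)
}

const samplePrivilegedReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
 "request":{"uid":"11111111-2222-3333-4444-555555555555","object":{"metadata":{"name":"debug"},
 "spec":{"containers":[{"name":"shell","securityContext":{"privileged":true}}]}}}}` // constructed sample, not a capture

func main() {
	http.HandleFunc("/validate", handleValidate)
	log.Fatal(http.ListenAndServeTLS(":8443", "/etc/webhook/tls.crt", "/etc/webhook/tls.key", nil)) // TLS paths assumed
}
```

Register the server with a ValidatingWebhookConfiguration whose clientConfig points at /validate; the API server only calls webhooks over HTTPS, and the configuration's failurePolicy decides what happens when the webhook is unreachable, which is why the handler itself also fails closed on input it cannot decode. Echoing the request uid and the apiVersion/kind in the response is required, not cosmetic: the API server rejects a response whose uid does not match.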

@shannonxtreme shannonxtreme added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 27, 2023
@k8s-ci-robot k8s-ci-robot added sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/security Categorizes an issue or PR as relevant to SIG Security. labels Sep 27, 2023
@k8s-ci-robot (Contributor)

@shannonxtreme: The label(s) /label priority/important-longterm cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Sep 27, 2023
@dipesh-rawat (Member)

/priority important-longterm

@k8s-ci-robot k8s-ci-robot added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Sep 27, 2023
@aj11anuj (Member)

/language en

@k8s-ci-robot k8s-ci-robot added the language/en Issues or PRs related to English language label Sep 27, 2023
@sftim (Contributor)

sftim commented Sep 27, 2023

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 27, 2023
@sftim (Contributor)

sftim commented Sep 27, 2023

/lifecycle frozen
Let's track this 'til it's done, or we explicitly decide to let it rot.

@k8s-ci-robot k8s-ci-robot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Sep 27, 2023
@sftim (Contributor)

sftim commented Nov 4, 2023

How's this work going?

@sftim (Contributor)

sftim commented Oct 19, 2024

I think we've improved this somewhat. @shannonxtreme is this OK to close?

@sftim (Contributor)

sftim commented Oct 19, 2024

/remove-lifecycle frozen

@k8s-ci-robot k8s-ci-robot removed the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Oct 19, 2024
@shannonxtreme (Contributor, Author)

The page has improved, sadly I got too busy to work on the original google doc though. I think we can close this, and if I do find the time to work on it in the future I can always propose reopening!

@sftim (Contributor)

sftim commented Oct 19, 2024

/close

@k8s-ci-robot (Contributor)

@sftim: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
