Applied for security audit #964

Closed
csantanapr opened this issue Mar 10, 2022 · 10 comments
@csantanapr
Member

csantanapr commented Mar 10, 2022

Applied for CNCF security audit

Having a security audit performed by a CNCF contractor for Knative is a requirement for CNCF project graduation.

I was advised by @caniszczyk to go ahead and open a service ticket now, since there is a large backlog for the security contractor.

cc @evankanderson

@csantanapr
Member Author

@evankanderson Do you have access to the service desk now with your knative.team email?
This will allow you to open a ticket requesting the security audit for Knative; that would put us in a queue of a few months before it gets done.

@evankanderson
Member

@csantanapr csantanapr moved this to Todo in CNCF Onboarding Mar 30, 2022
@csantanapr
Member Author

Thank you @evankanderson, it looks like CNCF got you in contact with the auditor.

I dropped an intro to **** amir@ostif.org, who will send you a template to fill out for scoping the audit; they will then run an RFP process and find a vendor, which CNCF will pay for. The backlog is quite long, so I’d expect at least a few months before this officially gets started.

Let us know how it goes once you have more info.

@evankanderson
Member

I chatted with Amir on Tuesday, and we filled out an audit questionnaire together:

https://docs.google.com/document/d/1YaEK5zWmOk1G_eFuiJCPYGm7nWc2l97eBK3wINYNJTE/edit

Sometime (possibly post-Kubecon), we'll probably put together two RFPs:

Serving

A standard security audit, taking into account the in-progress encryption of KIngress -> activator -> queue_proxy path.

Eventing

Probably a more protocol-focused audit this time, focusing on modeling necessary controls and mitigations, probably including:

  • TLS capability for Addressable resources with cluster.local endpoints (which can't use public CAs like LetsEncrypt)
  • Sender identity (probably OAuth / OpenID Connect rooted in the kube-apiserver's ability to mint tokens, and an aud parameter indicated by the Addressable)
  • Some form of data-plane RBAC to be able to restrict who can send to a given Addressable
  • Necessary RBAC controls on the control plane, possibly by describing the controls to be used with a policy system like Gatekeeper or Kyverno

@evankanderson evankanderson moved this from Todo to In Progress in CNCF Onboarding Apr 28, 2022
@csantanapr
Member Author

@evankanderson any updates on this front?

@Amir-Montazery

Hi everyone! I have emailed @evankanderson a few times since July about this but have not heard back. We are ready and happy to continue the conversation and help Knative get their security audit done, as we do with many CNCF projects!

@evankanderson
Member

evankanderson commented Oct 17, 2022

Sorry, this got dropped under a bunch of vacation and acquisition traffic -- I'll dig out the emails and respond today.

@evankanderson evankanderson moved this from In Progress to Ready to Work in Security WG Roadmap Mar 2, 2023
@evankanderson evankanderson moved this from Ready to Work to In Progress in Security WG Roadmap Jun 8, 2023
@aliok
Member

aliok commented Jan 12, 2024

/close


knative-prow bot commented Jan 12, 2024

@aliok: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@knative-prow knative-prow bot closed this as completed Jan 12, 2024