From 85f52434054537fcad5f1a121b716e131b2054d5 Mon Sep 17 00:00:00 2001 From: Robert A Ficcaglia Date: Tue, 21 Mar 2023 14:36:12 -0700 Subject: [PATCH 1/2] Update annual-report-2022.md --- wg-policy/annual-report-2022.md | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/wg-policy/annual-report-2022.md b/wg-policy/annual-report-2022.md index fb3948d75..d3dfa908f 100644 --- a/wg-policy/annual-report-2022.md +++ b/wg-policy/annual-report-2022.md 
@@ -5,27 +5,31 @@ 1. What work did the WG do this year that should be highlighted? For example, artifacts, reports, white papers produced this year. - - - - + - [Policy Whitepaper]() + - [PolicyReport CRD]() Adapters, [list here]() + - [Review of whether to KEP or not to KEP for Policy Report]() - 2. What initiatives are you working on that aren't being tracked in KEPs? - - - - - - + - The main topic of discussion is now whether to KEP the PolicyReport, or just keep it in a sig (e.g. sig-auth) + - Outside of that there has been a lot of community interest, and workgroup effort spent, on control mapping + and control-as-code implementation, eg OSCAL, that might be better served moved into its own workgroup or a + sandbox project ## Project health 1. What's the current roadmap until completion of the working group? - - - - - - + - We intend to wrap up the workgroup once the KEP for PolicyReport is created OR sig-auth or another sig accepts it + - Or if neither occurs + - There is considerable interest in continuing the governance and assessment and lifecycle of policy and controls, + however as these necessarily cross boundaries, it seems like something that should either be re-homed to sig-security, + and/or hosted in a CNCF-level workgroup and/or moved into a relevant sandbox CNCF project, eg. [SLEDGEHammer](). 2. Does the group have contributors from multiple companies/affiliations? - - + - Yes, RedHat, IBM, SunStone Secure, Nirmata, Google, ... 3. Are there ways end users/companies can contribute that they currently are not? If one of those ways is more full time support, what would they work on and why? From 245f82200a13e3b4288a9dff7d12b3d9fdeb62c9 Mon Sep 17 00:00:00 2001 From: Robert A Ficcaglia Date: Wed, 12 Apr 2023 08:45:23 -0700 Subject: [PATCH 2/2] Update annual-report-2022.md required annual report --- wg-policy/annual-report-2022.md | 54 ++++++++++++++++----------------- 1 file changed, 26 insertions(+), 28 deletions(-) 
diff --git a/wg-policy/annual-report-2022.md b/wg-policy/annual-report-2022.md index d3dfa908f..30da43902 100644 --- a/wg-policy/annual-report-2022.md +++ b/wg-policy/annual-report-2022.md @@ -5,14 +5,14 @@ 1. What work did the WG do this year that should be highlighted? For example, artifacts, reports, white papers produced this year. - - [Policy Whitepaper]() - - [PolicyReport CRD]() Adapters, [list here]() - - [Review of whether to KEP or not to KEP for Policy Report]() - - + - CR for PolicyReport being used more widely in other projects and by end users + - 2 whitepapers released + - 2 KubeCon talks NA + EU 2. What initiatives are you working on that aren't being tracked in KEPs? - - The main topic of discussion is now whether to KEP the PolicyReport, or just keep it in a sig (e.g. sig-auth) + - We are discussing a KEP for the PolicyReport CR but still pending + - Feedback from some of the sig leadership recommend NOT doing a KEP but just hosting the code in sig-auth or sig-security namespace - Outside of that there has been a lot of community interest, and workgroup effort spent, on control mapping and control-as-code implementation, eg OSCAL, that might be better served moved into its own workgroup or a sandbox project 
@@ -21,28 +21,29 @@ 1. What's the current roadmap until completion of the working group? - - We intend to wrap up the workgroup once the KEP for PolicyReport is created OR sig-auth or another sig accepts it - - Or if neither occurs - - There is considerable interest in continuing the governance and assessment and lifecycle of policy and controls, - however as these necessarily cross boundaries, it seems like something that should either be re-homed to sig-security, - and/or hosted in a CNCF-level workgroup and/or moved into a relevant sandbox CNCF project, eg. [SLEDGEHammer](). + - Once the CR KEP is submitted or the sig decides yea or nay, we anticipate winding down the WG unless the community asks for new prototypes + - There seems limited/no interest in a corresponding CR for policy inputs/profiles + - One option is that many of the attendees are interested in compliance, so maybe a sig-security compliance WG is a follow on + - Also several of the concrete policy implementations can be carried over to SLEDGEHammer (which will be submitting a Sandbox application) 2. Does the group have contributors from multiple companies/affiliations? - - - Yes, RedHat, IBM, SunStone Secure, Nirmata, Google, ... + - Yes (RedHat, IBM. Kyverno, Google, Fairwinds, Defense Unicorns, others) 3. Are there ways end users/companies can contribute that they currently are not? If one of those ways is more full time support, what would they work on and why? 
- - - - - + - Maintaining the PolicyReport API code + - Building out more PolicyReport API client code and examples + - Contributing more concrete policy library content (SLEDGEHammer will be committed to this) + - There is considerable interest in continuing the governance and assessment and lifecycle of policy and controls, + however as these necessarily cross boundaries, it seems like something that should either be re-homed to sig-security, + and/or hosted in a CNCF-level workgroup and/or moved into a relevant sandbox CNCF project ## Membership -- Primary slack channel member count: -- Primary mailing list member count: -- Primary meeting attendee count (estimated, if needed): -- Primary meeting participant count (estimated, if needed): +- Primary slack channel member count: 360 +- Primary mailing list member count: 139 +- Primary meeting attendee count (estimated, if needed): ~8 +- Primary meeting participant count (estimated, if needed): ~6 Include any other ways you measure group membership 
@@ -50,15 +51,12 @@ Include any other ways you measure group membership Operational tasks in [wg-governance.md]: -- [ ] [README.md] reviewed for accuracy and updated if needed -- [ ] WG leaders in [sigs.yaml] are accurate and active, and updated if needed -- [ ] Meeting notes and recordings for 2022 are linked from [README.md] and updated/uploaded if needed -- [ ] Updates provided to sponsoring SIGs in 2022 - - [$sig-name](https://git.k8s.io/community/$sig-id/) - - links to email, meeting notes, slides, or recordings, etc - - [$sig-name](https://git.k8s.io/community/$sig-id/) - - links to email, meeting notes, slides, or recordings, etc - - +- [X] [README.md] reviewed for accuracy and updated if needed +- [X] WG leaders in [sigs.yaml] are accurate and active, and updated if needed +- [X] Meeting notes and recordings for 2022 are linked from [README.md] and updated/uploaded if needed +- [X] Updates provided to sponsoring SIGs in 2022 + - [sig-auth](https://git.k8s.io/community/sig-auth/) + - TODO: JIM: links to email, meeting notes, slides, or recordings, etc [wg-governance.md]: https://git.k8s.io/community/committee-steering/governance/wg-governance.md [README.md]: https://git.k8s.io/community/wg-policy/README.md
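Review bot: the first commit (`@@ -5,27 +5,31 @@` in PATCH 1/2) adds markdown links with empty targets, `[Policy Whitepaper]()`, `[PolicyReport CRD]()`, `[list here]()`, `[Review of whether to KEP or not to KEP for Policy Report]()` and `[SLEDGEHammer]()`, which render as broken links; the second commit then replaces them with plain text. Either fill in the URLs (the whitepaper and the PolicyReport CRD are the WG's headline artifacts and readers of the report will want to reach them) or squash the two commits so the empty links never land in history. While there, "eg OSCAL" and "eg. [SLEDGEHammer]()" should read "e.g.".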
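Review bot: in the `@@ -21,28 +21,29 @@` hunk of PATCH 2/2 the affiliations line has a stray period, "RedHat, IBM. Kyverno, Google, ..."; use a comma. Two small wording fixes in the same hunk: "There seems limited/no interest" reads better as "There seems to be limited or no interest", and "follow on" in "maybe a sig-security compliance WG is a follow on" should be hyphenated as "follow-on".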
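Review bot: in the `@@ -50,15 +51,12 @@` hunk the box for "Updates provided to sponsoring SIGs in 2022" is ticked, but the evidence line under it is still a placeholder, "TODO: JIM: links to email, meeting notes, slides, or recordings, etc". Since the commit message says this is the required annual report, either add the links before merging or leave the box unchecked; a TODO in the operational checklist will be read as an incomplete report. The second `[$sig-name]` template entry was also deleted; that is fine if sig-auth is the only sponsoring SIG, otherwise it should be restored and filled in.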