community/wg-security-audit
Jay Beale 131f6d50c9
Proposed charter for SIG Security (#4962)
* Proposed charter for SIG Security

Letter to Steering committee to be linked later.

* Update wg-security-audit/sig-security-charter-proposal.md

Co-authored-by: Micah Hausler <micahhausler@users.noreply.github.com>

* Accept nested list modification

Co-authored-by: Micah Hausler <micahhausler@users.noreply.github.com>

* Adding README created by community make.
Adding sig-security to sigs.yaml
Creating sig-security/ and moving proposed charter to that directory.

* Proposed charter for SIG Security

Letter to Steering committee to be linked later.

* Update wg-security-audit/sig-security-charter-proposal.md

Co-authored-by: Micah Hausler <micahhausler@users.noreply.github.com>

* Accept nested list modification

Co-authored-by: Micah Hausler <micahhausler@users.noreply.github.com>

* Correct capitalization

Co-authored-by: Nikhita Raghunath <nikitaraghunath@gmail.com>

* resolved merge conflict

I don't think we need to use an entirely separate GOPATH, thus forcing
us to re-download modules every time we run `make`

This was causing verify-generated-docs to fail locally since go will
set its modcache as readonly and thus cause the cleanup "rm -rf" in
this script to fail. In go1.14 or later we could use "-modcacherw"
to stop making the modcache readonly, but that brings me back to... why
do we need an entirely separate GOPATH in the first place?

* Corrected employers

Co-authored-by: Micah Hausler <micahhausler@users.noreply.github.com>
Co-authored-by: Nikhita Raghunath <nikitaraghunath@gmail.com>
2020-08-18 23:37:10 -07:00
ancillary-data: Added final reports (2019-08-06 08:30:27 -07:00)
findings: added updated version of final report (2019-08-06 12:17:37 -07:00)
Atredis and Trail of Bits Proposal.pdf: published accepted proposal and updated mailing lists (2019-01-28 13:34:35 -08:00)
OWNERS: Updated OWNERS files to include link to docs (2019-01-30 19:37:21 +01:00)
README.md: Proposed charter for SIG Security (#4962) (2020-08-18 23:37:10 -07:00)
RFP.md: fixurl (2020-02-25 18:42:02 +08:00)
RFP_Decision.md: Add wg-security-audit RFP decision process (2019-02-08 12:12:13 -05:00)

README.md

Security Audit Working Group

Perform a security audit of Kubernetes (k8s) with a vendor and produce, as artifacts, a threat model and a whitepaper outlining everything found during the audit.

Stakeholder SIGs

  • SIG Auth

Meetings

Organizers

Contact

Published Documents

Trail of Bits and Atredis Partners, in collaboration with the Security Audit Working Group, have released the following documents, which detail their assessment of the security posture of Kubernetes and their findings.

Findings

Ancillary Data

Mailing Lists

Request For Proposals

The RFP was open between 2018/10/29 and 2018/11/30 and has been published here.

Vendor Selection

The RFP is now closed. The working group selected Trail of Atredis, a collaboration between Trail of Bits and Atredis Partners to perform the audit.

You can read more about the vendor selection here.