Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Review] Kubeflow Project #1079

Open
5 of 15 tasks
akgraner opened this issue May 23, 2023 · 23 comments
Open
5 of 15 tasks

[Security Review] Kubeflow Project #1079

akgraner opened this issue May 23, 2023 · 23 comments
Assignees
Labels
assessment project security assessments (one issue per project) need-self-assessment The project has not yet created a self assessment

Comments

@akgraner
Copy link

akgraner commented May 23, 2023

Project Name: Kubeflow Project

Github URL: https://github.com/kubeflow/kubeflow/tree/master/security

Currently, we are working with Ricardo to get Kubeflow into the CNCF, we are working on going straight into incubation - cncf/toc#1042 (incubation)

Ricardo suggested that we open this issue now, since we are in the beginning stages of setting up our security team as well as our policies and procedures. I don't think we are ready for the formal security review, but we wanted to make sure you all are aware of our on-going efforts. Please let us know what else you need from us.

CNCF project stage and issue NA

Security Provider: yes (e.g. Is the primary function of the project to support the security of an integrating system?)

  • Identify team
  • Create slack channel (#sec-assess-kubeflow)
  • Project lead provides draft document - see outline
  • "Naive question phase" Lead Security Reviewer asks clarifying questions
  • Assign issue to security reviewers
  • Initial review
  • Presentation & discussion
  • Share draft findings with project
  • Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
  • CNCF TOC presentation (if requested by TOC)
@akgraner akgraner added the triage-required Requires triage label May 23, 2023
@mrcdb
Copy link
Member

mrcdb commented May 24, 2023

Have you already performed a self-assessment for the project or something similar that you could share to kickstart the discussion? Thanks!

@anvega anvega added the assessment project security assessments (one issue per project) label Jun 16, 2023
@krishnakv
Copy link
Contributor

I would like to volunteer for this review, please. I have no soft or hard conflicts to report.

@JustinCappos JustinCappos self-assigned this Jul 7, 2023
@JustinCappos
Copy link
Collaborator

Please ping us once you have a draft of the self-assessment and we can start to put a team together.

@JustinCappos JustinCappos added need-self-assessment The project has not yet created a self assessment and removed triage-required Requires triage labels Jul 7, 2023
@sublimino
Copy link
Member

Hi @akgraner and team!

I'll be the lead security reviewer for this project.

Do you have any inclination of when you'll be ready to start considering the self-assessment process?

We also have a Security Pals process that can assist you with preparing for the self assessment document if that would be of interest.

I've created a sec-assess-kubeflow channel if you'd like to discuss anything on Slack 🙏

@akgraner
Copy link
Author

akgraner commented Aug 3, 2023 via email

@yfolias
Copy link

yfolias commented Aug 12, 2023

I would like to volunteer for this review as well, if possible. No soft or hard conflicts on my end

@akgraner
Copy link
Author

akgraner commented Aug 12, 2023 via email

@victorjunlu
Copy link

@sublimino Interested in volunteering for this review. This will be my second time volunteering as tag security reviewer. No conflict on my end.

@sublimino
Copy link
Member

Hi @akgraner and team! I hope you've had a great summer. Do you have any indications of your timescale to start this assessment?

@vicenteherrera
Copy link

Hi, I would like also to help when this work continues. No conflicts here, just I'm usually into many fronts, but I'll find time for this.

@akgraner
Copy link
Author

akgraner commented Dec 20, 2023 via email

@lcostea
Copy link

lcostea commented Jan 18, 2024

If possible I would like to be an observer. No conflicts on my end. Thanks.

@TheFoxAtWork
Copy link
Contributor

@akgraner following up on this - is Kubeflow ready to engage with TAG Security on this? The joint-review will need members of Kubeflow to support TAG Security in completing the jointly completing the assessment.

@akgraner
Copy link
Author

@TheFoxAtWork - we aren't ready for the official joint assessment, but we are working through the joint assessment.

@sublimino
Copy link
Member

We have begun the security-pals self-assessment process today, with an intro call and working document.

The goals are to understand current security efforts, ensure collation of relevant documentation, and scope the joint assessment through the self-assessment document. We'll work through another meeting, present and gain corrections from the maintainers, and aim for the joint assessment post-Kubecon — where we hope to meet at the STAG Unconference 😊 Many thanks for attending @akgraner, your contributions are invaluable.

/cc @TheFoxAtWork

@TheFoxAtWork
Copy link
Contributor

Wicked! Thanks!

@sublimino
Copy link
Member

Hello all, we'll continue the self-assessment preparation this Wednesday 21st, 2pm UK time (other TZs):

Kubeflow Threat Model Working Session (TAG Security)
Wednesday, 21 February · 14:00 – 15:00
Time zone: Europe/London
Google Meet joining info
Video call link: https://meet.google.com/ayp-ctvn-oee
Or dial: ‪(GB) +44 20 3957 1685‬ PIN: ‪642 661 786‬#
More phone numbers: https://tel.meet/ayp-ctvn-oee?pin=5129528357352

@akgraner
Copy link
Author

akgraner commented Feb 16, 2024 via email

@JustinCappos JustinCappos mentioned this issue Mar 27, 2024
15 tasks
@JustinCappos
Copy link
Collaborator

This looks stalled. If not, please update the issue and I'll move it to the appropriate part of the queue

@mrcdb
Copy link
Member

mrcdb commented Apr 8, 2024

Hi @JustinCappos !

We are currently in a naive questions phase on this project, and we have set up a follow-up meeting with @akgraner to discuss the next steps for Tuesday, 9/4. Details have been shared in the Slack channel.

The working document (based on the self-assessment template) is here, we highlighted the open questions for the Kubeflow team: https://docs.google.com/document/d/1ROvqsHtmEOxbX3fvN1fkDCtELHaRRDdA-UKezz59ZKQ/edit#heading=h.ri0460k7tpla

@PushkarJ
Copy link
Contributor

Signing off with co-chair hat that the reviewers have indicated looking at the GitHub issue comments that they do not have any conflicts.

(Please point me to a comment if there is one where a conflict of interest was highlighted that I missed)

@mrcdb
Copy link
Member

mrcdb commented Apr 18, 2024

@PushkarJ I confirm I have no hard or soft conflicts as a reviewer on this assessment.

@sublimino
Copy link
Member

Hi @akgraner, congratulations on the Kubeflow 1.9 rc!

We're stalled waiting for comments from the project on the review doc https://docs.google.com/document/d/1ROvqsHtmEOxbX3fvN1fkDCtELHaRRDdA-UKezz59ZKQ/edit

We can't move further until we have more detailed guidance, so please let us know when there's likely to be bandwidth from the Kubeflow team and we can schedule in more time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
assessment project security assessments (one issue per project) need-self-assessment The project has not yet created a self assessment
Projects
Status: Waiting on Project
Development

No branches or pull requests