Add K3s self-security assessment #1500
base: main
Conversation
Signed-off-by: Orlix <[email protected]>
❌ Deploy Preview for tag-security failed.
JustinCappos
left a comment
I have a few minor requests. It looks good overall. Can you fix these and we'll merge?
### Background

K3s is a lightweight, opinionated Kubernetes distribution optimized for edge, IoT, and CI/CD environments. It achieves its small binary size by removing legacy or unnecessary components and replacing more resource-intensive ones with lightweight alternatives. K3s is secure by default, and operation of all Kubernetes control plane components is encapsulated in a single binary and process. K3s easily allows automation and management of complex cluster operations like distributing certificates.
Can you be more quantitative / falsifiable and reduce the marketing speak?
For example,
"K3s is secure by default," -> "K3s is designed to provide secure default settings by ..."
"K3s easily allows automation and management of complex cluster operations like distributing certificates." -> "K3s has mechanisms to allow the automation and management of complex cluster operations like distributing certificates."
FYI: This comment applies later in the document as well.
| Component | Applicability | Description of Importance |
| --------- | ------------- | ------------------------- |
| Role-Based Access Control | Critical | RBAC is fundamental to Kubernetes security, enforcing the principle of least privilege. It strictly controls what users and service accounts can do, preventing unauthorized resource manipulation and reducing the blast radius of any compromised component. |
Is this different from what people expect from k8s RBAC in any way?
List of ADR (similiar to Kubernetes KEPs) here: https://github.com/k3s-io/k3s/tree/main/docs/adrs

## Secure Development Practices

Although the K3s project is still sandbox, we strive to implement the highest standard of secure development best practices, as noted below.
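Review bot: typo in the ADR line, "similiar" should be "similar", and "List of ADR" should be "List of ADRs" to match the plural "KEPs" it is compared with.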
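Review bot: "still sandbox" is missing a noun in the first sentence; suggest "still a sandbox project". The same sentence claims "the highest standard of secure development best practices", which a reader cannot check as written; since the practices are said to be "noted below", naming the specific practices or the baseline they map to here would make the claim verifiable.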
OpenSSF has best practices and baseline. Can you map what you're doing to those?
(edit: I was surprised to see them referenced at the bottom of the document, but not here.)
### Responsible Disclosure Practice

The K3s project does not accept vulnerability reports through the [GitHub Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) tool. Users attempting to report an security issue via the Create Issue or Vulnerability Reporting workflows will be redirected to our security policy document, which requests that they make contact via e-mail.
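Review bot: "report an security issue" should read "report a security issue". The paragraph links the GitHub Vulnerability Reporting tool but not the project's own security policy document that reporters are redirected to; linking that document here would let readers find the actual reporting instructions and contact address.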
Are these encrypted in any way?
The K3s project is getting itself prepared for the Incubation phase. We are completing our first self-assessment.