Proposed charter for SIG Security (#4962)

JayBeale · micahhausler · nikhita · web-flow · commit 131f6d50c91a · 2020-08-18T23:37:10.000-07:00
* Proposed charter for SIG Security

Letter to Steering committee to be linked later.

* Update wg-security-audit/sig-security-charter-proposal.md

Co-authored-by: Micah Hausler &lt;micahhausler@users.noreply.github.com&gt;

* Accept nested list modification

Co-authored-by: Micah Hausler &lt;micahhausler@users.noreply.github.com&gt;

* Adding README created by community make.
Adding sig-security to sigs.yaml
Creating sig-security/ and moving proposed charter to that directory.

* Proposed charter for SIG Security

Letter to Steering committee to be linked later.

* Update wg-security-audit/sig-security-charter-proposal.md

Co-authored-by: Micah Hausler &lt;micahhausler@users.noreply.github.com&gt;

* Accept nested list modification

Co-authored-by: Micah Hausler &lt;micahhausler@users.noreply.github.com&gt;

* Correct capitalization

Co-authored-by: Nikhita Raghunath &lt;nikitaraghunath@gmail.com&gt;

* resolved merge conflict

I don't think we need to use an entirely separate GOPATH, thus forcing
us to re-download modules every time we run `make`

This was causing verify-generated-docs to fail locally since go will
set its modcache as readonly and thus cause the cleanup "rm -rf" in
this script to fail. In go1.14 or later we could use "-modcacherw"
to stop making the modcache readonly but that bring me back to.. why
do need an entirely separate GOPATH in the first place?

* Corrected employers

Co-authored-by: Micah Hausler &lt;micahhausler@users.noreply.github.com&gt;
Co-authored-by: Nikhita Raghunath &lt;nikitaraghunath@gmail.com&gt;
diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
@@ -72,6 +72,11 @@ aliases:
   sig-scheduling-leads:
     - Huang-Wei
     - ahg-g
+  sig-security-leads:
+    - aasmall
+    - cji
+    - jaybeale
+    - joelsmith
   sig-service-catalog-leads:
     - jberkhahn
     - mszostok
diff --git a/sig-list.md b/sig-list.md
@@ -39,6 +39,7 @@ When the need arises, a [new SIG can be created](sig-wg-lifecycle.md)
 |[Release](sig-release/README.md)|release|* [Stephen Augustus](https://github.com/justaugustus), VMware<br>* [Tim Pepper](https://github.com/tpepper), VMware<br>|* [Slack](https://kubernetes.slack.com/messages/sig-release)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-sig-release)|* Regular SIG Meeting: [Tuesdays at 14:30 UTC (biweekly)](https://zoom.us/j/327142148)<br>* (Release Engineering) Release Engineering: [Tuesdays at 14:30 UTC (biweekly)](https://zoom.us/j/240812475)<br>
 |[Scalability](sig-scalability/README.md)|scalability|* [Matt Matejczyk](https://github.com/mm4tt), Google<br>* [Shyam Jeedigunta](https://github.com/shyamjvs), AWS<br>|* [Slack](https://kubernetes.slack.com/messages/sig-scalability)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-sig-scale)|* Regular SIG Meeting: [Thursdays at 17:30 UTC (bi-weekly ([upcoming meeting dates](#upcoming-meeting-dates)))](https://zoom.us/j/989573207)<br>
 |[Scheduling](sig-scheduling/README.md)|scheduling|* [Wei Huang](https://github.com/Huang-Wei), IBM<br>* [Abdullah Gharaibeh](https://github.com/ahg-g), Google<br>|* [Slack](https://kubernetes.slack.com/messages/sig-scheduling)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-sig-scheduling)|* 10AM PT Meeting: [Thursdays at 17:00 UTC (biweekly starting Thursday June 7, 2018)](https://zoom.us/j/841218129)<br>
+|[Security](sig-security/README.md)|security|* [Aaron Small](https://github.com/aasmall), Invitae<br>* [Craig Ingram](https://github.com/cji), Stripe<br>* [Jay Beale](https://github.com/jaybeale), InGuardians<br>* [Joel Smith](https://github.com/joelsmith), Red Hat<br>|* [Slack](https://kubernetes.slack.com/messages/sig-security)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-sig-security)|* Regular SIG Meeting: [Mondays at 12:00 PT (Pacific Time) (biweekly)](https://zoom.us/j/8416212023)<br>
 |[Service Catalog](sig-service-catalog/README.md)|service-catalog|* [Jonathan Berkhahn](https://github.com/jberkhahn), IBM<br>* [Mateusz Szostok](https://github.com/mszostok), SAP<br>|* [Slack](https://kubernetes.slack.com/messages/sig-service-catalog)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-sig-service-catalog)|* Regular SIG Meeting: [Mondays at 13:00 PT (Pacific Time) (biweekly)](https://zoom.us/j/7201225346)<br>
 |[Storage](sig-storage/README.md)|storage|* [Saad Ali](https://github.com/saad-ali), Google<br>* [Xing Yang](https://github.com/xing-yang), VMware<br>|* [Slack](https://kubernetes.slack.com/messages/sig-storage)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-sig-storage)|* Regular SIG Meeting: [Thursdays at 9:00 PT (Pacific Time) (biweekly)](https://zoom.us/j/614261834)<br>
 |[Testing](sig-testing/README.md)|testing|* [Benjamin Elder](https://github.com/BenTheElder), Google<br>* [Aaron Crickenberger](https://github.com/spiffxp), Google<br>* [Steve Kuznetsov](https://github.com/stevekuznetsov), Red Hat<br>|* [Slack](https://kubernetes.slack.com/messages/sig-testing)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-sig-testing)|* SIG Testing Office Hours: [Tuesdays at 10:00 PT (Pacific Time) (bi-weekly starting Tuesday August 13, 2019)](https://zoom.us/j/135450138)<br>* (kind) sigs.k8s.io/kind bi-weekly meeting: [Mondays at 11:00 PT (Pacific Time) (bi-weekly)](https://zoom.us/j/960461819)<br>* (testing-commons) Testing Commons: [Fridays at 13:00 PT (Pacific Time) (bi-weekly)](https://zoom.us/j/790505720)<br>
@@ -60,7 +61,7 @@ When the need arises, a [new SIG can be created](sig-wg-lifecycle.md)
 |[Multitenancy](wg-multitenancy/README.md)|* API Machinery<br>* Auth<br>* Network<br>* Node<br>* Scheduling<br>* Storage<br>|* [Sanjeev Rampal](https://github.com/srampal), Cisco<br>* [Tasha Drew](https://github.com/tashimi), VMware<br>|* [Slack](https://kubernetes.slack.com/messages/wg-multitenancy)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-wg-multitenancy)|* Regular WG Meeting: [Tuesdays at 11:00 PT (Pacific Time) (biweekly)](https://zoom.us/my/k8s.sig.auth)<br>
 |[Naming](wg-naming/README.md)|* Architecture<br>* Contributor Experience<br>* Docs<br>|* [Celeste Horgan](https://github.com/celestehorgan), CNCF<br>* [Jaice Singer DuMars](https://github.com/jdumars), Apple<br>* [Stephen Augustus](https://github.com/justaugustus), VMware<br>* [Zach Corleissen](https://github.com/zacharysarah), Linux Foundation<br>|* [Slack](https://kubernetes.slack.com/messages/wg-naming)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-wg-naming)|
 |[Policy](wg-policy/README.md)|* Architecture<br>* Auth<br>* Multicluster<br>* Network<br>* Node<br>* Scheduling<br>* Storage<br>|* [Erica von Buelow](https://github.com/ericavonb), Red Hat<br>* [Howard Huang](https://github.com/hannibalhuang), Huawei<br>|* [Slack](https://kubernetes.slack.com/messages/wg-policy)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-wg-policy)|* Regular WG Meeting: [Wednesdays at 16:00 PT (Pacific Time) (weekly)](https://zoom.us/j/7375677271)<br>
-|[Security Audit](wg-security-audit/README.md)|* Auth<br>|* [Aaron Small](https://github.com/aasmall), Google<br>* [Craig Ingram](https://github.com/cji), Stripe<br>* [Jay Beale](https://github.com/jaybeale), InGuardians<br>* [Joel Smith](https://github.com/joelsmith), Red Hat<br>|* [Slack](https://kubernetes.slack.com/messages/wg-security-audit)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-wg-security-audit)|* Regular WG Meeting: [Mondays at 12:00 PT (Pacific Time) (weekly)](https://docs.google.com/document/d/1RbC4SBZBlKth7IjYv_NaEpnmLGwMJ0ElpUOmsG-bdRA/edit)<br>
+|[Security Audit](wg-security-audit/README.md)|* Auth<br>|* [Aaron Small](https://github.com/aasmall), Invitae<br>* [Craig Ingram](https://github.com/cji), Stripe<br>* [Jay Beale](https://github.com/jaybeale), InGuardians<br>* [Joel Smith](https://github.com/joelsmith), Red Hat<br>|* [Slack](https://kubernetes.slack.com/messages/wg-security-audit)<br>* [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-wg-security-audit)|* Regular WG Meeting: [Mondays at 12:00 PT (Pacific Time) (weekly)](https://docs.google.com/document/d/1RbC4SBZBlKth7IjYv_NaEpnmLGwMJ0ElpUOmsG-bdRA/edit)<br>
 
 ### Master User Group List
 
diff --git a/sig-security/README.md b/sig-security/README.md
@@ -0,0 +1,52 @@
+<!---
+This is an autogenerated file!
+
+Please do not edit this file directly, but instead make changes to the
+sigs.yaml file in the project root.
+
+To understand how this file is generated, see https://git.k8s.io/community/generator/README.md
+--->
+# Security Special Interest Group
+
+Covers horizontal security initiatives for the Kubernetes project, including  regular security audits, the vulnerability management process, cross-cutting  security documentation, and security community management.
+
+The [charter](charter.md) defines the scope and governance of the Security Special Interest Group.
+
+## Meetings
+* Regular SIG Meeting: [Mondays at 12:00 PT (Pacific Time)](https://zoom.us/j/8416212023) (biweekly). [Convert to your timezone](http://www.thetimezoneconverter.com/?t=12:00&tz=PT%20%28Pacific%20Time%29).
+  * [Meeting notes and Agenda](tba).
+  * [Meeting recordings](tba).
+
+## Leadership
+
+### Chairs
+The Chairs of the SIG run operations and processes governing the SIG.
+
+* Aaron Small (**[@aasmall](https://github.com/aasmall)**), Invitae
+* Craig Ingram (**[@cji](https://github.com/cji)**), Stripe
+* Jay Beale (**[@jaybeale](https://github.com/jaybeale)**), InGuardians
+* Joel Smith (**[@joelsmith](https://github.com/joelsmith)**), Red Hat
+
+## Contact
+- Slack: [#sig-security](https://kubernetes.slack.com/messages/sig-security)
+- [Mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-security)
+- [Open Community Issues/PRs](https://github.com/kubernetes/community/labels/sig%2Fsecurity)
+
+## Subprojects
+
+The following [subprojects][subproject-definition] are owned by sig-security:
+### community-discussion-groups
+Community Discussion Groups
+- **Owners:**
+### security-audit
+Third Party Security Audit
+- **Owners:**
+  - https://github.com/kubernetes/community/blob/master/wg-security-audit/OWNERS
+### security-documents
+Security Documents and Documentation.
+- **Owners:**
+
+[subproject-definition]: https://github.com/kubernetes/community/blob/master/governance.md#subprojects
+<!-- BEGIN CUSTOM CONTENT -->
+
+<!-- END CUSTOM CONTENT -->
diff --git a/sig-security/sig-security-charter-proposal.md b/sig-security/sig-security-charter-proposal.md
@@ -0,0 +1,89 @@
+# SIG Security Charter
+
+This charter adheres to the conventions described in the [Kubernetes Charter README] and uses the Roles and Organization Management outlined in [sig-governance].
+
+## Scope
+
+SIG Security covers horizontal security initiatives for the Kubernetes project, including regular security audits, the vulnerability management process, cross-cutting security documentation, and security community management. As a process-oriented SIG, it does not directly own Kubernetes component code. This SIG replaces the Security Audit Working Group. Instead, SIG Security focuses on improving the security of the Kubernetes project across all components.
+
+This SIG grew out of the [Third-Party Security Audit Working Group](https://github.com/kubernetes/community/tree/master/wg-security-audit), which managed each recurrent Third-Party Security Audit over the course of the audit’s lifecycle. The Working Group worked closely with selected vendors, the Product Security Committee, and the CNCF. It created the RFP, selected the vendors, and managed the vendors’ engagement with other SIGs and subject matter experts.
+
+SIG Security continues to manage the third-party security audits, while serving a wider mission of advocating for security-related structural or systemic issues and default configuration settings, managing the non-embargoed (public) vulnerability process, defining the bug bounty, creating official Kubernetes Hardening Guides and security documents, and serving as a public relations contact point for Kubernetes security. 
+
+### In scope
+
+#### Vulnerability Management Process
+
+Work with the Kubernetes [Product Security Committee (PSC)](https://github.com/kubernetes/security#product-security-committee-psc) to define the processes for fixing and disclosing vulnerabilities, as outlined in https://github.com/kubernetes/security. For example:
+
+- When the private fix & release process is invoked
+- How vulnerabilities are rated
+- The scope of the bug bounty
+- Post-announcement follow-ups, such as additional fixes, mitigations, preventions or documentation after a vulnerability is made public
+- Distributor announcement policies, such as timelines, criteria for joining the list, etc.
+- How, when and where vulnerabilities are announced
+- Defining the criteria and process for supporting Kubernetes subprojects, such as the [dashboard](https://github.com/kubernetes/dashboard), [ingress-nginx](https://github.com/kubernetes/ingress-nginx), or [kops](https://github.com/kubernetes/kops).
+
+#### Security Community Management and Outreach
+
+Provide an entry point to the Kubernetes community for new security-minded contributors, as well as a meeting point to discuss security themes and issues within Kubernetes, including:
+
+- Work with [SIG Contributor Experience](https://github.com/kubernetes/community/tree/master/sig-contributor-experience) to curate and staff security discussion channels (e.g. slack channel, mailing list, discourse, stack overflow, etc.).
+- Answer security questions from inexperienced users (that don't know what SIG to go to), and identify common questions or issues as areas for improvement.
+- Provide an "entry point" for new contributors interested in security. Route these new contributors to other SIGs when they have more specific goals (e.g. SIG Node for container isolation).
+
+#### Horizontal Security Documentation
+
+Author and maintain cross-cutting security documentation, such as hardening guides and security benchmarks. Seek out and coordinate with experts in other SIGs for input on the documentation (i.e. we go to them, they don't need to come to us). In-scope documentation includes:
+
+- Hardening guides and best practices
+- Security benchmarks
+- Improving documentation to address common misunderstandings or questions
+- Threat models
+
+#### Security Audit
+
+Manage recurring security audits and follow up on issues. Coordinate vendors to perform the audit and publish the findings. Follow up on issues with the affected SIG and help coordinate resolution, which can include:
+
+- Helping to prioritize the fixes, possibly by recruiting from SIG Security (while acknowledging that the ultimate authority in deciding whether and how to fix an issue lies with the responsible SIG).
+- Documenting mitigations, workarounds, or caveats, especially when the responsible SIG decides not to fix a reported issue.
+
+### Out of scope
+
+In contrast to SIG Auth, SIG Security does not own any Kubernetes cluster component code. 
+
+Further, SIG Security’s scope does not include:
+
+- Kubernetes authentication, authorization, audit and security policy features.  (SIG Auth)
+- Private vulnerability response (belongs to the PSC), including:
+    - Embargoed vulnerability management
+    - Bug bounty submission triage and management
+    - Non-public vulnerability collection, triage, and disclosure
+- The mechanisms to protect confidentiality/integrity of API data (belongs to SIG API Machinery, SIG Auth or others)
+- Security audit for all other CNCF projects (e.g., etcd, CoreDNS, CRI-O, containerd)  (Belongs to the CNCF’s SIG Security.) 
+- Any projects outside of the Kubernetes project
+- Cloud provider-specific or distributor-specific hardening guides
+- Recommendations or endorsements of specific commercial product vendors or cloud providers.
+
+
+## Roles and Organization Management
+
+This SIG adheres to the Roles and Organization Management outlined in [sig-governance] and opts-in to updates and modifications to [sig-governance].
+
+### Additional responsibilities of Chairs
+
+None defined at this time.
+
+### Additional responsibilities of Tech Leads
+
+- Security Documents and Documentation Tech Leads will be responsible for maintaining the official Kubernetes project Security Hardening Guide.
+
+### Subproject Creation
+
+SIG Security delegates subproject approval to SIG Technical Leads. See Subproject creation - Option 1.
+
+SIG Security’s initial subprojects will be:
+
+- Security Documents and Documentation
+- Third Party Security Audit
+- Community Discussion Groups
diff --git a/sigs.yaml b/sigs.yaml
@@ -1937,6 +1937,54 @@ sigs:
   - name: scheduler-plugins
     owners:
     - https://raw.githubusercontent.com/kubernetes-sigs/scheduler-plugins/master/OWNERS
+- dir: sig-security
+  name: Security
+  mission_statement: >
+    Covers horizontal security initiatives for the Kubernetes project, including 
+    regular security audits, the vulnerability management process, cross-cutting 
+    security documentation, and security community management.
+
+  charter_link: charter.md
+  label: security
+  leadership:
+    chairs:
+    - github: aasmall
+      name: Aaron Small
+      company: Invitae
+    - github: cji
+      name: Craig Ingram
+      company: Stripe
+    - github: jaybeale
+      name: Jay Beale
+      company: InGuardians
+    - github: joelsmith
+      name: Joel Smith
+      company: Red Hat
+  meetings:
+  - description: Regular SIG Meeting
+    day: Monday
+    time: "12:00"
+    tz: PT (Pacific Time)
+    frequency: biweekly
+    url: https://zoom.us/j/8416212023
+    archive_url: tba
+    recordings_url: tba
+  contact:
+    slack: sig-security
+    mailing_list: https://groups.google.com/forum/#!forum/kubernetes-sig-security
+  subprojects:
+  - name: community-discussion-groups
+    description: "Community Discussion Groups \n"
+    owners: []
+  - name: security-audit
+    description: |
+      Third Party Security Audit
+    owners:
+    - https://github.com/kubernetes/community/blob/master/wg-security-audit/OWNERS
+  - name: security-documents
+    description: |
+      Security Documents and Documentation.
+    owners: []
 - dir: sig-service-catalog
   name: Service Catalog
   mission_statement: >
@@ -2757,7 +2805,7 @@ workinggroups:
     chairs:
     - github: aasmall
       name: Aaron Small
-      company: Google
+      company: Invitae
     - github: cji
       name: Craig Ingram
       company: Stripe
diff --git a/wg-security-audit/README.md b/wg-security-audit/README.md
@@ -18,7 +18,7 @@ Perform a security audit on k8s with a vendor and produce as artifacts a threat
 
 ## Organizers
 
-* Aaron Small (**[@aasmall](https://github.com/aasmall)**), Google
+* Aaron Small (**[@aasmall](https://github.com/aasmall)**), Invitae
 * Craig Ingram (**[@cji](https://github.com/cji)**), Stripe
 * Jay Beale (**[@jaybeale](https://github.com/jaybeale)**), InGuardians
 * Joel Smith (**[@joelsmith](https://github.com/joelsmith)**), Red Hat
