|
5 | 5 | 1. What work did the WG do this year that should be highlighted? |
6 | 6 | For example, artifacts, reports, white papers produced this year. |
7 | 7 |
|
8 | | - - [Policy Whitepaper]() |
9 | | - - [PolicyReport CRD]() Adapters, [list here]() |
10 | | - - [Review of whether to KEP or not to KEP for Policy Report]() |
11 | | - - |
| 8 | + - CR for PolicyReport being used more widely in other projects and by end users |
| 9 | + - 2 whitepapers released |
| 10 | + - 2 KubeCon talks NA + EU |
12 | 11 |
|
13 | 12 | 2. What initiatives are you working on that aren't being tracked in KEPs? |
14 | 13 |
|
15 | | - - The main topic of discussion is now whether to KEP the PolicyReport, or just keep it in a sig (e.g. sig-auth) |
| 14 | + - We are discussing a KEP for the PolicyReport CR but still pending |
| 15 | + - Feedback from some of the sig leadership recommend NOT doing a KEP but just hosting the code in sig-auth or sig-security namespace |
16 | 16 | - Outside of that there has been a lot of community interest, and workgroup effort spent, on control mapping |
17 | 17 | and control-as-code implementation, eg OSCAL, that might be better served moved into its own workgroup or a |
18 | 18 | sandbox project |
|
21 | 21 |
|
22 | 22 | 1. What's the current roadmap until completion of the working group? |
23 | 23 |
|
24 | | - - We intend to wrap up the workgroup once the KEP for PolicyReport is created OR sig-auth or another sig accepts it |
25 | | - - Or if neither occurs |
26 | | - - There is considerable interest in continuing the governance and assessment and lifecycle of policy and controls, |
27 | | - however as these necessarily cross boundaries, it seems like something that should either be re-homed to sig-security, |
28 | | - and/or hosted in a CNCF-level workgroup and/or moved into a relevant sandbox CNCF project, eg. [SLEDGEHammer](). |
| 24 | + - Once the CR KEP is submitted or the sig decides yea or nay, we anticipate winding down the WG unless the community asks for new prototypes |
| 25 | + - There seems limited/no interest in a corresponding CR for policy inputs/profiles |
| 26 | + - One option is that many of the attendees are interested in compliance, so maybe a sig-security compliance WG is a follow on |
| 27 | + - Also several of the concrete policy implementations can be carried over to SLEDGEHammer (which will be submitting a Sandbox application) |
29 | 28 |
|
30 | 29 | 2. Does the group have contributors from multiple companies/affiliations? |
31 | | - |
32 | | - - Yes, RedHat, IBM, SunStone Secure, Nirmata, Google, ... |
| 30 | + - Yes (RedHat, IBM. Kyverno, Google, Fairwinds, Defense Unicorns, others) |
33 | 31 |
|
34 | 32 | 3. Are there ways end users/companies can contribute that they currently are not? |
35 | 33 | If one of those ways is more full time support, what would they work on and why? |
36 | | - |
37 | | - - |
38 | | - - |
| 34 | + - Maintaining the PolicyReport API code |
| 35 | + - Building out more PolicyReport API client code and examples |
| 36 | + - Contributing more concrete policy library content (SLEDGEHammer will be committed to this) |
| 37 | + - There is considerable interest in continuing the governance and assessment and lifecycle of policy and controls, |
| 38 | + however as these necessarily cross boundaries, it seems like something that should either be re-homed to sig-security, |
| 39 | + and/or hosted in a CNCF-level workgroup and/or moved into a relevant sandbox CNCF project |
39 | 40 |
|
40 | 41 | ## Membership |
41 | 42 |
|
42 | | -- Primary slack channel member count: |
43 | | -- Primary mailing list member count: |
44 | | -- Primary meeting attendee count (estimated, if needed): |
45 | | -- Primary meeting participant count (estimated, if needed): |
| 43 | +- Primary slack channel member count: 360 |
| 44 | +- Primary mailing list member count: 139 |
| 45 | +- Primary meeting attendee count (estimated, if needed): ~8 |
| 46 | +- Primary meeting participant count (estimated, if needed): ~6 |
46 | 47 |
|
47 | 48 | Include any other ways you measure group membership |
48 | 49 |
|
49 | 50 | ## Operational |
50 | 51 |
|
51 | 52 | Operational tasks in [wg-governance.md]: |
52 | 53 |
|
53 | | -- [ ] [README.md] reviewed for accuracy and updated if needed |
54 | | -- [ ] WG leaders in [sigs.yaml] are accurate and active, and updated if needed |
55 | | -- [ ] Meeting notes and recordings for 2022 are linked from [README.md] and updated/uploaded if needed |
56 | | -- [ ] Updates provided to sponsoring SIGs in 2022 |
57 | | - - [$sig-name](https://git.k8s.io/community/$sig-id/) |
58 | | - - links to email, meeting notes, slides, or recordings, etc |
59 | | - - [$sig-name](https://git.k8s.io/community/$sig-id/) |
60 | | - - links to email, meeting notes, slides, or recordings, etc |
61 | | - - |
| 54 | +- [X] [README.md] reviewed for accuracy and updated if needed |
| 55 | +- [X] WG leaders in [sigs.yaml] are accurate and active, and updated if needed |
| 56 | +- [X] Meeting notes and recordings for 2022 are linked from [README.md] and updated/uploaded if needed |
| 57 | +- [X] Updates provided to sponsoring SIGs in 2022 |
| 58 | + - [sig-auth](https://git.k8s.io/community/sig-auth/) |
| 59 | + - TODO: JIM: links to email, meeting notes, slides, or recordings, etc |
62 | 60 |
|
63 | 61 | [wg-governance.md]: https://git.k8s.io/community/committee-steering/governance/wg-governance.md |
64 | 62 | [README.md]: https://git.k8s.io/community/wg-policy/README.md |
|
0 commit comments