Re: Security policies for Kubernetes
Nicko van Someren <nicko@...>
Thanks for that. I read through the Google Doc and added some comments.
One thing I think would be valuable to include in the security process is for there to be a broadcast mail to some 'announce' mailing list in advance of patches to high severity issues, indicating that a critical patch is imminent, with an expected release date but without full details of the issue. For large users with big IT infrastructure it may be necessary to schedule extra staff to install urgent patches quickly, and having advance notice of when this will be necessary is very helpful. Projects like OpenSSL usually send these out three days before security-critical releases (see https://goo.gl/BzElRC for examples).
Nicko van Someren
CTO, Linux Foundation
+1 (978) 821-0391