Security policies for Kubernetes


Brian Grant
 

+mohr

If you have feedback on the kubernetes proposal, please do provide that feedback on the doc or on the issue.

On Thu, Nov 10, 2016 at 10:05 AM, Nicko van Someren via cncf-toc <cncf-toc@...> wrote:
Hi Alexis,

Thanks for that. I read through the Google Doc and added some comments.

One thing I think would be valuable to include in the security process is for there to be a broadcast mail to some 'announce' mailing list in advance of patches to high severity issues, indicating that a critical patch is imminent, with an expected release date but without full details of the issue. For large users with big IT infrastructure it may be necessary to schedule extra staff to install urgent patches quickly and having advanced notice of when this will be necessary is very helpful. Projects like OpenSSL usually send these out three days before security-critical releases (see https://goo.gl/BzElRC for examples).

Cheers,
Nicko









On Thu, Nov 10, 2016 at 10:26 AM, Alexis Richardson <alexis@...> wrote:
+nicko

On Thu, Nov 10, 2016 at 5:21 PM, Dan Kohn via cncf-toc <cncf-toc@...> wrote:
There was a question at the Kubernetes panel Monday night about how to handle security reports now that Kubernetes is a CNCF rather than a Google project.

Brandon Phillips seems to have already gotten a good start on this at https://github.com/kubernetes/kubernetes/issues/35462 and in the linked Google Doc.

I presume he and Sarah Novotny will let CNCF staff know if they want any CNCF-hosted mailing lists or other infrastructure.

But I wanted to flag this publicly in case anyone on the TOC list wanted to chime in. I'm also cc'ing Greg KH, in case he might want to add any comments about the kernel security process.
--
Dan Kohn <mailto:dan@...g>
Executive Director, Cloud Native Computing Foundation <https://cncf.io/>
tel:+1-415-233-1000

_______________________________________________
cncf-toc mailing list
cncf-toc@...
https://lists.cncf.io/mailman/listinfo/cncf-toc





--
Nicko van Someren
CTO, Linux Foundation


_______________________________________________
cncf-toc mailing list
cncf-toc@...
https://lists.cncf.io/mailman/listinfo/cncf-toc



Brandon Philips <brandon.philips@...>
 

Thanks Dan. I plan on pushing more on this post-KubeCon. Hopefully get PRs up against the documentation in the coming days.

I will take this discussion under advisement but I think there are some clear people and process things we can get right before bike-shedding on disclosure process.

Cheers,

Brandon

On Thu, Nov 10, 2016 at 9:21 AM Dan Kohn <dan@...> wrote:
There was a question at the Kubernetes panel Monday night about how to handle security reports now that Kubernetes is a CNCF rather than a Google project.

Brandon Phillips seems to have already gotten a good start on this at https://github.com/kubernetes/kubernetes/issues/35462 and in the linked Google Doc.

I presume he and Sarah Novotny will let CNCF staff know if they want any CNCF-hosted mailing lists or other infrastructure.

But I wanted to flag this publicly in case anyone on the TOC list wanted to chime in. I'm also cc'ing Greg KH, in case he might want to add any comments about the kernel security process.
--
Dan Kohn <mailto:dan@...>
Executive Director, Cloud Native Computing Foundation <https://cncf.io/>
tel:+1-415-233-1000


Nicko van Someren <nicko@...>
 

I mailed a few of the OpenSSL team to ask them about this. Here's the reply from Rich Salz:

I’m not sure what greg heard, maybe it was well into the number of beers?

 

It’s not that we’re opposed, it’s that it is difficult.  We think we’re doing the right thing, and in Munich we made some tweaks but reconfirmed our plans.


I hope that clarifies things.


Cheers,

Nicko



On Thu, Nov 10, 2016 at 12:21 PM, Nicko van Someren <nicko@...> wrote:
That's interesting feedback. I was speaking to the VP of infrastructure at a major bank last week and he said that having a heads up from OpenSSL helps him hugely and he wished that more projects did it. I also had a request from one of the CII members asking for the same thing. Who in the OpenSSL team felt it didn't work? I would be interested to know what problems they find with this.

Cheers,
Nicko

On Thu, Nov 10, 2016 at 12:17 Greg KH <gregkh@...> wrote:
On Thu, Nov 10, 2016 at 11:05:01AM -0700, Nicko van Someren wrote:
> One thing I think would be valuable to include in the security process is for
> there to be a broadcast mail to some 'announce' mailing list in advance of
> patches to high severity issues, indicating that a critical patch is imminent,
> with an expected release date but without full details of the issue. For large
> users with big IT infrastructure it may be necessary to schedule extra staff to
> install urgent patches quickly and having advanced notice of when this will be
> necessary is very helpful. Projects like OpenSSL usually send these out three
> days before security-critical releases (see https://goo.gl/BzElRC for
> examples).

I think you might want to reconsider that, as over beers, the OpenSSL
team says that this type of thing really doesn't work and just causes
more problems...

But hey, remember that I'm on a project that does weekly releases
without telling anyone what the security fixes we made in them were, so
what do I know? :)

thanks,

greg k-h



--
Nicko van Someren
CTO, Linux Foundation
+1 (978) 821-0391


Greg KH <gregkh@...>
 

On Thu, Nov 10, 2016 at 12:41:46PM -0700, Nicko van Someren wrote:
It's also worth noting that precisely because the Linux kernel team put out a
release every single week the scheduling of IT resources for deployment is not
a problem. People know in advance when your releases are going to drop. It is
more valuable to have the advanced notice if you don't have a highly regular
delivery schedule.
Ah, but I don't, I'm a horrible release maker. I did 3 releases 2 weeks
ago, none last week, and then one this week. Or was it one last week, I
can't remember... And all were on different days of the week, with no
apparent reasoning behind when each is made[1] (some came later than
announced, some earlier, and one with no announcement at all, and this
was just the past 3 weeks.)

So no, no one knows when our stable kernel releases are going to happen,
heck, I don't even know that :)

sorry,

greg k-h

[1] - It's my travel schedule that drives most of it, combined with when
security bugs are found and fixed in Linus's tree, which happen
unexpectedly as expected, or when embargos leak early, as happened
with DirtyC0w[2].

[2] - DirtyC0w is proof that even when everything goes right on the
project's security team side (kernel team was properly notified of
problem in the wild, fix was found, backports to all relevant
kernels were made and tested, embargo was planned, distros were
notified ahead of time), it's really up to the other groups you
notify to not mess up in order to keep it all together, which
failed horribly here (embargo was leaked to the public from a
distro, random companies knew there was a pending problem weeks
early due to a different leak, competing OS team decides to make
fun of the situatation and make a web site, etc.). So I'm really
all for not telling _anyone_ outside of the project's team about
security issues, as it always seems to go wrong.


Nicko van Someren <nicko@...>
 

On Thu, Nov 10, 2016 at 2:57 PM, Greg KH <gregkh@...> wrote:
​...​

Users might get warm and fuzzies thinking that this is the only time
they need to update, but really, they should be updating all the time.
Announcing it ahead of time really doesn't help companies fix their
infrastructure problems properly.

​I don't disagree but in the absence of a highly regular release cadence, or in the case of an out-of-cycle release, it is still valuable to know when a new​ release is coming.

But that's my comments, and not the OpenSSL's teams comments, I can't
recall their exact reasons.  I suggest talking to them at their next
hackfest about it to get all of the details.

​I will do. Thanks for raising the issue.

Cheers,
Nicko​


--
Nicko van Someren
CTO, Linux Foundation
+1 (978) 821-0391


Greg KH <gregkh@...>
 

On Thu, Nov 10, 2016 at 07:21:34PM +0000, Nicko van Someren wrote:
That's interesting feedback. I was speaking to the VP of infrastructure at a
major bank last week and he said that having a heads up from OpenSSL helps him
hugely and he wished that more projects did it. I also had a request from one
of the CII members asking for the same thing. Who in the OpenSSL team felt it
didn't work? I would be interested to know what problems they find with this.
Users might get warm and fuzzies thinking that this is the only time
they need to update, but really, they should be updating all the time.
Announcing it ahead of time really doesn't help companies fix their
infrastructure problems properly.

But that's my comments, and not the OpenSSL's teams comments, I can't
recall their exact reasons. I suggest talking to them at their next
hackfest about it to get all of the details.

thanks,

greg k-h


Nicko van Someren <nicko@...>
 

It's also worth noting that precisely because the Linux kernel team put out a release every single week the scheduling of IT resources for deployment is not a problem. People know in advance when your releases are going to drop. It is more valuable to have the advanced notice if you don't have a highly regular delivery schedule.

Cheers,
Nicko


On Thu, Nov 10, 2016 at 12:21 PM, Nicko van Someren <nicko@...> wrote:
That's interesting feedback. I was speaking to the VP of infrastructure at a major bank last week and he said that having a heads up from OpenSSL helps him hugely and he wished that more projects did it. I also had a request from one of the CII members asking for the same thing. Who in the OpenSSL team felt it didn't work? I would be interested to know what problems they find with this.

Cheers,
Nicko

On Thu, Nov 10, 2016 at 12:17 Greg KH <gregkh@...> wrote:
On Thu, Nov 10, 2016 at 11:05:01AM -0700, Nicko van Someren wrote:
> One thing I think would be valuable to include in the security process is for
> there to be a broadcast mail to some 'announce' mailing list in advance of
> patches to high severity issues, indicating that a critical patch is imminent,
> with an expected release date but without full details of the issue. For large
> users with big IT infrastructure it may be necessary to schedule extra staff to
> install urgent patches quickly and having advanced notice of when this will be
> necessary is very helpful. Projects like OpenSSL usually send these out three
> days before security-critical releases (see https://goo.gl/BzElRC for
> examples).

I think you might want to reconsider that, as over beers, the OpenSSL
team says that this type of thing really doesn't work and just causes
more problems...

But hey, remember that I'm on a project that does weekly releases
without telling anyone what the security fixes we made in them were, so
what do I know? :)

thanks,

greg k-h



--
Nicko van Someren
CTO, Linux Foundation
+1 (978) 821-0391


Nicko van Someren <nicko@...>
 

That's interesting feedback. I was speaking to the VP of infrastructure at a major bank last week and he said that having a heads up from OpenSSL helps him hugely and he wished that more projects did it. I also had a request from one of the CII members asking for the same thing. Who in the OpenSSL team felt it didn't work? I would be interested to know what problems they find with this.

Cheers,
Nicko


On Thu, Nov 10, 2016 at 12:17 Greg KH <gregkh@...> wrote:
On Thu, Nov 10, 2016 at 11:05:01AM -0700, Nicko van Someren wrote:
> One thing I think would be valuable to include in the security process is for
> there to be a broadcast mail to some 'announce' mailing list in advance of
> patches to high severity issues, indicating that a critical patch is imminent,
> with an expected release date but without full details of the issue. For large
> users with big IT infrastructure it may be necessary to schedule extra staff to
> install urgent patches quickly and having advanced notice of when this will be
> necessary is very helpful. Projects like OpenSSL usually send these out three
> days before security-critical releases (see https://goo.gl/BzElRC for
> examples).

I think you might want to reconsider that, as over beers, the OpenSSL
team says that this type of thing really doesn't work and just causes
more problems...

But hey, remember that I'm on a project that does weekly releases
without telling anyone what the security fixes we made in them were, so
what do I know? :)

thanks,

greg k-h


Greg KH <gregkh@...>
 

On Thu, Nov 10, 2016 at 11:05:01AM -0700, Nicko van Someren wrote:
One thing I think would be valuable to include in the security process is for
there to be a broadcast mail to some 'announce' mailing list in advance of
patches to high severity issues, indicating that a critical patch is imminent,
with an expected release date but without full details of the issue. For large
users with big IT infrastructure it may be necessary to schedule extra staff to
install urgent patches quickly and having advanced notice of when this will be
necessary is very helpful. Projects like OpenSSL usually send these out three
days before security-critical releases (see?https://goo.gl/BzElRC for
examples).
I think you might want to reconsider that, as over beers, the OpenSSL
team says that this type of thing really doesn't work and just causes
more problems...

But hey, remember that I'm on a project that does weekly releases
without telling anyone what the security fixes we made in them were, so
what do I know? :)

thanks,

greg k-h


Nicko van Someren <nicko@...>
 

Hi Alexis,

Thanks for that. I read through the Google Doc and added some comments.

One thing I think would be valuable to include in the security process is for there to be a broadcast mail to some 'announce' mailing list in advance of patches to high severity issues, indicating that a critical patch is imminent, with an expected release date but without full details of the issue. For large users with big IT infrastructure it may be necessary to schedule extra staff to install urgent patches quickly and having advanced notice of when this will be necessary is very helpful. Projects like OpenSSL usually send these out three days before security-critical releases (see https://goo.gl/BzElRC for examples).

Cheers,
Nicko









On Thu, Nov 10, 2016 at 10:26 AM, Alexis Richardson <alexis@...> wrote:
+nicko

On Thu, Nov 10, 2016 at 5:21 PM, Dan Kohn via cncf-toc <cncf-toc@...> wrote:
There was a question at the Kubernetes panel Monday night about how to handle security reports now that Kubernetes is a CNCF rather than a Google project.

Brandon Phillips seems to have already gotten a good start on this at https://github.com/kubernetes/kubernetes/issues/35462 and in the linked Google Doc.

I presume he and Sarah Novotny will let CNCF staff know if they want any CNCF-hosted mailing lists or other infrastructure.

But I wanted to flag this publicly in case anyone on the TOC list wanted to chime in. I'm also cc'ing Greg KH, in case he might want to add any comments about the kernel security process.
--
Dan Kohn <mailto:dan@...g>
Executive Director, Cloud Native Computing Foundation <https://cncf.io/>
tel:+1-415-233-1000

_______________________________________________
cncf-toc mailing list
cncf-toc@...
https://lists.cncf.io/mailman/listinfo/cncf-toc





--
Nicko van Someren
CTO, Linux Foundation
+1 (978) 821-0391


Chenxi Wang
 

Hi, Twistlock is a member and is a Container security company. We have been working with Google/GCP/Kubernetes for some time. We'd love to contribute. We'll start on the Github thread. 

Chenxi

On Thu, Nov 10, 2016 at 9:21 AM, Dan Kohn via cncf-toc <cncf-toc@...> wrote:
There was a question at the Kubernetes panel Monday night about how to handle security reports now that Kubernetes is a CNCF rather than a Google project.

Brandon Phillips seems to have already gotten a good start on this at https://github.com/kubernetes/kubernetes/issues/35462 and in the linked Google Doc.

I presume he and Sarah Novotny will let CNCF staff know if they want any CNCF-hosted mailing lists or other infrastructure.

But I wanted to flag this publicly in case anyone on the TOC list wanted to chime in. I'm also cc'ing Greg KH, in case he might want to add any comments about the kernel security process.
--
Dan Kohn <mailto:dan@linuxfoundation.org>
Executive Director, Cloud Native Computing Foundation <https://cncf.io/>
tel:+1-415-233-1000

_______________________________________________
cncf-toc mailing list
cncf-toc@...
https://lists.cncf.io/mailman/listinfo/cncf-toc




--
Chenxi Wang, Ph.D.
Chief Strategy Officer, Twistlock
@chenxiwang
+1.650.224.7197


alexis richardson
 

+nicko

On Thu, Nov 10, 2016 at 5:21 PM, Dan Kohn via cncf-toc <cncf-toc@...> wrote:
There was a question at the Kubernetes panel Monday night about how to handle security reports now that Kubernetes is a CNCF rather than a Google project.

Brandon Phillips seems to have already gotten a good start on this at https://github.com/kubernetes/kubernetes/issues/35462 and in the linked Google Doc.

I presume he and Sarah Novotny will let CNCF staff know if they want any CNCF-hosted mailing lists or other infrastructure.

But I wanted to flag this publicly in case anyone on the TOC list wanted to chime in. I'm also cc'ing Greg KH, in case he might want to add any comments about the kernel security process.
--
Dan Kohn <mailto:dan@linuxfoundation.org>
Executive Director, Cloud Native Computing Foundation <https://cncf.io/>
tel:+1-415-233-1000

_______________________________________________
cncf-toc mailing list
cncf-toc@...
https://lists.cncf.io/mailman/listinfo/cncf-toc



Dan Kohn <dan@...>
 

There was a question at the Kubernetes panel Monday night about how to handle security reports now that Kubernetes is a CNCF rather than a Google project.

Brandon Phillips seems to have already gotten a good start on this at https://github.com/kubernetes/kubernetes/issues/35462 and in the linked Google Doc.

I presume he and Sarah Novotny will let CNCF staff know if they want any CNCF-hosted mailing lists or other infrastructure.

But I wanted to flag this publicly in case anyone on the TOC list wanted to chime in. I'm also cc'ing Greg KH, in case he might want to add any comments about the kernel security process.
--
Dan Kohn <mailto:dan@...>
Executive Director, Cloud Native Computing Foundation <https://cncf.io/>
tel:+1-415-233-1000