Security policies for Kubernetes
Dan Kohn <dan@...>
alexis richardson
+nicko

On Thu, Nov 10, 2016 at 5:21 PM, Dan Kohn via cncf-toc <cncf-toc@...> wrote:
Chenxi Wang <chenxi@...>
Hi,

Twistlock is a member and is a container security company. We have been working with Google/GCP/Kubernetes for some time. We'd love to contribute. We'll start on the GitHub thread.

Chenxi

On Thu, Nov 10, 2016 at 9:21 AM, Dan Kohn via cncf-toc <cncf-toc@...> wrote:
--
Chenxi Wang, Ph.D.
Chief Strategy Officer, Twistlock
@chenxiwang
+1.650.224.7197
Nicko van Someren <nicko@...>
Hi Alexis,

Thanks for that. I read through the Google Doc and added some comments.

One thing I think would be valuable to include in the security process is for there to be a broadcast mail to some 'announce' mailing list in advance of patches to high severity issues, indicating that a critical patch is imminent, with an expected release date but without full details of the issue. For large users with big IT infrastructure it may be necessary to schedule extra staff to install urgent patches quickly, and having advance notice of when this will be necessary is very helpful. Projects like OpenSSL usually send these out three days before security-critical releases (see https://goo.gl/BzElRC for examples).

Cheers,
Nicko

On Thu, Nov 10, 2016 at 10:26 AM, Alexis Richardson <alexis@...> wrote:
--
Nicko van Someren
CTO, Linux Foundation
+1 (978) 821-0391
Greg KH <gregkh@...>
On Thu, Nov 10, 2016 at 11:05:01AM -0700, Nicko van Someren wrote:
> One thing I think would be valuable to include in the security process is for

I think you might want to reconsider that, as over beers, the OpenSSL team says that this type of thing really doesn't work and just causes more problems...

But hey, remember that I'm on a project that does weekly releases without telling anyone what the security fixes we made in them were, so what do I know? :)

thanks,

greg k-h
Nicko van Someren <nicko@...>
That's interesting feedback. I was speaking to the VP of infrastructure at a major bank last week and he said that having a heads up from OpenSSL helps him hugely and he wished that more projects did it. I also had a request from one of the CII members asking for the same thing.

Who in the OpenSSL team felt it didn't work? I would be interested to know what problems they find with this.

Cheers,
Nicko

On Thu, Nov 10, 2016 at 12:17 Greg KH <gregkh@...> wrote:
> On Thu, Nov 10, 2016 at 11:05:01AM -0700, Nicko van Someren wrote:
Nicko van Someren <nicko@...>
It's also worth noting that, precisely because the Linux kernel team put out a release every single week, the scheduling of IT resources for deployment is not a problem. People know in advance when your releases are going to drop. It is more valuable to have the advance notice if you don't have a highly regular delivery schedule.

Cheers,
Nicko

On Thu, Nov 10, 2016 at 12:21 PM, Nicko van Someren <nicko@...> wrote:
--
Nicko van Someren
CTO, Linux Foundation
+1 (978) 821-0391
Greg KH <gregkh@...>
On Thu, Nov 10, 2016 at 07:21:34PM +0000, Nicko van Someren wrote:
> That's interesting feedback. I was speaking to the VP of infrastructure at a

Users might get warm and fuzzies thinking that this is the only time they need to update, but really, they should be updating all the time. Announcing it ahead of time really doesn't help companies fix their infrastructure problems properly.

But that's my comments, and not the OpenSSL team's comments, I can't recall their exact reasons. I suggest talking to them at their next hackfest about it to get all of the details.

thanks,

greg k-h
Nicko van Someren <nicko@...>
I don't disagree, but in the absence of a highly regular release cadence, or in the case of an out-of-cycle release, it is still valuable to know when a new release is coming.

> But that's my comments, and not the OpenSSL team's comments, I can't

I will do. Thanks for raising the issue.

Cheers,
Nicko

Nicko van Someren
CTO, Linux Foundation
+1 (978) 821-0391
Greg KH <gregkh@...>
On Thu, Nov 10, 2016 at 12:41:46PM -0700, Nicko van Someren wrote:
> It's also worth noting that precisely because the Linux kernel team put out a

Ah, but I don't, I'm a horrible release maker. I did 3 releases 2 weeks ago, none last week, and then one this week. Or was it one last week, I can't remember... And all were on different days of the week, with no apparent reasoning behind when each is made[1] (some came later than announced, some earlier, and one with no announcement at all, and this was just the past 3 weeks.)

So no, no one knows when our stable kernel releases are going to happen, heck, I don't even know that :)

sorry,

greg k-h

[1] - It's my travel schedule that drives most of it, combined with when security bugs are found and fixed in Linus's tree, which happen unexpectedly as expected, or when embargoes leak early, as happened with DirtyC0w[2].

[2] - DirtyC0w is proof that even when everything goes right on the project's security team side (kernel team was properly notified of problem in the wild, fix was found, backports to all relevant kernels were made and tested, embargo was planned, distros were notified ahead of time), it's really up to the other groups you notify to not mess up in order to keep it all together, which failed horribly here (embargo was leaked to the public from a distro, random companies knew there was a pending problem weeks early due to a different leak, competing OS team decides to make fun of the situation and make a web site, etc.). So I'm really all for not telling _anyone_ outside of the project's team about security issues, as it always seems to go wrong.
Nicko van Someren <nicko@...>
I mailed a few of the OpenSSL team to ask them about this. Here's the reply from Rich Salz:
I hope that clarifies things.

Cheers,
Nicko

On Thu, Nov 10, 2016 at 12:21 PM, Nicko van Someren <nicko@...> wrote:

Nicko van Someren
CTO, Linux Foundation
+1 (978) 821-0391
Brandon Philips <brandon.philips@...>
Thanks Dan. I plan on pushing more on this post-KubeCon. Hopefully get PRs up against the documentation in the coming days.

I will take this discussion under advisement, but I think there are some clear people and process things we can get right before bike-shedding on disclosure process.

Cheers,
Brandon

On Thu, Nov 10, 2016 at 9:21 AM Dan Kohn <dan@...> wrote:
Brian Grant
+mohr

If you have feedback on the kubernetes proposal, please do provide that feedback on the doc or on the issue.

On Thu, Nov 10, 2016 at 10:05 AM, Nicko van Someren via cncf-toc <cncf-toc@...> wrote: