[Security Review] Kubeflow Project

[akgraner]

Project Name: Kubeflow Project

Github URL: https://github.com/kubeflow/kubeflow/tree/master/security

Currently, we are working with Ricardo to get Kubeflow into the CNCF, we are working on going straight into incubation - cncf/toc#1042 (incubation)

Ricardo suggested that we open this issue now, since we are in the beginning stages of setting up our security team as well as our policies and procedures. I don't think we are ready for the formal security review, but we wanted to make sure you all are aware of our on-going efforts. Please let us know what else you need from us.

CNCF project stage and issue NA

Security Provider: yes (e.g. Is the primary function of the project to support the security of an integrating system?)

• Identify team
  • Project security lead @akgraner
  • Lead security reviewer @sublimino
  • 1 or more additional reviewer(s) @krishnakv @mrcdb @vicenteherrera @victorjunlu @yfolias Observers: @krishnakv
  • Every reviewer has read security reviewer guidelines and stated declaration of conflict
  • Sign off by 2 chairs on reviewer conflicts
• Create slack channel (#sec-assess-kubeflow)
• Project lead provides draft document - see outline
• "Naive question phase" Lead Security Reviewer asks clarifying questions
• Assign issue to security reviewers
• Initial review
• Presentation & discussion
• Share draft findings with project
• Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
• CNCF TOC presentation (if requested by TOC)

[mrcdb]

Have you already performed a self-assessment for the project or something similar that you could share to kickstart the discussion? Thanks!

[krishnakv]

I would like to volunteer for this review, please. I have no soft or hard conflicts to report.

[JustinCappos]

Please ping us once you have a draft of the self-assessment and we can start to put a team together.

[sublimino]

Hi @akgraner and team!

I'll be the lead security reviewer for this project.

Do you have any inclination of when you'll be ready to start considering the self-assessment process?

We also have a Security Pals process that can assist you with preparing for the self assessment document if that would be of interest.

I've created a sec-assess-kubeflow channel if you'd like to discuss anything on Slack 🙏

[akgraner]

Hi Andrew et al, Thank you so much. We’re shooting for the end of August. Yes, the Security Pals process would be of interest. I’ve been looking through your guides and checklists so I can share with the team and we can start going through it. Anything you can/would like to share would be greatly appreciated. With gratitude, ~akgraner on behalf of the Kubeflow Security Team

On Thu, Aug 3, 2023 at 8:38 AM Andrew Martin ***@***.***> wrote: Hi @akgraner <https://github.com/akgraner> and team! I'll be the lead security reviewer for this project. Do you have any inclination of when you'll be ready to start considering the self-assessment process? We also have a Security Pals process that can assist you with preparing for the self assessment document if that would be of interest. I've created a sec-assess-kubeflow <https://app.slack.com/client/T08PSQ7BQ/C05L2H3CKJR> channel if you'd like to discuss anything on Slack 🙏 — Reply to this email directly, view it on GitHub <#1079 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABPJ3ZOAGEIICZ2KPAEZIBTXTOSV5ANCNFSM6AAAAAAYMK6XZU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Sent from Gmail Mobile

[yfolias]

I would like to volunteer for this review as well, if possible. No soft or hard conflicts on my end

[akgraner]

Thank you all so very much.

On Sat, Aug 12, 2023 at 2:29 PM Yannis Folias ***@***.***> wrote: I would like to volunteer for this review as well, if possible. No soft or hard conflicts on my end — Reply to this email directly, view it on GitHub <#1079 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABPJ3ZNXVLDLTUQPOB7DFMDXU7KQJANCNFSM6AAAAAAYMK6XZU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Sent from Gmail Mobile

[victorjunlu]

@sublimino Interested in volunteering for this review. This will be my second time volunteering as tag security reviewer. No conflict on my end.

[sublimino]

Hi @akgraner and team! I hope you've had a great summer. Do you have any indications of your timescale to start this assessment?

[vicenteherrera]

Hi, I would like also to help when this work continues. No conflicts here, just I'm usually into many fronts, but I'll find time for this.