Proposal: Self-Assessment of etcd
Summary
This issue is to consolidate information and coordinate discussions around the security self-assessment of the etcd sub-project, as part of a broader effort led by SIG-Security to review CNCF graduated projects.
This is a significant milestone — our first community-driven security assessment of a sub-project from a graduated CNCF project.
Goals
• Initiate and organize a self-assessment of etcd using the CNCF TAG-Security Assessment Template.
• Facilitate collaboration between SIG-Security volunteers and etcd maintainers.
• Document lessons learned to improve the process for future assessments of other CNCF projects.
Context
A security assessment typically starts with a self-assessment, ideally filled out by the project maintainers. However, given bandwidth constraints, SIG-Security volunteers have offered to take the first pass, relying on:
• Official etcd documentation
• Presentations and recorded talks
• Direct feedback and review from maintainers
Current Status
• Volunteers are studying the etcd architecture and documentation.
• Coordination with maintainers is ongoing — we appreciate their engagement despite limited time.
• Etcd Self Assessment Meeting Notes
• Etcd - Technical scope of the assessment
Next Steps
- ✅ Kick off self-assessment draft: (done)
- 📬 Share draft with maintainers for input and validation
- 🔁 Iterate based on feedback
- 📢 Publish the final self-assessment in the SIG-Security repo
- 📆 Plan for full SIG-Security review (timeline TBD)
Request for Participation
We welcome:
• Feedback on the approach
• Contributors who want to help draft or review the assessment
• Any tips or resources from past experiences assessing CNCF projects
Please comment on this issue if you’d like to be involved!