Kubernetes 3rd Party Security Audit Findings #81146
Comments
k8s-ci-robot
added
the
needs-sig
|
thanks for logging these tickets, that's some heavy duty! /remove-kind feature |
k8s-ci-robot
added
kind/bug
|
/wg security-audit |
k8s-ci-robot
added
wg/security-audit
|
As far as the affected versions / branches, I know 1.13.4 was tested. Which versions / branches are affected? Everything from 1.13.4 -> 1.15.2? |
|
@cji I know this is also visible below but maybe it is worth to have another column with 'Status'? On the other hand this would require updating it manually :/. |
|
@jdelta-RBS I think the answer is going to vary based on the issue, making it hard to say for sure. Some of these issues are longer term feature requests that have never existed, so they would affect every version. Others would need to be git blamed to look when the code was introduced to get a real understanding of the versions/branches that are affected, and that has not been done. |
|
@disconnect3d great idea! especially now that some of these are being closed as wontfix or duplicates of other issues, I agree having a status column is helpful to understand the current situation more than just seeing a "closed" label on the referenced issues. I've added the column and will do my best to keep things mostly up to date! |
|
@cji the status gives the impression that the #81111 issue is closed but the duplicate #18982 is still open. Since it is an issue tracker, it might be confusing for some readers. The issue is still "to be solved" but is tracked by #18982. Same for #81136. Was just wondering if there was a need to indicate that some issues reported by the audit are closed but still not solved. |
|
@fduthilleul Thank you! I've attempted to clarify the wording one those two rows. Does that look better? |
|
@cji LGTM thanks for considering my comment. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
/lifecycle frozen |
k8s-ci-robot
added
the
lifecycle/frozen
|
@cji can you please update the item 29 with: Closed, resolved with CoreDNS v1.6.2. #81137 (comment) |
|
@pjbgf certainly :) thanks for all your work on these issues! |
|
FYI, the location of the 2019 audit materials has changed. They can now be found in https://github.com/kubernetes/community/tree/master/sig-security/security-audit-2019 . For example, the final report is at https://github.com/kubernetes/community/raw/master/sig-security/security-audit-2019/findings/Kubernetes%20Final%20Report.pdf . |
|
/sig security |
k8s-ci-robot
added
the
sig/security
|
May I ask what tool do you use to find these issues? Because I find that the Security Audit Working Group site has been closed. |
This issue is to track the findings from the recent 3rd party security audit of Kubernetes performed by Trail of Bits and Atredis on behalf of the CNCF. The intent is to have a place to track the community's response and remediation to these issues now that they've been made public.
The full output of the assessment is available on the Security Audit Working Group site, and this issue specifically tracks the findings from the Security Assessment Report.
The text was updated successfully, but these errors were encountered: