From 89a0e5ae3e31eff2403361abb57d768a3c07e079 Mon Sep 17 00:00:00 2001 From: Tim Allclair Date: Fri, 27 Jul 2018 18:34:04 -0700 Subject: [PATCH 1/3] Copy sig-charter-template to sig-auth --- sig-auth/charter.md | 66 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 sig-auth/charter.md diff --git a/sig-auth/charter.md b/sig-auth/charter.md new file mode 100644 index 00000000000..77dc777e3e4 --- /dev/null +++ b/sig-auth/charter.md 
@@ -0,0 +1,66 @@ +# SIG YOURSIG Charter + +This charter adheres to the conventions described in the [Kubernetes Charter README] and uses +the Roles and Organization Management outlined in [sig-governance]. + +## Scope + +Include a 2-3 sentence summary of what work SIG TODO does. Imagine trying to +explain your work to a colleague who is familiar with Kubernetes but not +necessarily all of the internals. + +### In scope + +Link to SIG section in [sigs.yaml] + +#### Code, Binaries and Services + +- list of what qualifies a piece of code, binary or service +- as falling into the scope of this SIG +- e.g. *clis for working with Kubernetes APIs*, +- *CI for kubernetes repos*, etc +- **This is NOT** a list of specific code locations, +- or projects those go in [sigs.yaml] + +#### Cross-cutting and Externally Facing Processes + +- list of the non-internal processes +- that are owned by this SIG +- e.g. qualifying and cutting a Kubernetes release, +- organizing mentorship programs, etc + +### Out of scope + +Outline of things that could be confused as falling into this SIG but don't or don't right now. + +## Roles and Organization Management + +This sig follows adheres to the Roles and Organization Management outlined in [sig-governance] +and opts-in to updates and modifications to [sig-governance]. + +### Additional responsibilities of Chairs + +- list of any additional responsibilities +- of Chairs + +### Additional responsibilities of Tech Leads + +- list of any additional responsibilities +- of Tech Leads + +### Deviations from [sig-governance] + +- list of other ways this SIG's roles and governance differ from +- the outline +- **If the SIG doesn't have either Chairs or Tech Leads specify that here.** + +### Subproject Creation + +Pick one: + +1. SIG Technical Leads +2. 
Federation of Subprojects + +[sig-governance]: https://github.com/kubernetes/community/blob/master/committee-steering/governance/sig-governance.md +[sigs.yaml]: https://github.com/kubernetes/community/blob/master/sigs.yaml#L1454 +[Kubernetes Charter README]: https://github.com/kubernetes/community/blob/master/committee-steering/governance/README.md From a3ae9a937b8bdaec3dcf8da379f1a310381af98f Mon Sep 17 00:00:00 2001 From: Tim Allclair Date: Fri, 27 Jul 2018 19:26:00 -0700 Subject: [PATCH 2/3] SIG Auth initial charter --- sig-auth/charter.md | 72 +++++++++++++++++++++++---------------------- 1 file changed, 37 insertions(+), 35 deletions(-) diff --git a/sig-auth/charter.md b/sig-auth/charter.md index 77dc777e3e4..9beed880ea9 100644 --- a/sig-auth/charter.md +++ b/sig-auth/charter.md @@ -1,13 +1,14 @@ -# SIG YOURSIG Charter +# SIG Auth Charter This charter adheres to the conventions described in the [Kubernetes Charter README] and uses the Roles and Organization Management outlined in [sig-governance]. ## Scope -Include a 2-3 sentence summary of what work SIG TODO does. Imagine trying to -explain your work to a colleague who is familiar with Kubernetes but not -necessarily all of the internals. +SIG Auth is responsible for the design, implementation, and maintenance of features in +Kubernetes that control and protect access to the API and other core components. This includes +authentication and authorization, but also encompasses features like auditing and some policy +(see below). ### In scope 
@@ -15,52 +16,53 @@ Link to SIG section in [sigs.yaml] #### Code, Binaries and Services -- list of what qualifies a piece of code, binary or service -- as falling into the scope of this SIG -- e.g. *clis for working with Kubernetes APIs*, -- *CI for kubernetes repos*, etc -- **This is NOT** a list of specific code locations, -- or projects those go in [sigs.yaml] +- Kubernetes authentication, authorization, audit and policy features. Examples include: + - Authentication, authorization and audit interfaces and extension points + - Authentication implementations (service accounts, OIDC, authenticating proxy, webhook, + ...) + - Authorizer implementations (RBAC + default policy, Node + default policy, webhook, ...) + - Security-related admission plugins (NodeRestriction, ServiceAccount, PodSecurityPolicy, + ImagePolicy, etc) +- The mechanisms to protect confidentiality/integrity of API data. Examples include: + - Capability for encryption at rest + - Capability for secure communication between components + - Ensuring users and components can operate with appropriately scoped permissions #### Cross-cutting and Externally Facing Processes -- list of the non-internal processes -- that are owned by this SIG -- e.g. qualifying and cutting a Kubernetes release, -- organizing mentorship programs, etc +- Consult with other SIGs and the community on how to apply mechanisms owned by SIG + Auth. Examples include: + - Review privilege escalation implications of feature and API designs + - Core component authentication & authorization (apiserver, kubelet, controller-manager, + and scheduler) + - Local-storage volume deployment authentication + - Cloud provider authorization policy + - Container runtime streaming (exec/attach/port-forward) authentication + - Best practices for hardening add-ons or other external integrations ### Out of scope -Outline of things that could be confused as falling into this SIG but don't or don't right now. 
+- Reporting of specific vulnerabilities in Kubernetes. Please report using these instructions: + https://kubernetes.io/security/ +- General security discussion. Examples of topics that are out of scope for SIG-auth include: + - Protection of volume data, container ephemeral data, and other non-API data (prefer: sig-storage + and sig-node) + - Container isolation (prefer: sig-node and sig-networking) + - Bug bounty (prefer: product security team) + - Resource quota (prefer: sig-scheduling) + - Resource availability / DOS protection (prefer: sig-apimachinery, sig-network, sig-node) ## Roles and Organization Management This sig follows adheres to the Roles and Organization Management outlined in [sig-governance] and opts-in to updates and modifications to [sig-governance]. -### Additional responsibilities of Chairs - -- list of any additional responsibilities -- of Chairs - -### Additional responsibilities of Tech Leads - -- list of any additional responsibilities -- of Tech Leads - -### Deviations from [sig-governance] - -- list of other ways this SIG's roles and governance differ from -- the outline -- **If the SIG doesn't have either Chairs or Tech Leads specify that here.** - ### Subproject Creation -Pick one: +SIG Auth delegates subproject approval to Technical Leads. See [Subproject creation - Option 1]. -1. SIG Technical Leads -2. Federation of Subprojects [sig-governance]: https://github.com/kubernetes/community/blob/master/committee-steering/governance/sig-governance.md -[sigs.yaml]: https://github.com/kubernetes/community/blob/master/sigs.yaml#L1454 +[sigs.yaml]: https://github.com/kubernetes/community/blob/master/sigs.yaml#L250 [Kubernetes Charter README]: https://github.com/kubernetes/community/blob/master/committee-steering/governance/README.md +[Subproject creation - Option 1]: https://github.com/kubernetes/community/blob/master/committee-steering/governance/sig-governance.md#subproject-creation 
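Review bot: the context line `This sig follows adheres to the Roles and Organization Management outlined in [sig-governance]` still carries the template's doubled verb ("follows adheres"); since this hunk already rewrites the surrounding Roles section, drop "follows" here rather than leaving the typo for a follow-up. In the same hunk, the `[sigs.yaml]` reference is rewritten from `#L1454` to `#L250`, a bare line-number anchor that goes stale the next time any SIG above auth gains or loses a line in `sigs.yaml`; prefer pointing at the file without a line fragment, or at a stable anchor if the rendering provides one.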
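Review bot: the Out of scope list in this hunk names the networking SIG two different ways, `sig-networking` in `Container isolation (prefer: sig-node and sig-networking)` and `sig-network` in the DOS protection item; use `sig-network` for both so the references resolve to the same group. The same list also writes `SIG-auth` ("out of scope for SIG-auth") where the rest of the charter uses `SIG Auth`. Finally, the hunk header shows the template sentence `Link to SIG section in [sigs.yaml]` surviving unchanged at the top of "In scope"; that line reads as an instruction to the charter author rather than content, so either turn it into an actual sentence ("See the SIG Auth entry in [sigs.yaml]") or remove it.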
From 41a89550ca154dbb936193f59ff53efa7d117a9b Mon Sep 17 00:00:00 2001 From: Tim Allclair Date: Fri, 27 Jul 2018 19:30:57 -0700 Subject: [PATCH 3/3] Update sigs.yaml with link to charter --- sig-auth/README.md | 2 ++ sig-auth/charter.md | 7 ++++--- sigs.yaml | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/sig-auth/README.md b/sig-auth/README.md index 0ba6d2a14cf..6befa9b4689 100644 --- a/sig-auth/README.md +++ b/sig-auth/README.md @@ -10,6 +10,8 @@ To understand how this file is generated, see https://git.k8s.io/community/gener Covers improvements to Kubernetes authorization, authentication, and cluster security policy. +The [charter](charter.md) defines the scope and governance of the Auth Special Interest Group. + ## Meetings * Regular SIG Meeting: [Wednesdays at 11:00 PT (Pacific Time)](https://docs.google.com/document/d/1FQx0BPlkkl1Bn0c9ocVBxYIKojpmrS1CFP5h0DI68AE/edit) (biweekly). [Convert to your timezone](http://www.thetimezoneconverter.com/?t=11:00&tz=PT%20%28Pacific%20Time%29). * [Meeting notes and Agenda](https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/edit#). diff --git a/sig-auth/charter.md b/sig-auth/charter.md index 9beed880ea9..541c854ebf9 100644 --- a/sig-auth/charter.md +++ b/sig-auth/charter.md @@ -7,8 +7,8 @@ the Roles and Organization Management outlined in [sig-governance]. SIG Auth is responsible for the design, implementation, and maintenance of features in Kubernetes that control and protect access to the API and other core components. This includes -authentication and authorization, but also encompasses features like auditing and some policy -(see below). +authentication and authorization, but also encompasses features like auditing and some security +policy (see below). ### In scope 
@@ -16,7 +16,8 @@ Link to SIG section in [sigs.yaml] #### Code, Binaries and Services -- Kubernetes authentication, authorization, audit and policy features. Examples include: +- Kubernetes authentication, authorization, audit and security policy features. Examples + include: - Authentication, authorization and audit interfaces and extension points - Authentication implementations (service accounts, OIDC, authenticating proxy, webhook, ...) diff --git a/sigs.yaml b/sigs.yaml index 1145bedf790..d863a0a9af8 100644 --- a/sigs.yaml +++ b/sigs.yaml @@ -252,7 +252,7 @@ sigs: mission_statement: > Covers improvements to Kubernetes authorization, authentication, and cluster security policy. - charter_link: + charter_link: charter.md label: auth leadership: chairs:
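Review bot: the `sig-auth/README.md` hunk hand-edits a file whose own context line says `To understand how this file is generated, see https://git.k8s.io/community/gener...`, so the added `The [charter](charter.md) defines the scope and governance ...` sentence may be overwritten the next time the generator runs from `sigs.yaml`. If the generator already emits a charter link from `charter_link`, drop the manual README edit and let the regeneration produce it; if it does not, the template used by the generator is the place to add the sentence, not the generated output.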
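Review bot: in the `sigs.yaml` hunk, `charter_link: charter.md` is a bare relative path, but `sigs.yaml` sits at the repository root while the file lives at `sig-auth/charter.md`; confirm that the generator resolves `charter_link` relative to the SIG's directory (as the README's own `[charter](charter.md)` link does) rather than to the location of `sigs.yaml`, otherwise the generated link will 404. The commit subject "Update sigs.yaml with link to charter" also does not mention that this patch changes the charter wording ("audit and policy" to "audit and security policy"); that wording change belongs in patch 2 of the series, where the sentence was introduced.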