Publish threat model in documentation #6263
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: evankanderson

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
✅ Deploy Preview for knative ready! Built without sensitive environment variables.
| * [Threat model](https://github.com/knative/community/blob/main/working-groups/security/threat-model.md) | ||
| ## Code Signature Verification |
I moved this to verifying-cli.md, as it didn't really fit with the rest of the overview.
bump @davidhadas
| TeamIdentifier=7R64489VHL | ||
| ``` | ||
| ## Report a vulnerability |
I believe we were planning to move from mailing a report to GitHub for reporting a security vulnerability. This does not have to be done in this PR, but I thought to bring this up in case we choose to also do it here.
I was going to do that as a follow-on, as we haven't set up private vulnerability reporting consistently on all the repos yet.
| @@ -0,0 +1,373 @@ | |||
| # Knative Threat Model | |||
|
|
| This document describes the Knative threat model. When vulnerabilities are | |||
This first paragraph tries to answer the question of when we use the Knative threat model, rather than describing what it is or giving any useful information about it. I think it is a side note on how we may use it and not a good way to start the document.
I moved this paragraph to a "Usage of this document" coda.
| supply chain security threats (which it largely inherits from | ||
| [CNCF Buildpacks](https://buildpacks.io/)). | ||
|
|
| Knative builds on the capabilities of the Kubernetes cluster, and exposes both |
This second paragraph seems to frame the Knative threat model and its relationship with best practices. Again, I do not think it is a helpful starting statement for a page spelling out what the Knative threat model is. The information should be in the doc, but we first need to lay out what the Knative threat model is...
Moved this later in the document.
| example, Knative Serving routes and Kubernetes NetworkPolicy) will be called | ||
| out. | ||
|
|
| Knative aims to support application teams from a single organization working in |
This third paragraph does provide some information about what the threat model is. I do think we need to find a way to make it more comprehensive and say what it is and not what it is not (i.e. not talk about multiple clusters in here; multiple clusters can be discussed in a later limitations section maybe). Maybe start by stating that Knative is an extension to the Kubernetes control plane that automates certain Kubernetes control mechanisms, offering a more abstracted service to users. Give some more information about what a Knative service is and what it encompasses, stating the association between users and namespaces, the association between resources and namespaces, and between Knative services and namespaces.
Then we can move on to make some initial statement on the security model, e.g. that the security threat model includes attacks by malicious Knative users, or by other Kubernetes users, or by other unauthorized users on the Knative control plane, or on resources/services/namespaces that are not designated to them and.... (see what else we should say in this initial description of the threat model). Once we put all that in writing we can draw the line to say that the Knative Threat Model does not include.... attacks on the underlying Kubernetes system unless they are facilitated by Knative's presence, and our assumptions about Kubernetes following best practices. In this context we should say that it is Knative's responsibility to ensure Knative services follow best practices by default, but Knative may support user configurations which do not support best practices as long as users actively set them as such.... etc.
Thanks for the feedback! I've moved this to the first paragraph, to define the goals of the project. As this threat model aims to cover both serving and eventing, I'm not sure that defining what a Knative Service is (and not what Brokers, Triggers, Sources, etc are) makes sense here, rather than by linking to the existing component descriptions.
I added a sentence here to clarify what the namespace-as-a-service tenancy model means:
Each team (users in a namespace) should be isolated from affecting the
configuration, availability, or integrity of applications in other namespaces.
I made some changes to make it more specific to Knative, to start highlighting the threat model of Knative - beyond the one of K8s.
The main theme of this doc in my view is:
We extend the K8s control plane.
We have these actors and components (teams in namespaces etc., components in the control plane...).
Our control plane has Admin privileges and serves all teams.
Threats:
- There are threats that teams will attack the control plane.
- There are threats that teams will attack each other.
- There are threats that others on the same cluster will attack the control plane.
- There are threats that others on the same cluster will attack one of the teams (or its application).
- There are threats that a third party will attack the control plane.
- There are threats that a third party will attack one of the teams (or its application).
I think these are the 6 main bundles of threats to point out and analyze in some high level suitable for this doc.
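The "teams attack each other" bundle in the comment above is the one that namespace-level tenancy controls address most directly, and the diff itself names Kubernetes NetworkPolicy as a mitigation. As an added illustration (not part of this PR, and not the Knative project's own configuration), the following pair of NetworkPolicy objects shows a too-permissive policy beside a default-deny baseline that still leaves open the paths a Knative Service needs. The namespace name `team-a` is constructed; `knative-serving` is where the activator and autoscaler run, while `kourier-system` is an assumption that depends on which networking layer the cluster installed (net-istio uses `istio-system`). The `kubernetes.io/metadata.name` namespace label is set automatically by Kubernetes 1.22 and later.

```yaml
# Added example, not from the Knative docs. Namespace and label names are assumptions.
#
# Weak: every namespace in the cluster may open connections to pods in team-a,
# so a workload owned by another team can reach team-a's pods directly,
# bypassing the Knative ingress path entirely.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-namespaces
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector: {}   # empty selector matches ALL namespaces
---
# Corrected: deny by default, then admit only the sources a Knative Service
# needs. Because podSelector is empty, the policy applies to every pod in
# team-a, including Knative revisions created later.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-isolation
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        # Pods inside team-a may talk to each other.
        - podSelector: {}
        # Knative control plane: the activator proxies requests while scaling
        # from zero, and the autoscaler scrapes the queue-proxy sidecar.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: knative-serving
        # Ingress gateway namespace (assumption: Kourier). Cluster-external
        # requests enter through here rather than from arbitrary namespaces.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kourier-system
  egress:
    # With "Egress" listed, everything not matched below is blocked.
    # DNS to the cluster resolver is the minimum any workload needs.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicy is only enforced when the cluster's CNI plugin supports it, so a quick check is to apply the corrected policy and confirm from a pod in another namespace that a direct connection to a team-a pod IP times out while a request through the Knative route still succeeds. Any outbound dependencies of the application (databases, event brokers, external APIs) need their own explicit egress rules on top of the DNS rule shown here.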
…troller and webhook functionality and update targets of threats
@davidhadas @evankanderson anything else here?
This looks valuable to me as is. /lgtm
* Publish threat model in documentation
* Separate security contents a bit more, update link to threat model, update nav
* Add a section on supply chain and SBOM/SLSA mitigation
* Update threat model with feedback from David Hadas
* Update introduction with content from davidhadas, add sections on controller and webhook functionality and update targets of threats
* Phase 1: Adding documentation metadata tags (#6274)
* Add metadata tags for documentation
* Add classification for about 2/3rds of docs (func + eventing)
* Add classification for remainder of docs (serving+install)
* Add mermaid support (#6327)
* Publish threat model in documentation (#6263)
* Publish threat model in documentation
* Separate security contents a bit more, update link to threat model, update nav
* Add a section on supply chain and SBOM/SLSA mitigation
* Update threat model with feedback from David Hadas
* Update introduction with content from davidhadas, add sections on controller and webhook functionality and update targets of threats
* content tab fixes, added success output for kn func (#6367)
* Add dry run section and take out old feature flag in serving (#6366)
* add dry run section
* drop mention of old feature flag
* fix casing on nav
* update docs to be more clear and include inline example

--------

Co-authored-by: Dave Protasowski <[email protected]>

* Attempt to rebuild docs build process, inspired by #6319 (#6371)
* Attempt to rebuild docs build process
* Use a more modern python version
* Fix strict verify, hide versions on unversioned pages
* Fix search with mkdocs typescript patches (vendored). (#6392) Hopefully, this can be fixed upstream via PR shortly.
* Installation Doc Updates (#6395)
* Installation Doc Updates: Improve installation guidance
* Formatting fix
* Update docs/install/README.md: link fix (Co-authored-by: Evan Anderson <[email protected]>)
* Update docs/install/README.md: link fix (Co-authored-by: Evan Anderson <[email protected]>)
* link fix and table update: More writing
* Update README.md: Misc edits
* Update README.md: Minor edits
* Adding install-kn to PR: Consolidating CLI installations into this topic.
* Update install-kn.md: Changing red bug alert to important. The old syntax was: ??? bug "Having issues upgrading `kn` to Homebrew?"
* Update install-kn (snippet): Removed alert formatting
* Added quickstart-install.md: Various edits
* Fixes and reviewed edits: Made Evan suggestions, table column test, spelling fixes
* Update quickstart-install.md: link fix
* Update README.md: Replaced the table with a bulleted list approach.
* Update README.md: Put back the table
* Added serving and eventing install topics: Updated topics per effort, consolidating guidance
* Link fixes
* Made Evan's edits
* Various updates: All files added for this PR.
* Link fix
* Formatting fixes
* Formatting and consistency fix
* Update docs/install/operator/knative-with-operator-cli.md (Co-authored-by: Evan Anderson <[email protected]>)
* Update docs/client/install-kn.md (Co-authored-by: Evan Anderson <[email protected]>)

--------

Co-authored-by: Evan Anderson <[email protected]>

* Fix edit page links, move technical docs under sub-heading (#6398)
* Fix edit links by moving docs content under a dedicated subdirectory
* Fix edit links by moving docs content under a dedicated subdirectory
* Add High availability documentation section for eventing (#6401): I have copy-pasted from the Knative Serving documentation page the block as I found it missing when configuring it.
* Update proc-running-function.md (#6400): Undo separate kn func output for invoke
* Add a note that Apache Kafka is required to use EKB (#6404)
* Move install docs to administration (#6403)
* Fix trailing newline complaints
* Fix redirects from #6398

--------

Co-authored-by: Bruce Hamilton <[email protected]>
Co-authored-by: Alexander-Kita <[email protected]>
Co-authored-by: Dave Protasowski <[email protected]>
Co-authored-by: Aurélien Joga <[email protected]>
Co-authored-by: Christoph Stäbler <[email protected]>
Check in a formal threat model, following up on the commitment in cncf/toc#1509 (comment). (Better late than never!)
Proposed Changes
`community` repo with the AdaLogics report, and adds a bunch of new content that I've been meaning to write. It does not currently include diagrams, though I may add some later.

Once this is merged, I intend to redirect the draft threat model from the `community` repo to this documentation.