
Nurturing Security Permaculture: Kubernetes SIG Security Update

2023-04-19

Authors: Savitha Raghunathan, Tabitha Sable, Mahé Tardy, Ala Dewberry


Summary

The conference presentation discusses various sub-projects under Kubernetes SIG Security, including self-assessment, tooling, and third-party security audit. The focus is on improving the security posture of Kubernetes and supporting developers in deploying applications securely.
  • Kubernetes SIG Security has several sub-projects aimed at improving the security of Kubernetes and supporting developers in deploying applications securely
  • The self-assessment sub-project aims to determine the security posture of workflows by answering two questions
  • The tooling sub-project focuses on building and improving the security of the project and creating a space for new contributors to share and learn
  • The third-party security audit sub-project facilitates regular expert audits by third-party auditing firms to improve the security of Kubernetes code and design
  • The recent audit report identified several medium and low-level findings, which have been addressed by the security response committee and the SIGs
  • The sub-projects are looking for new contributors and maintainers interested in improving Kubernetes security

The self-assessment sub-project aims to answer two questions: what is the security posture of the workflow being assessed, and what can be done to improve it? This involves evaluating the security controls in place, identifying gaps and weaknesses, and providing recommendations for improvement. For example, a self-assessment of a Kubernetes deployment may reveal that the cluster is not properly configured, leaving it vulnerable to attacks. The assessment may recommend implementing RBAC policies, enabling network policies, and using secure communication channels to improve the security posture of the deployment.

Abstract

SIG Security takes a community-building approach to improving Kubernetes security, both for the project itself and our end users. Join contributors Savitha, Ala, Mahé, and Tabitha for an overview of how we make space for security collaboration to thrive. We'll share timely updates from our documentation, third-party audit, self-assessments, and tooling subprojects. You'll learn what's been going on, what’s next, and how you could join in, regardless of your experience from beginner to expert. We hope to see you there!

