add security self-assessment for project kcp #2209
Signed-off-by: Simon Bein <simontheleg@gmail.com>
Co-authored-by: Marvin Beckers <mail@embik.me>
JustinCappos
left a comment
This looks pretty good. Can you address the comments I have and integrate those into the text (not just reply to my comments)?
I think this will be ready to merge soon.
| #### kcp Server Components | ||
| * **Workspaces**: The primary user-facing unit of tenancy and isolation. From a user's perspective, a Workspace is a fully-isolated, Kubernetes-like cluster with its own unique API endpoint, CustomResourceDefinitions (CRDs), and RBAC policies. |
Can you explain more about how this is isolated from other actors? How does one interface with this in a trustworthy manner?
| * **Workspaces**: The primary user-facing unit of tenancy and isolation. From a user's perspective, a Workspace is a fully-isolated, Kubernetes-like cluster with its own unique API endpoint, CustomResourceDefinitions (CRDs), and RBAC policies. | ||
| * **Logical Clusters**: The underlying implementation construct for a Workspace. A logical cluster is a logical partition within the kcp data store (etcd), ensuring that objects from different workspaces are stored in disjoint key prefixes, which is the primary mechanism for enforcing isolation. The goal is to make creating a logical cluster as cheap and fast as creating a Kubernetes namespace. |
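Review bot: The Logical Clusters bullet calls disjoint etcd key prefixes "the primary mechanism for enforcing isolation", but it does not say which component maps an incoming request to its prefix or whether client-supplied input can influence that mapping. Suggest adding a sentence that names the component responsible for choosing the prefix and states what a tenant can and cannot control about it, so the isolation claim in this bullet can be checked against the Security Goals section.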
Do you have other performance / side channel concerns as a result? (This likely goes in non-goals for your system as well.)
| * **Virtual Workspaces**: Endpoints that provide a Kubernetes-like API interface, but are not backed by a logical cluster for storage. They provide a computed "view" of certain resources across logical clusters. The exact semantics depend on the virtual workspace implementation, different virtual workspace endpoints provide different views according to their role. Access to virtual workspace endpoint is guarded by RBAC. | ||
| * **Shards**: A running instance of the kcp server process. Each shard hosts a set of logical clusters, and a full kcp installation can be composed of many shards to achieve horizontal scalability. |
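Review bot: In the Virtual Workspaces bullet, "Access to virtual workspace endpoint is guarded by RBAC" does not say whose RBAC policies are evaluated, even though the same bullet describes a view "across logical clusters" and the Workspaces bullet gives each workspace its own RBAC policies. Suggest stating which workspace's policies authorize a request to a virtual workspace endpoint. As a style point, "depend on the virtual workspace implementation, different virtual workspace endpoints provide" is a comma splice and would read better as two sentences, and "virtual workspace endpoint" needs an article or a plural.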
How are these coordinated? Are these trusted by other shards? What happens if a shard is compromised / buggy?
| ##### kcp Components | ||
| * **kcp**: The `kcp` binary provides the means to run a kcp shard (see above). It can either be launched completely standalone and then embeds a "mini" front-proxy, virtual-workspaces and a cache-server to run a fully functional kcp instance, or be run just to serve API endpoints and run controller loops. |
Is this a trusted component? How does this auth?
| kcp provides resources dedicated to managing available APIs in a Workspace. | ||
| * **APIExport**: Allows a service provider in one workspace to publish an API for consumption by other workspaces. |
What if the same API is published for consumption by different parties? Is this namespaced somehow? If so, how is the namespacing securely defined / allocated? If not, what happens if there is a conflict?
| #### Security Goals | ||
| * **Strict Workspace Isolation:** Ensure that tenants in one Workspace cannot see, access, or affect resources in another Workspace unless explicitly authorized. This is the core security boundary of the system. |
I think performance interference + side channels are likely out of scope
| Security vulnerability reports are handled via GitHub's security issue reporting feature, available [here](https://github.com/kcp-dev/kcp/security). The Security Response Team triage and respond to security issues reported privately through the tool. | ||
| Please see the complete [security release process](https://github.com/kcp-dev/kcp/blob/main/SECURITY.md) for further details. |
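Review bot: In the vulnerability-reporting paragraph, "The Security Response Team triage and respond to security issues" has a subject-verb mismatch; suggest "triages and responds". The link text "here" also gives no hint of its destination, so consider linking a descriptive phrase such as the repository's security page instead.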
add security self-assessment for project kcp
moved per request from #1815 (comment)