📖 Fix data-at-rest claim in security self-assessment#4350
Conversation
The Non-Goals section previously stated Console does not store cluster data at rest except user preferences in SQLite. This understates what is actually persisted: GPU utilization snapshots in backend SQLite, 7-day metrics history in ~/.kc/metrics_history.json, and browser-side caches (OPFS SQLite, IndexedDB). Add a Data Storage Summary table to the Appendix with full transparency on all persistence layers. Signed-off-by: Andrew Anderson <andy@clubanderson.com>
kubestellar-prow
Bot
added
the
dco-signoff: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
✅ Deploy Preview for kubestellarconsole canceled.
|
|
👋 Hey @clubanderson — thanks for opening this PR!
This is an automated message. |
kubestellar-prow
Bot
added
the
size/S
There was a problem hiding this comment.
Pull request overview
Updates the security self-assessment to correct an inaccurate “data at rest” non-goal and to document the console’s actual persistence surfaces more explicitly for TAG-Security review.
Changes:
- Replaces the misleading “does not store cluster data at rest” claim with a more precise statement about not persisting raw K8s resource data server-side.
- Adds a new Data Storage Summary section to the Appendix describing server-side and client-side persistence layers.
- Updates the Table of Contents to include the new Appendix subsection.
|
|
||
| | Storage | Type | What is Stored | Location | Retention | | ||
| |---------|------|----------------|----------|-----------| | ||
| | **Backend SQLite** | Relational DB | User accounts, dashboard layouts, card configurations, GPU utilization snapshots, revoked JWT tokens, user analytics events, feature requests | Server: `/data/console.db` | Indefinite | |
There was a problem hiding this comment.
The Backend SQLite location and retention look inaccurate/misleading. The backend default is ./data/console.db (or DATABASE_PATH), and the Helm chart defaults to /app/data/console.db—not /data/console.db. Also, not all data in this DB is indefinite: GPU utilization snapshots are cleaned up after 90 days and revoked tokens are deleted after expires_at passes. Please update the Location/Retention cells to reflect these defaults and mixed retention.
| | **Backend SQLite** | Relational DB | User accounts, dashboard layouts, card configurations, GPU utilization snapshots, revoked JWT tokens, user analytics events, feature requests | Server: `/data/console.db` | Indefinite | | |
| | **Backend SQLite** | Relational DB | User accounts, dashboard layouts, card configurations, GPU utilization snapshots, revoked JWT tokens, user analytics events, feature requests | Server default: `./data/console.db` (or `DATABASE_PATH`); Helm default: `/app/data/console.db` | Mixed: user/configuration data retained until deleted; GPU utilization snapshots cleaned up after 90 days; revoked JWT tokens deleted after `expires_at` | |
| The following table details all data persisted by KubeStellar Console, both server-side and client-side: | ||
|
|
||
| | Storage | Type | What is Stored | Location | Retention | | ||
| |---------|------|----------------|----------|-----------| | ||
| | **Backend SQLite** | Relational DB | User accounts, dashboard layouts, card configurations, GPU utilization snapshots, revoked JWT tokens, user analytics events, feature requests | Server: `/data/console.db` | Indefinite | |
There was a problem hiding this comment.
This section says the table “details all data persisted”, but the Backend SQLite row doesn’t currently cover several server-side tables that are persisted (e.g., onboarding responses, notifications, GPU reservations, PR feedback, pending swaps/card history). Either expand the row to include these categories or reword the intro to clarify the table is a high-level summary rather than exhaustive.
|
|
||
| - Raw Kubernetes resource data (pods, deployments, services) is **not** stored server-side — it is fetched on-demand and cached only in browser storage and a 15-second in-memory server cache. | ||
| - Kubernetes **credentials** never leave the user's machine — the kc-agent proxies requests locally. | ||
| - The backend SQLite database stores user preferences and dashboard configuration, plus GPU utilization snapshots for historical trend analysis. |
There was a problem hiding this comment.
The “Key points” bullet says the backend SQLite DB stores “user preferences”, but the backend schema is primarily user accounts + dashboards/cards/config, onboarding responses, notifications, etc. To avoid confusion with browser-stored preferences (theme/UI state in localStorage), consider rephrasing this bullet to name the server-side objects explicitly (e.g., users/dashboards/cards/feature requests + GPU snapshot history).
| - The backend SQLite database stores user preferences and dashboard configuration, plus GPU utilization snapshots for historical trend analysis. | |
| - The backend SQLite database stores server-side application data such as user accounts, dashboards/cards/configuration, feature requests, and GPU utilization snapshots for historical trend analysis. |
🔄 Auto-Applying Copilot Code ReviewCopilot code review found 2 code suggestion(s) and 1 general comment(s). @copilot Please apply all of the following code review suggestions:
Also address these general comments:
Push all fixes in a single commit. Run Auto-generated by copilot-review-apply workflow. |
…eview feedback Agent-Logs-Url: https://github.com/kubestellar/console/sessions/c3bcac78-3113-4d8a-957e-a4b8e59898fa Co-authored-by: clubanderson <407614+clubanderson@users.noreply.github.com>
kubestellar-prow
Bot
added
dco-signoff: no
|
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits. 📝 Please follow instructions in the contributing guide to update your commits with the DCO Full details of the Developer Certificate of Origin can be found at developercertificate.org. The list of commits missing DCO signoff:
DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Applied all three changes in commit
|
|
Superseded — self-assessment updated directly via cncf/toc#2106 with TAG-Security reviewer feedback addressed. Will sync console copy separately. |
📌 Fixes
📝 Summary of Changes
/data/console.dbto./data/console.db(orDATABASE_PATH); Helm default/app/data/console.dbIndefiniteto mixed policy (user/config data: until deleted; GPU snapshots: 90 days; revoked JWT tokens: deleted afterexpires_at)This matters because the self-assessment is referenced in the CNCF TOC sandbox application — accuracy is critical for TAG-Security review.
Changes Made
docs/security/SELF-ASSESSMENT.mdChecklist
Please ensure the following before submitting your PR:
git commit -s)Screenshots or Logs (if applicable)
Documentation-only change — no screenshots applicable.
👀 Reviewer Notes
Cross-reference the Data Storage Summary table against:
pkg/store/sqlite.go— backend SQLite schema and cleanup jobspkg/agent/metrics_history.go— 7-day rolling metrics historyweb/src/lib/cache/— OPFS/IndexedDB browser cache layerdeploy/helm/kubestellar-console/values.yaml— HelmDATABASE_PATHdefault (/app/data/console.db)