Argo Project Graduation Proposal #604
I'd like to sponsor. |
Yay! |
Given that the Security audit and the CII badges are marked as not completed, this project is not currently eligible for Graduation. The wording for CII is "Have achieved and maintained a Core Infrastructure Initiative badge", so it is clearly intended that they be completed before, not at the moment of graduation. Can we close this and re-apply after the criteria are met? |
@justincormack - where are you looking for the badges please? Argo Workflow has its badge: https://github.com/argoproj/argo-workflows I'm not sure about CD/rollouts. |
The text of the proposal says "Core Infrastructure Initiative Best Practices Badges have been completed for Argo Workflows and Events and are in progress for Argo CD and Rollouts." Due to renames, it's pretty confusing as the badge project does not seem to list workflows on a search for argo, and shows another (failing) entry as https://bestpractices.coreinfrastructure.org/en/projects/1446 so it needs cleaning up. https://bestpractices.coreinfrastructure.org/en/projects?q=argo |
Thanks for the heads-up. I'll fix the broken link. |
1446 should be ignored, I don't know the person who completed that. |
@justincormack Thanks for your comments and attention. |
Signed-off-by: Edward Lee <edward_lee@intuit.com>
Adding SIG App Delivery for review, can easily be changed if there's a better fit for a different SIG. |
@amye @resouer i am happy to pick up from @michelleN to help with the process side of graduation here. thanks @michelleN ! |
@dims More than welcome! The current stage is that the DD doc is under drafting and we are trying to schedule interview meetings with end users from Argo, let's follow up in the slack channel. |
Thank you, @dims! It will be great to have you. Will add you to the argo-graduation slack channel. |
As I understand it the Trail of Bits review recommended a further assessment after the identified issues had been addressed, so that's not a new suggestion. The TOC has a broader concern, that (as indicated by the audit) security needs to be more closely considered as part of the "culture" of the project. It's not just a question of fixing the issues that have been identified, it's also about making sure that the project carefully considers the security implications going forward. This is especially crucial for a project like Argo that's so intertwined with the software supply chain. The recommendation to work with TAG Security and get a Security Buddy is intended to help address this. The recommendation to close this PR doesn't mean that you have to throw away the work so far and start again, although the sponsor might want to do some "refresh" e.g. speak to some more end users. It's really so that we are all clear that the TOC isn't ready to pass a graduation vote at this time. I don't see any reason why this same PR couldn't be re-opened to indicate when you think the security culture of the project is more mature and deserves another look from the TOC. |
@lizrice after reviewing with the rest of the project I think there's a lot happening on security that is simply not as visible as it should be so we'd like to help make sure all of that is visible and I think it will go a long way to show how security is embedded into the culture of the project. Before we close the PR, I think we can update on that. |
Folks, it's been a few months, how far did you all get with the last round of feedback? thanks! |
Security has always been important to the Argo project and the 100s of companies that use our projects in production, as they are very often critical components of platforms and infrastructure. Spurred by the initial comments in the graduation PR almost a year ago and the TOC comments through Liz above, we have been increasing our efforts not only to strengthen our security, but also to make sure the community and our users are aware of the efforts. Below is a summary of work that the project has completed or is in the process of completing.
A lot of work has gone into, and will continue to go into, making and keeping all the Argo projects secure and we are thankful for the resources that have been made available to us from the CNCF! |
Thanks!
Got it.
Is this already documented somewhere? that is easy to find? Who is on it? (from which companies?)
Same as above, can you please share urls?
Nice!
What state of the RFP process are we in? Has it gotten to the point of selecting vendors?
This one right? cncf/tag-security#554 Our newly elected TOC member @TheFoxAtWork indicated that it may take a few months for the 4 sub-projects in Argo
Glad to hear this!
Is there a schedule for the blogs?
+1 Some other notes:
(edited out answered parts for brevity)
This was discussed, decided and documented in our weekly maintainer meeting. Right now, it consists of volunteers from the maintainer group and has had representation from Intuit, Red Hat, Codefresh and Akuity, but the individuals haven't been externalized other than in the meeting notes.
The security.md files never got updated. The PRs have been filed. Thanks for catching!
The process was started in Nov last year and we are still waiting for OSTIF to complete the RFP write-up, so we are not in selection yet.
Yes. We have done the first few rounds of Q&A and information sharing with the STAG, so the actual reviews are planned to start in February, with each project taking 1-2w to complete.
The first one should be within a few weeks, as mentioned, and then the plan is to have them on a ~2-3w cadence.
As you noted, the page has been deprecated in favor of the two github pages that hold the advisories and policy. The plan is to keep that content in github, but we'll look into improving that page as part of our upcoming doc re-write.
See above, this should have been fixed with updated security.md files. Should be corrected once the PRs are merged
Duly noted. We'll look into updating the web pages with this as part of our planned refresh/re-write of the docs.
Good idea. We'll bring that up in our next SIG Security meeting. |
The first blog post in our security series that will include best practices, details on security work we have done etc has been published today. https://blog.argoproj.io/best-practices-for-multi-tenancy-in-argo-cd-273e25a047b0 |
Our next blog, outlining the work done together with CNCF and Adalogics, to implement fuzzing, is now live. |
After some great work by the project and the team over at Ada Logics, we have completed our second external security audit and the report has been published: Security Audit report |
@hblixt when you have gone through all the feedback above and feel ready, can you please drop an email to cncf-toc@ to restart things. It would be useful to update the DD doc (is there one already?) as well with info on how far security has gotten and will be an ongoing / sustainable effort. thanks, PS: restart here I mean, continue from the point where things were left off! |
The DD document has been updated and email to the TOC sent. |
Hi Ed,
Please consider taking my changes to keep it up to date
Hong
Co-authored-by: Hong Wang <2680725+wanghong230@users.noreply.github.com>
@wanghong230 Changes accepted |
Argo has been approved for graduation: https://lists.cncf.io/g/cncf-toc/message/7674 |
This is a proposal for graduating the CNCF Argo Project.
Kind Regards