Argo Project Graduation Proposal #604

Merged
merged 14 commits into from Dec 7, 2022
Conversation

edlee2121
Contributor

@edlee2121 edlee2121 commented Feb 9, 2021

This is a proposal for graduating the CNCF Argo Project.

Kind Regards

@edlee2121 edlee2121 changed the title Argo2 Argo Project Graduation Proposal Feb 9, 2021
@amye amye added this to Needs TOC Triage & Public Comment Kickoff in Graduating Projects Backlog Feb 9, 2021
@amye amye added the graduation label Feb 9, 2021
Base automatically changed from master to main February 10, 2021 20:33
@resouer
Contributor

resouer commented Feb 11, 2021

I'd like to sponsor.

@chris-short

Yay!

@justincormack
Contributor

Given that the Security audit and the CII badges are marked as not completed, this project is not currently eligible for Graduation. The wording for CII is "Have achieved and maintained a Core Infrastructure Initiative badge", so it is clearly intended that they be completed before, not at the moment of graduation. Can we close this and re-apply after the criteria are met?

@alexec

alexec commented Feb 15, 2021

@justincormack - where are you looking for the badges please?

Argo Workflow has its badge: https://github.com/argoproj/argo-workflows
Argo Events also has its badge: https://github.com/argoproj/argo-events

I'm not sure about CD/rollouts.

@justincormack
Contributor

The text of the proposal says "Core Infrastructure Initiative Best Practices Badges have been completed for Argo Workflows and Events and are in progress for Argo CD and Rollouts."

Due to renames, it's pretty confusing, as the badge project does not seem to list workflows on a search for argo, and shows another (failing) entry as https://bestpractices.coreinfrastructure.org/en/projects/1446, so it needs cleaning up.

https://bestpractices.coreinfrastructure.org/en/projects?q=argo

@alexec

alexec commented Feb 15, 2021

Thanks for the heads-up. I'll fix the broken link.

@alexec

alexec commented Feb 15, 2021

1446 should be ignored, I don't know the person who completed that.

@edlee2121
Contributor Author

@justincormack Thanks for your comments and attention.
Would you be interested in co-sponsoring this proposal?

@jessesuen

All four of the projects have passing badges now:

Project    Badge
CD         CII Best Practices
Rollouts   CII Best Practices
Workflows  CII Best Practices
Events     CII Best Practices

Signed-off-by: Edward Lee <edward_lee@intuit.com>
@amye
Contributor

amye commented Mar 17, 2021

Adding SIG App Delivery for review, can easily be changed if there's a better fit for a different SIG.

@dims
Member

dims commented Mar 31, 2021

@amye @resouer I am happy to pick up from @michelleN to help with the process side of graduation here. Thanks @michelleN!

@resouer
Contributor

resouer commented Mar 31, 2021

@dims More than welcome! The current stage is that the DD doc is under drafting and we are trying to schedule interview meetings with end users of Argo; let's follow up in the Slack channel.

@edlee2121
Contributor Author

edlee2121 commented Mar 31, 2021

Thank you, @dims! It will be great to have you. I will add you to the argo-graduation Slack channel.
And thank you @michelleN for all your help thus far.

@lizrice
Contributor

lizrice commented Nov 17, 2021

As I understand it the Trail of Bits review recommended a further assessment after the identified issues had been addressed, so that's not a new suggestion. The TOC has a broader concern, that (as indicated by the audit) security needs to be more closely considered as part of the "culture" of the project. It's not just a question of fixing the issues that have been identified, it's also about making sure that the project carefully considers the security implications going forward. This is especially crucial for a project like Argo that's so intertwined with the software supply chain. The recommendation to work with TAG Security and get a Security Buddy is intended to help address this.

The recommendation to close this PR doesn't mean that you have to throw away the work so far and start again, although the sponsor might want to do some "refresh" e.g. speak to some more end users. It's really so that we are all clear that the TOC isn't ready to pass a graduation vote at this time. I don't see any reason why this same PR couldn't be re-opened to indicate when you think the security culture of the project is more mature and deserves another look from the TOC.

@lumjjb
Contributor

lumjjb commented Nov 19, 2021

TAG-Security is working with Argo now on a security joint review - that is being kicked off now. This will help educate us in how the security pals effort can be directed to benefit the Argo project. Review leads: @jlk @IAXES.

Ref: cncf/tag-security#739

@todaywasawesome

@lizrice After reviewing with the rest of the project, I think there's a lot happening on security that is simply not as visible as it should be, so we'd like to help make sure all of that is visible, and I think it will go a long way to show how security is embedded into the culture of the project.

Before we close the PR, I think we can update on that.

@dims
Member

dims commented Feb 2, 2022

Folks, it's been a few months; how far did you all get with the last round of feedback? Thanks!

@hblixt

hblixt commented Feb 2, 2022

Security has always been important to the Argo project and the 100s of companies that use our projects in production, as they are very often critical components of platforms and infrastructure. Spurred by the initial comments in the graduation PR almost a year ago and the TOC comments through Liz above, we have been increasing our efforts not only to strengthen our security, but also to make sure the community and our users are aware of the efforts. Below is a summary of work that the project has completed or is in the process of completing.

  • We fixed all relevant security issues that were brought up in the external security assessment last year, many before the report was even published.
  • A SIG Security group has been formed within the project to align between the four projects and to raise and prioritize any security-related issues or concerns.
  • The project security policies and contacts have been reviewed to make sure escalation paths are clear and that there are clear responsibilities and associated maintainers.
  • Together with CNCF, we have completed a project to integrate fuzzing through OSS-Fuzz, and there are now 33 fuzzers running against our code, with very good results. Big thanks to CNCF for sponsoring this!
  • We are working through the RFP process with CNCF to ensure that the issues and recommendations from the previous assessment have been addressed, but also to get onto a path of continuity, as our projects move fast and add features at a rapid pace:
    • an additional external security review to be completed ASAP
    • a yearly external security review
  • There is a security assessment underway with the CNCF Security STAG, as a complement to the external assessments, to ensure alignment with any CNCF best practices and recommendations.
  • The project was assigned a security buddy from the security TAG, which has met with the team and is involved in the Security TAG assessment.
  • And lastly, the work that has been completed has shown that our security is good, both in terms of absolute numbers and in comparison to other CNCF projects, but it has not been well-communicated. To address this we have a series of blogs planned that will go into much more detail on the status of all our efforts. We hope to have the first one out before the end of the month.

A lot of work has gone into, and will continue to go into, making and keeping all the Argo projects secure and we are thankful for the resources that have been made available to us from the CNCF!

@dims
Member

dims commented Feb 2, 2022

Security has always been important to the Argo project and the 100s of companies that use our projects in production, as they are very often critical components of platforms and infrastructure. Spurred by the initial comments in the graduation PR almost a year ago and the TOC comments through Liz above, we have been increasing our efforts not only to strengthen our security, but also to make sure the community and our users are aware of the efforts. Below is a summary of work that the project has completed or is in the process of completing.

Thanks!

  • We fixed all relevant security issues that were brought up in the external security assessment last year, many before the report was even published.

Got it.

  • A SIG Security group has been formed within the project to align between the four projects and raise and prioritize any security related issues or concerns

Is this already documented somewhere that is easy to find? Who is on it (from which companies)?

  • The project security policies and contacts have been reviewed to make sure escalation paths are clear and that there are clear responsibilities and associated maintainers

Same as above, can you please share urls?

  • Together with CNCF, we have completed a project to integrate fuzzing through OSS-Fuzz and there are now 33 fuzzers that are now running against our code, with very good results. Big thanks to CNCF for sponsoring this!

Nice!

  • We are working through the RFP process with CNCF to ensure that the issues and recommendations from the previous assessment have been addressed, but also to get on to a path of continuity as our projects move fast and add features at a rapid pace.

    • an additional external security review to be completed ASAP
    • a yearly external security review

What state of the RFP process are we in? Has it gotten to the point of selecting vendors?

  • There is a security assessment underway with the CNCF Security STAG, as a complement to the external assessments, to ensure alignment with any CNCF best practices and recommendations

This one, right? cncf/tag-security#554 Our newly elected TOC member @TheFoxAtWork indicated that it may take a few months for the 4 sub-projects in Argo.

  • The project was assigned a security buddy from the security TAG, which has met with the team and is involved in the Security TAG assessment.

Glad to hear this!

  • And lastly, the work that has been completed has shown that our security is good, both in terms of absolute numbers and in comparison to other CNCF projects, but it has not been well-communicated. To address this we have a series of blogs planned that will go into much more detail on the status of all our efforts. We hope to have the first one out before the end of the month.

Is there a schedule for the blogs?

A lot of work has gone into, and will continue to go into, making and keeping all the Argo projects secure and we are thankful for the resources that have been made available to us from the CNCF!

+1

Some other notes:

@hblixt

hblixt commented Feb 2, 2022

(edited out answered parts for brevity)

Is this already documented somewhere that is easy to find? Who is on it (from which companies)?

This was discussed, decided and documented in our weekly maintainer meeting. Right now, it consists of volunteers from the maintainer group and has had representation from Intuit, Red Hat, Codefresh and Akuity, but the individuals haven't been externalized other than in the meeting notes.

  • The project security policies and contacts have been reviewed to make sure escalation paths are clear and that there are clear responsibilities and associated maintainers

Same as above, can you please share urls?

The security.md files never got updated. The PRs have been filed. Thanks for catching!

  • We are working through the RFP process with CNCF to ensure that the issues and recommendations from the previous assessment have been addressed, but also to get on to a path of continuity as our projects move fast and add features at a rapid pace.

    • an additional external security review to be completed ASAP
    • a yearly external security review

What state of the RFP process are we in? Has it gotten to the point of selecting vendors?

The process was started in Nov last year and we are still waiting for OSTIF to complete the RFP write-up, so we are not in selection yet.

  • There is a security assessment underway with the CNCF Security STAG, as a complement to the external assessments, to ensure alignment with any CNCF best practices and recommendations

This one, right? cncf/tag-security#554 Our newly elected TOC member @TheFoxAtWork indicated that it may take a few months for the 4 sub-projects in Argo.

Yes. We have done the first few rounds of Q&A and information sharing with the STAG, so the actual reviews are planned to start in February, with each project taking 1-2w to complete.

  • And lastly, the work that has been completed has shown that our security is good, both in terms of absolute numbers and in comparison to other CNCF projects, but it has not been well-communicated. To address this we have a series of blogs planned that will go into much more detail on the status of all our efforts. We hope to have the first one out before the end of the month.

Is there a schedule for the blogs?

The first one should be within a few weeks, as mentioned, and then the plan is to have them on a ~2-3w cadence.

Some other notes:

* Argo CD: is https://argo-cd.readthedocs.io/en/stable/security_considerations/ slated to be replaced? (I see a deprecated notice.) Is there a plan to replace this page with better content?

As you noted, the page has been deprecated in favor of the two github pages that hold the advisories and policy. The plan is to keep that content in github, but we'll look into improving that page as part of our upcoming doc re-write.

* Argo Rollouts: seems to indicate that 3 community members are to be emailed directly? https://argoproj.github.io/argo-rollouts/security/

* https://github.com/argoproj/argo-events/blob/master/SECURITY.md has emails listed as well (note that the website does not have this info as mentioned earlier)

* https://github.com/argoproj/argo-rollouts is missing a SECURITY.md but there is a https://github.com/argoproj/argo-rollouts/security/policy which says email 3 people

* Can there be a uniform process for all the projects? One single mailing list perhaps? (Example: containerd - https://github.com/containerd/project/blob/main/SECURITY.md)

See above; this should have been fixed with updated security.md files. It should be corrected once the PRs are merged.

* Argo Events: does not seem to have a security link in the main page in documentation

* Argo Workflows: same as Events

* Can https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/security.md be surfaced better in Argo CD documentation?

* Can https://github.com/argoproj/argo-workflows/blob/master/docs/security.md be surfaced better in Argo workflow documentation? (says email as mentioned above, but looks like Jesse's email is different)

Duly noted. We'll look into updating the web pages with this as part of our planned refresh/re-write of the docs.

  * Would also recommend outlining an embargo process and an announce list (see containerd above).

Good idea. We'll bring that up in our next SIG Security meeting.

@hblixt

hblixt commented Feb 14, 2022

The first blog post in our security series, which will include best practices, details on security work we have done, etc., has been published today.
We plan on continuing the series and posting blogs with a ~2-4w cadence. The next one is scheduled for 2/28.

https://blog.argoproj.io/best-practices-for-multi-tenancy-in-argo-cd-273e25a047b0

@hblixt

hblixt commented Feb 28, 2022

Our next blog, outlining the work done together with CNCF and Ada Logics to implement fuzzing, is now live.
https://blog.argoproj.io/argo-security-automation-with-oss-fuzz-da38c1f86452

@hblixt

hblixt commented Jul 18, 2022

After some great work by the project and the team over at Ada Logics, we have completed our second external security audit and the report has been published: Security Audit report
The project also put together a blog on some of the learnings that we will carry forward with us: Lessons learned

@dims
Member

dims commented Jul 19, 2022

@hblixt When you have gone through all the feedback above and feel ready, can you please drop an email to cncf-toc@ to restart things? It would be useful to update the DD doc (is there one already?) as well with info on how far security has gotten and that it will be an ongoing / sustainable effort.

thanks,
dims

PS: by restart here I mean continue from the point where things were left off!

@hblixt

hblixt commented Aug 2, 2022

@hblixt When you have gone through all the feedback above and feel ready, can you please drop an email to cncf-toc@ to restart things? It would be useful to update the DD doc (is there one already?) as well with info on how far security has gotten and that it will be an ongoing / sustainable effort.

thanks, dims

PS: by restart here I mean continue from the point where things were left off!

The DD document has been updated and the email to the TOC has been sent.


@wanghong230 wanghong230 left a comment

Hi Ed,

Please consider taking my changes to keep it up to date.

Hong

edlee2121 and others added 12 commits August 11, 2022 22:31
Co-authored-by: Hong Wang <2680725+wanghong230@users.noreply.github.com>
@edlee2121
Contributor Author

@wanghong230 Changes accepted.

@amye amye moved this from In Public Comment Period to In TOC Voting in Graduating Projects Backlog Nov 23, 2022
@caniszczyk
Contributor

@caniszczyk caniszczyk merged commit 20adcbb into cncf:main Dec 7, 2022
Graduating Projects Backlog automation moved this from In TOC Voting to Done Dec 7, 2022