author: Jay Beale <jay.beale@gmail.com> 2020-09-21 13:21:31 -0700
committer: Jay Beale <jay.beale@gmail.com> 2020-09-24 15:43:49 -0700
commit: 683ec8f8a392522933b8950a052dfdce6da6a812 (patch)
tree: 9b89af9baf31ad750384e8f33aef2ac11e408f36 /archive
parent: 5844b959a42a958c15799ce86dca11588849156b (diff)
Retiring wg-security-audit
Diffstat (limited to 'archive')
-rw-r--r--  archive/wg-security-audit/OWNERS               8
-rw-r--r--  archive/wg-security-audit/README.md           62
-rw-r--r--  archive/wg-security-audit/letter-to-steering.md 26
3 files changed, 96 insertions, 0 deletions
diff --git a/archive/wg-security-audit/OWNERS b/archive/wg-security-audit/OWNERS
new file mode 100644
index 00000000..bd60c850
--- /dev/null
+++ b/archive/wg-security-audit/OWNERS
@@ -0,0 +1,8 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+reviewers:
+ - wg-security-audit-leads
+approvers:
+ - wg-security-audit-leads
+labels:
+ - wg/security-audit
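Review bot: the `reviewers` and `approvers` entries in this archived OWNERS file still point at the `wg-security-audit-leads` alias, so with the working group retired, confirm that the alias still resolves in the repository's OWNERS_ALIASES (or replace it with whoever owns `archive/`); otherwise changes under `archive/wg-security-audit/` have no valid approver, and the `wg/security-audit` label will keep being applied for a group that no longer exists.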
diff --git a/archive/wg-security-audit/README.md b/archive/wg-security-audit/README.md
new file mode 100644
index 00000000..fd6af780
--- /dev/null
+++ b/archive/wg-security-audit/README.md
@@ -0,0 +1,62 @@
+<!---
+This is an autogenerated file!
+
+Please do not edit this file directly, but instead make changes to the
+sigs.yaml file in the project root.
+
+To understand how this file is generated, see https://git.k8s.io/community/generator/README.md
+--->
+# Security Audit Working Group
+
+Perform a security audit on k8s with a vendor and produce as artifacts a threat model and whitepaper outlining everything found during the audit.
+
+## Stakeholder SIGs
+* SIG Auth
+
+## Meetings
+* Regular WG Meeting: [Mondays at 12:00 PT (Pacific Time)](https://docs.google.com/document/d/1RbC4SBZBlKth7IjYv_NaEpnmLGwMJ0ElpUOmsG-bdRA/edit) (weekly). [Convert to your timezone](http://www.thetimezoneconverter.com/?t=12:00&tz=PT%20%28Pacific%20Time%29).
+
+## Organizers
+
+* Aaron Small (**[@aasmall](https://github.com/aasmall)**), Invitae
+* Craig Ingram (**[@cji](https://github.com/cji)**), Stripe
+* Jay Beale (**[@jaybeale](https://github.com/jaybeale)**), InGuardians
+* Joel Smith (**[@joelsmith](https://github.com/joelsmith)**), Red Hat
+
+## Contact
+- Slack: [#wg-security-audit](https://kubernetes.slack.com/messages/wg-security-audit)
+- [Mailing list](https://groups.google.com/forum/#!forum/kubernetes-wg-security-audit)
+- [Open Community Issues/PRs](https://github.com/kubernetes/community/labels/wg%2Fsecurity-audit)
+<!-- BEGIN CUSTOM CONTENT -->
+## Published Documents
+
+Trail of Bits and Atredis Partners, in collaboration with the Security Audit Working Group, have released the following documents which
+detail their assessment of Kubernetes security posture and their findings.
+
+### Findings
+
+* [Kubernetes Security Review](findings/Kubernetes%20Final%20Report.pdf)
+* [Attacking and Defending Kubernetes Installations](findings/AtredisPartners_Attacking_Kubernetes-v1.0.pdf)
+* [Whitepaper](findings/Kubernetes%20White%20Paper.pdf)
+* [Threat Model](findings/Kubernetes%20Threat%20Model.pdf)
+
+### Ancillary Data
+
+* [Rapid Risk Assessments](ancillary-data/rapid-risk-assessments)
+* [Dataflow](ancillary-data/dataflow)
+
+## Mailing Lists
+
+* Sensitive communications regarding the audit should be sent to the [private variant of the mailing list](https://groups.google.com/forum/#!forum/kubernetes-wg-security-audit-private).
+
+## Request For Proposals
+
+The RFP was open between 2018/10/29 and 2018/11/30 and has been published [here](https://github.com/kubernetes/community/blob/master/wg-security-audit/RFP.md).
+
+## Vendor Selection
+
+The [RFP](https://github.com/kubernetes/community/blob/master/wg-security-audit/RFP.md) is now closed. The working group selected Trail of Atredis, a collaboration between [Trail of Bits](https://www.trailofbits.com/) and [Atredis Partners](https://www.atredis.com/) to perform the audit.
+
+You can read more about the vendor selection [here](RFP_Decision.md).
+
+<!-- END CUSTOM CONTENT -->
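Review bot: the relative links in this README will break at the archive location: `findings/...`, `ancillary-data/...` and `RFP_Decision.md` assume sibling files under `archive/wg-security-audit/`, but the diffstat shows only OWNERS, README.md and letter-to-steering.md being added, and both RFP links point at `blob/master/wg-security-audit/RFP.md`, the pre-archive path. Either move those files in the same change or rewrite the links to their archived paths. The autogenerated-file banner at the top also still directs readers to edit `sigs.yaml`, which will not regenerate an archived copy; a one-line note that the working group was retired (as the commit message says) would serve better than that banner, and the weekly meeting and Slack entries should be marked as historical rather than presented as current.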
diff --git a/archive/wg-security-audit/letter-to-steering.md b/archive/wg-security-audit/letter-to-steering.md
new file mode 100644
index 00000000..cb9b123a
--- /dev/null
+++ b/archive/wg-security-audit/letter-to-steering.md
@@ -0,0 +1,26 @@
+Dear Steering Committee:
+
+
+We propose the creation of a new Kubernetes SIG: SIG Security.
+
+
+In managing the Third-Party Security Audits, the Working Group realized that its efforts didn’t end with the completion of each audit. The audit’s process and findings demonstrated the need to advocate for stronger security defaults, facilitate outreach for both developers and end-users, and drive structural security improvements.
+
+At KubeCon San Diego, we presented the results of the audit with a call to action for the broader community to take the findings and drive them into a better, more secure, Kubernetes. We were met with far more support than we could reasonably channel in our current form.
+
+We worked with members of SIG Auth, the Product Security Committee, the SIG Docs Security subproject, and the CIS Benchmark maintainers to identify underserved aspects of their domains. To express the scope and responsibilities of the new SIG, we all collaborated on a draft charter for your consideration.
+
+We hope that the entire group behind this draft charter can serve the Kubernetes project via this SIG.
+
+Thank you.
+
+Signed,
+
+
+Aaron, Craig, Jay, Joel, Tim, Ian, Micah, Seth, Peter, Rory, Liz
+
+
+
+You can find our proposed charter in this pull request:
+
+https://github.com/kubernetes/community/pull/4962/commits/535d9eab9c37826edd39d79f70e94f51330bb15c
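Review bot: the letter has doubled blank lines after the salutation, after the proposal sentence, after "Signed," and before the pull-request link; Markdown collapses them anyway, so a single blank line between paragraphs keeps the file consistent with the README in the same directory. The closing link pins one commit of pull request 4962 (`.../commits/535d9eab...`); linking the pull request itself would also show the charter in its final reviewed state.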