Update to security policy for CNCF migration#4504
Conversation
Signed-off-by: Galal Hassan <[email protected]>
|
Note that we need to enable the |
|
Thanks for digging into this -- curious where you sourced best practices from? Does it align with what other CNCF projects are doing, etc? |
| Agones runs on Kubernetes and extends the API with custom resources and controllers. The security of a deployment depends on correct cluster configuration (for example RBAC, network policies, TLS for the allocator service, and node isolation). Operational guidance appears in the [Agones documentation](https://agones.dev/site/docs/), including [best practices](https://agones.dev/site/docs/guides/best-practices/) and topics such as [service accounts](https://agones.dev/site/docs/advanced/service-accounts/) and the [allocator service](https://agones.dev/site/docs/advanced/allocator-service/). | ||
|
|
||
| ## Security contacts | ||
| Security reports are triaged by the [Agones maintainers](https://github.com/agones-dev/agones/blob/main/OWNERS). Coordinated fixes and public advisories are published through [GitHub Security Advisories](https://github.com/agones-dev/agones/security/advisories) when appropriate. |
There was a problem hiding this comment.
There is no owners file, approvers list is here: https://github.com/agones-dev/agones/blob/main/docs/governance/community_membership.md#current-members
There was a problem hiding this comment.
whoops, gonna fix that now
it was mostly the CNCF Security Guidelines page and checked a few repos:
|
Signed-off-by: Galal Hassan <[email protected]>
bf9ef96 to
ae7ae54
Compare
|
🔥 sounds good. Since security - @agones-dev/approvers (and @igooch - since still waiting on your to accept your invite 😁 ) -- any additional thoughts? I'm happy to enable the GitHub vulnerability submission tool. CNCF does have it on their list of tools to use. I did notice that many of the CNCF templates at https://contribute.cncf.io/projects/best-practices/security/security-hygiene/ are broken, which is sad (filed: cncf/contribute-site#351) -- so I assume that's why you ended up going to other projects to see what they were doing, moreso than looking at CNCF templates? |
thats correct, the security stuff was all outdated. The links that are broken now were working last week though, one of them linked to the CNCF TAG GitHub, which is archived and outdated. However, it was useful for the self-assessment stuff (which we should do sometime in the near-future). |
Looking great ! I'm in to enable it as well |
|
Private Security Advisory is now enabled! Let's get this merged. |
|
/gcbrun |
|
Build Succeeded 🥳 Build Id: 36598df3-bd34-4637-8586-c98b610be1e6 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version: |
What type of PR is this?
/kind documentation
What this PR does / Why we need it:
As part of the effort to move Agones to CNCF Issue #24, we need to include a Security Policy.
This PR updates the SECURITY.md file to include a standard security policy. We still need to do the following in the future, however is not a requirement for our move to CNCF.
Future work
Which issue(s) this PR fixes: None