Add blog article about microservices, vulnerabilities, and Guard #38918

Merged
merged 24 commits into from
Jan 20, 2023

Conversation

davidhadas
Contributor

This is a continuation of #38104 where a long discussion was already held and reviews of both #sig-security and #sig-docs were provided.

Due to technical problems with the preview mechanism in #38104, we continue here and will close #38104.


This PR adds a blog post discussing "Vulnerable Microservices":

  • It explains why it's realistic to assume all services deployed on Kubernetes are vulnerable
  • It shows that using proper security-behavior instrumentation can protect deployed vulnerable services
  • It details 4 cyber use cases that users should cover in their service deployments
  • It shows that microservice architecture is well-suited to security-behavior instrumentation
  • It points to the Guard Open Source (Part of the CNCF Knative project) to offer security-behavior instrumentation

The idea to create this post came up while discussing options to raise the security awareness of 4 cyber use cases that need to be covered by Kubernetes users and the desire to point them to the external open-source project that targets covering these use cases.

See #37356

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jan 13, 2023
@k8s-ci-robot k8s-ci-robot added area/blog Issues or PRs related to the Kubernetes Blog subproject language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 13, 2023
@netlify

netlify bot commented Jan 13, 2023

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit 42fb3aa
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/63c7f343ce2aab0008291dd6
😎 Deploy Preview https://deploy-preview-38918--kubernetes-io-main-staging.netlify.app

@sftim
Contributor

sftim commented Jan 13, 2023

@davidhadas if you can provide the source for those diagrams (GitHub lets you add attachments to a comment), I'll try to make a version as SVG that will work OK.

@davidhadas
Contributor Author

Power point file
VulnerableMicroservicesBlogPost.pptx

@sftim sftim left a comment

Thanks for the revised / squashed replacement PR.

Two style items you should fix:

  • don't use “we” (there's only one author, and our style guide recommends addressing the reader as ”you”)
  • Write headings within the article in sentence case

I'd love to try to fix the diagrams into SVG, and should have time to work on that if you provide the source file.

Where I've marked feedback as a nit, this is something that I recommend, but you don't have to accept the feedback and we can merge anyway even if you don't agree or don't get round to addressing it.

davidhadas and others added 7 commits January 13, 2023 17:35
…ndex.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>
…ndex.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>
…ndex.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>
…ndex.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>
…ndex.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>
…ndex.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>
@davidhadas
Contributor Author

@sftim
All comments addressed

@sftim
Contributor

sftim commented Jan 17, 2023

/retitle Add blog article about microservices, vulnerabilities, and Guard

@k8s-ci-robot k8s-ci-robot changed the title Vulnerable Microservices Add blog article about microservices, vulnerabilities, and Guard Jan 17, 2023
@sftim
Contributor

sftim commented Jan 17, 2023

All comments addressed

I looked at https://github.com/kubernetes/website/pull/38918/files and saw feedback not yet accounted for. Please comment when you've had a chance to address what's remaining (either incorporate the feedback, or you can explain why you disagree).

davidhadas and others added 3 commits January 17, 2023 13:05
…ndex.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>
…ndex.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>
…ndex.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>
davidhadas and others added 4 commits January 18, 2023 07:03
…ndex.md

Co-authored-by: Nate W. <natew@cncf.io>
…ndex.md

Co-authored-by: Nate W. <natew@cncf.io>
…ndex.md

Co-authored-by: Nate W. <natew@cncf.io>
…ndex.md

Co-authored-by: Nate W. <natew@cncf.io>
@divya-mohan0209 divya-mohan0209 left a comment

Overall this LGTM. Thanks @davidhadas for your patience. The main suggestions right now are:

  • Change the date of publication since it seems to be in the past.
  • Are we planning to continue with the .png files? I recall @sftim mentioning that we'd prefer .svg files.
  • Thirdly, since this is third-party content, I believe we need to add the third-party content tag. @sftim & @nate-double-u I'd like your opinions on this, as well.

@davidhadas
Contributor Author

@divya-mohan0209 @nate-double-u @sftim
I am not sure what is meant here by third-party content; this blog includes a reference to the Knative Open source (a CNCF project), so it should be treated the same way a blog post about CoreDNS, for example, is handled.

If the standard is to mark such posts in any way - it should be done here as well.

There is no vendor-related content at all in this post.

@divya-mohan0209
Contributor

To clarify our stand on third-party content, we have some documentation outlining what falls under this category. My understanding from this blog post is that Guard is a project we aren't dependent on but is a good-to-have for security behavior monitoring and analysis. Based on that understanding, I believe this does fall under the third-party category.
However, I would like a second pair of eyes to confirm that this is the case. Hopefully that makes it a bit more clear to you, David?

@sftim
Contributor

sftim commented Jan 18, 2023

Sorry, I'm a bit busy but:

  • CoreDNS is third party and also covered by the “required for a cluster to operate” case
  • Guard is also third party
  • Knative is third party

We actually try to provide parity between external projects (outside Kubernetes) from three kinds of source:

  • the Linux Foundation
  • other open source initiatives
  • the private sector / commercial software providers

Even though we're a CNCF project, we try to avoid giving other CNCF projects unmerited special treatment. CoreDNS gets an exemption not for its provenance but because you need a relevant DNS implementation to have a conformant cluster.

@sftim
Contributor

sftim commented Jan 18, 2023

Oh, and the SVG thing, I haven't had time yet. I think we could convert after publication but recommend we check we're happy to do so.

/hold
Future-dated publication date is not yet assigned

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 18, 2023
@divya-mohan0209
Contributor

Thank you for your response, Tim!
@davidhadas , please could you add the third party content shortcode to the blog article? Also, would you be able to confirm if you're happy with the conversion to SVG post blog publication?
From an approval perspective, I'm okay with the SVG conversion.

@davidhadas
Contributor Author

davidhadas commented Jan 18, 2023

@divya-mohan0209

Can you please refer me to an example blog post that has the third party content shortcode? I need to understand which shortcode exactly and where to place it.

Searching under content/en/blog/_posts, I found no blog posts that have "thirdparty-content" embedded in them - so I am a bit puzzled.

Btw, I was originally told when I started this process that third party content can't exist in the documentation but can exist in blog posts and there are of course many examples (many blog posts do include references to projects outside of Kubernetes).

Since I could not yet find an example I have no idea what it means to add the third party content shortcode, but I understand from the documentation it adds some disclaimer - not a problem of course.

As for SVG, please do not postpone this post further to create SVGs.
My previous attempts to create SVGs with good quality for this post failed and I would ask that lesser-quality images will not replace the existing PNGs.
If at some later point (e.g. after we publish) when @sftim or anyone else finds a way to create good quality SVGs there is no problem of course to replace the images.

Why are we on "hold" again?
I pushed the date to the 20th, is this not appropriate?

@divya-mohan0209
Contributor

  1. The third-party shortcode is: {{% thirdparty-content %}}. There is no blogpost where we have this shortcode. However, there is a disclaimer on the hardening guide for the listed open source tools not being a recommendation from the Kubernetes community. I'd recommend that we add something similar to the article. This is so that we can maintain neutrality, as a community, when it comes to the tool listed in this article.
  2. My ask in the previous comment was a confirmation from your end that we'd be happy to convert this to SVG after blog publication. I'm happy to approve this, given your confirmation above.

@sftim
Contributor

sftim commented Jan 18, 2023

I can clarify: we don't expect the {{% thirdparty-content %}} shortcode for a blog article. So long as the wording makes the third party nature clear, I think that's OK.

@nate-double-u / other blog team folk: thoughts?

@davidhadas
Contributor Author

If that helps - the text includes the sentence "Guard, developed under the CNCF project Knative." I.e. clearly it is stated that Guard is developed externally.

If I understand correctly, we are good to go - please clarify if not.

@nate-double-u
Contributor

@davidhadas

If at some later point (e.g. after we publish) when @sftim or anyone else finds a way to create good quality SVGs there is no problem of course to replace the images.

I agree, we shouldn't hold up the post for SVGs -- we'll just need to remember to open an issue when we merge the PR to make the update.

@sftim

I can clarify: we don't expect the {{% thirdparty-content %}} shortcode for a blog article. So long as the wording makes the third party nature clear, I think that's OK.

I agree, if the text is clear that the article is third party content then we shouldn't need the shortcode. The link to the article that Divya provided is a good example - it can be short and doesn't need to be in the disclaimer box.

@davidhadas
Contributor Author

davidhadas commented Jan 19, 2023

@sftim, @divya-mohan0209, @nate-double-u

Excellent, so now that we have thumbs up from both sig-security and sig-docs - let's get it merged today such that it can be online tomorrow.

Thank you all for your reviews

@nate-double-u
Contributor

I think the line "It points to Guard, an open source project offering security-behavior monitoring and control of Kubernetes microservices presumed vulnerable." covers the third party stuff, should there be anything else @sftim, @divya-mohan0209?

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 20, 2023
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 0b459868f98d22cb2407487169e708ca8d85070d

@divya-mohan0209
Contributor

Deferring to the subproject owners' suggestions above and approving the PR.

@davidhadas : Please open an issue for your files to be converted to an SVG whenever you're in for the day. Kindly add a reference to this PR so that contributors can understand the background. Thanks!

/hold cancel
/approve

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 20, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: divya-mohan0209

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 20, 2023
@divya-mohan0209 divya-mohan0209 dismissed their stale review January 20, 2023 02:22

Changes addressed + deferring to the subproject owners' recommendations.

@k8s-ci-robot k8s-ci-robot merged commit 2bc7425 into kubernetes:main Jan 20, 2023
@davidhadas
Contributor Author

See #39015 - issue for the files to be converted to an SVG

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/blog Issues or PRs related to the Kubernetes Blog subproject cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/en Issues or PRs related to English language lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/security Categorizes an issue or PR as relevant to SIG Security. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.