Perform a security audit on k8s with a vendor and produce as artifacts a threat model and whitepaper outlining everything found during the audit.

• SIG Auth

• Regular WG Meeting: Mondays at 13:00 PT (Pacific Time) (weekly). Convert to your timezone.

• Aaron Small (@aasmall), Google
• Craig Ingram (@cji), Salesforce
• Jay Beale (@jaybeale), InGuardians
• Joel Smith (@joelsmith), Red Hat

• Slack: #wg-security-audit
• Mailing list
• Open Community Issues/PRs

Trail of Bits and Atredis Partners, in collaboration with the Security Audit Working Group, have released the following documents which detail their assessment of Kubernetes security posture and their findings.

• Kubernetes Security Review
• Attacking and Defending Kubernetes Installations
• Whitepaper
• Threat Model

• Rapid Risk Assessments
• Dataflow

• Sensitive communications regarding the audit should be sent to the private variant of the mailing list.

The RFP was open between 2018/10/29 and 2018/11/30 and has been published here.

The RFP is now closed. The working group selected Trail of Atredis, a collaboration between Trail of Bits and Atredis Partners to perform the audit.

You can read more about the vendor selection here.