kubernetes/committee-security-response

Distributors Application for Tanzu Kubernetes Grid (TKG)

justaugustus opened this issue · 2 comments

Actively monitored security email alias for our project:

tkg-cve-disclosure@groups.vmware.com (ref: kubernetes/k8s.io#1004)

1. Be an actively maintained and CNCF certified distribution of Kubernetes components.

TKG (and variants, like TKGI) are Certified Kubernetes distributions and listed at https://www.cncf.io/certification/software-conformance/.

2. Have a user base not limited to your own organization.

Yes, this is a user-facing/customer-focused distribution.
Website here: https://tanzu.vmware.com/kubernetes-grid

3. Have a publicly verifiable track record up to present day of fixing security issues.

A plan for a TKG-specific security advisories page is in the works.
VMware as a company has an all-product security advisory page: https://www.vmware.com/security/advisories.html

Members of the tkg-cve-disclosure list include @enj (PSC) and myself (SIG Release Chair), both with public track records of responsible disclosure and assisting with fix efforts, both upstream and internally.

4. Not be a downstream or rebuild of another distribution.

Correct. We only consume upstream Kubernetes.

5. Be a participant and active contributor in the community.

Yes. The vast majority of this list is composed of senior contributors to the project (including @enj, @dims, @nikhita, and myself).

6. Accept the Embargo Policy.

We agree to uphold the Kubernetes Embargo Policy.

7. Be willing to contribute back.

We agree to continue contributing to improvements in the overall security posture of the Kubernetes project.

8. Have someone already on the list vouch for the person requesting membership on behalf of your distribution.

Tagging the @kubernetes/product-security-committee for vouchability. :)

Approved by @joelsmith via this comment: kubernetes/k8s.io#1004 (comment)

@justaugustus could you add Fixes kubernetes/security#101 to the description so that the issue will be auto-closed? And if you don't see this prior to merge, I'll be happy to close the issue when the time comes. ;-)

Giving a PSC stamp of approval. Verified that TKG appears on the Certified Kubernetes list. All other requirements have been met.
/lgtm
/hold cancel