2024-05-29 Meeting notes for Workload Runtime Security

Date

May 29, 2024 (recording: 30 minutes)

Attendees

  • @Joseph Pearson

  • @Rahul

Goals

  1. Demonstrate KubeArmor deployment to:

    1. Kubernetes clusters

    2. bare Linux hosts

  2. Facilitate Day 1 & Day 2 operations on deployed workloads

  3. Integrate with monitoring and observability solutions

  4. Define and deliver an embedded KubeArmor

Discussion items

  • Goal 1: What is left to do so we can declare success?

  • Goal 2: Detailed work breakdown should include:

    • Default hardened security policy

      • How should Open Horizon service definition files reference a security policy? Assume a policy can be tied to specific service versions.

      • Default policies should be publishable as public policies, usable by all organizations

      • Or is this really a property of a deployment policy, which may or may not be specific to a node's purpose or other attributes?

      • What role(s) will likely be involved in maintaining the security policy and mapping it to deployments?

    • Built-in deployment policy properties

      • provenance

      • auditing

      • trustworthiness

      • BOMs?

      • security scans?

      • Both for services and models

    • Script to deploy KubeArmor alongside Open Horizon

    • Any CLI command integration?

    • ...

  • GaTech students would like to contribute to this effort

    • Are there existing issues we could point them to?

    • Are there small-ish items they could work on, with or without supervision?
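As an added illustration of what a "default hardened security policy" could look like in KubeArmor's own terms (example configuration written for these notes, not a policy from the Open Horizon or KubeArmor projects): one KubeArmorPolicy for a service running in a Kubernetes cluster and one KubeArmorHostPolicy for a bare Linux host, both expressing the same deny-list baseline. The namespace `openhorizon-agent`, the pod label `openhorizon.service: hello-world`, the hostname value `edge-node-01`, and the severity, tag and message values are assumptions; the host label key `kubearmor.io/hostname` is the label KubeArmor applies to a host in its systemd (non-Kubernetes) mode and should be checked against the deployed version.

```yaml
# Example only: a baseline deny-list policy for a Kubernetes-deployed service.
# Namespace, selector label and service name are assumptions for this example.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: baseline-hardening
  namespace: openhorizon-agent           # assumed namespace of the workload
spec:
  severity: 5
  tags: ["baseline", "open-horizon"]
  message: "Baseline hardening policy violated"
  selector:
    matchLabels:
      openhorizon.service: hello-world   # assumed label on the service pod
  process:
    # A running service has no business spawning interactive shells or
    # package managers; blocking them cuts off the usual post-exploitation path.
    matchPaths:
      - path: /bin/sh
      - path: /bin/bash
      - path: /bin/dash
      - path: /usr/bin/apt
      - path: /usr/bin/apt-get
      - path: /usr/bin/apk
  file:
    # System configuration stays readable but cannot be modified at runtime
    # (readOnly: true with action Block blocks writes and permits reads).
    matchDirectories:
      - dir: /etc/
        recursive: true
        readOnly: true
    # The mounted service-account token is blocked outright; drop this rule
    # for a service that genuinely talks to the Kubernetes API.
    matchPaths:
      - path: /var/run/secrets/kubernetes.io/serviceaccount/token
  action: Block
---
# Example only: the same baseline for a bare Linux host running the Open
# Horizon agent, with KubeArmor in systemd mode. The hostname value is assumed.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: host-baseline-hardening
spec:
  severity: 5
  tags: ["baseline", "open-horizon", "host"]
  message: "Host baseline hardening policy violated"
  nodeSelector:
    matchLabels:
      kubearmor.io/hostname: edge-node-01  # label set by KubeArmor systemd mode; value assumed
  process:
    # On the host, block only what an unattended edge node should never run;
    # shells remain available to administrators.
    matchPaths:
      - path: /usr/bin/nc
      - path: /usr/bin/ncat
      - path: /usr/bin/socat
  file:
    matchDirectories:
      - dir: /etc/
        recursive: true
        readOnly: true
      - dir: /boot/
        recursive: true
        readOnly: true
  action: Block
```

Two caveats a deployer should keep in mind. First, `action: Block` is only enforced when the node has an LSM KubeArmor can drive (AppArmor, BPF-LSM, or SELinux); without one the same policy yields audit events only, so the deployment script should verify the enforcer before declaring the host hardened. Second, mixing in `action: Allow` rules switches the matched workload to allow-list semantics, where anything not explicitly allowed is blocked, which is stricter but requires a complete inventory of the service's processes and file paths; a deny-list baseline like the one above is the safer public default across organizations. The cluster policy is applied with `kubectl apply -f`, while the host policy is pushed through the `karmor` CLI's `vm` subcommands rather than through the Kubernetes API.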

Action items

Create documentation for bare Linux host deployments, to finish out Goal 1.