Update threat model #24760

Merged
merged 1 commit into from
Apr 13, 2023

ferozsalam
Contributor

  • Incorporate feedback on transparent encryption with regards to network attackers
  • Add recommended controls for Hubble
  • Also some minor formatting tweaks to bring the document in line with our style guide

- Incorporate feedback on transparent encryption with regards to network attackers
- Add recommended controls for Hubble

Signed-off-by: Feroz Salam <feroz@isovalent.com>
@ferozsalam ferozsalam added the release-note/misc This PR makes changes that have no direct user impact. label Apr 5, 2023
@ferozsalam ferozsalam requested review from a team as code owners April 5, 2023 09:47
Contributor

@zacharysarah zacharysarah left a comment

LVGTM from a docs perspective. ✨

😻

Comment on lines +410 to +414
| Network data | - Without transparent encryption, an attacker |
| | could inspect traffic between workloads in both |
| | overlay and native routing modes. |
| | - Denial of service could occur depending on the |
| | behavior of the attacker. |
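
Review bot: the second bullet in the Network data row, "Denial of service could occur depending on the behavior of the attacker", names no condition, while the first bullet is explicitly scoped to "Without transparent encryption". Suggest stating which attacker behavior leads to denial of service and whether that risk remains when transparent encryption is enabled, so readers can map the row to a recommended control.
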
Contributor

Nice! ✨

@@ -725,21 +687,23 @@ Overall Recommendations
To summarize the recommended controls to be used when configuring a
production Kubernetes cluster with Cilium:

1. Ensure that Kubernetes roles are scoped correctly to the requirements of your
#. Ensure that Kubernetes roles are scoped correctly to the requirements of your
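
Review bot: only the first item of the Overall Recommendations list is visible switching from `1.` to `#.`, and the hunk header shows the list growing from 21 to 23 lines. Suggest confirming that every item in this list, including any newly added ones, uses the `#.` enumerator so the list is not split between explicit numbers and auto-numbering.
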
Contributor

Good practice on numbering. Have you verified that your local build renders ordered steps correctly?

Contributor Author

Yep, all looks good to me!

Member

@pchaigno pchaigno left a comment

Thanks Feroz!

(Completely unrelated: your @isovalent.com email address isn't linked to your GitHub account.)

@pchaigno pchaigno added area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. labels Apr 11, 2023
@joestringer joestringer added the needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch label Apr 11, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.13.2 Apr 11, 2023
@joestringer joestringer merged commit 20a7081 into master Apr 13, 2023
35 checks passed
@joestringer joestringer deleted the pr/update-threat-model branch April 13, 2023 20:45
@gentoo-root gentoo-root added this to Needs backport from master in 1.13.3 Apr 14, 2023
@gentoo-root gentoo-root removed this from Needs backport from master in 1.13.2 Apr 14, 2023
@nbusseneau nbusseneau mentioned this pull request Apr 20, 2023
15 tasks
@nbusseneau nbusseneau added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Apr 20, 2023
@sayboras sayboras added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Apr 26, 2023
@thorn3r thorn3r moved this from Needs backport from main to Backport done to v1.13 in 1.13.3 May 17, 2023