From 0ee9a48bce8c71327becbccb9e397d9e52058aaf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Dec 2023 10:26:45 -0800 Subject: [PATCH 01/11] Bump postcss and autoprefixer in /website/themes/docsy/userguide (#1118) Bumps [postcss](https://github.com/postcss/postcss) to 8.4.31 and updates ancestor dependency [autoprefixer](https://github.com/postcss/autoprefixer). These dependencies need to be updated together. Updates `postcss` from 7.0.39 to 8.4.31 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/7.0.39...8.4.31) Updates `autoprefixer` from 9.5.0 to 10.4.16 - [Release notes](https://github.com/postcss/autoprefixer/releases) - [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/autoprefixer/compare/9.5.0...10.4.16) --- updated-dependencies: - dependency-name: postcss dependency-type: indirect - dependency-name: autoprefixer dependency-type: direct:development ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Nate-Smithline --- .../themes/docsy/userguide/package-lock.json | 145 ++++++------------ website/themes/docsy/userguide/package.json | 2 +- 2 files changed, 44 insertions(+), 103 deletions(-) diff --git a/website/themes/docsy/userguide/package-lock.json b/website/themes/docsy/userguide/package-lock.json index 6fa606a7d..88f75f003 100644 --- a/website/themes/docsy/userguide/package-lock.json +++ b/website/themes/docsy/userguide/package-lock.json 
@@ -47,44 +47,17 @@ } }, "autoprefixer": { - "version": "9.5.0", - "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-9.5.0.tgz", - "integrity": "sha512-hMKcyHsZn5+qL6AUeP3c8OyuteZ4VaUlg+fWbyl8z7PqsKHF/Bf8/px3K6AT8aMzDkBo8Bc11245MM+itDBOxQ==", + "version": "10.4.16", + "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.16.tgz", + "integrity": "sha512-7vd3UC6xKp0HLfua5IjZlcXvGAGy7cBAXTg2lyQ/8WpNhd6SiZ8Be+xm3FyBSYJx5GKcpRCzBh7RH4/0dnY+uQ==", "dev": true, "requires": { - "browserslist": "^4.4.2", - "caniuse-lite": "^1.0.30000947", + "browserslist": "^4.21.10", + "caniuse-lite": "^1.0.30001538", + "fraction.js": "^4.3.6", "normalize-range": "^0.1.2", - "num2fraction": "^1.2.2", - "postcss": "^7.0.14", - "postcss-value-parser": "^3.3.1" - }, - "dependencies": { - "chalk": { - "version": "2.4.2", - "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz", - "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==", - "requires": { - "supports-color": "^5.3.0" - }, - "dependencies": { - "supports-color": { - "version": "5.5.0", - "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz", - "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==" - } - } - }, - "source-map": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz", - "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==" - }, - "supports-color": { - "version": "6.1.0", - "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz", - "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==" - } + "picocolors": "^1.0.0", + "postcss-value-parser": "^4.2.0" } }, "binary-extensions": { 
@@ -103,41 +76,21 @@ } }, "browserslist": { - "version": "4.21.5", - "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.21.5.tgz", - "integrity": "sha512-tUkiguQGW7S3IhB7N+c2MV/HZPSCPAAiYBZXLsBhFB/PCy6ZKKsZrmBayHV9fdGV/ARIfJ14NkxKzRDjvp7L6w==", + "version": "4.22.1", + "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.22.1.tgz", + "integrity": "sha512-FEVc202+2iuClEhZhrWy6ZiAcRLvNMyYcxZ8raemul1DYVOVdFsbqckWLdsixQZCpJlwe77Z3UTalE7jsjnKfQ==", "dev": true, "requires": { - "caniuse-lite": "^1.0.30001449", - "electron-to-chromium": "^1.4.284", - "node-releases": "^2.0.8", - "update-browserslist-db": "^1.0.10" - }, - "dependencies": { - "caniuse-lite": { - "version": "1.0.30001468", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001468.tgz", - "integrity": "sha512-zgAo8D5kbOyUcRAgSmgyuvBkjrGk5CGYG5TYgFdpQv+ywcyEpo1LOWoG8YmoflGnh+V+UsNuKYedsoYs0hzV5A==", - "dev": true - }, - "electron-to-chromium": { - "version": "1.4.334", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.334.tgz", - "integrity": "sha512-laZ1odk+TRen6q0GeyQx/JEkpD3iSZT7ewopCpKqg9bTjP1l8XRfU3Bg20CFjNPZkp5+NDBl3iqd4o/kPO+Vew==", - "dev": true - }, - "node-releases": { - "version": "2.0.10", - "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.10.tgz", - "integrity": "sha512-5GFldHPXVG/YZmFzJvKK2zDSzPKhEp0+ZR5SVaoSag9fsL5YgHbUHDfnG5494ISANDcK4KwPXAx2xqVEydmd7w==", - "dev": true - } + "caniuse-lite": "^1.0.30001541", + "electron-to-chromium": "^1.4.535", + "node-releases": "^2.0.13", + "update-browserslist-db": "^1.0.13" } }, "caniuse-lite": { - "version": "1.0.30000954", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30000954.tgz", - "integrity": "sha512-Wopmc0eVSSG1d9/O4JTn0OmGhUfhEHNkHhoCjUrGSImvHI+2YQWkOI1RRNTUFNSHbSAD8J41jbdZrPP4r32cbQ==", + "version": "1.0.30001546", + "resolved": 
"https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001546.tgz", + "integrity": "sha512-zvtSJwuQFpewSyRrI3AsftF6rM0X80mZkChIt1spBGEvRglCrjTniXvinc8JKRoqTwXAgvqTImaN9igfSMtUBw==", "dev": true }, "chokidar": { @@ -182,6 +135,12 @@ "path-type": "^4.0.0" } }, + "electron-to-chromium": { + "version": "1.4.543", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.543.tgz", + "integrity": "sha512-t2ZP4AcGE0iKCCQCBx/K2426crYdxD3YU6l0uK2EO3FZH0pbC4pFz/sZm2ruZsND6hQBTcDWWlo/MLpiOdif5g==", + "dev": true + }, "emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", @@ -225,6 +184,12 @@ "to-regex-range": "^5.0.1" } }, + "fraction.js": { + "version": "4.3.6", + "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-4.3.6.tgz", + "integrity": "sha512-n2aZ9tNfYDwaHhvFTkhFErqOMIb8uyzSQ+vGJBjZyanAKZVbGUQ1sngfk9FdkBw7G26O7AgNjLcecLffD1c7eg==", + "dev": true + }, "fs-extra": { "version": "11.1.1", "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.1.1.tgz", @@ -365,6 +330,12 @@ "picomatch": "^2.3.1" } }, + "node-releases": { + "version": "2.0.13", + "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.13.tgz", + "integrity": "sha512-uYr7J37ae/ORWdZeQ1xxMJe3NtdmqMC/JZK+geofDrkLUApKRHPd18/TxtBOJ4A0/+uUIliorNrfYV6s1b02eQ==", + "dev": true + }, "normalize-path": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", 
@@ -374,13 +345,7 @@ "normalize-range": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz", - "integrity": "sha1-LRDAa9/TEuqXd2laTShDlFa3WUI=", - "dev": true - }, - "num2fraction": { - "version": "1.2.2", - "resolved": "https://registry.npmjs.org/num2fraction/-/num2fraction-1.2.2.tgz", - "integrity": "sha1-b2gragJ6Tp3fpFZM0lidHU5mnt4=", + "integrity": "sha512-bdok/XvKII3nUpklnV6P2hxtMNrCboOjAcyBuQnWEhO665FwrSNRxU+AqpsyvO6LgGYPspN+lu5CLtw4jPRKNA==", "dev": true }, "path-type": { @@ -407,24 +372,6 @@ "integrity": "sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog==", "dev": true }, - "postcss": { - "version": "7.0.39", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.39.tgz", - "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==", - "dev": true, - "requires": { - "picocolors": "^0.2.1", - "source-map": "^0.6.1" - }, - "dependencies": { - "picocolors": { - "version": "0.2.1", - "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-0.2.1.tgz", - "integrity": "sha512-cMlDqaLEqfSaW8Z7N5Jw+lyIW869EzT73/F5lhtY9cLGoVxSXznfgfXMO0Z5K0o0Q2TkTXq+0KFsdnSe3jDViA==", - "dev": true - } - } - }, "postcss-cli": { "version": "10.1.0", "resolved": "https://registry.npmjs.org/postcss-cli/-/postcss-cli-10.1.0.tgz", @@ -466,9 +413,9 @@ } }, "postcss-value-parser": { - "version": "3.3.1", - "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-3.3.1.tgz", - "integrity": "sha512-pISE66AbVkp4fDQ7VHBwRNXzAAKJjw4Vw7nWI/+Q3vuly7SNfgYXvm6i5IgFylHGK5sP/xHAbB7N49OS4gWNyQ==", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz", + "integrity": "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==", "dev": true }, "pretty-hrtime": { 
@@ -528,12 +475,6 @@
 "integrity": "sha512-n6KkmvKS0623igEVj3FF0OZs1gYYJ0o0Hj939yc1fyxl2xt+xYpLnzJB6xBSqOfV9ZFLEWodBBN/heZJahuIJQ==",
 "dev": true
 },
- "source-map": {
- "version": "0.6.1",
- "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
- "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
- "dev": true
- },
 "string-width": {
 "version": "4.2.3",
 "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
@@ -576,9 +517,9 @@
 "dev": true
 },
 "update-browserslist-db": {
- "version": "1.0.10",
- "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.10.tgz",
- "integrity": "sha512-OztqDenkfFkbSG+tRxBeAnCVPckDBcvibKd35yDONx6OU8N7sqgwc7rCbkJ/WcYtVRZ4ba68d6byhC21GFh7sQ==",
+ "version": "1.0.13",
+ "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.13.tgz",
+ "integrity": "sha512-xebP81SNcPuNpPP3uzeW1NYXxI3rxyJzF3pD6sH4jE7o/IX+WtSpwnVU+qIsDPyk0d3hmFQ7mjqc6AtV604hbg==",
 "dev": true,
 "requires": {
 "escalade": "^3.1.1",
diff --git a/website/themes/docsy/userguide/package.json b/website/themes/docsy/userguide/package.json
index 13317be01..a626cbac3 100644
--- a/website/themes/docsy/userguide/package.json
+++ b/website/themes/docsy/userguide/package.json
@@ -18,7 +18,7 @@
 "homepage": "https://github.com/bep/tech-doc-hugo#readme",
 "dependencies": {},
 "devDependencies": {
- "autoprefixer": "^9.5.0",
+ "autoprefixer": "^10.4.16",
 "postcss-cli": "^10.1.0"
 }
 }

From 513487aba44fecddc96e4fecc66ef0851f3fc13e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 7 Dec 2023 12:29:16 -0800
Subject: [PATCH 02/11] Bump postcss from 8.4.20 to 8.4.31 in /website (#1120)

Signed-off-by: Nate-Smithline
---
 website/package-lock.json | 18 +++++++++---------
 website/package.json | 2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/website/package-lock.json b/website/package-lock.json
index bc30e4d4e..19d747325 100644
--- a/website/package-lock.json
+++ b/website/package-lock.json
@@ -354,9 +354,9 @@
 }
 },
 "nanoid": {
- "version": "3.3.4",
- "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz",
- "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==",
+ "version": "3.3.6",
+ "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.6.tgz",
+ "integrity": "sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==",
 "dev": true
 },
 "node-releases": {
@@ -402,14 +402,14 @@
 "dev": true
 },
 "postcss": {
- "version": "8.4.20",
- "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.20.tgz",
- "integrity": "sha512-6Q04AXR1212bXr5fh03u8aAwbLxAQNGQ/Q1LNa0VfOI06ZAlhPHtQvE4OIdpj4kLThXilalPnmDSOD65DcHt+g==",
+ "version": "8.4.31",
+ "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz",
+ "integrity": "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==",
 "dev": true,
 "requires": {
- "nanoid": "3.3.4",
- "picocolors": "1.0.0",
- "source-map-js": "1.0.2"
+ "nanoid": "^3.3.6",
+ "picocolors": "^1.0.0",
+ "source-map-js": "^1.0.2"
 }
 },
 "postcss-cli": {
diff --git a/website/package.json b/website/package.json
index 960eee9bf..df8208418 100644
--- a/website/package.json
+++ b/website/package.json
@@ -18,7 +18,7 @@
 "homepage": "https://github.com/google/docsy-example#readme",
 "devDependencies": {
 "autoprefixer": "^10.4.0",
- "postcss": "^8.3.7",
+ "postcss": "^8.4.31",
 "postcss-cli": "^9.0.2"
 }
 }

From 8673238061457ba2ebb049d3b382a0a10b00dae8 Mon Sep 17 00:00:00 2001
From: Nate-Smithline
Date: Tue, 12 Dec 2023 06:35:37 -0500
Subject: [PATCH 03/11] Created Self-Assessment of Containerd Project

Signed-off-by: Nate-Smithline
Co-authored-by: Vivek Radhakrishnan
Co-authored-by: Swati Baleri
Co-authored-by: Sunny Li
Signed-off-by: Nate-Smithline
---
 Containerd/self-assessment.md | 350 ++++++++++++++++++++++++++++++++++
 1 file changed, 350 insertions(+)
 create mode 100644 Containerd/self-assessment.md

diff --git a/Containerd/self-assessment.md b/Containerd/self-assessment.md
new file mode 100644
index 000000000..b5af4a51d
--- /dev/null
+++ b/Containerd/self-assessment.md
@@ -0,0 +1,350 @@
+# Self-assessment
+The Self-assessment is the initial document for projects to begin thinking about the
+security of the project, determining gaps in their security, and preparing any security
+documentation for their users. This document is ideal for projects currently in the
+CNCF **sandbox** as well as projects that are looking to receive a joint assessment and
+currently in CNCF **incubation**.
+
+For a detailed guide with step-by-step discussion and examples, check out the free
+Express Learning course provided by Linux Foundation Training & Certification:
+[Security Assessments for Open Source Projects](https://training.linuxfoundation.org/express-learning/security-self-assessments-for-open-source-projects-lfel1005/).
+
+# Self-assessment outline
+
+## Table of contents
+
+* [Metadata](#metadata)
+ * [Security links](#security-links)
+* [Overview](#overview)
+ * [Actors](#actors)
+ * [Actions](#actions)
+ * [Background](#background)
+ * [Goals](#goals)
+ * [Non-goals](#non-goals)
+* [Self-assessment use](#self-assessment-use)
+* [Security functions and features](#security-functions-and-features)
+* [Project compliance](#project-compliance)
+* [Secure development practices](#secure-development-practices)
+* [Security issue resolution](#security-issue-resolution)
+* [Appendix](#appendix)
+
+## Metadata
+
+A table at the top for quick reference information, later used for indexing.
+
+| | |
+| -- | -- |
+| Software | https://github.com/containerd/containerd |
+| Security Provider | No |
+| Languages | Go, C++ |
+| SBOM | [Packages](https://github.com/containerd/containerd/tree/main/pkg) [Versions](https://github.com/containerd/containerd/tree/main/version) |
+| | |
+
+### Security links
+
+Provide the list of links to existing security documentation for the project. You may
+use the table below as an example:
+| Doc | url |
+| -- | -- |
+| Security file | https://github.com/containerd/project/blob/main/SECURITY.md |
+| Default and optional configs | https://github.com/containerd/containerd/blob/main/docs/man/containerd-config.toml.5.md https://github.com/containerd/containerd/blob/main/docs/cri/config.md https://github.com/containerd/containerd/blob/main/docs/hosts.md |
+
+## Overview
+
+Containerd is a Cloud Native Computing Foundation (CNCF) Project focused on providing the core functionalities for container orchestration. Specifically architected to focus on modularity and compatibility, this provides a secure and minimal approach making it a great option for integrating into different container systems.
+
+![Sample Image](https://github.com/containerd/containerd/blob/main/docs/historical/design/architecture.png)
+
+### Background
+
+Containerd, a fundamental tool in the realm of containerization, provides a dependable and standardized approach to managing containers. It is a lightweight yet powerful container runtime, ensuring a consistent and efficient experience.
+
+Originally developed by Docker, Inc. as an integral part of the Docker project, Containerd has evolved with the dynamic container ecosystem. Docker's decision to separate container runtime functionality led to Containerd, an independent project dedicated to container management.
+
+#### Core Features:
+
+**- Image and Container Management:**
+
+Containerd oversees the entire lifecycle of containers, handling tasks such as image storage, transfer, execution, and supervision. Its capabilities also extend to other essential operations like pushing, pulling, and managing container images.
+
+**- Pluggable Architecture:**
+
+Containerd boasts a modular and adaptable architecture, allowing for the assembly and reassembly of independent components. This flexibility caters to the diverse requirements of container environments.
+
+**- Security:**
+
+With a strong emphasis on security, Containerd implements features like user namespaces and seccomp profiles. These measures enhance container isolation, ensuring a robust security posture.
+
+**- Compatibility:**
+
+Aligned with the Open Container Initiative (OCI) specifications, Containerd ensures compatibility with other runtimes and tools adhering to the OCI standard. This compatibility facilitates easy transitions between container runtimes supporting OCI.
+
+**- CLI and APIs:**
+
+Containerd provides well-defined APIs for programmatic interaction with container runtimes. Additionally, its Command-Line Interface (CLI) allows manual management of containers and images.
+
+**- Production Ready:**
+
+Widely adopted in multiple container orchestration platforms and cloud-native environments, Containerd has proven itself as a production-ready solution. Its reliability is evidenced by its integration into various deployments of containerized applications.
+
+**- Community and Governance:**
+
+As an open-source project under the Cloud Native Computing Foundation (CNCF), Containerd benefits from a diverse community of contributors. This collaborative approach ensures transparent decision-making, promoting inclusiveness and continuous improvement.
+
+### Actors
+
+**- Containerd Core:**
+
+Role: Serves as the core orchestration engine, managing the execution of container-related actions.
+Significance: Defines the fundamental behavior of the container runtime, providing the essential framework for container management.
+
+**- Container Runtimes:**
+
+Role: Executes containers based on specifications provided by containerd, interacting directly with the underlying operating system.
+Significance: Key players responsible for translating container configurations into actual running instances, ensuring compatibility and adherence to standards.
+
+**- Image Registries:**
+
+Role: Acts as repositories for container images, collaborating with containerd in tasks such as image pulling, pushing, and managing metadata.
+Significance: Critical components for image distribution, storage, and retrieval, forming a pivotal part of the containerized ecosystem.
+
+**- System Administrators:**
+
+Role: Configures, monitors, and maintains containerd in the broader system context, overseeing its integration into the overall infrastructure.
+Responsibilities: Involves setup, continuous monitoring, optimization, and troubleshooting of containerd to ensure seamless operation.
+
+**- Developers/Contributors:**
+
+Role: Actively contributes to the containerd project through codebase enhancements, bug fixes, and feature development.
+Responsibilities: Shapes the evolution of containerd, addressing issues, introducing improvements, and ensuring the project's ongoing robustness.
+
+**- End Users:**
+Role: Leverage containerd for deploying, managing, and orchestrating containerized applications.
+Interaction: Engage with containerd through various interfaces and tools, contributing to the widespread adoption and integration of containerized solutions.
+
+### Actions
+
+**- Container Lifecycle Management:**
+
+Description: Orchestrates the complete lifecycle of containers, covering creation, initialization, termination, and removal.
+Significance: Acts as the backbone of container orchestration, ensuring the smooth execution of containerized applications throughout their lifecycle.
+
+**- Image Operations:**
+
+Description: Manages various image-related operations, including pulling images from repositories, pushing images to registries, and handling image metadata.
+Significance: Central to image management within the container ecosystem, enabling efficient distribution and storage of container images.
+
+**- Resource Isolation and Management:**
+
+Description: Enforces robust resource isolation for individual containers, including CPU, memory, and network resources.
+Significance: Optimizes resource utilization, preventing interference between containers and ensuring performance isolation.
+
+**- Network Configuration:**
+
+Description: Configures and manages network settings for containers, facilitating communication and maintaining network isolation.
+Significance: Ensures effective container communication while safeguarding against security vulnerabilities through proper network segmentation.
+
+**- Security Implementation:**
+
+Description: Implements comprehensive security measures within containers, covering access controls, encrypted communication, and permission management.
+Significance: Strengthens the overall security posture of containerized applications, mitigating potential vulnerabilities and ensuring secure execution.
+
+### Goals
+
+**- Component Independence:**
+
+Components should not have tight dependencies on each other, allowing them to be used independently while maintaining a natural flow when used together.
+
+**- Primitives over Abstractions:**
+
+Containerd should expose primitives to solve problems instead of building high-level abstractions in the API. This allows flexibility for higher-level implementations.
+
+**- Extensibility:**
+
+Containerd should provide defined extension points for various components, allowing alternative implementations to be swapped. For example, it uses runc as the default runtime but supports other runtimes conforming to the OCI Runtime specification.
+
+**- Defaults:**
+
+Containerd comes with default implementations for various components, chosen by maintainers. These defaults should only change if better technology emerges.
+
+**- Scope Clarity:**
+
+The project scope is clearly defined, and any changes require a 100% vote from all maintainers. The whitelist approach ensures that anything not mentioned in scope is considered out of scope.
+
+### Non-goals
+
+**- Component Tight Coupling:**
+
+Components should not have tight dependencies, promoting independence.
+
+**- High-Level Abstractions in API:**
+
+Avoid building high-level abstractions in the API, focus on exposing primitives.
+
+**- Acceptance of Additional Implementations:**
+
+Additional implementations for core components should not be accepted into the core repository and should be developed separately.
+
+**- Build as a First-Class API:**
+
+Building images is considered a higher-level feature and is out of scope.
+
+**- Volume Management:**
+
+Volume management for external data is out of scope. The API supports mounts, binds, etc., allowing different volume systems to be built on top.
+
+**- Logging Persistence:**
+
+Logging persistence is considered out of scope. Clients can handle and persist container STDIO as needed.
+
+## Self-assessment use
+
+This self-assessment is created by the Containerd team to perform an internal analysis of the project's security. It is not intended to provide a security audit of Containerd, or function as an independent assessment or attestation of Containerd's security health.
+
+This document serves to provide Containerd users with an initial understanding of Containerd's security, where to find existing security documentation, Containerd plans for security, and general overview of Containerd security practices, both for development of Containerd as well as security of Containerd.
+
+This document provides the CNCF TAG-Security with an initial understanding of Containerd to assist in a joint-assessment, necessary for projects under incubation. Taken together, this document and the joint-assessment serve as a cornerstone for if and when Containerd seeks graduation and is preparing for a security audit.
+
+## Security functions and features
+
+#### Critical
+
+**- Namespaces:**
+
+Namespaces creates more security and efficiency by allowing multiple consumers to use the same containerd without conflicts. It has the benefit of separation of containers and images, while sharing content. Addionally, it keeps the designs as simple as it needs to be.
+
+**- Capabilities:**
+
+Containerd pushes toward a least-privilege process for managing access. This limits kernel capabilities for processes. Other systems with less least-privilege could create vulnerabilities and increase their attack surfaces.
+
+**- Isolation:**
+
+With its capability systems and namespaces, containerd provides industry standard resource isolation, ensuring the resources remain isolated and secured. Resource isolation is crucial for namespaces to function as intended and vice versa.
+
+**- Modularity:**
+
+Containerd allows people to use different container systems. This gives users of containerd authority over runtimes, but if not properly handled, could lead to severe access.
+
+#### Security Relevant
+
+**- Plug-ins:**
+
+Containerd is built with a modular architecture so that other technologies can be integrated to enable new capabilities. The advantage with containerd is that these plugins can enhance the functionality of the system without needing to rebuild the containerd itself.
+
+Popular systems include metadata, container managers, filesystem differentiators, and GRPC APIs. While this is a strength of Containerd, this modularity has been the culprit of most of its previous problems. This is mostly up to others and containerd has many times not handled these plugins correctly, leading to information being unnecessary leaked. In a way, one of its greatest strengths is its greatest security vulnerability.
+
+**- Network Security:**
+
+Containerd allows for network isolation, helping lockdown containers with network changes. This prevents unauthorzed communication, but needs to be monitored properly.
+
+**- Trust:**
+
+Containerd only stores identical content once, reducing risk of storing multiple copies of vulnerable content, thereby reducing the attack surface. If more things are uploaded, this needs to be monitored as it has a big effect on the attack surface.
+
+## Project compliance
+
+Containerd is not documented as meeting any major security standards except for having bypassed a test in fuzzing. The testing done by Adacompliance deemed that the fuzzing prevention was strong and with further testing was incredibly robust for industry application.
+
+It is reasonable to suggest its minimal framework could support CIS Benchmarks on least privilege and access control policies in ISO. However, there is no public documentation with proof to having matched any of these requirements.
+
+## Secure development practices
+
+**Development pipeline:**
+
+- Containerd contributors must sign commits to ensure contributor identity and prevent unauthorized code changes.
+- Containerd images are immutable and signed. Additionally, all images are signed with a GPG key, which helps to verify the authenticity of the image.
+- Continuous integration and deployment pipelines automatically test all changes in Containerd, enabling prompt issue detection.
+- The open-source code, hosted on GitHub, encourages transparency and community involvement in reviews, aiding in early issue detection.
+- All pull requests to the containerd codebase must be reviewed by at least two reviewers before they can be merged.
+- Compliant with industry standards, including NIST SP 800-190 and CIS Docker Benchmark, Containerd prioritizes security and reliability benchmarks. It integrates with image scanning tools (Clair, Synk, Trivy, etc.), promoting trusted image registries.
+- Containerd employs privilege-dropping techniques, supports Seccomp profiles, and can operate in unprivileged user mode to minimize attack surfaces and limit security impact.
+- Resource quotas and cgroups enforce fair resource allocation, preventing resource exhaustion attacks in Containerd.
+- TLS encryption safeguards data exchange, and secure networking configurations and communication protocols protect against unauthorized access.
+- The use of secure communication protocols, such as HTTPS, when communicating with external services to protect data from exposure is also promoted.
+- Security audits occur regularly (CNCF fuzzing audit, community-driven audits, etc.) complemented by a responsible disclosure policy for discreetly reporting and addressing security issues before public disclosure.
+- Containerd releases updates with security patches, performance enhancements, and bug fixes, while comprehensive documentation guides secure deployment (https://containerd.io/docs/).
+
+**Communication Channels:**
+
+- *Internal*: The Containerd team mostly communicates with each other through Slack, GitHub, or email lists internally.
+- *Inbound*: Prospective and existing users can communicate with the Containerd team through GitHub issues, mailing lists, or the dedicated Slack channel.
+- *Outbound*: The containerd team communicates with its users through the containerd blog, social media channels such as Twitter and GitHub, and through mailing lists.
+
+**Ecosystem:**
+
+Containerd plays a pivotal role in the cloud-native ecosystem due to its core functionality as a lightweight container runtime, its integration with various container orchestration platforms, and its active participation in open-source projects. This makes it an essential component for building, deploying, and managing scalable and reliable cloud-native applications.
+
+
+## Security issue resolution
+
+**- Responsible Disclosures Process**:
+
+The responsible disclosure process for containerd is designed to manage the identification of security issues, incidents, or vulnerabilities, whether discovered internally or externally. If a security issue is found within the project team, it is reported using the same procedures as external reports. External discoveries are encouraged to follow a responsible disclosure process, which involves reporting the issue either on GitHub or via email. GitHub is the primary platform, allowing individuals to navigate to the security tab, access the Advisories tab, and use the "Report a vulnerability" option. Alternatively, an email can be sent to security@containerd.io, including details of the issue and steps to reproduce. Reporters should anticipate an acknowledgment within 24 hours and are advised to contact any committer directly if there's no response.
+
+**- Vulnerability Response Process**:
+
+The responsibility for responding to a reported vulnerability rests with the committers of containerd. Once a committer confirms the relevance of the reported vulnerability, a draft security advisory is created on GitHub. Reports can be submitted through GitHub or via email to security@containerd.io. Reporters interested in participating in the discussion can provide their GitHub usernames for an invitation. Alternatively, they can opt to receive updates via email. If the vulnerability is accepted, a timeline for developing a patch, public disclosure, and patch release is established. In cases where an embargo period precedes public disclosure, an announcement is sent to the security announce mailing list, detailing the vulnerability scope, patch release date, and public disclosure date. Reporters are expected to engage in the discussion of the timeline and adhere to agreed-upon dates for public disclosure.
+
+**- Incident Response**:
+
+Defined procedures are in place for triaging reported vulnerabilities, assessing their severity and relevance. The confirmation process involves validating the reported vulnerability to determine its authenticity and impact. If the vulnerability is confirmed, the involved parties, including the reporter(s), are notified. A timeline for developing a patch and making updates available is determined. Depending on the embargo period, the vulnerability and patch release details are publicly disclosed using the security announce mailing list. Reporters are expected to comply with agreed-upon dates for public disclosure, ensuring a responsible and coordinated release of information. This process ensures a systematic and transparent approach to handling security issues, promoting responsible disclosure, and achieving timely resolution.
+
+## Appendix
+
+
+* Known Issues Over Time:
+
+ There have been some problems in the past with the plugins that containerd has. Even though it is a feature, it has led to problems when the plugins are not correctly inputted.
+ - https://github.com/containerd/containerd/pull/7347
+ - https://github.com/containerd/containerd/pull/8056
+
+ There is also a few issues with its ability to access resources. In attempt to keep least-privilege access, the dulling out when available can be problematic
+ - https://github.com/containerd/containerd/issues/3351
+ - https://www.cvedetails.com/cve/CVE-2023-25153/
+ - https://www.cvedetails.com/cve/CVE-2022-31030/
+ - https://www.cvedetails.com/cve/CVE-2022-23471/
+ - https://www.cvedetails.com/cve/CVE-2021-32760/
+
+
+* Record in catching issues in code review or automated testing:
+
+ **Current Level: [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/1271/badge)](https://www.bestpractices.dev/projects/1271)**
+
+ The project achieved the following
+ - Basics: 13/13 passed
+ - Change Control: 9/9 passed
+ - Reporting: 8/8 passed
+ - Quality: 13/13 passed
+ - Security: 16/16 passed
+ - Analysis: 8/8 passed
+
+
+* Case Studies:
+
+ Demonstrates how Red Hat OpenShift, integrated with containerd, streamlines containerization adoption and simplifies Kubernetes management.
+
+ https://swapnasagarpradhan.medium.com/install-a-kubernetes-cluster-on-rhel8-with-conatinerd-b48b9257877a
+
+ Explores how containerd simplifies container management on Google Kubernetes Engine (GKE), Google Cloud's fully managed Kubernetes service.
+
+ https://cloud.google.com/kubernetes-engine
+
+ Delves into the integration of containerd with Amazon Elastic Container Service (ECS), Amazon Web Services' container orchestration service
+
+ https://aws.amazon.com/blogs/containers/tag/containerd/
+
+ Explores how containerd enables organizations to effectively manage containers on Azure Kubernetes Service (AKS), Microsoft Azure's managed Kubernetes service
+
+ https://azure.microsoft.com/en-us/updates/generally-available-containerd-support-for-windows-in-aks/
+
+* Related Projects / Vendors:
+
+ https://www.docker.com/products/container-runtime/
+
+ https://cri-o.io/
+
+ https://humalect.com/blog/containerd-vs-docker/
+
+ https://www.wallarm.com/cloud-native-products-101/containerd-vs-docker-what-is-the-difference-between-the-tools/
+
+
From 248d6e21e4e27d644e5c5c438e56517045334194 Mon Sep 17 00:00:00 2001
From: nomnomninja <150766910+nomnomninja@users.noreply.github.com>
Date: Thu, 14 Dec 2023 15:57:12 -0500
Subject: [PATCH 04/11] Removed template text and added more information for related vendors

Signed-off-by: nomnomninja <150766910+nomnomninja@users.noreply.github.com>
Signed-off-by: Nate-Smithline
---
 Containerd/self-assessment.md | 36 +++++++++++++++--------------------
 1 file changed, 15 insertions(+), 21 deletions(-)

diff --git a/Containerd/self-assessment.md b/Containerd/self-assessment.md
index b5af4a51d..697bc743c 100644
--- a/Containerd/self-assessment.md
+++ b/Containerd/self-assessment.md
@@ -5,10 +5,6 @@ documentation for their users. This document is ideal for projects currently in
 CNCF **sandbox** as well as projects that are looking to receive a joint assessment and
 currently in CNCF **incubation**.
 
-For a detailed guide with step-by-step discussion and examples, check out the free
-Express Learning course provided by Linux Foundation Training & Certification:
-[Security Assessments for Open Source Projects](https://training.linuxfoundation.org/express-learning/security-self-assessments-for-open-source-projects-lfel1005/).
-
 # Self-assessment outline
 
 ## Table of contents
@@ -34,7 +30,7 @@ A table at the top for quick reference information, later used for indexing.
 
 | | |
 | -- | -- |
-| Software | https://github.com/containerd/containerd |
+| Software | [containerd](https://github.com/containerd/containerd) |
 | Security Provider | No |
 | Languages | Go, C++ |
 | SBOM | [Packages](https://github.com/containerd/containerd/tree/main/pkg) [Versions](https://github.com/containerd/containerd/tree/main/version) |
@@ -262,7 +258,7 @@ It is reasonable to suggest its minimal framework could support CIS Benchmarks o
 - TLS encryption safeguards data exchange, and secure networking configurations and communication protocols protect against unauthorized access.
 - The use of secure communication protocols, such as HTTPS, when communicating with external services to protect data from exposure is also promoted.
 - Security audits occur regularly (CNCF fuzzing audit, community-driven audits, etc.) complemented by a responsible disclosure policy for discreetly reporting and addressing security issues before public disclosure.
-- Containerd releases updates with security patches, performance enhancements, and bug fixes, while comprehensive documentation guides secure deployment (https://containerd.io/docs/).
+- Containerd releases updates with security patches, performance enhancements, and bug fixes, while comprehensive [documentation](https://containerd.io/docs/) guides secure deployment.
 
 **Communication Channels:**
 
@@ -321,30 +317,28 @@ Defined procedures are in place for triaging reported vulnerabilities, assessing * Case Studies: - Demonstrates how Red Hat OpenShift, integrated with containerd, streamlines containerization adoption and simplifies Kubernetes management. - - https://swapnasagarpradhan.medium.com/install-a-kubernetes-cluster-on-rhel8-with-conatinerd-b48b9257877a - - Explores how containerd simplifies container management on Google Kubernetes Engine (GKE), Google Cloud's fully managed Kubernetes service. - - https://cloud.google.com/kubernetes-engine + [Demonstrates how Red Hat OpenShift, integrated with containerd, streamlines containerization adoption and simplifies Kubernetes management.](https://swapnasagarpradhan.medium.com/install-a-kubernetes-cluster-on-rhel8-with-conatinerd-b48b9257877a) - Delves into the integration of containerd with Amazon Elastic Container Service (ECS), Amazon Web Services' container orchestration service + [Explores how containerd simplifies container management on Google Kubernetes Engine (GKE), Google Cloud's fully managed Kubernetes service.](https://cloud.google.com/kubernetes-engine) - https://aws.amazon.com/blogs/containers/tag/containerd/ + [Delves into the integration of containerd with Amazon Elastic Container Service (ECS), Amazon Web Services' container orchestration service](https://aws.amazon.com/blogs/containers/tag/containerd/) - Explores how containerd enables organizations to effectively manage containers on Azure Kubernetes Service (AKS), Microsoft Azure's managed Kubernetes service - - https://azure.microsoft.com/en-us/updates/generally-available-containerd-support-for-windows-in-aks/ + [Explores how containerd enables organizations to effectively manage containers on Azure Kubernetes Service (AKS), Microsoft Azure's managed Kubernetes service](https://azure.microsoft.com/en-us/updates/generally-available-containerd-support-for-windows-in-aks/) * Related Projects / Vendors: + Docker uses Containerd for Container 
management, it offers complete container management service such as image building, user interface and a built-in runtime. + https://www.docker.com/products/container-runtime/ - + https://humalect.com/blog/containerd-vs-docker/ + https://www.wallarm.com/cloud-native-products-101/containerd-vs-docker-what-is-the-difference-between-the-tools/ + + Cri-o and containerd are both container runtimes, but they serve different purposes and have different relationships with Kubernetes. Cri-o is designed specifically for Kubernetes and has a smaller footprint, which is optimized for resource usage within Kubernetes. It leverages containerd's core functionalities for image management and execution, but adds Kubernetes-specific features and optimizations. + https://cri-o.io/ - https://humalect.com/blog/containerd-vs-docker/ - https://www.wallarm.com/cloud-native-products-101/containerd-vs-docker-what-is-the-difference-between-the-tools/ + + From 16303bf47b6615127b33f5cc9792d4d9e00dd837 Mon Sep 17 00:00:00 2001 From: Nate-Smithline Date: Thu, 14 Dec 2023 17:33:40 -0500 Subject: [PATCH 05/11] fixed first comment and added more details on who authored the doc Signed-off-by: Nate-Smithline --- Containerd/self-assessment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Containerd/self-assessment.md b/Containerd/self-assessment.md index 697bc743c..4bedcfad3 100644 --- a/Containerd/self-assessment.md +++ b/Containerd/self-assessment.md 
@@ -195,7 +195,7 @@ Logging persistence is considered out of scope. Clients can handle and persist c
 
 ## Self-assessment use
 
-This self-assessment is created by the Containerd team to perform an internal analysis of the project's security. It is not intended to provide a security audit of Containerd, or function as an independent assessment or attestation of Containerd's security health.
+This self-assessment was authored by Swati Baleri, Vivek Radhakrishnan, Swati Baleri, Sunny Li, and Nathan Smith with a format established by the Containerd maintainers. The purpose of this document is to perform an internal analysis of the project's security. It is not intended to provide a security audit of Containerd, or function as an independent assessment or attestation of Containerd's security health.
 
 This document serves to provide Containerd users with an initial understanding of Containerd's security, where to find existing security documentation, Containerd plans for security, and general overview of Containerd security practices, both for development of Containerd as well as security of Containerd.
 

From 710752d7d16b3a7f94f51139247ba5a8fc569927 Mon Sep 17 00:00:00 2001
From: Sunny Li <100388296+sunnnnyli@users.noreply.github.com>
Date: Thu, 14 Dec 2023 18:27:30 -0500
Subject: [PATCH 06/11] Re-added the changes in actor section

Signed-off-by: Sunny Li <100388296+sunnnnyli@users.noreply.github.com>
---
 Containerd/self-assessment.md | 25 +++++++------------------
 1 file changed, 7 insertions(+), 18 deletions(-)

diff --git a/Containerd/self-assessment.md b/Containerd/self-assessment.md
index 4bedcfad3..d2928876d 100644
--- a/Containerd/self-assessment.md
+++ b/Containerd/self-assessment.md
@@ -91,32 +91,21 @@ As an open-source project under the Cloud Native Computing Foundation (CNCF), Co
 
 **- Containerd Core:**
 
-Role: Serves as the core orchestration engine, managing the execution of container-related actions.
-Significance: Defines the fundamental behavior of the container runtime, providing the essential framework for container management.
+Role: Serves as the core orchestration engine, managing the complete lifecycle of containers.
+Functionality: Coordinates tasks such as image storage, transfer, execution, and supervision. Ensures a consistent and efficient containerized application experience.
+Isolation: Adopts a modular design, separating concerns to prevent unauthorized access and actions. Implements access controls to reinforce security.
 
 **- Container Runtimes:**
 
 Role: Executes containers based on specifications provided by containerd, interacting directly with the underlying operating system.
-Significance: Key players responsible for translating container configurations into actual running instances, ensuring compatibility and adherence to standards.
+Functionality: Translates container configurations into running instances, ensuring compatibility and adherence to standards.
+Isolation: Operates within well-defined boundaries, utilizing namespaces and cgroups for robust process and resource isolation.
 
 **- Image Registries:**
 
 Role: Acts as repositories for container images, collaborating with containerd in tasks such as image pulling, pushing, and managing metadata.
-Significance: Critical components for image distribution, storage, and retrieval, forming a pivotal part of the containerized ecosystem.
-
-**- System Administrators:**
-
-Role: Configures, monitors, and maintains containerd in the broader system context, overseeing its integration into the overall infrastructure.
-Responsibilities: Involves setup, continuous monitoring, optimization, and troubleshooting of containerd to ensure seamless operation.
-
-**- Developers/Contributors:**
-
-Role: Actively contributes to the containerd project through codebase enhancements, bug fixes, and feature development.
-Responsibilities: Shapes the evolution of containerd, addressing issues, introducing improvements, and ensuring the project's ongoing robustness.
-
-**- End Users:**
-Role: Leverage containerd for deploying, managing, and orchestrating containerized applications.
-Interaction: Engage with containerd through various interfaces and tools, contributing to the widespread adoption and integration of containerized solutions.
+Functionality: Stores and facilitates the distribution of container images, supporting seamless integration with containerd for efficient image management.
+Isolation: Maintains a separate identity to prevent unauthorized modifications. Implements access controls to secure image repositories.
 
 ### Actions
 

From 1334051db3cddd743a94620d5184e9938dea28b6 Mon Sep 17 00:00:00 2001
From: Nate-Smithline
Date: Fri, 15 Dec 2023 11:09:48 -0500
Subject: [PATCH 07/11] Fixed all changes from Andrew, aka sublimino, thank you

Signed-off-by: Nate-Smithline
---
 Containerd/self-assessment.md | 29 +++++++++++++-----------------
 tag-security | 1 +
 2 files changed, 12 insertions(+), 18 deletions(-)
 create mode 160000 tag-security

diff --git a/Containerd/self-assessment.md b/Containerd/self-assessment.md
index d2928876d..8f805b655 100644
--- a/Containerd/self-assessment.md
+++ b/Containerd/self-assessment.md
@@ -1,11 +1,4 @@
-# Self-assessment
-The Self-assessment is the initial document for projects to begin thinking about the
-security of the project, determining gaps in their security, and preparing any security
-documentation for their users. This document is ideal for projects currently in the
-CNCF **sandbox** as well as projects that are looking to receive a joint assessment and
-currently in CNCF **incubation**.
-
-# Self-assessment outline
+# Containerd Self-assessment
 
 ## Table of contents
 
@@ -26,7 +19,6 @@ currently in CNCF **incubation**.
 
 ## Metadata
 
-A table at the top for quick reference information, later used for indexing.
 
 | | |
 | -- | -- |
@@ -36,26 +28,27 @@ A table at the top for quick reference information, later used for indexing. | SBOM | [Packages](https://github.com/containerd/containerd/tree/main/pkg) [Versions](https://github.com/containerd/containerd/tree/main/version) | | | | + ### Security links -Provide the list of links to existing security documentation for the project. You may -use the table below as an example: + | Doc | url | | -- | -- | | Security file | https://github.com/containerd/project/blob/main/SECURITY.md | | Default and optional configs | https://github.com/containerd/containerd/blob/main/docs/man/containerd-config.toml.5.md https://github.com/containerd/containerd/blob/main/docs/cri/config.md https://github.com/containerd/containerd/blob/main/docs/hosts.md | + ## Overview -Containerd is a Cloud Native Computing Foundation (CNCF) Project focused on providing the core functionalities for container orchestration. Specifically architected to focus on modularity and compatibility, this provides a secure and minimal approach making it a great option for integrating into different container systems. +Containerd is a container runtime focused on providing the core functionalities for managing container lifecycles. Specifically architected to focus on modularity and compatibility, it provides a secure and minimal approach making it a great option for integrating into different container orchestrators. -![Sample Image](https://github.com/containerd/containerd/blob/main/docs/historical/design/architecture.png) +![Overview Image](https://github.com/containerd/containerd/blob/main/docs/historical/design/architecture.png) ### Background Containerd, a fundamental tool in the realm of containerization, provides a dependable and standardized approach to managing containers. It is a lightweight yet powerful container runtime, ensuring a consistent and efficient experience. -Originally developed by Docker, Inc. 
as an integral part of the Docker project, Containerd has evolved with the dynamic container ecosystem. Docker's decision to separate container runtime functionality led to Containerd, an independent project dedicated to container management. +Originally developed by Docker, Inc. as an integral part of the Docker project, containerd has evolved with the dynamic container ecosystem. Docker's decision to separate container runtime functionality from the runc project led to containerd, an independent project dedicated to container management. #### Core Features: @@ -73,7 +66,7 @@ With a strong emphasis on security, Containerd implements features like user nam **- Compatibility:** -Aligned with the Open Container Initiative (OCI) specifications, Containerd ensures compatibility with other runtimes and tools adhering to the OCI standard. This compatibility facilitates easy transitions between container runtimes supporting OCI. +Aligned with the Open Container Initiative (OCI) specifications, containerd ensures compatibility with other runtimes and tools adhering to the OCI standard. This compatibility facilitates easy transitions between container runtimes supporting OCI. **- CLI and APIs:** @@ -91,7 +84,7 @@ As an open-source project under the Cloud Native Computing Foundation (CNCF), Co **- Containerd Core:** -Role: Serves as the core orchestration engine, managing the complete lifecycle of containers. +Role: The core container orchestration engine, managing the complete container lifecycle. Functionality: Coordinates tasks such as image storage, transfer, execution, and supervision. Ensures a consistent and efficient containerized application experience. Isolation: Adopts a modular design, separating concerns to prevent unauthorized access and actions. Implements access controls to reinforce security. 
@@ -103,7 +96,7 @@ Isolation: Operates within well-defined boundaries, utilizing namespaces and cgr
 
 **- Image Registries:**
 
-Role: Acts as repositories for container images, collaborating with containerd in tasks such as image pulling, pushing, and managing metadata.
+Role: Repositories for container images, providing storage and retrieval for containerd in tasks such as image pulling, pushing, and metadata management.
 Functionality: Stores and facilitates the distribution of container images, supporting seamless integration with containerd for efficient image management.
 Isolation: Maintains a separate identity to prevent unauthorized modifications. Implements access controls to secure image repositories.
 
@@ -184,7 +177,7 @@ Logging persistence is considered out of scope. Clients can handle and persist c
 
 ## Self-assessment use
 
-This self-assessment was authored by Swati Baleri, Vivek Radhakrishnan, Swati Baleri, Sunny Li, and Nathan Smith with a format established by the Containerd maintainers. The purpose of this document is to perform an internal analysis of the project's security. It is not intended to provide a security audit of Containerd, or function as an independent assessment or attestation of Containerd's security health.
+This self-assessment was authored by Swati Baleri, Vivek Radhakrishnan, Sunny Li, and Nathan Smith with a format established by the Containerd maintainers. The purpose of this document is to perform an internal analysis of the project's security. It is not intended to provide a security audit of Containerd, or function as an independent assessment or attestation of Containerd's security health.
 
 This document serves to provide Containerd users with an initial understanding of Containerd's security, where to find existing security documentation, Containerd plans for security, and general overview of Containerd security practices, both for development of Containerd as well as security of Containerd.
 
diff --git a/tag-security b/tag-security
new file mode 160000
index 000000000..20ec9e835
--- /dev/null
+++ b/tag-security
@@ -0,0 +1 @@
+Subproject commit 20ec9e8359193e2c7c7fbb2aee771b38b2e03680

From 0118c4c31ada32f5c61381ec9838269366bb3797 Mon Sep 17 00:00:00 2001
From: Nate-Smithline
Date: Fri, 15 Dec 2023 11:14:23 -0500
Subject: [PATCH 08/11] Fixed all changes from Andrew, aka sublimino, thank you

Signed-off-by: Nate-Smithline
---
 tag-security | 1 -
 1 file changed, 1 deletion(-)
 delete mode 160000 tag-security

diff --git a/tag-security b/tag-security
deleted file mode 160000
index 20ec9e835..000000000
--- a/tag-security
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 20ec9e8359193e2c7c7fbb2aee771b38b2e03680

From a895bb10625f2824f2d933bf0a74566c4489a089 Mon Sep 17 00:00:00 2001
From: Raga
Date: Tue, 16 Jan 2024 13:24:34 -0600
Subject: [PATCH 09/11] Update Containerd/self-assessment.md

Co-authored-by: torinvdb <65670557+torinvdb@users.noreply.github.com>
Signed-off-by: Raga
---
 Containerd/self-assessment.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Containerd/self-assessment.md b/Containerd/self-assessment.md
index 8f805b655..61c18107e 100644
--- a/Containerd/self-assessment.md
+++ b/Containerd/self-assessment.md
@@ -1,5 +1,7 @@
 # Containerd Self-assessment
 
+This assessment was created by community members as part of the [Security Pals](https://github.com/cncf/tag-security/issues/1102) process and is currently pending changes from the maintainer team.
+
 ## Table of contents
 
 * [Metadata](#metadata)

From 73c7c6902a44e66d4ed819c3314897578da9a7b2 Mon Sep 17 00:00:00 2001
From: Raga
Date: Tue, 16 Jan 2024 13:24:47 -0600
Subject: [PATCH 10/11] Update Containerd/self-assessment.md

Co-authored-by: torinvdb <65670557+torinvdb@users.noreply.github.com>
Signed-off-by: Raga
---
 Containerd/self-assessment.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Containerd/self-assessment.md b/Containerd/self-assessment.md
index 61c18107e..d229961f5 100644
--- a/Containerd/self-assessment.md
+++ b/Containerd/self-assessment.md
@@ -24,6 +24,7 @@ This assessment was created by community members as part of the [Security Pals](
 
 | | |
 | -- | -- |
+| Assessment Stage | Incomplete |
 | Software | [containerd](https://github.com/containerd/containerd) |
 | Security Provider | No |
 | Languages | Go, C++ |

From 2024e07ebd49964a1338c9866902d5bed812196d Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Tue, 27 Aug 2024 16:49:42 -0500
Subject: [PATCH 11/11] Corrected file location

Signed-off-by: Eddie Knight
---
 .../assessments/projects/containerd}/self-assessment.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {Containerd => community/assessments/projects/containerd}/self-assessment.md (100%)

diff --git a/Containerd/self-assessment.md b/community/assessments/projects/containerd/self-assessment.md
similarity index 100%
rename from Containerd/self-assessment.md
rename to community/assessments/projects/containerd/self-assessment.md