feat(docs): Kubeflow Security Self Assessment

[andreyvelich]

Part of: #858, #851

This is initial Kubeflow Security Self-Assessment document required for CNCF graduation.

Source: https://tag-security.cncf.io/community/assessments/guide/self-assessment/#project-compliance

The document structure is similar to Knative and KServe self-assessments.

/hold for review

/assign @kubeflow/kubeflow-steering-committee @kubeflow/wg-training-leads @kubeflow/wg-pipeline-leads @kubeflow/wg-notebooks-leads @kubeflow/wg-manifests-leads @kubeflow/wg-data-leads @kubeflow/red-hat @kubeflow/wg-automl-leads @castrojo @kubeflow/kubeflow-outreach-committee

[juliusvonkohout]

Suggested change

	- **Attend** the _Kubeflow Manifests WG_ meeting ([meeting notes](https://docs.google.com/document/d/1je_qzoJCAVXndxeJAgA8cdugvYZfsgrAi7HP_WDeUN0/edit), [community calendar](https://www.kubeflow.org/docs/about/community/#kubeflow-community-calendars)).
	- **Attend** the _Kubeflow Platform (manifests & security) WG_ meeting ([meeting notes](https://docs.google.com/document/d/1je_qzoJCAVXndxeJAgA8cdugvYZfsgrAi7HP_WDeUN0/edit), [community calendar](https://www.kubeflow.org/docs/about/community/#kubeflow-community-calendars)).

[andreyvelich]

@juliusvonkohout We haven't established the Platform or Security WG yet as part of this discussion: #837

Can we agree on the new WG, SIG, or Committee, and update the README after it ?

cc @kimwnasptd @thesuperzapper

[juliusvonkohout]

This i also how we call the meeting on the website and calendar entry.

[andreyvelich]

Yes, but we haven't established this working group yet. Can we officially create this working group here, and then update this doc ?

[juliusvonkohout]

Done #896 CC @kimwnasptd

[juliusvonkohout]

May we use a compact markdown table ?

Suggested change

<table>

<thead>

<tr>

<th>Name</th>

<th>Information</th>

</tr>

</thead>

<tbody>

<tr>

<td>Assessment Stage</td>

<td>Incomplete</td>

</tr>

<tr>

<td>Software</td>

<td>

<a href="https://github.com/kubeflow/spark-operator">Kubeflow Spark Operator</a>,

<a href="https://github.com/kubeflow/notebooks">Kubeflow Notebooks</a>,

<a href="https://github.com/kubeflow/trainer">Kubeflow Trainer</a>,

<a href="https://github.com/kubeflow/katib">Kubeflow Katib</a>,

<a href="https://github.com/kubeflow/model-registry">Kubeflow Model Registry</a>,

<a href="https://github.com/kubeflow/pipelines">Kubeflow Pipelines</a>

</td>

</tr>

<tr>

<td>Security Provider?</td>

<td>No. Kubeflow projects are not security providers</td>

</tr>

<tr>

<td>Languages</td>

<td>Python, Go, TypeScript</td>

</tr>

</tbody>

</table>

| Name | Information |

|---|---|

| Assessment Stage | Incomplete |

| Software | [Kubeflow Spark Operator](https://github.com/kubeflow/spark-operator), [Kubeflow Notebooks](https://github.com/kubeflow/notebooks), [Kubeflow Trainer](https://github.com/kubeflow/trainer), [Kubeflow Katib](https://github.com/kubeflow/katib), [Kubeflow Model Registry](https://github.com/kubeflow/model-registry), [Kubeflow Pipelines](https://github.com/kubeflow/pipelines) |

| Security Provider? | No. Kubeflow projects are not security providers |

| Languages | Python, Go, TypeScript |

Name	Information
Assessment Stage	Incomplete
Software	Kubeflow Spark Operator, Kubeflow Notebooks, Kubeflow Trainer, Kubeflow Katib, Kubeflow Model Registry, Kubeflow Pipelines
Security Provider?	No. Kubeflow projects are not security providers
Languages	Python, Go, TypeScript

[andreyvelich]

I didn't add it since my editor formats the table due to very long 3rd row with Kubeflow Projects.
If you think, that is better, I can disable my formatter and use your table.

[juliusvonkohout]

Suggested change

	- Kubeflow Platform security policy: https://github.com/kubeflow/pipelines/blob/master/SECURITY.md

[juliusvonkohout]

See kubeflow/manifests#3187

[andreyvelich]

As part of self-assessment we say that Kubeflow consists of six open source project, and I keep it consistent everywhere in the doc (e.g. Security links, SBOM, Actors and Actions to avoid confusion for CNCF and security audit.
Additionally, we didn't ask to perform security audit for Kubeflow Manifests.

Thus, I am not sure if we should include the Kubeflow Manifests security policy.

[juliusvonkohout]

Lets try to stay close to the official what is kubeflow text

Suggested change

	Kubeflow is the foundation of tools for AI platforms on Kubernetes. Kubeflow projects address
	each stage in [the AI lifecycle](https://www.kubeflow.org/docs/started/architecture/#introducing-the-ml-lifecycle)
	with support for best-in-class open source [tools and frameworks](https://www.kubeflow.org/docs/started/architecture/#kubeflow-ecosystem).
	Kubeflow projects make AI simple, scalable, and portable.
	Kubeflow is the foundation of tools for AI Platforms on Kubernetes.
	AI platform teams can build on top of Kubeflow by using each project independently or deploying the
	entire AI reference platform to meet their specific needs. The Kubeflow AI reference platform is
	composable, modular, portable, and scalable, backed by an ecosystem of Kubernetes-native
	projects that cover every stage of the [AI lifecycle]((https://www.kubeflow.org/docs/started/architecture/#introducing-the-ml-lifecycle)) with support for best-in-class open source [tools and frameworks](https://www.kubeflow.org/docs/started/architecture/#kubeflow-ecosystem).

[andreyvelich]

Yes, I will update it once we merge this PR: kubeflow/kubeflow#7734

[juliusvonkohout]

I think we do enforce Kustomize and helm

Suggested change

	- Kubeflow doesn't enforce a deployment method or distribution for Kubeflow projects.
	- Support another deployment method next to Kustomize and Helm manifests

[andreyvelich]

I think, @thesuperzapper added this no-goal to the GTR doc: https://docs.google.com/document/d/15CZtkk3x-YIUaNnaRzIZaIKrfDfT6is_PAlRDIoBKgQ/edit?tab=t.0

@thesuperzapper Can you give context here please ?

[juliusvonkohout]

Suggested change

	Kubeflow Platform: https://www.bestpractices.dev/en/projects/9940

[andreyvelich]

Same comment as here: #871 (comment)

[juliusvonkohout]

See kubeflow/manifests#3187

Suggested change

	- https://github.com/kubeflow/manifests/blob/master/CONTRIBUTING.md

[juliusvonkohout]

Suggested change

	- `#kubeflow-platform`

[juliusvonkohout]

Suggested change

	- https://github.com/kubeflow/pipelines/blob/master/SECURITY.md

[juliusvonkohout]

@andreyvelich i added my comments
/hold

[andreyvelich]

cc @chensun @droctothorpe @HumairAK @james-jwu to review KFP docs.

[zazulam]

@andreyvelich no objections from my end on the KFP sections, they look good to me.

[tarilabs]

Thank you @andreyvelich , some minor/hopefully-helpful comments below 🙏

[tarilabs]

Suggested change

	- https://github.com/kubeflow/model-registry/blob/main/go.mod
	- https://github.com/kubeflow/model-registry/blob/main/go.mod, https://github.com/kubeflow/model-registry/blob/main/clients/python/pyproject.toml

[droctothorpe]

Sorry for all the nits, @andreyvelich. Thank you so much for steering this! 🙏

[andreyvelich]

Thanks everyone for your review!
If that initial version looks good, we can merge it and improve it over time.

[andreyvelich]

/hold cancel

[andreyvelich]

TODO: Change it to v1 once code is migrated.
cc @andyatmiami @thesuperzapper

[franciscojavierarceo]

/approve
/lgtm

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: franciscojavierarceo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• security/OWNERS [franciscojavierarceo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment