Lightning Round at Security Slam 2023
Published: March 6th, 2024
Empowering Kubernetes with a day of security hygiene and new-contributor onboarding
December 15, 2023, marked a significant day in the world of Kubernetes, as the community came together for a special Lightning Round of the Security Slam.
Organized by Sonatype with support from CNCF and TAG Security, the Security Slam was a month-long event that occurred in 2022 and 2023, with an aim to improve supply chain security at the source by improving hygiene across CNCF projects.
The Lightning Round took a different approach. Instead of working on a wide variety of improvements across the entire CNCF ecosystem, the focus was laser-sharp for this one-day event: Enhance the security hygiene of Kubernetes subprojects. As a secondary goal, we sought to onboard new Kubernetes contributors, a vital yet challenging task.
Partnership behind the Lightning Round
The event was a concerted effort. Planning and organization was driven by Sonatype and the CNCF, while the Google Open Source Security Team (GOSST) sponsored hoodies for participants and maintainers, adding a touch of warmth and solidarity.
We were proud to sponsor the Lightning Round of the CNCF Security Slam. Its focus on finding practical security solutions for Kubernetes subprojects demonstrates the power of collaborative problem-solving, a value we strongly support for a secure cloud-native ecosystem.
Bob Callaway
Participants were mentored during the event by Kubernetes maintainers Adolfo García Veytia, Carlos Eduardo Arango Gutierrez, Mahamed Ali, and Manuel Rüger. These four played a pivotal role in streamlining activities, leading to numerous GitHub pull requests being successfully merged into the subprojects!
We did a lot, and learned a lot during this event. Working with Kubernetes maintainers and new contributors, we were able to create meaningful contributions as well as meaningful connections during the Lightning Round. There are things coming in 2024 that have their roots in the experiences we gained here.
Eddie Knight
Sonatype
Overall goal: Improve security hygiene
In a focused effort to bolster Kubernetes’ security and onboard new contributors, maintainers opened the gates for contributions from the wider community during this special event.
With a mindful approach to inclusivity and effectiveness, organizers paired participants with tasks that matched their experience levels, ensuring a balanced and productive environment. This thoughtful structuring was central to the event’s design, accommodating a limited number of seats per experience bracket to maximize engagement and impact.
The aforementioned mentors played a pivotal role in streamlining activities, leading to numerous GitHub pull requests for the subprojects.
Two express learning courses from the Linux Foundation were specially created for the event, aiming to provide structured on-demand learning (LFEL1006 and LFEL1007). These courses helped to quickly get participants up to speed on things like the CLOMonitor, OpenSSF Scorecard, and common solutions for provenance and software supply chain security.
Execution: A showcase of success
Following the kickoff webinar where participants were divided into groups and given instructions, they were encouraged to use Zoom breakout rooms to coordinate and share knowledge throughout the day.
Noteworthy pull requests and issues were created on the subprojects by the following twenty participants:
- Cloud Provider AWS: Parth Inamdar, Rohan.S. Jamadagni
- Gateway API: Hrittik Roy
- Karpenter: Suruchi Kumari, Sreeram Venkitesh, Ricardo Lopes, Yash Pimple
- Kompose: Debabrata Sarkar, Dipesh Rawat, Rudraksh Karpe
- Kube State Metrics: Dale Henries, Shafeeque E S, Juan Escalada, Sujay Dey
- Kueue: Paul Schweigert, Jeff Bailey, Ashish Malik
- Minikube: Sonu Singh, Pranav Kamath KV, Sandipan Panda
I started contributing to the Kubernetes security space this year. After this event I am confident enough to make some significant contributions in the upcoming year.
Ashish Malik
Participant
I believe the event raised the security awareness for both new contributors as well as subproject maintainers. This opened the door for new contributors to get started and become active members of the community and its projects.
Ricardo Lopes
Participant
Events like this bring so many new contributors like me, who are using the Kubernetes ecosystem but don’t know how they can contribute back to the community. Events like this not only help us understand how we can contribute but also motivate us.
Debabrata Sarkar
Participant
It was nice to have a focused way to make some contributions to the Kubernetes ecosystem. The barrier to entry to make contributions is usually fairly high (good first issues get snapped up quickly, and unless you know a maintainer it’s hard to find things to work on), so this event definitely helped bring the good vibes.
Paul Schweigert
Participant
Lessons and future steps
While the event was a success, there were several lessons learned that we believe will help similar events in the future.
- Maintainers volunteering as mentors were taxed or intimidated by the long day of work, especially as it was scheduled during working hours for US participants.
- In contrast to the previous point, many participants from timezones such as IST struggled with the schedule as it required them to work late into the night if they wanted to participate live with their peers.
- We learned that more help was needed for maintainers reviewing pull requests, especially seeing as PRs were being raised at the beginning of the winter break.
- Most, if not all, participants appear to have been exclusively motivated by the desire to participate in a community-driven activity rather than prizes… but the prizes help communicate that this is a real event with support from the most respected software security organizations in the community.
While this event achieved many of the goals we hoped for, I believe it would be more impactful to have a future event that is more similar to the main CNCF Security Slam: a multi-day or week-long event that has larger support from the CNCF and is announced far in advance. This way we can provide ongoing guidance and support to best mentor new long term contributors.
Eduardo Arango Gutierrez
NVIDIA (Maintainer Mentor)
As we look ahead, we hope to incorporate Kubernetes subprojects into future Security Slam events from the outset. This change would spread the event out over multiple days or weeks, while also inviting more people from the community into the planning process.
Observations related to participant motivation will help influence activity selection and pre-event promotion in the future, while notes related to maintainer’s needs show us that we need to plan ahead for improved post-event support.
The Lightning Round of the Security Slam 2023 served as a stepping stone toward a more secure and inclusive Kubernetes community. Stay tuned as we continue to break down barriers and build up our collective security expertise!