Publish threat model in documentation

[evankanderson]

Check in a format threat model, following up on the commitment in cncf/toc#1509 (comment) (Better late than never!)

Proposed Changes

• Adds a formal threat model for Knative Serving and Eventing
  • This combines the draft contents from the community repo with the AdaLogics report, and adds a bunch of new content that I've been meaning to write. It does not currently include diagrams, though I may add some later.

Once this is merged, I intend to redirect the draft threat model from the community repo to this documentation.

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: evankanderson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [evankanderson]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Deploy Preview for knative ready!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	409c453
🔍 Latest deploy log	https://app.netlify.com/projects/knative/deploys/682c0757918f420008bcc927
😎 Deploy Preview	https://deploy-preview-6263--knative.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[evankanderson]

I moved this to verifying-cli.md, as it didn't really fit with the rest of the overview

[dprotaso]

bump @davidhadas

[davidhadas]

I believe we were planning to move from mailing report to github for reporting a security vulnerability. This ode snot have to be done in this PR, but I thought to bring this up in case we chose to also do it here.

[evankanderson]

I was going to do that as a follow-on, as we haven't set up private vulnerability reporting consistently on all the repos yet.

[davidhadas]

This first paragraph try to answer the question when do we use the Knative threat model rather than describing what it is or giving any useful information for it. I think it a side note how we may use it and not a good way to start the document.

[evankanderson]

I moved this paragraph to a "Usage of this document" coda.

[davidhadas]

This second paragraph seem to frame the Knative threat model and its relationship with best practices - again I do not think it is a helpful starting statement for a page spelling out what is the Knative threat model - the information should be in the doc, but we first need to layout what is the Knative threat model...

[davidhadas]

This third paragraph does provide some information about what the threat model is. I do think we need to find a way to make it more comprehensive and say what it is and not what it is not (i.e. not talk about multiple clusters in here , multiple clusters can be discussed at a later limitations section maybe). Maybe start by stating that Knative is an extension to the Kubernetes control plan that automates certain Kubernetes control mechanisms, offering a more abstracted service to users. Give some more information about what is a Knative service and what it encompass. Stating the association between users and namespaces, the association between resources and namespaces and between Knative serivces and namespaces.

Than, we can move to make some initial statmenet on the security model, e.g. that the security threat model includes attacks by malicious knative users, or by other Kubernetes users or by other unauthorized users on the Knative control plan, or on resources/services/namespaces that are not designated to them and.... (see what else we should say on this initial description of the threat model). Once we put all that in writing we can draw the line to say that the Knative Threat Model does not include.... attacks on the underlying Kubernetes system unless they are faciliated by Knative presence and our assumptions about the Kubernets following best practices. In this context we should say that it is Knative responsibility to ensure K~native services follow best practices by default but Knatiev may support user configurations which do not support best practices as long as user actively set them as such.... etc.

[evankanderson]

Thanks for the feedback! I've moved this to the first paragraph, to define the goals of the project. As this threat model aims to cover both serving and eventing, I'm not sure that defining what a Knative Service is (and not what Brokers, Triggers, Sources, etc are) makes sense here, rather than by linking to the existing component descriptions.

I added a sentence here to clarify what the namespace-as-a-service tenancy model means:

Each team (users in a namespace) should be isolated from affecting the
configuration, availability, or integrity of applications in other namespaces.

[davidhadas]

I made some changes to make it more specific to Knative, to start highlighting the threat model of Knative - beyond the one of K8s.

The main theme of this doc in my view is:

We extend the K8s control plan.
We have these actors and components (teams in namespaces etc., components in the control plans...).
Our control plan has Admin privileges and serves all teams

Threats:

1. There are threats that teams will attack the control plan.
2. There are threats that teams will attack each other
3. There are threats that others on the same cluster will attack the control plan.
4. There are threats that others on the same cluster will attack one of the teams (or its application)
5. There are threats that third party will attack the control plan
6. There are threats that third party will attack one of the teams (or its application)
   I think these are the 6 main bundles of threats to point out and analyze in some high level suitable for this doc.

[davidhadas]

Suggested change

	Knative aims to support application teams from a single organization working in
	Knative extends the Kubernetes control plan offering a more abstracted service to users. As such, the Knative threat model require protecting Knative specific control services as well as the underlying Kubernetes infrastructure.
	Knative aims to support application teams from a single organization working in

[davidhadas]

Suggested change

	resources within a common cluster, sharing control plane and node resources.
	resources within a common cluster, sharing both the Knative control plane, the underlying Kubernetes control plan and node resources.

[davidhadas]

Suggested change

	Each team (users in a namespace) should be isolated from affecting the
	Each team (users in a namespace) should be isolated and protected from intentional or unintentional misconduct by other teams using a different namespace; and by other users running in the same Kubernetes cluster; and by any third party. Knative users and any other user running on the same cluster should not be able to affect the Knative control plane, its

[davidhadas]

Suggested change

	configuration, availability, or integrity of applications in other namespaces.
	configuration, availability. They should also not be able to obtain private information of any of the Knative services other than their own, or affect the integrity of applications in other namespaces.