| Version | Supported |
|---|---|
| 0.1.x | β |
We take security issues seriously. If you discover a security vulnerability in this project, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please report vulnerabilities by emailing:
π§ [email protected]
Include the following in your report:
- Description β A clear description of the vulnerability
- Reproduction Steps β Step-by-step instructions to reproduce the issue
- Impact β What an attacker could achieve by exploiting this vulnerability
- Affected Component β Which component is affected (Controller, Webhook, Governance API)
- Environment β Kubernetes/OpenShift version, Go/Node.js version, and any relevant configuration
- Suggested Fix β If you have a recommendation (optional)
| Step | Timeline |
|---|---|
| Acknowledgment of your report | Within 48 hours |
| Initial assessment and triage | Within 5 business days |
| Status update on the fix | Within 10 business days |
| Security patch release | Dependent on severity |
| Severity | Description | Target Resolution |
|---|---|---|
| Critical | Remote code execution, privilege escalation to cluster-admin, SCC bypass allowing unrestricted pod creation | 72 hours |
| High | Authentication bypass, unauthorized SCC migration plan approval, audit log tampering | 7 days |
| Medium | Information disclosure of migration state, denial of service on governance API | 14 days |
| Low | Minor information leaks, non-exploitable edge cases | Next release |
- We follow coordinated vulnerability disclosure.
- We will work with you to understand and resolve the issue before any public disclosure.
- We request a 90-day disclosure window from the initial report.
- Credit will be given to reporters in the security advisory (unless anonymity is requested).
When deploying the SCC Orchestration System, follow these recommendations:
- Always use TLS for webhook communication β generate certificates using
scripts/generate-certs.sh - Rotate TLS certificates regularly
- Never commit certificates or private keys to version control
- Apply the principle of least privilege for all service accounts
- Use the provided RBAC manifests in
deploy/base/controller/anddeploy/base/webhook/ - Restrict access to the Governance API to authorized namespaces only
- All provided Dockerfiles run as non-root users (
distroless/static:nonrootfor Go,USER nodefor Node.js) - Do not override the
USERdirective in production - Use read-only root filesystems where possible
- Scan container images regularly for known CVEs
- Enable authentication on the Governance API in production environments
- Configure RBAC policies to restrict who can approve migration plans
- Audit logs are immutable β ensure persistent storage is configured
- Restrict network access between components using Kubernetes NetworkPolicies
- The Admission Webhook should only be reachable from the Kubernetes API server
- The Governance API should only be reachable from the Controller and Webhook
| Environment Variable | Component | Purpose |
|---|---|---|
TLS_CERT_FILE |
Webhook | Path to TLS certificate |
TLS_KEY_FILE |
Webhook | Path to TLS private key |
GOVERNANCE_API_URL |
Controller, Webhook | Governance API endpoint |
RBAC_ENABLED |
Governance API | Enable/disable RBAC enforcement |
AUDIT_LOG_ENABLED |
Governance API | Enable/disable audit logging |
- SCC Privilege Gap: The risk engine evaluates privilege escalation risk between source and target SCCs. High-risk migrations (e.g.,
restrictedβprivileged) require explicit governance approval. - Webhook Bypass: If the webhook becomes unavailable, Kubernetes
failurePolicy: Failensures pods are not admitted without SCC validation. Verify this setting indeploy/base/webhook/webhook-config.yaml. - Governance API Isolation: The governance plane runs as a separate service to prevent compromise of the policy engine from affecting cluster operations.