potiuk opened a new pull request, #841:
URL: https://github.com/apache/solr-operator/pull/841

   **This is a proposal for the Solr PMC to review — please correct, reject, or 
discuss as needed.** The maintainers are the decision-makers; nothing here is a 
requirement.
   
   This adds a **v0 draft threat model** (`THREAT_MODEL.md`) for the Solr 
Operator plus the conventional `AGENTS.md → SECURITY.md → THREAT_MODEL.md` 
discoverability chain, so an automated agentic security scanner can 
mechanically find the project's security model.
   
   **Context.** The ASF Security team is preparing Apache Solr's repositories 
for an automated agentic security scan. Discoverability (the scanner being able 
to follow `AGENTS.md → SECURITY.md → model`) is the one hard gate — without it 
a scan can't run. The Solr *search server* (`apache/solr`) already has its 
model merged; this PR is the equivalent for the **operator**, whose attack 
surface is entirely different (a privileged Kubernetes controller, not a search 
engine). The model cross-references `apache/solr`'s `THREAT_MODEL.md` for 
everything on the managed-Solr side.
   
   **This is a v0 draft — mostly `*(inferred)*`.** The Security team drafted it 
from the repo's own public artefacts (CRD types, the operator `ClusterRole`, 
`main.go` flag defaults, the Helm values, the auth/TLS docs) using the 
[`threat-model-producer`](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573)
 rubric. Every claim carries a provenance tag; every `*(inferred)*` tag routes 
to a matching question in **§14 Open questions**. The fastest way to review is 
to **react** to §14 (a one-line confirm / correct / strike per question) rather 
than compose from scratch — we then fold your answers in and the tags become 
`*(maintainer)*`.
   
   A few concrete things the draft flags for your confirmation (all §14): the 
all-namespaces watch + cluster-wide `ClusterRole` default; 
`tls-skip-verify-server=true` (operator→Solr cert verification off by default); 
the bootstrap `security.json` passwords being generated with `math/rand` rather 
than `crypto/rand`; and the confused-deputy surface where a namespace tenant's 
CR fields drive the privileged operator. These are proposed dispositions, not 
assertions — your call.
   
   **Scope note:** the Solr Operator was one of the repos flagged for scope 
confirmation in the scan enrollment. If the PMC would rather **not** include 
the operator in this cycle, just close the PR and we'll drop it — no problem. 
If you'd rather own the model yourselves, close it and we'll wait.
   
   Questions / pushback welcome. Happy to adjust structure, file placement, or 
wording to match project house style.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to