Commit
[Feature Blog] Auto-refreshing Official CVE Feed - Alpha
- Covers scope, goals, non-goals and personas - Links to feature page and supporting contributor blog
Showing 1 changed file with 74 additions and 0 deletions.
...log/_posts/2022-09-12-Announcing-the-Auto-Refreshing-Official-CVE-Feed/index.md
@@ -0,0 +1,74 @@ | ||
--- | ||
layout: blog | ||
title: Announcing the Auto-refreshing Official Kubernetes CVE Feed | ||
date: 2022-09-12 | ||
slug: k8s-cve-feed-alpha | ||
--- | ||
|
||
**Author**: Pushkar Joglekar (VMware) | ||
|
||
A long-standing request from the Kubernetes community has been to have a | ||
programmatic way for end users to keep track of Kubernetes security issues | ||
(CVEs, named after the database that tracks public security issues across | ||
different products and vendors). Accompanying the release of Kubernetes v1.25, | ||
we are excited to announce availability of such | ||
a [feed](docs/reference/issues-security/official-cve-feed/) as an `alpha` | ||
feature. This blog will cover the background, scope and details on how this | ||
feature was implemented. | ||
|
||
## Motivation | ||
|
||
With the growing number of eyes on Kubernetes, the number of CVEs related to | ||
Kubernetes have increased. Although most CVEs that directly, indirectly, or | ||
transitively impact Kubernetes are regularly fixed, there is no single place for | ||
the end users of Kubernetes to programmatically subscribe or pull the data of | ||
fixed CVEs. Current options are either broken or incomplete. | ||
|
||
## Scope | ||
|
||
### Goals | ||
|
||
Create a periodically auto-refreshing, human and machine-readable list of | ||
official Kubernetes CVEs | ||
|
||
### Non-Goals | ||
|
||
* Triage and vulnerability disclosure will continue to be done by SRC (Security | ||
Response Committee). | ||
* Listing CVEs that are identified in build time dependencies and container | ||
images are out of scope. | ||
* Only official CVEs announced by the Kubernetes SRC will be published in the | ||
feed. | ||
|
||
### Personas and User stories | ||
|
||
* **End Users**: Persons or teams who _use_ Kubernetes to deploy applications | ||
they own | ||
* **Platform Providers**: Persons or teams who _manage_ Kubernetes clusters | ||
* **Maintainers**: Persons or teams who _create_ and _support_ Kubernetes | ||
releases through their work in Kubernetes Community - via various Special | ||
Interest Groups and Committees. | ||
|
||
## Implementation Details | ||
|
||
A supporting | ||
[contributor blog](https://kubernetes.dev/blog/2022/09/12/k8s-cve-feed-alpha/) | ||
was published that describes in depth on how this CVE feed was implemented to | ||
ensure the feed was reasonably protected against tampering and was automatically | ||
updated after a new CVE was announced. | ||
|
||
## What's Next? | ||
|
||
As we move towards graduation of this feature from alpha to beta, SIG Security | ||
are gathering feedback from end users who are using this alpha feed. | ||
|
||
So in order to improve the feed in future Kubernetes Releases, if you have any | ||
feedback, please let us know by adding a comment to | ||
this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or | ||
let us know on | ||
[#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY) Kubernetes Slack channel. | ||
(Request an invite here to join: https://communityinviter.com/apps/kubernetes/community) | ||
|
||
_A special shout out and massive thanks to Neha Lohia | ||
[(@nehalohia27)](https://github.com/nehalohia27) and Tim Bannister [(@sftim)](https://github.com/sftim) for their stellar collaboration for | ||
many months from "ideation to implementation" of this feature._ |
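Review bot: the feed link in `a [feed](docs/reference/issues-security/official-cve-feed/) as an `alpha`` is a path relative to the post's own URL rather than to the site root, so it only resolves if the post happens to be served from the root; make it root-relative, `/docs/reference/issues-security/official-cve-feed/`, the way the other site paths in this file are written. Two grammar fixes in the same hunk: "the number of CVEs related to Kubernetes have increased" should read "has increased", and "Listing CVEs that are identified in build time dependencies and container images are out of scope" should read "is out of scope". As a style point, the first Non-Goals bullet ("Triage and vulnerability disclosure will continue to be done by SRC") is phrased as a statement of ownership rather than as a non-goal; rewording it to parallel the other two bullets, for example "Triage and vulnerability disclosure (these remain with the Security Response Committee)", would make the list read consistently.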