|
| 1 | +--- |
| 2 | +layout: blog |
| 3 | +title: Announcing the Auto-refreshing Official Kubernetes CVE Feed |
| 4 | +date: 2022-09-12 |
| 5 | +slug: k8s-cve-feed-alpha |
| 6 | +--- |
| 7 | + |
| 8 | +**Author**: Pushkar Joglekar (VMware) |
| 9 | + |
| 10 | +A long-standing request from the Kubernetes community has been to have a |
| 11 | +programmatic way for end users to keep track of Kubernetes security issues |
| 12 | +(CVEs, named after the database that tracks public security issues across |
| 13 | +different products and vendors). Accompanying the release of Kubernetes v1.25, |
| 14 | +we are excited to announce availability of such |
| 15 | +a [feed](docs/reference/issues-security/official-cve-feed/) as an `alpha` |
| 16 | +feature. This blog will cover the background, scope and details on how this |
| 17 | +feature was implemented. |
| 18 | + |
| 19 | +## Motivation |
| 20 | + |
| 21 | +With the growing number of eyes on Kubernetes, the number of CVEs related to |
| 22 | +Kubernetes have increased. Although most CVEs that directly, indirectly, or |
| 23 | +transitively impact Kubernetes are regularly fixed, there is no single place for |
| 24 | +the end users of Kubernetes to programmatically subscribe or pull the data of |
| 25 | +fixed CVEs. Current options are either broken or incomplete. |
| 26 | + |
| 27 | +## Scope |
| 28 | + |
| 29 | +### Goals |
| 30 | + |
| 31 | +Create a periodically auto-refreshing, human and machine-readable list of |
| 32 | +official Kubernetes CVEs |
| 33 | + |
| 34 | +### Non-Goals |
| 35 | + |
| 36 | +* Triage and vulnerability disclosure will continue to be done by SRC (Security |
| 37 | + Response Committee). |
| 38 | +* Listing CVEs that are identified in build time dependencies and container |
| 39 | + images are out of scope. |
| 40 | +* Only official CVEs announced by the Kubernetes SRC will be published in the |
| 41 | + feed. |
| 42 | + |
| 43 | +### Personas and User stories |
| 44 | + |
| 45 | +* **End Users**: Persons or teams who _use_ Kubernetes to deploy applications |
| 46 | + they own |
| 47 | +* **Platform Providers**: Persons or teams who _manage_ Kubernetes clusters |
| 48 | +* **Maintainers**: Persons or teams who _create_ and _support_ Kubernetes |
| 49 | + releases through their work in Kubernetes Community - via various Special |
| 50 | + Interest Groups and Committees. |
| 51 | + |
| 52 | +## Implementation Details |
| 53 | + |
| 54 | +A supporting |
| 55 | +[contributor blog](https://kubernetes.dev/blog/2022/09/12/k8s-cve-feed-alpha/) |
| 56 | +was published that describes in depth on how this CVE feed was implemented to |
| 57 | +ensure the feed was reasonably protected against tampering and was automatically |
| 58 | +updated after a new CVE was announced. |
| 59 | + |
| 60 | +## What's Next? |
| 61 | + |
| 62 | +As we move towards graduation of this feature from alpha to beta, SIG Security |
| 63 | +are gathering feedback from end users who are using this alpha feed. |
| 64 | + |
| 65 | +So in order to improve the feed in future Kubernetes Releases, if you have any |
| 66 | +feedback, please let us know by adding a comment to |
| 67 | +this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or |
| 68 | +let us know on |
| 69 | +[#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY) Kubernetes Slack channel. |
| 70 | +(Request an invite here to join: https://communityinviter.com/apps/kubernetes/community) |
| 71 | + |
| 72 | +_A special shout out and massive thanks to Neha Lohia |
| 73 | +[(@nehalohia27)](https://github.com/nehalohia27) and Tim Bannister [(@sftim)](https://github.com/sftim) for their stellar collaboration for |
| 74 | +many months from "ideation to implementation" of this feature._ |
0 commit comments