|
| 1 | +--- |
| 2 | +layout: blog |
| 3 | +title: Announcing the Auto-refreshing Official Kubernetes CVE Feed |
| 4 | +date: 2022-09-12 |
| 5 | +slug: k8s-cve-feed-alpha |
| 6 | +--- |
| 7 | + |
| 8 | +**Author**: Pushkar Joglekar (VMware) |
| 9 | + |
| 10 | +A long-standing request from the Kubernetes community has been to have a |
| 11 | +programmatic way for end users to keep track of Kubernetes security issues |
| 12 | +(also called "CVEs", after the database that tracks public security issues across |
| 13 | +different products and vendors). Accompanying the release of Kubernetes v1.25, |
| 14 | +we are excited to announce availability of such |
| 15 | +a [feed](/docs/reference/issues-security/official-cve-feed/) as an `alpha` |
| 16 | +feature. This blog will cover the background and scope of this new service. |
| 17 | + |
| 18 | +## Motivation |
| 19 | + |
| 20 | +With the growing number of eyes on Kubernetes, the number of CVEs related to |
| 21 | +Kubernetes have increased. Although most CVEs that directly, indirectly, or |
| 22 | +transitively impact Kubernetes are regularly fixed, there is no single place for |
| 23 | +the end users of Kubernetes to programmatically subscribe or pull the data of |
| 24 | +fixed CVEs. Current options are either broken or incomplete. |
| 25 | + |
| 26 | +## Scope |
| 27 | + |
| 28 | +### What This Does |
| 29 | + |
| 30 | +Create a periodically auto-refreshing, human and machine-readable list of |
| 31 | +official Kubernetes CVEs |
| 32 | + |
| 33 | +### What This Doesn't Do |
| 34 | + |
| 35 | +* Triage and vulnerability disclosure will continue to be done by SRC (Security |
| 36 | + Response Committee). |
| 37 | +* Listing CVEs that are identified in build time dependencies and container |
| 38 | + images are out of scope. |
| 39 | +* Only official CVEs announced by the Kubernetes SRC will be published in the |
| 40 | + feed. |
| 41 | + |
| 42 | +### Who It's For |
| 43 | + |
| 44 | +* **End Users**: Persons or teams who _use_ Kubernetes to deploy applications |
| 45 | + they own |
| 46 | +* **Platform Providers**: Persons or teams who _manage_ Kubernetes clusters |
| 47 | +* **Maintainers**: Persons or teams who _create_ and _support_ Kubernetes |
| 48 | + releases through their work in Kubernetes Community - via various Special |
| 49 | + Interest Groups and Committees. |
| 50 | + |
| 51 | +## Implementation Details |
| 52 | + |
| 53 | +A supporting |
| 54 | +[contributor blog](https://kubernetes.dev/blog/2022/09/12/k8s-cve-feed-alpha/) |
| 55 | +was published that describes in depth on how this CVE feed was implemented to |
| 56 | +ensure the feed was reasonably protected against tampering and was automatically |
| 57 | +updated after a new CVE was announced. |
| 58 | + |
| 59 | +## What's Next? |
| 60 | + |
| 61 | +In order to graduate this feature, SIG Security |
| 62 | +is gathering feedback from end users who are using this alpha feed. |
| 63 | + |
| 64 | +So in order to improve the feed in future Kubernetes Releases, if you have any |
| 65 | +feedback, please let us know by adding a comment to |
| 66 | +this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or |
| 67 | +let us know on |
| 68 | +[#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY) |
| 69 | +Kubernetes Slack channel. |
| 70 | +(Join [Kubernetes Slack here](https://slack.k8s.io)) |
| 71 | + |
| 72 | +_A special shout out and massive thanks to Neha Lohia |
| 73 | +[(@nehalohia27)](https://github.com/nehalohia27) and Tim |
| 74 | +Bannister [(@sftim)](https://github.com/sftim) for their stellar collaboration |
| 75 | +for many months from "ideation to implementation" of this feature._ |
0 commit comments