
Auto-refreshing Official CVE Feed

Open PushkarJ opened this issue 3 years ago • 42 comments

Enhancement Description

  • One-line enhancement description (can be used as a release note): Auto-refreshing official CVE feed
  • Slack thread about Code Freeze discussion: https://kubernetes.slack.com/archives/C2C40FMNF/p1659035059991979
  • Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-security/3203-auto-refreshing-official-cve-feed
  • Discussion Link: https://docs.google.com/document/d/1GgmmNYN88IZ2v2NBiO3gdU8Riomm0upge_XNVxEYXp0/edit#heading=h.ash02v8wrjia
  • Primary contact (assignee): @PushkarJ
  • Responsible SIGs: @kubernetes/sig-security
  • Tracking issue: https://github.com/kubernetes/sig-security/issues/1
  • Enhancement target (which target equals which milestone):
    • Alpha release target (x.y): 1.25
    • Beta release target (x.y): 1.27
    • Stable release target (x.y):
  • [x] Alpha
    • [x] KEP (k/enhancements) update PR(s): #3204
    • [x] Code (k/k) update PR(s): N/A
    • [x] Docs (k/website) update PR(s): https://github.com/kubernetes/website/pull/35228
    • [x] Org k/k8s.io PR(s): https://github.com/kubernetes/k8s.io/pull/4009
    • [x] Infra k/test-infra PR(s):
      • https://github.com/kubernetes/test-infra/pull/26896
      • https://github.com/kubernetes/test-infra/pull/26988
      • https://github.com/kubernetes/test-infra/pull/26990
    • [x] Security k/sig-security PR(s):
      • https://github.com/kubernetes/sig-security/pull/55
      • https://github.com/kubernetes/sig-security/pull/57
    • [x] Feature blog: https://github.com/kubernetes/website/pull/35608 and https://github.com/kubernetes/contributor-site/pull/330
  • [x] Beta
    • [X] KEP (k/enhancements) update PR(s): https://github.com/kubernetes/enhancements/pull/3828
    • [X] Code (k/k) update PR(s): N/A
    • [x] Docs (k/website) update(s):
      • https://github.com/kubernetes/website/pull/38579
      • https://github.com/kubernetes/website/pull/39513
      • https://github.com/kubernetes/website/pull/39727
    • [X] Security k/sig-security PR(s):
      • https://github.com/kubernetes/sig-security/pull/76
      • https://github.com/kubernetes/sig-security/pull/75
      • https://github.com/kubernetes/sig-security/pull/83
    • [x] Feature blog PR: https://github.com/kubernetes/website/pull/39644

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

PushkarJ avatar Feb 01 '22 22:02 PushkarJ

/sig security docs

PushkarJ avatar Feb 01 '22 22:02 PushkarJ

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar May 02 '22 23:05 k8s-triage-robot

/remove-lifecycle stale

PushkarJ avatar May 02 '22 23:05 PushkarJ

Hello @PushkarJ, @nehaLohia27 👋, 1.25 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022.

For note, this enhancement is targeting stage alpha for 1.25 (correct me if otherwise).

Here's where this enhancement currently stands:

  • [ ] KEP file using the latest template has been merged into the k/enhancements repo.
  • [ ] KEP status is marked as implementable
  • [ ] KEP has an updated detailed test plan section filled out
  • [ ] KEP has up to date graduation criteria
  • [ ] KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need to update the open PR https://github.com/kubernetes/enhancements/pull/3204/ with the following:

  • Update the kep.yaml file to reflect the latest milestone information
  • Please update the Test plan section, so that it incorporates the updated detailed test plan section requirements
  • Please update the Graduation criteria section with appropriate details.

For note, the status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

jasonbraganza avatar Jun 13 '22 12:06 jasonbraganza

Thank you for the detailed feedback @jasonbraganza. I believe the latest updates to PR #3204 should resolve the pending items. Please let us know if anything else is missing!

PushkarJ avatar Jun 16 '22 04:06 PushkarJ

Thank you so much, @PushkarJ! I'll update the KEP in our enhancements sheet to tracked.

jasonbraganza avatar Jun 16 '22 11:06 jasonbraganza

Hi @PushkarJ, Enhancements team here again 👋

Checking in as we approach Code Freeze at 01:00 UTC on Wednesday, 3rd August 2022.

Please ensure that the following items are completed before the code-freeze:

  • [ ] All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • [ ] All PRs are fully merged by the code freeze deadline.

Currently, the status of the enhancement is marked as at-risk

Thanks :)

Atharva-Shinde avatar Jul 25 '22 15:07 Atharva-Shinde

Thanks for the reminder @Atharva-Shinde. Added all the relevant PRs in the issue description now :)

PushkarJ avatar Jul 26 '22 04:07 PushkarJ

The relevant PRs against this KEP:

  • Docs (k/website) update PR(s): https://github.com/kubernetes/website/pull/35228
  • Org k/k8s.io PR(s): https://github.com/kubernetes/k8s.io/pull/4009
  • Infra k/test-infra PR(s): https://github.com/kubernetes/test-infra/pull/26896

For tracking purposes. cc @Priyankasaggu11929

cici37 avatar Jul 28 '22 19:07 cici37

@PushkarJ I have marked this enhancement as tracked. 🙂

Priyankasaggu11929 avatar Jul 29 '22 11:07 Priyankasaggu11929

Thank you @Priyankasaggu11929 and @cici37

PushkarJ avatar Jul 29 '22 16:07 PushkarJ

@Priyankasaggu11929 @cici37 all PRs except https://github.com/kubernetes/website/pull/35228 are now merged!!!

PushkarJ avatar Aug 02 '22 19:08 PushkarJ

All PRs are merged! Working on feature blog now: https://github.com/kubernetes/website/pull/35608

PushkarJ avatar Aug 08 '22 21:08 PushkarJ

✨ Kubernetes v1.25 is live ✨

What that means is that the official CVE feed built as part of KEP-3203 is live too. You can find it here:

  • Markdown: https://kubernetes.io/docs/reference/issues-security/official-cve-feed
  • JSON: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/index.json

Upcoming blog posts to be published on Sept 12 will cover more details.

PushkarJ avatar Aug 23 '22 22:08 PushkarJ

/stage beta

PushkarJ avatar Feb 02 '23 22:02 PushkarJ

/milestone v1.27

jeremyrickard avatar Feb 03 '23 00:02 jeremyrickard

Hello @PushkarJ 👋, Enhancements team here.

Just checking in as we approach Enhancements freeze on 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting stage beta for 1.27 (correct me if otherwise).

Here's where this enhancement currently stands:

  • [ ] KEP readme using the latest template has been merged into the k/enhancements repo.
  • [X] KEP status is marked as implementable for latest-milestone: 1.27
  • [ ] KEP readme has an updated detailed test plan section filled out
  • [X] KEP readme has up to date graduation criteria
  • [ ] KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would just need to update the following:

  • Update its test plan section to be in compliance with the latest KEP readme template
  • Add response for this question in the Scalability questionnaire of the KEP readme

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

Atharva-Shinde avatar Feb 06 '23 17:02 Atharva-Shinde

@Atharva-Shinde thank you for the highlight on next steps. The test plan updates and the scalability question won't apply here, as this is an out-of-tree enhancement, i.e. we are not making changes to k/k.

I am working on addressing the others as part of https://github.com/kubernetes/enhancements/pull/3828. Let me know if this PR needs any update to conform with the latest template of the README.

PushkarJ avatar Feb 08 '23 03:02 PushkarJ

Hey again @PushkarJ. Please try to get the KEP PR #3828 (addressing the changes required) merged before tomorrow's Enhancement Freeze :) The status of this enhancement is still marked as at risk.

Atharva-Shinde avatar Feb 08 '23 18:02 Atharva-Shinde

@Atharva-Shinde thank you for the highlight on next steps. The test plan updates and the scalability question won't apply here, as this is an out-of-tree enhancement, i.e. we are not making changes to k/k.

I am working on addressing the others as part of https://github.com/kubernetes/enhancements/pull/3828. Let me know if this PR needs any update to conform with the latest template of the README.

ack 👍

Atharva-Shinde avatar Feb 08 '23 18:02 Atharva-Shinde

With #3828 merged, this enhancement meets all the requirements to be tracked for v1.27. Thanks @PushkarJ!

marosset avatar Feb 10 '23 00:02 marosset

💭 we can - if we're sure we want to - publish our advisories to https://github.com/kubernetes/kubernetes/security/advisories

it's not as simple because we have lots of repos but only one official CVE ID list.

sftim avatar Feb 21 '23 10:02 sftim

The CVE feed is now a valid JSON feed. See https://kubernetes.io/docs/reference/issues-security/official-cve-feed/

sftim avatar Feb 27 '23 17:02 sftim

Yes @sftim!! Big 👍 to @mtardy

To clarify, the feed was valid JSON before too, but it didn't conform to the JSON Feed spec.

Now it is indeed valid: https://validator.jsonfeed.org/?url=https%3A%2F%2Fkubernetes.io%2Fdocs%2Freference%2Fissues-security%2Fofficial-cve-feed%2Findex.json

PushkarJ avatar Feb 27 '23 17:02 PushkarJ
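Added example, not part of KEP-3203 or of the kubernetes/website tooling: a small Python checker that makes the distinction drawn above concrete by separating "valid JSON" from "a conforming JSON Feed". It tests the spec's required fields (top-level `version`, `title` and `items`; per item a unique string `id` plus `content_html` or `content_text`), then pulls CVE identifiers out of the items the way a feed consumer such as a vulnerability-management pipeline would. Both input documents are constructed for this example (the CVE numbers are placeholders) and do not claim to reproduce the real feed's item layout; the two `version` URLs are the ones the JSON Feed spec defines.

```python
"""Added example (not KEP-3203 code): tell a conforming JSON Feed apart from
merely valid JSON, then extract CVE ids. Sample feeds below are constructed."""
import json
import re
from typing import Any

# Version URLs defined by the JSON Feed spec (1.0 and 1.1).
JSONFEED_VERSIONS = {
    "https://jsonfeed.org/version/1",
    "https://jsonfeed.org/version/1.1",
}
# Loose pattern for CVE ids inside free text; the sequence part has 4+ digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def validate_jsonfeed(feed: Any) -> list[str]:
    """Return a list of JSON Feed spec violations; an empty list means conforming.

    Only the required fields are checked: 'version', 'title' and 'items' at the
    top level; a unique non-empty string 'id' and at least one of
    'content_html'/'content_text' per item.
    """
    if not isinstance(feed, dict):
        return ["document is not a JSON object"]
    problems: list[str] = []
    if feed.get("version") not in JSONFEED_VERSIONS:
        problems.append(f"'version' must be a JSON Feed version URL, got {feed.get('version')!r}")
    if not isinstance(feed.get("title"), str):
        problems.append("'title' must be a string")
    items = feed.get("items")
    if not isinstance(items, list):
        problems.append("'items' must be an array")
        return problems
    seen: set[str] = set()
    for i, item in enumerate(items):
        if not isinstance(item, dict):
            problems.append(f"items[{i}] is not an object")
            continue
        item_id = item.get("id")
        if not isinstance(item_id, str) or not item_id:
            problems.append(f"items[{i}] lacks a non-empty string 'id'")
        elif item_id in seen:
            problems.append(f"items[{i}] repeats id {item_id!r}")
        else:
            seen.add(item_id)
        if not any(isinstance(item.get(k), str) for k in ("content_html", "content_text")):
            problems.append(f"items[{i}] needs 'content_html' or 'content_text'")
    return problems


def extract_cves(feed: dict[str, Any]) -> list[str]:
    """Collect CVE ids from each item's id, title, summary and plain-text content."""
    found: set[str] = set()
    for item in feed.get("items", []):
        if not isinstance(item, dict):
            continue
        for key in ("id", "title", "summary", "content_text"):
            value = item.get(key)
            if isinstance(value, str):
                found.update(CVE_RE.findall(value))
    return sorted(found)


# Constructed sample: valid JSON, but not a JSON Feed (no version/title/items).
PLAIN_JSON = json.dumps({"cves": ["CVE-0000-00001", "CVE-0000-00002"]})

# Constructed sample that conforms to JSON Feed 1.1; CVE numbers are placeholders.
FEED_JSON = json.dumps({
    "version": "https://jsonfeed.org/version/1.1",
    "title": "Example CVE feed (constructed)",
    "items": [
        {"id": "CVE-0000-00001", "title": "CVE-0000-00001: example issue",
         "content_text": "Placeholder advisory text.",
         "date_published": "2023-02-27T00:00:00Z"},
        {"id": "CVE-0000-00002",
         "summary": "Fixes for CVE-0000-00002 and CVE-0000-00003",
         "content_html": "<p>Placeholder.</p>"},
    ],
})


def check(raw: str) -> tuple[list[str], list[str]]:
    """Parse raw JSON and return (spec problems, CVE ids); non-JSON raises ValueError."""
    feed = json.loads(raw)
    problems = validate_jsonfeed(feed)
    return problems, (extract_cves(feed) if not problems else [])


if __name__ == "__main__":
    for label, raw in (("plain JSON", PLAIN_JSON), ("JSON Feed", FEED_JSON)):
        problems, cves = check(raw)
        print(label, "->", "conforms" if not problems else problems, cves)
```

A consumer that only does `json.loads` accepts both documents; only the second passes `validate_jsonfeed`, which is the property the JSON Feed validator linked below checks. Rejecting a feed that fails the required-field check, rather than silently reading an empty item list, keeps a pipeline from reporting "no new CVEs" when the upstream format has changed.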

Hey again @PushkarJ 👋 Enhancements team here.

Just checking in as we approach 1.27 code freeze at 17:00 PDT on Tuesday 14th March 2023. As this is an out-of-tree enhancement, please ensure that all the PRs related to this KEP are linked in the issue description.

And as always, we are here to help if any questions come up. Thanks!

Atharva-Shinde avatar Mar 13 '23 17:03 Atharva-Shinde

Thank you @Atharva-Shinde. Updated the description to include all relevant PRs.

PushkarJ avatar Mar 14 '23 23:03 PushkarJ

@PushkarJ was there a Docs PR opened against dev-1.27 branch in the k/website repo?

If not, please take a look at Documenting for a release - PR Ready for Review to get your PR ready for review as soon as possible. 01:00 UTC Wednesday 22nd March 2023 / 17:00 PDT Tuesday 21st March 2023 is the official deadline.

This PR will need a doc review by Tuesday 4th April 2023 to get this into the release. Please reach out to required SIGs to get their review. Thank you!

mickeyboxell avatar Mar 21 '23 03:03 mickeyboxell

As discussed in Slack, this does not need a 1.27 Docs PR because its Docs PRs are targeted to master / main branch.

mickeyboxell avatar Mar 21 '23 19:03 mickeyboxell

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jan 20 '24 07:01 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Feb 19 '24 08:02 k8s-triage-robot