Author : Pushkar Joglekar (VMware)
A long-standing request from the Kubernetes community has been to have a programmatic way for end users to keep track of Kubernetes security issues (also called "CVEs", after the database that tracks public security issues across different products and vendors). Accompanying the release of Kubernetes v1.25, we are excited to announce the availability of such a feed as an alpha feature. This blog post covers the background and scope of this new service.
With the growing number of eyes on Kubernetes, the number of CVEs related to Kubernetes has increased. Although most CVEs that directly, indirectly, or transitively impact Kubernetes are regularly fixed, there is no single place for end users of Kubernetes to programmatically subscribe to or pull the data on fixed CVEs. Current options are either broken or incomplete.
The goal of this feature is to create a periodically auto-refreshing, human- and machine-readable list of official Kubernetes CVEs.
The feed has some explicit non-goals:
- Triage and vulnerability disclosure will continue to be done by the SRC (Security Response Committee).
- Listing CVEs identified in build-time dependencies and container images is out of scope.
- Only official CVEs announced by the Kubernetes SRC will be published in the feed.
The feed is intended for three personas:
- End Users: persons or teams who use Kubernetes to deploy applications they own.
- Platform Providers: persons or teams who manage Kubernetes clusters.
- Maintainers: persons or teams who create and support Kubernetes releases through their work in the Kubernetes community, via various Special Interest Groups and Committees.
In order to graduate this feature, SIG Security is gathering feedback from end users who are using this alpha feed.
To help improve the feed in future Kubernetes releases, please share any feedback by adding a comment to this tracking issue or by letting us know in the #sig-security-tooling Kubernetes Slack channel (join Kubernetes Slack here).