Open PushkarJ opened 2 years ago
/sig security docs
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle stale
/lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
Hello @PushkarJ, @nehaLohia27 👋, 1.25 Enhancements team here.
Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022.
For note, this enhancement is targeting for stage alpha for 1.25 (correct me, if otherwise)
Here's where this enhancement currently stands:
implementable
Looks like for this one, we would need to update the open PR https://github.com/kubernetes/enhancements/pull/3204/ with the following:
kep.yaml file to reflect the latest milestone information
Test plan section, so that it incorporates the updated detailed test plan section requirements
Graduation criteria section with appropriate details.
For note, the status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!
Thank you for the detailed feedback @jasonbraganza . I believe the latest updates to PR #3204 should resolve the pending items. Please let us know if anything else is missing!
Thank you so much, @PushkarJ! I’ll update the KEP in our enhancements sheet to tracked
Hi @PushkarJ, Enhancements team here again 👋
Checking in as we approach Code Freeze at 01:00 UTC on Wednesday, 3rd August 2022.
Please ensure that the following items are completed before the code-freeze:
Currently, the status of the enhancement is marked as at-risk
Thanks :)
Thanks for the reminder @Atharva-Shinde. Added all the relevant PRs in the issue description now :)
The relevant PRs against this KEP:
(k/website) update PR(s): https://github.com/kubernetes/website/pull/35228
k/k8s.io PR(s): https://github.com/kubernetes/k8s.io/pull/4009 and
k/test-infra PR(s): https://github.com/kubernetes/test-infra/pull/26896
For tracking purpose. cc @Priyankasaggu11929 @PushkarJ I have marked this enhancement as tracked. 🙂
Thank you @Priyankasaggu11929 and @cici37
@Priyankasaggu11929 @cici37 all PRs except https://github.com/kubernetes/website/pull/35228 are now merged !!!
All PRs are merged! Working on feature blog now: https://github.com/kubernetes/website/pull/35608
:sparkles: Kubernetes v1.25 is live :sparkles:
What that means is that the official CVE feed built as part of KEP-3203 is live too. You can find it here:
Upcoming blog posts to be published on Sept 12 will cover more details
/stage beta
/milestone v1.27
Hello @PushkarJ 👋, Enhancements team here.
Just checking in as we approach Enhancements freeze on 18:00 PDT Thursday 9th February 2023.
This enhancement is targeting for stage beta for 1.27 (correct me, if otherwise)
Here's where this enhancement currently stands:
implementable for latest-milestone: 1.27
For this KEP, we would just need to update the following:
Update its test plan section to be in compliance with the latest KEP readme template
Add response for this question in the Scalability questionnaire of the KEP readme
The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!
@Atharva-Shinde thank you for the highlight on next steps. The testplan updates and the scalability question won't apply here as this is an out of tree enhancement, i.e. we are not making changes to k/k.
I am working on addressing others as part of https://github.com/kubernetes/enhancements/pull/3828. Let me know if this PR needs any update to conform with latest template of README.
Hey again @PushkarJ
Please try to get the KEP PR #3828 (addressing the changes required), merged before tomorrow's Enhancement Freeze :)
The status of this enhancement is still marked as at risk
ack 👍
With #3828 merged, this enhancement meets all the requirements to be tracked for v1.27. Thanks @PushkarJ!
:thought_balloon: we can - if we're sure we want to - publish our advisories to https://github.com/kubernetes/kubernetes/security/advisories
it's not as simple because we have lots of repos but only one official CVE ID list.
The CVE feed is now a valid JSON feed. See https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
Yes @sftim !! Big 👍 to @mtardy
To clarify the feed was a valid JSON before too but didn't conform to JSONFeed Spec.
Now it is indeed valid: https://validator.jsonfeed.org/?url=https%3A%2F%2Fkubernetes.io%2Fdocs%2Freference%2Fissues-security%2Fofficial-cve-feed%2Findex.json
Hey again @PushkarJ 👋 Enhancements team here, Just checking in as we approach 1.27 code freeze at 17:00 PDT on Tuesday 14th March 2023. As this is an out of tree enhancement please ensure that all the PRs related to this KEP are linked in the Issue description. And as always, we are here to help if any questions come up. Thanks!
Thank you @Atharva-Shinde. Updated the description to include all relevant PRs.
@PushkarJ was there a Docs PR opened against dev-1.27 branch in the k/website repo?
If not, please take a look at Documenting for a release - PR Ready for Review to get your PR ready for review as soon as possible. 01:00 UTC Wednesday 22nd March 2023 / 17:00 PDT Tuesday 21st March 2023 is the official deadline.
This PR will need a doc review by Tuesday 4th April 2023 to get this into the release. Please reach out to required SIGs to get their review. Thank you!
As discussed in Slack, this does not need a 1.27 Docs PR because its Docs PRs are targeted to master / main branch.
/lifecycle stale
/lifecycle rotten
/remove-lifecycle rotten
What should be in scope for the CVE feed? See https://github.com/kubernetes/website/issues/45576 for context.
Do we list all vulnerabilities, or just the ones that are vulnerabilities in k/k?
Thanks @sftim, I have added this in scope for beta -> GA graduation. More intuitive path right now to me seems to be that SIG Security Tooling maintainers create a duplicate issue in k/k with the right labels linking the one created by SRC. I have proposed it in https://github.com/kubernetes/kubernetes/issues/123964#issuecomment-2119316156 to get feedback from SRC on this.
/lifecycle stale
/lifecycle rotten
/remove-lifecycle rotten
/lifecycle stale
We should progress this (or drop the existing feed :grimacing:)
/lifecycle rotten
/remove-lifecycle rotten
Enhancement Description
(k/enhancements) update PR(s): #3204
(k/k) update PR(s): N/A
(k/website) update PR(s): https://github.com/kubernetes/website/pull/35228
k/k8s.io PR(s): https://github.com/kubernetes/k8s.io/pull/4009
k/test-infra PR(s):
k/sig-security PR(s):
(k/enhancements) update PR(s): https://github.com/kubernetes/enhancements/pull/3828
(k/k) update PR(s): N/A
(k/website) update(s):
k/sig-security PR(s):
Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.