Blog: Implementing the Auto-refreshing Official Kubernetes CVE Feed

Link
2022-09-12 ~1 min read www.kubernetes.dev #kubernetes #community

⚡ TL;DR

Author: Pushkar Joglekar (VMware). Accompanying the release of Kubernetes v1.25, we announced availability of an official CVE feed as an alpha feature. This blog will cover how we implemented this feature. Sections: Implementation Details; Pre-requisites; Building on existing tooling; Design Considerations; Integrity and Access Control Protections; Freshness Guarantees; What's Next?

📝 Summary

An auto-refreshing CVE feed allows users and implementers to programmatically fetch the list of CVEs announced by the Kubernetes Security Response Committee (SRC). To ensure freshness and minimal maintainer overhead, the feed updates automatically by fetching the CVE related information from the CVE announcement GitHub Issues. Creating these issues is already part of the existing SRC workflow.

Until December 2021, it was not possible to filter for issues or PRs that are tied to CVEs announced by the Kubernetes SRC. We added a new label, official-cve-feed, to address that, and SIG-Security labelled the relevant issues with it. The in-scope issues are closed issues that have one or more CVE IDs and are officially announced as a Kubernetes security vulnerability by the SRC. You can now filter on the official-cve-feed label to find all of these issues. For future security vulnerabilities, we added the label to the SRC playbook so that all future in-scope issues will automatically carry it.

For the next step, we created a prow job that periodically queries the GitHub REST API and pulls the relevant issues. The job runs every two hours and pushes the CVE related information fetched from GitHub into a Google Cloud Storage bucket.
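To make the label filter and the periodic pull concrete, here is an added example; it is not the project's own code and does not come from the post. It builds the GitHub REST API listing query for closed issues carrying the official-cve-feed label, reduces the returned issues to feed entries using the in-scope rule described above (closed, labelled, an issue rather than a PR, and carrying at least one CVE ID), and serializes what a periodic job would write to the bucket. The repository name kubernetes/kubernetes, the function names, the JSON layout of the output, and the sample issues with placeholder CVE IDs are assumptions made for this example; the live fetch function is included for completeness but is not needed to run it offline.

```python
"""Added example (not the project's code): query shape and issue-to-feed
transformation for a label-driven CVE feed. Runs offline on constructed data."""
import json
import re
import urllib.parse
import urllib.request
from typing import Optional

GITHUB_API = "https://api.github.com"
# Assumptions for this example: the repository in which the SRC files its
# announcement issues, and the label the post describes.
REPO = "kubernetes/kubernetes"
LABEL = "official-cve-feed"
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def issues_url(page: int = 1, repo: str = REPO, label: str = LABEL) -> str:
    """GitHub REST listing endpoint with the two filters the feed relies on:
    the official-cve-feed label and closed state. Results are paginated."""
    query = urllib.parse.urlencode(
        {"labels": label, "state": "closed", "per_page": 100, "page": page}
    )
    return f"{GITHUB_API}/repos/{repo}/issues?{query}"


def fetch_all_issues(token: Optional[str] = None) -> list:
    """Live fetch (not exercised offline): walk pages until an empty page comes
    back. A token is optional but raises the unauthenticated rate limit."""
    headers = {"Accept": "application/vnd.github+json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    issues, page = [], 1
    while True:
        req = urllib.request.Request(issues_url(page), headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            batch = json.load(resp)
        if not batch:
            return issues
        issues.extend(batch)
        page += 1


def to_feed_entries(issues: list) -> list:
    """Re-apply the in-scope rule client-side: closed, carries the label, is an
    issue (the issues endpoint also returns PRs), and names at least one CVE ID."""
    entries = []
    for issue in issues:
        if "pull_request" in issue or issue.get("state") != "closed":
            continue
        if LABEL not in {lbl.get("name") for lbl in issue.get("labels", [])}:
            continue
        text = f"{issue.get('title', '')}\n{issue.get('body') or ''}"
        cve_ids = sorted(set(CVE_ID.findall(text)))
        if not cve_ids:
            continue
        entries.append({
            "cve_ids": cve_ids,
            "title": issue["title"],
            "issue_url": issue["html_url"],
            "closed_at": issue.get("closed_at"),
        })
    # Newest announcement first so consumers see the latest entry at the top.
    entries.sort(key=lambda e: e["closed_at"] or "", reverse=True)
    return entries


def render_feed(entries: list, generated_at: str) -> str:
    """Serialize what the periodic job would upload. generated_at lets a
    consumer judge freshness against the two-hour refresh interval."""
    return json.dumps({"generated_at": generated_at, "items": entries}, indent=2)


# Constructed sample input standing in for a GitHub API response. The CVE IDs
# and URLs are placeholders made up for this example, not real Kubernetes CVEs.
SAMPLE_ISSUES = [
    {"number": 1, "state": "closed",
     "title": "CVE-2099-00001: placeholder issue in kube-apiserver",
     "body": "Also tracked as CVE-2099-00002.",
     "html_url": "https://example.invalid/kubernetes/kubernetes/issues/1",
     "labels": [{"name": LABEL}, {"name": "kind/bug"}],
     "closed_at": "2099-01-02T00:00:00Z"},
    {"number": 2, "state": "closed", "title": "Security fix without a CVE ID",
     "body": "", "html_url": "https://example.invalid/kubernetes/kubernetes/issues/2",
     "labels": [{"name": LABEL}], "closed_at": "2099-01-03T00:00:00Z"},
    {"number": 3, "state": "closed", "title": "CVE-2099-00003 fix", "body": "",
     "pull_request": {},  # a PR: excluded even though it is labelled and closed
     "html_url": "https://example.invalid/kubernetes/kubernetes/pull/3",
     "labels": [{"name": LABEL}], "closed_at": "2099-01-04T00:00:00Z"},
    {"number": 4, "state": "closed",
     "title": "CVE-2099-00004: placeholder issue in kubelet", "body": None,
     "html_url": "https://example.invalid/kubernetes/kubernetes/issues/4",
     "labels": [{"name": LABEL}], "closed_at": "2099-01-05T00:00:00Z"},
]

if __name__ == "__main__":
    print(render_feed(to_feed_entries(SAMPLE_ISSUES), "2099-01-05T02:00:00Z"))
```

Run as-is it prints the feed built from the constructed issues (two entries; the unlabelled-by-CVE issue and the pull request are dropped). The client-side re-check of the label and the CVE-ID requirement is deliberate: the server-side filter in the query is the primary control, but a consumer of the feed should never receive an entry that lacks the identifier the feed exists to carry. Scheduling the run every two hours and copying the output to the bucket belong to the prow job definition, which this example does not reproduce.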