Blog: Implementing the Auto-refreshing Official Kubernetes CVE Feed

2022-09-12 ~1 min read www.kubernetes.dev #kubernetes #community

⚡ TL;DR

Author: Pushkar Joglekar (VMware). Accompanying the release of Kubernetes v1.25, we announced availability of an official CVE feed as an alpha feature.

📝 Summary

Author: Pushkar Joglekar (VMware). Accompanying the release of Kubernetes v1.25, we announced availability of an official CVE feed as an alpha feature. This blog will cover how we implemented this feature.

An auto-refreshing CVE feed allows users and implementers to programmatically fetch the list of CVEs announced by the Kubernetes SRC (Security Response Committee). To ensure freshness and minimal maintainer overhead, the feed updates automatically by fetching the CVE-related information from the CVE announcement GitHub issues. Creating these issues is already part of the existing SRC workflow.

Until December 2021, it was not possible to filter for issues or PRs that are tied to CVEs announced by the Kubernetes SRC. We added a new label, official-cve-feed, to address that, and SIG Security labelled the relevant issues with it. The in-scope issues are closed issues that have one or more CVE IDs and are officially announced as Kubernetes security vulnerabilities by the SRC. You can now filter on all of these issues and find them here. For future security vulnerabilities, we added the label to the SRC playbook so that all future in-scope issues will automatically carry it.

For the next step, we created a prow job in order to periodically query the GitHub REST API and pull the relevant issues.
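The in-scope rule above (closed issue, official-cve-feed label, at least one CVE ID) is what the periodic job has to enforce on whatever the GitHub REST API returns. The following is an added example, not the Kubernetes project's code: it filters a constructed, trimmed issues response offline, and the FeedEntry shape, the sample issue numbers and the CVE IDs are placeholders of my own rather than the official feed schema.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Issue holds the GitHub REST API issue fields the filter needs. encoding/json matches the
// lowercase keys ("number", "labels", ...) to these exported fields case-insensitively.
type Issue struct {
	Number       int
	Title, State string
	Labels       []struct{ Name string }
}

// FeedEntry is one generated feed record; its shape is an assumption, not the official schema.
type FeedEntry struct{ Issue int; Title string; CVEIDs []string }

var cveRe = regexp.MustCompile(`CVE-\d{4}-\d{4,}`)

// BuildFeed applies the in-scope rule from the post: keep only closed issues that carry the
// label and whose title names at least one CVE ID. Titles are upper-cased before matching.
func BuildFeed(raw []byte, label string) ([]FeedEntry, error) {
	var issues []Issue
	if err := json.Unmarshal(raw, &issues); err != nil {
		return nil, err
	}
	var feed []FeedEntry
	for _, is := range issues {
		labelled := false
		for _, l := range is.Labels {
			labelled = labelled || l.Name == label
		}
		ids := cveRe.FindAllString(strings.ToUpper(is.Title), -1)
		if is.State == "closed" && labelled && len(ids) > 0 {
			feed = append(feed, FeedEntry{Issue: is.Number, Title: is.Title, CVEIDs: ids})
		}
	}
	return feed, nil
}

// sampleIssues is a constructed, trimmed API response; issue numbers and CVE IDs are placeholders.
const sampleIssues = `[{"number":100,"state":"closed","labels":[{"name":"official-cve-feed"}],"title":"CVE-0000-0001, cve-0000-0002: constructed advisory"},
{"number":200,"state":"open","labels":[{"name":"official-cve-feed"}],"title":"CVE-0000-0003: constructed issue, still open"},
{"number":300,"state":"closed","labels":[{"name":"kind/bug"}],"title":"CVE-0000-0004: constructed issue lacking the label"},
{"number":400,"state":"closed","labels":[{"name":"official-cve-feed"}],"title":"Hardening follow-up with no CVE ID"}]`
```

Of the four sample issues only number 100 passes all three checks; the real job fetches the issue list from the GitHub REST API before running this kind of filter.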