doc: add .github/SECURITY.md with further information
1 parent f7a02ad, commit 11b5759
Showing 1 changed file with 59 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
# Security Policy | ||
|
||
## Security Announcements | ||
|
||
Join the [kubernetes-security-announce] group for security and vulnerability announcements related to the Kubernetes ecosystem. | ||
|
||
You can also subscribe to an RSS feed of these announcements using [this link][kubernetes-security-announce-rss]. | ||
|
||
## Reporting a Vulnerability | ||
|
||
Instructions for reporting a vulnerability can be found on the [Kubernetes Security and Disclosure Information] page. | ||
|
||
## Supported Versions | ||
|
||
Kubebuilder is tested against and will support the latest three Kubernetes releases, | ||
in alignment with the [Kubernetes version and version skew support policy]. | ||
|
||
However, please note: | ||
|
||
- **Automated Testing**: Kubebuilder's automated tests run with dependencies released for the scaffold produced by Kubebuilder CLI. For more information, refer to the [compatibility and support policy on GitHub][compatibility-policy]. | ||
- **Dependency Releases**: Kubebuilder may rely on external project releases to address CVEs or ensure compliance with security updates. | ||
- **Release Policy**: Kubebuilder maintains a policy of releasing updates for the latest CLI version (currently v4). Older versions (v1, v2, v3) are no longer supported, and no patch releases will be produced for them. It is recommended to ensure that any project scaffolded by Kubebuilder remains aligned with the latest release. | ||
|
||
## Automated Vulnerability Scanning | ||
|
||
Kubebuilder employs automated scanning via Dependabot and GitHub Actions within its CI/CD pipeline. This process detects vulnerabilities in dependencies and configurations, generating daily or weekly reports that are prioritized for the latest supported versions. | ||
|
||
- **Dependabot Configuration**: You can review the setup in `.github/dependabot.yml`. | ||
- **Security Checks**: Security checks are enabled in the Kubebuilder repository settings. | ||
- **Code Scanning**: The `.github/workflows/codeql.yml` workflow scans the `master` and `book-v4` branches, which typically contain the latest release code. Other release branches may not be scanned. | ||
|
||
## Production-Grade Security | ||
|
||
Projects generated by Kubebuilder are designed for ease of development and are **not** configured with production-grade | ||
security settings. For example, default configurations do not enable cert-manager or perform proper certificate validation, | ||
which may not be suitable for production environments. Ensure that you make the necessary adjustments to | ||
security settings before releasing your solution for production. | ||
|
||
## Security Recommendations | ||
|
||
To ensure best practices and maintain security compliance, Kubebuilder recommends the following: | ||
|
||
- **Upgrade Regularly**: Users should stay updated with new releases and use the [Project Upgrade Assistant][project-upgrade-assistant] to re-scaffold projects with the latest version. Alternatively, users can manually upgrade by reviewing sample changes in the [`testdata`][testdata-directory] directory in the root and comparing differences across [tagged releases][kubebuilder-releases]. | ||
- **Code Review**: Regularly review code for `TODO (user)` comments in the source files to address suggestions and implement recommended adjustments. | ||
- **Monitor Project Dependencies**: Users should stay informed of updates and security practices for key dependencies in Kubebuilder projects, including [`controller-runtime`][controller-runtime], [`cert-manager`][cert-manager], [`controller-tools`][controller-tools], [`kustomize`][kustomize], and [Kubernetes][kubernetes]. | ||
|
||
[kubernetes-security-announce]: https://groups.google.com/forum/#!forum/kubernetes-security-announce | ||
[kubernetes-security-announce-rss]: https://groups.google.com/forum/feed/kubernetes-security-announce/msgs/rss_v2_0.xml?num=50 | ||
[Kubernetes version and version skew support policy]: https://kubernetes.io/docs/setup/release/version-skew-policy/#supported-versions | ||
[Kubernetes Security and Disclosure Information]: https://kubernetes.io/docs/reference/issues-security/security/#report-a-vulnerability | ||
[compatibility-policy]: ./../README.md#versions-compatibility-and-supportability | ||
[project-upgrade-assistant]: https://book.kubebuilder.io/reference/rescaffold | ||
[testdata-directory]: https://github.com/kubernetes-sigs/kubebuilder/tree/master/testdata | ||
[kubebuilder-releases]: https://github.com/kubernetes-sigs/kubebuilder/releases | ||
[controller-runtime]: https://github.com/kubernetes-sigs/controller-runtime | ||
[cert-manager]: https://github.com/cert-manager/cert-manager | ||
[controller-tools]: https://github.com/kubernetes-sigs/controller-tools | ||
[kustomize]: https://github.com/kubernetes-sigs/kustomize | ||
[kubernetes]: https://kubernetes.io |
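Review bot: the "Supported Versions" section (from the `## Supported Versions` heading through the **Release Policy** bullet) gives two different answers to the question a SECURITY.md reader is asking. The opening sentence says Kubebuilder supports the latest three Kubernetes releases, while the **Release Policy** bullet says only the latest CLI major (v4) receives releases and v1, v2 and v3 get no patches. State up front that security fixes ship only in the current v4 CLI line, and that "latest three Kubernetes releases" describes what that line is tested against, not which CLI versions are patched. Two smaller points in the same hunk: the **Security Checks** bullet ("Security checks are enabled in the Kubebuilder repository settings") names no concrete check, so a reader cannot verify it; either list what is enabled or drop the bullet. And the "Production-Grade Security" section tells users to make "the necessary adjustments to security settings" without saying what those are beyond the cert-manager and certificate-validation example; pointing at where those settings live in the scaffold, or at the book section that covers them, would make the warning actionable.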