From 81af0d249782f9877281457f257c065279574494 Mon Sep 17 00:00:00 2001 From: John Krug Date: Fri, 31 Jan 2025 14:40:50 +0100 Subject: [PATCH 1/5] review for active voice, language and some formatting. Signed-off-by: John Krug --- docs/disclosure.md | 31 +++--- docs/introduction.md | 23 ++--- docs/personas.md | 1 - docs/quick-start.md | 219 ++++++++++++++++++++++++++----------------- 4 files changed, 158 insertions(+), 116 deletions(-) diff --git a/docs/disclosure.md b/docs/disclosure.md index a08b4d5b4a4..a5eee643fe5 100644 --- a/docs/disclosure.md +++ b/docs/disclosure.md 
@@ -13,37 +13,36 @@ doc-topic: [security, disclosure] -The Kubewarden team greatly appreciates investigative work into security +The Kubewarden team appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. -We follow the practice of [responsible -disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) in order to -best protect Kubewarden's user-base from the impact of security issues. On our -side, this means: - -- We will respond to security incidents on priority. -- We will release fixes for issues as soon as is practical, keeping in mind - that not all risks are created equal. -- We will always transparently let the community know about any incident that +Kubewarden follows the practice of [responsible +disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) to +best protect Kubewarden's user-base from the impact of security issues. On +Kubewarden's side, this means: + +- Kubewarden responds to security incidents on priority. +- Kubewarden releases fixes for issues as soon as is practical, prioritizing by risk. +- Kubewarden always transparently lets the community know about any incident that affects them. If you have found a security vulnerability in Kubewarden, the easiest way to report a vulnerability is through the [Security tab on GitHub](https://github.com/kubewarden/community/security/advisories). This -mechanism allows maintainers to communicate privately with you, and you do not +mechanism allows maintainers to communicate privately with you, and you don't need to encrypt your messages. -Alternatively, you can can disclose it responsibly by emailing +Alternatively, you can disclose it responsibly by emailing [cncf-kubewarden-maintainers@lists.cncf.io](mailto:cncf-kubewarden-maintainers@lists.cncf.io) in an **unencrypted** message. Please do not discuss potential vulnerabilities in public without validating with us first. 
-You can also come talk to us at our [slack-room] in the Kubernetes Slack server. +You can also come talk in our [slack-room] on the Kubernetes Slack server. -On receipt the security team will: +On receipt the security team: -- Review the report, verify the vulnerability and respond with confirmation +- Reviews the report, verifies the vulnerability and responds with confirmation and/or further information requests. -- Once the reported security bug has been addressed we will notify the +- After addressing the reported security bug Kubewarden notifies the Researcher, who is then welcome to optionally disclose publicly. Please, refer to the [community diff --git a/docs/introduction.md b/docs/introduction.md index b11ba8ec933..7c4078bd859 100644 --- a/docs/introduction.md +++ b/docs/introduction.md @@ -44,7 +44,8 @@ Kubewarden offers flexibility for policy admission and enforcement in a Kubernet ## New to Kubewarden? -If new to the Kubewarden project start with the [Quick start guide](./quick-start.md) +If new to the Kubewarden project start with the +[Quick start guide](./quick-start.md) and the [architecture](./explanations/architecture.md) page. Then it depends where your interests take you. For policy developers there are language specific sections in the tutorials. @@ -61,10 +62,9 @@ As stated on [WebAssembly's official website](https://webassembly.org/): > compilation target for programming languages, enabling deployment on > the web for client and server applications. -Wasm was originally conceived as a browser "extension". -However, efforts are being made by the WebAssembly -community to allow the execution of Wasm code outside -browsers. +Wasm was originally conceived as a browser "extension". However, the +WebAssembly community is engaged in efforts to allow the execution of Wasm code +outside browsers. ## Why use WebAssembly? 
@@ -77,15 +77,12 @@ architecture and operating system. For example, a policy developed and built on Apple Silicon can run on AMD64/Intel64 Linux without conversion. -Policy authors can reuse their skills, tools and best -practices. Policies are "traditional" programs that can have reusable -blocks (regular libraries), can be linted and tested, and be -plugged into current CI and CD workflows. +Policy authors can reuse their skills, tools and best practices. Policies are +"traditional" programs that can have reusable blocks (regular libraries). You +can lint and test them and you can plug them into current CI and CD workflows. ## Policy distribution -Kubewarden policies can be served by a regular web server or, -better, be published from an OCI compliant registry. - -Kubewarden policies can be stored inside an OCI compliant registry as +You can serve Kubewarden policies using a standard web server or, better, you +can be publish them in an OCI compliant registry as [OCI artifacts](https://github.com/opencontainers/artifacts). diff --git a/docs/personas.md b/docs/personas.md index a4353ef6fdc..b0bbcc041ed 100644 --- a/docs/personas.md +++ b/docs/personas.md @@ -13,7 +13,6 @@ doc-topic: [explanation] - |Persona|Description| |-|-| |**Policy user**|Someone who takes a policy and uses it in a cluster. They deploy policies and observe results. They configure the policy settings but don't write the policy internal code (if there is any).| diff --git a/docs/quick-start.md b/docs/quick-start.md index 33605ebe786..0c5c9f5c93b 100644 --- a/docs/quick-start.md +++ b/docs/quick-start.md 
@@ -24,44 +24,48 @@ doc-topic: [quick-start] The Kubewarden stack comprises: -- Some [[< cluster-admission-policy >]] resources: this is how policies are defined for Kubernetes clusters +- Some [[< cluster-admission-policy >]] resources: this is how policies are +defined for Kubernetes clusters. -- Some [[< policy-server >]] resources: representing a deployment of a Kubewarden -`PolicyServer`. Your administrator's policies are loaded and evaluated by the Kubewarden -`PolicyServer` +- Some [[< policy-server >]] resources: representing a deployment of a +Kubewarden `PolicyServer`. The Kubewarden `PolicyServer` loads and evaluates +your administrator's policies. -- Some [[< admission-policy >]] resources: policies for a defined namespace +- Some [[< admission-policy >]] resources: policies for a defined namespace. -- A deployment of a `kubewarden-controller`: this controller monitors the -[[< cluster-admission-policy >]] resources and interacts with the Kubewarden -[[< policy-server >]] components. +- A deployment of a `kubewarden-controller`: this controller monitors the [[< +cluster-admission-policy >]] resources and interacts with the Kubewarden [[< +policy-server >]] components. :::tip -The Kubernetes Custom Resource Definitions (CRDs) defined by Kubewarden are -described [here](reference/CRDs.md). +Kubewarden describes its Kubernetes Custom Resource Definitions (CRDs) +[here](reference/CRDs.md). -Furthermore, Kubewarden CRDs mentioned in this tutorial and in the whole -documentation have short names, which are easier to use. These are the short -names for all the CRDs: +Kubewarden CRDs mentioned in this tutorial and in the whole documentation have +short names, which are easier to use. 
These are the short names for all the +CRDs: -| Resource | shortName | -| ---------------------------- | --------- | -| AdmissionPolicies | **ap** | -| ClusterAdmissionPolicies | **cap** | -| AdmissionPolicyGroups | **apg** | -| ClusterAdmissionPolicyGroups | **capg** | -| PolicyServers | **ps** | +| Resource | shortName | +| - | - | +| AdmissionPolicies | **ap** | +| ClusterAdmissionPolicies | **cap** | +| AdmissionPolicyGroups | **apg** | +| ClusterAdmissionPolicyGroups | **capg** | +| PolicyServers | **ps** | ::: ## Installation :::info Authentication -Kubewarden policies can be retrieved from the GitHub container registry at https://ghcr.io. -You need authentication to use the repository with the Kubewarden CLI, a [GitHub personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) (PAT). -Their documentation guides you through creating one if you haven't already done so. -Then you authenticate with a command like: + +You can retrieve Kubewarden policies from the GitHub container registry at +[https://ghcr.io](https://ghcr.io). You need authentication to use the +repository with the Kubewarden CLI, a [GitHub personal access +token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) +(PAT). Their documentation guides you through creating one if you haven't +already done so. Then you authenticate with a command like: ```console echo $PAT | docker login ghcr.io --username --password-stdin 
@@ -79,7 +83,8 @@ helm repo add kubewarden https://charts.kubewarden.io helm repo update kubewarden ``` -Install the following Helm charts inside the `kubewarden` namespace in your Kubernetes cluster: +Install the following Helm charts inside the `kubewarden` namespace in your +Kubernetes cluster: - `kubewarden-crds`, which registers the [[< cluster-admission-policy >]], [[< admission-policy >]] and [[< policy-server >]] Custom Resource Definitions. Also, @@ -92,8 +97,9 @@ Install the following Helm charts inside the `kubewarden` namespace in your Kube scanner installation [documentation page](../howtos/audit-scanner). ::: -- `kubewarden-defaults`, which will create a `PolicyServer` resource named `default`. It can also install a set of - recommended policies to secure your cluster by enforcing some well known best practices. +- `kubewarden-defaults`, which creates a `PolicyServer` resource named +`default`. It can also install a set of recommended policies to secure your +cluster by enforcing some well known best practices. ```console helm install --wait -n kubewarden --create-namespace kubewarden-crds kubewarden/kubewarden-crds 
@@ -108,20 +114,29 @@ helm install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defa ``` :::caution -Since [`v0.4.0`](https://github.com/kubewarden/kubewarden-controller/releases/tag/v0.4.0), a `PolicyServer` resource named `default` will not be created using the `kubewarden-controller` chart. -Now a Helm chart called `kubewarden-defaults`, installs -the default policy server. - -This means that if you aren't using the latest version of the `kubewarden-controller` and are trying to upgrade or delete, -your default policy server won't be upgraded or deleted. -So, you might run into issues if you try to install the `kubewarden-defaults` with some conflicting information, for example, the same policy server name. -To be able to take advantage of future upgrades in the `kubewarden-defaults` Helm chart remove the -existing `PolicyServer` resource created by the `kubewarden-controller` before installing the new chart. -Now you can update your policy server using Helm upgrades without resource conflicts. -When you remove the `PolicyServer`, all the policies bound to it will be removed as well. + +Since +[`v0.4.0`](https://github.com/kubewarden/kubewarden-controller/releases/tag/v0.4.0), +a `PolicyServer` resource named `default` will not be created using the +`kubewarden-controller` chart. Now a Helm chart called `kubewarden-defaults`, +installs the default policy server. + +This means that if you aren't using the latest version of the +`kubewarden-controller` and are trying to upgrade or delete, your default +policy server won't be upgraded or deleted. So, you might run into issues if +you try to install the `kubewarden-defaults` with some conflicting information, +for example, the same policy server name. To be able to take advantage of +future upgrades in the `kubewarden-defaults` Helm chart remove the existing +`PolicyServer` resource created by the `kubewarden-controller` before +installing the new chart. 
Now you can update your policy server using Helm +upgrades without resource conflicts. When you remove the `PolicyServer`, all +the policies bound to it will be removed as well. + ::: -The default configuration values are sufficient for most deployments. All options are documented [here](https://charts.kubewarden.io/#configuration). +The default configuration values are sufficient for most deployments. The +[documentation](https://charts.kubewarden.io/#configuration) describes all the +options. ## Main components @@ -133,8 +148,8 @@ Kubewarden has three main components which you will interact with: ### `PolicyServer` -A Kubewarden `PolicyServer` is managed by the `kubewarden-controller`. -Multiple [[< policy-server >]]s can be deployed in the same Kubernetes cluster. +The `kubewarden-controller` manages a Kubewarden `PolicyServer`. +You can deploy multiple [[< policy-server >]]s in the same Kubernetes cluster. A `PolicyServer` validates incoming requests by executing Kubewarden policies against them. 
@@ -160,12 +175,11 @@ Check the [latest released `PolicyServer` version](https://github.com/kubewarden Overview of the attributes of the `PolicyServer` resource: - -| Required | Placeholder | Description | -|:--------:| ------------------- | ----------------------------- | +| Required | Placeholder | Description | +|:-:| - | - | | Y | `image` | The name of the container image | | Y | `replicas` | The number of desired instances | -| N | `serviceAccountName` | The name of the `ServiceAccount` to use for the `PolicyServer` deployment. If no value is provided, the default `ServiceAccount` from the namespace, where the `kubewarden-controller` is installed, will be used | +| N | `serviceAccountName` | The name of the `ServiceAccount` to use for the `PolicyServer` deployment. If no value is provided, the default `ServiceAccount` from the namespace, where the `kubewarden-controller` is installed, is used | | N | `env` | The list of environment variables | | N | `annotations` | The list of annotations | 
@@ -175,10 +189,12 @@ Changing any of these attributes causes a `PolicyServer` deployment with the new The [[< cluster-admission-policy >]] resource is the core of the Kubewarden stack. It defines how policies evaluate requests. -Enforcing policies is the most common operation which a Kubernetes administrator performs. -You can declare as many policies as you want, each targets one or more Kubernetes resources (that is, `pods`, `Custom Resource` and others). -You also specify the type of operations applied to targeted resources. -The operations available are `CREATE`, `UPDATE`, `DELETE` and `CONNECT`. +Enforcing policies is the most common operation which a Kubernetes +administrator performs. You can declare as many policies as you want, each +targets one or more Kubernetes resources (that is, `pods`, `Custom Resource` +and others). You also specify the type of operations applied to targeted +resources. The operations available are `CREATE`, `UPDATE`, `DELETE` and +`CONNECT`. Default [[< cluster-admission-policy >]] configuration: 
@@ -207,33 +223,44 @@ spec: Overview of the attributes of the [[< cluster-admission-policy >]] resource: -| Required | Placeholder | Description | -| :------: | --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| N | `policy-server` | Identifies an existing `PolicyServer` object. The policy will be served only by this `PolicyServer` instance. A [[< cluster-admission-policy >]] that doesn't have an explicit `PolicyServer`, will be served by the one named `default` | -| Y | `module` | The location of the Kubewarden policy. The following schemes are allowed: | -| N | | - `registry`: The policy is downloaded from an [OCI artifacts](https://github.com/opencontainers/artifacts) compliant container registry. Example: `registry://` | -| N | | - `http`, `https`: The policy is downloaded from a regular HTTP(s) server. Example: `https://` | -| N | | - `file`: The policy is loaded from a file in the computer file system. Example: `file:///` | -| Y | `resources` | The Kubernetes resources evaluated by the policy | -| Y | `operations` | What operations for the previously given types should be forwarded to this admission policy by the API server for evaluation. | -| Y | `mutating` | A boolean value that must be set to `true` for policies that can mutate incoming requests | -| N | `settings` | A free-form object that contains the policy configuration values | -| N | `failurePolicy` | The action to take if the request evaluated by a policy results in an error. 
The following options are allowed: | -| N | | - `Ignore`: an error calling the webhook is ignored and the API request is allowed to continue | -| N | | - `Fail`: an error calling the webhook causes the admission to fail and the API request to be rejected | +| Required | Placeholder | Description | +| :--: | - | - | +| N | `policy-server` | Identifies an existing `PolicyServer` object. The policy will be served only by this `PolicyServer` instance. The policy server named `default` serves a [[< cluster-admission-policy >]] without an explicit `PolicyServer`. | +| Y | `module` | The location of the Kubewarden policy. Kubewarden permits the following schemes: | +| N | | - `registry`: The policy is downloaded from an [OCI artifacts](https://github.com/opencontainers/artifacts) compliant container registry. Example: `registry://`. | +| N | | - `http`, `https`: The policy is downloaded from a regular HTTP(s) server. Example: `https://`. | +| N | | - `file`: The policy is loaded from a file in the computer file system. Example: `file:///`. | +| Y | `resources` | The Kubernetes resources evaluated by the policy. | +| Y | `operations` | What operations for the previously given types to forward to this admission policy by the API server for evaluation. | +| Y | `mutating` | A boolean value to be set to `true` for policies that can mutate incoming requests. | +| N | `settings` | A free-form object that contains the policy configuration values. | +| N | `failurePolicy` | The action to take if the request evaluated by a policy results in an error. Permitted options: | +| N | | - `Ignore`: ignore an error calling the webhook, and the API request continues. | +| N | | - `Fail`: an error calling the webhook causes the admission to fail and the API request is rejected. 
| :::note -The [[< cluster-admission-policy >]] resources are registered with a `*` webhook `scope`, which means that registered webhooks forward all requests matching the given `resources` and `operations` — either namespaced or cluster-wide resources. + +The [[< cluster-admission-policy >]] resources are registered with a `*` +webhook `scope`. This means that registered webhooks forward all requests +matching the given `resources` and `operations`, either namespaced or +cluster-wide resources. + ::: ### AdmissionPolicy [[< admission-policy >]] is a namespace-wide resource. -The policy processes only the requests that are targeting the Namespace where the [[< admission-policy >]] is defined. -Other than that, there are no functional differences between the [[< admission-policy >]] and [[< cluster-admission-policy >]] resources. +The policy only processes requests targeting the Namespace with +the [[< admission-policy >]] defined. +Other than that, there are no functional differences between the +[[< admission-policy >]] and [[< cluster-admission-policy >]] resources. :::info -[[< admission-policy >]] requires Kubernetes 1.21.0 or greater. This is because we're using the `kubernetes.io/metadata.name` label, which was introduced in Kubernetes 1.21.0 + +[[< admission-policy >]] requires Kubernetes 1.21.0 or greater. This is because +Kubewarden uses the `kubernetes.io/metadata.name` label, introduced in +Kubernetes 1.21.0 + ::: The complete documentation of these Custom Resources can be found [here](https://github.com/kubewarden/kubewarden-controller/blob/main/docs/crds/README.asciidoc) or on [docs.crds.dev](https://doc.crds.dev/github.com/kubewarden/kubewarden-controller). 
@@ -270,8 +297,10 @@ This produces the following output: clusteradmissionpolicy.policies.kubewarden.io/privileged-pods created ``` -When a [[< cluster-admission-policy >]] is defined, the status is set to `pending`, and it will force a rollout of the targeted `PolicyServer`. -In our example, it's the `PolicyServer` named `default`. You can monitor the rollout by running the following command: +When a [[< cluster-admission-policy >]] is defined, the status is set to +`pending`, and it forces a rollout of the targeted `PolicyServer`. In our +example, it's the `PolicyServer` named `default`. You can monitor the rollout +by running the following command: ```console kubectl get clusteradmissionpolicy.policies.kubewarden.io/privileged-pods @@ -284,9 +313,13 @@ NAME POLICY SERVER MUTATING STATUS privileged-pods default false pending ``` -Once the new policy is ready to be served, the `kubewarden-controller` will register a [ValidatingWebhookConfiguration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#validatingwebhookconfiguration-v1-admissionregistration-k8s-io) object. +Once the new policy is ready to be served, the `kubewarden-controller` will +register a +[ValidatingWebhookConfiguration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#validatingwebhookconfiguration-v1-admissionregistration-k8s-io) +object. -The [[< cluster-admission-policy >]] status will be set to `active` once the Deployment is done for every `PolicyServer` instance. +The [[< cluster-admission-policy >]] status is set to `active` once the +Deployment completes for every `PolicyServer` instance. Show [[< validating-webhook-configuration >]]s with the following command: ```console 
@@ -301,9 +334,9 @@ clusterwide-privileged-pods 1 9s ``` Once the [[< cluster-admission-policy >]] is active and the -[[< validating-webhook-configuration >]] is registered, you can test the policy. +[[< validating-webhook-configuration >]] registers, you can test the policy. -First, let's create a Pod with a Container _not_ in `privileged` mode: +First, you can create a Pod with a Container _not_ in `privileged` mode: ```console kubectl apply -f - <]]s and [[< mutating-webhook-configuration >]]s created by kubewarden should be deleted, this can be checked with: +Kubewarden deletes [[< validating-webhook-configuration >]]s and +[[< mutating-webhook-configuration >]]s +it has created. Check this with: ```console kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io -l "kubewarden" @@ -392,7 +436,8 @@ kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io -l "kub kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io -l "kubewarden" ``` -If these resources are not automatically removed, remove them manually by using the following command: +If these resources aren't automatically removed, remove them manually using +the following command: ```console kubectl delete -l "kubewarden" validatingwebhookconfigurations.admissionregistration.k8s.io @@ -404,7 +449,9 @@ kubectl delete -l "kubewarden" mutatingwebhookconfigurations.admissionregistrati ## Wrapping up -[[< cluster-admission-policy >]] is the core resource that a cluster operator has to manage. The `kubewarden-controller` module automatically takes care of the configuration for the rest of the resources needed to run the policies. +[[< cluster-admission-policy >]] is the core resource that a cluster operator +has to manage. The `kubewarden-controller` module automatically takes care of +the configuration for the rest of the resources needed to run the policies. ## What's next? 
@@ -415,9 +462,9 @@ policies as shown in the [following chapters](tutorials/writing-policies/rego/01-intro-rego.md).
+ Full list of available policies on ArtifactHub
- From 8e870290a7face7dd824fea99597ea5e6b565c9b Mon Sep 17 00:00:00 2001 From: John Krug Date: Fri, 31 Jan 2025 16:58:56 +0100 Subject: [PATCH 2/5] Update docs/disclosure.md Co-authored-by: Daria Vladykina Signed-off-by: John Krug --- docs/disclosure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/disclosure.md b/docs/disclosure.md index a5eee643fe5..43a40ca19a6 100644 --- a/docs/disclosure.md +++ b/docs/disclosure.md @@ -13,7 +13,7 @@ doc-topic: [security, disclosure] -The Kubewarden team appreciates investigative work into security +The Kubewarden team appreciates investigative work on security vulnerabilities carried out by well-intentioned, ethical security researchers. Kubewarden follows the practice of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) to From ae0bca373a34053a3476e34c8f813e31dba7cbc1 Mon Sep 17 00:00:00 2001 From: John Krug Date: Fri, 31 Jan 2025 16:59:12 +0100 Subject: [PATCH 3/5] Update docs/disclosure.md Co-authored-by: Daria Vladykina Signed-off-by: John Krug --- docs/disclosure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/disclosure.md b/docs/disclosure.md index 43a40ca19a6..22317644b60 100644 --- a/docs/disclosure.md +++ b/docs/disclosure.md @@ -17,7 +17,7 @@ The Kubewarden team appreciates investigative work on security vulnerabilities carried out by well-intentioned, ethical security researchers. Kubewarden follows the practice of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) to -best protect Kubewarden's user-base from the impact of security issues. On +best protect Kubewarden's user base from the impact of security issues. On Kubewarden's side, this means: - Kubewarden responds to security incidents on priority. From d5c3c6214175afa8556d760eacac35954ff3cd6d Mon Sep 17 00:00:00 2001 From: John Krug Date: Fri, 31 Jan 2025 16:59:51 +0100 Subject: [PATCH 4/5] Update docs/disclosure.md Co-authored-by: Daria Vladykina 
Signed-off-by: John Krug --- docs/disclosure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/disclosure.md b/docs/disclosure.md index 22317644b60..081344bc5de 100644 --- a/docs/disclosure.md +++ b/docs/disclosure.md @@ -38,7 +38,7 @@ with us first. You can also come talk in our [slack-room] on the Kubernetes Slack server. -On receipt the security team: +On receipt, the security team: - Reviews the report, verifies the vulnerability and responds with confirmation and/or further information requests. From 2c88bf7f579fae8afe0cb8225171bbe7a8becf9b Mon Sep 17 00:00:00 2001 From: John Krug Date: Fri, 31 Jan 2025 17:00:12 +0100 Subject: [PATCH 5/5] Update docs/disclosure.md Co-authored-by: Daria Vladykina Signed-off-by: John Krug --- docs/disclosure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/disclosure.md b/docs/disclosure.md index 081344bc5de..4c94163aa3d 100644 --- a/docs/disclosure.md +++ b/docs/disclosure.md @@ -42,7 +42,7 @@ On receipt, the security team: - Reviews the report, verifies the vulnerability and responds with confirmation and/or further information requests. -- After addressing the reported security bug Kubewarden notifies the +- After addressing the reported security bug, Kubewarden notifies the Researcher, who is then welcome to optionally disclose publicly. Please, refer to the [community
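Review bot: In docs/disclosure.md (patch 1/5, hunk at -13,37), the list under "On receipt the security team:" is no longer parallel. The first item continues the lead-in ("Reviews the report, verifies the vulnerability and responds ..."), but the second starts a new clause with its own subject ("After addressing the reported security bug Kubewarden notifies the Researcher"). Patches 4/5 and 5/5 only add commas here. Give the second item the same shape, for example "Notifies the Researcher after addressing the reported security bug", or make the lead-in a full sentence. The same hunk changes "you do not need to encrypt" to "you don't" but leaves "Please do not discuss" two sentences later; use one form throughout unless the emphasis is intended.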
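Review bot: In docs/introduction.md (patch 1/5, hunk at -77,15), the new "Policy distribution" sentence has a leftover word: "you can be publish them in an OCI compliant registry" should read "you can publish them in an OCI compliant registry". The merge also folds the old "can be stored inside an OCI compliant registry as OCI artifacts" sentence into the "or, better" clause, so check that the result still says that policies are stored as OCI artifacts and not only that they can be published there.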
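Review bot: In docs/quick-start.md (patch 1/5, hunk at -24,44), the re-wrap of the `kubewarden-controller` bullet splits two placeholders across lines: "[[<" ends one line and "cluster-admission-policy >]]" starts the next, and "[[< policy-server >]]" is split the same way. Everywhere else in this patch the token stays on one line, so whatever expands these placeholders may no longer match the two split ones; break the line before "[[<" instead. The re-wrapped continuation lines of the first two bullets ("defined for Kubernetes clusters.", "Kubewarden `PolicyServer`. ...") also lost their indentation relative to the list marker, which is worth restoring for consistency with the untouched `kubewarden-crds` bullet.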
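Review bot: In docs/quick-start.md (patch 1/5, hunk at -108,20), the caution block is only re-wrapped, so the passive and future-tense wording the commit subject sets out to remove is still there: "will not be created using the `kubewarden-controller` chart", "won't be upgraded or deleted", "will be removed as well". The stray comma in "Now a Helm chart called `kubewarden-defaults`, installs the default policy server" is carried over too. Since this block tells the reader that removing the `PolicyServer` also removes every policy bound to it, it is worth rewriting in the same active voice as the rest of the page, for example "the `kubewarden-controller` chart no longer creates a `PolicyServer` named `default`".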
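Review bot: In docs/quick-start.md (patch 1/5, hunk at -207,33), the `mutating` row changes "must be set to `true`" to "to be set to `true`", which drops the requirement from a row marked `Y`; keep "must". In the same table the two `failurePolicy` items are now phrased differently (`Ignore` as an imperative, `Fail` as a description); describe both the same way so the allow-on-error and reject-on-error outcomes read as a pair. Further down, "requests targeting the Namespace with the [[< admission-policy >]] defined" is harder to parse than the removed "the Namespace where the [[< admission-policy >]] is defined", and the `policy-server` row still says "The policy will be served only by this `PolicyServer` instance".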
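Review bot: In docs/quick-start.md (patch 1/5, hunk at -301,9), "the [[< validating-webhook-configuration >]] registers" makes the webhook configuration the actor, while the preceding section says the `kubewarden-controller` registers that object. Name the controller as the subject, for example "Once the [[< cluster-admission-policy >]] is active and the `kubewarden-controller` has registered the [[< validating-webhook-configuration >]], you can test the policy." The neighbouring hunk at -284,9 also keeps "the `kubewarden-controller` will register" in the future tense.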
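Review bot: In the uninstall section of docs/quick-start.md (patch 1/5), replacing "should be deleted" with "Kubewarden deletes ... it has created" turns an expectation into a flat statement, and the next changed paragraph contradicts it by covering the case where "these resources aren't automatically removed". Keep the sentence active but conditional, for example "Kubewarden should delete the [[< validating-webhook-configuration >]]s and [[< mutating-webhook-configuration >]]s it created. Check this with:", so readers still verify that no leftover webhook configurations remain after removal.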