|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Security Announcements |
| 4 | + |
| 5 | +Join the [kubernetes-security-announce] group for security and vulnerability announcements related to the Kubernetes ecosystem. |
| 6 | + |
| 7 | +You can also subscribe to an RSS feed of these announcements using [this link][kubernetes-security-announce-rss]. |
| 8 | + |
| 9 | +## Reporting a Vulnerability |
| 10 | + |
| 11 | +Instructions for reporting a vulnerability can be found on the [Kubernetes Security and Disclosure Information] page. |
| 12 | + |
| 13 | +## Supported Versions |
| 14 | + |
| 15 | +Kubebuilder is tested against the latest three Kubernetes releases, in alignment with the [Kubernetes version and version skew support policy](https://kubernetes.io/docs/setup/release/version-skew-policy/). |
| 16 | + |
| 17 | +However, each version is only tested with the dependencies used for its release. For detailed information, please refer to the [compatibility and support policy on GitHub][compatibility-policy]. |
| 18 | + |
| 19 | +## Release Policy |
| 20 | + |
| 21 | +Kubebuilder maintains a policy of releasing updates for the latest CLI version (currently v4). Older versions (v1, v2, v3) are no longer supported, and no releases will be produced for them. It is recommended to ensure that any project scaffolded by Kubebuilder remains aligned with the latest release. |
| 22 | + |
| 23 | +## Automated Vulnerability Scanning |
| 24 | + |
| 25 | +Kubebuilder employs automated scanning via Dependabot and GitHub Actions within its CI/CD pipeline. This process detects vulnerabilities in dependencies and configurations, generating daily or weekly reports prioritized for the latest supported versions. |
| 26 | + |
| 27 | +- **Dependabot Configuration**: You can review the setup in `.github/dependabot.yml`. |
| 28 | +- **Security Checks**: Security checks are enabled in the Kubebuilder repository settings. |
| 29 | +- **Code Scanning**: The `.github/workflows/codeql.yml` workflow scans the `master` and `book-v4` branches, which typically contain the latest release code. Other release branches may not be scanned. |
| 30 | + |
| 31 | +## Production-Grade Security |
| 32 | + |
| 33 | +Projects generated by Kubebuilder are designed for ease of development and are **not** configured with production-grade security settings. For example, default configurations do not enable cert-manager or perform proper certificate validation, which may not be suitable for production environments. Ensure that you make the necessary adjustments to security settings before releasing your solution for production. |
| 34 | + |
| 35 | +[kubernetes-security-announce]: https://groups.google.com/forum/#!forum/kubernetes-security-announce |
| 36 | +[kubernetes-security-announce-rss]: https://groups.google.com/forum/feed/kubernetes-security-announce/msgs/rss_v2_0.xml?num=50 |
| 37 | +[Kubernetes version and version skew support policy]: https://kubernetes.io/docs/setup/release/version-skew-policy/#supported-versions |
| 38 | +[Kubernetes Security and Disclosure Information]: https://kubernetes.io/docs/reference/issues-security/security/#report-a-vulnerability |
| 39 | +[compatibility-policy]: ./../README.md#versions-compatibility-and-supportability |
| 40 | +[project-upgrade-assistant]: https://book.kubebuilder.io/reference/rescaffold |
| 41 | +[testdata-directory]: https://github.com/kubernetes-sigs/kubebuilder/tree/master/testdata |
| 42 | +[kubebuilder-releases]: https://github.com/kubernetes-sigs/kubebuilder/releases |
0 commit comments