Merge pull request #39644 from cailynse/KEP-3202-blog

Add Blog Post for KEP-3202 beta (CVE feed)
2023-04-11 19:02:30 -07:00 · 2023-04-11 19:02:30 -07:00 · 703ca72a01
parent 91ab310e51 9411b28ffb
commit 703ca72a01
1 changed files with 64 additions and 0 deletions
--- a/content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
+++ b/content/en/blog/_posts/2023-04-25-Updates-to-the-Auto-refreshing-Official-CVE-Feed/index.md
@ -0,0 +1,64 @@
+---
+layout: blog
+title: Updates to the Auto-refreshing Official CVE Feed
+date: 2023-04-25
+slug: k8s-cve-feed-beta
+---
+
+**Authors**: Cailyn Edwards (Shopify), Mahé Tardy (Isovalent), Pushkar Joglekar
+
+Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an alpha
+feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the
+beta version of the feed. This blog post will outline the feedback received, the changes made, and talk about how you can help 
+as we prepare to make this a stable feature in a future Kubernetes Release.
+
+
+## Feedback from end-users
+
+SIG Security received some feedback from end-users:
+- The JSON CVE Feed [did not comply](https://github.com/kubernetes/website/issues/36808)
+  with the [JSON Feed specification](https://www.jsonfeed.org/) as its name would suggest.
+- The feed could also [support RSS](https://github.com/kubernetes/sig-security/issues/77)
+  in addition to JSON Feed format.
+- Some metadata could be [added](https://github.com/kubernetes/sig-security/issues/72) to indicate the freshness of
+  the feed overall, or [specific CVEs](https://github.com/kubernetes/sig-security/issues/63). Another suggestion was 
+  to [indicate](https://github.com/kubernetes/sig-security/issues/71) which Prow job recently updated the feed. See 
+  more ideas directly on the [the umbrella issue](https://github.com/kubernetes/sig-security/issues/1).
+- The feed Markdown table on the website [should be ordered](https://github.com/kubernetes/sig-security/issues/73)
+  from the most recent to the least recently announced CVE.
+
+## Summary of changes
+
+In response, the SIG did a [rework of the script generating the JSON feed](https://github.com/kubernetes/sig-security/pull/76)
+to comply with the JSON Feed specification from generation and add a
+`last_updated` root field to indicate overall freshness. This redesign needed a
+[corresponding fix on the Kubernetes website side](https://github.com/kubernetes/website/pull/38579)
+for the CVE feed page to continue to work with the new format.
+
+After that, [RSS feed support](https://github.com/kubernetes/website/pull/39513)
+could be added transparently so that end-users can consume the feed in their
+preferred format.
+
+Overall, the redesign based on the JSON Feed specification, which this time broke
+backward compatibility, will allow updates in the future to address the rest of
+the issue while being more transparent and less disruptive to end-users.
+
+### Updates
+| **Title**                                                                                                    | **Issue**                                                       | **Status**                                                                                                                                                                                                                      |
+| ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| CVE Feed: JSON feed should pass jsonfeed spec validator | [kubernetes/webite#36808](https://github.com/kubernetes/website/issues/36808) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| CVE Feed: Add lastUpdatedAt as a metadata field | [kubernetes/sig-security#72](https://github.com/kubernetes/sig-security/issues/72) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| Support RSS feeds by generating data in Atom format | [kubernetes/sig-security#77](https://github.com/kubernetes/sig-security/issues/77) | closed, addressed by [kubernetes/website#39513](https://github.com/kubernetes/website/pull/39513)|
+| CVE Feed: Sort Markdown Table from most recent to least recently announced CVE | [kubernetes/sig-security#73](https://github.com/kubernetes/sig-security/issues/73) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| CVE Feed: Include a timestamp field for each CVE indicating when it was last updated | [kubernetes/sig-security#63](https://github.com/kubernetes/sig-security/issues/63) | closed, addressed by [kubernetes/sig-security#76](https://github.com/kubernetes/sig-security/pull/76) |
+| CVE Feed: Add Prow job link as a metadata field | [kubernetes/sig-security#71](https://github.com/kubernetes/sig-security/issues/71) | closed, addressed by [kubernetes/sig-security#83](https://github.com/kubernetes/sig-security/pull/83) |
+
+## What's next?
+
+In preparation to [graduate](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-stages) the feed 
+to stable i.e. `General Availability` stage, SIG Security is still gathering feedback from end users who are using the updated beta feed.
+
+To help us continue to improve the feed in future Kubernetes Releases please share feedback by adding a comment to
+this [tracking issue](https://github.com/kubernetes/sig-security/issues/1) or
+let us know on [#sig-security-tooling](https://kubernetes.slack.com/archives/C01CUSVMHPY)
+Kubernetes Slack channel, join [Kubernetes Slack here](https://slack.k8s.io).