[ANNOUNCE] Kubernetes Security Release Process


Brandon Philips

19.03.2017, 21:09:07
to Sen Lu, Erick Fejta, Liggitt, Jordan, Jessica Frazelle, Chen Goldberg, Robert Bailey, Sarah Novotny, kubernetes-sig-auth, kubernetes-dev
Hello Everyone-

tl;dr Kubernetes has a community-organized security release process designed by folks in SIG Auth. Read more on the community repo doc. Or learn more at KubeCon.



Several months ago a bunch of people scrambled to release Kubernetes v1.4.3 and communicate the security impact of the release. The lack of a documented process and security response team made that release painful for those involved. So, SIG Auth was charged with coming up with a new plan.

Over the course of 8 or so weeks a document was created, first as a Google Doc, then as a community repo PR with input from experts both inside and outside of the Kubernetes community. The document outlines the steps from private or public disclosure, fix development, a release, and finally public communication.

Again, learn more by reading the document on the community repo doc. Or come see the talk Jess and I are giving at KubeCon to learn more.



Jess Frazelle and I are the primary authors of this process but it was a huge team effort (see full list at end), thank you! I would especially like to thank four people who have been working hard to ensure that the build infrastructure is in place to support this security process: Sen Lu (@krzyzacy), Erick Fejta (@fejta), Jess Frazelle (@jessfraz), Jordan Liggitt (@liggitt). Thank you everyone (including those I likely missed)!

Cheers,

Brandon

Security process input from: Kees Cook, Greg Kroah-Hartman, Davanum Srinivas, Jordan Liggitt, Matthew Garrett, Kurt Seifried, Adam Heczko, Piotr Siwczak, Kurt Seifried, David Barry, Eric Tune, Tim St. Clair (@timstclair), Robert Bailey. Thank you!

Sarah Novotny

20.03.2017, 10:53:41
to Brandon Philips, Sen Lu, Erick Fejta, Liggitt, Jordan, Jessica Frazelle, Chen Goldberg, Robert Bailey, kubernetes-sig-auth, kubernetes-dev
Many thanks to all of you who contributed to this effort. And many more to Brandon for leading the charge.

Having a defined and published security process is one of the Core Infrastructure Initiative requirements (which we need to graduate from incubation inside the CNCF when we're ready to consider that.)

sarah