Hello Everyone-
tl;dr Kubernetes has a community-organized security release process designed by folks in SIG Auth. Read more on the community repo doc. Or learn more at KubeCon.
Several months ago a bunch of people scrambled to release Kubernetes v1.4.3 and communicate the security impact of the release. The lack of a documented process and security response team made that release painful for those involved. So, SIG Auth was charged with coming up with a new plan.
Over the course of 8 or so weeks a document was created, first as a Google Doc, then as a community repo PR with input from experts both inside and outside of the Kubernetes community. The document outlines the steps from private or public disclosure, fix development, a release, and finally public communication.
Again, learn more by reading the document on the community repo doc. Or come see the talk Jess and I are giving at KubeCon to learn more.
Jess Frazelle and I are the primary authors of this process, but it was a huge team effort (see full list at end), thank you! I would especially like to thank four people who have been working hard to ensure that the build infrastructure is in place to support this security process: Sen Lu (@krzyzacy), Erick Fejta (@fejta), Jess Frazelle (@jessfraz), Jordan Liggitt (@liggitt). Thank you everyone (including those I likely missed)!
Cheers,
Brandon
Security process input from: Kees Cook, Greg Kroah-Hartman, Davanum Srinivas, Jordan Liggitt, Matthew Garrett, Kurt Seifried, Adam Heczko, Piotr Siwczak, Kurt Seifried, David Barry, Eric Tune, Tim St. Clair (@timstclair), Robert Bailey. Thank you!