Kubernetes Enhances the Official CVE Feed: What Developers Should Know
ayedo Editorial Team · 2 min read

Discover the updates coming to the official CVE feed from Kubernetes for developers and DevOps teams.
kubernetes kubernetes-news devops

Since the auto-refreshing official CVE feed was introduced as an alpha feature in version 1.25, we have made significant improvements and updates. We are pleased to announce the release of the beta version of the feed. In this blog post, we discuss the feedback received, the changes made, and how to support this work as we prepare to make it a stable feature in a future Kubernetes release.

Feedback from End Users

The SIG Security team received some feedback from end users:

  • The JSON CVE feed did not conform to the JSON Feed specification, despite what its name might suggest.
  • The feed could also support RSS in addition to the JSON Feed format.
  • Some metadata could be added to indicate the freshness of the feed overall or specific CVEs. Another suggestion was to show which Prow job last updated the feed. More ideas can be found directly in the main issue.
  • The Markdown table of the feed on the website should be sorted from the most recently announced to the least recently announced CVEs.

Summary of Changes

In response, the SIG reworked the script that generates the JSON feed so that it conforms to the JSON Feed specification, and added a last_updated field to indicate overall freshness. This redesign required a corresponding fix on the Kubernetes website to ensure the CVE feed page continues to work with the new format.

Subsequently, RSS feed support was transparently added, allowing end users to consume the feed in their preferred format.

Overall, the redesign based on the JSON Feed specification, which this time broke backward compatibility, will enable future updates to address the remaining issues while being more transparent and less disruptive for end users.
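
A consumer-side check built on these changes, added here as an example and not taken from the Kubernetes project or the original post: it verifies the members the JSON Feed specification requires, uses last_updated to flag a stale feed, and orders entries newest-first. The sample document and its placeholder IDs are constructed, the top-level placement of last_updated and the 24-hour threshold are assumptions, and the function names are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample document (not real feed data); the CVE IDs are placeholders.
SAMPLE_FEED = json.dumps({
    "version": "https://jsonfeed.org/version/1.1",
    "title": "Constructed CVE feed sample",
    # Field name taken from the article; its top-level placement is an assumption.
    "last_updated": "2024-05-01T12:00:00Z",
    "items": [
        {"id": "CVE-0000-0001", "date_published": "2024-03-10T08:00:00Z",
         "content_text": "placeholder entry A"},
        {"id": "CVE-0000-0002", "date_published": "2024-04-20T09:30:00Z",
         "content_text": "placeholder entry B"},
        {"date_published": "2024-04-25T10:00:00Z", "content_text": "entry without id"},
    ],
})

def parse_ts(value):
    """Parse an RFC 3339 timestamp; map a trailing 'Z' to an explicit UTC offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def load_feed(raw):
    """Validate JSON Feed required members; return (last_updated, valid, rejected)."""
    doc = json.loads(raw)
    if not str(doc.get("version", "")).startswith("https://jsonfeed.org/version/"):
        raise ValueError("not a JSON Feed document")
    if "title" not in doc or not isinstance(doc.get("items"), list):
        raise ValueError("missing required 'title' or 'items'")
    updated = parse_ts(doc["last_updated"]) if "last_updated" in doc else None
    valid, rejected = [], []
    for item in doc["items"]:
        # The spec requires an id per item; this consumer also needs a date to
        # order entries, so items lacking either are set aside, not dropped silently.
        ok = isinstance(item, dict) and item.get("id") and item.get("date_published")
        (valid if ok else rejected).append(item)
    valid.sort(key=lambda i: parse_ts(i["date_published"]), reverse=True)
    return updated, valid, rejected

def is_stale(updated, now, max_age=timedelta(hours=24)):
    """Treat a feed with no freshness marker, or one older than max_age, as stale."""
    return updated is None or now - updated > max_age

def new_since(items, last_seen):
    """Return the entries published after the last timestamp already processed."""
    return [i for i in items if parse_ts(i["date_published"]) > last_seen]

if __name__ == "__main__":
    updated, valid, rejected = load_feed(SAMPLE_FEED)
    print("stale:", is_stale(updated, datetime.now(timezone.utc)))
    print("newest first:", [i["id"] for i in valid], "rejected:", len(rejected))
```

A stale result is worth alerting on by itself, since a feed that has stopped refreshing looks the same to a poller as a period with no new CVEs.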

The continuous improvement of the CVE feed is another step towards a more secure and user-friendly Kubernetes environment. At ayedo, we work closely with the Kubernetes community to ensure that such developments are effectively implemented in practice.


Source: Kubernetes Blog
