Home Explore Blog CI



kubernetes
1st chunk of `content/en/blog/_posts/2017-05-00-Kubernetes-Security-Process-Explained.md`
c69f77ed5f9a93430c7c872d8c3c7316e29dd8c28df25d2a0000000100000aba
---
title: " Dancing at the Lip of a Volcano: The Kubernetes Security Process - Explained "
date: 2017-05-18
slug: kubernetes-security-process-explained
url: /blog/2017/05/Kubernetes-Security-Process-Explained
author: >
  Brandon Philips (CoreOS),
  Jess Frazelle (Google)
---
Software running on servers underpins ever growing amounts of the world's commerce, communications, and physical infrastructure. And nearly all of these systems are connected to the internet; which means vital security updates must be applied rapidly. As software developers and IT professionals, we often find ourselves dancing on the edge of a volcano: we may either fall into magma induced oblivion from a security vulnerability exploited before we can fix it, or we may slide off the side of the mountain because of an inadequate process to address security vulnerabilities.   

The Kubernetes community believes that we can help teams restore their footing on this volcano with a foundation built on Kubernetes. And the bedrock of this foundation requires a process for quickly acknowledging, patching, and releasing security updates to an ever growing community of Kubernetes users.   

With over 1,200 contributors and [over a million lines of code](https://www.openhub.net/p/kubernetes), each release of Kubernetes is a massive undertaking staffed by brave volunteer [release managers](https://github.com/kubernetes/community/wiki). These normal releases are fully transparent and the process happens in public. However, security releases must be handled differently to keep potential attackers in the dark until a fix is made available to users.  

We drew inspiration from other open source projects in order to create the [**Kubernetes security release process**](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-release/release.md). Unlike a regularly scheduled release, a security release must be delivered on an accelerated schedule, and we created the [Product Security Team](https://git.k8s.io/security/security-release-process.md#product-security-committee-psc) to handle this process.

This team quickly selects a lead to coordinate work and manage communication with the persons that disclosed the vulnerability and the Kubernetes community. The security release process also documents ways to measure vulnerability severity using the [Common Vulnerability Scoring System (CVSS) Version 3.0 Calculator](https://www.first.org/cvss/calculator/3.0). This calculation helps inform decisions on release cadence in the face of holidays or limited developer bandwidth. By making severity criteria transparent we are able to better set expectations and hit critical timelines during an incident where we strive to:
Title: Introduction to Kubernetes Security Release Process
Summary
The Kubernetes community acknowledges the importance of rapid security updates due to the increasing reliance on internet-connected software. To address vulnerabilities efficiently, they've established a security release process inspired by other open-source projects. This process involves a dedicated Product Security Team that manages communication, assesses vulnerability severity using CVSS, and coordinates accelerated security releases, ensuring users receive timely fixes while keeping potential attackers unaware until the fix is available.