[KEP-3203] Fetch and Render CVE JSON Feed

[PushkarJ]

Description

• Pull JSON blob from queried issues
• Use layout output formats + templates to generate HTML table and JSON blob
• Add localized strings and caption for CVE feed
• Add a new page to describe details about CVE feed and how to use it
• Update existing pages and link the official CVE feed from it

Notes for Reviewers

Why are we regenerating JSON blob from the JSON blob in the bucket ?

• Not all fields stored in the bucket are needed
• JSON download directly to a file with Hugo data templates is not possible
• Gives us better control and ability to add extra fields as needed
• Pulling data through hugo data templates allow us to reuse built-in caching mechanisms

Why not version control the JSON blob?

To avoid multiple sources of truth. The content in the bucket will remain the only source of truth as the JSON blob is constructed from GitHub issues with label official-cve-feed (See this for more info: kubernetes/test-infra#23428). However, as a break glass, there is an option to temporarily push the JSON blob by overriding the layouts json file with raw JSON in cases where push to bucket fails or if bucket is inaccessible.

Are the locations for the layouts files correct?

Current locations are mostly my guess, so happy to refactor them as needed

TODO:

• Update JSON blob location to k8s GCS bucket
• Add more description in the PR
• Address PR feedback from superseded PR

Preview: https://deploy-preview-35228--kubernetes-io-main-staging.netlify.app/docs/reference/issues-security/official-cve-feed/
KEP tracker: kubernetes/enhancements#3203
xref: kubernetes/sig-security#1
supersedes #31051 and #34765
/hold
/sig security docs

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	b1e8d8e
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/62d9a28cdb345e00093a058a
😎 Deploy Preview	https://deploy-preview-35228--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	cafe6d2
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/62e953f31034230008c457f9
😎 Deploy Preview	https://deploy-preview-35228--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[sftim]

• Paths within static that are actually generated should include generated in their path. A find and grep should show some existing paths that follow that convention.
• I'd name gen-cve-feed.sh as fetch-cve-feed.sh

❓ How do we make sure that people don't accidentally commit that fetched file?

❓ For a container build, shouldn't the fetch happen inside the container?

[sftim]

Rendered page LGTM

[sftim]

Should this PR target the dev-1.25 branch?

(I'm not sure - do we want to add the feed with the v1.25 release, or perhaps actually combine the blog announcement for the new feed with the switch-on)

We have options, and several of them are good. I want to be clear on which option we're picking so I can based my approval decision on that context.

[PushkarJ]

@sftim I think the #35608 blog being published along with the CVE feed being available by v1.25 sounds like a good idea to me. I have switched target branch to dev-1.25 now.

[sftim]

@sftim I think the #35608 blog being published along with the CVE feed being available by v1.25 sounds like a good idea to me

I'm not sure I understand. Which of these is right:

• the feed goes live on v1.25 release day
• the feed goes live after v1.25 release day, simultaneous with the blog announcement about the new feed going live
• something else!

?

[PushkarJ]

What I meant was, the feed goes live on v1.25 release day, the feature blog is followed soon after (in next few days). This will allow the feed to have some soak time to iron out any issues we find after going live :)

[sftim]

What I meant was, the feed goes live on v1.25 release day, the feature blog is followed soon after (in next few days). This will allow the feed to have some soak time to iron out any issues we find after going live :)

Sounds good to me.

/approve
/remove-label tide/merge-method-squash

[sftim]

(I'd like somebody else to add the LGTM here)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nehaLohia27, sftim

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sftim]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[PushkarJ]

/cc @nehaLohia27 @savitharaghunathan

(Tagging you both for /lgtm and/or review comments)

[reylejano]

/milestone 1.25
/assign @kcmartin

[reylejano]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 7581df102046b8f3ddd1be864ad4b2ad7561bd2b

[katcosgrove]

Hi from the Comms team! We have you tracked for a feature blog, but the link provided to us was a KEP, not a placeholder blog PR. Are you still intending to have a feature blog for this release?

[sftim]

Announcement blog article will be added via #35608