From 8c75a8b589af57269fabdaa21875bc122bc7342b Mon Sep 17 00:00:00 2001 From: Ricardo Lopes Date: Mon, 27 May 2024 11:52:06 +0100 Subject: [PATCH 1/2] docs: add policy for consuming and upgrading dependencies Signed-off-by: Ricardo Lopes --- SECURITY-INSIGHTS.yml | 2 ++ docs/dependencies-policy.md | 43 +++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 docs/dependencies-policy.md diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml index 619041dc6b..0750830c69 100644 --- a/SECURITY-INSIGHTS.yml +++ b/SECURITY-INSIGHTS.yml @@ -32,6 +32,8 @@ dependencies: dependencies-lists: - https://github.com/kubernetes/kube-state-metrics/blob/main/go.mod - https://github.com/kubernetes/kube-state-metrics/blob/main/Dockerfile + env-dependencies-policy: + policy-url: https://github.com/kubernetes/kube-state-metrics/blob/main/docs/dependencies-policy.md documentation: - https://github.com/kubernetes/kube-state-metrics/tree/main/docs security-testing: diff --git a/docs/dependencies-policy.md b/docs/dependencies-policy.md new file mode 100644 index 0000000000..d998321419 --- /dev/null +++ b/docs/dependencies-policy.md 
@@ -0,0 +1,43 @@ +# Dependencies Policy + +## Purpose + +This policy describes how kube-state-metrics maintainers consume third-party packages. + +## Scope + +This policy applies to all kube-state-metrics maintainers and all third-party packages used in the kube-state-metrics project. + +## Policy + +kube-state-metrics maintainers must follow these guidelines when consuming third-party packages: + +- Only use third-party packages that are necessary for the functionality of kube-state-metrics. +- Use the latest version of all third-party packages whenever possible. +- Avoid using third-party packages that are known to have security vulnerabilities. +- Pin all third-party packages to specific versions in the kube-state-metrics codebase. +- Use a dependency management tool, such as Go modules, to manage third-party dependencies. + +## Procedure + +When adding a new third-party package to kube-state-metrics, maintainers must follow these steps: + +1. Evaluate the need for the package. Is it necessary for the functionality of kube-state-metrics? +2. Research the package. Is it actively maintained? Does it have a good reputation? +3. Choose a version of the package. Use the latest version whenever possible. +4. Pin the package to the specific version in the kube-state-metrics codebase. +5. Update the kube-state-metrics documentation to reflect the new dependency. + +## Enforcement + +This policy is enforced by the kube-state-metrics maintainers. + +Maintainers are expected to review each other's code changes to ensure that they comply with this policy. + +## Exceptions + +Exceptions to this policy may be granted by the kube-state-metrics project owners on a case-by-case basis. + +## Credits + +This policy was adapted from Kubescape's [Environment Dependencies Policy](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md). From 9917008f7ef20dc4035125d8327f0e0a2d050248 Mon Sep 17 00:00:00 2001 
From: Ricardo Lopes Date: Tue, 28 May 2024 10:31:31 +0100 Subject: [PATCH 2/2] docs: lint markdown Signed-off-by: Ricardo Lopes --- docs/dependencies-policy.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/dependencies-policy.md b/docs/dependencies-policy.md index d998321419..d1e0d5e945 100644 --- a/docs/dependencies-policy.md +++ b/docs/dependencies-policy.md 
@@ -12,20 +12,20 @@ This policy applies to all kube-state-metrics maintainers and all third-party pa kube-state-metrics maintainers must follow these guidelines when consuming third-party packages: -- Only use third-party packages that are necessary for the functionality of kube-state-metrics. -- Use the latest version of all third-party packages whenever possible. -- Avoid using third-party packages that are known to have security vulnerabilities. -- Pin all third-party packages to specific versions in the kube-state-metrics codebase. -- Use a dependency management tool, such as Go modules, to manage third-party dependencies. +* Only use third-party packages that are necessary for the functionality of kube-state-metrics. +* Use the latest version of all third-party packages whenever possible. +* Avoid using third-party packages that are known to have security vulnerabilities. +* Pin all third-party packages to specific versions in the kube-state-metrics codebase. +* Use a dependency management tool, such as Go modules, to manage third-party dependencies. ## Procedure When adding a new third-party package to kube-state-metrics, maintainers must follow these steps: -1. Evaluate the need for the package. Is it necessary for the functionality of kube-state-metrics? -2. Research the package. Is it actively maintained? Does it have a good reputation? -3. Choose a version of the package. Use the latest version whenever possible. -4. Pin the package to the specific version in the kube-state-metrics codebase. +1. Evaluate the need for the package. Is it necessary for the functionality of kube-state-metrics? +2. Research the package. Is it actively maintained? Does it have a good reputation? +3. Choose a version of the package. Use the latest version whenever possible. +4. Pin the package to the specific version in the kube-state-metrics codebase. 5. Update the kube-state-metrics documentation to reflect the new dependency. ## Enforcement
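Review bot: In the SECURITY-INSIGHTS.yml hunk, `policy-url` points at the `main` branch copy of `docs/dependencies-policy.md`, which this same series goes on to edit in the second patch; that is consistent with how the existing `dependencies-lists` entries reference `main`, but it means the URL resolves to whatever the file says at read time rather than to the reviewed revision. Consider whether a commit-pinned link is wanted here, and, since the commit subject covers both consuming and upgrading dependencies, whether the Security Insights schema's separate lifecycle-policy entry (if the version of the schema in use provides one) should reference the same document so that upgrade policy is discoverable too.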
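Review bot: The new `docs/dependencies-policy.md` does not cover the "upgrading" half of the commit subject: the Policy section says to "Use the latest version of all third-party packages whenever possible" and to "Pin all third-party packages to specific versions", but no section says how pinned versions are moved forward (who bumps them, on what cadence, and what happens when a pinned package is found to be vulnerable), so the Procedure only describes adding a package. A short "Upgrading" subsection covering those three points would close the gap. Two smaller points in the same file: "Avoid using third-party packages that are known to have security vulnerabilities" would be more actionable if it named the check maintainers are expected to run (a vulnerability scanner against `go.mod`, for example) rather than leaving it to each reviewer; and step 4, "Pin the package to the specific version", should mention that with Go modules the pin is the `go.mod` entry together with its `go.sum` checksum, so reviewers know both files are expected to change. Step 5, "Update the kube-state-metrics documentation to reflect the new dependency", is vague about which document is meant.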
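Review bot: In the second patch ("docs: lint markdown") the numbered-list lines are replaced by lines that read identically here, so the change to steps 1 to 4 is whitespace-only, and the bullet change from `-` to `*` is a marker-style change on a file introduced one commit earlier in the same series. Either squash this into the first commit so the file lands lint-clean in one change, or name the markdownlint rules that fired in the commit message so the whitespace-only hunk is explainable in history.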