Join the kubernetes-security-announce group for security and vulnerability announcements related to the Kubernetes ecosystem.

You can also subscribe to an RSS feed of these announcements using this link.

Instructions for reporting a vulnerability can be found on the Kubernetes Security and Disclosure Information page.

Kubebuilder is tested against the latest three Kubernetes releases, in alignment with the Kubernetes version and version skew support policy.

However, each version is only tested with the dependencies used for its release. For detailed information, please refer to the compatibility and support policy on GitHub.

Kubebuilder maintains a policy of releasing updates for the latest CLI version (currently v4). Older versions (v1, v2, v3) are no longer supported, and no releases will be produced for them. It is recommended to ensure that any project scaffolded by Kubebuilder remains aligned with the latest release.

Kubebuilder employs automated scanning via Dependabot and GitHub Actions within its CI/CD pipeline. This process detects vulnerabilities in dependencies and configurations, generating daily or weekly reports prioritized for the latest supported versions.

• Dependabot Configuration: You can review the setup in .github/dependabot.yml.
• Security Checks: Security checks are enabled in the Kubebuilder repository settings.
• Code Scanning: The .github/workflows/codeql.yml workflow scans the master and book-v4 branches, which typically contain the latest release code. Other release branches may not be scanned.

Projects generated by Kubebuilder are designed for ease of development and are not configured with production-grade security settings. For example, default configurations do not enable cert-manager or perform proper certificate validation, which may not be suitable for production environments. Ensure that you make the necessary adjustments to security settings before releasing your solution for production.