From 8c75a8b589af57269fabdaa21875bc122bc7342b Mon Sep 17 00:00:00 2001 From: Ricardo Lopes Date: Mon, 27 May 2024 11:52:06 +0100 Subject: [PATCH] docs: add policy for consuming and upgrading dependencies Signed-off-by: Ricardo Lopes --- SECURITY-INSIGHTS.yml | 2 ++ docs/dependencies-policy.md | 43 +++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 docs/dependencies-policy.md diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml index 619041dc6b..0750830c69 100644 --- a/SECURITY-INSIGHTS.yml +++ b/SECURITY-INSIGHTS.yml @@ -32,6 +32,8 @@ dependencies: dependencies-lists: - https://github.com/kubernetes/kube-state-metrics/blob/main/go.mod - https://github.com/kubernetes/kube-state-metrics/blob/main/Dockerfile + env-dependencies-policy: + policy-url: https://github.com/kubernetes/kube-state-metrics/blob/main/docs/dependencies-policy.md documentation: - https://github.com/kubernetes/kube-state-metrics/tree/main/docs security-testing: diff --git a/docs/dependencies-policy.md b/docs/dependencies-policy.md new file mode 100644 index 0000000000..d998321419 --- /dev/null +++ b/docs/dependencies-policy.md @@ -0,0 +1,43 @@ +# Dependencies Policy + +## Purpose + +This policy describes how kube-state-metrics maintainers consume third-party packages. + +## Scope + +This policy applies to all kube-state-metrics maintainers and all third-party packages used in the kube-state-metrics project. + +## Policy + +kube-state-metrics maintainers must follow these guidelines when consuming third-party packages: + +- Only use third-party packages that are necessary for the functionality of kube-state-metrics. +- Use the latest version of all third-party packages whenever possible. +- Avoid using third-party packages that are known to have security vulnerabilities. +- Pin all third-party packages to specific versions in the kube-state-metrics codebase. +- Use a dependency management tool, such as Go modules, to manage third-party dependencies. + +## Procedure + +When adding a new third-party package to kube-state-metrics, maintainers must follow these steps: + +1. Evaluate the need for the package. Is it necessary for the functionality of kube-state-metrics? +2. Research the package. Is it actively maintained? Does it have a good reputation? +3. Choose a version of the package. Use the latest version whenever possible. +4. Pin the package to the specific version in the kube-state-metrics codebase. +5. Update the kube-state-metrics documentation to reflect the new dependency. + +## Enforcement + +This policy is enforced by the kube-state-metrics maintainers. + +Maintainers are expected to review each other's code changes to ensure that they comply with this policy. + +## Exceptions + +Exceptions to this policy may be granted by the kube-state-metrics project owners on a case-by-case basis. + +## Credits + +This policy was adapted from Kubescape's [Environment Dependencies Policy](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md).