Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: add policy for consuming and upgrading dependencies #2402

Merged
merged 2 commits into from
Jun 4, 2024
Merged

docs: add policy for consuming and upgrading dependencies #2402

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8c75a8b
docs: add policy for consuming and upgrading dependencies
ricardoapl May 27, 2024
9917008
docs: lint markdown
ricardoapl May 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions SECURITY-INSIGHTS.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ dependencies:
dependencies-lists:
- https://github.com/kubernetes/kube-state-metrics/blob/main/go.mod
- https://github.com/kubernetes/kube-state-metrics/blob/main/Dockerfile
env-dependencies-policy:
policy-url: https://github.com/kubernetes/kube-state-metrics/blob/main/docs/dependencies-policy.md
documentation:
- https://github.com/kubernetes/kube-state-metrics/tree/main/docs
security-testing:
Expand Down
43 changes: 43 additions & 0 deletions docs/dependencies-policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
# Dependencies Policy

## Purpose

This policy describes how kube-state-metrics maintainers consume third-party packages.

## Scope

This policy applies to all kube-state-metrics maintainers and all third-party packages used in the kube-state-metrics project.

## Policy

kube-state-metrics maintainers must follow these guidelines when consuming third-party packages:

* Only use third-party packages that are necessary for the functionality of kube-state-metrics.
* Use the latest version of all third-party packages whenever possible.
* Avoid using third-party packages that are known to have security vulnerabilities.
* Pin all third-party packages to specific versions in the kube-state-metrics codebase.
* Use a dependency management tool, such as Go modules, to manage third-party dependencies.

## Procedure

When adding a new third-party package to kube-state-metrics, maintainers must follow these steps:

1. Evaluate the need for the package. Is it necessary for the functionality of kube-state-metrics?
2. Research the package. Is it actively maintained? Does it have a good reputation?
3. Choose a version of the package. Use the latest version whenever possible.
4. Pin the package to the specific version in the kube-state-metrics codebase.
5. Update the kube-state-metrics documentation to reflect the new dependency.

## Enforcement

This policy is enforced by the kube-state-metrics maintainers.

Maintainers are expected to review each other's code changes to ensure that they comply with this policy.

## Exceptions

Exceptions to this policy may be granted by the kube-state-metrics project owners on a case-by-case basis.

## Credits

This policy was adapted from Kubescape's [Environment Dependencies Policy](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md).