Security Advisories
Purpose: For security officers, provides published security advisories, CVE tracking, and patching timelines.
Overview
openCenter tracks security vulnerabilities across all platform components — Kubernetes, Helm charts, container images, and infrastructure dependencies. This document describes how CVEs are identified, assessed, patched, and communicated.
CVE Tracking
Vulnerabilities are tracked from three sources:
| Source | Scope | Frequency |
|---|---|---|
| Kubernetes security announcements | Kubernetes core, kubelet, API server | As published |
| GitHub Dependabot / Advisory DB | Go modules, Helm charts, container base images | Continuous |
| Harbor Trivy scanner | All container images in the platform registry | On push + scheduled |
Severity Classification
openCenter follows the CVSS v3.1 scoring system:
| CVSS Score | Severity | Response Target |
|---|---|---|
| 9.0–10.0 | Critical | Patch within 72 hours |
| 7.0–8.9 | High | Patch within 7 days |
| 4.0–6.9 | Medium | Patch in next scheduled release |
| 0.1–3.9 | Low | Patch at maintainer discretion |
Patching Process
Platform Components (openCenter-gitops-base)
- The vulnerability is identified in a Helm chart or container image
- The updated chart version or image tag is tested in a staging cluster
- The base manifest in
openCenter-gitops-baseis updated with the patched version - A new tag is created on
openCenter-gitops-base - Customer clusters pin to the new tag in their GitRepository source
- FluxCD reconciles the update to the cluster
Kubernetes Core
- Kubespray is updated to reference the patched Kubernetes version
- The cluster is upgraded using the standard Kubespray upgrade playbook
- Control plane nodes are upgraded first, then worker nodes (rolling)
Container Base Images
- Harbor scans detect the vulnerability in a running image
- The upstream image is rebuilt or a patched version is pulled
- For air-gapped environments, a new Zarf package is built with the patched image
Notification Channels
Security advisories are communicated through:
- Git commits: Each patch includes a commit message referencing the CVE ID
- Release notes: Tagged releases on
openCenter-gitops-baselist resolved CVEs - Customer communication: Critical and High severity CVEs are communicated directly to affected customers with remediation steps
Checking for Known Vulnerabilities
Scan running images with Harbor
Navigate to Harbor UI → Projects → select project → Repositories. Each image shows its scan status and vulnerability count.
Scan locally with Trivy
# Scan a specific image
trivy image <registry>/<image>:<tag>
# Scan all images in a Helm release
kubectl get pods -n <namespace> -o jsonpath='{.items[*].spec.containers[*].image}' | tr ' ' '\n' | sort -u | xargs -I{} trivy image {}
Check Kubernetes version for known CVEs
kubectl version --short
# Compare against https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
Reporting a Vulnerability
If you discover a vulnerability in an openCenter component:
- Do not open a public GitHub issue
- Email the security contact listed in
SECURITY.mdin the affected repository - Include: affected component, version, CVE ID (if known), reproduction steps
- Expect acknowledgment within 48 hours
Further Reading
- Air-Gap Compliance — vulnerability scanning in disconnected environments
- Defense-in-Depth Model — security architecture overview