English | 한국어 | 日本語 | 中文

keiailab/operator-commons is imported by downstream Kubernetes operators. A vulnerability in this library can directly affect the operational security of those downstream consumers.

Do not file a public issue.

Use one of the following private channels:

1. GitHub Security Advisory (preferred): https://github.com/keiailab/operator-commons/security/advisories/new
2. Email: security@keiailab.com (PGP optional):
   • PGP fingerprint: 89A4 0947 6828 CB99 2338 C378 651E 51AF 520B CB78.

• Affected version (release tag or commit SHA).
• Affected package (pkg/security, pkg/webhook, etc.).
• Reproduction steps (a minimal repro if possible; declare it when the reproduction depends on a downstream environment).
• Impact assessment — the scope of downstream consumer impact.
• A self-assessed CVSS score, if available.

Vulnerabilities that affect the public API are embargoed until downstream consumers can release fixes concurrently. Maintainers share a private advisory with downstream maintainers ahead of disclosure.

The library is currently in v0.x. Public APIs may break; security patches are released only against the latest minor.

When a dependency is added or upgraded, the PR body cites the license and CVE review. Dependabot / Renovate automatic-update PRs are prioritised for review.

This library is MIT only, with a charter goal of zero AGPL / BUSL transitive dependencies (docs/kb/adr/0001-charter.md). A license audit runs at every minor release.

Operators that import this library should:

1. Use pkg/security — call the restricted PodSecurity SecurityContext builder rather than rolling your own.
2. Use pkg/webhook — do not re-implement version validation.
3. Use pkg/networkpolicy — deny-by-default NetworkPolicy builder.
4. Track the latest patch of github.com/keiailab/operator-commons in go.mod (Renovate automatic PRs).

© 2026 keiailab · MIT · keiailab.com