|
Agenda for TOC meeting for 9/29
Amye Scavarda Perrin
Hi all, We'll be meeting tomorrow at 8am Pacific, discussing graduation requirements around maintainer diversity. Presentation: https://docs.google.com/presentation/d/1Y0hfqLyxt1D0ThmPaQLRsejA8-8xlG5_yy2rGA1-fS4/edit#slide=id.g25ca91f87f_0_168 Thanks! -- amye -- Amye Scavarda Perrin | Program Manager | amye@...
|
|||||||||
|
|
|||||||||
|
Re: OPA to graduation
alexis richardson
Something something "doomed to reinvent lisp"... +1, nb
On Mon, 28 Sep 2020, 20:14 Joe Beda, <jbeda@...> wrote:
|
|||||||||
|
|
|||||||||
|
Re: OPA to graduation
Joe Beda <jbeda@...>
+1 NB
Agree with Gareth that there is no silver bullet here. Just like programming languages there are preferences and different needs and no one size fits all solution.
That being said, I think that OPA clearly hits a sweet spot and has a growing community. And the CNCF is welcoming to ~competing projects so graduating OPA doesn’t mean that other alternatives can’t also be supported and part of the CNCF umbrella.
One thing that I’d, personally, like to see is more standardization around the interfaces to these type of systems. Is it possible to replace OPA with another similar system and not have to retool the APIs to the policy engine? Would be interesting to standardize around some other interfaces to OPA too like the way that side-channel data is specified/presented and the way that decision information is surfaced back up to external monitoring/logging systems. (I’ve passed this on to the OPA folks so it should be a surprise to them.)
Joe
From:
cncf-toc@... <cncf-toc@...> +1 NB
|
|||||||||
|
|
|||||||||
|
Re: [RESULT] Emily Fox approved as co-chair for SIG Security
Santiago Torres Arias <santiago@...>
Congratulations, Emily!
toggle quoted messageShow quoted text
On Mon, Sep 28, 2020 at 08:00:00AM -0700, Amye Scavarda Perrin wrote:
Emily Fox for SIG Security Chair:
|
|||||||||
|
|
|||||||||
|
[RESULT] Emily Fox approved as co-chair for SIG Security
Amye Scavarda Perrin
Emily Fox for SIG Security Chair: https://lists.cncf.io/g/cncf-toc/message/5303 +1 Binding 7/10 Justin Cormack: https://lists.cncf.io/g/cncf-toc/message/5312 Michelle Noorali: https://lists.cncf.io/g/cncf-toc/message/5315 Liz Rice: https://lists.cncf.io/g/cncf-toc/message/5318 Alena Prokharchyk: https://lists.cncf.io/g/cncf-toc/message/5319 Katie Gamanji: https://lists.cncf.io/g/cncf-toc/message/5325 Saad Ali: https://lists.cncf.io/g/cncf-toc/message/5326 Matt Klein: https://lists.cncf.io/g/cncf-toc/message/5327 +1 NB Justin Cappos https://lists.cncf.io/g/cncf-toc/message/5304 Brandon Lum: https://lists.cncf.io/g/cncf-toc/message/5305 Chase Pettet:https://lists.cncf.io/g/cncf-toc/message/5306 Paris Pittman: https://lists.cncf.io/g/cncf-toc/message/5307 John Hillegass: https://lists.cncf.io/g/cncf-toc/message/5308 Sarah Allen: https://lists.cncf.io/g/cncf-toc/message/5309 Gadi Naor: https://lists.cncf.io/g/cncf-toc/message/5310 Frederick Kautz: https://lists.cncf.io/g/cncf-toc/message/5311 Santiago Torres Arias: https://lists.cncf.io/g/cncf-toc/message/5313 Andrew Martin: https://lists.cncf.io/g/cncf-toc/message/5314 Ricardo Aravena: https://lists.cncf.io/g/cncf-toc/message/5316 Siddharth Bhadri: https://lists.cncf.io/g/cncf-toc/message/5320 Ashutosh Narkar: https://lists.cncf.io/g/cncf-toc/message/5321 Andrés Vega: https://lists.cncf.io/g/cncf-toc/message/5323 Amye Scavarda Perrin | Program Manager | amye@...
|
|||||||||
|
|
|||||||||
|
Re: OPA to graduation
Jim Bugwadia
+1 NB I am a maintainer of Kyverno (https://github.com/nirmata/kyverno/blob/master/README.md), which as mentioned above is an alternative to OPA/Gatekeeper. We believe that policies are essential to wider (and safer) enterprise adoption of Kubernetes, which is why we built Kyverno to be easy to use and maintain for all Kubernetes users.
I agree with all the points above on the steep learning curve and ongoing challenges of managing OPA policies in Rego. However, my understanding of the incubating-to-graduation requirements is that they are based on project usage and maturity. Assuming OPA meets all listed graduation requirements, and assuming that there will be other alternatives like Kyverno, etc. that will ideally become part of the CNCF ecosystem (Kyverno is planning sandbox submission), I see overall value and benefits in OPA graduating to help promote one available approach for managing policies in Kubernetes. Regards, Jim
On Sun, Sep 27, 2020 at 2:10 AM Gareth Rushgrove <gareth@...> wrote: +1 NB
|
|||||||||
|
|
|||||||||
|
Re: OPA to graduation
Gareth Rushgrove
+1 NB
I'm biased here, as one of the maintainers of the Conftest project which is now part of OPA. I wanted to address the point above about Rego. I'm an unashamed DSL nerd. I was a user and contributor to Puppet and then worked there. I was an early Docker user, gave talks about Dockerfile and then worked at Docker. I originally built Conftest in order to provide a better local developer experience to OPA because I wanted to use Rego. But, I'm also a fan of Chef. I spent last week putting together a bunch of demos using Pulumi. I like general purpose programming languages too. Oh, and I like data as well. I contributed to Ansible. I wanted to like Jsonnet, really like CUE, like aspects of YTT. I can reason about the trade offs between these 3 different approaches to configuration for what would be an unreasonable length of time for most people. As a user and contributor I've been through a few generations of tools in this space as a user and developer, and I fully expect to see several more generations too. That's maddening to some, and fun for me. I have strange hobbies. The reality here is most end users have a strong preference for tools in one of those groups at any given moment in time. This isn't a new observation. It's worth reading the Configuration Complexity Clock from back in 2012 as it's still as relevant here as when it was written https://mikehadlow.blogspot.com/2012/05/configuration-complexity-clock.html That is to say we'll likely see 3 distinct policy approaches over time, one DSL, one data and one general purpose language. In fact we already see projects like k-rail (using Go for authoring policies https://github.com/cruise-automation/k-rail) and Kyverno (using YAML for authoring https://github.com/nirmata/kyverno) OPA today focuses on one of these approaches, my experience tells me there will always be folks who prefer one of the others, and that's fine. The CNCF shouldn't enforce one approach or another, but look at usage. The Open Policy Agent community in general has also been working on lowering the barrier to learning Rego. The rego playground in particular is invaluable https://play.openpolicyagent.org/. Rego adoption has been growing rapidly, it's nature means most rego is written behind private repos but https://github.com/github/linguist/issues/4219 shows 296 rego files publicly on GitHub in January 2019. Today there are more than 6000 https://github.com/search?utf8=%E2%9C%93&type=Code&ref=searchresults&q=extension%3Arego+package+NOT+nothack. There has also been work done around sharing, so many end users can use Open Policy Agent without needing to write rego. For instance we were one of the first communities to define OCI Artifact metadata (https://github.com/open-policy-agent/opa/issues/1413) which then powers features like https://aws.amazon.com/blogs/containers/oci-artifact-support-in-amazon-ecr/. Hopefully that's a useful viewpoint and addition to the conversation. Gareth
|
|||||||||
|
|
|||||||||
|
Re: OPA to graduation
Gadi Naor
-1 NB The community around this project is great and there is a consensus on problem space. Having the benefit of solving and working with customers on Kubernetes security compliance and authorization challenges for quite some time, and integrating OPA as part of our engine - I've witnessed unanimous feedback that OPA REGO has a steep learning curve, and high touch ongoing costs. Nowadays with building blocks such as WASM, and motion around IaC that use real programming languages (Pulumi & CDK) I believe the ecosystem should strive to make the life of engineering teams easier, possibly in their comfort zone programming language (hey, Go, JS ... can work fine on documents) rather than introducing a new, none intuitive, high touch programming language. Also, with regards to OPA applications such as Gatekeeper , Kafka Authorizer, conftest and others - Are those OPA applications proposed for graduation? Gatekeeper constraints and templates is gr8 - and I'd vote to graduate Gatekeeper with at least none REGO working PoC. Gadi
On Sat, Sep 19, 2020 at 7:49 PM <nuhamind2@...> wrote: I believe similar point about the core-project/heart-of-the-system maintainership is raised on the past graduation proposal --
Securing Kubernetes & Service Mesh. Anywhere. Bridging Security & DevOps.
|
|||||||||
|
|
|||||||||
|
CNCF Awards now open for nominations
Amye Scavarda Perrin
We're starting the nomination process for our ambassador, committer and community awards.
Nominations will open today, and close on October 16nd. We'll be announcing the awards at KubeCon + CloudNativeCon Virtual North America. Voting (open from October 19 through October 26th) will be performed using the CIVS tool, using emails from the CNCF database for the following groups: CNCF Ambassadors are eligible to vote for the Top Ambassador CNCF Maintainers are eligible to vote for the Top Committer Amye Scavarda Perrin | Program Manager | amye@...
|
|||||||||
|
|
|||||||||
|
Re: [SIG-Security] Nomination of Emily Fox as co-chair
Matt Klein
+1
On Mon, Sep 21, 2020 at 4:13 PM Jeyappragash Jeyakeerthi <jj@...> wrote:
|
|||||||||
|
|
|||||||||
|
Re: [SIG-Security] Nomination of Emily Fox as co-chair
Saad Ali
+1 binding
Thank you for volunteering!
|
|||||||||
|
|
|||||||||
|
Re: [SIG-Security] Nomination of Emily Fox as co-chair
Katie Gamanji
+1 binding Exciting times!
On Tue, 22 Sep 2020, 20:44 , <andresvega1@...> wrote: +1
|
|||||||||
|
|
|||||||||
|
Re: Sandbox Projects included from September 8 TOC meeting
John Belamaric
We discussed this in the SIG Architecture meeting today. While generally workload controllers are within scope of the Kubernetes project, it is up to SIG Apps to decide if they are willing to take these on as SIG-sponsored projects. As Matt suggests, it's fine for these to exist as external workload controllers. With respect to upstreaming, the preference of SIG Arch would be to see individual features move into existing workload controllers as they mature, rather than creation of whole new controllers. The goal here would be to avoid a proliferation of controllers that makes choices very difficult for consumers. Of course, if there is some fundamental difference between the new controller and all existing ones, then a new one may be warranted. But creation of a new one should be done with an abundance of caution. Again this would ultimately be the decision of SIG Apps. Thanks, John
On Mon, Sep 21, 2020 at 1:31 PM <szihaI@...> wrote: The OpenKruise project agree with the Sig App's assessment completely. We, too, believe while up-streaming some of the features to the core workloads is possible, the majority of the controllers and features is best to remain as a separate project.
|
|||||||||
|
|
|||||||||
|
Re: [SIG-Security] Nomination of Emily Fox as co-chair
Andrés Vega
+1
Emily has gone above and beyond to avail herself as a technical leader to the community. Among many other things, she was instrumental in the review of the SPIFFE/SPIRE security assessment. -Andres
|
|||||||||
|
|
|||||||||
|
Keylime accepted into Sandbox
Amye Scavarda Perrin
At today's TOC meeting, Keylime passed with a majority of the TOC and is included into Sandbox. Welcome Keylime! Our next Sandbox review session is November 10th, we'll be reviewing all projects that applied after September 8th. Amye Scavarda Perrin | Program Manager | amye@...
|
|||||||||
|
|
|||||||||
|
Re: [SIG-Security] Nomination of Emily Fox as co-chair
Ashutosh Narkar
+1 nb, Emily is a great person and I believe she would be an excellent co-chair of Sig-Security. Thanks Ash
On Tue, Sep 22, 2020 at 9:01 AM Siddharth Bhadri <sbhadri@...> wrote:
|
|||||||||
|
|
|||||||||
|
Re: [SIG-Security] Nomination of Emily Fox as co-chair
+1 NB
Thanks & Regards, Siddharth Bhadri
Infoblox | Next Level Networking
From: <cncf-toc@...> on behalf of "Alena Prokharchyk via lists.cncf.io" <aprokharchyk=apple.com@...>
+1 binding, Emily is great!
-alena.
|
|||||||||
|
|
|||||||||
|
Re: [SIG-Security] Nomination of Emily Fox as co-chair
Alena Prokharchyk
+1 binding, Emily is great!
toggle quoted messageShow quoted text
-alena.
|
|||||||||
|
|
|||||||||
|
Re: [SIG-Security] Nomination of Emily Fox as co-chair
Liz Rice
+1 binding
On Tue, Sep 22, 2020 at 4:36 PM Ricardo Aravena <raravena80@...> wrote:
|
|||||||||
|
|
|||||||||
|
Buildpacks incubation public comment period
Justin Cormack
Cloud Native Buildpacks has applied to move from sandbox to incubation I am the TOC sponsor for this project. This is the due diligence document https://docs.google.com/document/d/1tb3mK5cJmaQLO8xR__9NaH2GMrdn3WPjAZFBJYsXrxY/edit The public comment period is now open for 2 weeks, and all SIGs, end users, TOC members, and community members are welcome to comment by replying to this thread. Justin Cormack
|
|||||||||
|
|
