|
Re: "Steering committee" discussion
alexis richardson
"Projects struggling to get maintainers when the owning entity is unwilling to give up control to the community" This mostly does not happen. Although due to some bad actors, it can. Mostly projects are a handful of people on a mission, struggling to make it work, in the face of massive demands and uncertainty. "What would the mechanism used to be sure that a “plan” for a community controlled roadmap becomes a reality?" The SC model could generate * quarterly roadmap * contributor ladder * contingency plan a
|
|||||||||
|
|
|||||||||
|
Re: "Steering committee" discussion
Bob Wise (AWS)
What would the mechanism used to be sure that a “plan” for a community controlled roadmap becomes a reality? At present, holding graduation as the milestone for that is, imho, one of the most critical functions the CNCF has.
Projects struggling to get maintainers when the owning entity is unwilling to give up control to the community seems like a natural consequence.
-bw
From: <cncf-toc@...> on behalf of Liz Rice <liz@...>
Thanks everyone who came to the TOC call today - with extra thanks to Alexis for initiating the idea in the first place. I've tried to capture the key points:
Problem statement summary: projects that are controlled by a single vendor struggle to meet the current graduation requirement to have maintainers from multiple organizations (for valid reasons such as, they tend to hire the folks who are expert in that project). This multi-organization requirement is intended to address two concerns: 1. longevity of the project (in the event that a vendor is acquired or goes out of business) 2. ensuring that the project roadmap is community controlled, and not only run in the commercial interest of the vendor (we want to avoid feature hold-back) We recognize that the current multi-org requirement may not be the only (or even necessarily the best) way to address those concerns
Key points
If this broadly reflects the consensus we can start on wordsmithing the graduation requirement changes in GitHub.
Many thanks everyone for your comments and feedback around these ideas!
Liz
|
|||||||||
|
|
|||||||||
|
Re: "Steering committee" discussion
alexis richardson
I wish to note that it was @cra's idea. I just wrote about it and
toggle quoted messageShow quoted text
then talked about it a lot.
On Tue, Sep 29, 2020 at 6:43 PM Liz Rice <liz@...> wrote:
|
|||||||||
|
|
|||||||||
|
"Steering committee" discussion
Liz Rice
Thanks everyone who came to the TOC call today - with extra thanks to Alexis for initiating the idea in the first place. I've tried to capture the key points: Problem statement summary: projects that are controlled by a single vendor struggle to meet the current graduation requirement to have maintainers from multiple organizations (for valid reasons such as, they tend to hire the folks who are expert in that project). This multi-organization requirement is intended to address two concerns: 1. longevity of the project (in the event that a vendor is acquired or goes out of business) 2. ensuring that the project roadmap is community controlled, and not only run in the commercial interest of the vendor (we want to avoid feature hold-back) We recognize that the current multi-org requirement may not be the only (or even necessarily the best) way to address those concerns Key points
If this broadly reflects the consensus we can start on wordsmithing the graduation requirement changes in GitHub. Many thanks everyone for your comments and feedback around these ideas! Liz
|
|||||||||
|
|
|||||||||
|
Re: FOSS Governance Library
This is great! Here's another solid resource that we put together last year that covers the "openness of projects" along with some criteria to look at.
On Tue, Sep 29, 2020 at 11:36 AM Matt Farina <matt@...> wrote:
--
Chris Aniszczyk (@cra) | +1-512-961-6719
|
|||||||||
|
|
|||||||||
|
FOSS Governance Library
Matt Farina
Since we have been talking governance, I just noticed a new catalog of FOSS Governance documents launched. It's at https://fossgovernance.org/. It has pointers to many governance docs on many open source projects. Cheers, Matt
|
|||||||||
|
|
|||||||||
|
Re: OPA to graduation
Andrés Vega
Working in synchronicity from the authentication problem space adjacent to authorization, it has been fascinating to watch OPA evolve and grow in both adoption and maturity.
In every SPIFFE and SPIRE conversation, OPA always surfaces as the best architectural fit for a comprehensive identity and authorization solution. While there is a learning curve to Rego, people do manage to wrap their heads around it as it pays dividends in return. As Joe, I'd like to see overtime further standardization of the APIs. +1 NB Andres
|
|||||||||
|
|
|||||||||
|
Agenda for TOC meeting for 9/29
Amye Scavarda Perrin
Hi all, We'll be meeting tomorrow at 8am Pacific, discussing graduation requirements around maintainer diversity. Presentation: https://docs.google.com/presentation/d/1Y0hfqLyxt1D0ThmPaQLRsejA8-8xlG5_yy2rGA1-fS4/edit#slide=id.g25ca91f87f_0_168 Thanks! -- amye -- Amye Scavarda Perrin | Program Manager | amye@...
|
|||||||||
|
|
|||||||||
|
Re: OPA to graduation
alexis richardson
Something something "doomed to reinvent lisp"... +1, nb
On Mon, 28 Sep 2020, 20:14 Joe Beda, <jbeda@...> wrote:
|
|||||||||
|
|
|||||||||
|
Re: OPA to graduation
Joe Beda <jbeda@...>
+1 NB
Agree with Gareth that there is no silver bullet here. Just like programming languages there are preferences and different needs and no one size fits all solution.
That being said, I think that OPA clearly hits a sweet spot and has a growing community. And the CNCF is welcoming to ~competing projects so graduating OPA doesn’t mean that other alternatives can’t also be supported and part of the CNCF umbrella.
One thing that I’d, personally, like to see is more standardization around the interfaces to these type of systems. Is it possible to replace OPA with another similar system and not have to retool the APIs to the policy engine? Would be interesting to standardize around some other interfaces to OPA too like the way that side-channel data is specified/presented and the way that decision information is surfaced back up to external monitoring/logging systems. (I’ve passed this on to the OPA folks so it should be a surprise to them.)
Joe
From:
cncf-toc@... <cncf-toc@...> +1 NB
|
|||||||||
|
|
|||||||||
|
Re: [RESULT] Emily Fox approved as co-chair for SIG Security
Santiago Torres Arias <santiago@...>
Congratulations, Emily!
toggle quoted messageShow quoted text
On Mon, Sep 28, 2020 at 08:00:00AM -0700, Amye Scavarda Perrin wrote:
Emily Fox for SIG Security Chair:
|
|||||||||
|
|
|||||||||
|
[RESULT] Emily Fox approved as co-chair for SIG Security
Amye Scavarda Perrin
Emily Fox for SIG Security Chair: https://lists.cncf.io/g/cncf-toc/message/5303 +1 Binding 7/10 Justin Cormack: https://lists.cncf.io/g/cncf-toc/message/5312 Michelle Noorali: https://lists.cncf.io/g/cncf-toc/message/5315 Liz Rice: https://lists.cncf.io/g/cncf-toc/message/5318 Alena Prokharchyk: https://lists.cncf.io/g/cncf-toc/message/5319 Katie Gamanji: https://lists.cncf.io/g/cncf-toc/message/5325 Saad Ali: https://lists.cncf.io/g/cncf-toc/message/5326 Matt Klein: https://lists.cncf.io/g/cncf-toc/message/5327 +1 NB Justin Cappos https://lists.cncf.io/g/cncf-toc/message/5304 Brandon Lum: https://lists.cncf.io/g/cncf-toc/message/5305 Chase Pettet:https://lists.cncf.io/g/cncf-toc/message/5306 Paris Pittman: https://lists.cncf.io/g/cncf-toc/message/5307 John Hillegass: https://lists.cncf.io/g/cncf-toc/message/5308 Sarah Allen: https://lists.cncf.io/g/cncf-toc/message/5309 Gadi Naor: https://lists.cncf.io/g/cncf-toc/message/5310 Frederick Kautz: https://lists.cncf.io/g/cncf-toc/message/5311 Santiago Torres Arias: https://lists.cncf.io/g/cncf-toc/message/5313 Andrew Martin: https://lists.cncf.io/g/cncf-toc/message/5314 Ricardo Aravena: https://lists.cncf.io/g/cncf-toc/message/5316 Siddharth Bhadri: https://lists.cncf.io/g/cncf-toc/message/5320 Ashutosh Narkar: https://lists.cncf.io/g/cncf-toc/message/5321 Andrés Vega: https://lists.cncf.io/g/cncf-toc/message/5323 Amye Scavarda Perrin | Program Manager | amye@...
|
|||||||||
|
|
|||||||||
|
Re: OPA to graduation
Jim Bugwadia
+1 NB I am a maintainer of Kyverno (https://github.com/nirmata/kyverno/blob/master/README.md), which as mentioned above is an alternative to OPA/Gatekeeper. We believe that policies are essential to wider (and safer) enterprise adoption of Kubernetes, which is why we built Kyverno to be easy to use and maintain for all Kubernetes users.
I agree with all the points above on the steep learning curve and ongoing challenges of managing OPA policies in Rego. However, my understanding of the incubating-to-graduation requirements is that they are based on project usage and maturity. Assuming OPA meets all listed graduation requirements, and assuming that there will be other alternatives like Kyverno, etc. that will ideally become part of the CNCF ecosystem (Kyverno is planning sandbox submission), I see overall value and benefits in OPA graduating to help promote one available approach for managing policies in Kubernetes. Regards, Jim
On Sun, Sep 27, 2020 at 2:10 AM Gareth Rushgrove <gareth@...> wrote: +1 NB
|
|||||||||
|
|
|||||||||
|
Re: OPA to graduation
Gareth Rushgrove
+1 NB
I'm biased here, as one of the maintainers of the Conftest project which is now part of OPA. I wanted to address the point above about Rego. I'm an unashamed DSL nerd. I was a user and contributor to Puppet and then worked there. I was an early Docker user, gave talks about Dockerfile and then worked at Docker. I originally built Conftest in order to provide a better local developer experience to OPA because I wanted to use Rego. But, I'm also a fan of Chef. I spent last week putting together a bunch of demos using Pulumi. I like general purpose programming languages too. Oh, and I like data as well. I contributed to Ansible. I wanted to like Jsonnet, really like CUE, like aspects of YTT. I can reason about the trade offs between these 3 different approaches to configuration for what would be an unreasonable length of time for most people. As a user and contributor I've been through a few generations of tools in this space as a user and developer, and I fully expect to see several more generations too. That's maddening to some, and fun for me. I have strange hobbies. The reality here is most end users have a strong preference for tools in one of those groups at any given moment in time. This isn't a new observation. It's worth reading the Configuration Complexity Clock from back in 2012 as it's still as relevant here as when it was written https://mikehadlow.blogspot.com/2012/05/configuration-complexity-clock.html That is to say we'll likely see 3 distinct policy approaches over time, one DSL, one data and one general purpose language. In fact we already see projects like k-rail (using Go for authoring policies https://github.com/cruise-automation/k-rail) and Kyverno (using YAML for authoring https://github.com/nirmata/kyverno) OPA today focuses on one of these approaches, my experience tells me there will always be folks who prefer one of the others, and that's fine. The CNCF shouldn't enforce one approach or another, but look at usage. The Open Policy Agent community in general has also been working on lowering the barrier to learning Rego. The rego playground in particular is invaluable https://play.openpolicyagent.org/. Rego adoption has been growing rapidly, it's nature means most rego is written behind private repos but https://github.com/github/linguist/issues/4219 shows 296 rego files publicly on GitHub in January 2019. Today there are more than 6000 https://github.com/search?utf8=%E2%9C%93&type=Code&ref=searchresults&q=extension%3Arego+package+NOT+nothack. There has also been work done around sharing, so many end users can use Open Policy Agent without needing to write rego. For instance we were one of the first communities to define OCI Artifact metadata (https://github.com/open-policy-agent/opa/issues/1413) which then powers features like https://aws.amazon.com/blogs/containers/oci-artifact-support-in-amazon-ecr/. Hopefully that's a useful viewpoint and addition to the conversation. Gareth
|
|||||||||
|
|
|||||||||
|
Re: OPA to graduation
Gadi Naor
-1 NB The community around this project is great and there is a consensus on problem space. Having the benefit of solving and working with customers on Kubernetes security compliance and authorization challenges for quite some time, and integrating OPA as part of our engine - I've witnessed unanimous feedback that OPA REGO has a steep learning curve, and high touch ongoing costs. Nowadays with building blocks such as WASM, and motion around IaC that use real programming languages (Pulumi & CDK) I believe the ecosystem should strive to make the life of engineering teams easier, possibly in their comfort zone programming language (hey, Go, JS ... can work fine on documents) rather than introducing a new, none intuitive, high touch programming language. Also, with regards to OPA applications such as Gatekeeper , Kafka Authorizer, conftest and others - Are those OPA applications proposed for graduation? Gatekeeper constraints and templates is gr8 - and I'd vote to graduate Gatekeeper with at least none REGO working PoC. Gadi
On Sat, Sep 19, 2020 at 7:49 PM <nuhamind2@...> wrote: I believe similar point about the core-project/heart-of-the-system maintainership is raised on the past graduation proposal --
Securing Kubernetes & Service Mesh. Anywhere. Bridging Security & DevOps.
|
|||||||||
|
|
|||||||||
|
CNCF Awards now open for nominations
Amye Scavarda Perrin
We're starting the nomination process for our ambassador, committer and community awards.
Nominations will open today, and close on October 16nd. We'll be announcing the awards at KubeCon + CloudNativeCon Virtual North America. Voting (open from October 19 through October 26th) will be performed using the CIVS tool, using emails from the CNCF database for the following groups: CNCF Ambassadors are eligible to vote for the Top Ambassador CNCF Maintainers are eligible to vote for the Top Committer Amye Scavarda Perrin | Program Manager | amye@...
|
|||||||||
|
|
|||||||||
|
Re: [SIG-Security] Nomination of Emily Fox as co-chair
Matt Klein
+1
On Mon, Sep 21, 2020 at 4:13 PM Jeyappragash Jeyakeerthi <jj@...> wrote:
|
|||||||||
|
|
|||||||||
|
Re: [SIG-Security] Nomination of Emily Fox as co-chair
Saad Ali
+1 binding
Thank you for volunteering!
|
|||||||||
|
|
|||||||||
|
Re: [SIG-Security] Nomination of Emily Fox as co-chair
Katie Gamanji
+1 binding Exciting times!
On Tue, 22 Sep 2020, 20:44 , <andresvega1@...> wrote: +1
|
|||||||||
|
|
|||||||||
|
Re: Sandbox Projects included from September 8 TOC meeting
John Belamaric
We discussed this in the SIG Architecture meeting today. While generally workload controllers are within scope of the Kubernetes project, it is up to SIG Apps to decide if they are willing to take these on as SIG-sponsored projects. As Matt suggests, it's fine for these to exist as external workload controllers. With respect to upstreaming, the preference of SIG Arch would be to see individual features move into existing workload controllers as they mature, rather than creation of whole new controllers. The goal here would be to avoid a proliferation of controllers that makes choices very difficult for consumers. Of course, if there is some fundamental difference between the new controller and all existing ones, then a new one may be warranted. But creation of a new one should be done with an abundance of caution. Again this would ultimately be the decision of SIG Apps. Thanks, John
On Mon, Sep 21, 2020 at 1:31 PM <szihaI@...> wrote: The OpenKruise project agree with the Sig App's assessment completely. We, too, believe while up-streaming some of the features to the core workloads is possible, the majority of the controllers and features is best to remain as a separate project.
|
|||||||||
|
|
