
SIG-Security Tech Lead nominations

Jeyappragash Jeyakeerthi
 

Dear Technical Oversight Committee,


On December 16th 2020, the SIG-Security co-chairs, along with then-TOC liaisons Liz Rice and Justin Cormack, agreed to nominate three Tech Leads for SIG-Security: Ashutosh Narkar, Aradhana Chetal and Andres Vega.


“Tech leads are assigned following a 2/3 majority vote of the TOC and a 2/3 majority vote of SIG Chairs” — cncf-sig elections


Thank you!

Jeyappragash.J.J

(On behalf of SIG-Security Chairs)


TL Candidates - Dec 2020


Ashutosh Narkar 


Aradhana Chetal 


Andres Vega

  • SIG-Security highlights

  • Professional affiliations: 

    • VMware

  • Github: @anvega

  • CNCF Projects:

    • SPIFFE/SPIRE

  • SIG-Security 

    • Security Assess. Review lead: Harbor

    • Security Assess. Review lead: Cloud Buildpacks

    • Security Assess. participant: SPIFFE/SPIRE

    • Security Day program committee 2020 NA

    • Facilitator for SIG meetings, and in general good with making calls more lively (1)

    • Participating in organization of CN Sec. Day 2021 EU

    • Commits (5)

    • Issues (13)




[RFC] Inclusive Naming Initiative workstreams

Stephen Augustus
 

Hey everyone,

Some of y'all have asked how you can get more involved in the Inclusive Naming Initiative and the group has just proposed a set of potential workstreams.
If you're interested, feel free to pop by the GitHub discussion and let us know where you'd like to help out/lead: https://github.com/inclusivenaming/org/discussions/12

-- Stephen


Re: Agenda for today

Liz Rice
 

Aha, I see in the public working doc today's meeting is down as cancelled. Enjoy your extra hour! 


On Tue, Dec 15, 2020 at 1:08 PM Liz Rice <liz@...> wrote:
Hi everyone, 

Amye is OOO today (I believe unexpectedly) and I’m not quite sure where we are with an agenda for the TOC call today. Does anyone have something they were prepared / planning to discuss? 

Cheers,
Liz


Agenda for today

Liz Rice
 

Hi everyone, 

Amye is OOO today (I believe unexpectedly) and I’m not quite sure where we are with an agenda for the TOC call today. Does anyone have something they were prepared / planning to discuss? 

Cheers,
Liz


[TOC] Nominations Open through 12pm PT, January 11, 2021

Amye Scavarda Perrin
 

5 seats are open for nomination by the GB and End User Community.
Nominations are open for the two Selecting Groups.

We will be publishing the list of qualified nominees at the end of the qualification process.

Timeline:
December 14: Nominations open – 12 PM PT
January 11: Nominations close - 12 PM PT
Jan 11: Qualification period opens
Jan 25: Qualification period closes
Jan 25: Election opens, Voting occurs by a time-limited Condorcet-IRV ranking in CIVS
Feb 1: Election closes at 12pm Pacific, results announced

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: OPA to graduation

jkrach@...
 

We've also been using OPA in production for use cases such as:
1. microservice authorization policy
2. internal webapp authorization policies via Envoy filter
3. Kafka authorization

We also spoke at KubeCon 2019 about some of our use cases, you can check it out here: https://www.youtube.com/watch?v=LhgxFICWsA8

Gatekeeper / K8S admission is actually one of the main use cases we still haven't fully integrated (in the works though)!


[cncf-dex-maintainers] [Announcement] First Maintainers Circle: Thursday! You're Invited!

Stephen Augustus
 

(Forwarding to the TOC + ContribStrat mailing lists as well.)

Join us next week for the first edition of the Maintainers Circle!
Details below from Paris. :)

-- Stephen

---------- Forwarded message ---------
From: Paris <paris.pittman@...>
Date: Fri, Dec 11, 2020 at 11:38 AM
Subject: [cncf-dex-maintainers] [Announcement] First Maintainers Circle: Thursday! You're Invited!
To: <maintainers@...>


Please forward this to other maintainers and folks making key decisions for the project, not solely the TOC voting members (reviewers, approvers, committee members, et al.).

💫 SIG Contributor Strategy welcomes you to the first edition of the Maintainers Circle.💫
This Thursday, December 17th. 
In this first session, we will talk about burnout and time management. 
Full details and future sessions in the works in our repo. A tl;dr: Dorothy Howard, FOSS Researcher and Wikipedia Maintainer with the University of California, San Diego, and Aaron Crickenberger, Emeritus Steering Committee member and SIG Testing Chair for the Kubernetes project will be joining us to share their experiences and research. 

These interactive learning sessions will have ample opportunities to talk to your peers from across projects in small groups and hear from speakers that are academics, researchers, growth consultants, and other maintainers on topics that aren’t widely discussed. You'll be able to introduce yourself and the role you play.

To RSVP:
Join #maintainers-circle on CNCF Slack (https://slack.cncf.io/) and emoji react to the post (that’s it!)

To add this to your calendar:
Grab the sig-contributor-strategy meetings on the CNCF Calendar: https://www.cncf.io/calendar/
They will be re-labeled with the title of Maintainer Circle shortly.  

Wish this was during another day/time that is better for you?
Let us know with the time range options: https://doodle.com/poll/z5gg4p6qyxedgf2c. We will make a schedule for 2021 to include times to better accommodate participants. 


See you soon,
Paris
SIG Contributor Strategy 







Re: [VOTE] Open Policy Agent from incubating to graduated

Kiran Mova
 

+1 NB


On Fri, Dec 11, 2020 at 2:08 PM Dave Zolotusky via lists.cncf.io <dzolo=spotify.com@...> wrote:
+1 binding

~Dave


Re: [VOTE] Open Policy Agent from incubating to graduated

Dave Zolotusky
 

+1 binding

~Dave


Re: [VOTE] Open Policy Agent from incubating to graduated

Frederick Kautz
 

+1 NB

This is an incredibly important project, and I think we are only seeing the beginning of its impact. Congratulations to the team for their achievements!

On Dec 9, 2020, at 11:22 AM, John Belamaric via lists.cncf.io <jbelamaric=google.com@...> wrote:

+1 nb


Re: OPA to graduation

Gareth Rushgrove
 

On Wed, 9 Dec 2020 at 19:11, Liz Rice <liz@lizrice.com> wrote:

I really like OPA, and the project is doing tons of things really well, but I am struggling to add a +1 on the voting thread for it. When we move something to graduation, the TOC is sending a strong message that we think it's ready for end users to run in production - but to me it's not exactly clear what we're recommending. Anecdotally it seems to me that for a lot of folks in our community, OPA is synonymous with Gatekeeper. And that's a really useful component, and I don't want to do a disservice to the great work being done on it, but I don't think it's necessarily true that webhook + Gatekeeper is a robust, scalable solution that end users can assume they can deploy today with little-to-no risk.

I am very open to hearing why my concern is misplaced - for example am I missing messaging about other situations where OPA is being widely used, or how Gatekeeper is positioned?

I think Gatekeeper is interesting, but it's a sub-project of Open Policy Agent, not the whole thing. Anecdotally I mainly talk to a lot more folks using OPA outside Kubernetes than those just using it for Kubernetes-related use cases. Download stats are imperfect, but do bring some data points.

At least direct from GitHub, Conftest (https://github.com/open-policy-agent/conftest/, another sub-project) gets a lot more direct downloads than OPA. That's intentional (at least to me, as the creator and one of the maintainers!) as it's intended for local individual usage. It's developers downloading it to their desktops, from homebrew or direct from GitHub.

The latest Conftest release has seen ~7000 downloads across platforms (not including the container image) and was shipped <1 month ago (14th November).

The Docker Hub published images tell the other part of the story

10M+
https://hub.docker.com/r/openpolicyagent/opa/

1M+
https://hub.docker.com/r/openpolicyagent/gatekeeper

100k+
https://hub.docker.com/r/openpolicyagent/conftest (formerly https://hub.docker.com/r/instrumenta/conftest)

Gatekeeper here outstrips Conftest, given its server vs local use case. OPA itself is more popular still, because while Gatekeeper is only for Kubernetes, OPA itself can be used with Kubernetes, but it's also used for other generic policy use cases in the broader cloud native ecosystem.

GitHub Stars (pah!) are interesting in microcosm here as well:

Conftest - 1.5k
Gatekeeper - 1.4k
OPA - 4.3k

But that's also just direct usage. OPA itself I'd argue is also partly something others build on top of as a library. Others will have other private and public examples, but for instance https://forsetisecurity.org/docs/latest/configure/real-time-enforcer/opa-engine.html or https://docs.ceph.com/en/latest/radosgw/opa/.

What ties all of those OPA-powered tools together is the Rego policy language and I think that's an important aspect here with regards to graduation. Another datapoint was there was enough Rego code on GitHub for them to add support for code search and highlighting last year https://github.com/github/linguist/pull/4371#issuecomment-533053406. The amount of public Rego code has continued to grow as well https://github.com/search?utf8=%E2%9C%93&type=Code&ref=searchresults&q=extension%3Arego+package, from around 200 results over a year ago to more than 7000 now. Note as well most of the Rego written, by its nature, is going to be private.

Hopefully that's useful context about the project and ecosystem. There are likely some good user stories as well that others can share to complement my data deluge. The Gatekeeper folks can probably comment on Gatekeeper specifically too, but Open Policy Agent is a bigger project with a broader impact on the wider cloud native community I feel.

Gareth



--
Gareth Rushgrove
@garethr

garethr.dev
devopsweekly.com
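Gareth's point that Rego is the common thread across OPA, Gatekeeper and Conftest, and Liz's question about what the TOC is actually recommending when "OPA" is deployed as a Kubernetes admission webhook, are easier to weigh with a concrete policy in front of you. The file below is an added example written for this page; it is not code from Gareth, from the OPA project, or from this thread. Assumptions: it uses the `rego.v1` keywords (accepted by OPA 0.59 and later, and the default in OPA 1.x); `package main` is Conftest's default package, and an OPA admission webhook would be configured to query `data.main.deny`; the sample Pod in the test rules is constructed for the example, not taken from any cluster. The same rule body evaluates a raw manifest (Conftest's input shape) and an AdmissionReview (the webhook's shape) because the input is normalised once at the top, and it walks `initContainers` as well as `containers`, which a rule written against `spec.containers` alone silently skips. Gatekeeper is not covered by this file: its ConstraintTemplates expect a `violation` rule and present the object at `input.review.object`.

```rego
package main

import rego.v1

# Conftest hands each YAML document to the policy directly as `input`.
# The OPA admission webhook wraps the same object in an AdmissionReview
# under input.request.object. Normalise once so the rules below work
# unchanged in both deployments (assumed layout, see lead-in).
obj := object.get(input, ["request", "object"], input)

# Every container in the pod, including initContainers. Privileged init
# containers are a classic way to slip past a check that only reads
# spec.containers.
containers contains c if some c in obj.spec.containers

containers contains c if some c in object.get(obj.spec, "initContainers", [])

deny contains msg if {
	obj.kind == "Pod"
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [c.name])
}

deny contains msg if {
	obj.kind == "Pod"
	obj.spec.hostPID == true
	msg := "pod must not share the host PID namespace"
}

# Constructed sample input (not from a real cluster): the app container is
# fine, the init container asks for privileged.
sample_pod := {
	"kind": "Pod",
	"spec": {
		"initContainers": [{"name": "setup", "securityContext": {"privileged": true}}],
		"containers": [{"name": "app", "securityContext": {"privileged": false}}]
	}
}

# `opa test policy.rego` runs these. The same policy is exercised with both
# input shapes and must produce the same decision.
test_conftest_shape_denies_privileged_init_container if {
	deny == {`container "setup" must not run privileged`} with input as sample_pod
}

test_admission_review_shape_denies_same_pod if {
	deny == {`container "setup" must not run privileged`} with input as {"request": {"object": sample_pod}}
}

test_compliant_pod_passes if {
	count(deny) == 0 with input as {"kind": "Pod", "spec": {"containers": [{"name": "app"}]}}
}
```

Save it as `policy.rego`; `opa test policy.rego` runs the three test rules, and `conftest test pod.yaml -p policy.rego` applies the same `deny` rules to a manifest on a developer's desktop. Note what this file does not settle: whether the admission webhook that serves it fails open or closed when OPA is unreachable is a property of the webhook configuration and the deployment, not of the Rego, which is the part of Liz's concern that a policy alone cannot answer.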


Re: OPA to graduation

Joe Searcy
 

I can't speak for everyone, but we are, and have been for the last 2+ years, making great use of OPA in production across our entire fleet of Kubernetes clusters and several other ecosystem components. While I do agree that some folks associate OPA with Gatekeeper, OPA is much more ubiquitous. The admission controller model with OPA is very popular, but other examples of how we use it are:

- Custom authorization policies within Envoy/Gloo
- Generic RBAC for several in-house built tools/apps
- Custom Token validation
- Generic CI/CD conformance 
- Kubernetes Fleet conformance (cross-cluster policy)

We run 100's of OPA instances as both containers and as embedded libraries.

Use cases like Conftest come to mind as well.


Re: [VOTE] Open Policy Agent from incubating to graduated

John Belamaric
 

+1 nb


Re: OPA to graduation

John Belamaric
 

+1 nb

On Mon, Sep 28, 2020 at 11:44 AM Andrés Vega <andresvega1@...> wrote:
Working in synchronicity from the authentication problem space adjacent to authorization, it has been fascinating to watch OPA evolve and grow in both adoption and maturity. 

In every SPIFFE and SPIRE conversation, OPA always surfaces as the best architectural fit for a comprehensive identity and authorization solution. While there is a learning curve to Rego, people do manage to wrap their heads around it as it pays dividends in return.

Like Joe, I'd like to see over time further standardization of the APIs. 

+1 NB


Andres


Re: OPA to graduation

Liz Rice
 

I really like OPA, and the project is doing tons of things really well, but I am struggling to add a +1 on the voting thread for it. When we move something to graduation, the TOC is sending a strong message that we think it's ready for end users to run in production - but to me it's not exactly clear what we're recommending. Anecdotally it seems to me that for a lot of folks in our community, OPA is synonymous with Gatekeeper. And that's a really useful component, and I don't want to do a disservice to the great work being done on it, but I don't think it's necessarily true that webhook + Gatekeeper is a robust, scalable solution that end users can assume they can deploy today with little-to-no risk.  

I am very open to hearing why my concern is misplaced - for example am I missing messaging about other situations where OPA is being widely used, or how Gatekeeper is positioned? 


Re: [VOTE] Open Policy Agent from incubating to graduated

Klaus Ma
 

+1 nb :)

On Wed, Dec 9, 2020 at 6:27 AM Jakub Scholz <jakub@...> wrote:
+1 (non-binding)

On Wed, Sep 30, 2020 at 6:06 PM Amye Scavarda Perrin <ascavarda@...> wrote:
The Open Policy Agent project has applied for graduation from incubation to graduated. (https://github.com/cncf/toc/pull/520)

The due diligence document can be found here: https://docs.google.com/document/d/19M5fTpe57rQIMNxawRl5wSWvJUapuzY-CkV4O5pvieU/edit
 
Brendan Burns has called for public comment: https://lists.cncf.io/g/cncf-toc/message/5281

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] Open Policy Agent from incubating to graduated

Jakub Scholz <jakub@...>
 

+1 (non-binding)

On Wed, Sep 30, 2020 at 6:06 PM Amye Scavarda Perrin <ascavarda@...> wrote:
The Open Policy Agent project has applied for graduation from incubation to graduated. (https://github.com/cncf/toc/pull/520)

The due diligence document can be found here: https://docs.google.com/document/d/19M5fTpe57rQIMNxawRl5wSWvJUapuzY-CkV4O5pvieU/edit
 
Brendan Burns has called for public comment: https://lists.cncf.io/g/cncf-toc/message/5281

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

--
Amye Scavarda Perrin | Program Manager | amye@...


Re: [VOTE] Open Policy Agent from incubating to graduated

Emily Fox
 

+1 NB
~Emily Fox
@TheMoxieFox


On Tue, Dec 8, 2020 at 12:58 PM kensipe <kensipe@...> wrote:
+1 NB

On Dec 8, 2020, at 11:10 AM, Isaac Mosquera via lists.cncf.io <isaac=armory.io@...> wrote:

+1 NB 



On Tue, Dec 8, 2020 5:08 PM, Brandon Lum lumjjb@... wrote:
+1 NB


On Tue, Dec 8, 2020 at 12:05 PM Ricardo Aravena <raravena80@...> wrote:
+1 nb


On Wed, Sep 30, 2020 at 9:01 AM Amye Scavarda Perrin <ascavarda@...> wrote:
The Open Policy Agent project has applied for graduation from incubation to graduated. (https://github.com/cncf/toc/pull/520)

The due diligence document can be found here: https://docs.google.com/document/d/19M5fTpe57rQIMNxawRl5wSWvJUapuzY-CkV4O5pvieU/edit
 
Brendan Burns has called for public comment: https://lists.cncf.io/g/cncf-toc/message/5281 

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

-- 
Amye Scavarda Perrin | Program Manager | amye@...






#velocity,

I S A A C  M O S Q U E R A
Chief Technology Officer
p: 703.795.5322


Re: [VOTE] Open Policy Agent from incubating to graduated

kensipe
 

+1 NB

On Dec 8, 2020, at 11:10 AM, Isaac Mosquera via lists.cncf.io <isaac=armory.io@...> wrote:

+1 NB 



On Tue, Dec 8, 2020 5:08 PM, Brandon Lum lumjjb@... wrote:
+1 NB


On Tue, Dec 8, 2020 at 12:05 PM Ricardo Aravena <raravena80@...> wrote:
+1 nb


On Wed, Sep 30, 2020 at 9:01 AM Amye Scavarda Perrin <ascavarda@...> wrote:
The Open Policy Agent project has applied for graduation from incubation to graduated. (https://github.com/cncf/toc/pull/520)

The due diligence document can be found here: https://docs.google.com/document/d/19M5fTpe57rQIMNxawRl5wSWvJUapuzY-CkV4O5pvieU/edit
 
Brendan Burns has called for public comment: https://lists.cncf.io/g/cncf-toc/message/5281 

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

-- 
Amye Scavarda Perrin | Program Manager | amye@...








Re: [VOTE] Open Policy Agent from incubating to graduated

Jon Mittelhauser
 

+1 nb

 

From: <cncf-toc@...> on behalf of "Isaac Mosquera via lists.cncf.io" <isaac=armory.io@...>
Reply-To: <isaac@...>
Date: Tuesday, December 8, 2020 at 9:10 AM
To: Brandon Lum <lumjjb@...>
Cc: Ricardo Aravena <raravena80@...>, Amye Scavarda Perrin <ascavarda@...>, CNCF TOC <cncf-toc@...>
Subject: Re: [cncf-toc] [VOTE] Open Policy Agent from incubating to graduated

 

+1 NB 

 

 

On Tue, Dec 8, 2020 5:08 PM, Brandon Lum lumjjb@... wrote:

+1 NB

 

 

On Tue, Dec 8, 2020 at 12:05 PM Ricardo Aravena <raravena80@...> wrote:

+1 nb

 

 

On Wed, Sep 30, 2020 at 9:01 AM Amye Scavarda Perrin <ascavarda@...> wrote:

The Open Policy Agent project has applied for graduation from incubation to graduated. (https://github.com/cncf/toc/pull/520)

The due diligence document can be found here: https://docs.google.com/document/d/19M5fTpe57rQIMNxawRl5wSWvJUapuzY-CkV4O5pvieU/edit
 
Brendan Burns has called for public comment: https://lists.cncf.io/g/cncf-toc/message/5281

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

 

--

Amye Scavarda Perrin | Program Manager | amye@...

 

