|
Re: CNCF Storage SIG - Mission/Purpose/Ownership?
Quinton Hoole <quinton@...>
Hi Saad Speaking personally, it would be great to have you as a TL on the CNCF Storage SIG. Regarding your other questions around SIG scope, have you read this yet? That spells out in broad strokes what the responsibilities of CNCF SIGs are in general. What I have undertaken to do is write up a draft charter of what exactly this means for the CNCF Storage SIG. We can then review and finalize this draft with the TOC. It would be great to have your input. Q
On Wed, Apr 10, 2019 at 1:38 PM Saad Ali <saadali@...> wrote:
--
Quinton Hoole quinton@...
|
|
|
|
|
|
CNCF Storage SIG - Mission/Purpose/Ownership?
Saad Ali <saadali@...>
Hi CNCF Storage WG, Following up on the CNCF Storage WG meeting this morning: I'm considering throwing my hat in to the ring as a possible TL for the proposed CNCF Storage SIG. I'm currently Co-chair/TL of SIG Storage. That said, I'd first like to understand what this new CNCF SIG will own? The Kubernetes Storage SIG, for example, has clear ownership of the Kubernetes volume sub-system. This, CNCF storage workgroup, so far has produced whitepapers on the storage landscape, surveyed users, and hosted presentations from 3rd party storage projects. While all valuable, these are short term tasks. My goal here is to make sure we act intentionally with a clear mission and purpose. A group without something to own will, at best, waste time, and, at worst, cause unnecessary conflict. To that end, I want to make sure the SIG has an obvious, long-term ownership of something concrete. Thoughts? What do we think will be the long term sustainability strategy for this new SIG? What will it own? Thanks, Saad Ali
|
|
|
|
|
|
Re: CNCF Storage SIG - Mission/Purpose/Ownership?
Hi Saad,
Thanks for throwing your hat into the ring ! :-)
(apologies for the long email, but the info will hopefully benefit the rest of the mailing list too)
The CNCF SIGs are being setup to help the TOC as the CNCF continues to scale with the growing list of projects and members. All the detail for the proposal/formation of the CNCF SIGs is available here: https://github.com/cncf/toc/blob/master/sigs/cncf-sigs.md
In summary, the general objectives are:
and the specific responsibilities of the SIG include:
Project Handling:
End User Education (Outbound Communication)
End User Input Gathering (Inbound Communication)
Community Enablement
As Trusted Expert Advisors to the TOC
See Example Responsibilities of a CNCF SIG.
The first set of SIGs as per the proposal and the TOC members who will act as liaison with the SIG are:
Hope this helps,
Kind Regards, Alex
From: Saad Ali <saadali@...>
Hi CNCF Storage WG,
Following up on the CNCF Storage WG meeting this morning: I'm considering throwing my hat in to the ring as a possible TL for the proposed CNCF Storage SIG. I'm currently Co-chair/TL of SIG Storage.
That said, I'd first like to understand what this new CNCF SIG will own?
The Kubernetes Storage SIG, for example, has clear ownership of the Kubernetes volume sub-system. This, CNCF storage workgroup, so far has produced whitepapers on the storage landscape, surveyed users, and hosted presentations from 3rd party storage projects. While all valuable, these are short term tasks.
My goal here is to make sure we act intentionally with a clear mission and purpose. A group without something to own will, at best, waste time, and, at worst, cause unnecessary conflict. To that end, I want to make sure the SIG has an obvious, long-term ownership of something concrete.
Thoughts? What do we think will be the long term sustainability strategy for this new SIG? What will it own?
Thanks,
Saad Ali
|
|
|
|
|
|
Re: RFC: Strimzi
alexis richardson
David
toggle quoted messageShow quoted text
Thanks. I would prioritise open governance over reducing your committers, but up to you. Re quotas. Any multi-tenant system that holds data for any length of time faces the question of how available resources may be allocated to tenants. Typically a quota system is used. If your users are single tenant, then you don't need this. a
On Wed, Apr 10, 2019 at 8:19 AM <dingham@...> wrote:
|
|
|
|
|
|
Re: RFC: Strimzi
David Ingham
Hi,
Thank you for your comments and the opportunity to present Strimzi to the TOC yesterday. We are keen to work towards neutral open governance of the project and think that the link to the Cortex governance is a good starting point. Until now the project has prioritised ease of administration over more formal processes for PR review and merging, but now is a good time to start adopting a more formal model. We will therefore start by reducing the number of our own committers and explore expanding the pool of non-Red Hat committers on the project (this might however take some more time). We’ll keep you informed on our progress. During the call it was clear that other people were also interested in the idea of having a standalone Zookeeper deployment - without Apache Kafka. In order to make a start on some initial design work for this it would be great to get more input from those people about how they think this would be used. For example, if they had other Zookeeper-dependent projects in mind it would be great to know about them. Can you elaborate on the idea around quotas? We think the idea here would be a messaging-agnostic custom resource/API expressing a quota for authenticated message senders to (abstract) message destinations, but we’re not sure we understood you correctly. Finally, if we addressed these points are there other TOC members who would be willing to sponsor the project or do others have further issues they would like to discuss?
|
|
|
|
|
|
Re: RFC: Keycloak project presentation
Stian Thorgersen <sthorger@...>
Keycloak does indeed have built-in support for MFA, but it is currently limited to one-time passwords (HOTP or TOTP). It is possible to extend Keycloak to add additional custom MFA mechanisms and we have community users that use SMS, hardware tokens, etc. with Keycloak. That being said we are aware of limitations here which will be addressed in the near future. The limitations are mainly lack of additional built-in types (SMS, email, backup, etc.) as well as support for users to have choice between multiple mechanisms. Until recently we have not actually seen much demand to go beyond one-time password support, but with WebAuthn becoming an official web standard there is now a lot of demand for it. It is a high priority to the Keycloak team to deliver improvements in this area as well as WebAuthn support and we are aiming to have this available in the next few months. We also have several community contributors working on this together with us, one group is working on a WebAuthn library for Java (https://github.com/webauthn4j/webauthn4j) and corresponding authenticator for Keycloak (https://github.com/webauthn4j/keycloak-webauthn-authenticator - this will be added directly to Keycloak in the future), another group is working on addition to authentication flows to allow for choices of MFA mechanisms. In summary our plans are: * Add support for admins to be able to manage what MFA mechanisms should be available * Add support for users to configure multiple mechanisms through account console and selecting a default. During login users will be prompted for the default, but have choice to use an alternative * Add support for WebAuthn to be used as a 2FA mechanisms in addition to password, and also a primary authentication mechanism for passwordless experience More details can be found in our design brief for WebAuthn here https://github.com/keycloak/keycloak-community/blob/master/design/web-authn-two-factor.md. The brief on application initiated actions is also relevant (https://github.com/keycloak/keycloak-community/blob/master/design/application-initiated-actions.md). There will be two more related design briefs coming soon, one on passwordless experience for WebAuthn and another on extensions we are making to authentication flows (a contributor from the community is currently working on a proposal for this). I hope this clears your concerns around MFA, if not I'm happy to discuss it further.
On Tue, 9 Apr 2019 at 19:56, Christopher LILJENSTOLPE <cdl@...> wrote:
|
|
|
|
|
|
Re: RFC: Keycloak project presentation
Stian Thorgersen <sthorger@...>
As this may come up I wanted to clarify the relationship between Keycloak and RH-SSO. Keycloak is the community project and is freely available for anyone to use. RH-SSO is built directly from Keycloak source and each RH-SSO version is based on a specific Keycloak version (https://www.keycloak.org/support.html). There are no feature add-ons or any code that is not open source, everything is done in the open. Other than branding, the only difference between Keycloak and RH-SSO is that for productised builds Red Hat builds all dependencies from source internally, while for community projects we use available public releases of dependencies (from Maven Central mostly).
On Tue, 9 Apr 2019 at 17:47, Chris Aniszczyk <caniszczyk@...> wrote: The Keycloak project presented today:
|
|
|
|
|
|
Re: RFC: Keycloak project presentation
sthorger@...
Actually, domain-mode is not relevant. Domain-mode is a feature of WildFly that allows creating and managing a group of servers, but this is not relevant in Kubernetes since it already has this capability. The relevant section of the documentation is https://www.keycloak.org/docs/latest/server_installation/index.html#_standalone-ha-mode as well as the documentation for the container image https://github.com/jboss-dockerfiles/keycloak/blob/master/server/README.md. For HA and scalability Keycloak relies on the embedded Infinispan server, which in turn relies on JGroups. Infinispan (https://infinispan.org/) is a distributed in-memory key/value data store, and JGroups (http://www.jgroups.org/) is a toolkit for reliable messaging. JGroups supports both UDP and TCP for transport and has a range of discovery protocols it supports for different environments. Keycloak uses Infinispan for two purposes. Firstly, it is used as an invalidation cache which allows us to heavily cache data from the database. Secondly, it is used as a distributed cache for sessions. By default sessions are distributed to the nodes in the cluster and each session is stored in one node, but it is easy to enable replication of sessions where more than one node holds a replica. We have plenty of large companies using both Keycloak as well as customers of Red Hat using RH-SSO (Red Hat's supported build of Keycloak, I will send a separate mail further explaining the difference here) that are deploying it in HA within a single site and we have quite a few that are deploying it to multiple-sites as well. Red Hat itself relies on RH-SSO as both are internal IdP and our external IdP (https://developers.redhat.com/blog/2019/02/14/red-hat-sso-high-availability-hybrid-cloud/). We also have several community users and customers that are deploying Keycloak with millions of users. During one of the keynotes (https://www.redhat.com/fr/about/videos/summit-2018-keynote-emerging-technology-and-innovation-chris-wright) at last years Red Hat Summit we demonstrated RH-SSO running not just multi-site, but multi-cloud. We had RH-SSO available in AWS, Azure and a private cloud, with load balanced between the 3 clouds and also showed fail-over during the keynote. I hope this answers the concerns around HA and scalability, but I'm happy to follow-up if there are still some questions around this.
On Tue, 9 Apr 2019 at 19:39, Quinton Hoole <quinton.hoole@...> wrote: Thanks for the presentation. Very informative.
|
|
|
|
|
|
Re: RFC: Keycloak project presentation
Christopher LILJENSTOLPE <cdl@...>
Greetings, Sorry I could not make the call today, but I did want to raise some concerns I have had over Keycloak. One is the fact that, at heart, it is still a login/password system. There is some ability to add MFA, but right now it is not really part of the standard mechanics, as far as I can see, and certainly does not allow multiple MFA capabilities - which is rapidly becoming a requirement and 'expected' behavior of an auth system. I know there are issues open to look at this, but it seems as if there is no consensus within the keycloak community as to how to address those capabilities/requirements. Without a clear path to enable more modern authentication practices, I'm pretty sure I wouldn't be able to support (I'm non-binding) adoption. Christopher
On Tue, Apr 9, 2019 at 8:47 AM Chris Aniszczyk <caniszczyk@...> wrote: The Keycloak project presented today: --
Christopher LILJENSTOLPE Co-Founder & CTO, Solutions Tigera cdl@... | @liljenstolpe | @liljenstolpe Follow us: Blog | Twitter | LinkedIn Zero Trust Network Security & Continuous Compliance for Modern Applications
|
|
|
|
|
|
Re: RFC: Keycloak project presentation
Quinton Hoole
Thanks for the presentation. Very informative.
The questions I (and Joe) had around HA and scalability are at least partially answered in the installation documentation: https://www.keycloak.org/docs/latest/server_installation/index.html#_domain-mode If there is any more detailed information available on the HA and scalability design, and what's happening under the hood in that area, that would be useful. Q ________________________________________ From: cncf-toc@... [cncf-toc@...] on behalf of boleslaw.dawidowicz@... [boleslaw.dawidowicz@...] Sent: Tuesday, April 09, 2019 8:55 AM To: Chris Aniszczyk Cc: CNCF TOC Subject: Re: [cncf-toc] RFC: Keycloak project presentation There is nothing RHT enterprise specific and it is backed fully by proven upstream technologies with active communities. Regarding clustering and concerns expressed in the chat there is a way to configure clustering on Kubernetes. We have people in the commnity running deployments like that. Same for cross site replication. If there is need to address more specific questions or perform a a deeper dive we would be happy to do so. Would like to thank for the opportunity to present the project to the TOC today. On Tue, Apr 9, 2019 at 5:47 PM Chris Aniszczyk <caniszczyk@...> wrote:
|
|
|
|
|
|
Re: RFC: Strimzi
alexis richardson
I am a potential sponsor.
for me to buy in: I'd like to see a neutral gov & roadmap plus plans from david on achieving unambiguous neutrality, plus thoughts on what would be useful as a 'spun out' tool, eg ZK, Quotas, .. example of lean governance that works for one project https://github.com/cortexproject/cortex/blob/master/GOVERNANCE.md On Tue, Apr 9, 2019 at 9:00 AM Chris Aniszczyk <caniszczyk@...> wrote:
|
|
|
|
|
|
RFC: Strimzi
Hey all, we heard from the Strimzi project today:
https://github.com/cncf/toc/issues/138 There were questions about if the ZK aspects of the operator could be pulled out as its own project. There were also other questions around other kafka operators in the ecosystem. Anyways, the Strimzi project is looking for TOC sponsors for the sandbox. -- Chris Aniszczyk (@cra) | +1-512-961-6719
|
|
|
|
|
|
Re: RFC: Keycloak project presentation
boleslaw.dawidowicz@gmail.com
There is nothing RHT enterprise specific and it is backed fully by
proven upstream technologies with active communities. Regarding clustering and concerns expressed in the chat there is a way to configure clustering on Kubernetes. We have people in the commnity running deployments like that. Same for cross site replication. If there is need to address more specific questions or perform a a deeper dive we would be happy to do so. Would like to thank for the opportunity to present the project to the TOC today. On Tue, Apr 9, 2019 at 5:47 PM Chris Aniszczyk <caniszczyk@...> wrote:
|
|
|
|
|
|
RFC: Keycloak project presentation
The Keycloak project presented today:
https://github.com/cncf/toc/pull/176 The TOC, especially Joe had some questions on how Keycloak was deployed on Wildfly (vs the RHT enterprise version of that). This project is also fairly high up the stack compared to what we normally accept in CNCF imho. We also didn't have a full roster of TOC members so I'd like to ensure we have a wide set of eyes on this topic. Jeff was also interested in being one of the sponsors for the sandbox potentially. Anyways, wanted to move the discussion to the mailing list. -- Chris Aniszczyk (@cra) | +1-512-961-6719
|
|
|
|
|
|
Re: thought leadership
Vineet Gupta
Hello All, I would like to second Erin’s idea for CNCF role in telco softwares, they are majorly driven towards NFV base deployments . Since I am coming from telco security companies a large transformation is happening in telcos to move towards what’s been done in Airship project and some other proprietary softwares in NFV space . As carriers we are looking to have a technical direction from CNCF which collaborated with what has been done in OPNFV space so far and how cloud native projects can be well integrated in OPNFV stack seamlessly . Almost all the efforts in telcos this year is directed towards building up products which conforms to the security and edge deployment focused. So it would be great to have some CNCF landscape project to directly integrate with MANO and NFVI in plugins and extension point to integrate. Not sure if there would be anything in KubeCon Barcelona for the same but I would appreciate thoughts and guidance here from members. Thanks much
On Sat 23 Mar 2019 at 19:45, Sarah Allen <sarah@...> wrote:
|
|
|
|
|
|
Agenda for 4/9/2019 TOC Meeting
Hey all, we are meeting tomorrow, focused on community presentations
to catch up on the CNCF community presentation backlog: https://docs.google.com/presentation/d/1bijEpuwaaa6jR1D5PAjyW731-j6Xc1TFHJuUh_FwwK8/edit#slide=id.g25ca91f87f_0_0 https://docs.google.com/document/d/1jpoKT12jf2jTf-2EJSAl4iTdA7Aoj_uiI19qIaECNFc/edit# We will be hearing from the NSM, Keycloak and Strimzi communities. -- Chris Aniszczyk (@cra) | +1-512-961-6719
|
|
|
|
|
|
[RESULT] CRI-O project proposal (incubation)
The CRI-O project has been approved to join the CNCF incubator: https://github.com/cncf/toc/pull/177 +1 binding TOC votes (6/9): Matt: https://lists.cncf.io/g/cncf-toc/message/3018 Alexis: https://lists.cncf.io/g/cncf-toc/message/3019 Brian: https://lists.cncf.io/g/cncf-toc/message/3020 Joe: https://lists.cncf.io/g/cncf-toc/message/3021 Michelle: https://lists.cncf.io/g/cncf-toc/message/3024 Xiang: https://lists.cncf.io/g/cncf-toc/message/3039 +1 non-binding community votes: Randy Abernethy: https://lists.cncf.io/g/cncf-toc/message/3015 Chris Short: https://lists.cncf.io/g/cncf-toc/message/3016 Davanum Srinivas: https://lists.cncf.io/g/cncf-toc/message/3017 Gilbert Song: https://lists.cncf.io/g/cncf-toc/message/3035 Ihor Dvoretskyi: https://lists.cncf.io/g/cncf-toc/message/3036Yassine Tijani: https://lists.cncf.io/g/cncf-toc/message/3037 Sonya Koptyev: https://lists.cncf.io/g/cncf-toc/message/3038 Nick Chase: https://lists.cncf.io/g/cncf-toc/message/3040 Iftach Schonbaum: https://lists.cncf.io/g/cncf-toc/message/3042 Pengfei Ni: https://lists.cncf.io/g/cncf-toc/message/3043 Marius Grigoriu: https://lists.cncf.io/g/cncf-toc/message/3045 Thomas Mclennan: https://lists.cncf.io/g/cncf-toc/message/3046 徐翔轩: https://lists.cncf.io/g/cncf-toc/message/3049 Thanks all for voting, we look forward to cultivating the CRI-O community! Chris Aniszczyk (@cra) | +1-512-961-6719
|
|
|
|
|
|
Re: [VOTE] fluentd moving to graduation
Gilbert Song
+1 (non-binding)
On Fri, Mar 29, 2019 at 9:35 AM Chris Aniszczyk <caniszczyk@...> wrote: fluentd has requested to move to the graduation maturity level:
|
|
|
|
|
|
Re: [VOTE] fluentd moving to graduation
Brewer, Jeff
+1 binding
From: cncf-toc@... <cncf-toc@...>
On Behalf Of Michelle Noorali via Lists.Cncf.Io
This email is from an external sender.
+1 binding From:
cncf-toc@... <cncf-toc@...> on behalf of Rausch, Matt via Lists.Cncf.Io <mrausch=nipr.com@...>
+1 (non-binding)
From: cncf-toc@... <cncf-toc@...>
On Behalf Of Yash Thakkar
+1 (non-binding)
On Tue 2 Apr, 2019, 10:52 PM Chiradeep Vittal, <chiradeep.vittal@...> wrote:
----------------------------------------- CONFIDENTIALITY NOTICE This message and any attachments are from the NIPR and are intended only for the addressee. Information contained herein is confidential, and may be privileged or exempt from disclosure pursuant to applicable federal or state law. This message is not intended as a waiver of the confidential, privileged or exempted status of the information transmitted. Unauthorized forwarding, printing, copying, distribution or use of such information is strictly prohibited and may be unlawful. If you are not the addressee, please promptly delete this message and notify the sender of the delivery error.
|
|
|
|
|
|
Re: [VOTE] fluentd moving to graduation
Michelle Noorali
+1 binding
From: cncf-toc@... <cncf-toc@...> on behalf of Rausch, Matt via Lists.Cncf.Io <mrausch=nipr.com@...>
Sent: Tuesday, April 2, 2019 4:07 PM To: Chris Aniszczyk; CNCF TOC Cc: cncf-toc@... Subject: Re: [cncf-toc] [VOTE] fluentd moving to graduation +1 (non-binding)
From: cncf-toc@... <cncf-toc@...>
On Behalf Of Yash Thakkar
+1 (non-binding)
On Tue 2 Apr, 2019, 10:52 PM Chiradeep Vittal, <chiradeep.vittal@...> wrote:
----------------------------------------- CONFIDENTIALITY NOTICE This message and any attachments are from the NIPR and are intended only for the addressee. Information contained herein is confidential, and may be privileged or exempt from disclosure pursuant to applicable federal or state law. This message is not intended as a waiver of the confidential, privileged or exempted status of the information transmitted. Unauthorized forwarding, printing, copying, distribution or use of such information is strictly prohibited and may be unlawful. If you are not the addressee, please promptly delete this message and notify the sender of the delivery error.
|
|
|
|