Re: [VOTE] Open Policy Agent from incubating to graduated
Kiran Mova
Re: [VOTE] Open Policy Agent from incubating to graduated
+1 binding ~Dave
Re: [VOTE] Open Policy Agent from incubating to graduated
+1 NB
This is an incredibly important project, and I think we are only seeing the beginning of its impact. Congratulations to the team for their achievements!
On Dec 9, 2020, at 11:22 AM, John Belamaric via lists.cncf.io <jbelamaric=google.com@...> wrote:
Re: OPA to graduation
Gareth Rushgrove
On Wed, 9 Dec 2020 at 19:11, Liz Rice <liz@...> wrote:
I think Gatekeeper is interesting, but it's a sub-project of Open Policy Agent, not the whole thing. Anecdotally I mainly talk to a lot more folks using OPA outside Kubernetes than those just using it for Kubernetes-related use cases.

Download stats are imperfect, but do bring some data points. At least direct from GitHub, Conftest (https://github.com/open-policy-agent/conftest/, another sub-project) gets a lot more direct downloads than OPA. That's intentional (at least to me, as the creator and one of the maintainers!) as it's intended for local individual usage. It's developers downloading it to their desktops, from homebrew or direct from GitHub. The latest Conftest release has seen ~7000 downloads across platforms (not including the container image) and was shipped <1 month ago (14th November).

The Docker Hub published images tell the other part of the story

10M+ https://hub.docker.com/r/openpolicyagent/opa/
1M+ https://hub.docker.com/r/openpolicyagent/gatekeeper
100k+ https://hub.docker.com/r/openpolicyagent/conftest (formerly https://hub.docker.com/r/instrumenta/conftest)

Gatekeeper here outstrips Conftest, given its server vs local use case. OPA itself is more popular still, because while Gatekeeper is only for Kubernetes, OPA itself can be used with Kubernetes, but it's also used for other generic policy use cases in the broader cloud native ecosystem.

GitHub Stars (pah!) are interesting in microcosm here as well:

Conftest - 1.5k
Gatekeeper - 1.4k
OPA - 4.3k

But that's also just direct usage. OPA itself I'd argue is also partly something others build on top of as a library. Others will have other private and public examples, but for instance https://forsetisecurity.org/docs/latest/configure/real-time-enforcer/opa-engine.html or https://docs.ceph.com/en/latest/radosgw/opa/.

What ties all of those OPA-powered tools together is the Rego policy language and I think that's an important aspect here with regards to graduation.

Another datapoint was there was enough Rego code on GitHub for them to add support for code search and highlighting last year https://github.com/github/linguist/pull/4371#issuecomment-533053406. The amount of public Rego code has continued to grow as well https://github.com/search?utf8=%E2%9C%93&type=Code&ref=searchresults&q=extension%3Arego+package, from around 200 results over a year ago to more than 7000 now. Note as well most of the Rego written, by its nature, is going to be private.

Hopefully that's useful context about the project and ecosystem. There are likely some good user stories as well that others can share to complement my data deluge. The Gatekeeper folks can probably comment on Gatekeeper specifically too, but Open Policy Agent is a bigger project with a broader impact on the wider cloud native community I feel.

Gareth

--
Gareth Rushgrove
@garethr
garethr.dev
devopsweekly.com
Re: OPA to graduation
I can't speak for everyone, but we are, and have been for the last 2+ years, making great use of OPA in production across our entire fleet of Kubernetes clusters and several other ecosystem components. While I do agree that some folks associate OPA with Gatekeeper, OPA is much more ubiquitous. The admission controller model with OPA is very popular, but other examples of how we use it are:

We run 100's of OPA instances as both containers and as embedded libraries.
Re: [VOTE] Open Policy Agent from incubating to graduated
John Belamaric
+1 nb
Re: OPA to graduation
John Belamaric
+1 nb
On Mon, Sep 28, 2020 at 11:44 AM Andrés Vega <andresvega1@...> wrote:
Working in synchronicity from the authentication problem space adjacent to authorization, it has been fascinating to watch OPA evolve and grow in both adoption and maturity.
Re: OPA to graduation
Liz Rice
I really like OPA, and the project is doing tons of things really well, but I am struggling to add a +1 on the voting thread for it. When we move something to graduation, the TOC is sending a strong message that we think it's ready for end users to run in production - but to me it's not exactly clear what we're recommending. Anecdotally it seems to me that for a lot of folks in our community, OPA is synonymous with Gatekeeper. And that's a really useful component, and I don't want to do a disservice to the great work being done on it, but I don't think it's necessarily true that webhook + Gatekeeper is a robust, scalable solution that end users can assume they can deploy today with little-to-no risk.
I am very open to hearing why my concern is misplaced - for example am I missing messaging about other situations where OPA is being widely used, or how Gatekeeper is positioned?
Re: [VOTE] Open Policy Agent from incubating to graduated
Klaus Ma
+1 nb :)
On Wed, Dec 9, 2020 at 6:27 AM Jakub Scholz <jakub@...> wrote:
Re: [VOTE] Open Policy Agent from incubating to graduated
Jakub Scholz <jakub@...>
+1 (non-binding)
On Wed, Sep 30, 2020 at 6:06 PM Amye Scavarda Perrin <ascavarda@...> wrote:
Re: [VOTE] Open Policy Agent from incubating to graduated
+1 NB ~Emily Fox @TheMoxieFox
On Tue, Dec 8, 2020 at 12:58 PM kensipe <kensipe@...> wrote:
Re: [VOTE] Open Policy Agent from incubating to graduated
+1 NB
Re: [VOTE] Open Policy Agent from incubating to graduated
Jon Mittelhauser
+1 nb
From: <cncf-toc@...> on behalf of "Isaac Mosquera via lists.cncf.io" <isaac=armory.io@...>
On Tue, Dec 8, 2020 5:08 PM, Brandon Lum lumjjb@... wrote:
Re: [VOTE] Open Policy Agent from incubating to graduated
Isaac Mosquera
On Tue, Dec 8, 2020 5:08 PM, Brandon Lum lumjjb@... wrote:
Re: [VOTE] Open Policy Agent from incubating to graduated
Brandon Lum
+1 NB
On Tue, Dec 8, 2020 at 12:05 PM Ricardo Aravena <raravena80@...> wrote:
Re: [VOTE] Open Policy Agent from incubating to graduated
Ricardo Aravena
+1 nb
On Wed, Sep 30, 2020 at 9:01 AM Amye Scavarda Perrin <ascavarda@...> wrote:
Re: [EXTERNAL] [cncf-toc] [VOTE] Open Policy Agent from incubating to graduated
Tim St. Clair
+1 Non-binding
From: cncf-toc@... <cncf-toc@...> on behalf of Davanum Srinivas via lists.cncf.io <davanum=gmail.com@...>
Sent: Tuesday, December 8, 2020 10:48 AM
To: bburns@... <bburns@...>
Cc: CNCF TOC <cncf-toc@...>; ascavarda@... <ascavarda@...>
Subject: Re: [EXTERNAL] [cncf-toc] [VOTE] Open Policy Agent from incubating to graduated

+1 Non-binding

Davanum Srinivas :: https://twitter.com/dims
Re: [EXTERNAL] [cncf-toc] [VOTE] Open Policy Agent from incubating to graduated
+1 Non-binding
--
Davanum Srinivas :: https://twitter.com/dims
Re: [EXTERNAL] [cncf-toc] [VOTE] Open Policy Agent from incubating to graduated
Brendan Burns
+1, Binding
From: cncf-toc@... <cncf-toc@...> on behalf of Amye Scavarda Perrin via lists.cncf.io <ascavarda=linuxfoundation.org@...>
Sent: Wednesday, September 30, 2020 9:00 AM
To: CNCF TOC <cncf-toc@...>
Subject: [EXTERNAL] [cncf-toc] [VOTE] Open Policy Agent from incubating to graduated

The Open Policy Agent project has applied for graduation from incubation to graduated. (https://github.com/cncf/toc/pull/520)

The due diligence document can be found here: https://docs.google.com/document/d/19M5fTpe57rQIMNxawRl5wSWvJUapuzY-CkV4O5pvieU/edit

Brendan Burns has called for public comment: https://lists.cncf.io/g/cncf-toc/message/5281

Please vote (+1/0/-1) by replying to this thread.

Remember that the TOC has binding votes only, but we do appreciate non-binding votes from the community as a sign of support!

Amye Scavarda Perrin | Program Manager | amye@...
[RFC] Refining the way we communicate deprecations/wide-reaching changes to the project
Forwarding here as well, if anyone is interested in leaving feedback.

-- Stephen

---------- Forwarded message ---------
From: Stephen Augustus <stephen.k8s@...>
Date: Wed, Dec 2, 2020, 22:56
Subject: [k8s-steering] [RFC] Refining the way we communicate deprecations/wide-reaching changes to the project
To: Kubernetes developer/contributor discussion <kubernetes-dev@...>
Cc: steering <steering@...>

Hey Kubernetes Community,

tl;dr -- words are hard sometimes and we should take some time and care to assess the way we wield them. Looking for feedback on https://github.com/kubernetes/community/issues/5344.

---

As we go through deprecations and infrastructure changes in the project, it might be a worthwhile exercise to assess and refine the way we communicate them. I can think of a few recent examples that caused some panic and required additional lift from contributors to reframe or contort/extend support to accommodate:

Without policing contributors, as maintainers of the project, we also have a responsibility to users to be careful and deliberate with our communications outside of the project, whether it be Twitter, Hacker News, etc., etc.

So how can we improve? I think depending on the scope of a change, the following SIGs should be involved in crafting comms:
I'm curious to hear everyone's thoughts here.

-- Stephen