Donate Contour to CNCF #330
Conversation
Happy to help and support |
Thanks @michmike ! @monadic so you're interested in sponsoring? @mattklein123 is there a reason something like this wouldn't just become an Envoy sub project or would you prefer for it to be a standalone project? |
Yes I am interested |
I discussed this with the Contour team. There are pros/cons to both scenarios. On the pro side, it's very closely aligned with Envoy and would make a great official addition to the ecosystem. On the con side, we don't have any process within the project for doing something like this and would have to develop it. Additionally, it's unclear how this would affect the overall ecosystem of Contour competitors. Overall, I think going into the CNCF directly is simpler. We can always change things later depending on how things evolve IMO. I'm happy to help sponsor this also along with @monadic |
@mattklein123 and @monadic, I will add you as our TOC sponsors. Thank you! |
This is in SIG-Network for review. |
@leecalcote and CNCF-SIG-Network team, the technical due diligence document for Contour is located at https://docs.google.com/document/d/1IIUDRch-8EEbcSFVK4sNL6Op5QJkIBrJi4SwbBjXiXU/edit?usp=sharing. We look forward to your feedback |
@kenowens12: any updates here? |
@amye I'm doing some private DD with Contour users. I need a bit more time to complete that. Thank you! |
@mattklein123: Checking in here, any movement? |
@mattklein123 friendly ping while Amye is out on vacation, you OK with kicking off an incubating vote? https://docs.google.com/document/d/1IIUDRch-8EEbcSFVK4sNL6Op5QJkIBrJi4SwbBjXiXU/edit |
Which process is this submission following? Is this ready for public comments? |
@VinodAnandan https://github.com/cncf/toc/blob/master/process/project_proposals.adoc#incubation-process It's been ready for public comment since March 19th. The TOC Incubation Sponsor determines when DD is “done”, and I believe @mattklein123 is making that call this week after syncing up last week. |
If I haven't misunderstood, the comment link you have posted is asking for feedback from @leecalcote and SIG Network. If a DD is not "done", how can someone ask for public comments? Who is responsible for notifying the mailing lists to get public comments? How long should a DD wait for public comments? Going through the documents I have multiple comments; I just want to verify that the TOCs have already approved the DD ("done"). |
I was planning on calling for the vote today/tomorrow. I had assumed that people that wanted to comment would have already done so either on the DD document or in this PR. If that's not the case, let's have a few days for public comments and we can do the vote next Monday. @VinodAnandan and community, fire away! |
@mattklein123 Thanks for completing the due diligence. This submission was just moved to the "In Public Comment Period" column and the public comment announcement was sent 3 hours ago. As per the official process, the Due Diligence review is 2-6 weeks. It's a bit unusual that this particular submission was a bit out of the normal from the beginning.
In the document, the mission statement says "To be the most secure, performant, scalable, and available ingress controller", but when I checked the landscape ( https://github.com/projectcontour/community/blob/master/LANDSCAPE.md ), Contour is the only one without authentication. Why wasn't authentication a priority in version 1.0?
Where can I find a high-level roadmap for the project?
When I compared the GitHub popularity with other projects mentioned in the landscape, both the current numbers and the trend are the lowest compared to the other projects mentioned there. Has this been reviewed and are there any plans to improve?
What are the organizations other than VMware that are officially contributing to the Contour project?
How is the "count author" value mentioned in the document calculated?
Are there any documents/links highlighting the details of recent (6 months, 1 year) contribution stats?
I noticed that the two main external contributors mentioned in the table have stopped contributing recently. Is there any specific reason for it (changing sponsoring company etc.)?
At the time of the submission (7 Jan) of this project, I checked for the governance document and couldn't find one at that time, and it seems a new document was created on 18 Mar. Is this acceptable to the TOC? |
Hi @VinodAnandan, thank you for reading through our documentation and asking insightful questions. My name is Michael Michael, and I am one of the maintainers of Contour. I am also a long-standing contributor in CNCF projects as a maintainer of Harbor as well as a chair in a Kubernetes SIG. I will try to address all your concerns. Feel free to ping me in private (I am @m2 on the CNCF and the K8s Slack channels) or continue the discussion here on follow-up items.
It is true the due diligence period needs to be 2-6 weeks. We started the due diligence with the TOC and CNCF sig-network on Jan 16th. Then, all the documents were ready and available for DD review on March 19th. You are correct that the email to the TOC mailing list did not go out until yesterday. We are not trying to short-circuit the process. If anyone has feedback, we would love to hear it.
I would like to separate the
The due diligence document has a section on releases and roadmap, ultimately pointing to https://github.com/projectcontour/contour/blob/master/RELEASES.md. The Contour team maintains an up-to-date project board where our prioritized backlog and what we plan to work on next are viewable. We also have additional “parking lots” where we have grouped features that are of similar priority. We intend to work on these features after we go through the prioritized backlog. We develop Contour in the open, and more than a few times a user request has come in, we evaluated it, and decided it was important for us to work on it immediately due to the impact on the community.
From the Contour perspective, we develop the project in the open and we are open to any and all contributors. We also created a philosophy document to outline how we engage with the community and the table stakes that Contour has set in terms of our vision and goals.
These are outlined in the “Key Health Statistics” section of the DD document. VMware is the main contributor to Contour, but as you can see, we are not the only ones. For example, Tero Saarni (@tsaarni) from Ericsson, drove two key sets of features: client auth so users can use certificates to validate access from outside the cluster and the automatic refresh of secrets with Contour<>Envoy.
The count author is a total count of all PRs, Issues, and Commits by a GitHub user.
If you are asking for contribution stats and dates per individual user, we don’t have that handy. It is not hard to compute, but it does involve manual labor to create out of the GitHub APIs. What we do have though is charts on the contributions by date for VMware and non-VMware contributors, and those are included in the DD document. Those charts go back 2 years.
Maybe it is possible they got the features they wanted/needed. We don’t have all the information on company associations since some of the data is private and not shared by the GitHub API.
That is a question for the TOC. We were always operating Contour with that governance in mind, we just never put it down on paper. The DD process offered a great checklist and reminder to ensure we document and follow best practices on operating healthy open source projects. |
Hi @michmike thank you very much for your reply. As per the CNCF TOC approved process https://github.com/cncf/toc/blob/master/process/project_proposals.adoc#incubation-process, Due Diligence: 2-3 months, Due Diligence review: 2-6 weeks, TOC vote: up to 6 weeks, and I believe this is for a submission which completely meets the criteria; it may take even more time (NATS is waiting 1.5+ years) for projects which don't meet all criteria at the time of submission. I am not quite sure how to make the "most secure" software without having basic security functionality like authentication. And I don't believe that comparing authentication and WAF is appropriate. If you are saying that the project is achieving "most secure" by secure software development practice, could you please let us know
Why is the adopter file empty? ( https://github.com/projectcontour/contour/blob/master/ADOPTERS.md ) Where can we find three independent end users interviews? Have the CNCF staff completed the governance and legal DD? |
Contour is secure for the features we deliver. With this specific example in mind, if you want to front end your K8s services with auth, that's not a feature Contour has today. We are working on it and will deliver it soon because it is an important feature, but it is still just a feature. Contour can be an excellent and functional ingress controller with or without it. We are adding auth not because it would make Contour more secure, because it really will not. Auth will make users’ services more secure and it is an important feature to our community.
We don’t have a threat model to share publicly. If and when we are accepted into the CNCF, we will work with sig-security on an assessment of Contour. That’s a very valuable exercise and I have been through it with Harbor.
We execute a variety of static analysis tools. I have listed them below. We also periodically run gosec, but it has way too many false positives and has not impressed us as a tool. You have a valid point though and we are going to immediately enable gosec as part of the PR process/checks.
We have not used any DAST tools because Contour is not a web application. It does not listen to user requests, and it is not vulnerable to cross-site scripting attacks, as it has no user-facing functionality aside from the Kubernetes API.
We don’t use any security scanning tools on a daily basis. However, we periodically use gosec as mentioned above and have also verified our container images using vulnerability scanners. However, those vulnerability scanners can’t properly scan Contour because there is no underlying operating system in our container image. It is just our binaries in there. What they can do is check the binary signature of Contour and make sure no vulnerabilities are reported for Contour in NVD databases. We have zero such CVEs currently and we plan to follow our established security process if a vulnerability is reported.
We have not had a public pentest yet, as that is part of the requirements for going to graduation stage. We look forward to potentially partnering with CNCF and Cure53 on a security audit.
We are working with some of our users on filling in details in our adopters file. From the CNCF criteria, this is a graduation stage criterion. Matt Klein from the TOC has conducted private interviews with Contour users to satisfy the incubation criteria. Even though some enterprises don’t want to be named publicly as users of Contour, Adobe, PhishLabs, kintone.io, Replicated, and Kinvolk have all been using Contour and talked or tweeted about it publicly. This thread also has additional customer testimonials.
I can’t speak for the CNCF staff. That’s a question for @caniszczyk and @amye |
@michmike thank you for your reply.
Static Application Security Testing (SAST): Not all linters will be considered in this category; gosec is one of the many SAST tools that can be utilised for Go projects. Thanks to the project team for enabling gosec yesterday ( projectcontour/contour#2526 ) and fixing the argument injection vulnerability. gosec is a great tool and the false positives can be reduced by configuring the tool properly.
Dynamic Application Security Testing (DAST): Tools under this category can be used to test APIs, not just web applications.
Open Source Software (OSS) Security: CVE issues are not only associated with the OS packages but also with the application dependencies, including the Go modules (e.g. CVE-2020-12118). gosec can't scan for Common Vulnerabilities and Exposures (CVE) in OSS; it scans for Common Weakness Enumeration (CWE). |
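The distinction drawn above between CVE (known-vulnerable dependency) scanning and CWE (code-weakness) linting, as an added example that is not part of this thread or of Contour's code: a minimal dependency check that walks `go list -m all` output and compares each resolved module version against an advisory list. The module paths, CVE ids, versions and the module list are constructed placeholders; a real check would consume a live advisory feed.

```go
package main

import (
	"strconv"
	"strings"
)

// Advisory is one entry of a constructed advisory feed; Fixed is the first patched version.
type Advisory struct{ Module, CVE, Fixed string }

// Constructed sample data: placeholder module paths and CVE ids, not real advisories.
var sampleAdvisories = []Advisory{{"example.com/fakelib", "CVE-0000-0001", "v1.4.2"}, {"example.com/otherlib", "CVE-0000-0002", "v0.9.0"}}

// Constructed text in the shape of `go list -m all` output: main module first, then "path version".
const sampleModList = "example.com/app\nexample.com/fakelib v1.4.1\nexample.com/otherlib v0.9.0\nexample.com/safelib v2.0.0+incompatible"

// semverLess reports whether a < b for vMAJOR.MINOR.PATCH[-pre][+meta] as semver orders them.
func semverLess(a, b string) bool {
	parse := func(v string) (n [3]int, pre bool) {
		if i := strings.IndexAny(v, "-+"); i >= 0 { // "-rc1" is a pre-release, "+incompatible" is metadata
			pre, v = v[i] == '-', v[:i]
		}
		for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return
	}
	x, xpre := parse(a)
	y, ypre := parse(b)
	if x != y {
		return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
	}
	return xpre && !ypre // same numbers: only a pre-release sorts below its release
}

// findVulnerable reads `go list -m all` text and reports each module resolved below an advisory's
// Fixed version: a dependency (CVE) check, which a CWE linter such as gosec does not perform.
func findVulnerable(modList string, advs []Advisory) []string {
	var hits []string
	for _, line := range strings.Split(modList, "\n") {
		f := strings.Fields(line) // "path version"; the main module line has no version
		for _, a := range advs {
			if len(f) == 2 && f[0] == a.Module && semverLess(f[1], a.Fixed) {
				hits = append(hits, f[0]+"@"+f[1]+" affected by "+a.CVE+" (fixed in "+a.Fixed+")")
			}
		}
	}
	return hits
}
```

On the sample data only fakelib is reported: otherlib sits exactly at its fixed version and safelib has no advisory, which is the kind of result a binary-signature or OS-package scan of a scratch-based image cannot produce.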
Just to clarify; if this refers to the change that I think it does, there was no argument injection issue here. gosec was not able to prove that the argument used was actually a local constant, and emitted a warning. I hoisted the constant because there was no need for the indirection and it made gosec happy. There was no vulnerability here. I'd also be very happy to shepherd changes from anyone who is interested in improving Contour CI, including applying any useful static analysis tooling. |
@jpeach Thank you for your reply. The SAST tools may not always find exploitable findings, but it will help with the secure coding and to reduce the weaknesses and vulnerabilities with the applications. As an example, the NIST formally deprecated use of SHA-1 and there are secure alternatives. For exploitable findings, Pentesting and DAST tools can be more useful. |
I’m about to add my +1 on the incubation vote. Governance looks well set up and there are significant contributions from outside VMware, but just for the record I wanted to note that I’d like to see Contour working to add maintainers from other organizations going forward. |
@lizrice absolutely, that's our goal. There are a few contributors that are heavily investing in the project and are moving towards maintainer status. |
Welcome Contour, onboarding will be tracked here: cncf/sandbox#280
https://lists.cncf.io/g/cncf-toc/message/4932
+1 Binding
Note: Quorum is 10 as Jeff Brewer has been away |
This is the proposal to add Contour to the CNCF.
Name of Project: Contour
Description: Contour is an open source Kubernetes ingress controller providing the control plane for the Envoy edge and service proxy. Contour supports dynamic configuration updates and multi-team ingress delegation out of the box while maintaining a lightweight profile.
The technical due diligence document for Contour is located at https://docs.google.com/document/d/1IIUDRch-8EEbcSFVK4sNL6Op5QJkIBrJi4SwbBjXiXU/edit?usp=sharing