Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Donate Contour to CNCF #330

Merged
merged 8 commits into from Jul 7, 2020
Merged

Donate Contour to CNCF #330

merged 8 commits into from Jul 7, 2020

Conversation

michmike
Copy link
Contributor

@michmike michmike commented Jan 7, 2020

This is the proposal to add Contour to the CNCF.

Name of Project: Contour
Description: Contour is an open source Kubernetes ingress controller providing the control plane for the Envoy edge and service proxy.​ Contour supports dynamic configuration updates and multi-team ingress delegation out of the box while maintaining a lightweight profile.

The technical due diligence document for Contour is located at https://docs.google.com/document/d/1IIUDRch-8EEbcSFVK4sNL6Op5QJkIBrJi4SwbBjXiXU/edit?usp=sharing

@monadic
Copy link
Contributor

@monadic monadic commented Jan 7, 2020

Happy to help and support

@caniszczyk caniszczyk requested a review from mattklein123 Jan 7, 2020
@caniszczyk caniszczyk added this to In progress (due diligence/presentation) in Initial Project Triage & Sandbox Projects Backlog via automation Jan 7, 2020
@caniszczyk
Copy link
Contributor

@caniszczyk caniszczyk commented Jan 7, 2020

Thanks @michmike !

@monadic so you're interested in sponsoring?

@mattklein123 is there a reason something like this wouldn't just become an Envoy sub project or would you prefer for it to be a standalone project?

@monadic
Copy link
Contributor

@monadic monadic commented Jan 7, 2020

Yes I am interested

@mattklein123
Copy link
Contributor

@mattklein123 mattklein123 commented Jan 7, 2020

@mattklein123 is there a reason something like this wouldn't just become an Envoy sub project or would you prefer for it to be a standalone project?

I discussed this with the Contour team. There are pros/cons to both scenarios. On the pro side, it's very closely aligned with Envoy and would make a great official addition to the ecosystem. On the con side, we don't have any process within the project for doing something like this and would have to develop it. Additionally, it's unclear how this would effect the overall ecosystem of Contour competitors. Overall, I think going into the CNCF directly is simpler. We can always change things later depending on how things evolve IMO.

I'm happy to help sponsor this also along with @monadic

@michmike
Copy link
Contributor Author

@michmike michmike commented Jan 7, 2020

@mattklein123 and @monadic , i will add you as our TOC sponsors. thank you!
@caniszczyk , that's a really good question and something we explored with the Envoy team. Like Matt mentioned, going to CNCF is simpler and provides a clear path towards open governance

@jbeda jbeda added incubation new project and removed sandbox labels Jan 7, 2020
proposals/contour.adoc Outdated Show resolved Hide resolved
@amye amye moved this from In progress (due diligence/presentation) to SIG Review in Initial Project Triage & Sandbox Projects Backlog Jan 8, 2020
proposals/contour.adoc Outdated Show resolved Hide resolved
@erinaboyd
Copy link
Contributor

@erinaboyd erinaboyd commented Feb 19, 2020

@lizrice @amye Does this need to go back through the SIGs?
I noticed a footnote from January 8th but haven't seen an update since then.
It would also need to get new sponsors since Alexis is now no longer able to sponsor.
Thoughts?

@amye
Copy link
Contributor

@amye amye commented Feb 19, 2020

This is in SIG-Network for review.

@michmike
Copy link
Contributor Author

@michmike michmike commented Mar 19, 2020

@leecalcote and CNCF-SIG-Network team, the technical due diligence document for Contour is located at https://docs.google.com/document/d/1IIUDRch-8EEbcSFVK4sNL6Op5QJkIBrJi4SwbBjXiXU/edit?usp=sharing. we look forward to your feedback

@amye
Copy link
Contributor

@amye amye commented Apr 17, 2020

@kenowens12: any updates here?

@mattklein123
Copy link
Contributor

@mattklein123 mattklein123 commented Apr 18, 2020

@amye I'm doing some private DD with Contour users. I need a bit more time to complete that. Thank you!

@amye
Copy link
Contributor

@amye amye commented May 7, 2020

@mattklein123: Checking in here, any movement?

@amye amye removed this from Needs SIG Review & Recommendation in Initial Project Triage & Sandbox Projects Backlog May 7, 2020
@amye amye added this to Needs SIG Review & Recommendation in Incubation Projects Backlog May 7, 2020
@amye amye moved this from Needs SIG Review & Recommendation to Needs TOC Review & Sponsor in Incubation Projects Backlog May 7, 2020
@caniszczyk
Copy link
Contributor

@caniszczyk caniszczyk commented May 11, 2020

@mattklein123 friendly ping while Amye is out on vacation, you OK with kicking off an incubating vote?

https://docs.google.com/document/d/1IIUDRch-8EEbcSFVK4sNL6Op5QJkIBrJi4SwbBjXiXU/edit

@VinodAnandan
Copy link

@VinodAnandan VinodAnandan commented May 11, 2020

Which process is this submission following? Is this ready for public comments?

@caniszczyk caniszczyk moved this from Needs TOC Review & Sponsor to In Due Diligence in Incubation Projects Backlog May 11, 2020
@caniszczyk
Copy link
Contributor

@caniszczyk caniszczyk commented May 11, 2020

@VinodAnandan https://github.com/cncf/toc/blob/master/process/project_proposals.adoc#incubation-process

It's been ready for public comment since March 19th
#330 (comment)

TOC Incubation Sponsor determines when DD is “done” and I believe @mattklein123 is making that call this week after syncing up last week.

@VinodAnandan
Copy link

@VinodAnandan VinodAnandan commented May 11, 2020

If I haven't misunderstood, the comment link you have posted is asking feedback from @leecalcote and SIG Network. If a DD is not "done", how can someone ask for public comments? Who is responsible to notify the mailing lists to get public comments. How long a DD should wait for the public comments? Going through the documents I have multiple comments, I just want to verify that the TOCs have already approved the DD ("done").

@mattklein123
Copy link
Contributor

@mattklein123 mattklein123 commented May 12, 2020

I was planning on calling for the vote today/tomorrow. I had assumed that people that wanted to comment would have already done so either on the DD document or in this PR. If that's not the case, let's have a few days for public comments and we can do the vote next Monday.

@VinodAnandan and community, fire away!

@amye amye moved this from In Due Diligence to In Public Comment Period in Incubation Projects Backlog May 12, 2020
@VinodAnandan
Copy link

@VinodAnandan VinodAnandan commented May 12, 2020

@mattklein123 Thanks for completing the due diligence.

This submission was just moved to the "In Public Comment Period" column and the public comment announcement was sent before 3 hours. As per the official process, the Due Diligence review is 2-6 weeks. It's a bit unusual that the particular submission was a bit out of normal from the beginning itself.

In the document, the mission statement says that "To be the most secure, performant, scalable, and available ingress controller" but when I checked the landscape ( https://github.com/projectcontour/community/blob/master/LANDSCAPE.md ), Contour is the only one without authentication, why wasn't the authentication a priority in version 1.0?

Where can I find a high-level roadmap for the project?

When I compared the GitHub popularity with other projects mentioned in the landscape, both the current numbers and trend is the lowest compared to other projects mentioned there. Has this been reviewed and are there any plans to improve?

What are the organizations other than VMware that are officially contributing to the Contour Project?

How is the "count author" value mentioned in the document calculated?

Is there any document/links to find and that are highlighting the details of recent (6 months, 1 year ) contribution stats?

I noticed that the main two external contributors mentioned in the table have stopped contributing recently? Is there any specific reason for it ( changing sponsoring company etc? )

At the time of the submission ( 7 Jan ) of this project, I have checked for the Governance document and I couldn't find one at that time and it seems like there is a new document created on 18 Mar. Is this acceptable from the TOC?

@michmike
Copy link
Contributor Author

@michmike michmike commented May 14, 2020

Hi @VinodAnandan, thank you for reading through our documentation and asking insightful questions. My name is Michael Michael, and I am one of the maintainers of Contour. I am also a long standing contributor in CNCF projects as a maintainer of Harbor as well as a chair in a Kubernetes SIG. I will try to address all your concerns. Feel free to ping me in private (i am @m2 on the CNCF and the K8s Slack channels) or continue the discussion here on followup items.

This submission was just moved to the "In Public Comment Period" column and the public comment announcement was sent before 3 hours. As per the official process, the Due Diligence review is 2-6 weeks. It's a bit unusual that the particular submissions were a bit out of normal from the beginning itself.

It is true the due diligence period needs to be 2-6 weeks. We started the due diligence with the TOC and CNCF sig-network on Jan 16th. Then, all the documents were ready and available for DD review on March 19th. You are correct that the email to the TOC mailing list did not go out until yesterday. We are not trying to short-circuit the process. If anyone has feedback, we would love to hear it.

In the document, the mission statement says that "To be the most secure, performant, scalable, and available ingress controller" but when I checked the landscape ( https://github.com/projectcontour/community/blob/master/LANDSCAPE.md ), Contour is the only one without authentication, why wasn't the authentication a priority in version 1.0?

I would like to separate the is a product secure question from does a product have feature x. There is a difference between intrinsic security (is the system itself secure) and security features. We could build in a WAF but that would be out of scope for Contour and not aligned with our vision. The important thing we would like to note is that the features Contour delivers are done securely. A great example is being able to run the control plane in different pods (perhaps on different nodes with different service accounts) so that if an envoy is compromised it doesn't get privileged (TLS secret) access to the rest of the cluster. That type of architecture was designed with security, availability and scalability in mind. Authentication is a feature that you can add on top of ingress, and this is one of the highest priority items for us to work on next. You can view additional design and implementation details on supporting auth in Contour here.

Where can I find a high-level roadmap for the project?

The due diligence document has a section on releases and roadmap, ultimately pointing to https://github.com/projectcontour/contour/blob/master/RELEASES.md. The Contour team maintains an up-to-date project board where our prioritized backlog and what we plan to work on next is viewable. We also have additional “parking lots” where we have grouped features that are of similar priority. We intend to work on these features after we go through the prioritized backlog. We develop Contour in the open, and more than a few times a user request has come in, we evaluated it, and decided it was important for us to work on it immediately due to the impact to the community.

When I compared the GitHub popularity with other projects mentioned in the landscape, both the current numbers and trend is the lowest compared to other projects mentioned there. Has this been reviewed and are there any plans to improve?

From the Contour perspective, we develop the project in the open and we are open to any and all contributors. We also created a philosophy document to outline how we engage with the community and the table stakes that Contour has set in terms of our vision and goals.

What are the organizations other than VMware that are officially contributing to the Contour Project?

These are outlined in the “Key Health Statistics” section of the DD document. VMware is the main contributor to Contour, but as you can see, we are not the only ones. For example, Tero Saarni (@tsaarni) from Ericsson, drove two key sets of features: client auth so users can use certificates to validate access from outside the cluster and the automatic refresh of secrets with Contour<>Envoy.

How is the "count author" value mentioned in the document calculated?

The count author is a total count of all PRs, Issues, Commits by a github user

Is there any document/links to find and that are highlighting the details of recent (6 months, 1 year ) contribution stats?

If you are asking for contribution stats and dates per individual user, we don’t have that handy. It is not hard to compute, but it does involve manual labor to create out of the github APIs. What we do have though is charts on the contributions by date for VMware and non-VMware contributors and those are included in the DD document. Those charts go back 2 years.

I noticed that the main two external contributors mentioned in the table have stopped contributing recently? Is there any specific reason for it ( changing sponsoring company etc? )

Maybe it is possible they got the features they wanted/needed. We don’t have all the information on company associations since some of the data is private and not shared by the github API.

At the time of the submission ( 7 Jan ) of this project, I have checked for the Governance document and I couldn't find one at that time and it seems like there is a new document created on 18 Mar. Is this acceptable from the TOC?

That is a question for the TOC. We were always operating Contour with that governance in mind, we just never put it down on paper. The DD process offered a great checklist and reminder to ensure we document and follow best practices on operating healthy open source projects.

@VinodAnandan
Copy link

@VinodAnandan VinodAnandan commented May 15, 2020

Hi @michmike thank you very much for your reply.

As per the CNCF TOC approved process https://github.com/cncf/toc/blob/master/process/project_proposals.adoc#incubation-process , Due Diligence : 2-3 months, Due Diligence review : 2-6 weeks, TOC vote : up to 6 weeks, and I believe this is for a submission which completely meets criteria, it may take even more time ( NATS is waiting 1.5+ years) for projects which don't meet all criteria at the time of submission.

I am not quite sure how to make the "most secure" software without having the basic security functionalities like authentication. And I don't believe that comparing authentication and WAF is appropriate. If you are saying that the project is achieving "most secure" by secure software development practice, could you please let us know

  • Where is the threat model for the project?
  • What are the SAST tools (e.g: gosec ) /service project use?
  • What are the DAST tools (e.g: Zap ) /service project use?
  • What are the OSS security scanning tools/service project use?
  • How many public pentest has been completed? Where can we find the reports?

Why is the adopter file empty? ( https://github.com/projectcontour/contour/blob/master/ADOPTERS.md )

Where can we find three independent end users interviews?

Have the CNCF staff completed the governance and legal DD?

@michmike
Copy link
Contributor Author

@michmike michmike commented May 15, 2020

I am not quite sure how to make the "most secure" software without having the basic security functionalities like authentication. And I don't believe that comparing authentication and WAF is appropriate. If you are saying that the project is achieving "most secure" by secure software development practice, could you please let us know

Contour is secure for the features we deliver. With this specific example in mind, if you want to front end your K8s services with auth, that's not a feature Contour has today. We are working on it and will deliver it soon because it is an important feature, but it is still just a feature. Contour can be an excellent and functional ingress controller with or without it. We are adding auth not because it would make Contour more secure, because it really will not. Auth will make users’ services more secure and it is an important feature to our community.

Where is the threat model for the project?

We don’t have a threat model to share publicly. If and when we are accepted into the CNCF, we will work with sig-security on an assessment to Contour. That’s a very valuable exercise and I have been through it with Harbor.

What are the SAST tools (e.g: gosec ) /service project use?

We execute a variety of static analysis tools. I have listed them below. We also periodically run gosec, but it has way too many false positives and has not impressed us as a tool. You have a valid point though and we are going to immediately enable gosec as part of the PR process/checks.

bodyclose: checks whether HTTP response body is closed successfully [fast: true, auto-fix: false]
deadcode: Finds unused code [fast: true, auto-fix: false]
errcheck: Errcheck is a program for checking for unchecked errors in go programs. These unchecked errors can be critical bugs in some cases [fast: true, auto-fix: false]
goimports: Goimports does everything that gofmt does. Additionally it checks unused imports [fast: true, auto-fix: true]
gosimple (megacheck): Linter for Go source code that specializes in simplifying a code [fast: true, auto-fix: false]
govet (vet, vetshadow): Vet examines Go source code and reports suspicious constructs, such as Printf calls whose arguments do not align with the format string [fast: true, auto-fix: false]
ineffassign: Detects when assignments to existing variables are not used [fast: true, auto-fix: false]
misspell: Finds commonly misspelled English words in comments [fast: true, auto-fix: true]
staticcheck (megacheck): Staticcheck is a go vet on steroids, applying a ton of static analysis checks [fast: true, auto-fix: false]
structcheck: Finds unused struct fields [fast: true, auto-fix: false]
typecheck: Like the front-end of a Go compiler, parses and type-checks Go code [fast: true, auto-fix: false]
unconvert: Remove unnecessary type conversions [fast: true, auto-fix: false]
unparam: Reports unused function parameters [fast: true, auto-fix: false]
unused (megacheck): Checks Go code for unused constants, variables, functions and types [fast: false, auto-fix: false]
varcheck: Finds unused global variables and constants [fast: true, auto-fix: false]

What are the DAST tools (e.g: Zap ) /service project use?

We have not used any DAST tools because Contour is not a web application. It does not listen to user requests, it is not vulnerable to cross-site scripting attacks, as it has no user-facing functionality aside from the Kubernetes API

What are the OSS security scanning tools/service project use?

We don’t use any security scanning tools on a daily basis. However, we periodically use gosec as mentioned above and have also verified our container images using vulnerability scanners. However, those vulnerability scanners can’t properly scan Contour because there is no underlying operating system in our container image. It is just our binaries in there. What they can do is check the binary signature of Contour and make sure no vulnerabilities are reported for Contour in NVD databases. We have zero such CVEs currently and we plan to follow our established security process if a vulnerability is reported.

How many public pentest has been completed? Where can we find the reports?

We have not had a public pentest yet, as that is part of the requirements for going to graduation stage. We look forward to potentially partnering with CNCF and Cure53 on a security audit.

Why is the adopter file empty? ( https://github.com/projectcontour/contour/blob/master/ADOPTERS.md ) Where can we find three independent end users interviews?

We are working with some of our users on filling in details in our adopters file. From the CNCF criteria, this is a graduation stage criterion. Matt Klein from the TOC has conducted private interviews with Contour users to satisfy the incubation criteria. Even though some enterprises don’t want to be named publicly as users of Contour, Adobe, PhishLabs, kintone.io, Replicated, and Kinvolk have all been using Contour and talked or tweeted about it publicly. This thread also has additional customer testimonials.

Have the CNCF staff completed the governance and legal DD?

I can’t speak for the CNCF staff. That’s a question for @caniszczyk and @amye

@VinodAnandan
Copy link

@VinodAnandan VinodAnandan commented May 16, 2020

@michmike thank you for your reply.

Static Application Security Testing (SAST): Not all linter will be considered in this category, gosec is one of the many SAST tools that can be utilised for go projects. Thanks to the project team for enabling the gosec yesterday ( projectcontour/contour#2526 ) and fixing the argument injection vulnerability. The gosec is a great tool and the false positive can be reduced by configuring the tool properly.

Dynamic Application Security Testing (DAST): Tools under this category can be used to test APIs not just web applications.

Open Source Software (OSS) Security (CVE) issues are not only associated to the OS packages but also with the application dependencies including the go modules (e.g: CVE-2020-12118), gosec can't scan for the Common Vulnerabilities and Exposures (CVE) with OSS, it scans for the Common Weakness Enumeration (CWE).

@jpeach
Copy link

@jpeach jpeach commented May 16, 2020

Thanks to the project team for enabling the gosec yesterday ( projectcontour/contour#2526 ) and fixing the argument injection vulnerability.

Just to clarify; if this refers to the change that I think it does, there was no argument injection issue here. gosec was not able to prove that the argument used was actually a local constant, and emitted a warning. I hoisted the constant because there was no need for the indirection and it made gosec happy. There was no vulnerability here.

I'd also be very happy to shepherd changes from anyone who is interested in improving Contour CI, including applying any useful static analysis tooling.

@VinodAnandan
Copy link

@VinodAnandan VinodAnandan commented May 26, 2020

@jpeach Thank you for your reply. The SAST tools may not always find exploitable findings, but it will help with the secure coding and to reduce the weaknesses and vulnerabilities with the applications. As an example, the NIST formally deprecated use of SHA-1 and there are secure alternatives. For exploitable findings, Pentesting and DAST tools can be more useful.

@lizrice
Copy link
Contributor

@lizrice lizrice commented Jun 2, 2020

I’m about to add my +1 on the incubation vote.

Governance looks well set up and there are significant contributions from outside VMware, but just for the record I wanted to note that I’d like to see Contour working to add maintainers from other organizations going forward.

@michmike
Copy link
Contributor Author

@michmike michmike commented Jun 2, 2020

@lizrice absolutely, that's our goal. There are a few contributors that are heavily investing in the project and are moving towards maintainer status.

@amye amye moved this from In Public Comment Period to Needs TOC Vote in Incubation Projects Backlog Jun 4, 2020
@caniszczyk caniszczyk merged commit 8be0b8b into cncf:master Jul 7, 2020
@caniszczyk
Copy link
Contributor

@caniszczyk caniszczyk commented Jul 7, 2020

Welcome contour, onboarding will be tracked here: #483

https://lists.cncf.io/g/cncf-toc/message/4932

+1 Binding: note: Quorum is 10 as Jeff Brewer has been away
Matt Klein: https://lists.cncf.io/g/cncf-toc/message/4737
Alena Prokharchyk: https://lists.cncf.io/g/cncf-toc/message/4748
Liz Rice: https://lists.cncf.io/g/cncf-toc/message/4770
Sheng Liang: https://lists.cncf.io/g/cncf-toc/message/4771
Justin Cormack: https://lists.cncf.io/g/cncf-toc/message/4776
Michelle Noorali: https://lists.cncf.io/g/cncf-toc/message/4855
Brendan Burns: https://lists.cncf.io/g/cncf-toc/message/4858
Saad Ali: https://lists.cncf.io/g/cncf-toc/message/4864

@amye amye moved this from Needs TOC Vote to Done in Incubation Projects Backlog Jul 9, 2020
@amye amye removed this from Done in Incubation Projects Backlog Jul 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
incubation new project tag-network
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet