CNCF TOC Meeting

Mar 5, 2019

© 2018 Cloud Native Computing Foundation

LF Antitrust Policy Notice

CNCF meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at CNCF meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

Meeting Logistics

  • Meeting Minutes / Planning Doc
  • Time: Mar 5 2019 8AM (PT)
  • https://zoom.us/j/967220397
  • Or Telephone:
    • Dial:
      • +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)
      • +1 855 880 1246 (US Toll Free) or +1 877 369 0926 (US Toll Free)
    • Meeting ID: 967 220 397
    • International numbers: https://zoom.us/zoomconference

TOC - Members Present Today

Note: TOC meetings require a quorum of two-thirds of the TOC total members to take a vote or make any decision. If a TOC meeting fails to meet the quorum requirement, discussions may proceed, however there shall be no voting or decisions.

Agenda

  • Standard Agenda
    • Welcome
    • Containerd Graduation!
    • Projects and End User Community (Cheryl)
    • New CNCF Project Presentation Meetings
    • CNCF SIGs Finalization
    • Community Presentation:
      • OPA Annual Review + Incubation Review
    • CNF Test Bed
    • Community Backlog
    • Open Q&A

Congrats Containerd!

KubeCon + CloudNativeCon

  • Europe 2019 (sponsorships open until March)
    • Co-lo events now open!
    • Barcelona: May 20-23, 2019
    • FYI: Talk notifications pushed to 3/11
  • China 2019 (sponsorships)
    • Shanghai: June 24-26, 2019
  • North America 2019 (sponsorships open)
    • San Diego: November 18-21, 2019

FYI: Summer of Code + CNCF

  • Call to action for projects to submit ideas:

Project Presentation Meetings

  • We have a project backlog! :)

  • New Meeting to go through project presentation backlog:
    • 2nd Tuesday of the month @ 8am PT
    • Goal is to do 2 projects at a time at this meeting

Projects and End User Community (Cheryl)

Case studies

I would like every non-sandbox CNCF project to publish a case study in 2019. It requires a one hour interview, either over the phone or at KubeCon CloudNativeCon.

Sign up to do a case study.

Note that case studies are only for end users, i.e. organizations that do not sell cloud native services.

End User Forums

The goal is to enable CNCF projects and SIGs to meet the End User Community and gather requirements and feedback.

Project maintainers and SIG leads can sign up for a 30 minute Q&A slot.

Already scheduled: Fluentd, containerd, ContribEx/Scheduling/Multicluster SIGS, CloudEvents & Serverless WG

  • “That's a really great meeting for our work! And thanks very much for your support during the meeting :)”

CNCF SIGs

CNCF SIGs

  • The TOC has a desire to improve WGs (see CNCF SIGs Proposal)

A CNCF SIG will oversee and coordinate the interests pertaining to a logical area of needs of end users and/or projects. Examples of such areas include security, testing, observability, storage, networking, etc. The area overseen by a SIG is typically met by a set of CNCF projects, and may also represent a cross-cutting feature group shared by several projects (like security and observability). SIGs are:

  • long-lived groups that report to the Technical Oversight Committee.
  • led primarily by recognised experts in the relevant field(s), supported by other contributors.

CNCF SIGs are modelled on Kubernetes SIGS. Differences are intended to be minimal to avoid confusion - unavoidable differences are described here.

CNCF SIGs: Examples

  • Traffic (networking, service discovery, load balancing, service mesh, RPC, pubsub, etc)
    • Envoy, Linkerd, NATS, gRPC, CoreDNS, CNI
  • Observability (monitoring, logging, tracing, profiling, etc.)
    • Prometheus, OpenTracing, Fluentd, Jaeger, Cortex, OpenMetrics,
  • Governance (security, auth, authorization, auditing, policy enforcement, compliance, GDPR, cost management, etc)
    • SPIFFE, SPIRE, Open Policy Agent, Notary, TUF, Falco,
  • App Dev, Ops & Testing (PaaS, Serverless, Operators, CI/CD, Conformance, Chaos Eng, Scalability and Reliability measurement etc.)
    • Helm, CloudEvents, Telepresence, Buildpacks, (CNCF CI)
  • Core and Applied Architectures (orchestration, scheduling, container runtimes, sandboxing technologies, packaging and distribution, and specialized architectures thereof, e.g. Edge, IoT, Big Data, AI/ML, etc.)
    • Kubernetes, containerd, rkt, Harbor, Dragonfly, Virtual Kubelet
  • Storage (Block and File Stores, Databases, Key-Value stores etc)
    • TiKV, etcd, Vitess, Rook

CNCF SIGs: Next Steps

  • Let's vote on the proposal:
  • Suggest piloting CNCF SIGs with Governance/Security first:

  • Governance (security, auth, authorization, auditing, policy enforcement, compliance, GDPR, cost management, etc)
    • SPIFFE, SPIRE, Open Policy Agent, Notary, TUF, Falco,

OPA Annual/Incubation Review

Torin Sandall - openpolicyagent.org

https://github.com/cncf/toc/pull/199

Open Policy Agent (OPA)

  • OPA is a general-purpose policy engine
  • Goal: unify policy enforcement across the stack
    • Authorization: Can Identity I do Operation O on Resource R?
    • Admission control: What invariants does workload W violate?
    • Data filtering: What rows and columns should alice be allowed to read?
  • Provides a declarative language, Go library/daemon for integration, and tooling to help author/test/debug/analyze policies.
  • OPA started at Styra in 2016. Joined CNCF Sandbox in March 2018. Sponsored by Ken Owens and Brian Grant.

openpolicyagent.org

Community

Metric                March '17-'18              March '18-'19                                                        Recent velocity (approx/week)
Commits               410 commits (93% Styra)    480 commits (74.58% Styra, 7.08% Chef, 4.58% Cisco, 13.75% other)   n/a
Contributors          17                         41                                                                   n/a
Docker Hub pulls      ~80,000                    ~480,000                                                             10,000
Slack                 123                        604                                                                  15 new users
Repos w/ .rego files  n/a                        ~100                                                                 2 new repos
GitHub Stars          260                        1800                                                                 19 new stars

See CNCF's DevStats for more details.

Progress since entering Sandbox

Gatekeeper project

  • Gatekeeper (formerly known as Azure/kubernetes-policy-controller) integrates OPA and Kubernetes enabling flexible admission control policy enforcement and auditing.
  • Kicked off in January 2019 by Google, Microsoft, Styra, and others
    • Weekly community meetings with participants from Red Hat, Commonwealth Bank of Australia, Replicated HQ, Capital One, Intuit, and others.
  • Gatekeeper MVP includes:
    • Auditing capability (e.g., what resources are missing "time-to-live" annotation?)
    • Standard policy library for common use cases (e.g., ingress conflicts, label management, etc.)
    • CRDs for loading policies, instantiating policies, etc.

Gatekeeper brings new maintainers to the OPA organization from Google and Microsoft.
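The MVP items above (a missing "time-to-live" annotation, ingress conflicts) are the kind of rules OPA evaluates as a Kubernetes admission controller. The Rego policy below is an added illustration, not code from the OPA project or Gatekeeper's policy library; it assumes existing Ingress objects are cached under data.kubernetes.ingresses (e.g. replicated into OPA by a sidecar, an assumption) and ends with opa test cases over constructed AdmissionReview inputs.

```rego
# Added illustrative OPA admission policy; not from the OPA project or Gatekeeper's library.
# The API server sends an AdmissionReview as `input`; a non-empty `deny` set rejects the request.
# Assumption: existing Ingress objects are cached at data.kubernetes.ingresses[namespace][name].
package kubernetes.admission

# Rule 1 (annotation management): Deployments must carry a time-to-live annotation, so an
# audit can later find workloads that have outlived it.
deny[msg] {
    input.request.kind.kind == "Deployment"
    not input.request.object.metadata.annotations["time-to-live"]
    msg := sprintf("%v/%v: missing time-to-live annotation",
                   [input.request.namespace, input.request.object.metadata.name])
}

# Rule 2 (ingress conflicts): an Ingress may not claim a host that an Ingress in another
# namespace already serves. This rule needs cached cluster state, not just the request.
deny[msg] {
    input.request.kind.kind == "Ingress"
    some other_ns, other_name, i, j
    other := data.kubernetes.ingresses[other_ns][other_name]
    other_ns != input.request.namespace
    host := input.request.object.spec.rules[i].host
    other.spec.rules[j].host == host
    msg := sprintf("host %v already served by ingress %v/%v", [host, other_ns, other_name])
}

# Tests (`opa test policy.rego`). Inputs are constructed, minimal AdmissionReview documents.
test_deployment_without_ttl_is_denied {
    deny["payments/api: missing time-to-live annotation"] with input as {"request": {
        "kind": {"kind": "Deployment"}, "namespace": "payments",
        "object": {"metadata": {"name": "api", "annotations": {"team": "billing"}}}}}
}

test_deployment_with_ttl_is_allowed {
    count(deny) == 0 with input as {"request": {
        "kind": {"kind": "Deployment"}, "namespace": "payments",
        "object": {"metadata": {"name": "api", "annotations": {"time-to-live": "7d"}}}}}
}

test_conflicting_ingress_host_is_denied {
    existing := {"shop": {"web": {"spec": {"rules": [{"host": "shop.example.com"}]}}}}
    deny["host shop.example.com already served by ingress shop/web"] with input as {"request": {
        "kind": {"kind": "Ingress"}, "namespace": "dev",
        "object": {"spec": {"rules": [{"host": "shop.example.com"}]}}}} with data.kubernetes.ingresses as existing
}
```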

[Adopter logos grouped by stage: Production, Pre-production, Evaluating]

See KubeCon Austin '17 and Seattle '18 talks.

Use Case: Authorization

Netflix uses OPA to enforce access control in microservices across a variety of languages and frameworks for thousands of instances in their cloud infrastructure. Netflix takes advantage of OPA's ability to bring in contextual information and data from remote resources in order to evaluate policies in a flexible and consistent manner. For a description of how Netflix has architected access control with OPA, check out this talk from KubeCon Austin 2017.

Use Case: API Authorization

Chef integrates OPA to implement IAM-style access control and enumerate user->resource permissions in Chef Automate V2. The integration uses OPA's Partial Evaluation feature to reduce evaluation time (in exchange for higher update latency).

Use Case: k8s Admission Control

Intuit uses OPA as a validating and mutating admission controller to implement various security, multi-tenancy, and risk management policies across approximately 50 clusters and 1,000 namespaces. For more information on how Intuit uses OPA, see this talk from KubeCon Seattle 2018.

Use Case: k8s admission control

Uses OPA for a mix of validating and mutating admission control use cases in their Kubernetes clusters. Use cases include patching image pull secrets, load balancer properties, and tolerations based on context stored on namespaces. OPA is deployed on multiple clusters with ~100 nodes and ~300 namespaces total.

A Fortune 100 Company...

Uses OPA to implement validating admission control and fine-grained authorization policies in production on ~10 Kubernetes clusters with ~1,000 nodes. They also integrate OPA into their PKI as part of a Certificate RA that serves these clusters.

Thank you!

github.com/open-policy-agent/opa

Incubation Proposal: https://github.com/cncf/toc/pull/199

slack.openpolicyagent.org

CNF Test Bed

CNF Testbed

  • Open source initiative from CNCF (similar to CNCF.ci, DevStats)
  • Compare performance of:
    • Virtual Network Functions (VNFs) on OpenStack, and
    • Cloud native Network Functions (CNFs) on Kubernetes
  • Identical networking code packaged as:
    • containers, or virtual machines (VMs)
  • Running on top of identical on-demand hardware from the bare metal hosting company Packet
  • See presentation for more information

[Diagram: two bare-metal servers with identical hardware running identical networking code (#include); the left runs VNFs as virtual machines on OpenStack, the right runs CNFs as containers on Kubernetes]

How Can You Engage?

  • Have your engineers replicate our results from github.com/cncf/cnf-testbed with an API key from packet.com/cnf
  • Create pull requests to improve Kubernetes or OpenStack deployments
  • Create pull requests to have the CNF Testbed run on your bare metal servers or other cloud bare metal servers like AWS i3.metal
  • Package your internal network functions into VNFs and CNFs and run on your instance of the testbed
    • We don’t need to see the code but would love to see the results
  • Help improve performance running CNFs on top of virtualized hardware

Thank You!

Project Review/Backlog

  • See spreadsheets!
    • Project priorities
    • Review backlog
    • → send suggestions to TOC list

Upcoming Meetings

  • Next Meeting is March 12th
    • Community Presentation: cri-o + ?

  • Meetings are the first and third Tuesdays of the month
  • There is also a meeting the 2nd Tuesday for project presentations only

Thank You

Keycloak

https://github.com/keycloak/keycloak

Open Source Identity and Access Management

for Modern Applications and Services

https://www.keycloak.org

Stian Thorgersen (Red Hat)

Bolesław Dawidowicz (Red Hat)

What is Keycloak?

  • Open Source
  • Identity and Access Management
  • Designed for Modern Applications, APIs and Services (Cloud Native)

Keycloak Overview

Feature Highlights

  • OpenID Connect / OAuth2 Authorization Server
  • SAML 2.0 Identity Provider
  • UMA (User Managed Access) v2
  • Brokering with LDAP, OpenID Connect, SAML 2.0, custom
  • Admin REST API, UI and CLI
  • Extensible via pluggable SPIs and themes
  • Lightweight and easy to start using

Easily secure apps and services

  • Keycloak stores users, provides login screens, etc.
  • Secure applications and services with
    • Keycloak Client Adapters
    • Keycloak Client Proxy
    • OpenID Connect compatible libraries
    • SAML 2.0 compatible libraries
  • Secure your app with only a few lines of code (literally)

Clustering

Authorization Services

Istio Service Mesh

  • Istio is leveraging OpenID Connect for End User Authentication
  • Keycloak was the first provider with a working Istio integration demo
  • Participating in Istio Community Working Groups

Project Origins

  • Project started around early 2013
  • Rapid adoption thanks to ease of use and quick integration with existing applications and services

https://github.com/keycloak/keycloak/graphs/contributors

Community

  • GitHub - https://github.com/keycloak/keycloak
    • Stars: 2,847
    • Forks: 1,534
    • Commits: 11,065
    • Contributors: 279
  • Mailing lists
    • keycloak-users@jboss.org: ~300 posts/month
    • keycloak-dev@jboss.org: ~150 posts/month
  • Downloads
    • Docker jboss/keycloak pull count: 5,298,563
    • Server ZIP downloads: 3,600/month

Stats updated 28 September 2018

Website Visits

www.keycloak.org - unique visitors per week

Active Contributors

  • 20+ Red Hat staff working on the project full time
  • 70+ active contributors from a wide range of companies

Amazon*, Aitio Finland, Codegy, Eurodata AG, Airpas Aviation, Topicus, Acando, msg-systems, Stocksoftware, RedHat*, Alfresco, Cofinpro, Exponea, HealthPartners, Kisters, QSD, Nicologies, Heidelberg Mobil, Samsung*, Amplify Learning, CoreFiling, Facebook, Linkyard, Quest Software, Ocrolus, Tom Sawyer Software, Talend*, AOE, Crystalline, First8, Iris-it, MC2 DEV, Service Planet, Ordami, Cambio Healthcare Systems, Uber*, Arktekk, Cupenya, Fit2Cloud, Itesoft, Metaphor, Simacan B.V., Owlr-com, European Commission - Joint Research Center, Hitachi*, Canoo, DigitalState, GiavaCMS, Jive, Morphean, Smartling, Pandium, Polish Air Navigation Services Agency, Mesosphere*, CNRS ATILF, Equinux, GoodBytes, Kantega, Unify, SoftwareMill, Perficient, 3River Development LLC, Telekom-PD, Tradeshift, Virginia Tech, Trilogy Group, Promergent

* CNCF Members

Obtained from GitHub Profiles of contributors to https://github.com/keycloak/keycloak

Public References

Accenture; Actinver; Akvo Foundation; Appier; BISPRO; Bluestem Brands, Inc; Bundesversicherungsamt; Capgemini; Chassi; CloudNative Inc.; Copenhagen Optimization; Curecomp GmbH; Cybertech; Devsu; Devoxx / Voxxed; DUENE e.V - project; DukeCon; European Synchrotron Radiation Facility; Fluance AG; Hewlett-Packard Enterprise; Hitachi; INEAT; Inventage; ISAAC; ITROI Solutions; Kindly Ops, LLC; msg systems ag; Netdava International; Ohio Supercomputer Center; Okta; PharmaPartners B.V.; Plivo; Price Insight; Prodesan; Quest Software; Research Industrial Software Engineering (RISE); Sportsbet.com.au; Stack Labs; Storebrand; Synekus; Synetek Solutions; Taklane; TrackingSport; TRT9 - Brasil; UnitedHealthcare; + more individuals

From recent Keycloak community survey

Recognition

https://www.thoughtworks.com/radar/platforms/keycloak

Keycloak is an open source identity and access management solution that makes it easy to secure applications or microservices with little to no code.

How Keycloak is deployed

From recent Keycloak community survey

Why Keycloak fits CNCF?

  • True Open Source Developed in the Open in an Open Way
  • Healthy Community
  • Focused: resists feature creep
    • Keycloak chose not to support CAS or WS-* and to focus only on OAuth2/OIDC and SAML2
  • Embracing OpenID Connect and OAuth2 ecosystem
    • Spec of choice for Cloud Native projects
  • Aimed for Application Developers
    • Offloads developers from adding typical Auth/Authz/IdM features to their applications.
  • Lightweight, portable and easy to use both in Cloud and locally
  • Highly customizable and pluggable

What do we expect from CNCF?

  • Keycloak becoming a CNCF sandbox project :)
  • Boosting wider community adoption
    • Establishing Keycloak as the de facto OAuth2/OpenID Connect solution in open source and cloud native
  • CI infrastructure funding for per-PR testing
    • Currently using the free plan on Travis
    • Considering CNCF Cluster: github.com/cncf/cluster

Roadmap Highlights

  • Gatekeeper
    • External adapter / proxy to secure applications and services
  • Rolling upgrades
  • Storage improvements
  • Kubernetes/OpenShift Operators
  • Observability
  • Being The IdP of Choice for Istio ;)