search

cncf / sandbox

Applications for Sandbox go here! β³πŸ“¦πŸ§ͺ
Apache License 2.0
129 stars 21 forks source link

[Sandbox] stacker #73

Closed rchamarthy closed 2 months ago

rchamarthy commented 9 months ago

Application contact emails

ravi@chamarthy.dev rchincha@cisco.com

Project Summary

a vendor-neutral OCI-native container image builder

Project Description

Software supply chain security is front and center in the minds of all security practitioners, especially given vital US government compliance requirements. stacker and OCI registries such as zot (a CNCF sandbox project) make a vendor-neutral end-to-end (build, publish, deploy) secure software supply chain viable.

Differentiation:

  1. stacker is general-purpose and can be used for any programming language environment
  2. stacker is vendor-neutral and strictly conforms to OCI specs
  3. SBOM generation and strict validation is part of the image building process itself instead of a post-processing step
  4. stacker can consume, publish and co-locate these artifacts with the container images using OCI refererrers
  5. stacker's capabilities are a superset of other commonly used tools such as docker and podman
  6. Container images and artifacts generated by stacker along with a OCI-native registry such as zot are readily compatible with the rest of the container and Kubernetes ecosystem in terms of deployment and enforcement of security policies

Org repo URL (provide if all repos under the org are in scope of the application)

https://github.com/project-stacker

Project repo URL in scope of application

https://github.com/project-stacker/stacker

Additional repos in scope of the application

https://github.com/project-stacker/stacker-bom https://github.com/project-stacker/stacker-build-push-action

Website URL

https://stackerbuild.io

Roadmap

https://github.com/orgs/project-stacker/projects/1

Roadmap context

Contributing Guide

https://github.com/project-stacker/stacker/blob/main/CONTRIBUTING.md

Code of Conduct (CoC)

https://github.com/project-stacker/stacker/blob/main/CODE_OF_CONDUCT.md

Adopters

https://github.com/project-stacker/stacker/blob/main/ADOPTERS.md

Contributing or Sponsoring Org

https://www.cisco.com

Maintainers file

https://github.com/project-stacker/stacker/blob/main/MAINTAINERS.md

IP Policy

Trademark and accounts

Why CNCF?

The goals of this project are compatible with CNCF.

Benefit to the Landscape

  1. Vendor-neutral since strong conformance to OCI specs
  2. Helps meet secure software supply chain requirements

Cloud Native 'Fit'

"Application Definition & Image Build"

Container images are the defacto application lifecycle mechanism in the cloud native world making CNCF a great fit for this project since it can also be readily used to meet secure software supply chain requirements in a vendor-neutral fashion.

Cloud Native 'Integration'

Although stacker is a standalone tool, the container images and artifacts it produces can be stored on OCI registries such as zot and deployed in Kubernetes. Furthermore, the artifacts such as SBOMs that it produces can be used for policy enforcement using tools such as Kyverno.

Cloud Native Overlap

Similarities:

  1. https://www.cncf.io/projects/ko/ - ko can also generate OCI images but are specific to certain programming languages
  2. https://github.com/oras-project/oras - oras can push and pull OCI images, however they cannot build them

Similar projects

Similar projects:

https://github.com/containers/buildah https://github.com/docker/buildx

Landscape

yes

Business Product or Service to Project separation

N/A

Project presentations

https://github.com/project-stacker/stacker#conference-talks

Project champions

Stephen Augustus - https://github.com/justaugustus

Additional information

No response

jberkus commented 9 months ago

What is the main reason for this project to be in CNCF, instead of in OCI?

rchincha commented 9 months ago

@jberkus Indeed, there is an overlap and arguments as follows:

Belongs in OCI because it primarily deals with OCI specs. However, beyond the under-the-hood implementation detail, constrained by ecosystem and use cases.

Belongs in CNCF because the use cases in terms of build, deploy, policy enforcement of container images are arguably under the purvey of CNCF due to various projects and broader use cases - Kubernetes, registries, Kyverno etc. Hence, the following is a good fit. https://landscape.cncf.io/card-mode?category=application-definition-image-build&grouping=category

Full disclosure - stacker is the from the same team that submitted zot (https://www.cncf.io/projects/zot/) and pairs/interacts well with the latter. Furthermore, along with Kyverno (https://kyverno.io/docs/security/#fetching-the-sbom-for-kyverno), enables a OCI-based (hence vendor neutral) end-to-end software provenance pipeline.

rchincha commented 4 months ago

https://github.com/kubernetes/kubernetes/issues/121742 ^ another data point why a tool such as stacker is needed.

Also, with recent PRs merged, stacker project is in a much better shape to tackle software supply chain security aligning with OCI artifacts work, meaning, it can produce both container images and sboms - enforcing that "everything must be accounted for" during build stage itself.

https://stackerbuild.io/v1.0.0/user_guide/generate_sbom/

rchincha commented 4 months ago

"Landscape: no" updated to "yes"

https://landscape.cncf.io/?item=app-definition-and-development--application-definition-image-build--stacker

jberkus commented 3 months ago

TAG-CS note:

Project stacker currently has:

rchincha commented 3 months ago

@jberkus

no written governance (yet)

^ is this a blocker?

jberkus commented 3 months ago

@rchincha Incoming Sandbox projects are not required to have written governance. It is a credit to the project if they do have one, and if the project is a single-company project, having a good written governance may reassure the TOC around product/project separation.

mrbobbytables commented 3 months ago

Follow-up from today's sandbox review, Stacker will be moved to a vote. πŸ‘ But please coordinate a project review with TAG-Runtime /vote

git-vote[bot] commented 3 months ago

Vote created

@mrbobbytables has called for a vote on [Sandbox] stacker (#73).

The members of the following teams have binding votes: Team
@cncf/cncf-toc

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

In favor Against Abstain
πŸ‘ πŸ‘Ž πŸ‘€

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 2months 30days 2h 52m 48s. It will pass if at least 66% of the users with binding votes vote In favor πŸ‘. Once it's closed, results will be published here as a new comment.

mrbobbytables commented 3 months ago

/check-vote

git-vote[bot] commented 3 months ago

Vote status

So far 9.09% of the users with binding vote are in favor (passing threshold: 66%).

Summary

In favor Against Abstain Not voted
1 0 0 10

Binding votes (1)

User Vote Timestamp
TheFoxAtWork In favor 2024-06-12 18:22:12.0 +00:00:00
@dims Pending
@rochaporto Pending
@angellk Pending
@mauilion Pending
@linsun Pending
@dzolotusky Pending
@kevin-wangzefeng Pending
@cathyhongzhang Pending
@nikhita Pending
@kgamanji Pending

Non-binding votes (1)

 | User | Vote | Timestamp | | ---- | :---: | :-------: | | ramizpolic | In favor | 2024-06-15 18:43:34.0 +00:00:00 |
mrbobbytables commented 3 months ago

/check-vote

git-vote[bot] commented 3 months ago

Votes can only be checked once a day.

mrbobbytables commented 3 months ago

/check-vote

git-vote[bot] commented 3 months ago

Vote status

So far 81.82% of the users with binding vote are in favor (passing threshold: 66%).

Summary

In favor Against Abstain Not voted
9 0 0 2

Binding votes (9)

User Vote Timestamp
kevin-wangzefeng In favor 2024-06-18 3:54:07.0 +00:00:00
dzolotusky In favor 2024-06-18 5:13:08.0 +00:00:00
angellk In favor 2024-06-18 13:11:48.0 +00:00:00
linsun In favor 2024-06-18 14:26:33.0 +00:00:00
TheFoxAtWork In favor 2024-06-12 18:22:12.0 +00:00:00
nikhita In favor 2024-06-18 4:32:44.0 +00:00:00
rochaporto In favor 2024-06-18 7:59:05.0 +00:00:00
dims In favor 2024-06-18 13:47:59.0 +00:00:00
kgamanji In favor 2024-06-18 6:38:17.0 +00:00:00
@mauilion Pending
@cathyhongzhang Pending

Non-binding votes (1)

 | User | Vote | Timestamp | | ---- | :---: | :-------: | | ramizpolic | In favor | 2024-06-15 18:43:34.0 +00:00:00 |
git-vote[bot] commented 3 months ago

Vote closed

The vote passed! πŸŽ‰

81.82% of the users with binding vote were in favor (passing threshold: 66%).

Summary

In favor Against Abstain Not voted
9 0 0 2

Binding votes (9)

User Vote Timestamp
@dzolotusky In favor 2024-06-18 5:13:08.0 +00:00:00
@nikhita In favor 2024-06-18 4:32:44.0 +00:00:00
@angellk In favor 2024-06-18 13:11:48.0 +00:00:00
@kevin-wangzefeng In favor 2024-06-18 3:54:07.0 +00:00:00
@rochaporto In favor 2024-06-18 7:59:05.0 +00:00:00
@dims In favor 2024-06-18 13:47:59.0 +00:00:00
@kgamanji In favor 2024-06-18 6:38:17.0 +00:00:00
@linsun In favor 2024-06-18 14:26:33.0 +00:00:00
@TheFoxAtWork In favor 2024-06-12 18:22:12.0 +00:00:00

Non-binding votes (1)

 | User | Vote | Timestamp | | ---- | :---: | :-------: | | @ramizpolic | In favor | 2024-06-15 18:43:34.0 +00:00:00 |
Cmierly commented 2 months ago

Hello and congrats on being accepted as a CNCF Sandbox project!

Here is the link to your onboarding task list: https://github.com/cncf/sandbox/issues/140

Feel free to reach out with any questions you might have!