Securing 5G Control Plane using KubeArmor. [ref1] [ref2]
## Application Process Principles
### Required
- [x] **Give a presentation and engage with the domain specific TAG(s) to increase awareness**
KubeArmor was presented to WG Policy in TAG Security on 2021-06-09, and can be discovered at YT Link.
- [ ] **TAG provides insight/recommendation of the project in the context of the landscape**
To be completed by TAG Security.
- [x] **All project metadata and resources are [vendor-neutral](https://contribute.cncf.io/maintainers/community/vendor-neutrality/).**
Yes
- [ ] **Review and acknowledgement of expectations for [Sandbox](https://sandbox.cncf.io) projects and requirements for moving forward through the CNCF Maturity levels.**
Handled as part of https://github.com/cncf/toc/issues/752
- [ ] **Due Diligence Review.**
Completion of this due diligence document, resolution of concerns raised, and presentation for public comment satisfies the Due Diligence Review criteria.
TBD by TOC Sponsor
- [x] **Additional documentation as appropriate for project type, e.g.: installation documentation, end user documentation, reference implementation and/or code samples.**
- End User Documentation - https://docs.kubearmor.io/kubearmor/
- Architecture - https://github.com/kubearmor/KubeArmor/blob/main/contribution/KubeArmor%20Design.pdf
## Governance and Maintainers
Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.
### Suggested
- [x] **Clear and discoverable project governance documentation.**
[Project Governance](https://github.com/KubeArmor/KubeArmor/blob/main/GOVERNANCE.md)
- [x] **Governance has continuously been iterated upon by the project as a result of their experience applying it, with the governance history demonstrating evolution of maturity alongside the project's maturity evolution.**
Initial maintainers were primarily from AccuKnox. We now have independent maintainers and a few other contributors who are shaping up to take ownership of individual modules. KubeArmor now has [8 Maintainers](https://github.com/KubeArmor/KubeArmor/blob/main/MAINTAINERS.md#project-maintainers) from 4 organizations and 6 Committers from 4 organizations.
### Required
- [x] **Document complete list of current maintainers, including names, contact information, domain of responsibility, and affiliation.**
Complete list of current maintainers can be found at [MAINTAINERS.md](https://github.com/KubeArmor/KubeArmor/blob/main/MAINTAINERS.md#project-maintainers)
- [x] **A number of active maintainers which is appropriate to the size and scope of the project.**
KubeArmor now has [8 Maintainers](https://github.com/KubeArmor/KubeArmor/blob/main/MAINTAINERS.md#project-maintainers) from 4 organizations
- [x] **Code and Doc ownership in Github and elsewhere matches documented governance roles.**
[Github Teams reflect the documented roles](https://github.com/orgs/kubearmor/teams/maintainers)
- [x] **Document agreement that project will adopt CNCF Code of Conduct.**
KubeArmor adopts [CNCF Code of Conduct](https://github.com/kubearmor/KubeArmor/blob/main/CODE_OF_CONDUCT.md)
- [x] **CNCF Code of Conduct is cross-linked from other governance documents.**
Code of Conduct referenced in [GOVERNANCE.md](https://github.com/kubearmor/KubeArmor/blob/main/GOVERNANCE.md#code-of-conduct)
- [x] **All subprojects, if any, are listed.**
NA
## Contributors and Community
Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.
### Suggested
NA
### Required
- [x] **Clearly defined and discoverable process to submit issues or changes.**
[CONTRIBUTING.md](https://github.com/kubearmor/kubearmor/blob/main/CONTRIBUTING.md)
- [x] **Project must have, and document, at least one public communications channel for users and/or contributors.**
Slack Link documented in [README](https://github.com/kubearmor/KubeArmor/tree/main?tab=readme-ov-file#contributors-busts_in_silhouette)
- [x] **List and document all project communication channels, including subprojects (mail list/slack/etc.). List any non-public communications channels and what their special purpose is.**
All KubeArmor communications are public
- [x] **Up-to-date public meeting schedulers and/or integration with CNCF calendar.**
Community Meetings are documented in [README](https://github.com/kubearmor/KubeArmor/tree/main?tab=readme-ov-file#contributors-busts_in_silhouette)
We have held biweekly community meetings consistently (52 in total since Sep 2021); the community has not skipped a single meeting since its inception. The meeting records can be found [here](https://docs.google.com/document/d/1IqIIG9Vz-PYpbUwrH0u99KYEM1mtnYe6BHrson4NqEs/edit).
- [x] **Documentation of how to contribute, with increasing detail as the project matures.**
[CONTRIBUTING.md](https://github.com/kubearmor/kubearmor/blob/main/CONTRIBUTING.md)
- [x] **Demonstrate contributor activity and recruitment.**
The KubeArmor devstats page and dashboards can be found [here](https://kubearmor.devstats.cncf.io/d/8/dashboards?orgId=1&refresh=15m&search=open).
- The community has significantly grown since the project entered the CNCF sandbox.
- Number of contributors: 30+ -> **150+**
- Github stars: 100+ -> **1070+**
- Github forks: 30+ -> **265**
- Contributing organizations: 5+ -> **30+**
- [New PRs in last year](https://kubearmor.devstats.cncf.io/d/15/new-prs-in-repository-groups?orgId=1)
- KubeArmor maintainer team has mentored more than 10 candidates as part of LFX and GSoC mentorships.
According to devstats, KubeArmor currently has [252](https://kubearmor.devstats.cncf.io/d/18/overall-project-statistics-table?orgId=1) contributors from [40](https://kubearmor.devstats.cncf.io/d/5/companies-table?orgId=1) companies belonging to 15 countries.
According to kubearmor.devstats.cncf.io, the project has averaged [~100 contributions from around ~16 contributors](https://kubearmor.devstats.cncf.io/d/74/contributions-chart?orgId=1&var-period=m&var-metric=commits&var-repogroup_name=All&var-country_name=All&var-company_name=All&var-company=all) per month, contained within [30 merged PRs](https://kubearmor.devstats.cncf.io/d/74/contributions-chart?orgId=1&var-period=m&var-metric=mergedprs&var-repogroup_name=All&var-country_name=All&var-company_name=All&var-company=all&from=now-1y&to=now-9d) per month on average over the last year.
## Engineering Principles
### Suggested
- [x] **History of regular, quality releases.**
KubeArmor uses the [semantic versioning scheme](https://semver.org/#semantic-versioning-specification-semver).
KubeArmor follows a release cadence of roughly one release every two months, with version numbers in MAJOR.MINOR.PATCH format. The latest release is v1.3.5.
Releases are documented at: https://github.com/KubeArmor/KubeArmor/releases.
### Required
- [x] **Document project goals and objectives that illustrate the project’s differentiation in the Cloud Native landscape as well as outlines how this project fulfills an outstanding need and/or solves a problem differently.**
KubeArmor supports inline mitigation for preventing attacks. [Differentiation Document](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/differentiation.md)
- [x] **Document what the project does, and why it does it - including viable cloud native use cases.**
All KubeArmor use cases are documented and kept up to date at https://github.com/kubearmor/KubeArmor/blob/main/getting-started/use-cases/hardening.md
- [x] **Document and maintain a public roadmap or other forward looking planning document or tracking mechanism.**
The backlog/roadmap for KubeArmor can be found [here](https://github.com/orgs/kubearmor/projects/9/views/1).
- [x] **Document overview of project architecture and software design that demonstrates viable cloud native use cases, as part of the project's documentation.**
KubeArmor's design and architecture are documented at https://github.com/kubearmor/KubeArmor/blob/main/contribution/KubeArmor%20Design.pdf
- [x] **Document the project's release process.**
KubeArmor Release Process is documented as part of [Release Wiki](https://github.com/kubearmor/KubeArmor/wiki/KubeArmor-manual-tests-before-releases)
## Security
Note: this section may be augmented by a joint assessment performed by TAG Security.
### Required
- [x] **Clearly defined and discoverable process to report security issues.**
See [SECURITY.md](https://github.com/KubeArmor/KubeArmor/blob/main/SECURITY.md)
- [x] **Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)**
We follow security practices based on the [OpenSSF Security Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/kubearmor/KubeArmor), which includes:
- Branch Protection
- Token Permissions
- SAST
- CI Best Practices
- [x] **Document assignment of security response roles and how reports are handled.**
See [SECURITY.md](https://github.com/KubeArmor/KubeArmor/blob/main/SECURITY.md). All Maintainers are responsible for reacting to incident reports.
- [ ] **Document Security Self-Assessment.**
In Progress as part of https://github.com/kubearmor/KubeArmor/issues/1186
- [x] **Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.**
https://www.bestpractices.dev/en/projects/5401
## Ecosystem
### Required
- [x] **Publicly documented list of adopters, which may indicate their adoption level (dev/trialing, prod, etc.)**
Adoption of KubeArmor is tracked in our [ADOPTERS.md](https://github.com/kubearmor/kubearmor/blob/main/ADOPTERS.md) file.
Owing to the nature of security software, only a small subset are willing to be listed.
- [x] **Used in appropriate capacity by at least 3 independent + indirect/direct adopters, (these are not required to be in the publicly documented list of adopters)**
Yes
The project provided the TOC with a list of adopters for verification of use of the project at the level expected, i.e. production use for graduation, dev/test for incubation.
- [ ] **TOC verification of adopters.**
Refer to the Adoption portion of this document.
- [x] **Clearly documented integrations and/or compatibility with other CNCF projects as well as non-CNCF projects.**
- KubeArmor provides a way to enforce security in a Kubernetes-native way by leveraging the Kubernetes resource model.
- KubeArmor has integrations with many CNCF and LF projects, including:
- Helm (Installation)
- OpenTelemetry
- OpenHorizon
- Kubernetes PolicyReport CRD
- Nephio
## Additional Information
### KubeArmor Incubation Application
v1.5 This template provides the project with a framework to inform the TOC of their conformance to the Incubation Level Criteria.
- Project Repo(s): https://github.com/kubearmor/KubeArmor
- Project Site: https://kubearmor.io/
- Sub-Projects: NA
- Communication: https://join.slack.com/t/kubearmor/shared_invite/zt-2bhlgoxw1-WTLMm_ica8PIhhNBNr2GfA
Project points of contact:
- Barun Acharya (@daemon1024, barun1024@gmail.com)
- Rudraksh Pareek (@DelusionalOptimist, rudrakshpareek3601@gmail.com)
- Rahul Jadhav (@nyrahul, nyrahul@gmail.com)
### Incubation Criteria Summary for KubeArmor
### Adoption Assertion
The project has been adopted by the following organizations in a testing and integration or production capacity:
Adoption of KubeArmor is tracked in our ADOPTERS.md file.
Owing to the nature of security software, only a small subset are willing to be listed.
Beyond this, we have received interests from other organizations such as: