private-distributors-list: add DaoCloud

[pacoxu]

Actively monitored security email alias for our project: kubernetes-security@daocloud.io

1. Be an actively maintained and CNCF-certified distribution of Kubernetes components. DaoCloud is in the list of https://www.cncf.io/certification/software-conformance/

• and we also maintain an open-source project kubean(which is a kubespray operator, and now a CNCF Sandbox project). It is listed in Certified Kubernetes - Installer part of the page above.

2. Have a user base not limited to your own organization. Yes

3. Have a publicly verifiable track record up to the present day of fixing security issues.

• We tried to extend the kubernetes long-term support at https://github.com/klts-io/kubernetes-lts. And we will try to help in WG-LTS after the workgroup is revived.
• We have submitted several CVEs to hackone. One of them is https://hackerone.com/reports/867699 by Kebe from Daocloud.

4. Not be a downstream or rebuild of another distribution. No.

5. Be a participant and active contributor in the community. https://k8s.devstats.cncf.io/d/9/companies-table?orgId=1 DaoCloud ranks 7th in kubernetes community contributions in history, and top 5 if only counting recent 3 years.

Some of the active contributors from DaoCloud in the community:

• @pacoxu member of Kubernetes Steering Committee; kubeadm maintainer; sig-node reviewer; v1.31 release signal team lead;
• @windsonsea is sig doc approver and rank 3rd contributor to the website project.
• @wzshiming kwok(sig-scheduling & sig autoscaling sponsored subproject) maintainer; sig node reviewer; also a etcd member that is working on https://github.com/etcd-io/auger.
• @kerthcet sig scheduling approver and kueue approver, also working wg-serving & LWS & kube-scheduler-wasm-extension.
• @carlory is now SIG Storage and CSI Reviewer, kubeadm reviewer, also sig-testing.
• @my-git9 sig doc zh approver: commit number ranks 5th in k/website project.
• @mengjiao-liu wg-structured-logging chair, sig instrumentation reviewer, sig-doc zh approver & en reviewer
• @Zhuzhenghao @kinzhi are SIG-DOC-ZH reviewers
  • Most Chinese blogs after 2022 are translated by DaoCloud's contributors.
• @yankay kubespray(subproject) maintainer; we also have @cyclinder @ErikJiang two kubespray reviewers
• some active contributors like @cyclinder (sig network & kubepsray, also Calico Big Cat/ambassador) @bzsuni @Fish-pro @lengrongfu @liyuerich @B1F030(intern for half a year on Kueue project.)

Besides code contributions, we also organized several KCD and KCS in China including KCS China 2023, KCD Beijing 2021&2023, KCD Shanghai 2021&2024, KCD Chengdu 2022 and KCD Shenzhen 2023.

• @pacoxu is the co-chair of KubeCon China 2024. I also worked in LFAPAC SIG Education on mentoring new contributors in China.
• @Iceber who is CNCF ambassador and containerd/clusterpedia/wasmcloud maintainer, lead the organization of recent several KCDs.
• @windsonsea is CNCF ambassador.

Most of the SIG maintainer talks in KubeCon China 2023 are by DaoClouder, including SIG-Scheduling, SIG-Node, SIG-Instrumentation, Kubespray, KWOK sessions.

BTW, we also try to maintain kube lts version in https://github.com/klts-io/kubernetes-lts for an extended period, and it is open-source and only focus on high value CVEs currently.

6. Accept the Embargo Policy.

Yes.

7. Be willing to contribute back.

yes

8. Have someone already on the list vouch for the person requesting membership on behalf of your distribution. VMware and Microsoft below.

• [ ] https://github.com/kubernetes/k8s.io/pull/5361: add kubernetes-security@daocloud.io to https://github.com/kubernetes/k8s.io/blob/main/groups/committee-security-response/groups.yaml

More information can be found in https://github.com/DaoCloud (we add more information about projects that were founded or maintained by DaoClouder there), https://www.daocloud.io/en/ and https://docs.daocloud.io/en/.

[pacoxu]

/cc @puerco @ritazh

[neolit123]

DaoCloud ranks top 10 in kubernetes community contributions.

+1 to be added

@neolit123 (VMware)

[ritazh]

+1

@ritazh (Microsoft)

[pacoxu]

ack

[pacoxu]

@kubernetes/security-response-committee any update?

[enj]

@kubernetes/security-response-committee any update?

I haven't forgotten, just haven't had time to update distributor requirements.

[pacoxu]

Updated some new approvers/reviewers in Kubernetes Community from DaoCloud.

[pacoxu]

@kubernetes/security-response-committee ACK

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[pacoxu]

/remove-lifecycle stale still valid in progress

[pacoxu]

I haven't forgotten, just haven't had time to update distributor requirements.

@enj do we have any new requirements for being in the private distributor list? So I can evaluate them and add them to our action items.