As highlighted at the recent KubeCon + CloudNativeCon EU 2024 conference, the number of CNCF graduated projects has reached twenty-six, as CloudEvents and Falco join the "boring but safe list of projects".
Jorge Castro, Open Source Community Manager in the Developer Division at CNCF, stated at the event that "CNCF Graduate Projects is a division of the foundation where you can find battle-proven, production-ready tools." InfoQ investigated several of these newly graduated CNCF projects and spoke with their contributors.
CloudEvents is a core specification used in many projects, both within the open-source community and in enterprises. Within CNCF, CloudEvents adopters include Argo, Falco, Harbor, Knative and Serverless Workflow.
Given that CloudEvents is a standard built for interoperability, for which predictability is key, the project promises to maintain its stability. Proof of this commitment is the slow pace of releases: the latest version, 1.0.2, was released in 2022, and the previous version, 1.0.1, in 2020.
After completing the basic specification, the CloudEvents team discussed how to register event sinks and sources. From this effort of the Serverless WG, xRegistry was born. It aims to develop a standard set of APIs for registries, enabling common tool development and interoperability between registries. Unlike CloudEvents, this project's iteration pace will be quite fast.
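The interoperability the CloudEvents section describes rests on a small set of required context attributes (specversion, id, source, type) and two HTTP bindings: binary mode, where attributes travel as ce-* headers, and structured mode, where the whole event is a JSON envelope. The following consumer-side parser is an added example written for this article, not code from the CloudEvents project; the header dictionaries, event ids and payloads are constructed sample input. Beyond the bare spec, it shows the (source, id) uniqueness rule being used for duplicate suppression, which is what a receiver needs to reject replayed or redelivered events.

```python
"""Parse and validate CloudEvents 1.0 messages received over HTTP (added example)."""
import base64
import json
import re
from dataclasses import dataclass

# Context attributes the spec makes REQUIRED; everything else is optional or an extension.
REQUIRED = ("specversion", "id", "source", "type")
# Attribute names SHOULD be lowercase alphanumerics, at most 20 characters.
ATTR_NAME = re.compile(r"^[a-z0-9]{1,20}$")
STRUCTURED_CT = "application/cloudevents+json"


class CloudEventError(ValueError):
    """Raised for any message that is not a valid CloudEvent."""


@dataclass
class CloudEvent:
    attributes: dict
    data: object = None


def _validate(attrs: dict) -> dict:
    """Enforce the required attributes and naming rules of the 1.0 spec."""
    for name in REQUIRED:
        value = attrs.get(name)
        if not isinstance(value, str) or value == "":
            raise CloudEventError(f"missing or empty required attribute {name!r}")
    if attrs["specversion"] != "1.0":
        raise CloudEventError(f"unsupported specversion {attrs['specversion']!r}")
    for name in attrs:
        if not ATTR_NAME.match(name):
            raise CloudEventError(f"invalid attribute name {name!r}")
    return attrs


def parse_http(headers: dict, body: bytes) -> CloudEvent:
    """Decode an HTTP request in either binary or structured content mode."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ctype = h.get("content-type", "")
    if ctype.split(";")[0].strip() == STRUCTURED_CT:
        # Structured mode: the body is a JSON envelope holding attributes plus data.
        try:
            env = json.loads(body)
        except ValueError as exc:
            raise CloudEventError(f"malformed JSON envelope: {exc}") from exc
        if not isinstance(env, dict):
            raise CloudEventError("envelope must be a JSON object")
        if "data" in env and "data_base64" in env:
            raise CloudEventError("data and data_base64 are mutually exclusive")
        data = env.pop("data", None)
        if "data_base64" in env:
            data = base64.b64decode(env.pop("data_base64"))
        return CloudEvent(_validate(env), data)
    # Binary mode: each context attribute is a ce-<name> header; the payload is the body
    # and its media type is carried by the ordinary Content-Type header.
    attrs = {k[3:]: v for k, v in h.items() if k.startswith("ce-")}
    if ctype:
        attrs["datacontenttype"] = ctype
    return CloudEvent(_validate(attrs), body if body else None)


def is_valid(headers: dict, body: bytes) -> bool:
    """Convenience predicate for callers that only need accept/reject."""
    try:
        parse_http(headers, body)
        return True
    except CloudEventError:
        return False


class DedupSink:
    """The spec says (source, id) MUST be unique per producer, so a receiver can use
    that pair to drop duplicates caused by at-least-once delivery or replay."""

    def __init__(self):
        self._seen = set()

    def accept(self, event: CloudEvent) -> bool:
        key = (event.attributes["source"], event.attributes["id"])
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


# Constructed sample messages (not captured from any real system).
BINARY_HEADERS = {
    "ce-specversion": "1.0",
    "ce-id": "A234-1234-1234",
    "ce-type": "com.example.someevent",
    "ce-source": "/mycontext",
    "Content-Type": "application/json",
}
BINARY_BODY = b'{"hello":"world"}'
STRUCTURED_HEADERS = {"Content-Type": "application/cloudevents+json; charset=utf-8"}
STRUCTURED_BODY = (
    b'{"specversion":"1.0","id":"B56-1","type":"com.example.someevent",'
    b'"source":"/mycontext","data":{"hello":"world"}}'
)

if __name__ == "__main__":
    sink = DedupSink()
    for hdrs, body in ((BINARY_HEADERS, BINARY_BODY), (STRUCTURED_HEADERS, STRUCTURED_BODY)):
        ev = parse_http(hdrs, body)
        print(ev.attributes["id"], "accepted" if sink.accept(ev) else "duplicate")
```

Both content modes decode to the same `CloudEvent` shape, which is the point of the binding: a sink does not care whether a producer chose headers or a JSON envelope. The dedup key deliberately uses `source` together with `id`, because ids are only guaranteed unique within one producer.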
Falco is a cloud-native runtime security tool designed for Linux systems. It evaluates custom rules against kernel events in its core, enriches matches with container and Kubernetes metadata, and raises real-time alerts.
Falco recently underwent a due diligence process with the CNCF Technical Oversight Committee (TOC) before officially leaving incubation status. The project also completed a third-party security audit and supported the process of allowing CNCF projects to include GPL-licensed Linux kernel modules alongside eBPF code.
During KubeCon, the team released its roadmap for version 1.0.0, promising that the main features will become even more robust. To ensure that this sign of maturity and stability is not merely symbolic, the team aims to provide standardized feature and deprecation policies that would allow users to identify which features are stable and to predict when features will be deprecated. Among the features undergoing consolidation and standardization are the CLI arguments and the falco.yaml structure.
In the future, Falco aims to implement deeper integrations across a wide range of developer touch points. This will mean more discovery, richer signals, and deeper integrations with tools like version control systems and cloud logging.
Cilium is the first project from the cloud-native networking space to graduate. Version 1.15 brings new features such as Gateway API support for routing traffic into your cluster and session authentication for BGP. This is a beta release, and according to Christina Kim, who is responsible for the developer experience at Isovalent, no date has been set for when the feature will come out of beta, as the project depends on community input.
Given the growing complexity of the project, the team will next work on its sustainability, moving from "one big initialization and configuration to a more loosely coupled design of mostly self-contained modules."
Tetragon is one of the younger projects within Cilium, says Natália Ivánkó, Tetragon product manager. Jeremy Colvin, Security Technical Marketing Specialist at Cilium, described Tetragon as "your crystal ball or kernel scout: observes all events and performs or overrides certain actions based on rules. For improved performance, it doesn't work on every event, but only on those that stand out as unusual."
Although still in the beta phase, Tetragon is used by companies such as GitHub, Palantir, Bell and Nationwide, according to posts on the project's website.
KEDA released version 2.13 in January, bringing changes to authentication, including support for GCP Secret Manager and ConfigMap support in TriggerAuthentication, new AWS authentication, SAS token authentication for the Azure Storage scalers, and workload identity authentication for Azure Pipelines.
The 2.13 release also removed previously deprecated code in the Azure Data Explorer scaler (the clientSecret parameter) and discontinued support for Azure AD Pod Identity-based authentication.
Changes have also been made on the observability side, especially for scaled objects: Prometheus metrics for ScaledJob resources are now exposed, including paused ones.
Linkerd added mesh expansion in version 2.15. This feature allows developers to integrate off-cluster systems running on legacy VMs or elsewhere in the network. According to Flynn, one of the project's contributors, the newly joined resources can communicate over the network in a secure, reliable, visible and completely transparent way. Flynn went on to state that the prerequisites for mesh expansion are running a Linux system and having a direct network connection to the cluster network.
Asked about the future of the project, the team promised that version 2.16 will use a new micro-proxy written in Rust for even better performance.
Other projects in the CNCF ecosystem are also moving forward. Fluent Bit version 3 has been released, bringing better performance and support for HTTP/2, gRPC, and a SQL log processor. Version 1.29 of the Envoy proxy added an HTTP Basic authentication extension (RFC 7617) and promises 10-25% faster configuration parsing at startup thanks to a new protobuf hashing algorithm. Flux completed its second security audit with no new CVEs discovered, and the project also announced version 2.2.0, the first generally available (GA) version.