As highlighted at the recent KubeCon and CloudNativeCon EU 2024 conference, the count of CNCF graduated projects has reached twenty-six, as CloudEvents and Falco joined the "boring, but safe project list".
Jorge Castro, open-source community manager and developer relations at CNCF, stated at the event that "the CNCF graduated projects are the department of the foundation where you can find tools that are battle-proven and ready for production." InfoQ explored several of these new CNCF projects and spoke to their contributors.
CloudEvents is a foundational specification used in many projects, both within the open-source community and in enterprises. Within the CNCF, CloudEvents adopters include Argo, Falco, Harbor, Knative, and Serverless Workflow.
Given that CloudEvents is an interoperability standard, for which predictability is key, the project promises to maintain its stability. Its slow release rhythm is proof of that steadiness: the latest version, 1.0.2, was released in 2022, and the version before that, 1.0.1, in 2020.
After finishing the core spec, the CloudEvents team debated how to register event sinks and event sources. Out of that effort within the Serverless WG, xRegistry emerged. It aims to develop a standard set of APIs for registries, allowing for the development of common tooling and interoperability between registries. In contrast to CloudEvents, this project's iteration pace will be quite rapid.
Falco is a cloud-native security tool designed for Linux systems. It employs custom rules on kernel events, which are enriched with container and Kubernetes metadata, to provide real-time alerts.
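To illustrate what "custom rules on kernel events, enriched with container and Kubernetes metadata" looks like in practice, here is a small Falco rules file added as an example for this article; it is not part of the original text or of Falco's own default rule set. The list and macros are defined locally so the file is self-contained, and the namespace names and the image field usage are assumed placeholders that a team would adapt to its own cluster.

```yaml
# Added example (not from the article or from Falco's default rules):
# a custom rule that fires when an interactive shell is executed inside a
# container running in a namespace that should never host ad hoc sessions.
# The condition combines a kernel event (execve/execveat), container
# metadata (container.id, container.image.repository) and Kubernetes
# metadata (k8s.ns.name, k8s.pod.name). Namespace names are assumed.
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# Match the exit of an exec syscall, i.e. a new process image was loaded.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# Falco reports container.id as "host" for processes outside any container.
- macro: container
  condition: container.id != host

# Assumed placeholder namespaces; adapt to the cluster being monitored.
- macro: sensitive_namespaces
  condition: k8s.ns.name in (kube-system, payments)

- rule: Interactive shell in sensitive namespace
  desc: >
    An interactive shell (one attached to a TTY) was started inside a
    container that runs in a namespace where ad hoc sessions are not
    expected. This is a detection signal, not a block: Falco alerts,
    it does not prevent the exec.
  condition: >
    spawned_process and container and sensitive_namespaces
    and proc.name in (shell_binaries) and proc.tty != 0
  output: >
    Interactive shell in sensitive namespace
    (user=%user.name command=%proc.cmdline parent=%proc.pname
    container_id=%container.id image=%container.image.repository
    namespace=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, kubernetes]
```

Dropping the `proc.tty != 0` clause would also catch non-interactive shells launched by scripts and health checks, which is usually far noisier; tuning that trade-off per namespace is the typical way such a rule is hardened.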
Falco recently underwent a due diligence process with the CNCF Technical Oversight Committee (TOC) before officially graduating from incubating status. It also completed a third-party security audit and supported the process of allowing CNCF projects to include GPL-licensed Linux kernel modules alongside the eBPF code.
During KubeCon, the team published their roadmap for version 1.0.0, promising that the main features will be even more robust. To ensure that this sign of maturity and stability is not only symbolic, the team aims to provide standardized features and deprecation policies that would allow users to recognize which features are stable and to anticipate when features will be deprecated. Among the features undergoing consolidation and standardization are the CLI arguments and the falco.yaml structure.
In the future, Falco aims to implement deeper integrations across a wide variety of developer touchpoints. This will mean more detections, richer signals, and deeper integrations with tooling such as version control systems and cloud logging.
Cilium is the first project from the cloud-native networking space to graduate. Version 1.15 brings new features such as Gateway API support for routing traffic into your cluster, and session authentication for BGP. This version is a beta release, and according to Christine Kim, who is responsible for developer experience at Isovalent, there is no date set for when the feature will get out of beta, given that the project depends on the input of the community.
Given the growing complexity of the project, the team will work next on its maintainability, moving from "one-large initialization and configuration to a more loosely coupled design of mostly self-contained modules."
Tetragon is one of the younger projects within Cilium, according to Natália Ivánkó, product manager of Tetragon. Jeremy Colvin, technical marketing specialist on security at Cilium, described Tetragon as "your crystal ball or scout in the kernel: observes all the events and based on rules it enforces or overrides particular actions. For improved performance, it doesn't act on each event, but only on those that stand out as being out of the ordinary."
Even though it is still in beta, Tetragon is used by companies like GitHub, Palantir, Bell and Nationwide, according to postings on the project's website.
Keda released version 2.13 in January, bringing changes in the authentication, including support for GCP Secret Manager and config map in trigger authentication, new AWS authentication, SAS token authentication for Azure Storage scalers and workload identity authentication for Azure Pipelines.
For the 2.13 release, Keda removed the previously deprecated clientSecret code in the Azure Data Explorer scaler and deprecated support for Azure AD Pod Identity-based authentication.
Changes were also made on the observability side, especially for scaled objects: Prometheus metrics for ScaledJob resources are now exposed, including paused ones.
Linkerd added mesh expansion in version 2.15. This feature allows developers to integrate off-cluster systems running on legacy VMs or elsewhere into the mesh. According to Flynn, one of the project’s contributors, the newly meshed resources can communicate across the network in a secure, reliable, observable and fully transparent manner. Flynn further stated that the prerequisites of extending the mesh are running a Linux system and having direct network connectivity with your mesh.
Asked about the future of the project, the team promised that version 2.16 would use a new Rust-built micro proxy for even more performance.
Other projects in the CNCF ecosystem are evolving as well. FluentBit version 3 was released, bringing more performance and support for HTTP/2, gRPC and a SQL log processor. Version 1.29 of Envoy proxy added an HTTP Basic authentication extension (RFC 7617) and promised faster configuration parsing, up to 10-25% at startup, due to a new protobuf hashing algorithm. Flux completed its second security audit without any new CVEs being discovered, and the project also announced version 2.2.0, the first generally available (GA) version.