如何選擇適當的 CNCF Project 來使用 Cloud Native Taiwan User Group 2023/11 Meetup Phil Huang CNCF Ambassador / Senior Cloud Solution Architect, Microsoft 2023/11/29

© 2023 Cloud Native Computing Foundation 2 Credited by Slide: Navigating Open Source Project Hurdles to Achieve Community Empowerment - or how the heck do you get through graduation? YouTube: https://www.youtube.com/watch?v=9jTZR7GLvzo

CNCF's Mission "Make cloud native computing ubiquitous."

© 2023 Cloud Native Computing Foundation 4 CNCF is part of the Linux Foundation The Linux Foundation is much more than Linux today We are helping global privacy and security through a program to encrypt the entire internet. Security Networking We are creating ecosystems around networking to improve agility in the evolving software- defined datacenter. Cloud We are creating a portability layer for the cloud, driving de facto standards and developing the orchestration layer for all clouds. Automotive We are creating the platform for infotainment in the auto industry that can be expanded into instrument clusters and telematics systems. Blockchain We are creating a permanent, secure distributed ledger that makes it easier to create cost- efficient, decentralized business networks. We are regularly adding projects; for the most up-to-date listing of all projects visit tlfprojects.org Web Node.js and other projects are the application development framework for next generation web, mobile, serverless, and IoT applications.

© 2023 Cloud Native Computing Foundation 5 Containers Cloud Native From Virtualization to Cloud Native ●Cloud native computing uses an open source software stack to: ○ segment applications into microservices, ○ package each part into its own container ○ and dynamically orchestrate those containers to optimize resource utilization Open Source IaaS PaaS Open Source PaaS Virtualiza- tion 2000 2001 2006 2009 2010 2011 Non- Virtualized Hardware 2013 2015 IaaS

Check Landscape v2.0 https://cncf.landscape2.io

Top 30 projects Velocity

Linux Foundation Project Velocity

CNCF Project Velocity

© 2023 Cloud Native Computing Foundation 10 創新者 “技術為主” 早期多數 “實用主義者” 落後者 “懷疑論者” “鴻溝” 晚期多數 “保守派” SANDBOX GRADUATED INCUBATING 早前採用者 “有遠見的人” CNCF Project Maturities

© 2023 Cloud Native Computing Foundation 11 CNCF Technical Oversight Committee (TOC) 1. Adoption by end users 2. Healthy rate of changes 3. Committers from multiple organizations 4. CNCF Code of Conduct 5. Maintained the OpenSSF Best Practices Badge Ref: https://github.com/cncf/toc/tree/main/process

© 2022 Cloud Native Computing Foundation 12 Sandbox Project "Joined CNCF"

© 2023 Cloud Native Computing Foundation 13 INNOVATORS “TECHIES” EARLY MAJORITY “PRAGMATISTS” LAGGARDS “SKEPTICS” “THE CHASM” LATE MAJORITY “CONSERVATIVES” SANDBOX EARLY ADOPTERS “VISIONARIES” CNCF Project Maturities: SANDBOX

© 2023 Cloud Native Computing Foundation 14 Sandbox Projects

© 2023 Cloud Native Computing Foundation 15 Governance Requirement • IP Policy requirements (遵循 CNCF 知識 產權規則) • Adopt CNCF Code of Conduct (遵守 CNCF 行為準則) • Discoverable and simple project governance Ref: https://github.com/cncf/foundation/blob/main/code-of-conduct.md • Sandbox • Incubating • Graduated

© 2023 Cloud Native Computing Foundation 16 Technical Documentation • Project goals, objectives and its differentiation in the Cloud Native landscape with supporting use cases • Need to have demos, getting started guides, and how to install and use • Sandbox • Incubating • Graduated

© 2023 Cloud Native Computing Foundation 17 Security Requirements • Document and enforce access control rules • includes 2FA, CI Infra, GitHub, Google Workspace permissions • Reporting + Triage process for security vulnerabilities • Sandbox • Incubating • Graduated

© 2023 Cloud Native Computing Foundation 18 Who Sponsor / Support The Projects

© 2022 Cloud Native Computing Foundation 19 Incubating Project "Start of survey or early adoption"

© 2023 Cloud Native Computing Foundation 20 EARLY MAJORITY “PRAGMATISTS” LAGGARDS “SKEPTICS” “THE CHASM” LATE MAJORITY “CONSERVATIVES” INCUBATING CNCF Project Maturities: INCUBATING • Production case studies • Contributor docs and processes • More stability and roadmap

© 2023 Cloud Native Computing Foundation 21 Incubating Projects

© 2023 Cloud Native Computing Foundation 22 Governance Requirement • Public documented communication channel • Up-to-date meeting schedule • Documented maintainer list • Enumerate & document subprojects • Demonstrate Contributor Growth / Pipeline • Contributor lifecycle (onboarding, offboarding, emeritus) • Sandbox • Incubating • Graduated

© 2023 Cloud Native Computing Foundation 23 Technical Documentation • Project goals, objectives and its differentiation in the Cloud Native landscape with supporting use cases • What does the project do and why • Overview of project architecture & software design • Maintain roadmap / tracking mechanism • Project release process • Regular scan or implement CI check to prevent importing dependencies with an incompatible license • Sandbox • Incubating • Graduated Ref: https://clomonitor.io/projects/cncf/keycloak#keycloak_license

© 2023 Cloud Native Computing Foundation 24 Security Requirements • Document and enforce access control rules • includes 2FA, CI Infra, GitHub, Google Workspace permissions • Security vulnerability report / triage process • Achieve a passing score of the Open SSF (Open Source Security Foundation) "Best Practices" badge • Perform and document a Security Self- Assessment • Sandbox • Incubating • Graduated Ref: https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards- badges/

© 2022 Cloud Native Computing Foundation 25 Graduated Project "Use It"

© 2023 Cloud Native Computing Foundation 26 EARLY MAJORITY “PRAGMATISTS” LAGGARDS “SKEPTICS” LATE MAJORITY “CONSERVATIVES” GRADUATED CNCF Project Maturities: GRADUATED • Committer and vendor diversity • Full committer lifecycle, emeritus members

© 2023 Cloud Native Computing Foundation 27 Graduated Projects

© 2023 Cloud Native Computing Foundation 28 Governance Requirement • Public documented communication channel • Up-to-date meeting schedule • Documented maintainer list • Enumerate & document subprojects • Demonstrate Contributor Growth / Pipeline • Contributor lifecycle (onboarding, offboarding, emeritus) • Subproject leadership process documented • Sandbox • Incubating • Graduated

© 2023 Cloud Native Computing Foundation 29 Technical Documentation • Project goals, objectives and its differentiation in the Cloud Native landscape with supporting use cases • What does the project do and why • Overview of project architecture & software design • Maintain roadmap / tracking mechanism • Project release process • Regular scan or implement CI check to prevent importing dependencies with an incompatible license • Roadmap change process • Sandbox • Incubating • Graduated Ref: https://clomonitor.io/projects/cncf/keycloak#keycloak_license

© 2023 Cloud Native Computing Foundation 30 Security Requirements • Document and enforce access control rules • includes 2FA, CI Infra, GitHub, Google Workspace permissions • Security vulnerability report / triage process • Achieve a passing score of the Open SSF (Open Secure Security Foundation) "Best Practices" badge • Perform and document a Security Self- Assessment • Third Party Security Audit • Resolve all High & Critical Flaws Discovered in Security Audit • Sandbox • Incubating • Graduated Ref: https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards- badges/

Thanks