CNCF Adds 2 Projects to Better Secure Containers
At the Open Source Summit Europe 2017 conference today, the Cloud Native Computing Foundation (CNCF) announced it is adding two projects to its portfolio to address the security of container images and the way software is distributed and updated.
Notary, the 13th project taken on by the CNCG, provides a mechanism to create, manage and distribute the metadata needed to ensure the integrity and freshness of content. It is based on an implementation of The Update Framework (TUF), a tool for distributing software releases and updates that have become the 14th project overseen by CNCF.
Written in the Go programming language, Notary was developed by Docker Inc. Collectively, Notary and TUF provide a client and a pair of server applications to host signed metadata and perform limited signing functions that replace GnuPG, a now-archaic approach to adding developer signatures to components based on the OpenPGP standard, says Chris Aniszczyk, COO of CNCF.
Given the rise of containers, Aniszczyk says it’s become apparent that there’s a need for a more facile way to manage signatures. Both Enterprise and Community Editions for Docker Platform as well as the Moby Project, Huawei, Motorola Solutions, VMWare, LinuxKit, Quay and Kubernetes have implemented Notary/TUF. By making the two a CNCF project operating under the auspices of The Linux Foundation, there will be much broader adoption of a common framework for securing and verifying container images, he says.
Now that the Kubernetes project overseen by the CNCF has become a de facto standard for container orchestration, Aniszczyk says the CNCF will be focusing more of its efforts in the 13 other projects it now oversees. Those projects include:
- Prometheus: a container monitoring tool
- OpenTracing: an application programming interface (API) for tracking dependencies among microservices based on containers
- Fluentd: a standard mechanism for collecting data
- Linkerd: a proxy used for service discovery and routing to applications
- gRPC: a standard implementation of a remote procedure call (RPC) with multiple applications
- CoreDNS: an implementation of a domain name server (DNS) optimized for container environments
- Containerd: a standard implementation of a container run-time
- Rkt: a container engine originally developed by CoreOS to address specific security issues
- CNI: an implementation of networking interface for containers
- Envoy: an implementation of a service mesh designed to act as a service and edge proxy
- Jaeger: a tracing system for mapping dependencies across a distributed environment
As the CNCF pours more resources into these other areas, pressure on vendors that specialize in them is likely to increase. For example, Aniszczyk says the open-source Envoy offering competes with similar capabilities being provided by NGINX.
Similarly, there is no shortage of container monitoring tools being offered by multiple vendors. Aniszczyk says the CNCF is also working on developing a container storage interface (CSI) that will create a standard means for attaching persistent storage to a container orchestration engine.
The scope and reach of CNCF projects is likely to increase. Not all those projects will result in code that can be directly consumed by an enterprise, and many of these projects are similar to Linux in that a commercial distribution will act as a curator that smooths out the rough edges while also managing ongoing updates. But over time, vendors that compete in areas that CNCF is looking to standardize will have challenges competing against what now amounts to 141 vendors that are all contributing code to various CNCF projects.