Proposing Keptn to become an Incubation project

[jetzlstorfer]

This is a proposal to consider Keptn as a CNCF Incubation project.

Since joining the CNCF Sandbox, Keptn has made substantial progress in various dimensions, including user adoption, feature set, ecosystem growth, and community growth, as described in detail in the proposal document.

If anything is missing, please let me know and I'm happy to provide more details!

[Jenniferstrej]

Could you provide a link to a resource that fulfills the following requirement of the Incubating Stage - "Clearly documented security processes explaining how to report security issues to the project, and describing how the project provides updated releases or patches to resolve security vulnerabilities". Thanks!

[Jenniferstrej]

Were these contributions in the form of commits on Github? I have looked at the closed PRs (currently at 2,794) and over 2000 are from one organization (Dynatrace) + Robots. Could you give me a few examples of collaborations within different orgs/community?

[jetzlstorfer]

This is based on the official statistics from CNCF devstats. It is true that most contributions are affiliated with Dynatrace, however, the project has profound contributions by other companies including ERT, Garner Cop, ChaosNative/LitmusChaos, VMWare, and Kitopi as well.

I am referencing some PRs from different organizations that have been substantially contributing to the project:

• support for external MongoDB submitted by Kitopi Update control-plane charts with parameters for external mongodb keptn/keptn#2842
• hardening of naming conventions submitted by Mattermost shipyard-controller: check service name lenght to not be bigger than 53 chars keptn/keptn#3005
• contributions for improving the Prometheus integration by LitmusChaos contributors (list of PRs) https://github.com/keptn-contrib/prometheus-service/pulls?q=is%3Apr+author%3Arajdas98
• contributions to the Keptn CLI by LitmusChaos contributors (list of PRs) https://github.com/keptn/keptn/pulls?q=is%3Apr+author%3ADarthBenro008+
• contributions on Keptn API and CLI by ERT (list of PRs) https://github.com/keptn/keptn/pulls?q=is%3Apr+author%3Acheckelmann+is%3Aclosed
• improvements to Helm charts of Keptn by Absa (list of PRs) https://github.com/keptn/keptn/pulls?q=is%3Apr+author%3Adonovanmuller+is%3Aclosed

[Jenniferstrej]

Re Schlumberger - According to the definition of end-user, I’m not sure Schlumberger qualifies under "but do not sell any cloud native services externally", given they are also a Software vendor: https://partners.amazonaws.com/partners/001E000000xHbWRIA0/Schlumberger https://www.slb.com/newsroom/press-release/2021/pr-2021-0629-slb-ibm-osdu

I emailed [email protected] and will verify with the TOC if that's the case.

[Jenniferstrej]

I verified and this submission has at least three other companies that I would qualify as end users, so the project is still fulfilling this requirement.

[Jenniferstrej]

Verified that Schlumberger here qualifies as an end user. 👍

[amye]

I've responded but just to follow up here, the definition of end-user is only applied for CNCF members.
Here, what's needed is adopters of the project, and the video's a good example.

[jetzlstorfer]

Could you provide a link to a resource that fulfills the following requirement of the Incubating Stage - "Clearly documented security processes explaining how to report security issues to the project, and describing how the project provides updated releases or patches to resolve security vulnerabilities". Thanks!

Hi @Jenniferstrej please find our security process here https://github.com/keptn/keptn/blob/master/SECURITY.md and our published vulnerability bulletins can be found here https://keptn.sh/docs/news/vulnerability_bulletins/

[jetzlstorfer]

Due diligence document: https://docs.google.com/document/d/14qFAc6kxhWX_JLMUKddgELcymaRw6jmhsq0OYxrHtc0/edit#

[cdavisafc]

I will be TOC sponsor. Will begin post Kubecon

[oleg-nenashev]

Hi @cdavisafc! Just to follow up on the emails I've sent, I will be coordinating this proposal on the Keptn community side. It would be great to sync-up with you and check the current status together. I see the formal incubation requirements but I'm not yet familiar with the CNCF practices

[oleg-nenashev]

Just a few updates to address the topics brought up during the previous conversations with the TOC:

• Adoption. Growing Keptn adoption is our priority and my main responsibility at Dynatrace. Currently we have 14 company adopters whose names we can share. We also have 64 running Keptn Instances regularly receiving updates from the public update centers, there are also airgapped instances. There are multiple other companies evaluating Keptn now.
• Roadmap. We updated the Keptn Roadmap to include initiatives beyond project features. Now the roadmap includes user and developer community growth initiatives, as well as other items like onboarding documentation and messaging updates. We are adjusting the feedback based on feedback from the adopters, and we use Keptn user group meetings to collect feedback from users on the current state and the roadmap.
• Ecosystem. We extend integrations with other CNCF projects, including but not limited to Helm, Prometheus, CloudEvents, OpenTelemetry, Crossplane. We introduced generic Webhook and Job Executor services to enable custom integrations created by users. We also contribute to the Continuous Delivery Foundation Events SIG that is working on the CD Events standard based on CloudEvents. All these initiatives allow to facilitate Keptn adoption and to provide seamless integration into environment following the CNCF best practices.
• Sustainability. We prioritized Keptn long-term sustainability, and we are committed to fostering a diverse and vendor neutral community. Effective January, there will be a non-Dynatrace core maintainer in the project. We are also working on onboarding more contributors from other companies. We adjust community processes to enable other companies and vendors to participate. Hopefully, we will have another Keptn vendor joining the community by Kubecon.
• Security. Keptn’s 3rd party security audit by the CNCF partner is scheduled to February. I am also working on making available results of the internal audit and aligning the security processes with the standards defined in the Core Infrastructure Initiative requirements. We also work on strengthening the projects security, including the ongoing work on RBAC support in the project. See KEP-60: KEP 60 - Role-based Access Control (RBAC) keptn/enhancement-proposals#60

[abdennour]

Appreciated guys! Thanks for the open source SRE tool