Proposing Falco for graduation #641
Conversation
Signed-off-by: Leonardo Di Donato <[email protected]>
|
strong plus 1 from me, i'll reserve my opinions on exactly why i think this should happen for another day. regardless of the reasoning - i do passionately believe this should happen. |
|
+1 from me. I've returned to using Falco the last few weeks, the project is solid, the documentation is helpful, the developers/maintainers are accessible, passionate and the community team is great making Falco well suited for graduation and for the de-facto tool in Cloud Native landscape for container security IMO! |
|
I agree with @rikatz - +1 from me. Falco has proven itself as an incredibly stable tool that we have made a standard on our clusters. The team is one of the most helpful OSS project teams I have dealt with, you can see the growth and support from the team on how they have addressed issues over the years, updated documentation, and they add additional support with tools like Sidekick and the Sidekick UI. This project deserves graduation, I think it deserved consideration a long time ago :) |
|
+1. We've been putting Falco to work @Shopify and have been very happy with the project's evolution. In particular, the maintainers have been uncommonly kind and responsive as they've steered the product to its current status. Especially following falcosecurity/falco#1530, I fully support moving to graduation. |
|
+1 |
| - End user talk at Kubecon 2020 -- Shane Lawrence, Shopify ([youtube](https://www.youtube.com/watch?v=rBqBrYESryY)) | ||
| - End user talk at Kubecon 2020 -- Natch Ruengsakulrach & Eric Hollis, MathWorks ([slides](https://static.sched.com/hosted_files/kccncna20/aa/KubeCon_NA_Virtual_2020-Cyber_Kill_Chain_Falco.pdf)) | ||
| - Inclusion in CNCF CKS certification | ||
| - Several vendors have built commercial offerings on top of Falco (e.g. [GitLab](https://about.gitlab.com/blog/2020/08/18/how-gitlab-can-help-you-secure-your-cloud-native-applications/), [SumoLogic](https://www.sumologic.com/solutions/kubernetes/)) |
There was a problem hiding this comment.
- To enable wider adoption of the product the Falco website content is translated in Chinese, Korean, Japanese, and Malayalam languages.
| ### ✅ Have committers from at least two organizations. | ||
|
|
||
| Since incubation, the amount of contributions coming from organizations other than Falco original creator (Sysdig) has grown steadily. During the last year, around 45% of the contributions came from a diverse group of committers that includes Innoteam, Amazon, Samsung, IBM, Mercari, Red Hat and many individual contributors. More details are available [here](https://falco.devstats.cncf.io/d/5/companies-table?orgId=1&var-period_name=Last%20year&var-metric=contributions). | ||
|
|
||
| [Maintainers](https://github.com/falcosecurity/.github/blob/master/maintainers.yaml) of [Falco projects](https://github.com/falcosecurity) also come from a wide set of companies (Amazon, IBM, VMWare, RedHat, Sysdig, Qonto, move:elevator GmbH, Mercari, Timber). |
There was a problem hiding this comment.
SIG-Security would like to raise a concern regarding the vendor independence of the Falco project. The Incubation Due Diligence document shows many items that are indicated to be resolved prior to graduation. Reviewing the existing codebase highlights several areas without independence but also reflect efforts of that transition. This in turn causes confusion to the community as it is not clear what the scope of Falco is. Organizations may not simply deploy Falco as is, rather they must also deploy sysdig to reap the value of the project.
If the separation were to be completed, the existing security audit of 2019 may no longer be relevant to the project as significant changes may have occurred. The scheduled security audit for later this year would be beneficial, provided the separation were completed.
CC @lizrice & @justincormack
There was a problem hiding this comment.
Hello Emily!
I'd like to answer your comment by summarizing the discussion (and the plan we came up with) during our call last week.
To recap:
-
The current Falco prebuilt drivers - those installed when using the DEB, RPM, and tarball Falco packages - are already built from the contributed libs repository thanks to driverkit and our Open Falco Infra (Prow) (see build-drivers, its ProwJobs definitions, and an example run)
-
There are 2 ongoing PRs to complete the refactoring of the CMakeLists.txt files both in Falco and in libs repository
-
Today, I've finally published 5 GitHub Security Advisories on
falcosecurity/libscontaining detailed information about all the finding of the security audit done in July 2019, and the relative fixes- You can find them here
-
The findings (and the fixes) of the security audit regarding Falco only have been already published as Github Security Advisories
-
The
falcosecurity/libscode doesn't present substantial changes in the API or in the behavior to the code base that underwent a security audit in July 2019
The only differences are due to:- Fixes to vulnerabilities found during the security audit
- Fixes on the eBPF driver (mostly to make the eBPF verifier happy on newer Linux kernels)
- Fixes regarding the
bpf_probe_read_str()usage - Fixes to the handling of syscalls getting relative or absolute file paths
- Fixes to properly use newer libcurl features
- Memory leaks fixes
- Support for tracing the
renameat2syscall - Support for tracing the
fchmodat,fchmod,chmodsyscalls - Support to fetch Kubernetes liveness/readiness probe from related containers (when not available in the container info labels)
- Async DNS resolution using
c-ares - The userspace API (an experimental API - see pdig driver, or
-uFalco flag) - Decoupling and refactoring code (cosmetic changes) to let the libs contribution happen
- Refactoring of the CMakeLists.txt files to let the libs contribution happen
We can prepare a deck/presentation to present the libs repository to the SIG-Security, if requested
Roadmap: as you may notice, there's a lot already done to complete the transition, and there's active ongoing work (point 2) to complete it that will be complete very soon.
Feel free to reach out if you have any questions. :)
|
|
||
| One important concern emerged during the incubation due diligence process was related to the codebase’s vendor independence: some of the Falco key data collection dependencies (libsinsp, libscap, kernel module and eBPF probe) were coming from an OSS repository under the Sysdig Inc. GitHub organization. | ||
|
|
||
| To address this issue, Sysdig has since contributed those components to the CNCF via the Falcosecurity organization (now available at [falcosecurity/libs](https://github.com/falcosecurity/libs)). Read more on the CNCF blog [here](https://www.cncf.io/blog/2021/02/24/sysdig-contributes-falcos-kernel-module-ebpf-probe-and-libraries-to-the-cncf/). |
There was a problem hiding this comment.
Seems like there are still a lot of Sysdig references - I appreciate that some of these are completely legitimate but almost 500 in the code seems like a lot, please could you comment on that?
There was a problem hiding this comment.
Just a reminder for the Falco team, CNCF has website guidelines on how you can refer to the progenitor organization: https://github.com/cncf/foundation/blob/master/website-guidelines.md
|
Hi @lizrice,
Hope this helps to address your concerns - happy to go deeper into details if needed! Update During the last days, the Falco community took a step forward in completing the deletion of the references. As you can see the overall number is ~50% (253 references at the moment vs 481 before) of the past week. Some of the PRs regarding this ongoing effort:
The greatest drop in the number of references is on the libs repository that went down from 260 to 50 total references. |
|
+1 |
|
I'm not a contributor to Falco, but was a heavy end user in my previous role. They've done a great job with building a community around the project 👍 It's been a little over a month since the last update, but it looks like there has been a good amount of progress towards reducing references: For the various references to sysdig in the codebase, I did a quick look:
If there are concerns about still having a high number of references from the archived projects in the main project org, one potential idea might be to mimic the archive org pattern e.g. kubernetes-retired and move the repos there which can act as a very clear signal to users about the state of those projects. |
|
#671 has details on exactly this! |
|
I saw that note, I was more focused on the:
Just want to make sure we do it right and we don't get lost in processes. We didn't have a chance to connect with people for this and are stuck in a more process > people situation rather than a situation where people are > processes. I feel like just having a conversation and getting guidance and feedback would help Falco and other projects succeding rather than just following a checklist in this stage. |
|
Hi, Falco maintainer here. Is there any update on the new streamlined process (i.e., #667, #671)? As far as I know, it has not yet been confirmed, and we are still stuck in limbo. It would be beneficial for us to have a guide to understand how to proceed (e.g., is there something we should address or just awaiting proper cycles to address the graduation process). |
|
@leogr: The process has not changed, the changes to the graduating process are still in proposal. My comments from before still apply.
|
|
A few thoughts from me
|
The maintainers.yaml contains the list of the current maintainers and is generated from the OWNERS files of all projects within falcosecurity GitHub organization. Periodically, it is automatically updated by our infra.
There's an ongoing effort to reduce the reference count. Currently, it already went down from ~500 to 170 (including archived contents and some legitimate references). Is there perhaps any particular area to be cleaned up that we should prioritize? |
Most of those seem like valid references to sysdig - e.g. 100~ instances are from markdown and most of those are changelog items, meeting notes etc. The one standout area is the sysdig/libs repo, where there are still some carryover code references from when it was migrated, with the caveat that there is a PR in flight to take care of most of them. |
|
Administratively: I'm closing this pull request based on the July 20th meeting, where Falco was discussed and the TOC recommended that Falco reapply in 6 months. |
|
Related traffic:
@leodido @ewilderj are there other public places where you all are figuring out steps or things to do (before filing for graduation again)? |
|
Hey @dims We are trying to keep everything within the https://github.com/falcosecurity/evolution repository. This 👇 is the PR to update the governance document. I will keep you posted in case there're other relevant references. |
This is a formal proposal to consider Falco for CNCF graduation.
In this PR you can find the proposal document that highlights how Falco has met the graduation criteria as defined by CNCF.
Please let me know if anything is missing or can be clarified further.