[Graduation] Crossplane Graduation Application #1397
Comments
@jbw976 In preparation for Crossplane to be picked up by a TOC member after the KubeCon freeze period -- and prior to TOC member assignment -- please:
awesome @angellk, we'll get started on those work items so we will be ready to start after kubecon freeze period is over! Looks like we missed the security self assessment in the application checklist, so thank you for adding the link here! 🙇♂ edit: ah, looks like you already updated the graduation issue template with the security self-assessment link too, so thanks for being doubly helpful 😉
6 Adopters have been submitted for interviews - thank you @jbw976
@jbw976 I am the TOC sponsor for Crossplane's application to move levels from Incubation to Graduation. Next steps:
A PR for the security self-assessment has been opened for review and collaboration amongst the Crossplane maintainer team in crossplane/crossplane#6143. After that is reviewed and feedback is incorporated, we are happy to move the assessment content to a different long term home if required.
The security self-assessment has been merged and can be found at https://github.com/crossplane/crossplane/blob/main/security/self-assessment.md. The application has been updated to reflect this 🎉
Update:
Update:
Update: @dims and I met with Crossplane Steering Committee February 7, 2025 - moving to "Not Ready / Will Return" while the Steering Committee works on their proposal for resolution.
@angellk Out of transparency: Where can we read meeting notes about this meeting to understand why this process currently doesn't move forward?
Crossplane Graduation Application
v1.5
This template provides the project with a framework to inform the TOC of their conformance to the Graduation Level Criteria.
This graduation application issue is a continuation of the Crossplane graduation proposal started using the previous format in #1254 on Feb 5, 2024.
Project Repo(s): https://github.com/crossplane/crossplane is the core Crossplane project
Project Site: https://www.crossplane.io/
Sub-Projects: Crossplane does not have a formal sub-project designation, but there are additional projects/repositories under the https://github.com/crossplane/ organization, and community led extensions in the https://github.com/crossplane-contrib organization. All projects under these organizations fall under the Crossplane governance.
Communication: https://slack.crossplane.io/
Project points of contacts:
Graduation Criteria Summary for Crossplane
Adoption Assertion
The project has been adopted by the following organizations in a testing and integration or production capacity:
Adopters of the Crossplane project that have chosen to share their adoption story publicly can be found in the ADOPTERS.md file in the main Crossplane repository. Currently, there are over 60 public adopters of the project, and there are more that are willing to share their story with the TOC privately. Some notable Crossplane public adopters include Nike, Autodesk, Grafana, NASA Science Cloud, Elastic, Akamai, SAP, IBM, VMware Tanzu, and Nokia.
Criteria
Application Process Principles
Suggested
N/A
Required
Jared Watts (@jbw976) presented Crossplane's graduation proposal and project update to TAG App Delivery on Feb 7, 2024, as noted by @angellk in #1254 (comment).
Notes from TAG App Delivery can be found linked from the TAG statement of Crossplane's graduation presentation in #1254 (comment), and a formal review/recommendation from the TAG will be provided soon.
A complete due diligence document was prepared by the project team when applying for Incubation and reviewed by TAG App Delivery to provide their feedback and recommendations. This document has now been updated in preparation for Graduation to include notable project progress and accomplishments since Incubation and how the specific concerns raised by the TAG have been addressed.
Crossplane operates according to well defined vendor-neutral governance in https://github.com/crossplane/crossplane/blob/master/GOVERNANCE.md, and all project communication, messaging, and collaboration is vendor-neutral.
The official project charter states that the project is vendor-neutral as well: https://github.com/crossplane/crossplane/blob/master/CHARTER.md#what-crossplane-is
The Crossplane project has reviewed and understands the expectations as it has continued to move forward through the maturity levels as described in the process README and graduation criteria.
Crossplane has demonstrated this understanding through all applications/proposals for each maturity level:
Completion of this due diligence document, resolution of concerns raised, and presented for public comment satisfies the Due Diligence Review criteria.
Complete end user project documentation can be found in https://docs.crossplane.io/. Contributor documentation for the Crossplane project can be found in https://github.com/crossplane/crossplane/tree/master/contributing, and a documentation-specific contributing guide can be found in https://docs.crossplane.io/contribute/.
Governance and Maintainers
Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.
Suggested
The project governance has undergone a few revisions in its history since the project's creation. These commits/updates can be found in the git history at https://github.com/crossplane/crossplane/commits/master/GOVERNANCE.md. We started the project and early on had fairly detailed governance, because we are also the creators of the Rook project and had experience developing a well defined project governance there first.
Required
The Crossplane project has had well defined governance in place since entry into the CNCF Sandbox, which can be found in the main repo’s GOVERNANCE.md file. All aspects of the life cycle for Crossplane leadership positions, including the steering committee and repository maintainers (committers) are described in detail within this governance document. The steering committee members, currently from Upbound, Apple, and Nokia, can be found in the project governance also. Repository maintainers can be found in the OWNERS.md file of each separate Crossplane repository that make up the project.
The governance is up to date with the latest iteration of the steering committee membership, which occurred early in 2024. All processes for maintainers, conflict resolution, etc. are defined and up to date in this governance document.
All meetings within the Crossplane community and ecosystem are tracked in the community calendar. This calendar as well as other ways to get involved are highlighted prominently in the project's main README.
The governance has a "maximum representation" section that outlines how vendor neutrality is enforced over the lifetime of the project and leadership elections: https://github.com/crossplane/crossplane/blob/master/GOVERNANCE.md#maximum-representation
The project charter also reinforces the notion of vendor-neutrality: https://github.com/crossplane/crossplane/blob/master/CHARTER.md#what-crossplane-is
Changes to governance have a clearly defined process in https://github.com/crossplane/crossplane/blob/master/GOVERNANCE.md#updating-the-governance.
Project leadership (steering committee) election process is defined in https://github.com/crossplane/crossplane/blob/master/GOVERNANCE.md#election-process.
The process for how each individual repository under the crossplane organization(s) is maintained can be found in https://github.com/crossplane/crossplane/blob/master/GOVERNANCE.md#repository-governance.
Contribution acceptance is augmented by the contributing guide with https://github.com/crossplane/crossplane/tree/master/contributing#contributing-code and https://github.com/crossplane/crossplane/tree/master/contributing#code-review-process.
The steering committee membership and details can be found in https://github.com/crossplane/crossplane/blob/master/GOVERNANCE.md#initial-steering-committee, and contact info for the committee as a whole is provided.
The maintainers of each repository in the crossplane and crossplane-contrib organizations are listed in the OWNERS.md file in each individual repository. For example:
Across the entire Crossplane project, there are 148 different companies that have committers (individuals with write permissions) on at least one repository.
Using the same example repository maintainers (OWNERS.md) from a previous question, we can see the history of these files as maintainer membership changes over time, with both additions and removals (or movement to emeritus status):
Across the entire Crossplane project, there are 148 different companies that have committers (individuals with write permissions) on at least one repository, which is a great demonstration of organizational diversity.
Also, the steering committee for the Crossplane project is composed of individuals from 3 separate organizations: Apple, Nokia, and Upbound.
Yes, OWNERS.md files in each Crossplane project repository should reflect the documented maintainer roles defined in the governance. For example, https://github.com/crossplane/crossplane/blob/master/OWNERS.md.
Crossplane project and community adhere to the CNCF Code of Conduct, e.g., https://github.com/crossplane/crossplane/blob/master/CODE_OF_CONDUCT.md.
The CNCF Code of Conduct is linked from the root of the core Crossplane repository: https://github.com/crossplane/crossplane/blob/master/CODE_OF_CONDUCT.md
Crossplane does not have formally defined "subprojects", but all repositories under the crossplane and crossplane-contrib repository adhere to the well defined governance.
N/A
Contributors and Community
Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.
Suggested
Contributor roles fall into 3 tiers: member, maintainer, and steering committee. The roles and expectations are described in:
Required
All repositories in the Crossplane project accept issues and changes from the community through the standard GitHub workflows:
Both issues and PRs have templates to standardize and guide the contributor experience.
The Contributing guide also describes how changes are accepted, what the contributor can expect to experience, and tips for making a successful contribution.
All communication channels are listed in the main project README: https://github.com/crossplane/crossplane/tree/master?tab=readme-ov-file#get-involved. The most commonly used channels are https://slack.crossplane.io/ and https://github.com/crossplane/crossplane.
All communication channels are listed in the main project README: https://github.com/crossplane/crossplane/tree/master?tab=readme-ov-file#get-involved
All meetings within the Crossplane community and ecosystem are tracked in the community calendar. This calendar as well as other ways to get involved are highlighted prominently in the project's main README.
The Contributing guide describes the process of how to contribute to the project, what the maintainers are expecting, and guidance for how to make a successful contribution.
A similar guide is also available for contributing specifically to the docs at https://docs.crossplane.io/contribute/.
Project health metrics tracked by the CNCF consistently demonstrate that the community has continued to thrive with both adoption of the technology as well as a strong base of contributors to the project:
Engineering Principles
Crossplane is a framework for building cloud native control planes without needing to write code, and the Crossplane project and community is a neutral place for vendors and individuals to come together in enabling these control planes. More details on the project goals/objectives can be found in the official project charter.
We are not aware of any other projects in the landscape that provide the building blocks to build your own custom cloud native control plane that manages all of your infrastructure, or exposes infrastructure resources for application developers through custom defined platform APIs.
The official project charter, explaining what Crossplane is and what it is not, can be found at https://github.com/crossplane/crossplane/blob/master/CHARTER.md.
The Crossplane public roadmap can be found at https://github.com/crossplane/crossplane/blob/master/ROADMAP.md.
The expectations and process for updating the public roadmap over time are outlined in https://github.com/crossplane/crossplane/blob/master/ROADMAP.md.
The Crossplane docs provide an overview of the architecture and components of Crossplane that enable cloud native control planes:
There are also specifications for certain components in Crossplane that inform specific implementations on the expectations and requirements for extending Crossplane:
The original public v0.1 release of Crossplane also included a public vision and architecture document. This document has not kept up with the specific implementation details of Crossplane v1.0+, but is of interest nonetheless: https://docs.google.com/document/d/1whncqdUeU2cATGEJhHvzXWC9xdK29Er45NJeoemxebo/edit?usp=sharing
Document the project's release process and guidelines publicly in a RELEASES.md or equivalent file that defines:
The Crossplane release process and expectations are documented in the following locations:
Security
Note: this section may be augmented by a joint-assessment performed by TAG Security.
Suggested
Required
Crossplane's security and vulnerability disclosure policy is outlined in detail at https://github.com/crossplane/crossplane/security/policy.
The Crossplane organization has enabled the GitHub setting for "Require two-factor authentication for everyone in the Crossplane organization."
The response process for security vulnerability disclosure reports is outlined in detail in https://github.com/crossplane/crossplane/security/policy.
A security self-assessment has been published to the security folder in the main Crossplane repository at https://github.com/crossplane/crossplane/blob/main/security/self-assessment.md. If needed, we are happy to move the assessment content to a different long term home if required.
Third Party Security Review.
Crossplane completed two separate security audits within 2023, both of which were performed by ADA Logics. The first audit focused on fuzzing and was completed in March 2023, followed by a more intense general security audit that was broader in scope and completed in July 2023. The full report details can be found in the security folder of the main Crossplane repo:
In the general security audit, the ADA Logics team identified a total of 16 issues, with 7 being deemed Low severity, 8 Medium, and 1 of High severity. All issues were reported in accordance with Crossplane’s responsible disclosure security policy. CVEs were published for 2 of these 16 issues:
At the time of publishing the audit report, 15 of the 16 issues had been fixed in the codebase and patch releases were published for all currently supported versions of Crossplane. The final 16th issue was in alpha code that was subsequently removed, thus resolving 100% of the issues found during the security audit.
Crossplane's OpenSSF Best Practices passing badge can be found at https://www.bestpractices.dev/en/projects/3260. This badge is displayed prominently on the main project README.
Ecosystem
Suggested
N/A
Required
Adopters of the Crossplane project that have chosen to share their adoption story publicly can be found in the ADOPTERS.md file in the main Crossplane repository. Currently, there are over 60 public adopters of the project, and there are more that are willing to share their story with the TOC privately. Some notable Crossplane public adopters include Nike, Autodesk, Grafana, NASA Science Cloud, Elastic, Akamai, SAP, IBM, VMware Tanzu, and Nokia.
The public Crossplane adopters list explicitly mentions over 25 production use cases. There are additional production users amongst the adopters list that have not explicitly declared their production usage, but depend on Crossplane in production environments nonetheless.
The project provided the TOC with a list of adopters for verification of use of the project at the level expected, i.e. production use for graduation, dev/test for incubation.
Refer to the Adoption portion of this document.
function-kcl.
Adoption
We assume this section will be filled out by the TOC sponsor as the TOC adopter interviews are conducted. There are many Crossplane adopters that can be verified and interviewed in the public adopters list. The Crossplane team (@jbw976) will be happy to help find and contact adopters that fit the profiles the TOC sponsor is looking for.
Adopter 1 - $COMPANY/$INDUSTRY
If the Adopting organization needs to remain anonymous, stating the industry vertical is sufficient.
MONTH YEAR
Adopter 2 - $COMPANY/$INDUSTRY
If the Adopting organization needs to remain anonymous, stating the industry vertical is sufficient.
MONTH YEAR
Adopter 3 - $COMPANY/$INDUSTRY
If the Adopting organization needs to remain anonymous, stating the industry vertical is sufficient.
MONTH YEAR