Happy to help and support

Thanks @michmike !

@monadic so you're interested in sponsoring?

@mattklein123 is there a reason something like this wouldn't just become an Envoy sub project or would you prefer for it to be a standalone project?

Yes I am interested

@mattklein123 is there a reason something like this wouldn't just become an Envoy sub project or would you prefer for it to be a standalone project?

I discussed this with the Contour team. There are pros/cons to both scenarios. On the pro side, it's very closely aligned with Envoy and would make a great official addition to the ecosystem. On the con side, we don't have any process within the project for doing something like this and would have to develop it. Additionally, it's unclear how this would effect the overall ecosystem of Contour competitors. Overall, I think going into the CNCF directly is simpler. We can always change things later depending on how things evolve IMO.

I'm happy to help sponsor this also along with @monadic

@mattklein123 and @monadic , i will add you as our TOC sponsors. thank you!
@caniszczyk , that's a really good question and something we explored with the Envoy team. Like Matt mentioned, going to CNCF is simpler and provides a clear path towards open governance

@lizrice @amye Does this need to go back through the SIGs?
I noticed a footnote from January 8th but haven't seen an update since then.
It would also need to get new sponsors since Alexis is now no longer able to sponsor.
Thoughts?

This is in SIG-Network for review.

@leecalcote and CNCF-SIG-Network team, the technical due diligence document for Contour is located at https://docs.google.com/document/d/1IIUDRch-8EEbcSFVK4sNL6Op5QJkIBrJi4SwbBjXiXU/edit?usp=sharing. we look forward to your feedback

@kenowens12: any updates here?

@amye I'm doing some private DD with Contour users. I need a bit more time to complete that. Thank you!

@mattklein123: Checking in here, any movement?

@mattklein123 friendly ping while Amye is out on vacation, you OK with kicking off an incubating vote?

https://docs.google.com/document/d/1IIUDRch-8EEbcSFVK4sNL6Op5QJkIBrJi4SwbBjXiXU/edit

Which process is this submission following? Is this ready for public comments?

@VinodAnandan https://github.com/cncf/toc/blob/master/process/project_proposals.adoc#incubation-process

It's been ready for public comment since March 19th
#330 (comment)

TOC Incubation Sponsor determines when DD is “done” and I believe @mattklein123 is making that call this week after syncing up last week.

If I haven't misunderstood, the comment link you have posted is asking feedback from @leecalcote and SIG Network. If a DD is not "done", how can someone ask for public comments? Who is responsible to notify the mailing lists to get public comments. How long a DD should wait for the public comments? Going through the documents I have multiple comments, I just want to verify that the TOCs have already approved the DD ("done").

I was planning on calling for the vote today/tomorrow. I had assumed that people that wanted to comment would have already done so either on the DD document or in this PR. If that's not the case, let's have a few days for public comments and we can do the vote next Monday.

@VinodAnandan and community, fire away!

@mattklein123 Thanks for completing the due diligence.

This submission was just moved to the "In Public Comment Period" column and the public comment announcement was sent before 3 hours. As per the official process, the Due Diligence review is 2-6 weeks. It's a bit unusual that the particular submission was a bit out of normal from the beginning itself.

In the document, the mission statement says that "To be the most secure, performant, scalable, and available ingress controller" but when I checked the landscape ( https://github.com/projectcontour/community/blob/master/LANDSCAPE.md ), Contour is the only one without authentication, why wasn't the authentication a priority in version 1.0?

Where can I find a high-level roadmap for the project?

When I compared the GitHub popularity with other projects mentioned in the landscape, both the current numbers and trend is the lowest compared to other projects mentioned there. Has this been reviewed and are there any plans to improve?

What are the organizations other than VMware that are officially contributing to the Contour Project?

How is the "count author" value mentioned in the document calculated?

Is there any document/links to find and that are highlighting the details of recent (6 months, 1 year ) contribution stats?

I noticed that the main two external contributors mentioned in the table have stopped contributing recently? Is there any specific reason for it ( changing sponsoring company etc? )

At the time of the submission ( 7 Jan ) of this project, I have checked for the Governance document and I couldn't find one at that time and it seems like there is a new document created on 18 Mar. Is this acceptable from the TOC?

Hi @VinodAnandan, thank you for reading through our documentation and asking insightful questions. My name is Michael Michael, and I am one of the maintainers of Contour. I am also a long standing contributor in CNCF projects as a maintainer of Harbor as well as a chair in a Kubernetes SIG. I will try to address all your concerns. Feel free to ping me in private (i am @m2 on the CNCF and the K8s Slack channels) or continue the discussion here on followup items.

This submission was just moved to the "In Public Comment Period" column and the public comment announcement was sent before 3 hours. As per the official process, the Due Diligence review is 2-6 weeks. It's a bit unusual that the particular submissions were a bit out of normal from the beginning itself.

It is true the due diligence period needs to be 2-6 weeks. We started the due diligence with the TOC and CNCF sig-network on Jan 16th. Then, all the documents were ready and available for DD review on March 19th. You are correct that the email to the TOC mailing list did not go out until yesterday. We are not trying to short-circuit the process. If anyone has feedback, we would love to hear it.

In the document, the mission statement says that "To be the most secure, performant, scalable, and available ingress controller" but when I checked the landscape ( https://github.com/projectcontour/community/blob/master/LANDSCAPE.md ), Contour is the only one without authentication, why wasn't the authentication a priority in version 1.0?

I would like to separate the is a product secure question from does a product have feature x. There is a difference between intrinsic security (is the system itself secure) and security features. We could build in a WAF but that would be out of scope for Contour and not aligned with our vision. The important thing we would like to note is that the features Contour delivers are done securely. A great example is being able to run the control plane in different pods (perhaps on different nodes with different service accounts) so that if an envoy is compromised it doesn't get privileged (TLS secret) access to the rest of the cluster. That type of architecture was designed with security, availability and scalability in mind. Authentication is a feature that you can add on top of ingress, and this is one of the highest priority items for us to work on next. You can view additional design and implementation details on supporting auth in Contour here.

Where can I find a high-level roadmap for the project?

The due diligence document has a section on releases and roadmap, ultimately pointing to https://github.com/projectcontour/contour/blob/master/RELEASES.md. The Contour team maintains an up-to-date project board where our prioritized backlog and what we plan to work on next is viewable. We also have additional “parking lots” where we have grouped features that are of similar priority. We intend to work on these features after we go through the prioritized backlog. We develop Contour in the open, and more than a few times a user request has come in, we evaluated it, and decided it was important for us to work on it immediately due to the impact to the community.

When I compared the GitHub popularity with other projects mentioned in the landscape, both the current numbers and trend is the lowest compared to other projects mentioned there. Has this been reviewed and are there any plans to improve?

From the Contour perspective, we develop the project in the open and we are open to any and all contributors. We also created a philosophy document to outline how we engage with the community and the table stakes that Contour has set in terms of our vision and goals.

What are the organizations other than VMware that are officially contributing to the Contour Project?

These are outlined in the “Key Health Statistics” section of the DD document. VMware is the main contributor to Contour, but as you can see, we are not the only ones. For example, Tero Saarni (@tsaarni) from Ericsson, drove two key sets of features: client auth so users can use certificates to validate access from outside the cluster and the automatic refresh of secrets with Contour<>Envoy.

How is the "count author" value mentioned in the document calculated?

The count author is a total count of all PRs, Issues, Commits by a github user

Is there any document/links to find and that are highlighting the details of recent (6 months, 1 year ) contribution stats?

If you are asking for contribution stats and dates per individual user, we don’t have that handy. It is not hard to compute, but it does involve manual labor to create out of the github APIs. What we do have though is charts on the contributions by date for VMware and non-VMware contributors and those are included in the DD document. Those charts go back 2 years.

I noticed that the main two external contributors mentioned in the table have stopped contributing recently? Is there any specific reason for it ( changing sponsoring company etc? )

Maybe it is possible they got the features they wanted/needed. We don’t have all the information on company associations since some of the data is private and not shared by the github API.

At the time of the submission ( 7 Jan ) of this project, I have checked for the Governance document and I couldn't find one at that time and it seems like there is a new document created on 18 Mar. Is this acceptable from the TOC?

That is a question for the TOC. We were always operating Contour with that governance in mind, we just never put it down on paper. The DD process offered a great checklist and reminder to ensure we document and follow best practices on operating healthy open source projects.

Hi @michmike thank you very much for your reply.

As per the CNCF TOC approved process https://github.com/cncf/toc/blob/master/process/project_proposals.adoc#incubation-process , Due Diligence : 2-3 months, Due Diligence review : 2-6 weeks, TOC vote : up to 6 weeks, and I believe this is for a submission which completely meets criteria, it may take even more time ( NATS is waiting 1.5+ years) for projects which don't meet all criteria at the time of submission.

I am not quite sure how to make the "most secure" software without having the basic security functionalities like authentication. And I don't believe that comparing authentication and WAF is appropriate. If you are saying that the project is achieving "most secure" by secure software development practice, could you please let us know

• Where is the threat model for the project?
• What are the SAST tools (e.g: gosec ) /service project use?
• What are the DAST tools (e.g: Zap ) /service project use?
• What are the OSS security scanning tools/service project use?
• How many public pentest has been completed? Where can we find the reports?

Why is the adopter file empty? ( https://github.com/projectcontour/contour/blob/master/ADOPTERS.md )

Where can we find three independent end users interviews?

Have the CNCF staff completed the governance and legal DD?

I am not quite sure how to make the "most secure" software without having the basic security functionalities like authentication. And I don't believe that comparing authentication and WAF is appropriate. If you are saying that the project is achieving "most secure" by secure software development practice, could you please let us know

Contour is secure for the features we deliver. With this specific example in mind, if you want to front end your K8s services with auth, that's not a feature Contour has today. We are working on it and will deliver it soon because it is an important feature, but it is still just a feature. Contour can be an excellent and functional ingress controller with or without it. We are adding auth not because it would make Contour more secure, because it really will not. Auth will make users’ services more secure and it is an important feature to our community.

Where is the threat model for the project?

We don’t have a threat model to share publicly. If and when we are accepted into the CNCF, we will work with sig-security on an assessment to Contour. That’s a very valuable exercise and I have been through it with Harbor.

What are the SAST tools (e.g: gosec ) /service project use?

We execute a variety of static analysis tools. I have listed them below. We also periodically run gosec, but it has way too many false positives and has not impressed us as a tool. You have a valid point though and we are going to immediately enable gosec as part of the PR process/checks.

bodyclose: checks whether HTTP response body is closed successfully [fast: true, auto-fix: false]
deadcode: Finds unused code [fast: true, auto-fix: false]
errcheck: Errcheck is a program for checking for unchecked errors in go programs. These unchecked errors can be critical bugs in some cases [fast: true, auto-fix: false]
goimports: Goimports does everything that gofmt does. Additionally it checks unused imports [fast: true, auto-fix: true]
gosimple (megacheck): Linter for Go source code that specializes in simplifying a code [fast: true, auto-fix: false]
govet (vet, vetshadow): Vet examines Go source code and reports suspicious constructs, such as Printf calls whose arguments do not align with the format string [fast: true, auto-fix: false]
ineffassign: Detects when assignments to existing variables are not used [fast: true, auto-fix: false]
misspell: Finds commonly misspelled English words in comments [fast: true, auto-fix: true]
staticcheck (megacheck): Staticcheck is a go vet on steroids, applying a ton of static analysis checks [fast: true, auto-fix: false]
structcheck: Finds unused struct fields [fast: true, auto-fix: false]
typecheck: Like the front-end of a Go compiler, parses and type-checks Go code [fast: true, auto-fix: false]
unconvert: Remove unnecessary type conversions [fast: true, auto-fix: false]
unparam: Reports unused function parameters [fast: true, auto-fix: false]
unused (megacheck): Checks Go code for unused constants, variables, functions and types [fast: false, auto-fix: false]
varcheck: Finds unused global variables and constants [fast: true, auto-fix: false]

What are the DAST tools (e.g: Zap ) /service project use?

We have not used any DAST tools because Contour is not a web application. It does not listen to user requests, it is not vulnerable to cross-site scripting attacks, as it has no user-facing functionality aside from the Kubernetes API

What are the OSS security scanning tools/service project use?

We don’t use any security scanning tools on a daily basis. However, we periodically use gosec as mentioned above and have also verified our container images using vulnerability scanners. However, those vulnerability scanners can’t properly scan Contour because there is no underlying operating system in our container image. It is just our binaries in there. What they can do is check the binary signature of Contour and make sure no vulnerabilities are reported for Contour in NVD databases. We have zero such CVEs currently and we plan to follow our established security process if a vulnerability is reported.

How many public pentest has been completed? Where can we find the reports?

We have not had a public pentest yet, as that is part of the requirements for going to graduation stage. We look forward to potentially partnering with CNCF and Cure53 on a security audit.

Why is the adopter file empty? ( https://github.com/projectcontour/contour/blob/master/ADOPTERS.md ) Where can we find three independent end users interviews?

We are working with some of our users on filling in details in our adopters file. From the CNCF criteria, this is a graduation stage criterion. Matt Klein from the TOC has conducted private interviews with Contour users to satisfy the incubation criteria. Even though some enterprises don’t want to be named publicly as users of Contour, Adobe, PhishLabs, kintone.io, Replicated, and Kinvolk have all been using Contour and talked or tweeted about it publicly. This thread also has additional customer testimonials.

Have the CNCF staff completed the governance and legal DD?

I can’t speak for the CNCF staff. That’s a question for @caniszczyk and @amye

@michmike thank you for your reply.

Static Application Security Testing (SAST): Not all linter will be considered in this category, gosec is one of the many SAST tools that can be utilised for go projects. Thanks to the project team for enabling the gosec yesterday ( projectcontour/contour#2526 ) and fixing the argument injection vulnerability. The gosec is a great tool and the false positive can be reduced by configuring the tool properly.

Dynamic Application Security Testing (DAST): Tools under this category can be used to test APIs not just web applications.

Open Source Software (OSS) Security (CVE) issues are not only associated to the OS packages but also with the application dependencies including the go modules (e.g: CVE-2020-12118), gosec can't scan for the Common Vulnerabilities and Exposures (CVE) with OSS, it scans for the Common Weakness Enumeration (CWE).

Thanks to the project team for enabling the gosec yesterday ( projectcontour/contour#2526 ) and fixing the argument injection vulnerability.

Just to clarify; if this refers to the change that I think it does, there was no argument injection issue here. gosec was not able to prove that the argument used was actually a local constant, and emitted a warning. I hoisted the constant because there was no need for the indirection and it made gosec happy. There was no vulnerability here.

I'd also be very happy to shepherd changes from anyone who is interested in improving Contour CI, including applying any useful static analysis tooling.

@jpeach Thank you for your reply. The SAST tools may not always find exploitable findings, but it will help with the secure coding and to reduce the weaknesses and vulnerabilities with the applications. As an example, the NIST formally deprecated use of SHA-1 and there are secure alternatives. For exploitable findings, Pentesting and DAST tools can be more useful.

I’m about to add my +1 on the incubation vote.

Governance looks well set up and there are significant contributions from outside VMware, but just for the record I wanted to note that I’d like to see Contour working to add maintainers from other organizations going forward.

@lizrice absolutely, that's our goal. There are a few contributors that are heavily investing in the project and are moving towards maintainer status.

Welcome contour, onboarding will be tracked here: #483

https://lists.cncf.io/g/cncf-toc/message/4932

+1 Binding: note: Quorum is 10 as Jeff Brewer has been away
Matt Klein: https://lists.cncf.io/g/cncf-toc/message/4737
Alena Prokharchyk: https://lists.cncf.io/g/cncf-toc/message/4748
Liz Rice: https://lists.cncf.io/g/cncf-toc/message/4770
Sheng Liang: https://lists.cncf.io/g/cncf-toc/message/4771
Justin Cormack: https://lists.cncf.io/g/cncf-toc/message/4776
Michelle Noorali: https://lists.cncf.io/g/cncf-toc/message/4855
Brendan Burns: https://lists.cncf.io/g/cncf-toc/message/4858
Saad Ali: https://lists.cncf.io/g/cncf-toc/message/4864