Table of Contents
Who We Are
Remembering Dan Kohn
Momentum in 2020
Membership
End User Community
End Users & CNCF Projects / TOC
End Users & KubeCon + CloudNativeCon
CNCF End User Technology Radar
End User Training Benefits
End User Case Studies
Conferences & Events
Wellness Activities
Training & Certification
Project Updates & Satisfaction
Project Maturity Levels
CNCF Project Maintainer Survey Results
Project Updates & Releases
Services & Assistance for Projects
Documentation, Websites, & Blog Posts
CNCF Service Desk
Community Engagement
Community Awards
CNCF Meetups
Kubernetes Community Days Update
CNCF Ambassador Program
Community Mentoring & Internships
Welcome to the 2020 Cloud Native Computing Foundation annual report.
Our themes for the year were end user driven open source, diversity-powered resilience, and a focus on education and training. Comments and feedback are welcome at info@cncf.io.
Who We Are
The Cloud Native Computing Foundation (CNCF) is an open source software foundation dedicated to making cloud native computing universal and sustainable.
Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments across public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify the cloud native approach.
We are a community of open source projects, including Kubernetes, Prometheus, Envoy, and many others. Kubernetes and other CNCF projects have quickly gained adoption and won community support, becoming some of the highest velocity projects in the history of open source.
CNCF employs 34 people from various backgrounds and locations; 71% are women, 29% are men. CNCF’s Governance Leadership, comprising the Governing Board and Technical Oversight Committee, is 14% women and 86% men.
CNCF’s revenue is derived from four primary fundraising sources, including membership, event sponsorship, event registration, and training.
A basic premise behind CNCF, our conferences (including KubeCon + CloudNativeCon), and open source, in general, is that interactions are positive-sum. There is no fixed amount of investment, mindshare, or development contribution allocated to specific projects. Just as open source development is based on the idea that, collectively, we are smarter than any one of us, open source foundations work for the betterment of the entire community.
Equally important, a neutral home for a project and community fosters this type of positive-sum thinking and drives the growth and diversity that we believe are core elements of a successful open source project.
Remembering Dan Kohn
CNCF and The Linux Foundation are deeply saddened at the recent passing of our longtime colleague and dear friend, Dan Kohn. Dan was one of the great open source leaders of our time, a brilliant mind – devoted to giving back to the community, and a loving husband and father who will truly be missed forever.
Dan’s lifelong desire was to help others. From serving as a volunteer firefighter in college to founding Linux Foundation Public Health at the height of the pandemic to assist in the worldwide fight against COVID-19, he never stopped finding ways to make a positive and lasting impact. We are forever grateful for Dan’s many contributions and accomplishments and will continue to honor his legacy of constant collaboration, sharing, and compassion in everything that we do.
Momentum in 2020
Throughout its fifth year, CNCF achieved tremendous community engagement through steady membership growth, incredible virtual event attendance, strong end user participation, and broad industry commentary. At present, CNCF hosts 80+ projects with over 110,000 contributors from nearly 1,000 organizations representing 177 countries.
Cloud native tech is not just for the cloud anymore. Builtin declared that “cloud-native technology is moving to the enterprise” because “legacy tech is waking up to cloud native”. Cloud native technologies are also driving the expansion of the “Wild West” of edge computing with many firms realizing the “financial benefits to taking the cloud native path”.
As cloud native technologies continue to scale across the world, touching almost every industry, CNCF has actively embraced diversity. This diversity is at the heart of the open source movement. Together we are stronger, faster, better, and more innovative than alone and apart, and that diversity makes us more resilient to weather any challenge — even the loss of a great leader.
Additionally, CNCF is committed to creating end user-driven open source, where everyone is encouraged to participate and get involved irrespective of their level of expertise. This expands the horizon of valuable contributions and welcomes everyone within the cloud native community to participate.
CNCF is at the forefront of these revolutionary market and technology transitions.
Membership
CNCF would not be what it is today without the support of our global membership community.
Our members help CNCF and the Linux Foundation provide neutral governance, strong IP management, ecosystem building, training, events, developer marketing, rich tools to engage communities, and more to keep the wheels of innovation spinning for our project communities.
The CNCF ecosystem continues to grow across vendor and end user memberships, making CNCF one of the most successful open source foundations ever.
Over the course of 2020, we added over 150 new members, an increase of more than 28% from 2019. Our now 20 Platinum members include some of the world’s largest public cloud and enterprise software companies and end users.
Kasten by Veeam and Volcano Engine joined or upgraded to Platinum in 2020. Cox Communications, HCL Technologies, Hewlett Packard Enterprise, Intuit, SPD Bank, and T-Mobile all joined or upgraded to Gold in 2020.
Investment from these leading organizations signifies a strong dedication to the advancement and sustainability of cloud native computing for years to come.
End User Community
CNCF prides itself on being an open source community driven by End Users.
End users are defined as companies that use cloud native technologies internally but do not sell any cloud native services externally. Companies that meet this definition are eligible to join the End User Community.
Our End User Community grew to over 145 members in 2020, indicating strong, continued interest in cloud native technologies. At present, the CNCF End User Community is the largest of any open source foundation.
The End User Community meets regularly and advises the CNCF Governing Board and Technical Oversight Committee (TOC) members on key challenges, emerging use cases, and areas of opportunity and new growth for cloud native technologies. End Users are also an important source for CNCF projects including Prometheus, Envoy, Argo, and Backstage.
A respondent of the 2020 survey commented that they “enjoy hearing other organizations discuss their experience implementing different flavors of the open source projects/software products. As we begin to mature our K8s offering, those conversations are very beneficial. Continue connecting end users and advocating for knowledge sharing and collaboration.” Among respondents, 100% would recommend CNCF to other companies, and the average satisfaction rating was 4.47 out of 5 (89%), up from 4.16 out of 5 in 2019 (83%).
If you are using CNCF projects and meet the definition of an End User, we urge you to join our End User Community so you can participate in this influential group and provide your insights both to fellow end users and to the CNCF community as a whole. If you join, we are confident you will also learn from other end users who are deploying CNCF projects, praised as “a great way to share information between companies.”
End Users and Technical Oversight Committee
During 2020 the number of End User representatives on the TOC doubled from 1 to 2, with representatives from Apple, Spotify, Intuit, and American Express.
Dave Zolotusky from Spotify joined as the new TOC End User Representative. This highlights the importance of End Users to the cloud native community.
End User Projects
2020 has been a successful year for End User-driven projects. Envoy, Jaeger, Prometheus, TUF, and Vitess all continued to grow as graduated projects. Argo and Thanos moved from Sandbox to Incubating. At the Sandbox level, backstage.io and OpenKruise also joined CNCF.
End Users and KubeCon + CloudNativeCon
45% of attendees and 31% of talks came from end user companies, an increase of 10% from KubeCon + CloudNativeCon NA 2019! 12% of attendees came solely from the End User Community, exceeding the goal of 10%. Our keynotes featured The Cloud Native Journey @Apple, an incredible landmark for how far this community has come.
CNCF End User Technology Radar
In June 2020, CNCF launched the End User Technology Radar, a quarterly report on a single topic in cloud native. It is aimed at a technical audience who want to understand what cloud native solutions end users use and recommend.
For each report CNCF surveyed the CNCF End User Community and asked them to place solutions at one of three levels:
- Adopt: The CNCF End User Community can clearly recommend this technology. We have used it for long periods of time in many teams, and it has proven to be stable and useful.
- Trial: The CNCF End User Community has used it with success, and we recommend you have a closer look at the technology.
- Assess: The CNCF End User Community has tried it out, and we find it promising. We recommend having a look at these items when you face a specific need for the technology in your project.
The first three End User Tech Radars explored Continuous Delivery, Observability, and Database Storage. End users appreciated that “Tech radars provide clear data points that are easy to consume. It has worked very well in the community so far and we are happy to participate in it.” The Tech Radars received significant press and analyst coverage including The New Stack (here and here), InfoQ, DevClass, Container Journal, and SiliconANGLE.
End User Training Benefits (Launching January 2021)
One of the biggest concerns for organizations as they transition over to new architectures is the successful adoption and implementation of cloud native technologies. According to the CNCF’s Cloud Native Survey 2020, 27% of respondents indicated a lack of training was one of the biggest challenges in deploying containers.
As a result, CNCF and The Linux Foundation are pleased to announce new training benefits for the CNCF End User Community.
- Our End User Supporters will receive five 100% off coupon codes – a value of up to $2,500 – for any eLearning class, certification exam, or eLearning + Certification exam “bundle” in the Training and Certification Catalog.
- Our End User Members will receive a 15-Seat Starter Pack Subscription to eLearning and certification – a $7,500 value. This means that 15 employees will be able to tap into unlimited access to the entire eLearning catalog and one certification exam for one year.
End User Case Studies
In 2020, we published 17 case studies about a diverse group of end users, spanning the U.S., U.K., India, China, Sweden, El Salvador, Brazil, and Japan, and in industries ranging from software (Zendesk) and telecom (Vodafone) to travel (Booking.com) and government (U.S. Department of Defense).
These end users shared their learnings to benefit the community and help accelerate the adoption of cloud native technologies around the world.
The majority of the published case studies involved organizations that are using multiple CNCF projects in tandem, including not only Kubernetes, but also Fluentd, Prometheus, Envoy, Helm, Jaeger, NATS, Falco, Argo, Harbor, CoreDNS, etcd, gRPC, and Open Policy Agent.
Conferences and Events
CNCF put on its first virtual KubeCon + CloudNativeCon conferences in both Europe (August 17-20) and North America (November 17-20) and reached a record-breaking combined 41,000+ registrants with a 70% attendance rate each! Of this year’s registrants, 72% were first-time attendees at KubeCon + CloudNativeCon Europe and 67% at North America, an indication of rising interest and healthy ecosystem growth.
At each event, attendees had access – both live and on-demand – to over 215 sessions, including keynotes, breakout sessions, tutorials, maintainer track sessions, and the expanded 101 track sessions.
While the pandemic limited our in-person interaction, going virtual allowed CNCF to massively increase its conference reach. North America attendance increased 90% over the prior year’s in-person KubeCon + CloudNativeCon North America event in San Diego.
The CNCF issued a Transparency Report to recap the event; the report included detailed data covering attendee demographics, attendee and speaker diversity, and attendee sentiment on their conference experience. The Transparency Report for KubeCon + CloudNativeCon Europe is also available for 2020. The overall satisfaction scores from attendees were 87% for EU and 90% for NA.
Wellness Activities
We encouraged attendees to “Keep Cloud Native Well” at both KubeCon + CloudNativeCon Virtual events this year. While CNCF makes every effort to ensure the comfort, health, and happiness of KubeCon + CloudNativeCon attendees, there may still be some attendees who feel overwhelmed by the amount of information or from having to stay home while often being secluded from friends, family, and their usual activities.
For our 2020 events, we provided options for attendees to get active, watch some fuzzy friends, and discuss wellness. Activities included:
- Session: Stress & Mental Health in Technology, Dr. Jennifer Akullian, Founder | Psychologist, Growth Coaching Institute
- Access to Open Sourcing Mental Illness (OSMI) handbook (available at NA)
- On-demand desk stretching
- On-demand desk yoga
- On-demand desktop meditation
- Live online puppy + kitty cams
- Keep Cloud Native Well Slack channel for conversations
Training and Certification
CNCF’s training and certification program continued to grow this year.
In 2020, these training courses and exams received considerable interest:
- Kubernetes Massively Open Online Course (MOOC) hit 165,000 enrollments (65% increase from 2019).
- Certified Kubernetes Administrator (CKA) exam hit 37,000 enrollments (121% increase from 2019).
- Certified Kubernetes Application Developer (CKAD) hit 18,300 exam registrations (143% increase from 2019).
- Kubernetes Certified Service Provider (KCSP) program reached 179 certifications in 2020 (38% increase from 2019).
- Kubernetes Training Partner (KTP) program grew to 50 certified companies (40% increase from 2019).
In November 2020, CNCF launched the Certified Kubernetes Security Specialist (CKS) exam. This exam will provide assurance that a certificant has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment, and runtime.
Other courses that CNCF funded in 2020 include:
- Service Mesh Fundamentals
- Managing Kubernetes Applications with Helm
- Cloud Native Logging with Fluent
- Intro to Service Mesh with Linkerd
- Intro to Serverless on Kubernetes
Project Updates and Satisfaction
In 2020, CNCF-hosted projects Helm, Harbor, TiKV, Rook, and etcd advanced to “graduated” status, for a total of 14 projects.
During 2020, Argo, Contour, and Operator Framework joined at the incubating level. Buildpacks, Cortex, Dragonfly, Falco, KubeEdge, SPIFFE/SPIRE, and Thanos joined our 20 incubating projects from the Sandbox level.
Project Maturity Levels
CNCF projects are classified by maturity level, ranging from sandbox to incubating to graduated. CNCF uses these maturity levels to indicate to enterprises the degree of project readiness for enterprise adoption.
Graduated projects are suitable for the vast majority of enterprises. Incubating projects are suitable for early adopters, and sandbox projects are suitable for innovators. Projects increase their maturity level by demonstrating to the TOC that they have attained end user and vendor adoption, established a healthy rate of code commits and codebase changes, and attracted committers from multiple organizations.
All projects must adopt the CNCF Code of Conduct and commit to earning the Core Infrastructure Initiative Best Practices Badge in order to become an accepted CNCF project. Full details are listed in Graduation Criteria v1.1.
In 2020 the CNCF TOC accepted 35 new projects:
CNCF Project Maintainer Survey Results
CNCF conducts a survey of our project maintainers twice a year. The overall satisfaction with CNCF increased in 2020, with an improved satisfaction rating on staff responsiveness. There was a 98% maintainer response rate across projects, and a supermajority of maintainers recommended CNCF as a place to host an open source project.
Project Updates
Many incubation and graduation moves demonstrated steady forward progress for each of these projects:
- Graduations:
- Joined at the Incubation level or moved from Sandbox to Incubation:
Services and Assistance for Projects
CNCF provides a variety of services to our projects to help make them more successful and sustainable.
Events
CNCF continues to invest in CNCF-hosted projects by assisting with their own specialized events. These may be in conjunction with KubeCon + CloudNativeCon or standalone conferences.
CNCF Hosted – Co-located with KubeCon + CloudNativeCon:
- Cloud Native Security Day Europe | 890 registered attendees
- Serverless Practitioners Summit Europe | 496 registered attendees
- ServiceMeshCon Europe | 891 registered attendees
- Cloud Native Security Day North America | 1,606 registered attendees
- OpenTelemetry Community Day North America | 913 registered attendees
- Production Identity Day: SPIFFE + SPIRE North America | 515 registered attendees
- ServiceMeshCon North America | 1,803 registered attendees
CNCF Hosted – Standalone
- Kubernetes Forum Bengaluru (in-person) | 2,121 registered attendees
- Kubernetes Forum Delhi (in-person) | 985 registered attendees
- gRPConf | 506 registered attendees
- PromCon 2020 Virtual | 744 registered attendees
- EnvoyCon 2020 Virtual | 417 registered attendees
- Helm Workshop: v2 to v3 | 306 registered attendees
Documentation, Websites, and Blog Posts
- We issued a series of project journey reports for CNCF graduated projects, including containerd, Fluentd, Helm, and Jaeger.
- 296 blog posts were published in 2020, with a blog readership of 448,493 (21% higher than 2018).
- Top blog posts for 2020:
  - Kubernetes 1.19: The future of traffic ingress and routing (eficode) (23,171 views)
  - The difference between API Gateways and Service Mesh (Kong) (15,871 views)
  - Logging in Kubernetes: EFK vs PLG Stack (MSys Technologies) (14,674 views)
  - Building a Large-scale Distributed Storage System Based on Raft (InfraCloud) (12,976 page views)
  - 9 Kubernetes security best practices everyone must follow (StackRox) (11,012 page views)
- We rebuilt the CNCF website from scratch to accomplish the following goals:
  - Improve the speed of the site, both for browsing and editing content
  - Automate the administration of the site to make it easier to maintain and keep up-to-date
  - Modernize the development process and codebase to facilitate ongoing improvements
  - Improve accessibility
  - Modernize the design
- We added a Community Spotlights content type to highlight contributions from the community, including CNCF ambassadors Paolo Simoes and Queeny Jin, community leaders Paris Pittman and Liz Rice, and project maintainers Torin Sandall and Goutham Veeramachaneni.
- Some projects got brand new websites courtesy of CNCF in 2020:
- Other projects got major documentation/web presence upgrades:
CNCF Service Desk
To improve access to activities and services that CNCF offers to its hosted projects, the CNCF Service Desk serves as a single access point for all CNCF services. If you’re a CNCF project maintainer, all you have to do is visit http://servicedesk.cncf.io to request support.
Community Engagement
The CNCF community spans the world across our contributors, members, meetups, and ambassadors.
CNCF continues to support the development of this incredible cloud native community while also striving to ensure that everyone who participates feels welcome regardless of gender, gender identity, sexual orientation, disability, race, ethnicity, age, religion, or economic status.
In 2020, women and gender non-conforming speakers made up 74% of the keynotes at KubeCon + CloudNativeCon EU Virtual and 52% at KubeCon + CloudNativeCon NA Virtual. At our KubeCon + CloudNativeCon events, there were a number of activities designed to foster the diversity of the cloud native community, including: peer group mentoring and career networking, the EmpowerUs event, a Diversity & Inclusion workshop, KubeCon + CloudNativeCon diversity and need-based scholarships and complimentary registration to CNCF hosted co-located events.
CNCF offered scholarships to 717 diversity applicants from traditionally underrepresented and/or marginalized groups and 185 need-based applicants in 2020. Scholarships and diversity programs were funded by sponsorships from Amazon Web Services, CarGurus, Cloud Native Computing Foundation, ITRenew, Legacy II Cloud, Palo Alto Networks, Two Sigma, and VMware.
Including the 2020 virtual events, CNCF has offered more than 2,300 diversity and need-based scholarships to attend KubeCon + CloudNativeCon and other CNCF hosted events over the course of its life.
Community Awards
Now in their fifth year, the CNCF Community Awards highlighted the most active ambassador and top contributor across all CNCF projects. The awards included:
- Top Cloud Native Committer – an individual with incredible technical skills and notable technical achievements in one or multiple CNCF projects. The 2020 recipient was Ben Elder.
- Top Cloud Native Ambassador – an individual with incredible community-oriented skills, focused on spreading the word and sharing knowledge with the entire cloud native community or within a specific project. The 2020 recipient was Ian Coldwater.
To recognize contributors who spend countless hours completing often mundane tasks, CNCF created the “Chop Wood and Carry Water” awards. CNCF was proud to acknowledge the amazing efforts of five individuals for their outstanding contributions in 2020: Erin Boyd, Josh Berkus, Bridget Kromhout, Matt Fisher, and Richard Hartmann.
We also celebrate the contributions that end users make to our ecosystem, including providing upstream contributions to projects, creating and maintaining open source projects to expand the ecosystem, and providing significant insights into successes and failures. We were thrilled to grant our Top End User Award to Zalando in recognition of its notable contributions to the cloud native ecosystem, including chairing the CNCF Developer Experience SIG.
CNCF Meetups and Community Groups
In 2020, CNCF supported more than 194 Meetup groups in 53 countries, with greater than 158,000 members. In 2020, we experienced a nearly 10% increase in CNCF Meetup members.
CNCF also kicked off the Cloud Native Community Groups program, which will supersede the Meetup program in the future, and will become a single hosting place for the Cloud Native community initiatives.
Kubernetes Community Days Update
In response to the cloud native community’s evolving needs, CNCF launched the Kubernetes Community Days (KCD) program in 2019.
KCDs are community-organized events that gather adopters and technologists from open source and cloud native communities to learn, collaborate, and network.
The goal of the events is to further the adoption and improvement of Kubernetes.
Unfortunately, due to the COVID-19 pandemic, the 2020 KCD events were postponed. CNCF plans to reboot the program in 2021 with the option to run virtual events.
For additional information about the program, please visit the homepage.
CNCF Ambassador Program
Cloud Native Ambassadors (CNAs) are individuals who are passionate about Cloud Native Computing Foundation technology and projects, recognized for their expertise, and willing to help others learn about the framework and community. These individuals are bloggers, influencers, and evangelists. CNCF has 118 CNCF Ambassadors around the globe educating the world on cloud native technologies and best practices.
We accepted 22 new CNCF ambassadors and provided financial support for ambassador-run meetups in 2020. We are excited to have this worldwide group of people with diverse interests, experiences, and technical backgrounds help drive local and global cloud native communities. Please check out the interviews with several of our CNCF ambassadors from the Ambassador Spotlights section on the CNCF homepage.
Community Mentoring and Internships
CNCF proudly supports various mentoring and internship opportunities including the LFX mentorship platform (previously known as Community Bridge), Google Summer of Code (GSoC), Google Season of Docs (GSoD) program, and Outreachy. These programs are important catalysts for internships to have an impact on future technologies that we all depend on.
Students accepted into the GSoC program have the opportunity to work with a mentor and become part of an active open source community. CNCF hosted 20 interns in 2020 (16 of them have graduated) – our largest class ever. Mentors from our community paired with interns and worked with them to help improve CNCF projects. You can find further details here.
Also, 2020 was the first year that CNCF participated in the Google Season of Docs (GSoD) program. GSoD is a mentoring initiative for technical writers; this year the CNCF matched 4 writers with projects and mentors and provided administrative support.
Recently launched by The Linux Foundation, LFX Mentorship aims to sustain open source projects while providing paid opportunities for new developers to join and learn from open source communities. In 2020, CNCF sponsored 50 students during three mentoring cycles to work on 21 CNCF projects.
In November 2020, CNCF partnered with The Linux Foundation and National Center for Women & Information Technology (NCWIT) to launch a new training course, Inclusive Open Source Community Orientation. This course is designed to provide essential background knowledge and practical skills to create an inclusive culture in the open source community.
Ecosystem Tools
CNCF provides various tools to support the cloud native ecosystem.
CNCF Job Board
According to the 2020 Linux Foundation Open Source Jobs Report, cloud and containers continue to grow in popularity and importance; 69% of hiring managers are currently seeking cloud and container expertise, up from 64% in 2018. In response to this demand, CNCF launched its official job board in 2019. Since then, the job board has listed over 1,000 jobs from 2,000+ employers. More than 2,600 job seekers have applied for a job via email or on the site.
The CNCF Job Board is an excellent resource to connect with the world’s top cloud native developers and hire strong candidates. The job board is a free service for both posters and applicants, and CNCF member job openings receive a featured listing. We invite you to post your job, search for candidates, or find your next employment opportunity through the CNCF Job Board.
CNCF Speakers Bureau
Launched in 2018, the CNCF Speakers Bureau helps connect event organizers with speakers who have varied expertise in the cloud native ecosystem. Speakers consist of CNCF ambassadors, meetup organizers, and prominent community members who are willing to speak at events on the topics they are proficient in.
In 2020, CNCF made some exciting updates to the Speakers Bureau page, including the option for CNCF members to bulk email speakers and a powerful faceted search feature.
DevStats
In 2017, CNCF developed DevStats, a tool to visualize various developer and community metrics for Kubernetes and other CNCF-hosted projects, as well as non-CNCF open source projects hosted on a public GitHub repository.
DevStats organizes and displays CNCF-hosted project data using Grafana dashboards. In 2020, we added DevStats API support, so others can connect to DevStats’ APIs and request data programmatically.
CNCF developer Lukasz Gryglicki, the primary developer on DevStats, is responsive to suggestions and pull requests that provide additional insights into the development of CNCF’s hosted projects.
CNCF Landscape and Cloud Native Trail Map
The CNCF Cloud Native Landscape has become the standard way of charting the myriad options in the cloud native ecosystem. The landscape started in November 2016 as a static image of fewer than 100 projects and products. In 2020, it has grown through the power of collaborative editing to track more than 1,500 projects, products, and companies and includes a serverless landscape and the CNCF member landscape. The project has nearly 7,000 stars on GitHub.
The Cloud Native Landscape 2.0 is an interactive version that allows viewers to filter, obtain detailed information on a specific project or technology, and easily share via stateful URLs. The landscape also captures funding and financing information for companies that are fostering and building businesses around cloud native technologies. The code used to generate the interactive landscape is open source with the data stored in a yaml file. Every night, a server downloads updated GitHub data, financing information from Crunchbase, market cap data from Yahoo Finance, and CII Best Practices Badge information.
The Cloud Native Trailmap continues to show a path for organizations to adopt the graduated and incubating projects hosted by CNCF.
CNCF Open Source Security Audits
In 2018, the CNCF began performing and open sourcing security audits for its projects to improve the security of our ecosystem.
The goal was to audit several projects and gather feedback from the CNCF community as to whether the pilot program was useful. The first projects to undergo this process were Kubernetes, CoreDNS, and Envoy. In 2019, CNCF invested in security audits for Vitess, Jaeger, Fluentd, Linkerd, Falco, Harbor, gRPC, Helm, and Kubernetes, totaling approximately half a million dollars. These first public audits identified a variety of security issues, ranging from general weaknesses to critical vulnerabilities. Project maintainers for CoreDNS, Envoy, and Prometheus have addressed the identified vulnerabilities and added documentation to help users, thus improving the security of these projects.
With funds provided by the CNCF community to conduct the Kubernetes security audit, the Security Audit Working Group was formed to lead the process of finding a reputable third-party vendor. The group created an open request for proposals. The group took responsibility for evaluating the proposals and recommending the vendor best suited to complete a security assessment against Kubernetes, bearing in mind the project’s high complexity and broad scope.
This audit process was partially inspired by the Core Infrastructure Initiative (CII) Best Practices Badge program that all CNCF projects are required to complete. Provided by the Linux Foundation, this badge offers a clear and easy-to-understand way for open source projects to show that they follow security best practices. Adopters of open source software can use the badge to quickly assess which open source projects are following best practices, and as a result, are more likely to produce higher-quality, secure software.
Findings from the Kubernetes audit conducted over a few months revealed:
- Key security policies may not be applied, leading to a false sense of security.
- Insecure TLS is in use by default.
- Credentials are exposed in environment variables and command-line arguments.
- Names of secrets are leaked in logs.
- Kubernetes lacked certificate revocation.
- seccomp is not enabled by default.
By open sourcing security audits and processes, the working group hopes to inspire other projects to undertake similar efforts in their respective open source communities. Full findings and recommendations from the audits are listed here.
Growth in China
CNCF continues to grow the cloud native community in China. CNCF’s first virtual event in China, Cloud Native + Open Source Virtual Summit China 2020, attracted 5,800+ attendees.
CNCF has grown from a few members in China in 2015 to over 50 in 2020. That number includes four Platinum (20% of Platinum members), six Gold (27% of Gold members), 55 Silver (nearly 8% of Silver members), and two End User Supporters (2% of End User Supporters). China now represents more than 8% of the CNCF total membership. China remains the third-largest contributor to CNCF projects (in terms of contributors and committers) after the United States and Germany.
According to the Cloud Native Survey China 2019, released this year, cloud native is continuing its growth in China, especially in production. Some 49% of respondents now use containers in production, with another 32% planning to do so. This is a significant increase from November 2018 when only 20% used containers in production. Further, 72% of respondents in China use Kubernetes in production, up from 40% in November 2018. We are in the process of conducting the Chinese survey for 2020, and will release the results early next year.
Among Chinese contributors to CNCF-hosted projects, Huawei and PingCAP led the way with 66,554 and 84,816 contributions, respectively, and are the sixth- and eighth-largest contributors overall. CNCF also hosts 11 CNCF projects that were born in China: BFE (Baidu), Chaos Mesh (PingCAP), ChubaoFS (JD.com), CNI-Genie (Huawei), Dragonfly (Alibaba), Harbor (VMware China), KubeEdge (Huawei), OpenKruise (Alibaba), OpenYurt (Alibaba), TiKV (PingCAP), and Volcano (Huawei).
Our Chinese community participated in a variety of certification programs and case studies in 2020, including 17% of KCSPs, 16% of KTPs, and 24% of Certified Kubernetes Conformance companies. To help showcase best practices for this community, we published two Chinese case studies in 2020, featuring China Minsheng Bank and Platinum end user member JD.com.
CNCF, in partnership with Alibaba, continues to offer the free Kubernetes and Cloud Native course that was launched in 2019 in China.
We’re excited to build on this success by hosting a KubeCon + CloudNativeCon China event in 2021.
Looking Forward to 2021
CNCF remains the fastest-growing foundation in the history of open source. The success of CNCF is directly attributable to our projects, the contributions of the community, our end users, and support from our member companies. Thank you!
As we look to 2021 and beyond, we remain committed to fostering and sustaining an ecosystem of open source, vendor-neutral projects, and to making technology accessible for everyone. To thrive, we believe CNCF must continue to provide a neutral home for projects, encourage diversity, and continue to cultivate community. All three are crucial elements for growth.
By continuing a wide array of initiatives, such as security audits, project journey reports, and documentation improvements, we are investing in the community to strengthen the cloud native ecosystem. We will continue with our core strategy of focusing on the developer community, helping developers progress into contributor and maintainer roles, and offering educational opportunities for those looking to grow and learn.
Previously, in-person learning opportunities were offered at our flagship KubeCon + CloudNativeCon events. We are now aggressively expanding these learning opportunities through virtual and hybrid events. We plan to expand our events, especially community ones, in 2021 to continue supporting community learning.
Our sincere hope is that the CNCF community will continue to evolve as more and more new people join the ecosystem, thus furthering diversity and collaboration. We see signs of this as first-time attendees made up 69% of KubeCon + CloudNativeCon North America Virtual 2020. In 2021, we will also be launching a member referral program that will help support the growth and diversity of our community.
We also will continue to emphasize the growth of our end user community, with new initiatives such as the CNCF End User Technology Radar sharing the real experiences, feedback, and opinions of end users. We will continue our work to bring end users together to discuss best practices in the Telco, Research, and Financial Services sectors.
In summary, 2020 was an exceptional year for CNCF. We are well-positioned financially and organizationally to continue our mission to make cloud native computing ubiquitous and the de facto standard for software development and usage. We look forward to having you join us on this journey as we look to 2021 and beyond.
We are working diligently to iterate on our strategy for 2021. For the latest updates, please see the CNCF blog.