├── .gitignore ├── LICENSE ├── README.md ├── SECURITY.md ├── images └── maturity-diagram.png ├── jobs.md └── process └── graduation_guidelines.md /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.suo 8 | *.user 9 | *.userosscache 10 | *.sln.docstates 11 | 12 | # User-specific files (MonoDevelop/Xamarin Studio) 13 | *.userprefs 14 | 15 | # Build results 16 | [Dd]ebug/ 17 | [Dd]ebugPublic/ 18 | [Rr]elease/ 19 | [Rr]eleases/ 20 | x64/ 21 | x86/ 22 | bld/ 23 | [Bb]in/ 24 | [Oo]bj/ 25 | [Ll]og/ 26 | 27 | # Visual Studio 2015/2017 cache/options directory 28 | .vs/ 29 | # Uncomment if you have tasks that create the project's static files in wwwroot 30 | #wwwroot/ 31 | 32 | # Visual Studio 2017 auto generated files 33 | Generated\ Files/ 34 | 35 | # MSTest test Results 36 | [Tt]est[Rr]esult*/ 37 | [Bb]uild[Ll]og.* 38 | 39 | # NUNIT 40 | *.VisualState.xml 41 | TestResult.xml 42 | 43 | # Build Results of an ATL Project 44 | [Dd]ebugPS/ 45 | [Rr]eleasePS/ 46 | dlldata.c 47 | 48 | # Benchmark Results 49 | BenchmarkDotNet.Artifacts/ 50 | 51 | # .NET Core 52 | project.lock.json 53 | project.fragment.lock.json 54 | artifacts/ 55 | **/Properties/launchSettings.json 56 | 57 | # StyleCop 58 | StyleCopReport.xml 59 | 60 | # Files built by Visual Studio 61 | *_i.c 62 | *_p.c 63 | *_i.h 64 | *.ilk 65 | *.meta 66 | *.obj 67 | *.iobj 68 | *.pch 69 | *.pdb 70 | *.ipdb 71 | *.pgc 72 | *.pgd 73 | *.rsp 74 | *.sbr 75 | *.tlb 76 | *.tli 77 | *.tlh 78 | *.tmp 79 | *.tmp_proj 80 | *.log 81 | *.vspscc 82 | *.vssscc 83 | .builds 84 | *.pidb 85 | *.svclog 86 | *.scc 87 | 88 | # Chutzpah Test files 89 | _Chutzpah* 90 | 91 | # Visual C++ cache files 92 | ipch/ 93 | *.aps 94 | *.ncb 95 | *.opendb 96 | 
*.opensdf 97 | *.sdf 98 | *.cachefile 99 | *.VC.db 100 | *.VC.VC.opendb 101 | 102 | # Visual Studio profiler 103 | *.psess 104 | *.vsp 105 | *.vspx 106 | *.sap 107 | 108 | # Visual Studio Trace Files 109 | *.e2e 110 | 111 | # TFS 2012 Local Workspace 112 | $tf/ 113 | 114 | # Guidance Automation Toolkit 115 | *.gpState 116 | 117 | # ReSharper is a .NET coding add-in 118 | _ReSharper*/ 119 | *.[Rr]e[Ss]harper 120 | *.DotSettings.user 121 | 122 | # JustCode is a .NET coding add-in 123 | .JustCode 124 | 125 | # TeamCity is a build add-in 126 | _TeamCity* 127 | 128 | # DotCover is a Code Coverage Tool 129 | *.dotCover 130 | 131 | # AxoCover is a Code Coverage Tool 132 | .axoCover/* 133 | !.axoCover/settings.json 134 | 135 | # Visual Studio code coverage results 136 | *.coverage 137 | *.coveragexml 138 | 139 | # NCrunch 140 | _NCrunch_* 141 | .*crunch*.local.xml 142 | nCrunchTemp_* 143 | 144 | # MightyMoose 145 | *.mm.* 146 | AutoTest.Net/ 147 | 148 | # Web workbench (sass) 149 | .sass-cache/ 150 | 151 | # Installshield output folder 152 | [Ee]xpress/ 153 | 154 | # DocProject is a documentation generator add-in 155 | DocProject/buildhelp/ 156 | DocProject/Help/*.HxT 157 | DocProject/Help/*.HxC 158 | DocProject/Help/*.hhc 159 | DocProject/Help/*.hhk 160 | DocProject/Help/*.hhp 161 | DocProject/Help/Html2 162 | DocProject/Help/html 163 | 164 | # Click-Once directory 165 | publish/ 166 | 167 | # Publish Web Output 168 | *.[Pp]ublish.xml 169 | *.azurePubxml 170 | # Note: Comment the next line if you want to checkin your web deploy settings, 171 | # but database connection strings (with potential passwords) will be unencrypted 172 | *.pubxml 173 | *.publishproj 174 | 175 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 176 | # checkin your Azure Web App publish settings, but sensitive information contained 177 | # in these scripts will be unencrypted 178 | PublishScripts/ 179 | 180 | # NuGet Packages 181 | *.nupkg 182 | # The packages folder can be ignored because of Package Restore 183 | **/[Pp]ackages/* 184 | # except build/, which is used as an MSBuild target. 185 | !**/[Pp]ackages/build/ 186 | # Uncomment if necessary however generally it will be regenerated when needed 187 | #!**/[Pp]ackages/repositories.config 188 | # NuGet v3's project.json files produces more ignorable files 189 | *.nuget.props 190 | *.nuget.targets 191 | 192 | # Microsoft Azure Build Output 193 | csx/ 194 | *.build.csdef 195 | 196 | # Microsoft Azure Emulator 197 | ecf/ 198 | rcf/ 199 | 200 | # Windows Store app package directories and files 201 | AppPackages/ 202 | BundleArtifacts/ 203 | Package.StoreAssociation.xml 204 | _pkginfo.txt 205 | *.appx 206 | 207 | # Visual Studio cache files 208 | # files ending in .cache can be ignored 209 | *.[Cc]ache 210 | # but keep track of directories ending in .cache 211 | !*.[Cc]ache/ 212 | 213 | # Others 214 | ClientBin/ 215 | ~$* 216 | *~ 217 | *.dbmdl 218 | *.dbproj.schemaview 219 | *.jfm 220 | *.pfx 221 | *.publishsettings 222 | orleans.codegen.cs 223 | 224 | # Including strong name files can present a security risk 225 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 226 | #*.snk 227 | 228 | # Since there are multiple workflows, uncomment next line to ignore bower_components 229 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 230 | #bower_components/ 231 | 232 | # RIA/Silverlight projects 233 | Generated_Code/ 234 | 235 | # Backup & report files from converting an old project file 236 | # to a newer Visual Studio version. 
Backup files are not needed, 237 | # because we have git ;-) 238 | _UpgradeReport_Files/ 239 | Backup*/ 240 | UpgradeLog*.XML 241 | UpgradeLog*.htm 242 | ServiceFabricBackup/ 243 | *.rptproj.bak 244 | 245 | # SQL Server files 246 | *.mdf 247 | *.ldf 248 | *.ndf 249 | 250 | # Business Intelligence projects 251 | *.rdl.data 252 | *.bim.layout 253 | *.bim_*.settings 254 | *.rptproj.rsuser 255 | 256 | # Microsoft Fakes 257 | FakesAssemblies/ 258 | 259 | # GhostDoc plugin setting file 260 | *.GhostDoc.xml 261 | 262 | # Node.js Tools for Visual Studio 263 | .ntvs_analysis.dat 264 | node_modules/ 265 | 266 | # Visual Studio 6 build log 267 | *.plg 268 | 269 | # Visual Studio 6 workspace options file 270 | *.opt 271 | 272 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 273 | *.vbw 274 | 275 | # Visual Studio LightSwitch build output 276 | **/*.HTMLClient/GeneratedArtifacts 277 | **/*.DesktopClient/GeneratedArtifacts 278 | **/*.DesktopClient/ModelManifest.xml 279 | **/*.Server/GeneratedArtifacts 280 | **/*.Server/ModelManifest.xml 281 | _Pvt_Extensions 282 | 283 | # Paket dependency manager 284 | .paket/paket.exe 285 | paket-files/ 286 | 287 | # FAKE - F# Make 288 | .fake/ 289 | 290 | # JetBrains Rider 291 | .idea/ 292 | *.sln.iml 293 | 294 | # CodeRush 295 | .cr/ 296 | 297 | # Python Tools for Visual Studio (PTVS) 298 | __pycache__/ 299 | *.pyc 300 | 301 | # Cake - Uncomment if you are using it 302 | # tools/** 303 | # !tools/packages.config 304 | 305 | # Tabs Studio 306 | *.tss 307 | 308 | # Telerik's JustMock configuration file 309 | *.jmconfig 310 | 311 | # BizTalk build output 312 | *.btp.cs 313 | *.btm.cs 314 | *.odx.cs 315 | *.xsd.cs 316 | 317 | # OpenCover UI analysis results 318 | OpenCover/ 319 | 320 | # Azure Stream Analytics local run output 321 | ASALocalRun/ 322 | 323 | # MSBuild Binary and Structured Log 324 | *.binlog 325 | 326 | # NVidia Nsight GPU debugger configuration file 327 | *.nvuser 328 | 329 | # MFractors 
(Xamarin productivity tool) working folder 330 | .mfractor/ 331 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) Microsoft Corporation. All rights reserved. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Azure Core Container Upstream Projects 2 | 3 | This list of projects is maintained by the Azure Core Container Upstream team. This list is intended to help you make informed decisions about what projects to use (or not use) in the context of your goals (e.g. proof of concept vs. production). 
To make this decision you need to consider your goals, your need for formal support, the project's [maturity](#Maturity), governance, version level, and your willingness to work in open source. 4 | 5 | ## Support 6 | 7 | Projects listed on this page are open source projects that Microsoft maintains or contributes to. These projects are [**NOT** covered by the Microsoft Azure support policy](https://support.microsoft.com/en-us/help/2941892/support-for-linux-and-open-source-technology-in-azure). To get help, please search the open issues on the project using the links in the table. To communicate with the Azure Container Compute Upstream team, please use the [issues](https://github.com/Azure/container-compute-upstream/issues) in this repo. If your issue isn't already represented, please open a new one. However, if you consume one of these projects as a part of a Microsoft or Azure product or service, you may be eligible for [support through that product or service](https://support.microsoft.com/en-us/hub/4343728/support-for-business). 8 | 9 | ## Project list 10 | 11 | | Project Area | Project & (artifacts) | Goal | Project State &
API Version | Communication | Use on Azure | 12 | | ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 13 | | Kubernetes Cluster Management | | | | | 14 | | | [Cluster API Azure Provider](https://sigs.k8s.io/cluster-api-provider-azure)
([releases](https://github.com/kubernetes-sigs/cluster-api-provider-azure/releases))
[Tests](https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api-provider-azure) | Self-managed clusters on Azure using Cluster API | CNCF: incubating
API: v1alpha4 | [#cluster-api-azure](https://kubernetes.slack.com/archives/CEX9HENG7)
[kubernetes-sig-cluster-lifecycle@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-sig-cluster-lifecycle)
[GitHub issues](https://github.com/kubernetes-sigs/cluster-api-provider-azure/issues) | | 15 | | | [Image Builder](https://sigs.k8s.io/image-builder)
([releases](https://github.com/kubernetes-sigs/image-builder/releases))
[Tests](https://testgrid.k8s.io/sig-cluster-lifecycle-image-builder) | Tools for building Kubernetes disk images | | [#image-builder](https://kubernetes.slack.com/archives/C01E0Q35A8J)
[kubernetes-sig-cluster-lifecycle@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-sig-cluster-lifecycle)
[GitHub issues](https://github.com/kubernetes-sigs/image-builder/issues) | | 16 | | | [Cluster API Add-on Provider for Helm](https://sigs.k8s.io/cluster-api-addon-provider-helm)
([releases](https://github.com/kubernetes-sigs/cluster-api-addon-provider-helm/releases))
[Tests](https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api-addon-provider-helm) | Use Helm charts to manage the installation and lifecycle of Cluster API add-ons. | CNCF: incubating
API: v1alpha1 | [#cluster-api](https://kubernetes.slack.com/archives/C8TSNPY4T)
[kubernetes-sig-cluster-lifecycle@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-sig-cluster-lifecycle)
[GitHub issues](https://github.com/kubernetes-sigs/cluster-api-addon-provider-helm/issues) | | 17 | | | [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler)
([releases](https://github.com/kubernetes/autoscaler/releases?q=cluster-autoscaler))
[Tests](https://testgrid.k8s.io/sig-autoscaling-cluster-autoscaler) | Cluster Autoscaler is a tool that automatically adjusts the size of the Kubernetes cluster. | Kubernetes: stable | [#sig-autoscaling](https://kubernetes.slack.com/archives/C09R1LV8S)
[kubernetes-sig-autoscaling@googlegroups.com](https://groups.google.com/g/kubernetes-sig-autoscaling)
[GitHub issues](https://github.com/kubernetes/autoscaler/labels/area%2Fcluster-autoscaler) | | 18 | | | [Cluster Autoscaler Provider Azure](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider/azure)
([releases](https://github.com/kubernetes/autoscaler/releases?q=cluster-autoscaler))
[Tests](https://testgrid.k8s.io/sig-autoscaling-cluster-autoscaler) | Azure provider for running Cluster Autoscaler on AKS and Azure self-managed clusters. | Kubernetes: stable | [#sig-autoscaling](https://kubernetes.slack.com/archives/C09R1LV8S)
[kubernetes-sig-autoscaling@googlegroups.com](https://groups.google.com/g/kubernetes-sig-autoscaling)
[GitHub issues](https://github.com/kubernetes/autoscaler/pulls?q=is%3Aopen+is%3Apr+label%3Aarea%2Fprovider%2Fazure) | | 19 | | | [Multi-Cluster Service APIs (MCS)](https://github.com/kubernetes-sigs/mcs-api)
([releases](https://github.com/kubernetes-sigs/mcs-api/releases)) | Kubernetes standard APIs for multi-cluster service controller implementations. | Kubernetes: alpha | [#sig-multicluster](https://kubernetes.slack.com/archives/C09R1PJR3)
[kubernetes-sig-multicluster@googlegroups.com](https://groups.google.com/g/kubernetes-sig-multicluster)
[GitHub issues](https://github.com/kubernetes-sigs/mcs-api/issues) | | 20 | | Kubernetes Enhancements | | | | | 21 | | | [Windows containers](https://kubernetes.io/docs/setup/production-environment/windows/intro-windows-in-kubernetes/)
([kubernetes releases](https://github.com/kubernetes/kubernetes/releases))
[Tests](https://testgrid.k8s.io/sig-windows#aks-engine-azure-1-17-windows) | Run Windows server containers with Kubernetes | Kubernetes: stable
API: N/A | [#sig-windows](https://kubernetes.slack.com/archives/C0SJ4AFB7)
[kubernetes-sig-windows@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-sig-windows)
[Windows Community Forum](https://discuss.kubernetes.io/c/general-discussions/windows)
[GitHub issues](https://github.com/kubernetes/kubernetes/issues?q=is%3Aissue+is%3Aopen+label%3Asig%2Fwindows+) |
  • [AKS Windows](https://docs.microsoft.com/en-us/azure/aks/windows-container-cli)
  • | 22 | | | [IPv4/v6 Dual-Stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/)
    ([kubernetes releases](https://github.com/kubernetes/kubernetes/releases))
    [Tests](https://testgrid.k8s.io/provider-azure-dualstack) | IPv4/IPv6 dual-stack enables the allocation of both IPv4 and IPv6 addresses to Pods and Services. | Kubernetes:
    IPv6: beta
    Dual-stack: GA | [#sig-network](https://kubernetes.slack.com/archives/C09QYUH5W)
    [kubernetes-sig-network@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-sig-network)
    [GitHub issues](https://github.com/kubernetes/kubernetes/labels/area%2Fipv6) |
  • [Use dual-stack with AKS](https://docs.microsoft.com/en-us/azure/aks/configure-kubenet-dual-stack)
  • | 23 | | | [KMSv2](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements)
    ([blog (alpha)](https://kubernetes.io/blog/2022/09/09/kms-v2-improvements/)
    [blog (beta)](https://kubernetes.io/blog/2023/05/16/kms-v2-moves-to-beta/)) | Encryption at rest of Kubernetes data in etcd using Key Management Service (KMS) v2 API | Kubernetes: GA
    API: v2 | [#sig-auth-kms-dev](https://kubernetes.slack.com/archives/C03035EH4VB)
    [GitHub issues](https://github.com/kubernetes/kubernetes/issues) | | 24 | | | [Structured Authentication Configuration](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3331-structured-authentication-configuration)
    ([blog (beta)](https://kubernetes.io/blog/2024/04/25/structured-authentication-moves-to-beta/)) | Structured authentication configuration in the Kubernetes API server. Initially, only a `jwt` configuration will be supported, which will serve as the next iteration of the existing OIDC authenticator. | Kubernetes: beta
    API: v1beta1 | [#sig-auth-authenticators-dev](https://kubernetes.slack.com/archives/C04UMAUC4UA)
    [GitHub issues](https://github.com/kubernetes/kubernetes/issues) | | 25 | | | [Structured Authorization Configuration](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3221-structured-authorization-configuration)
    ([blog (beta)](https://kubernetes.io/blog/2024/04/26/multi-webhook-and-modular-authorization-made-much-easier/)) | Structured authorization configuration in the Kubernetes API server, introducing a more structured and versatile way to configure the authorization chain, focusing on enabling multiple webhooks and providing explicit control mechanisms. | Kubernetes: beta
    API: v1beta1 | [#sig-auth-authorizers-dev](https://kubernetes.slack.com/archives/C05EZFX1Z2L)
    [GitHub issues](https://github.com/kubernetes/kubernetes/issues) | | 26 | | | [Move Storage Version Migrator in-tree](https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/4192-svm-in-tree) | Move storage version migrator in-tree to make it easy for users to perform storage migrations. | Kubernetes: alpha
    API: v1alpha1 | [#sig-api-machinery-storageversion-dev](https://kubernetes.slack.com/archives/C06S7LHB06B)
    [GitHub issues](https://github.com/kubernetes/kubernetes/issues) | | 27 | | Cloud Native Governance and Security | | | | | 28 | | | [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper)
    ([releases](https://github.com/open-policy-agent/gatekeeper/releases)) | K8s native Open Policy Agent policy enforcement | Azure: GA (AKS and Arc)
    CNCF: graduated
    API: Config: v1alpha1; ConstraintTemplate: v1; Constraints: v1beta1; Mutation: v1; External Data: v1beta1 | [#kubernetes-policy](https://openpolicyagent.slack.com/archives/CDTN970AX)
    [GitHub issues](https://github.com/open-policy-agent/gatekeeper/issues) |
  • [Azure Policy for AKS](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/rego-for-aks)
  • [Azure Policy for Azure Arc connected clusters](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-add-on-for-azure-arc-enabled-kubernetes)
  • | 29 | | | [Secrets Store CSI Driver](http://sigs.k8s.io/secrets-store-csi-driver)
    ([releases](https://github.com/kubernetes-sigs/secrets-store-csi-driver/releases))
    [Builds](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver) | Integrates secrets stores with Kubernetes via a [Container Storage Interface (CSI)](https://kubernetes-csi.github.io/docs/) volume | Kubernetes: GA
    API: v1 | [#csi-secrets-store](https://kubernetes.slack.com/messages/csi-secrets-store)
    [GitHub issues](https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues) | | 30 | | | [Azure KeyVault Provider for Secrets Store CSI Driver](https://github.com/Azure/secrets-store-csi-driver-provider-azure)
    ([releases](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases)) | Enables mounting AKV secrets as volumes in K8s pods | Azure: GA (AKS and Arc)
    API: N/A | [GitHub issues](https://github.com/Azure/secrets-store-csi-driver-provider-azure/issues) | [Use with AKS](https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#use-azure-key-vault-with-secrets-store-csi-driver) | 31 | | | [KMS Plugin for Key Vault](https://github.com/Azure/kubernetes-kms)
    ([releases](https://github.com/Azure/kubernetes-kms/releases)) | Enables encryption at rest of Kubernetes data in etcd using Azure Key Vault | Azure: GA (AKS)
    API: N/A | [GitHub issues](https://github.com/Azure/kubernetes-kms/issues) | [Use with AKS](https://docs.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption) | 32 | | | [Azure Workload Identity](https://github.com/Azure/azure-workload-identity)
    ([releases](https://github.com/Azure/azure-workload-identity/releases)) | Uses Kubernetes primitives to associate managed identities for Azure resources and identities in Azure Active Directory (AAD) with pods based on [Workload Identity federation](https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation) | Azure: GA (AKS)
    API: N/A | [GitHub issues](https://github.com/Azure/azure-workload-identity/issues) | [How to use (OSS)](https://azure.github.io/azure-workload-identity/docs/installation.html)
    [How to use (AKS)](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview) | 33 | | | [Eraser](https://github.com/Azure/eraser)
    ([releases](https://github.com/Azure/eraser/releases)) | Cleaning up images from Kubernetes nodes | CNCF: sandbox
    Azure: GA (AKS)
    API: v1 | [#eraser](https://kubernetes.slack.com/archives/C03Q8KV8YQ4)
    [GitHub issues](https://github.com/Azure/eraser/issues) | [How to use (OSS)](https://github.com/Azure/eraser#getting-started)
    [How to use (AKS)](https://learn.microsoft.com/en-us/azure/aks/image-cleaner?tabs=azure-cli) | 34 | | | [Copacetic](https://github.com/project-copacetic/copacetic) ([releases](https://github.com/project-copacetic/copacetic/releases)) | CLI tool for directly patching container images using reports from vulnerability scanners | CNCF: sandbox | [#copa](https://cloud-native.slack.com/archives/C071UU5QDKJ)
    [GitHub issues](https://github.com/project-copacetic/copacetic/issues) | [How to use](https://project-copacetic.github.io/copacetic/website/) | 35 | | | [DALEC](https://github.com/Azure/dalec) ([releases](https://github.com/Azure/dalec/releases)) | Produce secure packages and containers with declarative configurations | Azure: incubating | [GitHub issues](https://github.com/Azure/dalec/issues) | [How to use](https://azure.github.io/dalec/) | 36 | | Cloud Native Service Mesh | | | | | 37 | | | [Istio](https://istio.io/) | The leading service mesh on Kubernetes | CNCF: graduated
    APIs: [experimental, alpha, beta, stable](https://istio.io/latest/docs/releases/feature-stages/)| [Istio Slack](https://slack.istio.io/)
    [GitHub issues](https://github.com/istio/istio/issues) | [Deploy Istio addon on AKS](https://learn.microsoft.com/en-us/azure/aks/istio-deploy-addon) | 38 | | | [Gateway API](https://gateway-api.sigs.k8s.io/) | A sig-network subproject that establishes a specification for service networking in Kubernetes (ingress and service mesh) | Kubernetes: v1beta
    APIs: [Standard and Experimental](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=version#release-channels)| [#gateway-api in Kubernetes Slack](https://kubernetes.slack.com/archives/CR0H13KGA)
    [GitHub issues](https://github.com/kubernetes-sigs/gateway-api/issues) | [Use application gateway for containers](https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/overview) | 39 | | | [Envoy Proxy](https://www.envoyproxy.io/) | A high performance, cloud-native proxy | CNCF: graduated | [Envoy Slack](https://envoyproxy.slack.com)
    [GitHub issues](https://github.com/envoyproxy/envoy/issues) | 40 | | Container Runtime | | | | | | 41 | | | [Moby](https://github.com/moby/moby)
    ([releases](https://github.com/moby/moby/releases)) | Toolkit for app containerization | | [#opencontainers](https://opencontainers.slack.com/archives/C0LQVA03W)
    [Moby Forums](https://forums.mobyproject.org/)
    [GitHub issues](https://github.com/moby/moby/issues) |
  • [Azure Kubernetes Service](https://docs.microsoft.com/en-us/azure/aks/)
  • [Azure Stack Hub](https://docs.microsoft.com/en-us/azure-stack/user/azure-stack-kubernetes-aks-engine-overview)
  • many more
  • | 42 | | | [Containerd](https://github.com/containerd/containerd)
    ([releases](https://github.com/containerd/containerd/releases)) | Complete container lifecycle management on Linux and Windows hosts | CNCF: graduated
    API: N/A | [#opencontainers](https://opencontainers.slack.com/archives/C0LQVA03W)
    [dev@opencontainers.org](https://groups.google.com/a/opencontainers.org/forum/#!forum/dev)
    [GitHub issues](https://github.com/containerd/containerd/issues) |
  • [Use with AKS](https://docs.microsoft.com/en-us/azure/aks/cluster-configuration#container-runtime-configuration)
  • | 43 | | | [Containerd runwasi](https://github.com/containerd/runwasi)
    ([releases](https://github.com/containerd/runwasi/releases)) | Facilitates running Wasm / WASI workloads managed by containerd | CNCF: alpha | [#runwasi](https://opencontainers.slack.com/archives/C0LQVA03W)
    [GitHub issues](https://github.com/containerd/runwasi/issues) |
  • [Docker Desktop](https://docs.docker.com/desktop/wasm/)
  • | 44 | | | [Containerd Wasm Shims](https://github.com/deislabs/containerd-wasm-shims)
    ([releases](https://github.com/deislabs/containerd-wasm-shims/releases)) | containerd shims for running WebAssembly workloads in Kubernetes | DeisLabs: alpha | [#GitHub Issues](https://github.com/deislabs/containerd-wasm-shims/issues) |
  • [Docker Desktop](https://docs.docker.com/desktop/wasm/)
  • [AKS WASI Node Pools](https://learn.microsoft.com/en-us/azure/aks/use-wasi-node-pools)
  • | 45 | | Platforms | | | | | | 46 | | | [Brigade](https://brigade.sh) | Event-driven scripting for Kubernetes | CNCF: Archived
    API: v2 | [#brigade channel on Kubernetes Slack](https://slack.brigade.sh)
    [GitHub Issues](https://github.com/brigadecore/brigade/issues) | | 47 | | Deployment Tools | | | | | | 48 | | | [Porter](https://porter.sh) | Package your application artifact, client tools, configuration and deployment logic together as a versioned bundle that you can distribute, and then install with a single command | CNCF: Sandbox
    Stable: v0.38.x Prerelease: [v1.0.0-alpha](https://porter.sh/board/?card_filter_query=milestone:"1.0") | [Mailing list, slack, etc](https://porter.sh/community/)
    [Project Board](https://porter.sh/board/) | [Azure Service Operator](https://github.com/Azure/azure-service-operator), [Azure Trusted Research Environments](https://microsoft.github.io/AzureTRE/) | 49 | | | [CNAB Specification](https://cnab.io) | Cloud Native Application Bundle Specification implemented by Porter | Spec: 1.1 | [#cnab on CNCF Slack](https://cloud-native.slack.com/archives/CEX1W7WMD)
    [Issues](https://github.com/cnabio/cnab-spec/issues) | | 50 | | Web Assembly / WASI | | | | | | 51 | | | [Hyperlight-Wasm](https://github.com/hyperlight-dev/hyperlight-wasm) | hyperlight-wasm is a Rust library crate that enables Wasm modules and components to be run inside a lightweight virtual-machine-backed sandbox. It is built on top of Hyperlight. | CNCF Sandbox | [GitHub Issues](https://github.com/hyperlight-dev/hyperlight-wasm/issues) | | 52 | | Virtualization | | | | | | 53 | | | [Hyperlight](https://github.com/hyperlight-dev/hyperlight) | Hyperlight is a lightweight Virtual Machine Manager (VMM) designed to be embedded within applications. It enables safe execution of untrusted code within micro virtual machines with very low latency and minimal overhead. | CNCF Sandbox | #Hyperlight
    [GitHub Issues](https://github.com/hyperlight-dev/hyperlight/issues) | | 54 | | Past Projects | | | | | | 55 | | | [AKS Engine](https://github.com/Azure/aks-engine)
    ([releases](https://github.com/Azure/aks-engine/releases)) | Self-managed clusters on Azure | Azure: Deprecated. Consider using [AKS](https://azure.microsoft.com/en-us/services/kubernetes-service/) or [Cluster API Azure Provider](https://sigs.k8s.io/cluster-api-provider-azure)
    | | 56 | | | [Virtual Kubelet](https://github.com/virtual-kubelet/virtual-kubelet/)
    ([releases](https://github.com/virtual-kubelet/virtual-kubelet/releases)) | Enable services to masquerade as kubelet - serverless | CNCF: sandbox
    API: N/A | [#virtual-kubelet](https://kubernetes.slack.com/archives/C8YU1QP8W)
    [GitHub issues](https://github.com/virtual-kubelet/virtual-kubelet/issues) | [AKS Virtual Nodes](https://docs.microsoft.com/en-us/azure/aks/virtual-nodes-cli) | 57 | | | [AAD Pod Identity](https://github.com/Azure/aad-pod-identity)
    ([releases](https://github.com/Azure/aad-pod-identity/releases)) | Enables K8s applications to access cloud resources securely with Azure Active Directory | Azure: Archived
    API: v1 | [GitHub issues](https://github.com/Azure/aad-pod-identity/issues)
    [GitHub Project](https://github.com/Azure/aad-pod-identity/projects/3) | [Use with AKS](https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#use-pod-managed-identities) | 58 | | | [Service Mesh Interface (SMI) Spec](https://smi-spec.io/) | A standard interface for service meshes on Kubernetes | Deprecated; consider using [Gateway API](https://gateway-api.sigs.k8s.io/) | [#smi](https://cloud-native.slack.com/messages/smi)
    [GitHub issues](https://github.com/servicemeshinterface/smi-spec/issues) | 59 | | | [Open Service Mesh (OSM)](https://openservicemesh.io/) | A lightweight, extensible, cloud native service mesh | Deprecated; consider using [Istio](https://istio.io/) | [#openservicemesh](https://cloud-native.slack.com/archives/C018794NV1C)
    [GitHub issues](https://github.com/openservicemesh/osm/issues) | | 60 | ## Maturity 61 | 62 | Open source project maturity can be assessed on many dimensions including age, number of contributors, diversity of contributor employers, and many more. Two you should consider are represented in the table as: 63 | 64 | * Project state - The first entry in the Maturity column represents the project's status. Projects in the CNCF (kubernetes, kubernetes-sigs, prometheus, etc) use the [CNCF maturity model](https://github.com/cncf/toc/blob/master/process/graduation_criteria.adoc). Projects in the Azure, Microsoft, or deislabs GitHub orgs are working towards using the [graduation guidelines](process/graduation_guidelines.md) defined in this repo. 65 | * [API or Feature Versions](https://kubernetes.io/docs/concepts/overview/kubernetes-api/#api-versioning) if relevant, are listed as the second entry of the Maturity column, and follow the Kubernetes convention except where noted 66 | 67 | ## Jobs 68 | 69 | Interested in joining our team at Microsoft? Please take a look at [jobs](/jobs.md) to see current openings. 70 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Security 4 | 5 | Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). 
6 | 7 | If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. 8 | 9 | ## Reporting Security Issues 10 | 11 | **Please do not report security vulnerabilities through public GitHub issues.** 12 | 13 | Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). 14 | 15 | If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). 16 | 17 | You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 18 | 19 | Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: 20 | 21 | * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 22 | * Full paths of source file(s) related to the manifestation of the issue 23 | * The location of the affected source code (tag/branch/commit or direct URL) 24 | * Any special configuration required to reproduce the issue 25 | * Step-by-step instructions to reproduce the issue 26 | * Proof-of-concept or exploit code (if possible) 27 | * Impact of the issue, including how an attacker might exploit the issue 28 | 29 | This information will help us triage your report more quickly. 30 | 31 | If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. 
Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. 32 | 33 | ## Preferred Languages 34 | 35 | We prefer all communications to be in English. 36 | 37 | ## Policy 38 | 39 | Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). 40 | 41 | 42 | -------------------------------------------------------------------------------- /images/maturity-diagram.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/container-upstream/47f5826f207abc992241df3943b97f55923f601d/images/maturity-diagram.png -------------------------------------------------------------------------------- /jobs.md: -------------------------------------------------------------------------------- 1 | # Jobs 2 | 3 | Come and work with us! 4 | 5 | ## Upstream team 6 | 7 | Interested in working on open source and containers at a leading hyper-scale cloud? You can help build the future of Kubernetes at Microsoft! 8 | 9 | ### Australia 10 | Hiring across all levels from early in career to senior software engineer. 
11 | 12 | - [Software Engineer - Senior Engineer DevTools](https://jobs.careers.microsoft.com/global/en/job/1716579/Software-Engineer---Senior-Engineer-DevTools) 13 | 14 | - [Software Engineer - Senior Engineer- Large Language Model](https://jobs.careers.microsoft.com/global/en/job/1716594/Software-Engineer---Senior-Engineer--Large-Language-Model) 15 | 16 | - [Software Engineer II](https://jobs.careers.microsoft.com/global/en/job/1712014/Software-Engineer-II) 17 | -------------------------------------------------------------------------------- /process/graduation_guidelines.md: -------------------------------------------------------------------------------- 1 | # Azure Cloud Native Upstream Graduation Guidelines v0.1 2 | The Azure Cloud Native Upstream Graduation Guidelines owe much of their basis to two existing documents, 3 | [CNCF Graduation Criteria](https://github.com/cncf/toc/blob/fc161c13a86ba022277a906a10ff51a568406f7c/process/graduation_criteria.adoc) 4 | and [.NET Foundation Project Maturity Profile](https://github.com/dotnet-foundation/project-maturity-model/blob/65fdfa43d7e68845bd65638c378cf834d7158b90/maturity-profiles.md). The goal of this document is to describe the process and 5 | minimum bar for each increasing level of project maturity, both to provide a 6 | goal for the project maintainers and to set expectations for consumers of these 7 | projects. 8 | 9 | ## Process 10 | 11 | Each project in Azure Cloud Native Upstream (AzCNU) has an associated maturity level. If the 12 | project originates within the AzCNU group, then it should begin at the Sandbox Stage. If a project 13 | originates outside of the AzCNU group, the preferred maturity level of the project must be approved by 14 | a 2/3 supermajority vote of the AzCNU technical oversight committee (TOC). If the vote tally 15 | cannot be met at the preferred maturity level, each previous level will receive a vote until a 16 | 2/3 supermajority is met.
If the project does not receive enough votes at the Sandbox stage, the 17 | project is rejected with an opinion authored by the TOC. 18 | 19 | Each project in AzCNU will participate in a quarterly review by the TOC. The review will assess the 20 | project's maturity level as well as its community momentum. A 2/3 supermajority vote is required to 21 | graduate to the next maturity level. If the project is no longer needed or has become obsolete, the 22 | TOC can also vote with a 2/3 supermajority to archive the project. 23 | 24 | For a project that has reached the "Graduation Stage" and would benefit from a more neutral home in 25 | a community foundation, project donation is an option. 26 | 27 | All entry guidelines are aspirational and do not imply a hard rule. Since these metrics can vary 28 | significantly depending on the type, scope and size of a project, the TOC has final judgement over 29 | the interpretation of level with respect to the guidelines. 30 | 31 | ![AzCNU Maturity Process](../images/maturity-diagram.png) 32 | 33 | ## Sandbox Stage 34 | Sandbox projects are early stage projects that warrant experimentation. The project should be 35 | beneficial to Azure and the Cloud Native community, open to contributions from the public and have 36 | well-founded aspiration. 37 | 38 | The AzCNU Sandbox is the entry point for early stage projects and has the following goals: 39 | - Encourage public visibility of experiments or other early work that can add value to the mission 40 | of AzCNU, Cloud Native in Azure and its impact on the larger Cloud Native community.
41 | - Facilitate alignment with existing projects within Azure as well as the larger community 42 | - Remove obstacles to adoption and contribution by ensuring projects adhere to Microsoft Open Source 43 | Guidelines, code of conduct and IP policy requirements 44 | 45 | ### Entry Guidelines 46 | - Best effort support for issues and pull requests 47 | - Sponsorship of at least one member of the MSFT program management 48 | - Draft project proposal for review and approval by TOC 49 | - An example is the [CNCF Project Proposal Process](https://github.com/cncf/toc/blob/fc161c13a86ba022277a906a10ff51a568406f7c/process/project_proposals.adoc) 50 | - TODO: create our own project proposal process based on the CNCF project proposal process 51 | - Begin working toward achieving [Core Infrastructure Initiative Best Practices Badge](https://bestpractices.coreinfrastructure.org/) 52 | - Should have 53 | - Gated PRs with unit tests 54 | - MSFT code of conduct 55 | - CLA bot enabled 56 | - Releases labeled and tagged with a semantic version 57 | 58 | ### Badging 59 | - Display of the AzCNU "Sandbox" badge on website / readme which links to explanation of level. 60 | 61 | ## Incubating Stage 62 | An Incubating project is one that has met all of the requirements of the Sandbox stage and is 63 | showing accelerating adoption. 
64 | 65 | ### Entry Guidelines 66 | - Met Sandbox stage guidelines 67 | - Best effort support for issues and pull requests 68 | - 3+ reference-able production or preproduction deployments beyond contributing companies 69 | - 2+ maintainers 70 | - Full due diligence of the TOC 71 | - A great example is the [CNCF Due Diligence Guidelines](https://github.com/cncf/toc/blob/fc161c13a86ba022277a906a10ff51a568406f7c/process/due-diligence-guidelines.md) 72 | - TODO: create our own DD guidelines based on the CNCF DD guidelines 73 | - Demonstrate a substantial ongoing flow of commits and merged contributions 74 | - Have a healthy number of issues and pull requests 75 | - Set a clear, documented versioning scheme 76 | - Show significant progress toward achieving [Core Infrastructure Initiative Best Practices Badge](https://bestpractices.coreinfrastructure.org/) 77 | - Should have 78 | - Unit tests covering a majority of the codebase 79 | - E2E tests covering 100% of all supported features/functionality 80 | - Linting 81 | - Static analysis (where appropriate) 82 | - An initial security review 83 | - Contributing guide 84 | - Issue and PR templates 85 | - Public project board with prioritization 86 | - Milestones for releases 87 | - Telemetry for errors and general usage 88 | - If not possible, provide reasoning for why 89 | 90 | ### Badging 91 | - Display of the AzCNU "Incubation" badge on website / readme which links to explanation of level. 92 | 93 | 94 | ## Graduation Stage 95 | A Graduation Stage project is one that has met all of the requirements of the Incubation stage and has 96 | reached a level of maturity and polish which will delight users.
97 | 98 | ### Entry Guidelines 99 | - Met Incubation stage guidelines 100 | - On-call support within MSFT hosted properties, and best effort support for issues and pull requests 101 | - 30+ reference-able production or preproduction deployments beyond contributing companies 102 | - 4+ maintainers (at least one from outside AzCNU) 103 | - Project road map published and updated 104 | - Full due diligence of the TOC with an eye to any misalignment 105 | - Have achieved and maintained a [Core Infrastructure Initiative Best Practices Badge](https://bestpractices.coreinfrastructure.org/) 106 | - Should have 107 | - Load tests and performance tests 108 | - Bonus for achieving Silver or higher 109 | - Security review and threat analysis with the Azure Green / Red teams 110 | - Explicitly define a project governance and committer process. This preferably is laid out in a 111 | GOVERNANCE.md file and references an OWNERS.md file showing the current and emeritus committers. 112 | - Have a public list of project adopters for at least the primary repo (e.g., ADOPTERS.md or logos 113 | on the project website). For a specification, have a list of adopters for the implementation(s) 114 | of the spec. 115 | - SLA / SLO guidance 116 | - Telemetry and Metrics for errors and general usage 117 | - Include identifiable headers (ex: calling Azure services with the `User-Agent` HTTP header specified) 118 | - Define a set of KPIs and publish 119 | - Set up alerting for anomalous value ranges (ex: life cycle success rates -- create, update, etc) 120 | - If not possible, provide reasoning for why 121 | 122 | ### Badging 123 | - Display of the AzCNU "Graduation" badge on website / readme which links to explanation of level. 124 | 125 | ## Donation 126 | At any point in the maturity progression, a project can be donated to a more neutral home, which 127 | will provide a more open governance model. A project can propose to be donated during quarterly 128 | reviews.
The TOC can approve donation of a project with a 2/3 supermajority vote. Project maintainers 129 | should provide evidence of interest from the foundation intended for donation. 130 | 131 | For example, CNCF describes a neutral home as follows: 132 | A neutral home for your project increases the willingness of developers from other companies and 133 | independent developers to collaborate, contribute, and become committers. Neutrality requires that 134 | projects contribute their trademark to CNCF so that: 135 | 136 | - No company is favored over any other 137 | - CNCF ensures project governance is transparent and fair for everyone. 138 | 139 | Some projects which are not directly tied to Azure may warrant such a graduation so they can gain 140 | more adoption through increased neutrality and governance. 141 | --------------------------------------------------------------------------------