40 CNCF Security Projects You Must Know About in 2023 — Part 1

Abdulhamid Adebayo
4 min read · Feb 27, 2023


by Abdulhamid Adebayo, Constantin Adam, Ting Dai

Recently, we have been working on scalability and security challenges of workload lifecycle management for edge use cases in the KCP-Edge project. We realized that there is already a community of projects dedicated to advancing container technology — Cloud Native Computing Foundation (CNCF) — and relying on such a community is important in developing and prioritizing use cases for the KCP-Edge project. In case you’re wondering what the CNCF is all about, there is no shame in that, I promise 🙂. After incubating several extremely successful projects, CNCF has become a main reference point for identifying current trends in the market and the breadth of solutions available to solve specific business needs.

CNCF is a Linux Foundation project whose purpose is to build sustainable ecosystems for cloud-native software. According to their maturity, CNCF projects are classified as Graduated (stable, widely adopted, production-ready projects attracting thousands of contributors), Incubating (projects used successfully in production by a small number of users, with a large number of contributors), and Sandbox (experimental, bleeding-edge projects not yet widely tested in production). With graduated projects such as Kubernetes, SPIFFE/SPIRE, Prometheus, Argo, and containerd under its belt, CNCF has established itself as a hotbed of projects that form the foundation of cloud-native computing.

Last year, we studied seventy (70) open-source CNCF projects across Security & Compliance, Key Management, and Container Runtime — it’s a big number, right? We were neck-deep in discovery. In this blog series we have chosen to highlight the forty (40) projects that align with our interests. We have categorized these projects into ten (10) groups, as shown in the table below:

The Categories

As an introduction, we’ll highlight the categories and mention the projects covered in each. Starting off with the Authentication and Authorization category, we have cert-manager, Dex, and external-secrets.

Projects in the Confidential Containers category leverage Trusted Execution Environments to protect containers and data and to deliver cloud-native confidential computing. In this category, we have Confidential Containers, Inclavare Containers, and Kata Containers.

Another paradigm shift we’re witnessing, driven by the exponential growth of vulnerabilities and threats, is the recognition that a “one scan to fix all” strategy is insufficient. This is why DevOps teams are increasingly trying to “guarantee” application security at the earliest stages of development with the shift-left strategy. The general consensus is that patching live instances should be reserved for emergencies. The Configuration and Vulnerability Management category reviews 7 CNCF projects that play a key role in the shift-left strategy: Anchore, Clair, Checkov, Trivy, KICS, FOSSA, and Terrascan.
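To make the shift-left idea concrete, here is an added example (not code from this post or from any of the projects listed above) of the kind of policy gate a pipeline runs over a scanner's output before anything is deployed: findings at or above a chosen severity fail the build, with opt-in handling for unfixed findings and an explicit accepted-risk list. The report layout (top-level "Results", each with "Target" and "Vulnerabilities") is modelled on the JSON that image scanners such as Trivy emit, but the sample report, its field names and the CVE identifiers are constructed here and are an assumption, not a documented schema.

```python
"""Shift-left vulnerability gate: fail a pipeline on findings above a severity
threshold before anything is deployed.

Added example; not code from any CNCF project. The report layout mirrors the
JSON that container image scanners such as Trivy emit, but the sample below is
constructed by hand and the field names are an assumption, not a schema.
"""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report: two targets, four findings of mixed severity.
# The CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "registry.example/app:1.4.2 (alpine 3.17)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.7-r0", "FixedVersion": "3.0.8-r0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.35.0-r29", "FixedVersion": "",
                 "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests",
                 "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0",
                 "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pyyaml",
                 "InstalledVersion": "5.3", "FixedVersion": "5.4",
                 "Severity": "CRITICAL"},
            ],
        },
    ]
})


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    target: str
    package: str
    installed: str
    fixed: str
    severity: str


def parse_report(text: str) -> list:
    """Flatten a scanner JSON report into one Finding per (target, vulnerability)."""
    data = json.loads(text)
    findings = []
    for result in data.get("Results", []):
        target = result.get("Target", "<unknown>")
        # Scanners often emit null instead of an empty list for clean targets.
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=v.get("VulnerabilityID", "<no-id>"),
                target=target,
                package=v.get("PkgName", "<no-pkg>"),
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion", ""),
                severity=v.get("Severity", "UNKNOWN").upper(),
            ))
    return findings


def evaluate_gate(findings, min_severity="HIGH", ignore_unfixed=False,
                  accepted_risks=frozenset()):
    """Return (passed, blocking) for a shift-left policy.

    A finding blocks the pipeline when its severity is at or above
    min_severity, it is not on the explicit accepted-risk list, and either a
    fix is available or ignore_unfixed is False. Ignoring unfixed findings
    reduces noise but is a conscious trade-off, so it is opt-in.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue
        if f.vuln_id in accepted_risks:
            continue
        if ignore_unfixed and not f.fixed:
            continue
        blocking.append(f)
    return (len(blocking) == 0, blocking)


def format_summary(blocking) -> str:
    """One line per blocking finding, suitable for the CI log."""
    return "\n".join(
        f"{f.severity:<8} {f.vuln_id} {f.package} {f.installed} -> "
        f"{f.fixed or 'no fix'} [{f.target}]"
        for f in blocking
    )


if __name__ == "__main__":
    passed, blocking = evaluate_gate(parse_report(SAMPLE_REPORT))
    print(format_summary(blocking))
    raise SystemExit(0 if passed else 1)
```

Run as a script it exits non-zero on the sample report because three findings are HIGH or above; the accepted-risk list is the place to record consciously deferred items so that the gate stays strict by default while still letting a team ship with a documented exception.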

The Platform Abstraction category has a lone project, PARSEC, which focuses on enabling developers to use security components such as TPMs and HSMs in a completely platform-agnostic fashion.

The projects in the Container Runtime category focus on the Open Container Initiative (OCI), an open governance structure for creating open industry standards around container formats and runtimes. The CNCF projects in this category include containerd, CRI-O, Firecracker, gVisor, LXD, runc, and Sysbox.

The Integrity category covers the software supply chain, with a focus on the integrity of artifacts and data collections. Any software component can introduce a vulnerability into the supply chain, which is why it is critical to guarantee artifact integrity. The goal is to automatically analyze artifacts, guarantee the provenance of the original source code, protect against interference in the CI/CD process, and isolate any hidden vulnerabilities. The CNCF projects we analyzed in this category are Notary, in-toto, and Sigstore.

Key management solutions focus on a multitude of security-related use cases, including automated secret issuance and distribution, secure secrets storage, distributing passwords among services, authorization, and authentication. The CNCF projects in this category include Athenz, Keycloak, Pinniped, SPIFFE/SPIRE, Teleport, Teller, and Vault.

In the Policy Management category, we have Datree, Kyverno, KubeArmor, and Tetragon. In the Secure Update category, TUF (The Update Framework) is a framework for automatically providing secure content delivery and updates.

Threat detection tools monitor an IT organization's networks for malicious activity, alerting the security team when a risk is uncovered. Threats to the network or to the applications need to be identified quickly, accurately, and with low false-positive rates so that security teams can focus on real threats to their systems. The CNCF projects in this category include Curiefense, Falco, kube-hunter, and ThreatMapper.

What’s to come?

In the next posts of this blog series, each project in these ten (10) categories will be discussed in more detail. Stay tuned!!!

If you’re interested in the challenges of deploying workloads at scale and how they are being addressed, check out these posts:

This blog is part of a series of posts from the KCP-Edge community regarding challenges related to multi-cloud and edge. You can learn more about the challenges and read posts from other members of the KCP-Edge community on edge and multi-cloud topics here.


Abdulhamid Adebayo

Staff Research Scientist at IBM T.J. Watson Research Center. Views are my own.