
[Sandbox] Kexa

Open estebanmathia opened this issue 1 year ago • 3 comments

Application contact emails

[email protected], [email protected]

Project Summary

Open source cross-cloud platform compliance and customizable security tools

Project Description

Kexa is a tool for ensuring compliance and security in different environments. Using standardized YAML rules, those more or less familiar with the cloud can define a set of standards that their environment must meet. Kexa offers detailed reporting on different communication channels, data retrieval from your cloud and export of scans for archiving/history. Its detailed reports facilitate analysis and compliance, and guarantee complete visibility of your infrastructure state. Scalable and integrable, Kexa adapts to the evolution of your infrastructure and connects easily to your existing tools. It is designed so that everyone can make it their own. Information inputs and outputs are based on the addon principle, making it quick and easy to customize your instance. It can be deployed as a script, a Docker container or a GitHub action. Kexa is flexible in the way it is deployed, and can be quickly incorporated into CI/CD pipelines to guarantee the integrity of your workflow with high-frequency checks.

Org repo URL (provide if all repos under the org are in scope of the application)

https://github.com/4urcloud

Project repo URL in scope of application

https://github.com/4urcloud/Kexa, https://github.com/4urcloud/Kexa_githubAction

Additional repos in scope of the application

No response

Website URL

https://kexa.io/

Roadmap

https://github.com/4urcloud/Kexa/blob/dev/ROADMAP.md

Roadmap context

No response

Contributing Guide

https://github.com/4urcloud/Kexa/blob/main/CONTRIBUTING.md

Code of Conduct (CoC)

https://github.com/4urcloud/Kexa/blob/main/CODE_OF_CONDUCT.md

Adopters

No response

Contributing or Sponsoring Org

No response

Maintainers file

https://github.com/4urcloud/Kexa/blob/dev/MAINTAINERS.md

IP Policy

  • [X] If the project is accepted, I agree the project will follow the CNCF IP Policy

Trademark and accounts

  • [X] If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF

Why CNCF?

Integrating our Kexa project into the Cloud Native Computing Foundation (CNCF) is of crucial importance, mainly because of the extremely positive feedback our initiative has received from regional companies. We've seen significant enthusiasm from our local users, highlighting the efficiency and innovation Kexa brings to their workflows. However, the crucial challenge we face lies in the lack of wider adoption, mainly attributable to a certain reluctance due to a perceived lack of confidence in our current structure. By joining the CNCF, an organization renowned for its commitment to transparency, collaboration and security in cloud-native technologies, we are reinforcing the credibility of our project. This membership demonstrates our commitment to industry best practice, which in turn can allay concerns about trust and encourage wider adoption of Kexa on the technology scene.

Benefit to the Landscape

Kexa brings to the CNCF landscape a complete solution for ensuring compliance and security in a variety of environments. Kexa offers an approach that enables people with different levels of cloud expertise to define and apply standardized or variabilized rules that will quickly bring any project or workspace into compliance. Its adaptability is a key differentiator. Deployment is possible not only as a script, but also as a Docker container or as a GitHub action. The project's emphasis on addon-based information input and output enables rapid customization. This facilitates adaptation to diverse business requirements. Kexa's integration into CI/CD pipelines ensures high-frequency verification, guaranteeing the integrity of workflows: preproduction, production release and solution maintenance. This unique combination of features positions Kexa as a unique and flexible solution, addressing compliance and security challenges comprehensively in the CNCF landscape.

Cloud Native 'Fit'

Kexa fits into the Cloud Native landscape, embodying the key principles and elements inherent in Cloud technologies. Kexa is fully compatible with the containerization principles that are the essence of cloud development, encapsulating its functionality in a Docker container for rapid deployment. This approach is fundamental to ensuring consistency and portability across diverse cloud environments.

To further reinforce its cloud-native identity, Kexa adopts an addon-based architecture, echoing the modularity and scalability principles of microservices. This architecture enables users to customize and extend functionalities, promoting adaptability and evolution of infrastructures, as well as ease of maintenance.

Kexa uses YAML files to define compliance rules. This practice is very similar to IaC (infrastructure as code). This method facilitates versioning, collaboration and automation, improving the efficiency of compliance management in cloud environments.

The project integrates into continuous integration/continuous deployment (CI/CD) pipelines, as evidenced by its option to deploy as a GitHub action. This integration streamlines the automation of compliance actions, aligning with CNCF's principle of automating software delivery processes for rapid and reliable deployment.

We have built, and continue to build, a project that is flexible and adaptable to tomorrow's cloud. Kexa becomes a versatile tool for rapidly transforming ideas and concepts into concrete realizations. It adapts to the changing day-to-day needs of different providers, while offering security over the quality levels of our infrastructure. Kexa provides health status reports, which can be in alert format, or recorded as monitoring and observability data.

Finally, Kexa's compatibility with various cloud environments makes it an interoperable tool, supporting a multi-cloud strategy and mitigating the risks of vendor lock-in. This promotes flexibility and choice of cloud platform, while maintaining consistency of compliance and security measures.

In short, Kexa holistically embodies cloud-native principles, meeting the evolving needs of organizations adopting Cloud Native development practices.

Cloud Native 'Integration'

Kexa has been specifically designed to meet the day-to-day needs of clouds, Kubernetes and related SaaS environments. It has been designed to be easy to use, quick to set up, reusable and can be integrated in a containerized way into a cloud stack. In this context, Kexa acts as an extension and additional layer to many existing tools, notably Kubernetes and Grafana. Its possible future deployment as a Kubernetes operator positions it as a complementary component in the container management ecosystem. What's more, its integration with Grafana strengthens the overall observability capability, offering a unified and coherent solution for monitoring and compliance in the cloud environment. Kexa complements and depends on these CNCF projects, enriching their functionality, simplifying operational processes and enhancing the overall efficiency of cloud management.

Cloud Native Overlap

We don't know the entire CNCF environment by heart, but we don't know of any project overlapping with ours as far as we have searched.

Similar projects

While Kexa and Open Policy Agent (OPA) share a focus on policy enforcement in cloud-native environments, their approaches and core functionality distinguish them significantly. OPA is renowned for its ability to make policy decisions and enforce them at runtime, evaluating policies against incoming requests. In contrast, Kexa excels at verifying and ensuring the compliance status of environments, offering the unique ability to create comprehensive inventories and historical records of infrastructure status. This fundamental difference makes Kexa a complementary tool to OPA, as it goes beyond real-time policy decisions to provide a holistic compliance verification and historical tracking solution, offering a distinct perspective in the CNCF landscape.

Landscape

No, we are not

Business Product or Service to Project separation

N/A

Project presentations

N/A

Project champions

N/A

Additional information

N/A

estebanmathia avatar Mar 11 '24 08:03 estebanmathia

One note: https://github.com/4urcloud/Kexa/blob/dev/LICENCE.txt states that you're licensed under MIT. If accepted, you'd need to relicense under Apache 2.0 per https://github.com/cncf/foundation/blob/main/charter.md#11-ip-policy.

amye avatar Mar 11 '24 16:03 amye

@estebanmathia looks like you are pretty upfront about Open Source and Premium offerings on your landing page. How do you foresee the challenges of building a community with a distinct identity from your company itself?


dims avatar Jul 23 '24 13:07 dims

Kexa was built with modularity in mind. Each of Kexa's building blocks is designed to be customised to suit individual needs. From the data source part to data alerting/exporting, not forgetting the definition of rules, everything has been done to ensure that the tool can be adapted to everyone's needs. The "Premium" offer is nothing more than the aside possibilities or constraints we take on, in order to facilitate adoption. Kexa SaaS is based solely on Kexa; nothing is modified or owned as such. The content of the paying section can be created using the documentation provided in Kexa and with a little motivation. The "Premium" offer is simply an extension of the open source part with the aim of financing it.

Kexa is one of the projects we have in our company, and we maintain it because it's a tool that's useful to us in our day-to-day work and to some of our partners. We will continue to develop it for ourselves initially and as long as others use it.

estebanmathia avatar Jul 23 '24 18:07 estebanmathia

Please open a presentation issue with TAG security so that we can provide the TAG review. It may be useful to perform a self assessment before the presentation.

mnm678 avatar Jul 31 '24 15:07 mnm678

Okay, we are working on it

estebanmathia avatar Aug 01 '24 14:08 estebanmathia

TAG Contributor strategy has reviewed this project and found the following:

  • The contributor guide gives a pretty good guide on contributing new AddOns to Kexa. However, no information is given around contributing to other parts of the project.
  • The governance outlines the responsibilities of maintainers, and a basic maintainer lifecycle.
  • The roadmap is a checklist of providers/features which is a bit hard to interpret. It was added 6 months ago.
  • There are two maintainers, who work for Innovtech, as do the two other contributors.

This review is for the TOC’s information only. Sandbox projects are not required to have full governance or contributor documentation.

jberkus avatar Aug 09 '24 00:08 jberkus

Question for Kexa: your contributing guide covers only contributions of AddOns. Is that intentional, or is it a matter of simply not having documented how to contribute to other parts of the project yet?

jberkus avatar Aug 09 '24 00:08 jberkus

We estimated that someone wanting to start customizing Kexa would want to prioritize customizing the data inputs and outputs, so we prioritized the AddOns documentation first. We haven't yet taken the time to develop the rest of the contribution-related documentation.

estebanmathia avatar Aug 09 '24 08:08 estebanmathia

TOC and TAGs discussed this project. The recommendation is to re-apply in 6 months after completing the review with TAG-security, getting more community activity and adoption, and improving the separation of open source from company identity.

cathyhongzhang avatar Aug 13 '24 16:08 cathyhongzhang

Closing per the previous comment; please reapply in 6 months after completion of the items mentioned above.

TheFoxAtWork avatar Aug 20 '24 14:08 TheFoxAtWork