
[Sandbox] Tratteria

Open tulshi opened this issue 1 year ago • 2 comments

Application contact emails

[email protected], [email protected], [email protected]

Project Summary

Assure identity and context in microservices call chains

Project Description

Tratteria implements a new IETF OAuth WG draft called "Transaction Tokens" (TraTs). TraTs are short-lived signed JWTs that provide immutable identity and context information in microservices call chains. By providing such immutable context, TraTs prevent attacks like software supply chain, privileged user compromise or malicious insiders, because microservices automatically deny calls that do not have such TraTs associated with them, or whose parameters do not match an associated, valid TraT.

Tratteria is a Kubernetes-native framework designed to facilitate the adoption of TraTs in existing applications to secure their call chains. The framework consists of a TraT issuance service, a Kubernetes custom controller for configuration management, and sidecar agents for verifying TraTs. Tratteria requires applications to implement SPIFFE for service-to-service trust. TraT generation and verification policies for APIs are described using Kubernetes Custom Resources, allowing applications to describe their services, API endpoints, and immutable context elements (such as path and query parameters, headers, and body elements). Convenient defaults let applications reuse such policy descriptions across a number of microservices. Tratteria documentation includes a tutorial on why TraTs are required, what they are, and how to use them in existing applications. It has a quickstart guide that provides a sample application, which uses the Dex IdP for user authentication and shows the TraTs to the user. While Tratteria can operate alongside service meshes such as Istio, ongoing development aims to optimize this integration, potentially leveraging existing Istio capabilities for improved overall functionality.

Org repo URL (provide if all repos under the org are in scope of the application)

https://github.com/tratteria/

Project repo URL in scope of application

N/A

Additional repos in scope of the application

No response

Website URL

tratteria.io

Roadmap

https://github.com/orgs/tratteria/projects/1

Roadmap context

No response

Contributing Guide

https://github.com/tratteria/.github/blob/main/CONTRIBUTING.md

Code of Conduct (CoC)

https://github.com/cncf/foundation/blob/main/code-of-conduct.md

Adopters

No response

Contributing or Sponsoring Org

https://sgnl.ai

Maintainers file

https://github.com/tratteria/.github/blob/main/MAINTAINERS.md

IP Policy

  • [X] If the project is accepted, I agree the project will follow the CNCF IP Policy

Trademark and accounts

  • [X] If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF

Why CNCF?

CNCF is a natural venue for this project because:

  • It addresses the security concerns of almost all microservices-based applications, most of which are based on Kubernetes, which is a CNCF project
  • It builds on top of other CNCF projects such as SPIFFE
  • It enables Kubernetes-based code to rapidly adopt identity and context security

Benefit to the Landscape

The CNCF landscape currently does not have a mechanism to assure identity and context in microservices applications. This is a critical need to thwart software supply chain, privileged user compromise, and privileged insider attacks. All of these have wreaked havoc in large organizations in recent years. Tratteria enables the CNCF to provide a standards-based solution to this important security gap in its portfolio.

Cloud Native 'Fit'

Tratteria is useful mostly when one has a Kubernetes-based application, which has a number of communicating microservices in it. It is configured using custom Kubernetes resources, and builds on other CNCF projects such as SPIFFE. It also coexists with other CNCF projects like Istio.

Cloud Native 'Integration'

Tratteria depends on SPIFFE, and complements SPIFFE/SPIRE and Istio. It can be thought of as a complement to Kubernetes to ensure security throughout any Kubernetes application.

Cloud Native Overlap

Tratteria does not overlap with other existing CNCF projects, although it might be thought of as an alternative to the Open Policy Agent (OPA) in some circumstances. The approaches to security in OPA and Tratteria are vastly different however.

Similar projects

N/A.

Landscape

No.

Business Product or Service to Project separation

N/A

Project presentations

No response

Project champions

Andrés Vega

Additional information

No response

tulshi avatar Aug 08 '24 23:08 tulshi
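The TraT mechanism described in the Project Description above, as an added illustration rather than Tratteria's own code: an issuer seals the caller identity and the immutable request context into a short-lived signed JWT, and a receiving sidecar denies any call that lacks a valid TraT or whose parameters differ from the sealed context. The claim names (`sub`, `txn`, `rctx`), the `typ` value and the HS256 shared key are assumptions made for the example; the draft and Tratteria use their own claim set and asymmetric signing keys.

```python
# Added example (not Tratteria's code): minimal Transaction-Token style check.
# Claim names, the typ value and the HMAC key below are illustrative assumptions.
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed; a real issuer signs with a private key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_trat(subject, txn_id, method, path, params, ttl=30, now=None):
    """Issuer side: seal caller identity and request context into a short-lived JWT."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "txn": txn_id, "iat": now, "exp": now + ttl,
               "rctx": {"method": method, "path": path, "params": params}}
    header = {"alg": "HS256", "typ": "txn_token+jwt"}  # typ value is an assumption
    signing_input = (_b64(json.dumps(header).encode()) + "."
                     + _b64(json.dumps(payload, sort_keys=True).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"

def verify_call(trat, method, path, params, now=None):
    """Sidecar side: returns (allowed, reason). Missing, invalid, expired or
    mismatched TraTs all deny the call; only the sealed context is trusted."""
    now = int(time.time()) if now is None else now
    if not trat:
        return False, "missing TraT"
    try:
        h, p, s = trat.split(".")
    except ValueError:
        return False, "malformed TraT"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return False, "bad signature"
    claims = json.loads(_unb64(p))
    if now >= claims["exp"]:
        return False, "expired"
    ctx = claims["rctx"]
    # The immutable context wins: a downstream service that was compromised and
    # rewrote the amount or target cannot make the call match the sealed TraT.
    if (ctx["method"], ctx["path"], ctx["params"]) != (method, path, params):
        return False, "call parameters do not match TraT context"
    return True, f"ok sub={claims['sub']} txn={claims['txn']}"
```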

@tulshi please submit a presentation issue to give an overview of the project to TAG Security

angellk avatar Aug 29 '24 07:08 angellk

Thanks, I have created this issue: https://github.com/cncf/tag-security/issues/1359


tulshi avatar Aug 29 '24 22:08 tulshi

@tulshi please submit a presentation issue to give an overview of the project to TAG Security

Hi @angellk , FYI we had our presentation today in the Security TAG.

tulshi avatar Oct 03 '24 00:10 tulshi

TAG Contributor strategy has reviewed this project and found the following:

  • The contributor guide is a very basic template
  • The project does not have written governance that I could find.
  • The roadmap is a github project board which appears very new and not yet in use
  • There are 3 maintainers, who work for SGNL

Tratteria is a new project, less than a year old, and that's reflected in its level of project organization.

This review is for the TOC’s information only. Sandbox projects are not required to have full governance or contributor documentation.

jberkus avatar Jan 07 '25 23:01 jberkus

Aside from the review, @tulshi can I recommend that you take the Project Description from your text above and put it in your README? It's much more informative than what's currently there.

jberkus avatar Jan 07 '25 23:01 jberkus

/vote

mrbobbytables avatar Jan 14 '25 16:01 mrbobbytables

Vote created

@mrbobbytables has called for a vote on [Sandbox] Tratteria (#115).

The members of the following teams have binding votes:

Team
@cncf/cncf-toc

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

| In favor | Against | Abstain |
| --- | --- | --- |
| 👍 | 👎 | 👀 |

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 2 months 30 days 2h 52m 48s. It will pass if at least 66% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.

git-vote[bot] avatar Jan 14 '25 16:01 git-vote[bot]

/vote-status

mrbobbytables avatar Jan 15 '25 16:01 mrbobbytables

The requested configuration profile was not found in the configuration file.

git-vote[bot] avatar Jan 15 '25 16:01 git-vote[bot]

woops /check-vote

mrbobbytables avatar Jan 15 '25 16:01 mrbobbytables

Vote status

So far 63.64% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).

Summary

| In favor | Against | Abstain | Not voted |
| --- | --- | --- | --- |
| 7 | 0 | 0 | 4 |

Binding votes (7)

| User | Vote | Timestamp |
| --- | --- | --- |
| angellk | In favor | 2025-01-14 23:18:49.0 +00:00:00 |
| kgamanji | In favor | 2025-01-15 8:15:05.0 +00:00:00 |
| linsun | In favor | 2025-01-15 3:25:15.0 +00:00:00 |
| TheFoxAtWork | In favor | 2025-01-14 16:13:47.0 +00:00:00 |
| dims | In favor | 2025-01-14 21:29:00.0 +00:00:00 |
| nikhita | In favor | 2025-01-15 2:22:37.0 +00:00:00 |
| rochaporto | In favor | 2025-01-14 21:44:03.0 +00:00:00 |
| @mauilion | Pending | |
| @dzolotusky | Pending | |
| @kevin-wangzefeng | Pending | |
| @cathyhongzhang | Pending | |

Non-binding votes (1)

| User | Vote | Timestamp |
| --- | --- | --- |
| tulshi | In favor | 2025-01-14 16:33:11.0 +00:00:00 |

git-vote[bot] avatar Jan 15 '25 16:01 git-vote[bot]

Vote closed

The vote passed! 🎉

90.91% of the users with binding vote were in favor and 0.00% were against (passing threshold: 66%).

Summary

| In favor | Against | Abstain | Not voted |
| --- | --- | --- | --- |
| 10 | 0 | 0 | 1 |

Binding votes (10)

| User | Vote | Timestamp |
| --- | --- | --- |
| @mauilion | In favor | 2025-01-15 16:51:34.0 +00:00:00 |
| @dzolotusky | In favor | 2025-01-15 16:30:15.0 +00:00:00 |
| @kevin-wangzefeng | In favor | 2025-01-16 6:35:36.0 +00:00:00 |
| @TheFoxAtWork | In favor | 2025-01-14 16:13:47.0 +00:00:00 |
| @nikhita | In favor | 2025-01-15 2:22:37.0 +00:00:00 |
| @linsun | In favor | 2025-01-15 3:25:15.0 +00:00:00 |
| @dims | In favor | 2025-01-14 21:29:00.0 +00:00:00 |
| @rochaporto | In favor | 2025-01-14 21:44:03.0 +00:00:00 |
| @angellk | In favor | 2025-01-14 23:18:49.0 +00:00:00 |
| @kgamanji | In favor | 2025-01-15 8:15:05.0 +00:00:00 |

Non-binding votes (1)

| User | Vote | Timestamp |
| --- | --- | --- |
| @tulshi | In favor | 2025-01-14 16:33:11.0 +00:00:00 |

git-vote[bot] avatar Jan 16 '25 09:01 git-vote[bot]

Congrats! With the vote completed, I've created https://github.com/cncf/sandbox/issues/329 for following up on sandbox onboarding. I'll go ahead and close this out and further follow up can occur there :)

mrbobbytables avatar Jan 21 '25 15:01 mrbobbytables

Thank you for the amazingly smooth decision process! I look forward to the onboarding.

Atul


tulshi avatar Jan 21 '25 15:01 tulshi