cncf
[Sandbox] stacker
Application contact emails
[email protected] [email protected]
Project Summary
a vendor-neutral OCI-native container image builder
Project Description
Software supply chain security is front and center in the minds of all security practitioners, especially given vital US government compliance requirements. stacker and OCI registries such as zot (a CNCF sandbox project) make a vendor-neutral end-to-end (build, publish, deploy) secure software supply chain viable.
Differentiation:
- stacker is general-purpose and can be used for any programming language environment
- stacker is vendor-neutral and strictly conforms to OCI specs
- SBOM generation and strict validation is part of the image building process itself instead of a post-processing step
- stacker can consume, publish and co-locate these artifacts with the container images using OCI refererrers
- stacker's capabilities are a superset of other commonly used tools such as docker and podman
- Container images and artifacts generated by stacker along with a OCI-native registry such as zot are readily compatible with the rest of the container and Kubernetes ecosystem in terms of deployment and enforcement of security policies
Org repo URL (provide if all repos under the org are in scope of the application)
https://github.com/project-stacker
Project repo URL in scope of application
https://github.com/project-stacker/stacker
Additional repos in scope of the application
https://github.com/project-stacker/stacker-bom https://github.com/project-stacker/stacker-build-push-action
Website URL
https://stackerbuild.io
Roadmap
https://github.com/orgs/project-stacker/projects/1
Roadmap context
- Continued strong conformance to OCI image and distribution specfications
- Enhanced support for secure software supply chain
- Support for OCIv2 prototypes like atomfs/puzzlefs.
Contributing Guide
https://github.com/project-stacker/stacker/blob/main/CONTRIBUTING.md
Code of Conduct (CoC)
https://github.com/project-stacker/stacker/blob/main/CODE_OF_CONDUCT.md
Adopters
https://github.com/project-stacker/stacker/blob/main/ADOPTERS.md
Contributing or Sponsoring Org
https://www.cisco.com
Maintainers file
https://github.com/project-stacker/stacker/blob/main/MAINTAINERS.md
IP Policy
- [X] If the project is accepted, I agree the project will follow the CNCF IP Policy
Trademark and accounts
- [X] If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF
Why CNCF?
The goals of this project are compatible with CNCF.
Benefit to the Landscape
- Vendor-neutral since strong conformance to OCI specs
- Helps meet secure software supply chain requirements
Cloud Native 'Fit'
"Application Definition & Image Build"
Container images are the defacto application lifecycle mechanism in the cloud native world making CNCF a great fit for this project since it can also be readily used to meet secure software supply chain requirements in a vendor-neutral fashion.
Cloud Native 'Integration'
Although stacker is a standalone tool, the container images and artifacts it produces can be stored on OCI registries such as zot and deployed in Kubernetes. Furthermore, the artifacts such as SBOMs that it produces can be used for policy enforcement using tools such as Kyverno.
Cloud Native Overlap
Similarities:
- https://www.cncf.io/projects/ko/ - ko can also generate OCI images but are specific to certain programming languages
- https://github.com/oras-project/oras - oras can push and pull OCI images, however they cannot build them
Similar projects
Similar projects:
https://github.com/containers/buildah https://github.com/docker/buildx
Landscape
No
Business Product or Service to Project separation
N/A
Project presentations
https://github.com/project-stacker/stacker#conference-talks
Project champions
Stephen Augustus - https://github.com/justaugustus
Additional information
No response
@jberkus Indeed, there is an overlap and arguments as follows:
Belongs in OCI because it primarily deals with OCI specs. However, beyond the under-the-hood implementation detail, constrained by ecosystem and use cases.
Belongs in CNCF because the use cases in terms of build, deploy, policy enforcement of container images are arguably under the purvey of CNCF due to various projects and broader use cases - Kubernetes, registries, Kyverno etc. Hence, the following is a good fit. https://landscape.cncf.io/card-mode?category=application-definition-image-build&grouping=category
Full disclosure - stacker is the from the same team that submitted zot (https://www.cncf.io/projects/zot/) and pairs/interacts well with the latter. Furthermore, along with Kyverno (https://kyverno.io/docs/security/#fetching-the-sbom-for-kyverno), enables a OCI-based (hence vendor neutral) end-to-end software provenance pipeline.
https://github.com/kubernetes/kubernetes/issues/121742 ^ another data point why a tool such as stacker is needed.
Also, with recent PRs merged, stacker project is in a much better shape to tackle software supply chain security aligning with OCI artifacts work, meaning, it can produce both container images and sboms - enforcing that "everything must be accounted for" during build stage itself.
https://stackerbuild.io/v1.0.0/user_guide/generate_sbom/
"Landscape: no" updated to "yes"
https://landscape.cncf.io/?item=app-definition-and-development--application-definition-image-build--stacker
TAG-CS note:
Project stacker currently has:
- a pretty good contributing guide
- five maintainers, 4 Cisco & 1 Netflix
- no written governance (yet)
@rchincha Incoming Sandbox projects are not required to have written governance. It is a credit to the project if they do have one, and if the project is a single-company project, having a good written governance may reassure the TOC around product/project separation.
Follow-up from today's sandbox review, Stacker will be moved to a vote. ๐ But please coordinate a project review with TAG-Runtime /vote
Vote created
@mrbobbytables has called for a vote on [Sandbox] stacker (#73).
The members of the following teams have binding votes:
| Team |
|---|
| @cncf/cncf-toc |
Non-binding votes are also appreciated as a sign of support!
How to vote
You can cast your vote by reacting to this comment. The following reactions are supported:
| In favor | Against | Abstain |
|---|---|---|
| ๐ | ๐ | ๐ |
Please note that voting for multiple options is not allowed and those votes won't be counted.
The vote will be open for 2months 30days 2h 52m 48s. It will pass if at least 66% of the users with binding votes vote In favor ๐. Once it's closed, results will be published here as a new comment.
![git-vote[bot] avatar](https://avatars.githubusercontent.com/in/206179?v=4 "Published by a pub.dev verified publisher"){kind=small}
Vote status
So far 9.09% of the users with binding vote are in favor (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 1 | 0 | 0 | 10 |
Binding votes (1)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2024-06-12 18:22:12.0 +00:00:00 |
| @dims | Pending | |
| @rochaporto | Pending | |
| @angellk | Pending | |
| @mauilion | Pending | |
| @linsun | Pending | |
| @dzolotusky | Pending | |
| @kevin-wangzefeng | Pending | |
| @cathyhongzhang | Pending | |
| @nikhita | Pending | |
| @kgamanji | Pending |
Non-binding votes (1)
| User | Vote | Timestamp |
|---|---|---|
| ramizpolic | In favor | 2024-06-15 18:43:34.0 +00:00:00 |
Vote status
So far 81.82% of the users with binding vote are in favor (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 9 | 0 | 0 | 2 |
Binding votes (9)
| User | Vote | Timestamp |
|---|---|---|
| kevin-wangzefeng | In favor | 2024-06-18 3:54:07.0 +00:00:00 |
| dzolotusky | In favor | 2024-06-18 5:13:08.0 +00:00:00 |
| angellk | In favor | 2024-06-18 13:11:48.0 +00:00:00 |
| linsun | In favor | 2024-06-18 14:26:33.0 +00:00:00 |
| TheFoxAtWork | In favor | 2024-06-12 18:22:12.0 +00:00:00 |
| nikhita | In favor | 2024-06-18 4:32:44.0 +00:00:00 |
| rochaporto | In favor | 2024-06-18 7:59:05.0 +00:00:00 |
| dims | In favor | 2024-06-18 13:47:59.0 +00:00:00 |
| kgamanji | In favor | 2024-06-18 6:38:17.0 +00:00:00 |
| @mauilion | Pending | |
| @cathyhongzhang | Pending |
Non-binding votes (1)
| User | Vote | Timestamp |
|---|---|---|
| ramizpolic | In favor | 2024-06-15 18:43:34.0 +00:00:00 |
Vote closed
The vote passed! ๐
81.82% of the users with binding vote were in favor (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 9 | 0 | 0 | 2 |
Binding votes (9)
| User | Vote | Timestamp |
|---|---|---|
| @dzolotusky | In favor | 2024-06-18 5:13:08.0 +00:00:00 |
| @nikhita | In favor | 2024-06-18 4:32:44.0 +00:00:00 |
| @angellk | In favor | 2024-06-18 13:11:48.0 +00:00:00 |
| @kevin-wangzefeng | In favor | 2024-06-18 3:54:07.0 +00:00:00 |
| @rochaporto | In favor | 2024-06-18 7:59:05.0 +00:00:00 |
| @dims | In favor | 2024-06-18 13:47:59.0 +00:00:00 |
| @kgamanji | In favor | 2024-06-18 6:38:17.0 +00:00:00 |
| @linsun | In favor | 2024-06-18 14:26:33.0 +00:00:00 |
| @TheFoxAtWork | In favor | 2024-06-12 18:22:12.0 +00:00:00 |
Non-binding votes (1)
| User | Vote | Timestamp |
|---|---|---|
| @ramizpolic | In favor | 2024-06-15 18:43:34.0 +00:00:00 |
Hello and congrats on being accepted as a CNCF Sandbox project!
Here is the link to your onboarding task list: https://github.com/cncf/sandbox/issues/140
Feel free to reach out with any questions you might have!
