[Sandbox] bpfman
Application contact emails
Project Summary
eBPF Program Management built for Linux and Kubernetes
Project Description
Since eBPF is gaining in popularity, we are building tools that make it easier for developers and operations teams to securely deploy and manage eBPF programs in various environments.
bpfman is a suite of eBPF program management tooling that includes:
- A system service for loading and managing eBPF programs
- An OpenTelemetry metrics exporter for the kernel eBPF subsystem
- Custom Resource Definitions (CRDs) and a Kubernetes Controller that extend our loading and management capabilities to Kubernetes.
- A Container Storage Interface (CSI) plugin that can provision BPF filesystems.
This suite is available as binaries or RPMs for Linux, and packaged as an Operator for Kubernetes.
Org repo URL (provide if all repos under the org are in scope of the application)
N/A
Project repo URL in scope of application
https://github.com/bpfman/bpfman
Additional repos in scope of the application
No response
Website URL
https://bpfman.io
Roadmap
https://github.com/bpfman/bpfman/milestones
Roadmap context
We use GitHub Milestones to plan our roadmap, 3 months at a time. This planning is done with input from the community during our weekly meetings. Version 0.3 was released on Oct 15, 2023 and our next release, 0.4, is planned for Q1 2024.
Contributing Guide
https://github.com/bpfman/bpfman/blob/main/CONTRIBUTING.md
Code of Conduct (CoC)
https://github.com/bpfman/bpfman/blob/main/CODE_OF_CONDUCT.md
Adopters
No response
Contributing or Sponsoring Org
Red Hat
Maintainers file
https://github.com/bpfman/bpfman/blob/main/MAINTAINERS.md
IP Policy
- [X] If the project is accepted, I agree the project will follow the CNCF IP Policy
Trademark and accounts
- [X] If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF
Why CNCF?
Having open governance is important to us and our potential contributors and we hope joining an open foundation will help make it easier to field contributions from outside Red Hat. We have had a few, but large organizations have more concerns about contributing to a project that is not held independently.
We want to donate bpfman specifically to the CNCF since it is home to several popular eBPF projects with which we’d love to work more closely. We believe that the discoverability offered by the CNCF ecosystem will both enhance contributions as well as introduce us to new opportunities to expand the value of bpfman.
Benefit to the Landscape
bpfman benefits the landscape by providing a secure way of loading eBPF programs on Kubernetes clusters, and by providing observability of the use of eBPF to Kubernetes admins.
Existing eBPF-based projects in the CNCF ecosystem are usually deployed as a privileged pod or daemon set. We’re on a mission to remove the need to proliferate these privileges since they present a security risk. In addition, we integrate with container-based supply chain security tooling, as well as Kubernetes RBAC to provide additional security guarantees.
Cloud Native 'Fit'
bpfman is a cloud native solution since:
- It's been built as independent, lightweight services
- We package bpfman and its associated tools in containers
- We advocate the use of containers as packaging for eBPF programs (and have a work-in-progress OCI image spec for this)
- We have tight integration with other cloud-native software
Not only that, but bpfman provides a consistent experience across public, private and hybrid clouds, whether you choose to use K8s as your orchestrator or bring your own.
There is no existing solution in a cloud native stack to securely deploy eBPF enabled applications, as well as making the eBPF-enabled app development process simpler. We believe that bpfman would fit into either TAG runtime or TAG security.
Cloud Native 'Integration'
We’ve presented to sig-network, sig-node and sig-security in the Kubernetes community about what we’re building. Several times it has been suggested that “this could be part of kubelet” and we agree that it could, someday; however, right now it’s not on the agenda for Kubernetes.
We’d like to build this project in the CNCF, with collaboration from others, to help get this integrated into other CNCF projects first where we see an opportunity to collaborate with them and build something that works for everyone.
There are many eBPF projects in the landscape that bpfman could complement, for example:
Cloud Native Overlap
Of the projects listed above that we could complement, you may also consider that we might overlap a little with Inspektor Gadget:
- Inspektor Gadget seeks to enable the deployment of eBPF “gadgets” to a cluster to provide observability.
- bpfman is a general purpose eBPF program manager that can deploy any eBPF program that is packaged as an OCI image, as well as managing eBPF filesystems etc.
While both projects deploy eBPF programs, bpfman seeks to be a complete runtime solution for eBPF programs whereas Inspektor Gadget is more observability focussed.
This overlap could easily be addressed with some collaboration between the two projects.
Similar projects
- L3AF (LF Networking) - while L3AF is similar, it’s focussed on Network-focused eBPF Programs only and is not a complete cloud-native eBPF runtime solution.
Landscape
No
Business Product or Service to Project separation
N/A
Project presentations
No TAGs as yet, but we have presented to sig-network, sig-node and sig-security (see above).
Project champions
No response
Additional information
With the exception of eBPF code, everything is distributed under the terms of the Apache License (version 2.0).
All eBPF code is distributed under either:
- The terms of the GNU General Public License, Version 2
- The terms of the GNU General Public License, Version 2 OR the BSD 2 Clause license, at your option.
The SPDX headers in each of the files containing eBPF code show exactly which license is in use:
- https://github.com/bpfman/bpfman/tree/main/bpf
- https://github.com/bpfman/bpfman/tree/main/examples/go-tc-counter/bpf
- https://github.com/bpfman/bpfman/tree/main/examples/go-tracepoint-counter/bpf
- https://github.com/bpfman/bpfman/tree/main/examples/go-xdp-counter/bpf
- https://github.com/bpfman/bpfman/tree/main/tests/integration-test/bpf
This is required since eBPF programs use GPL-licensed helpers in the Linux Kernel, but we also wish to retain a permissive license to facilitate code reuse.
Both of these licenses in use for eBPF code are permitted for CNCF projects under the recently granted License Exception for eBPF.
This is an interesting project in the eBPF ecosystem. Do you have any endorsement or integration with the open source projects you've named?
Hiya @mauilion!!! In the past we've worked with a number of communities and have even written some integration bits for many of them (some are stale now but easily revivable):
- Blixt -> https://github.com/kubernetes-sigs/blixt/pull/121 we are also ingrained in their integration tests.
- Kepler -> https://github.com/sustainable-computing-io/kepler/pull/881
- NetObserv -> https://github.com/netobserv/network-observability-operator/pull/288
- Ingress Node firewall -> https://github.com/openshift/ingress-node-firewall/pull/285
Additionally, I've also had great conversations with the inspektor-gadget community at KubeCon, and we are excited to work with them in the future around standardizing how we actually can package eBPF programs into OCI container images.
In short we also hope to continue to integrate with more projects and have already been actively doing so :)
TAG-CS Note, bpfman currently has:
- very good Contributing guide, including Reviewing and Release guides
- simple governance based on the Maintainer Council template
- four maintainers, all from Red Hat
Follow up from today's Sandbox Review (2024-06-11), the project can move forward to a vote, but @mauilion has some specific follow up questions. I'll assign him to chime in with those 👍 /vote
Vote created
@mrbobbytables has called for a vote on [Sandbox] bpfman (#76).
The members of the following teams have binding votes:
| Team |
|---|
| @cncf/cncf-toc |
Non-binding votes are also appreciated as a sign of support!
How to vote
You can cast your vote by reacting to this comment. The following reactions are supported:
| In favor | Against | Abstain |
|---|---|---|
| 👍 | 👎 | 👀 |
Please note that voting for multiple options is not allowed and those votes won't be counted.
The vote will be open for 2months 30days 2h 52m 48s. It will pass if at least 66% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.
I will be abstaining due to a conflict of interest.
I don't have a binding vote, but big support from me :vulcan_salute:
Big thumbs up over here, though also non-binding.
/check-vote
Vote status
So far 18.18% of the users with binding vote are in favor (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 2 | 0 | 0 | 9 |
Binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| angellk | In favor | 2024-06-11 21:53:55.0 +00:00:00 |
| rochaporto | In favor | 2024-06-12 9:12:01.0 +00:00:00 |
| @dims | Pending | |
| @mauilion | Pending | |
| @linsun | Pending | |
| @dzolotusky | Pending | |
| @kevin-wangzefeng | Pending | |
| @cathyhongzhang | Pending | |
| @nikhita | Pending | |
| @TheFoxAtWork | Pending | |
| @kgamanji | Pending | |
Non-binding votes (16)
| User | Vote | Timestamp |
|---|---|---|
| astoycos | In favor | 2024-06-12 13:17:46.0 +00:00:00 |
| dave-tucker | In favor | 2024-06-12 13:18:52.0 +00:00:00 |
| PalmPalm7 | In favor | 2024-06-12 13:29:57.0 +00:00:00 |
| Molter73 | In favor | 2024-06-12 13:34:28.0 +00:00:00 |
| donaldh | In favor | 2024-06-12 13:36:11.0 +00:00:00 |
| Billy99 | In favor | 2024-06-12 13:40:58.0 +00:00:00 |
| stflaherty | In favor | 2024-06-12 13:44:47.0 +00:00:00 |
| tssurya | In favor | 2024-06-12 14:07:12.0 +00:00:00 |
| msherif1234 | In favor | 2024-06-12 14:13:45.0 +00:00:00 |
| fedepaol | In favor | 2024-06-12 14:45:05.0 +00:00:00 |
| shaneutt | In favor | 2024-06-12 14:54:40.0 +00:00:00 |
| screeley44 | In favor | 2024-06-12 14:56:13.0 +00:00:00 |
| aryan9600 | In favor | 2024-06-12 15:02:18.0 +00:00:00 |
| martinkennelly | In favor | 2024-06-13 10:37:49.0 +00:00:00 |
| EandrewJones | In favor | 2024-06-17 2:45:20.0 +00:00:00 |
| anfredette | In favor | 2024-06-17 13:10:00.0 +00:00:00 |
/check-vote
Vote status
So far 81.82% of the users with binding vote are in favor (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 9 | 0 | 1 | 1 |
Binding votes (10)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | Abstain | 2024-06-18 17:36:24.0 +00:00:00 |
| linsun | In favor | 2024-06-18 15:18:19.0 +00:00:00 |
| angellk | In favor | 2024-06-11 21:53:55.0 +00:00:00 |
| rochaporto | In favor | 2024-06-12 9:12:01.0 +00:00:00 |
| cathyhongzhang | In favor | 2024-06-17 18:39:11.0 +00:00:00 |
| kevin-wangzefeng | In favor | 2024-06-18 12:06:09.0 +00:00:00 |
| dims | In favor | 2024-06-18 14:15:15.0 +00:00:00 |
| dzolotusky | In favor | 2024-06-18 5:14:19.0 +00:00:00 |
| nikhita | In favor | 2024-06-18 4:34:34.0 +00:00:00 |
| kgamanji | In favor | 2024-06-18 6:41:10.0 +00:00:00 |
| @mauilion | Pending | |
Non-binding votes (16)
| User | Vote | Timestamp |
|---|---|---|
| astoycos | In favor | 2024-06-12 13:17:46.0 +00:00:00 |
| dave-tucker | In favor | 2024-06-12 13:18:52.0 +00:00:00 |
| PalmPalm7 | In favor | 2024-06-12 13:29:57.0 +00:00:00 |
| Molter73 | In favor | 2024-06-12 13:34:28.0 +00:00:00 |
| donaldh | In favor | 2024-06-12 13:36:11.0 +00:00:00 |
| Billy99 | In favor | 2024-06-12 13:40:58.0 +00:00:00 |
| stflaherty | In favor | 2024-06-12 13:44:47.0 +00:00:00 |
| tssurya | In favor | 2024-06-12 14:07:12.0 +00:00:00 |
| msherif1234 | In favor | 2024-06-12 14:13:45.0 +00:00:00 |
| fedepaol | In favor | 2024-06-12 14:45:05.0 +00:00:00 |
| shaneutt | In favor | 2024-06-12 14:54:40.0 +00:00:00 |
| screeley44 | In favor | 2024-06-12 14:56:13.0 +00:00:00 |
| aryan9600 | In favor | 2024-06-12 15:02:18.0 +00:00:00 |
| martinkennelly | In favor | 2024-06-13 10:37:49.0 +00:00:00 |
| EandrewJones | In favor | 2024-06-17 2:45:20.0 +00:00:00 |
| anfredette | In favor | 2024-06-17 13:10:00.0 +00:00:00 |
Vote closed
The vote passed! 🎉
81.82% of the users with binding vote were in favor (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 9 | 0 | 1 | 1 |
Binding votes (10)
| User | Vote | Timestamp |
|---|---|---|
| @TheFoxAtWork | Abstain | 2024-06-18 17:36:24.0 +00:00:00 |
| @kevin-wangzefeng | In favor | 2024-06-18 12:06:09.0 +00:00:00 |
| @angellk | In favor | 2024-06-11 21:53:55.0 +00:00:00 |
| @nikhita | In favor | 2024-06-18 4:34:34.0 +00:00:00 |
| @dims | In favor | 2024-06-18 14:15:15.0 +00:00:00 |
| @rochaporto | In favor | 2024-06-12 9:12:01.0 +00:00:00 |
| @cathyhongzhang | In favor | 2024-06-17 18:39:11.0 +00:00:00 |
| @kgamanji | In favor | 2024-06-18 6:41:10.0 +00:00:00 |
| @linsun | In favor | 2024-06-18 15:18:19.0 +00:00:00 |
| @dzolotusky | In favor | 2024-06-18 5:14:19.0 +00:00:00 |
Non-binding votes (16)
| User | Vote | Timestamp |
|---|---|---|
| @astoycos | In favor | 2024-06-12 13:17:46.0 +00:00:00 |
| @dave-tucker | In favor | 2024-06-12 13:18:52.0 +00:00:00 |
| @PalmPalm7 | In favor | 2024-06-12 13:29:57.0 +00:00:00 |
| @Molter73 | In favor | 2024-06-12 13:34:28.0 +00:00:00 |
| @donaldh | In favor | 2024-06-12 13:36:11.0 +00:00:00 |
| @Billy99 | In favor | 2024-06-12 13:40:58.0 +00:00:00 |
| @stflaherty | In favor | 2024-06-12 13:44:47.0 +00:00:00 |
| @tssurya | In favor | 2024-06-12 14:07:12.0 +00:00:00 |
| @msherif1234 | In favor | 2024-06-12 14:13:45.0 +00:00:00 |
| @fedepaol | In favor | 2024-06-12 14:45:05.0 +00:00:00 |
| @shaneutt | In favor | 2024-06-12 14:54:40.0 +00:00:00 |
| @screeley44 | In favor | 2024-06-12 14:56:13.0 +00:00:00 |
| @aryan9600 | In favor | 2024-06-12 15:02:18.0 +00:00:00 |
| @martinkennelly | In favor | 2024-06-13 10:37:49.0 +00:00:00 |
| @EandrewJones | In favor | 2024-06-17 2:45:20.0 +00:00:00 |
| @anfredette | In favor | 2024-06-17 13:10:00.0 +00:00:00 |
Hello and congrats on being accepted as a CNCF Sandbox project!
Here is the link to your onboarding task list: https://github.com/cncf/sandbox/issues/138
Feel free to reach out with any questions you might have!