Open Source

Knative is now a CNCF project, and why this matters for software security

Tracy Miranda, Head of Open Source
March 2, 2022

Congratulations to Knative on being accepted as a CNCF incubating project today! All of us at Chainguard are thrilled about this important milestone within the cloud native community. Not least our founders Matt Moore and Ville Aikas who helped create the project, and along with Scott Nichols continue to drive its direction through the Knative steering and technical oversight committees.

At Chainguard, we believe that the best possible developer experience is one built on a foundation of security. In open source we have a big job ahead of us to figure out how to bring people together to build secure technologies that last. We need to do this together. And this significant milestone for the Knative project is a great reminder of why this is great news for software security.

Well governed and well maintained projects are secure projects

Today’s announcement sees Knative move to a fully open governance model under the vendor-neutral Cloud Native Computing Foundation (CNCF). Knative is now well positioned for tremendous growth and the ability to foster an even bigger ecosystem by reaching new contributors and end users. A big growing community is key to the long term sustainability of open source projects. In addition, CNCF takes an active role in improving the security posture of its projects for example through security audits and fuzzing projects.

Knative addresses the developer experience gap for Kubernetes

“You must be this tall to ride” is the common phrase folks use to describe how difficult it is for just any developer to pick up Kubernetes. Getting started with Kubernetes comes with a significant cognitive load for developers who have to navigate its complexity even to achieve seemingly simple outcomes, let alone addressing 'day-2' operations. Knative was designed to allow developers to easily leverage the full power of Kubernetes without having to know anything more than what is needed for getting your application up and running. Knative provides a framework for rapidly building serverless experiences for development, testing and deployment which makes it one of the best ways to provide a development environment on Kubernetes quickly and easily.

“Knative makes developers super-productive. Not only do we use it extensively at Chainguard but it is also my go-to for open source. When we needed testing for the sigstore project we were able to use Knative to quickly allow us to set up end-to-end testing.” said Ville Aikas, Chainguard co-founder and creator of Knative.

Knative builds in best practices by default

It is more important than ever that software tools do the right thing by default. As we say at Chainguard, “The easy way must be the secure way”. This applies to modern tooling. Developer experience is security according to Rachel Stevens of RedMonk who writes “If we are asking developers to be increasingly responsible for building secure apps, we have to make it as frictionless as possible for them to do so. We need platforms and software with baked in security defaults.”

Knative is a great example of modern tooling that does this. Knative bakes in the principle of ephemerality - that everything should only last for as long as it is absolutely necessary. Serverless and stateless application patterns lend themselves extremely well to ephemerality by providing infrastructure that exists solely for the context of a given request. For example Knative offers a Kubernetes-based serverless service abstraction which can be used in conjunction with an early-stage project called the “descheduler” to bound the maximum lifetime of pods.

“Before it was pretty common to have stateless services always on, everybody’s pet process would be kicking around. Knative allows you to easily scale to zero and this has great security advantages. This is just one of many examples of how Knative does the right thing by default. Other examples include digest resolution and providing automatic TLS” said Matt Moore, Chainguard co-founder and Knative co-creator. “It’s great that Knative can continue to thrive in a vendor-neutral way as a CNCF incubating project”

Related articles

Ready to lock down your supply chain?

Talk to our customer obsessed, community-driven team.