Proposal: Move Istio to Graduation stage

[craigbox]

On behalf of the Istio Steering Committee, please find attached a proposal for Istio to become a graduated project.

What is Istio?

Istio is an open source service mesh that provides a uniform, efficient and transparent way to secure, connect, and monitor services in cloud native applications. It supports zero-trust networking, policy enforcement, traffic management, load balancing, and monitoring; all without requiring applications to be rewritten.

Istio applied to join the CNCF in April 2022 and was accepted in September 2022. The proposal and due diligence from that application are linked for reference. As the due diligence was completed within the last few months, we believe the information contained within remains relevant.

We believe that Istio's maturity is commensurate with the "Graduated" maturity level and recommendation for adoption to a majority of enterprise users.

Why are we ready to graduate?

Istio is a top 10 CNCF project by 2022 velocity, and is in the top 3 CNCF projects by measures such as 7DA average PRs merged.

The project has had 9,500 GitHub contributors with 1950 contributors in the last 12 months. In that time we have had over 330 different contributors with merged PRs representing over 85 companies.

Our latest security assessment concluded "Istio is a very well-maintained and secure project with a sound code base, well-established security practices and a responsive product security team."

We have almost 10,000 members on our community Slack and 32,000 GitHub stars.

Among our many public adopters are End User Community members including Airbnb, Curve, eBay, iHerb, Intuit, Lowes, Thought Machine, Salesforce, SAP, Spotify, Walmart, Wayfair, WP Engine, Yahoo and Zendesk.

How you can help today

• If you're a fan of Istio, please show us by a 👍, ❤️, and 🚀 on this PR.
• If you're using Istio in production, add your logo to our wall
• Tweet, toot or otherwise share this issue with your friends!

[caniszczyk]

congrats on issue 1000 :)

…

On Wed, Feb 1, 2023 at 2:54 PM Craig Box ***@***.***> wrote: On behalf of the Istio Steering Committee, please find attached a proposal for Istio to become a graduated project. What is Istio? Istio <https://istio.io> is an open source service mesh that provides a uniform, efficient and transparent way to secure, connect, and monitor services in cloud native applications. It supports zero-trust networking, policy enforcement, traffic management, load balancing, and monitoring; all without requiring applications to be rewritten. Istio applied to join the CNCF <#827> in April 2022 and was accepted in September 2022 <https://www.cncf.io/blog/2022/09/28/istio-sails-into-the-cloud-native-computing-foundation/>. The proposal <https://github.com/cncf/toc/blob/main/proposals/incubation/istio.md> and due diligence <https://docs.google.com/document/d/1cQiigR5WHQHvo_krUXO6uEaGSB2dWNRkR0cHCAoF5QA/edit> from that application are linked for reference. As the due diligence was completed within the last few months, we believe the information contained within remains relevant. We believe that Istio's maturity is commensurate with the "Graduated" maturity level <https://www.cncf.io/projects/#maturity-levels> and recommendation for adoption to a majority of enterprise users. Why are we ready to graduate? Istio is a top 10 CNCF project by 2022 velocity <https://docs.google.com/spreadsheets/d/1NifFdE45BlscO6j7vlDspccQ-i9Ksgip6yx2bmhmCCs/edit#gid=976519966>, and is in the top 3 CNCF projects by measures such as 7DA average PRs merged <https://all.devstats.cncf.io/d/24/prs-merged-repository-groups?orgId=1&var-period=d7&var-repogroups=All> . The project has had 9,500 GitHub contributors <https://istio.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1&var-period_name=Last%20decade&var-metric=contributions&var-repogroup_name=All&var-country_name=All&var-companies=All> with 1950 contributors in the last 12 months <https://istio.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1&var-period_name=Last%20year&var-metric=contributions&var-repogroup_name=All&var-country_name=All&var-companies=All>. In that time we have had over 330 different contributors with merged PRs <https://istio.devstats.cncf.io/d/66/developer-activity-counts-by-companies?orgId=1&var-period_name=Last%20year&var-metric=merged_prs&var-repogroup_name=All&var-country_name=All&var-companies=All> representing over 85 companies. Our latest security assessment <https://istio.io/latest/blog/2023/ada-logics-security-assessment/> concluded "Istio is a very well-maintained and secure project with a sound code base, well-established security practices and a responsive product security team." We have almost 10,000 members on our community Slack <https://slack.istio.io/> and 32,000 GitHub stars <https://github.com/istio/istio>. Among our many public adopters <https://istio.io/latest/about/case-studies/> are End User Community members including Airbnb <https://istio.io/latest/about/case-studies/airbnb/>, Curve, eBay, iHerb, Intuit, Lowes, Thought Machine, Salesforce <https://istio.io/latest/about/case-studies/salesforce/>, SAP, Spotify, Walmart, Wayfair, WP Engine <https://istio.io/latest/about/case-studies/wp-engine/>, Yahoo and Zendesk. How you can help today - If you're a fan of Istio, please show us by a 👍, ❤️, and 🚀 on this PR. - If you're using Istio in production, add your logo to our wall <https://github.com/istio/community/blob/master/CONTRIBUTING.md#tell-the-world-youre-using-istio> - Tweet, toot or otherwise share this issue with your friends! ------------------------------ You can view, comment on, or merge this pull request online at: #1000 Commit Summary - 5a34533 <5a34533> Create istio.md File Changes (1 file <https://github.com/cncf/toc/pull/1000/files>) - *A* proposals/graduation/istio.md <https://github.com/cncf/toc/pull/1000/files#diff-0b377f857b8b9914f2519d8fd30e09e5dc0ef62982b6a742b84545342eaf3552> (37) Patch Links: - https://github.com/cncf/toc/pull/1000.patch - https://github.com/cncf/toc/pull/1000.diff — Reply to this email directly, view it on GitHub <#1000>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAPSIMQANI6SF55ZHXJX4LWVLSQVANCNFSM6AAAAAAUOJ34PQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- Cheers, Chris Aniszczyk https://aniszczyk.org

[craigbox]

congrats on issue 1000 :)

It will go nicely next to kubernetes/kubernetes#100000

[Sunbalcony]

niubi

[rootsongjc]

Glad to hear that! +1

[Xunzhuo]

+1!

[cobb-tx]

+1！

[phantooom]

+1!

[zhaohuabing]

Wow, it's the next big move for Istio. Hope it goes well.

[zhlsunshine]

Awesome!!! A big step forward!

[hobbytp]

Let's all add fuel to the fire! :-)

[pengtianyue025]

nice

[linsun]

yay! This is huge for Istio! nice work @craigbox for putting this forward for us!!

[find-arka]

This is exciting! Cheers to everyone involved! 🎉

[mauro770]

+1. Extremely deserved!

[xiaoyang-sde]

Congrats!

[TheFoxAtWork]

Hi Folks! @nikhita and I will be sponsoring Istio's graduation.

[kfaseela]

Hi Folks! @nikhita and I will be sponsoring Istio's graduation.

Thank you ! @nikhita @TheFoxAtWork :)

[lukaszgryglicki]

Please ping me once Istio graduates, I'll update DevStats immediately.

[scriptkids]

congratulation~

[nikhita]

We are now in the public comment period for Istio moving to graduation - https://lists.cncf.io/g/cncf-toc/message/8004

[jberkus]

@nikhita TAG-CS has added a governance review for Istio to our backlog.

[TheFoxAtWork]

Thank you Josh! The project will address any findings once the review is complete. Once we have the PR in to cover governance review, this will go into effect for projects moving levels prior to public comment. Thank you again!

[lizrice]

And now this has become a brilliant case study in CNCF process standing in the way of innovation! Here's the laughable situation where a project is being pretty much forced to temporarily remove a file from a repo, in order to pass an artificial graduation criterium.

What's worse, licensing compliance isn't even documented as part of the graduation criteria - and nor should it be, in my opinion, precisely because graduation criteria only get assessed the one time. What does the TOC expect to happen when Istio implement eBPF code in the future? Will they forbid it until the eBPF licensing issue is resolved? I hope not, as that would be entirely anti-innovation and anti-project.

So long as the TOC believe that a project's open source intentions are sound, in my opinion the operational management of license compliance should be left to CNCF staff (as it always used to be)

[linsun]

A quick update from Istio side - we discussed it our dev channel and everyone was onboard with removing the code temporarily and we have removed the code via istio/istio#45162 while waiting for CNCF to sort out the license issue which we understand working with lawyer isn't always simple and fast. The impact to Istio is minimal as this was an experimental new feature that was disabled by default and never shipped in any of our Istio releases.

[dims]

And now this has become a brilliant case study in CNCF process standing in the way of innovation! Here's the laughable situation where a project is being pretty much forced to temporarily remove a file from a repo, in order to pass an artificial graduation criterium.

@lizrice I don't see any comments from either the TOC or CNCF staff asking project to "remove a file from a repo" ... did i miss it?

[lizrice]

There was an eBPF program file that required a GPL-compatible license so it can run in the kernel - this is true for pretty much any eBPF program. And while I am fully supportive of Istio graduating, it didn't seem right that Istio should be able to graduate with GPL-licensed code if that is blocking Cilium (which also needs GPL-licensed code for eBPF). Istio are able to work around this by temporarily removing the file during the graduation process. My understanding is they intend to use eBPF later (and thus will need GPL-licensed code), but removing it for now allows them to pass the (artificial) licensing criteria for graduation. No-one "told them" to remove the file, they figured it out as a workaround.

[oaktowner]

I'm very excited for this. Congrats to all involved!

[nightmareze1]

Congrats!

[jitapichab]

Congrats!

[BobyMCbobs]

Woohoo! This is fantastic!

[EverythingOps]

I think it's O.K for some of cloud native project to never graduate if the problem is license. it's just impossible to make sure your license comply with GPL. cloud native is the enabler of big companies to "use" 'open source' and with GPL you cannot make sure of it.

There was an eBPF program file that required a GPL-compatible license so it can run in the kernel - this is true for pretty much any eBPF program. And while I am fully supportive of Istio graduating, it didn't seem right that Istio should be able to graduate with GPL-licensed code if that is blocking Cilium (which also needs GPL-licensed code for eBPF). Istio are able to work around this by temporarily removing the file during the graduation process. My understanding is they intend to use eBPF later (and thus will need GPL-licensed code), but removing it for now allows them to pass the (artificial) licensing criteria for graduation. No-one "told them" to remove the file, they figured it out as a workaround.

[hzxuzhonghu]

From istio side, we would not allow the GPL licensed code in core not limited eBPF code. Unless CNCF have resolved the GPL license issue

[jberkus]

Er ... shouldn't licensing problems be resolved before a project joins the CNCF? Not at graduation?

[craigbox]

The licensing problem in question was in a single file - a prototype eBPF accelerator for an experimental feature (Ambient Mesh). It was added in December 2022, while the project was in Incubation. The file was dual licensed BSD/GPL, as is standard practice for eBPF code. Please check Liz's links for more details on how there is a catch-22 between "CNCF projects may not contain GPL licensed code" and "useful eBPF code is required to be cross-licensed under GPL".

In order to remove any question about the licensing state of the project the file has been removed, and will not be reinstated in a CNCF repository until such time as the CNCF has sorted out their opinion on this matter.

I would respectfully ask that people who wish to follow up on the issue if this should be allowed in the CNCF to follow up on one of the different threads, or contact their appropriate Governing Board representative.

[loganrobertclemons]

Well deserved!

[cywang1905]

Congrats!

[rootsongjc]

Congrats!

[hzxuzhonghu]

Congrats!

[BobyMCbobs]

Woohoo, this is fantastic!

celebratory EnvoyFilter

only use in non-prod environments

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: istio-gradulated-woohoo
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    patch:
      operation: INSERT_BEFORE
      value:
       name: envoy.lua
       typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              request_handle:respond({[":status"] = "200"}, "Istio graduated! Woohoo!")
            end