Description
Application contact emails
xandergr@microsoft.com, ritazh@microsoft.com, seozerca@microsoft.com, bridget.kromhout@microsoft.com
Project Summary
Eraser is a project that helps clean up unused and vulnerable container images from nodes in a Kubernetes cluster.
Project Description
When deploying to Kubernetes, it's common for pipelines to build and push images to a cluster, but it's much less common for these images to be cleaned up. This can lead to accumulating bloat on the disk, and a host of non-compliant images lingering on the nodes.
The current garbage collection process deletes images based on a percentage of load, but this process does not consider the vulnerability state of the images. Eraser aims to provide a simple way to determine the state of an image, and delete it if it meets the specified criteria.
Org repo URL
Project repo URL
https://github.com/Azure/eraser
Additional repos
https://github.com/Azure/eraser-scanner-template
Website URL
https://azure.github.io/eraser/docs/
Roadmap
https://github.com/Azure/eraser/milestones
Roadmap context
We currently use GitHub milestones and a project board to track the short-term roadmap.
Contributing Guide
https://azure.github.io/eraser/docs/contributing
Code of Conduct (CoC)
https://azure.github.io/eraser/docs/code-of-conduct
Adopters
No response
Contributing or Sponsoring Org
Maintainers file
Managed through GitHub Teams
IP Policy
- If the project is accepted, I agree the project will follow the CNCF IP Policy
Trademark and accounts
- If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF
Why CNCF?
We would like the project to ultimately be community owned rather than Azure owned. We feel the project can provide benefit to everyone using Kubernetes, and having it belong to the community rather than a single organization will help communicate that. We would also like to grow the community of users and contributors in order to make the tool the absolute best it can be. The CNCF is the best way to go about that.
Benefit to the Landscape
While Kubernetes has its own garbage collection mechanism today, it does still regularly leave images cached on nodes. In addition to consuming storage, this opens a possible attack vector if images contain vulnerabilities. The core benefit to the landscape is helping users heighten the security of the Kubernetes clusters and the workloads running on them.
Cloud Native 'Fit'
This project helps users be more successful in running their Kubernetes clusters. Since that's where a good many "cloud native" workloads are running today, we see this as being a good fit for the entire ecosystem around Kubernetes.
Cloud Native 'Integration'
The main way that Eraser has integration potential with other CNCF projects is through its extension mechanism. Currently, Eraser utilizes Trivy for vulnerability scanning, but it follows a plugin model, so other scanners could be implemented using the same interface. This opens up Eraser to integrating with other CNCF projects in the container security space.
Cloud Native Overlap
To our knowledge, there isn't any direct overlap with other CNCF projects today.
Similar projects
N/A
Product or Service to Project separation
Azure Kubernetes Service has developed a managed addon of the project for customer clusters. The development and roadmap of the open source project and the managed addon have always remained entirely separate, and that will continue to be true going forward.
Project presentations
The project was presented to Kubernetes SIG Security as part of their "security tooling" subproject meeting.
Project champions
Lachlan Evenson
Additional information
No response
Activity
dims commented on Jan 6, 2023
@salaxander @ashnamehrotra, can you please summarize in a short paragraph any feedback from the k8s sig security?
salaxander commented on Jan 9, 2023
Heya @dims! If I'm remembering correctly, they were excited about it and curious to see how things went as it reached a 1.0.0 version (which should be quite soon!). There were also some questions around architecture, and since then we've updated the documentation site to try and make that a bit more clear -> https://azure.github.io/eraser/docs/architecture
helayoty commented on Mar 29, 2023
Hey @salaxander, CNCF TAG-Runtime here. It would be great if you and the Eraser team could present and discuss the project in the next TAG meeting.
Please feel free to add the project to the TAG-Runtime agenda at your convenience.
Cc: @raravena80 @nikhita
rochaporto commented on May 17, 2023
Hi @salaxander.
Following the 2023-05-09 TOC Meeting we'd like to ask for a couple clarifications regarding the 'Cloud Native Integration'.
Thanks!
salaxander commented on May 18, 2023
Hey @rochaporto! Thanks for following up
Definitely let me know if there's any more info I can provide :)
CC @sozercan @pmengelbert in case they'd like to add any details I may have missed
rochaporto commented on May 19, 2023
Thanks for the clarifications @salaxander
git-vote commented on Jun 16, 2023
Votes can only be checked once a day.
bridgetkromhout commented on Jun 19, 2023
/check-vote
git-vote commented on Jun 19, 2023
Vote status
So far 81.82% of the users with binding vote are in favor (passing threshold: 66%).
Summary
Binding votes (9)
Non-binding votes (14)
git-vote commented on Jun 20, 2023
Vote closed
The vote passed! 🎉
90.91% of the users with binding vote were in favor (passing threshold: 66%).
Summary
Binding votes (10)
Non-binding votes (14)
amye commented on Jun 21, 2023
Closing with approved, new onboarding issue: #198