Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Registry Standard from DR SCS-0212 #458

Merged
merged 1 commit into from
Feb 13, 2024
Merged

Registry Standard from DR SCS-0212 #458

merged 1 commit into from
Feb 13, 2024

Conversation

cah-hbaum
Copy link
Contributor

@cah-hbaum cah-hbaum commented Jan 31, 2024

This MR splits the for now Decision Record for K8s registries into a Standard and a Decision Record.
A standard for this topic was long due and the Decision Record already contained much of the work.
The DR itself will now showcase the internal decision of SCS to use Harbor, but doesn't influence external decisions.

Closes SovereignCloudStack/issues#470

@cah-hbaum cah-hbaum added Container Issues or pull requests relevant for Team 2: Container Infra and Tooling standards Issues / ADR / pull requests relevant for standardization & certification SCS is standardized SCS is standardized labels Jan 31, 2024
@cah-hbaum cah-hbaum self-assigned this Jan 31, 2024
@cah-hbaum cah-hbaum linked an issue Jan 31, 2024 that may be closed by this pull request
3 tasks
@cah-hbaum cah-hbaum changed the title Issue/470 Registry Standard from DR SCS-0212 Jan 31, 2024
@cah-hbaum cah-hbaum marked this pull request as draft January 31, 2024 09:51
@cah-hbaum cah-hbaum force-pushed the issue/470 branch 5 times, most recently from 174e07c to 357b925 Compare February 1, 2024 13:40
@cah-hbaum cah-hbaum marked this pull request as ready for review February 1, 2024 13:40
@cah-patrickthiem
Copy link
Contributor

Just a suggestion, but maybe a section on "compliance and security" in the "Requirements for container registries" document would be beneficial. The following aspects could be considered for that section:

  • importance on cyber security standards, see e.g. https://www.docker.com/trust/compliance/
  • data protection and privacy laws, e.g. General Data Protection Regulation (GDPR) in Europe
  • intellectual property laws

@cah-patrickthiem
Copy link
Contributor

cah-patrickthiem commented Feb 2, 2024

I am not quite sure if that was done in any other standards so far, but maybe something should be mentioned like the following in the "Container registry standard document" :
"This standard will be updated or revised in response to technological advancements or changes in best practices."

@cah-patrickthiem
Copy link
Contributor

cah-patrickthiem commented Feb 2, 2024

Suggestion: add a closing/conclusion section to the "Container registry standard document" describing the importance of adhering to these standards and the expected impact on the SCS project and its users.

@cah-patrickthiem
Copy link
Contributor

cah-patrickthiem commented Feb 2, 2024

Although this is mentioned: "This document should finally lead to a decision about the container registry used in the implementation."
Another section in the "Container registry standard document" could reference the importance (if it is important to SCS) of interoperability between container registries. This could be achieved by the Open Container Initiative (https://opencontainers.org/) or API Compatibility standards like Docker Registry HTTP API V2.
Another aspect worth mentioning might be the authentication and authorization mechanisms, e.g. OAuth2 or OpenID Connect.

@cah-hbaum
Copy link
Contributor Author

cah-hbaum commented Feb 6, 2024

Just a suggestion, but maybe a section on "compliance and security" in the "Requirements for container registries"
document would be beneficial. The following aspects could be considered for that section:

  • importance on cyber security standards, see e.g. https://www.docker.com/trust/compliance/
  • data protection and privacy laws, e.g. General Data Protection Regulation (GDPR) in Europe
  • intellectual property laws

Interesting idea, although I'm not sure if the projects themself even do stuff like compliance. In the end, it's probably more the responsibility of the providers (using these projects) and their way of setting them up thats matters for compliance and security as well as data protection. Its probably possible for most of these projects to be compliant to standard X, but the project owners most of the time won't have time (or even money) to do that. And even if that would be the case, on what basis would you do a compliance test? The "best, most secure" setup? This wouldn't automatically translate to compliant setups for users of their software.
(Additionally while shortly looking through the best solutions presented in the DR, I didn't find any standard/guideline mentioned anywhere (I only had a really short look) regarding this topic)

I am not quite sure if that was done in any other standards so far, but maybe something should be mentioned like the following in the "Container registry standard document" :
"This standard will be updated or revised in response to technological advancements or changes in best practices."

I think we shouldn't do that either. Normally (at least IMO) a revision process should be started after some time in order to check if the standard is up-to-date. If changes are done, a new version is created, so SCS won't change the old standard.

Suggestion: add a closing/conclusion section to the "Container registry standard document" describing the importance of adhering to these standards and the expected impact on the SCS project and its users.

If someone is committed to SCS and the provided standards, I don't think they would need a conclusion. The introduction/motivation section for the standards should be reasoning enough and an additional section only creates extra "overhead".

Although this is mentioned: "This document should finally lead to a decision about the container registry used in the implementation."
Another section in the "Container registry standard document" could reference the importance (if it is important to SCS) > of interoperability between container registries. This could be achieved by the Open Container Initiative (https://opencontainers.org/) or API Compatibility standards like Docker Registry HTTP API V2.
Another aspect worth mentioning might be the authentication and authorization mechanisms, e.g. OAuth2 or OpenID Connect.

Hmmm, interoperability could be interesting, though I'm not quite sure for whom. Providers don't really need it, except if they would change the deployed registry, which probably won't really happen that much. API interoperability is probably on the same level, since customers only see a very small endpoint (to download their images) and since most registries work with the normal types of container solutions, I would assume that they're at least interoperable in this regard.

Possible auth mechanisms in the registries are indeed interesting and should be checked and mentioned.

@cah-hbaum cah-hbaum added the SCS-VP10 Related to tender lot SCS-VP10 label Feb 6, 2024
Copy link
Contributor

@cah-patrickthiem cah-patrickthiem left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My comments were resolved, therefore I approve this PR.

Copy link
Member

@matofeder matofeder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

This commit adds the standard for K8s container registries. It also fixes some minor typos.

Signed-off-by: Hannes Baum <[email protected]>
@cah-hbaum cah-hbaum merged commit 0301dea into main Feb 13, 2024
5 checks passed
@cah-hbaum cah-hbaum deleted the issue/470 branch February 13, 2024 14:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Container Issues or pull requests relevant for Team 2: Container Infra and Tooling SCS is standardized SCS is standardized SCS-VP10 Related to tender lot SCS-VP10 standards Issues / ADR / pull requests relevant for standardization & certification
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

[Standardization] Registry Standard from DR SCS-0212
3 participants