Category Archives: Open Source Blog

News about Google’s open source projects and programs

Securing open source: How Google supports the new Kubernetes bug bounty

At Google, we care deeply about the security of open-source projects, as they’re such a critical part of our infrastructure—and indeed everyone’s. Today, the Cloud-Native Computing Foundation (CNCF) announced a new bug bounty program for Kubernetes that we helped create and get up and running. Here’s a brief overview of the program, other ways we help secure open-source projects and information on how you can get involved.

Launching the Kubernetes bug bounty program

Kubernetes is a CNCF project. As part of its graduation criteria, the CNCF recently funded the project’s first security audit, to review its core areas and identify potential issues. The audit identified and addressed several previously unknown security issues. Thankfully, Kubernetes already had a Product Security Committee, including engineers from the Google Kubernetes Engine (GKE) security team, who respond to and patch any newly discovered bugs. But the job of securing an open-source project is never done. To increase awareness of Kubernetes’ security model, attract new security researchers, and reward ongoing efforts in the community, the Kubernetes Product Security Committee began discussions in 2018 about launching an official bug bounty program.

Find Kubernetes bugs, get paid

What kind of bugs does the bounty program recognize? Most of the content you’d think of as ‘core’ Kubernetes, included at https://github.com/kubernetes, is in scope. We’re interested in common kinds of security issues like remote code execution, privilege escalation, and bugs in authentication or authorization. Because Kubernetes is a community project, we’re also interested in the Kubernetes supply chain, including build and release processes that might allow a malicious individual to gain unauthorized access to commits, or otherwise affect build artifacts. This is a bit different from your standard bug bounty as there isn’t a ‘live’ environment for you to test—Kubernetes can be configured in many different ways, and we’re looking for bugs that affect any of those (except when existing configuration options could mitigate the bug). Thanks to the CNCF’s ongoing support and funding of this new program, depending on the bug, you can be rewarded with a bounty anywhere from $100 to $10,000.

The bug bounty program has been in a private release for several months, with invited researchers submitting bugs and to help us test the triage process. And today, the new Kubernetes bug bounty program is live! We’re excited to see what kind of bugs you discover, and are ready to respond to new reports. You can learn more about the program and how to get involved here.

Dedicated to Kubernetes security

Google has been involved in this new Kubernetes bug bounty from the get-go: proposing the program, completing vendor evaluations, defining the initial scope, testing the process, and onboarding HackerOne to implement the bug bounty solution. Though this is a big effort, it’s part of our ongoing commitment to securing Kubernetes. Google continues to be involved in every part of Kubernetes security, including responding to vulnerabilities as part of the Kubernetes Product Security Committee, chairing the sig-auth Kubernetes special interest group, and leading the aforementioned Kubernetes security audit. We realize that security is a critical part of any user’s decision to use an open-source tool, so we dedicate resources to help ensure we’re providing the best possible security for Kubernetes and GKE.

Although the Kubernetes bug bounty program is new, it isn’t a novel strategy for Google. We have enjoyed a close relationship with the security research community for many years and, in 2010, Google established our own Vulnerability Rewards Program (VRP). The VRP provides rewards for vulnerabilities reported in GKE and virtually all other Google Cloud services. (If you find a bug in GKE that isn’t specific to Kubernetes core, you should still report it to the Google VRP!) Nor is Kubernetes the only open-source project with a bug bounty program. In fact, we recently expanded our Patch Rewards program to provide financial rewards both upfront and after-the-fact for security improvements to open-source projects.

Help keep the world’s infrastructure safe. Report a bug to the Kubernetes bug bounty, or a GKE bug to the Google VRP.

By Maya Kaczorowski, Product Manager, Container Security; and Aaron Small, Product Manager, GKE On-Prem security

Wombat Dressing Room, an npm publication proxy on GCP

We're excited to announce that we're open sourcing the service we use on the Google Cloud Client Libraries team for handling npm publications, it's called Wombat Dressing Room. Wombat Dressing Room provides features that help npm work better with automation, while maintaining good security practices.

A tradeoff is often made for automation

npm has top notch security features: CIDR-range restricted tokens, publication notifications, and two-factor authentication, to name a few. Of these, a feature critical to protecting publications is two-factor authentication (2FA).

2FA requires that you provide two pieces of information when accessing a protected resource: "something you know" (for instance, a password); and "something you have" (for instance, a code from an authenticator app). With 2FA, if your password is exposed, an attacker still can't publish a malicious package (unless they also steal the "something you have".)

On my team, a small number of developers manage over 75 Node.js libraries. We see automation as key to making this possible: we've written tools that automate releases, validate license headers, ensure contributors have signed CLAs; we adhere to the philosophy, automate all the things!

It's difficult to automate the step of entering a code off a cellphone. As a result, folks often opt to turn off 2FA in their automation.

What if you could have both automation and the added security of 2FA? This is why we built the Wombat Dressing Room.

A different approach to authentication

With Wombat Dressing Room, rather than an individual configuring two factor authentication in an authenticator app, 2FA is managed by a shared proxy server. Publications are then directed at the Wombat Dressing Room proxy, which provides the following security features:

Per-package publication tokens.

Wombat Dressing Room can generate authentication tokens tied to repositories on GitHub. These tokens are tied to a single GitHub repository, which the user generating the token must have push permissions for.

If a per-package publication token is leaked, an attacker can only hijack the single package that the token is associated with.

Limited lifetime tokens

Wombat Dressing Room can also generate access tokens that have a 24 hour lifespan. In this model, a leaked token is only vulnerable until the 24 hour lifespan is hit.

GitHub Releases as 2FA

In this authentication model, a package can only be published to npm if a GitHub release with a corresponding tag is found on GitHub.

This introduces a true "second factor", as users must prove they have access to both Wombat Dressing Room and the repository on GitHub.

Getting started with Wombat Dressing Room

We've been using Wombat Dressing Room to manage Google Cloud client libraries for over a year now in our fully automated library release process. As of today, the source is available for everyone on GitHub under an Apache 2.0 license.

Wombat Dressing Room runs on Google App Engine, and instructions on getting it up and running can be found in its README.md.

It's my hope that this will help other folks in the community, simplify and automate their release process, while minimizing the attack surface of their libraries.
By Benjamin Coe, works on Node.js client libraries for the Google Cloud Platform, and was the third engineer at npm, Inc.

Season of Docs Announces Results of 2019 Program

Season of Docs has announced the 2019 program results for standard-length projects. You can view a list of successfully completed technical writing projects on the website along with their final project reports.

During the program, technical writers spent a few months working closely with an open source community. They brought their technical writing expertise to improve the project's documentation while the open source projects provided mentors to introduce the technical writers to open source tools, workflows, and the project's technology.

The technical writers and their mentors did a fantastic job with the inaugural year of Season of Docs! Participants represented countries across all continents except for Antarctica! 36 technical writers out of 41 successfully completed their standard-length technical writing projects, and there are eight long-running projects in progress that are expected to finish in February.

  • 91.7% of the mentors had a positive experience and want to mentor again in future Season of Docs cycles
  • 88% of the technical writers had a positive experience
  • 96% plan to continue contributing to open source projects
  • 100% of the technical writers said that Season of Docs helped improved their knowledge of code and/or open source

Technical writing projects ranged from beginners' guides and tutorials to API and reference documentation; all of which benefited a diverse set of open source projects that included programming languages, software, compiler infrastructure, operating systems, software libraries, hardware, science, healthcare, and more. Take a look at the list of successful projects to see the wide range of subjects covered!

What is next?

The long-running projects are still in progress and finish in February 2020. Technical writers participating in these long-running projects submit their project reports by Feb. 25, and the writer and mentor evaluations are due by Feb. 28. Successfully completed long-running technical writing projects are then published on the results page on March 6, 2020.

If you were excited about participating, please do write social media posts. See the promotion and press page for images and other promotional materials you can include, and be sure to use the tag #SeasonOfDocs when promoting your ideas on social media. To include the tech writing and open source communities, add #WriteTheDocs, #techcomm, #TechnicalWriting, and #OpenSource to your posts.

Stay tuned for information about Season of Docs 2020—watch for posts in this blog and sign up for the announcements email list.

By Andrew Chen, Google Open Source and Sarah Maddox, Cloud Docs

W3C Trace Context Specification: What it Means for You

Since the first days of Google Cloud Platform (GCP), Google has been at the forefront of making your applications more observable. Beyond Stackdriver, our most visible impact in this space is OpenTelemetry, which we initiated in 2017 (as OpenCensus) and has grown into a huge community that includes the majority of APM / monitoring vendors and cloud platforms.

While OpenTelemetry allows developers to easily capture distributed traces and metrics from their own services, there’s also a need to trace requests as they propagate through components that developers don’t directly control, like managed services, load balancers, network hardware, etc. To solve this we co-defined a prototype HTTP header that these components can rely on, gathered partners, and moved the work into the W3C.

This work is now complete, and the W3C Trace Context format is now an official standard. Once implemented in GCP, this will make our services even easier to manage, both with Stackdriver and other third party distributed tracing tools. We explain more in the official post on the W3C blog, which I’ve copied below:

The W3C Distributed Tracing working group has moved the Trace Context specification to the next maturity level. The specification is already being adopted and implemented by many platforms and SDKs. This article describes the Trace Context specification and how it improves troubleshooting and monitoring of modern distributed apps.

W3C Trace Context specification defines the format for propagating distributed tracing context between services. Distributed tracing makes it easy for developers to find the causes of issues in highly-distributed microservices applications by tracking how a single interaction was processed across multiple services. Each step of a trace is correlated through an ID that is passed between services, and W3C Trace Context now defines a standard for these context propagation headers.

Until now, different tracing systems have defined their own headers. Examples include Zipkin’s B3 format and X-Google-Cloud-Trace. Adopting a common context propagation format has been long desired by developers, APM vendors, and cloud platform hosts, as compatibility provides numerous benefits:
  • Web and RPC frameworks that use this standard to provide context propagation out of the box will also offer cross-service log correlation, even for developers who haven’t set up distributed tracing.
  • API producers can record the trace IDs of requests from API consumers and provide additional spans or metadata to their customers for a given traced request. Producers can also correlate customer trace IDs to internal traces when debugging technical issues raised by consumers.
  • Networking infrastructure (proxies, load balancers, routers, etc.) can both ensure that context propagation headers are not removed from requests passing through them, and can record spans or logs for a given trace, without having to support multiple vendor-specific formats. Potential examples of these include router appliances, cloud load balancers, and sidecar proxies like Envoy.
  • Instrumentation can be further decoupled from a developer’s choice of APM vendor. For example, using both OpenTelemetry and a given vendor’s agents, a developer can instrument different services in an application, and traces will flow through the system and be processed correctly by the vendor’s backend.
  • Web browsers and other clients can use these identifiers to correlate their telemetry with traces collected from backend services. This functionality is currently being defined.
To address this effort, a group of cloud providers, open source contributors, and APM vendors started defining a standard HTTP context propagation header that would replace their homegrown formats. This specification has been discussed and iterated on over the past two years, and the group working on it has grown significantly over that time. Sponsors include Google, Microsoft, Dynatrace, and New Relic (W3C members), and the group was officially moved into the W3C in 2018 for the work to proceed under the guidance of an official standards body and to spur even greater adoption.

TraceContext has since been adopted by OpenTelemetry (which enables it by default and also serves as the reference implementation), Azure services, Dynatrace, Elastic, Google Cloud Platform, Lightstep, and New Relic. We are tracking adoption in this list.

This first phase of work has focused on HTTP, as it is commonly used and has no built-in affordances for trace context propagation (gRPC and some newer RPC systems do). The same group of committee members are also working to define trace context propagation in other formats, starting with AMQP and MQTT for IoT; other upcoming topics include context propagation from clients and web browsers.

By Morgan McLean, OpenTelemetry + Stackdriver

Announcing Google Summer of Code 2020!

Google Open Source is proud to announce Google Summer of Code (GSoC) 2020—the 16th year of the program! We look forward to introducing the 16th batch of student developers to the world of open source and matching them with open source projects, while earning a stipend so they can focus their summer on their project.

Over the last 15 years GSoC has provided over 15,000 university students, from 109 countries, with an opportunity to hone their skills by contributing to open source projects during their summer break.

And the ‘special sauce’ that has kept this program thriving for 16 years: the mentorship aspect of the program. Participants gain invaluable experience working directly with mentors who are dedicated members of these open source communities; mentors help bring students into their communities while teaching them, guiding them and helping them find their place in the world of open source.

We’re excited to keep the tradition going! Applications for interested open source project organizations open on January 14, 2020, and student applications open March 25.

Are you an open source project interested in learning more? Visit the program site and read the mentor guide to learn more about what it means to be a mentor organization, how to prepare your community and create appropriate project ideas, and tips for preparing your application. We welcome all types of organizations—large and small—and are very eager to involve first time projects. For 2020, we hope to welcome more organizations into GSoC than ever before and are looking to accept 40-50 new organizations into their first GSoC.

Are you a university student interested in learning how to prepare for the 2020 GSoC program? It’s never too early to start thinking about your proposal or about what type of open source organization you may want to work with. You should read the student guide for important tips on preparing your proposal and what to consider if you wish to apply for the program in mid-March. You can also get inspired by checking out the 200+ organizations that participated in Google Summer of Code 2019, as well as the projects that students worked on.

We encourage you to explore other resources and you can learn more on the program website.

By Stephanie Taylor, Google Open Source

Blockly Summit 2019: Rendering, Accessibility, and More!


It has been over eight years since we started work on Blockly, an open source library for building drag-and-drop block coding apps. In that time, the team has grown from a single developer to a small team and a large community. Blockly is now a standard in the CS education space, used by Scratch, MakeCode, AppInventor, and hundreds of other developers to enable tens of millions of kids around the world to create and express themselves with code.

But Blockly isn't only used for education. The library provides everything an app developer needs to create rich block coding languages and is highly customizable and extensible. This means Blockly is also used by hobbyists and commercial companies alike for business logic, computer games, virtual reality, robotics, and just about anything else you can do with code.


The work we do on Blockly wouldn't be possible without the many folks who contribute back with code, suggestions, and support on the forums. As such, we were very excited to welcome around 30 members of the Blockly open source community to our second annual Blockly User Summit and to be able to make all of the talks available online!

The summit spanned two days in October and included 16 talks, over half of which were given by external contributors, and a Q&A with the Blockly team. The talks covered everything from Blockly's brand new rendering framework and building custom fields to explorations in performance and debugging block code. Check out the full playlist.

We also held a hackathon on the second day of the summit, with quick start guides for using our new rendering and accessibility APIs. If you're new to Blockly and you'd like a good starting point, take a look at our CodeLab and if you build your own cool demo let us know on our forums.



By Erik Pasternak, Kids Coding Team

RecSim: A Configurable Simulation Platform for Recommender Systems

Originally posted on the Google AI Blog

Significant advances in machine learning, speech recognition, and language technologies are rapidly transforming the way in which recommender systems engage with users. As a result, collaborative interactive recommenders (CIRs)—recommender systems that engage in a deliberate sequence of interactions with a user to best meet that user's needs—have emerged as a tangible goal for online services.

Despite this, the deployment of CIRs has been limited by challenges in developing algorithms and models that reflect the qualitative characteristics of sequential user interaction. Reinforcement learning (RL) is the de facto standard ML approach for addressing sequential decision problems, and as such is a natural paradigm for modeling and optimizing sequential interaction in recommender systems. However, it remains under-investigated and under-utilized for use in CIRs in both research and practice. One major impediment is the lack of general-purpose simulation platforms for sequential recommender settings, whereas simulation has been one of the primary means for developing and evaluating RL algorithms in real-world applications like robotics.

To address this, we have developed RᴇᴄSɪᴍ (available here), a configurable platform for authoring simulation environments to facilitate the study of RL algorithms in recommender systems (and CIRs in particular). RᴇᴄSɪᴍ allows both researchers and practitioners to test the limits of existing RL methods in synthetic recommender settings. RecSim’s aim is to support simulations that mirror specific aspects of user behavior found in real recommender systems and serve as a controlled environment for developing, evaluating and comparing recommender models and algorithms, especially RL systems designed for sequential user-system interaction.

As an open-source platform, RᴇᴄSɪᴍ: (i) facilitates research at the intersection of RL and recommender systems; (ii) encourages reproducibility and model-sharing; (iii) aids the recommender-systems practitioner, interested in applying RL to rapidly test and refine models and algorithms in simulation, before incurring the potential cost (e.g., time, user impact) of live experiments; and (iv) serves as a resource for academic-industry collaboration through the release of “realistic” stylized models of user behavior without revealing user data or sensitive industry strategies.

Reinforcement Learning and Recommendation Systems

One challenge in applying RL to recommenders is that most recommender research is developed and evaluated using static datasets that do not reflect the sequential, repeated interaction a recommender has with its users. Even those with temporal extent, such as MovieLens 1M, do not (easily) support predictions about the long-term performance of novel recommender policies that differ significantly from those used to collect the data, as many of the factors that impact user choice are not recorded within the data. This makes the evaluation of even basic RL algorithms very difficult, especially when it comes to reasoning about the long-term consequences of some new recommendation policy—research shows changes in policy can have long-term, cumulative impact on user behavior. The ability to model such user behaviors in a simulated environment, and devise and test new recommendation algorithms, including those using RL, can greatly accelerate the research and development cycle for such problems.

Overview of RᴇᴄSɪᴍ

RᴇᴄSɪᴍ simulates a recommender agent’s interaction with an environment consisting of a user model, a document model and a user choice model. The agent interacts with the environment by recommending sets or lists of documents (known as slates) to users, and has access to observable features of simulated individual users and documents to make recommendations. The user model samples users from a distribution over (configurable) user features (e.g., latent features, like interests or satisfaction; observable features, like user demographic; and behavioral features, such as visit frequency or time budget). The document model samples items from a prior distribution over document features, both latent (e.g., quality) and observable (e.g., length, popularity). This prior, as all other components of RᴇᴄSɪᴍ, can be specified by the simulation developer, possibly informed (or learned) from application data.

The level of observability for both user and document features is customizable. When the agent recommends documents to a user, the response is determined by a user-choice model, which can access observable document features and all user features. Other aspects of a user’s response (e.g., time spent engaging with the recommendation) can depend on latent document features, such as document topic or quality. Once a document is consumed, the user state undergoes a transition through a configurable user transition model, since user satisfaction or interests might change.

We note that RᴇᴄSɪᴍ provides the ability to easily author specific aspects of user behavior of interest to the researcher or practitioner, while ignoring others. This can provide the critical ability to focus on modeling and algorithmic techniques designed for novel phenomena of interest (as we illustrate in two applications below). This type of abstraction is often critical to scientific modeling. Consequently, high-fidelity simulation of all elements of user behavior is not an explicit goal of RᴇᴄSɪᴍ. That said, we expect that it may also serve as a platform that supports “sim-to-real” transfer in certain cases (see below).
Data Flow through components of RᴇᴄSɪᴍ. Colors represent different model components — user and user-choice models (green), document model (blue), and the recommender agent (red)

Applications

We have used RᴇᴄSɪᴍ to investigate several key research problems that arise in the use of RL in recommender systems. For example, slate recommendations can result in RL problems, since the parameter space for action grows exponentially with slate size, posing challenges for exploration, generalization and action optimization. We used RᴇᴄSɪᴍ to develop a novel decomposition technique that exploits simple, widely applicable assumptions about user choice behavior to tractably compute Q-values of entire recommendation slates. In particular, RᴇᴄSɪᴍ was used to test a number of experimental hypotheses, such as algorithm performance and robustness to different assumptions about user behavior.

Future Work

While RᴇᴄSɪᴍ provides ample opportunity for researchers and practitioners to probe and question assumptions made by RL/recommender algorithms in stylized environments, we are developing several important extensions. These include: (i) methodologies to fit stylized user models to usage logs to partially address the “sim-to-real” gap; (ii) the development of natural APIs using TensorFlow’s probabilistic APIs to facilitate model specification and learning, as well as scaling up simulation and inference algorithms using accelerators and distributed execution; and (iii) the extension to full-factor, mixed-mode interaction models that will be the hallmark of modern CIRs—e.g., language-based dialogue, preference elicitation, explanations, etc.

Our hope is that RᴇᴄSɪᴍ will serve as a valuable resource that bridges the gap between recommender systems and RL research — the use cases above are examples of how it can be used in this fashion. We also plan to pursue it as a platform to support academic-industry collaborations, through the sharing of stylized models of user behavior that, at suitable levels of abstraction, reflect a degree of realism that can drive useful model and algorithm development.

Further details of the RᴇᴄSɪᴍ framework can be found in the white paper, while code and colabs/tutorials are available here.

Acknowledgements
We thank our collaborators and early adopters of RᴇᴄSɪᴍ, including the other members of the RᴇᴄSɪᴍ team: Eugene Ie, Vihan Jain, Sanmit Narvekar, Jing Wang, Rui Wu and Craig Boutilier.

By Martin Mladenov, Research Scientist and Chih-wei Hsu, Software Engineer, Google Research

Google Code-in 2019 Contest for Teenagers

Today is the start of the 10th consecutive year of the Google Code-in (GCI) contest for teens. We anticipate this being the biggest contest yet!

The Basics

What is Google Code-in?
Our global, online contest introducing students to open source development. The contest runs for seven weeks until January 23, 2020.

Who can register?
Pre-university students ages 13-17 that have their parent or guardian’s permission to register for the contest.

How do students register and participate?
Students can register for the contest beginning today at g.co/gci. Once students have registered, and the parental consent form has been submitted and approved by Program Administrators, students can choose which “task” they want to work on first. Students choose the task they find interesting from a list of thousands of available tasks created by 29 participating open source organizations. Tasks take an average of 3-5 hours to complete. There are even beginner tasks that are a wonderful way for students to get started in the contest.

The task categories are:
  • Coding
  • Design
  • Documentation/Training
  • Outreach/Research
  • Quality Assurance
Why should students participate?
Students not only have the opportunity to work on a real open source software project, thus gaining invaluable skills and experience, but they also have the opportunity to be a part of the open source community. Mentors are readily available to help answer their questions while they work through the tasks.

Google Code-in is a contest so there are prizes*! Complete one task and receive a digital certificate, three completed tasks and you’ll also get a fun Google t-shirt. Finalists earn a jacket, runners-up earn backpacks, and grand prize winners (two from each organization) will receive a trip to Google headquarters in California in 2020!

Details
Over the past nine years, more than 11,000 students from 108 countries have successfully completed over 55,000 tasks in GCI. Curious? Learn more about GCI by checking out the Contest Rules, short videos, and FAQs. Please visit our contest site and read the Getting Started Guide.

Teachers, if you are interested in getting your students involved in Google Code-in we have resources available to help you get started.

By Stephanie Taylor, Google Open Source

* There are a handful of countries we are unable to ship physical goods to, as listed in the FAQs.

Google and Pixar add Draco Compression to Universal Scene Description (USD) Format

Google and Pixar have collaborated to add Draco compression to USD files to enable significantly smaller meshes for transmission, and real-time asset delivery on the web or in mobile applications.

Draco is an open source compression library to improve the storage and transmission of 3D assets—including compressing points, connectivity information, texture coordinates, color information, normals and any other attributes associated with geometry.

With Draco, applications can present complex 3D assets to the user much more quickly without compromising visual fidelity. For users this means apps can now be downloaded faster, 3D graphics can load quicker, and transmitted over any type of network, regardless of bandwidth.

USD addresses the need to robustly and scalably interchange and augment arbitrary 3D scenes that may be composed from many models and animations. USD also enables assembly and organization of any number of assets into virtual sets, scenes, and shots, transmit them from application to application, and non-destructively edit them (as overrides), with a single, consistent API, in a single scenegraph. USD provides a rich toolset for reading, writing, editing, and rapidly previewing 3D geometry and shading.

We tested Draco compression performance on a representative set of of USD objects and found that Draco on average compressed objects by more than 15X. On a typical 4G network, these assets would load 2.5X faster, all while using less of your users’ data plan.

Public Domain model Kore dressed in chiton and cape from SMK National Gallery of Denmark compressed 15X with Draco. 

Compressing USD objects with Draco enables a wide range of use cases moving forward, especially when delivering run-time assets to consumer devices. Anything from 3D commerce to complex AR scenes can benefit from reduced data requirements and quicker time to launch.

We look forward to seeing what people do with this combination of Draco compression and USD format. Check out the code on GitHub and let us know what you think and how you plan to use it!

By F. Sebastian Grassia, Pixar and Jamieson Brettle, Chrome Media

Why Google’s Celebrating at KubeCon



It's hard to believe it was just five years ago Googlers decided to open up Kubernetes to the world, partnering with Red Hat, and eventually many others, to build a community that would reshape the world of infrastructure. Kubernetes' impact has been accelerated by an incredible 35,000 contributors, who give their time to make the project a cornerstone of cloud native computing, and the center of three huge events a year around the world.

No surprise then that we're excited to be at KubeCon + CloudNativeCon North America 2019 in San Diego: to celebrate Kubernetes, plus a constellation of other open source projects. You can meet leaders from these projects at the Google Cloud Community Lounge, part of Google's numerous activities at KubeCon + CloudNativeCon.

Happy Birthday, Go!

First of all, let's take a moment to celebrate the project that started it all, and wish the Go programming language a happy 10th birthday! As Kubernetes co-founder Joe Beda pointed out in 2014, Go is "Goldilocks for system software", and has been foundational to Kubernetes' success.
Since Kubernetes' adoption of Go, it has become known as the language of the cloud. Most of the projects you'll see this year at KubeCon are built with, or are compatible with, Go. And the Go community is a vibrant ecosystem in its own right: over the last ten years it has grown to see over 20 conferences a year, as well as 2,100 contributors. Read more about the history and evolution of Go in these 10th birthday blog posts from Russ Cox and Steve Francia.

Come join us in celebrating Go's birthday during the booth crawl, from 6.40pm to close on Tuesday November 19! Sweet treats will be served, meet with some of the Go team and other enthusiasts.

Google Open Source At KubeCon



KubeCon is a great chance to learn about the many open source projects that Google has founded or contributes to, and meet face-to-face with our engineers and community leaders. We want to hear about your use cases, meet with contributors (aspiring or experienced!), and connect with the whole community. Google's participation in the conference is not limited to technical talks. In fact, we sponsor and participate in many important community gatherings like the Diversity Lunch+Hack, and project governance like the Steering Committee and Technical Oversight Committee. We recognize and care about fostering a healthy, inclusive environment that extends far beyond just technology concerns.

Of course, Kubernetes is at the center of the conference. And, Google is deeply committed to the Kubernetes ecosystem, including creating and contributing to sub-projects such as kubebuilder, kustomize, KIND, and krew, as well as building testing infrastructure and fostering a community that inspires the whole world of open source. We're still here and still trailblazing. Come and talk with us at the community lounge, attend our talks and tutorials throughout the week, and drop in on hallway discussions galore!

gRPC, developed at Google and donated to CNCF, is a modern, open source, high-performance RPC framework that can run in any environment. Use gRPC to efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. Meet some of the gRPC maintainers, connect with the community, and pick up the latest limited edition PanCakes sticker at the Community Lounge on Wednesday!

Knative is an open source serverless platform hosted on Kubernetes. It abstracts away much of the complexity, allowing developers to focus on their code and build highly scalable, secure stateless applications. Knative codifies the best practices shared by successful real-world implementations, and solves the "boring but difficult" parts of deploying and managing cloud native services on Kubernetes.

Knative recently cut their 10th release of the project, providing a stable v1 API for the serving project, and additional work to enable production-readiness. Meet some of the maintainers and learn more about Knative in a hands-on workshop on the Monday November 18.

Istio is an open source service mesh, providing observability, control and security over communication in a distributed application -- running on Kubernetes or on VMs. Started in 2017 by Google and IBM, and reaching 1.0 in 2018, Istio has developed a vibrant community. Over the last 12 months, more than 600 developers from across 125+ companies have committed PRs! GitHub acknowledged this recently, reporting that Istio is in the top 4 of all projects across GitHub for contributor growth for committed PRs! The most recent quarterly release was Istio 1.4, which featured scalability and performance improvements as well as greatly improved experience for getting started.

Kubeflow is dedicated to making deployments of machine learning (ML) workflows on Kubernetes simple, portable and scalable. The community is building a powerful development experience for data scientists to build, train and deploy from notebooks, as well as the enterprise capabilities ML operations teams rely on to deploy and scale advanced workflows in a variety of infrastructures. The Kubeflow project is supported by 180+ contributors from 25+ organizations.

Kubeflow just released v0.7, featuring beta functionality for the Kubeflow 1.0 release, expected in early 2020. Learn how Kubeflow is being used and built in the 17+ talks featuring the project in the Machine Learning + Data track. If you're getting started, attend our Kubeflow OSS Hands-On Workshop on November 18, 1-3pm. Connect with the Kubeflow maintainers attending KubeCon by following @kubeflow.

Agones is an open source, multiplayer-dedicated, game server scaling and orchestration platform built for Kubernetes. Google founded the project in early 2018, along with Ubisoft, and recently Agones reached its 1.0 release milestone. It is being used in production for several games, with more to come!

If you're a game developer or just interested in non-traditional Kubernetes workloads, please join us for a workshop on Monday November 18, where we'll combine forces with our sibling project Open Match to turn a Kubernetes cluster into a game services backend. We're very excited about the future of open source and game development, and invite you to join us Tuesday morning in the Google Cloud Community Lounge for an open source in gaming meetup!

Krew makes it easy to discover and install kubectl plugins. Initially developed at Google, and now a Kubernetes subproject, over 60 open source kubectl plugins are distributed through Krew, and can be installed with a single command. Learn more in our breakout session, and come and talk about Krew in a Community Lounge Q&A session.

KIND makes it easy and cheap to test Kubernetes locally with Docker container "nodes". Started in the Kubernetes SIG-Testing group, this project has flourished and is now used for testing Kubernetes Pull Requests and many subprojects in the ecosystem including kubeadm, CSI, Istio, and Cluster API. KIND v0.6.0 will release before KubeCon, and the team will be presenting a deep dive and running a workshop on contributing to Kubernetes using KIND.

Envoy is a fundamental building block of service mesh architectures, providing a programmable data plane for services. Service mesh helps deploy multi-cloud applications and microservices at scale, by decoupling applications from networking, and service development from operations. Google is a lead contributor to the Envoy project, a critical part of Google Cloud's enterprise-grade service mesh products such as Anthos Service Mesh, Traffic Director and L7 ILB. We are excited to be a sponsor for EnvoyCon on Monday November 18, and would love for you to join us for an intro to Envoy on Thursday November 21.

OpenTelemetry provides the best way to capture metrics and distributed traces from your applications. Google is one of the founders of OpenTelemetry, and the community has grown to include most major monitoring, APM, and cloud vendors. OpenTelemetry is fully supported by the Google Cloud Platform and Stackdriver. Hear more about OpenTelemetry in the KubeCon keynotes, and go deeper in the overview and advanced breakout sessions.

Tekton defines reusable building blocks on Kubernetes for Cloud Native CI/CD. In March Tekton was donated to the CDF (the Continuous Delivery Foundation), and is being developed in collaboration with companies such as Red Hat, IBM, Cloudbees and other friends.

With the first release of Tekton Triggers and Tekton Pipelines, it's now possible to create an entire bespoke CI/CD system from scratch! Hear more about Tekton at the Continuous Delivery Summit on Monday, and catch the breakout sessions Mario's Adventures in Tekton Land and Russian Doll: Extending Containers with Nested Processes. Meet the Tekton maintainers at the Google Cloud Community Lounge on Thursday November 21 from 12.30-2.25pm, and follow @tektoncd for updates during the conference!

gVisor is a container-native sandbox for defense-in-depth anywhere. It provides a per-sandbox user-space kernel to improve isolation and mitigate privilege escalation vulnerabilities. gVisor integrates with Kubernetes and other container orchestration systems, while preserving the portability and resource efficiency of containers. Connect with the gVisor team in the Google Cloud Community Lounge during the Cloud Native Security meetup from 3.55-4.25pm on Thursday November 21.

Skaffold is a tool from Google that speeds up the feedback loop (build, tag, push, deploy) when developing applications on Kubernetes. Using Skaffold, you create a configuration for your project, and on every source code change Skaffold builds the images, deploys the app, abd starts tailing logs from pods and forwarding ports. For continuous delivery pipelines Skaffold provides a one-off deployment, with the ability to wait for health-checks. Skaffold is now GA, and Patrick Flynn and Balint Pato are available to chat about Skaffold and the Kubernetes Developer Experience from 4-5pm on Tuesday November 19, at the Google Cloud Community Lounge.

Additionally, join us for a breakout session on Binary Authorization in Kubernetes, which brings together Grafeas, an artifact metadata API for software supply chains, and Kritis, a deploy-time policy enforcer for Kubernetes applications.

We're excited to meet with so many users, friends, and fellow contributors at KubeCon, and hope you can join us in our talks and the Google Cloud Community Lounge.

Still can't get enough?

If you're interested in keeping up with the Kubernetes ecosystem, including all the news from KubeCon, subscribe to the Kubernetes Podcast from Google. Every week we release an episode covering news from the community, and in-depth interviews with leaders from the Kubernetes and cloud native ecosystem. Subscribe via your favorite podcast platform.