Skip to content

Kubean Enters CNCF Sandbox

In April 2024, the CNCF community welcomed a vibrant green pod (Kubean) into the Sandbox.

Kubean Logo

Over the past few years, several developers from DaoCloud have been maintaining code in the Kubespray community. On the occasion of May Day 2022, inspired by Uncle Kai and Brother Xiao, they casually sowed a green pod Kubean in the CNCF community. This young pod, after nearly two years of diligent nurturing, began to crackle and grow, and now serves as the initial spark for the [DCE 5.0](../../../dce/index.mdroduction cluster, capable of creating hundreds to thousands of clusters on demand.

On April 15, 2024, after an 11-member CNCF TAG committee vote, with 8 in favor and 3 not voting, the results exceeded the 66% threshold, successfully entering the well-known Sandbox for further incubation.

What Can This Pod Do?

At its core, Kubean is an Operator, providing CR resources for containerized clusters, capable of deploying clusters and more as Jobs. Like the legendary generals who could conjure soldiers from beans, as long as you have an underlying cluster, you can deploy numerous new clusters in various environments using Kubean.

  • Supports declarative deployment of clusters from scratch using Operator and Helm Chart, supports D1, D2 for efficient operations (scaling, upgrading, and uninstalling)
  • Capable of deploying K8s clusters on bare metal, virtual machines, cloud platforms, and more
  • Supports almost all Linux distributions
  • Supports log tracing for convenient cluster operations (upgrades, scaling, uninstallation), and also facilitates rolling back clusters to a specific job state
  • Supports engines like Kubespray
  • Supports offline installation and upgrading

Here is the overall architecture diagram of Kubean:

Kubean Architecture Diagram

Kubean operates on an existing Kubernetes cluster, using standard CRD resources and Kubernetes built-in resources to control and manage the lifecycle of clusters (installation, uninstallation, upgrading, and scaling). Kubean uses Kubespray as its underlying technology dependency, simplifying the cluster deployment process and lowering the barrier for users. Additionally, it builds on Kubespray's capabilities by adding new features like operation records and offline version tracking.

Kubean Operator

This pod consists of four beans:

  • Big Bean Cluster Controller: Monitors the Cluster object. Uniquely identifies a cluster, possesses access information, type information, deployment parameters of the cluster nodes, and associates all operations (ClusterOperation objects) on this cluster;
  • Second Bean ClusterOperation Controller: Monitors ClusterOperation objects. When a ClusterOperation Object is created, the controller assembles a Job to execute the operation defined in the CRD object;
  • Third Bean Manifest Controller: Monitors Manifest objects. Used to record and maintain the current version of components, packages, and versions used and compatible with Kubean;
  • Fourth Bean LocalArtifactSet Controller: Monitors LocalArtifactSet objects. Used to record the supported components and versions of offline packages.

Comparison with Similar Products

Kubean currently defaults to the Kubespray underlying engine, but plans to support more engines in the future, such as switching to newer engines like Kops and KubeKey.

Kubespray is part of the kubernetes-sigs ecosystem, designed for deploying production clusters as an open-source project. Kubean was initially developed based on Kubespray, but has since added several new features. Below is a simple comparison between Kubean, Kubespray, Kops, and KubeKey:

Kubean Kubespray Kops KubeKey
Applicable Scenarios Suitable for cloud-native declarative API cluster management scenarios Suitable for complex scenarios with varying deployment platforms Suitable for fixed infrastructure platform management Suitable for lightweight dependency deployment scenarios
Containerization Support Supported Supported Not Supported Not Supported
CLI Support Not Supported Supported Supported Supported
Declarative API Supported Not Supported Not Supported Not Supported
Supported Deployment Platforms
  • GCE
  • Azure
  • OpenStack
  • vSphere
  • EquinixMetal
  • OracleCloud
  • Baremetal
  • GCE
  • Azure
  • OpenStack
  • vSphere
  • EquinixMetal
  • OracleCloud
  • Baremetal
  • AWS
  • GCE
  • DigitalOcean (Alpha)
  • Hetzner (Alpha)
  • OpenStack (Alpha)
  • Azure (Alpha)
Unknown
Mixed Architecture Support Supported Supported Not Supported Not Supported
Offline Deployment Supported Supported Not Supported Supported
Implementation Method
  • Kubespray
  • Operator
  • CRD
  • Ansible
  • kubeadm
  • Cloud Provider API
  • Nodeup
  • Golang
  • SSH
  • SFTP
  • Kubeadm
Operating System Support
  • Flatcar
  • Debian
  • Ubuntu
  • CentOS
  • Fedora
  • OpenSUSE
  • Oracle Linux
  • Almalinux
  • Rocky Linux
  • Kylin
  • Amazon Linux
  • UOS Linux
  • OpenEuler
  • Flatcar
  • Debian
  • Ubuntu
  • CentOS
  • Fedora
  • OpenSUSE
  • Oracle Linux
  • Almalinux
  • Rocky Linux
  • Kylin
  • Amazon Linux
  • UOS Linux
  • OpenEuler
Depends on infrastructure support
  • Ubuntu
  • Debian
  • CentOS
  • Almalinux
  • SUSE
Runtime Support
  • Docker
  • containerd
  • CRI-O
  • Docker
  • containerd
  • CRI-O
  • Docker
  • containerd
  • Docker
  • containerd
  • CRI-O
  • iSula
Upgrading Supported Supported Supported Supported

Sandbox Journey

Kubean was selected for the CNCF Landscape in late July 2023 and immediately applied to join the Sandbox.

At the end of August, ErikJiang, the main maintainer of Kubean, presented a PPT online to CNCF TAG-Runtime members during a regular hearing, introducing the origins, functional features, and future plans of Kubean.

In the following months, he answered many questions raised by TAG members, such as the differences from Cluster API, enhancing the persuasiveness of Kubean's ease of use. Subsequently, TAG committee members jberkus, caniszczyk, rochaporto, and others proposed new schemes regarding Kubean's affiliation:

  • A subproject under kubernetes-sigs/kubespray
  • Or as an independent Sandbox project

Open source progresses through exchange and collision, and so does Kubean. This pod was originally born on the branches of Kubespray, but now it has been found to be capable of further development based on more engines, alleviating the TAG committee's concerns. In fact, it is not only an extension of Kubespray but can also be an expansion of more cluster lifecycle engines; it is a new product running on old-era engine technologies, endowed with a new mission.

In early April 2024, raravena80 on behalf of TAG decided to accept Kubean into the sandbox, initiating the voting process.

On April 15, 2024, the TAG votes exceeded the 66% threshold, and Kubean began the Sandbox Onboarding process.

vote

Behind the Scenes

One small incident worth mentioning is that in early 2024, Jiang Hang, a code maintainer of Kubean, opened GitHub during a weekend to routinely review open-source code and incidentally discovered a runc container escape vulnerability. He raised an issue, discussed it with several community developers, and then submitted a PR to fix this CVE vulnerability. Later, this vulnerability, identified as CVE-2024-21626, scored a high 8.6 points, claimed to be the most severe vulnerability in runc history. See K8s runc discloses 8.6 point highest historical security vulnerability.

cve CVE-2024-21626

It was after the Kubean project team members deeply participated in and fixed this most severe vulnerability that the TAG committee's attitude softened, recognizing the value of Kubean and its team.

In summary, the open-source community always rewards effort, whether it's project recognition or personal skill and insight growth. On this global stage, efforts will be remembered. Today, there's the remarkable presence of the green pod, and perhaps tomorrow, the song of the blue sprite will be sung far and wide.

More developers are welcome to contribute and build a thriving community. GitHub project address: https://github.com/kubean-io

In Conclusion

In this world, no method can fully satisfy both the Buddha and your beloved.

Comments