[Presentation] Dapr Overview

[yaron2]

Title: Dapr Overview

Speakers: Yaron Schneider (myself)

Description: In this session I will cover the Dapr project's goals, history, and specifically its unique role in the CNCF ecosystem for providing application level security as opposed to network/infrastructure level security.

This presentation is for the project to move levels (Incubation -> Graduation)

Time: 45 minutes

Availability: Any day between 7am - 6pm PST

TO DO

• TAG Representative
• Schedule date
• By opening this issue, I, (@yaron2) acknowledge that the presentation topic and speaker will follow the presentation guidelines
• If this is a presentation for a project moving levels, the TAG Representative should complete the Moving Levels Recommendation

[eddie-knight]

Hi @yaron2! Would you like to present on the September 25th Americas community call at 1000PST?

[yaron2]

Hi @yaron2! Would you like to present on the September 25th Americas community call at 1000PST?

Sure, that time works well. Thanks

[dims]

@yaron2 can you please PR in the self-assessment like was done for cert-manager? #1254

[dims]

xref: cncf/toc#1354

[brandtkeller]

Template for TAG recommendation to TOC

Project Overview

Ecosystem Adoption

3.6k Contributors
23.9k stars
14/157 largest CNCF project
10-15 maintainers across multiple companies
Large list of end user adoption

Past TOC Reviews

Dapr Incubation PR
Dapr incubation Onboarding Issue
Dapr Graduation Application Issue
How has the project addressed comments from previous reviews (incubation if graduation, sandbox if incubating, etc)?
Yes, project addressed any items identified in the incubation on boarding

License Scanning is in place

Security Reviews

TAG Security Assessments

The project has not yet completed a self or joint assessment with the Security TAG. A self assessment is recommended as a great step towards recommendation for gradation.

Threat Model

Security Audit

The following audits have been performed against the project.

Dapr Fuzzing Audit PR
Dapr Security Audit Report PR

Findings were addressed.

Best Practices

Metrics

Project has the OpenSSF Best Practices badge with a passing state. The project does not produce any SBOM or other build provenance artifacts to-date but was recommended to review.

Static Analysis

The project does perform static analysis and this is integrated into CI/CD processes.

Sub-project Considerations

Sub-projects do exist - there are 34 repositories total under the Dapr GitHub Organization.

It is recommended that each sub-project have the above processes adopted over time.

TAG Recommendation to the TOC

Dapr has many methods for utility and has seen large adoption from end users/companies and contributors. Utilization has seen critical deployments - of which deployment to the International Space Station were mentioned.

In order for the Security TAG to make a recommendation for the Dapr project towards Graduation, a self assessment and joint assessment would be required.