The CNCF Technical Oversight Committee (TOC) has voted to accept Cloud Custodian as a CNCF incubating project.
Cloud Custodian is a governance-as-code tool that allows organizations to use code to manage and automate enforcement of policies for cloud security, compliance, operations, and cost optimization without hindering developer velocity. Cloud Custodian is used in production by many organizations, including Capital One, Code 42, Grupo, HBO Max, Intuit Inc, JP Morgan Chase & Co, Siemens, Premise Data, and Zapier.
“Cloud Custodian is fast becoming the de facto standard for cloud governance, enabling teams to go faster and alleviate the burdens of developing ad hoc scripts,” said Kapil Thangavelu, Cloud Custodian creator and maintainer and CTO at Stacklet. “Cloud Custodian’s real-time notification and remediation capabilities are helping DevSecOps and FinOps teams drive behavioral change and improve awareness of best practices among application teams. As we take our next steps into incubation with CNCF, I’m beyond excited to work with the community to continue the adoption of Cloud Custodian and add new capabilities such as Kubernetes controller integration and policy validation against IaaC code.”
As organizations scale operations in the cloud, enforcing best practice policies and ensuring cloud infrastructure is safe and cost-optimized becomes challenging due to multiple deployment tools, scripts, and teams. Kapil Thangavelu created the project at Capital One when the company was at the beginning of its cloud journey in 2016. Capital One contributed Cloud Custodian to CNCF Sandbox in August 2020 and since then, the project has been downloaded over 100 million times while expanding depth and breadth of resource support across all three cloud providers.
“Cloud Custodian, a critical component of our SDLC process, helps us seamlessly enforce policies across thousands of multi-cloud accounts,” said Darren Dao, principal software engineer at Intuit Inc and maintainer of the Cloud Custodian project. “Moving to incubate is a critical step in growing the adoption and velocity of the project. I look forward to continuing the collaborative partnership with the community and seeing the project add exciting new capabilities.”
“Cloud Custodian has enabled the Siemens DISW Cloud Security Operations team to establish the necessary guardrails to ensure compliance with internal policies and achieve numerous industry-recognized certification standards,” said Scott Schwartz, Senior Cloud Infrastructure Engineer at Siemens. “We are excited about the progress made by the Cloud Custodian community and are committed to supporting and contributing to the project.”
“HBO Max security team believes in building guardrails and not fences. Cloud Custodian has helped developers innovate quicker while automating and enforcing security guardrails across multiple cloud accounts and regions. The development teams at HBO Max can fearlessly deploy innovative services for their users,” said Mrunal Shah, cloud security leader at HBO Max.
Main Components
- c7n – Main module, includes AWS support
- c7n_org – multi-account support
- c7n_azure – Azure support
- c7n_gcp – Google Cloud Support
- c7n_mailer – Notification/mail support
- (Other modules) – this includes awscc, kubernetes, openstack, etc. and also includes in-progress modules like initial tencentcloud support.
Notable Milestones:
- 350+ contributors across 130+ organizations
- 4.3K GitHub Stars
- 150M+ downloads
“Cloud Custodian has proven to be one of the integral parts of the cloud native ecosystem and as it moves to the CNCF Incubator, I anticipate that the project will continue to gain momentum and improve security and cost management practices across the community. I look forward to watching the community grow,” said Chris Aniszczyk, CTO of the Cloud Native Computing Foundation.
“As cloud adoption scales within organizations, automating cloud cost policy governance is emerging as a critical functional area in the FinOps framework,” said J.R. Storment, executive director at FinOps Foundation. “Cloud Custodian is a popular open source tool within our community for cloud cost governance, and it’s great to see the project progress to incubate stage within the CNCF.”
Cloud Custodian publishes a roadmap on GitHub. New features this fall include Kubernetes support, AWSCC API support, and GA support for Google Cloud. This year has been focused on project sustainability, with work expected to land this year including governance updates, full ARM64 support, and signing Docker images as part of a newly automated release process.
As a CNCF-hosted project, Cloud Custodian is part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support, and community outreach. For more information on maturity requirements for each level, please visit the CNCF Graduation Criteria.