Looking Back and Forward: Cloud Custodian Moved to CNCF Incubation Status

Cloud Custodian was born as a side project I created while at Capital One in the fall of 2015, when the company was at the beginning of its cloud journey. Initially, we were focused on providing governance as code tooling that could be used to support resource tagging use cases within a particular business unit. 

The project scope expanded quickly, accommodating use cases across business units. Over time, centralized cloud infrastructure and security teams came to be involved. 

By the spring of 2016, the project had become a de facto standard within the organization, enabling teams to go faster and alleviate the burdens of developing ad hoc scripts and working with several third-party vendors. The project’s real-time notification and remediation helped change user behavior and improve awareness of best practices among application teams. Further, the project ultimately helped the organization meet its governance goals.  

The initial purpose of Cloud Custodian was to consolidate all the scripts and tools various teams were using in the cloud, so we could better ensure resources were being well managed, including security, compliance, cost, and operations. The solution helped our development teams scale operations in the cloud while enabling them to use their preferred deployment tools. The solution also reduced the need for handling manual processes and writing ad-hoc scripts. By providing automated notifications and remediations, Cloud Custodian also fostered behavior change amongst development teams. 

In April 2016, we decided to open source Cloud Custodian.  Our team believed cloud governance was a problem that needed to be solved by a community, similar to how the Kubernetes project addressed the demand for container orchestration. Fast forward to 2022, Cloud Custodian is now the de-facto standard for cloud governance. Today,  it is being used by thousands of global brands and has over 350 contributors. 

Over the years, the project has grown in maturity and usage with contributions from over 131 organizations. While Cloud Custodian started with Amazon Web Services (AWS) initially, it now offers support for  Microsoft Azure and Google Cloud Platform. Cloud Custodian has deeper integration with native cloud provider capabilities, such as AWS Security Hub and Google Cloud Security Command Center. This enables us to push policy results and trigger various actions, including remediation. Cloud Custodian adoption has steadily increased over the past few years, with more than 150M downloads. Cloud Custodian continues to support more use cases and groups within an organization. Following are some common usage scenarios: 

• Cloud engineering teams are leveraging Cloud Custodian as a standardized tool for tagging and governance.
• With Cloud Custodian, FinOps teams are automating the enforcement of cost governance policies. 
• Security and compliance teams use Cloud Custodian to enforce organizational security policies and implement industry benchmark controls. 

 CNCF Moves Cloud Custodian to Incubation Status 

Today I'm excited to share that the CNCF Technical Oversight Committee (TOC) has voted to promote Cloud Custodian from a sandbox-level hosted project to the incubation level. As part of their due diligence, the committee verified that Cloud Custodian: 

• It is being used successfully in production.
• Has a healthy number of committers.
• Demonstrates a substantial ongoing flow of commits and merged contributions.
• It has a versioning scheme and security processes that are documented. 
• Completed a security assessment.

Special thanks to Ricardo Rocha for being our TOC sponsor and thanks to the CNCF TOC and CNCF  TAG Security members for their support throughout the process.

Looking Ahead, the Future is Bright for Cloud Custodian

As a community, we look forward to enabling continued adoption and increased usage of Cloud Custodian within organizations. On top of that, we are also exploring the introduction of several exciting new capabilities: 

• Policy authoring enhancements.
• Integration with Kubernetes Admission Controller would enable users to work with the same DSL for both Cloud Custodian and Kubernetes policies.  
• Enhanced capabilities that enable FinOps teams to create policies and alerts for cloud budgets.
• The ability to run Cloud Custodian policies against infrastructure as code (IaC) templates, such as those from HashiCorp’s Terraform.  
  
  

Congratulations to Cloud Custodian maintainers, contributors, and users on the promotion to the incubation level. 

If you are new to the Cloud Custodian project, you can learn more cloudcustodian.io

We also host our annual community event, Cloud Governance as Code Day with Cloud Custodian, on Oct 18th. Please sign up for the event here.