Hello, I'm Justin Cormack. I'm the CTO at Docker and I'm a member of the CNCF Technical Oversight Committee. And one of the things we really changed a lot in the last year in CNCF is the sandbox. So the sandbox is now home for a huge variety of projects to experiment with new things in cloud native and innovate, and these are the projects you'll all be using in a few years' time, and some of you are using right now, and they're great places to hack and develop and explore new ideas. And we're really excited that now we have over 40, nearly 50 probably by the time you hear this, sandbox projects, and there's a huge diversity of them, and I'm going to try and run through almost all of them in 15 minutes. So let's go then.

Starting with databases. SchemaHero is a tool that takes your database schema and makes it into a Kubernetes object, and then you can apply schema updates and so on along with changes in your application code just through GitOps and through, you know, through your normal Kubernetes operations. We'll see this pattern of applying things as Kubernetes objects in a lot of these projects. SchemaHero supports Postgres, MySQL, Cockroach, Cassandra and SQLite. So if you're using those, try it out.

Next we have streaming and messaging tools. Streaming data and stream processing is a really important part of cloud native applications, and lots of people are using them and getting a lot of value from that kind of architecture. Strimzi is a tool to help you run Apache Kafka efficiently on Kubernetes. So it's a Kubernetes operator that lets you manage the lifecycle of Kafka deployments and scaling and things like that. Pravega is a whole new streaming database design. It's in the same kind of family as Kafka, but it's designed to support persistent storage, auto scaling, efficiency with a lot of partitions, while delivering exactly-once semantics and low latency, all running on Kubernetes. Tremor is also a new event processing system.
It's an early-stage project written in Rust, one of many Rust projects we have in CNCF now. We had a Rust day earlier this week and it's exciting to see that community starting to work on interesting cloud native projects. So Tremor is designed to replace tools such as Logstash or Telegraf for getting JSON log data throughout into your system at high performance and high volume, and it supports back pressure and rate limiting for a stable system, which is obviously really important in production.

The next landscape section is application definition and image building. Backstage is a really exciting project. We were all really excited to see this when it came into Sandbox. It's a Spotify project originally, and it lets you build a whole developer portal for managing infrastructure, with extensible UX and extensible service catalog and plugins that let your teams manage their own infrastructure from a simple UI. KUDO is a toolkit for writing Kubernetes operators. So if you've been excited about operators in the stock so far, take a look at it. It's got a set of existing operators you can use and modify, and operators let you control the whole life cycle of stateful applications, such as managing backups and scaling and all the complex bits of life cycle that are really important. Serverless Workflow is a specification with Java and Go SDKs for defining workflows for serverless applications. So there's a way to define how data flows between different serverless functions and how the events map and how retry and control logic works. Artifact Hub is a front-end for finding artifacts such as Helm charts across multiple actual back-end repositories. It's not limited to Helm. It's been used by Open Policy Agent policies, Falco rules and all sorts of other cloud native pieces. KubeVirt is a tool for running VM workloads, not just container workloads, on Kubernetes.
So if you haven't containerized everything and you want to run one set of infrastructure for all your applications, take a look and run your legacy applications in the same infrastructure. Porter is an application packaging tool from the CNAB specification. So it bundles up a set of components with instructions for how to deploy them, how to upgrade them and so on. It's a very generic specification, and Porter is the kind of tool that works with all these CNAB things. And Telepresence is a useful tool for remote debugging your apps while they're actually running in Kubernetes in production or in staging. So you can debug on your local workstation using local tools while your application is actually running remotely in Kubernetes.

Now CI/CD tools. Brigade runs inside your Kubernetes cluster and lets you use simple JavaScript programs to run tasks and pipelines and things. So you could run unit tests or Slack integrations or database updates, whatever you want to script, all sorts of tasks in JavaScript. So it's easy to use. Keptn manages application lifecycle automation. So if you want to have a GitHub-style delivery pipeline but you don't want to roll out code unless it actually passes service level objectives, then this is what you need. So you can roll out from, say, staging to production if the code is meeting the quality gates.

This takes us nicely into observability and the areas around that. So OpenMetrics is standardizing the Prometheus format. So make it an IETF standard. So it's not just the format used by Prometheus, but it's also being widely used elsewhere, because it's a really simple, easy to understand standard. Trickster is an HTTP reverse proxy and cache, but it's specifically designed around accelerating time series databases such as Prometheus.
So if you're making a dashboard system, for example, it can make it much faster by caching frequently used data, but it can also add special optimizations that apply specifically to time series data, such as exactly aligning your time series requests on, say, one-second boundaries to make them faster. OpenTelemetry is a telemetry service for traces and metrics and logs. Now this project, it really shows what you can do in the sandbox. It was actually a merger of the OpenTracing and OpenCensus projects to make a uniform interface for users, and it's seeing a lot of adoption and is just applying for incubation now, but it really shows that you can, you know, projects can really morph and change in sandbox, and projects can work together and work out how to grow.

We also have a couple of chaos engineering tools. Netflix really introduced the Chaos Monkey years ago, and it's become a valuable part of people's tooling for breaking things at scale in production in controlled ways or uncontrolled ways. So Chaos Mesh has an operator that injects chaos into Kubernetes, and Litmus has a set of CRDs and a toolkit to let you program your own chaos in Go. So if you want to make custom chaotic things happen in your cluster, that's an interesting way of doing it.

So far we have one whole Kubernetes distribution in the sandbox. So k3s is built for IoT and edge use cases, which are becoming really popular with Kubernetes and a really growing area. So it's a lighter weight environment, can use SQLite instead of etcd and more things targeted at that kind of environment, and also runs well on ARM servers. Crossplane is a really cool way to expose any service API as a Kubernetes object and manage it. So you can manage resources in public and private clouds that your application needs along with your application in your kube resources with a uniform API. So it's really, really interesting. Volcano is a batch scheduling system for Kubernetes.
It's often used for ML and big data applications like Spark and TensorFlow. So if you're looking for better support for more advanced batch workflow, take a look.

BFE is a layer 7 application load balancer with support for things like HTTPS, obviously, and WebSockets and TLS and flexible routing policies. The Service Mesh Interface is a specification for service mesh as it covers the common feature sets like traffic encryption, telemetry, which everyone, everyone using service mesh is usually using. So it allows you to switch to a different service mesh that meets the spec and use common tooling. Open Service Mesh is a simple Envoy-based service mesh that actually implements Service Mesh Interface. So it covers those basics. Kuma is another Envoy-based service mesh designed to bridge Kubernetes and virtual machines with a single control plane. Network Service Mesh is people who need containers to different network protocols. So if you're using raw Ethernet or MPLS or L2TP, for example, like lots of telco applications are, this is something that you might want to check out. CNI-Genie lets you connect to different CNIs, so Kubernetes networking implementations, on the same cluster. So you can give pods connectivity to multiple CNI plugins. So if you're doing interesting things with networking, take a look at that. And Kube-OVN lets you use OVN networks with Kubernetes. So if you're integrating into your enterprise network where you're using encapsulated packets, then you might want to use that as your CNI.

We've got three storage projects in the sandbox. Longhorn provides replicated block storage and management. So that's useful if you need replicated, highly available block stores. OpenEBS supports local or replicated storage volumes. It uses a fork of one of the Longhorn providers and some various other options. ChubaoFS is not a block store, but it's actually POSIX and S3 compatible file-based storage, if you're looking for file storage for your applications.
Provisioning is another area where you've got several interesting projects. Metal Kubed, see the cool name? Kubed. It's a provisioning tool that runs inside Kubernetes to provision bare metal hosts. It has an operator that talks to IPMI controllers and provisions servers and has NGO clusters. So that's interesting. And then Tinkerbell, that's another bare metal provisioning project that came out of Packet and Equinix Metal. It divides into five components for managing different parts: DHCP, OS installs, and power and boot control and things like that. So very interesting project and lots of work going on there. OpenYurt is another Kubernetes on the edge project. So you can see lots of edge work going on, supporting nodes that might go offline, edge clusters which need to sync back to a cloud control plane. There's lots of different edge work at different stages, because a lot of people are doing Kubernetes at the edge. So there's lots of projects in CNCF to look out for if you're doing that.

And now for something different. Cloud Custodian is actually a tool for policy definition enforcement in public clouds. So if you're using public cloud and you want to check if your certificates are about to expire, or check policies on, say, machine images and storage bucket policy, then use that, which brings us really into the whole security and compliance section.

There's actually a lot of projects here. A lot of these projects are really exciting. It's great to see security projects in CNCF because it's one of the areas I'm particularly interested in. cert-manager is an incredibly useful project which can manage all your Kubernetes cluster certificates and automatically renew them and so on. in-toto is a software supply chain security specification. So it's around signing what processes have taken place when you're building your software, so you can verify it went through the right steps.
Keylime is built on the TPM2 software stack and is providing remote attestation and integrity measurements, so you can see that what's running on your machine is what's supposed to be running. Parsec is another hardware security project. Platform Abstraction for Security, it's short for. It's designed to abstract over hardware cryptography. So if applications want to talk to hardware crypto modules on the machine, they can use Parsec. Curiefense is a web application firewall that can be deployed in Envoy or standalone to control traffic reaching our application. Dex is an OpenID Connect and an OAuth 2 provider, so if you want to authenticate users into your cluster, that's incredibly useful. Kyverno is a policy agent and admission controller for Kubernetes. It's really much simpler than Open Policy Agent. It's designed for very simple use cases; if you want to, for example, just say "I don't want to run privileged containers", this might be easier for you. It doesn't have a whole programming language like Open Policy Agent, but just has simple composable policies. And Athenz is an X.509 certificate manager to give applications dynamic certificates and provide service identity.

So that's all the projects that were in the sandbox landscape when I was doing this talk. There were actually a few more that we just let in recently that didn't quite get into the landscape. Sorry, Distribution, you didn't get in. And a couple of others that we let in, and a couple of others that are going to be let in before KubeCon, no doubt. But the sandbox is a really exciting place for projects, and it's where projects are, you know, again, the next generation of projects that you're all going to be using and coming from, and you can start using them now, start investigating them and find something to hack on.