LFX Mentorship - My Experience

In this article, I share everything you need to know about the LFX Mentorship Program - what is it, the selection process and my experience as an LFX Mentee with CNCF: Kubescape.

---

What is LFX Mentorship? 🤔

LFX Mentorship is a 3-month mentorship-cum-internship program by The Linux Foundation. You get to work on an open-source project in the organization you are applying for. Multiple organizations take part in the LFX Mentorship program, like CNCF, Hyperledger, Open Mainframe, RISC-V, and Red Hat, including The Linux Foundation itself!

I applied to the CNCF's Kubescape project.

---

About the Selection Process 📝

Let's have a look at how to apply for the LFX Mentorship program, the selection process, and tips for getting selected.

To apply for the program, head over to their official website. Choose the project you want to work on, click on apply and submit the information it asks for.

The Selection Process:
If you have applied to one of the projects of the CNCF organization, then you will be asked to submit 2 things: Your Resume and Cover Letter. Unlike GSOC, you aren't required to submit a complete proposal (as of today).
The selection process for other organizations may differ, however. For example, you may be required to complete some tasks beforehand which showcases that you are well-versed with the required tech. Or, in some other cases, you might even be required to appear for an interview.
As said, it differs from organization to organization, and you'll get to know what tasks are required once you apply.

Tips for Getting Selected:
I often get asked, "Any tips you would like to share" for getting selected? The answer is simple:

• Have some sort of experience with the required tech. Maybe through internships or projects. The mentors need to know why YOU are the best person for this job.
• Get involved in the community beforehand. If you have made some contributions to the community beforehand, then that can serve as a plus point, as the mentors will know that you are already familiar with the project.

---

My Experience as a Mentee 🥼🧪

I worked for the CNCF's Kubescape project.
There were 3 mentees selected to work on Kubescape (different projects for each) - Me, Yash and Tejas. We had 3 mentors assigned to our projects Craig, David and Ben.

What is Kubescape? 🔍

Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.
Kubescape is a Cloud Native Computing Foundation (CNCF) sandbox project.

My project 🧑‍💻

My project was to develop a new image vulnerability patching command for Kubescape. Kubescape already supports scanning images for vulnerabilities. My task was to automate the fixing of these vulnerabilities by developing a new command that patches the vulnerabilities automatically.

My end goal was an Integration between Kubescape and Project-Copacetic.
A user should be able to run kubescape patch -i image:tag and have that image pulled down, analyzed by Kubescape, patched by copa using that analysis, and a summary of the vulnerability count before and after the action.

My work was divided into 2 parts:

• Add support for Kubescape to copacetic: Copacetic is an existing tool for directly patching container images using reports from vulnerability scanners. However, it currently supports patching only Trivy-produced image vulnerability reports. I had to add support to copa such that it can patch an image when provided with a kubescape-generated image vulnerability report as well.
• Embed copacetic within Kubescape to directly patch images from Kubescape: After adding support to copa such that it can patch Kubescape-generated image vulnerability reports, the next task was to embed the copa package within Kubescape so that we could directly patch images from the Kubescape CLI. Kubescape would scan & analyze the image, and pass it to copa for patching, re-scan it, and then finally display the vulnerability data after patching, all using just a single Kubescape command.

The copacetic team is currently designing a modular scanners approach to incorporate multiple scanners. I'm actively working with the team on that issue and it will take time to come up with the final solution. In the meantime, I've added support of Kubescape to copacetic, in a fork on mine.

How does it work? ⚒️

Below is a small flowchart I made, to help you understand the Kubescape image patching process.

1. The user inputs the image name to be patched
2. Kubescape scans the image for vulnerabilities using Grype as its engine
3. Kubescape then uses the scanned image information to analyze the vulnerabilities and passes the report further to the patching process.
4. Kubescape then reads the vulnerability report and patches the applicable vulnerable packages in the image using copacetic.
5. Kubescape re-scans the patched image for vulnerabilities using Grype as its engine.
6. In the CLI output, we have the vulnerability summary report and a patched image exported to our local Docker Server

Related PRs 🔗

• Added a new patch command to Kubescape CLI: kubescape/kubescape#1332

• Added kubescape support to copacetic: anubhav06/copacetic@kubescape

• Added a new ignore-errors flag to copacetic: project-copacetic/copacetic#247

• Added docs for filtering vulnerabilities with copacetic: project-copacetic/copacetic#251

• [WIP] Add modular scanners to copacetic: project-copacetic/copacetic#261, project-copacetic/copacetic#270

Takeaways 🗒️

What did I gain from my 3 months of the LFX Mentorship program with the CNCF?

• Knowledge: The amount of knowledge you gain while working on your project is inexplicable. Just for your reference, before the program, I knew nothing about image vulnerabilities, and now I'm very well-versed with image CVEs and SBOMs.

• Experience: Only because of this program, I was forced to move out of my comfort zone, and look at other projects as well (since it involved adding support in another project). Now, I can very easily jump into any new project and contribute to it, which was very difficult for me beforehand. For instance, I got to jump into copacetic and grype codebases.

• Skills: As said, you'll get to learn and work on new tech which will help you in upskilling yourself.

• Network: You not only get to connect with your mentors but also with other fellow mentees. It's always good to connect with an industry expert and gain knowledge from them, but at the same time, you get to connect with your fellow mentees as well. For example, we were 3 mentees selected to work on Kubescape (different projects) and we helped each other in our tasks and also had frequent meetings.

• Stipend: Last but not least, you are also paid a good stipend for the hard work you do.

---

Conclusion ⏳

LFX Mentorship is a very rewarding program that can help you upskill yourself while getting to work on a project and getting mentored at the same time. If you get rejected for a particular term, don't get disheartened, you can always apply the next time. If you get selected, you'll have the best experience of your life, just like I had! Ultimately, it depends on how you make the maximum out of the opportunity you are getting

If you liked this article and you think it helped you know about the program, consider giving this post a like and sharing it with your friends who might have the same doubts.

If you still have any questions, you can reach out to me on my socials (Twitter or Linkedin) and I'll be more than happy to help. FYI: nohello.net