Project summary
ServiceRadar is an open-source network management and observability platform
Project description
ServiceRadar is an open-source, cloud-native network management and observability platform for large-scale, multi-tenant environments (100k+ devices).
Designed with security-by-default, it features:
- Distributed Architecture: Agent/poller/checker model with NATS JetStream event-driven processing and Timeplus Proton streaming OLAP
- Secure Communication: mTLS via SPIFFE/Spire workload identity across all microservices
- Multi-Protocol: SNMPv3, syslog, gNMI streaming telemetry, OTLP integration
- Kubernetes Native: Helm charts, CRDs, horizontal scaling with RBAC tenant isolation
- SRQL Query Language: Intuitive API for composable dashboards and analytics
- Event Processing: ZenEngine rules for real-time transformation and correlation
ServiceRadar bridges the "last mile" gap in cloud-native observability, providing secure network layer visibility across hybrid infrastructure. It supports traditional NMS protocols alongside modern observability stacks (Prometheus, Jaeger, OpenTelemetry).
Target Users: Telecom operators, MSPs, energy companies, airlines, IoT platforms managing complex, distributed networks.
Key Differentiators:
- Carrier-grade scalability for 100k-1M+ endpoints
- Multi-tenant isolation at network management layer
- Edge deployment via NATS hub/leaf topology
- Secure-by-default with automatic certificate management
Deeply integrated with CNCF ecosystem: Kubernetes, SPIFFE/Spire, NATS JetStream, OpenTelemetry. Deployment via Helm or Docker Compose, with comprehensive web UI and upcoming KV-based configuration.
ServiceRadar addresses critical gaps in existing observability tools by providing comprehensive network discovery, performance monitoring, and event correlation purpose-built for containerized and distributed architectures.
Org repo URL (provide if all repos under the org are in scope of the application)
Project repo URL in scope of application
https://github.com/carverauto/serviceradar
Additional repos in scope of the application
No response
Website URL
Roadmap
https://github.com/carverauto/serviceradar/blob/main/ROADMAP.md
Roadmap context
ServiceRadar's roadmap is designed to advance cloud-native network observability, addressing critical gaps in the CNCF ecosystem:
- Network Layer Observability: Bridges application-centric tools (Prometheus, Jaeger) with infrastructure visibility (SNMP, streaming telemetry)
- Secure Multi-Tenancy: Provides tenant isolation patterns applicable to other CNCF projects
- Distributed Scale: Carrier-grade architecture (100k+ devices) informs CNCF scalability best practices
- SPIFFE/SPIRE Integration: Demonstrates workload identity patterns for microservices
Contributing guide
https://github.com/carverauto/serviceradar/blob/main/CONTRIBUTING.md
Code of Conduct (CoC)
https://github.com/carverauto/serviceradar/blob/main/CODE_OF_CONDUCT.md
Adopters
No response
Maintainers file
https://github.com/carverauto/serviceradar/blob/main/MAINTAINERS.md
Security policy file
https://github.com/carverauto/serviceradar/blob/main/SECURITY.md
Standard or specification?
N/A
Business product or service to project separation
ServiceRadar will maintain clear separation between the open-source project and future enterprise services:
Organizational Separation
- Open Source Project: ServiceRadar OSS maintained under CNCF governance with transparent development, community contributions, and public roadmap
- Enterprise LLC: Separate legal entity providing commercial support, managed services, and enterprise features under dual-licensing model
- Development Teams: OSS core team focused on upstream project; enterprise team builds on OSS with additional proprietary capabilities
Development Model
- Upstream First: All OSS-compatible features developed in public GitHub repository first
- Feature Branching: Enterprise-specific features developed in private repositories, selectively upstreamed when applicable
- Release Cadence: OSS follows SemVer with community-driven priorities; enterprise builds on OSS releases with additional patches/support
Licensing & IP
- OSS License: Apache 2.0 for core project (CNCF standard)
- Enterprise License: Commercial license for proprietary extensions and support services
- Contribution Agreement: CLA ensuring company cannot claim IP ownership over community contributions
Contribution Transparency
- Public Roadmap: All OSS features planned and tracked publicly via GitHub Projects
- Dual Commit Access: Enterprise developers contribute to OSS under same review processes as community
- No Closed Development: No features hidden from community that could be OSS-compatible
Support Model
- Community Support: GitHub Issues, Discussions, Discord for OSS users
- Enterprise Support: SLA-backed support through LLC with dedicated enterprise channel
- Backport Policy: Security fixes flow from enterprise to OSS; no OSS fixes withheld
Governance Safeguards
- CNCF Oversight: Technical decisions made by CNCF-appointed maintainers
- Conflict of Interest Policy: Clear guidelines for enterprise vs. community priorities
- Transparency Reports: Quarterly reports on enterprise contributions to OSS
This model follows established CNCF patterns (e.g., Prometheus, Envoy) ensuring community trust while enabling sustainable enterprise development.
Why CNCF?
Why CNCF for ServiceRadar?
Strategic Alignment with Cloud Native Principles
ServiceRadar embodies core CNCF tenets through its Kubernetes-native deployment, SPIFFE/SPIRE workload identity, and distributed microservices architecture secured by mTLS. As a network observability platform, it addresses the critical infrastructure layer missing from application-centric tools like Prometheus and Jaeger.
Key Ecosystem Gaps Addressed:
- Network Layer Visibility: SNMP, streaming telemetry (gNMI), BGP, and NetFlow integration for hybrid infrastructure
- Secure Multi-Tenancy: RBAC patterns and tenant isolation applicable to other CNCF projects
- Carrier-Grade Scale: 100k+ device support informs CNCF scalability best practices
- Edge Computing: NATS hub/leaf topology for distributed deployments
CNCF Value Proposition
1. Technical Excellence & Standards
- Alignment with SPIFFE, OpenTelemetry, and Kubernetes security models
- Reference implementation for network observability in cloud-native environments
- Contribution to emerging CNCF standards (e.g., streaming telemetry, OCSF schema)
2. Neutral Governance
- Protection from vendor lock-in via Apache 2.0 licensing and CNCF oversight
- Transparent decision-making ensuring community priorities over commercial interests
- Established maintainer ladder and conflict-of-interest policies
3. Ecosystem Integration
- Deep integration with CNCF projects: Kubernetes operators, Helm charts, Prometheus exporters
- Collaboration opportunities with SIG Network, SIG Security, and observability projects
- Shared best practices for secure supply chain (SLSA), container security, and GitOps
4. Community & Talent
- Access to global cloud-native expertise and contributor talent pool
- KubeCon presence, CNCF certification programs, and marketing support
- Mentorship programs and contributor onboarding frameworks
5. Sustainability & Growth
- Funding opportunities through CNCF budgets and sponsorship programs
- Enterprise adoption patterns proven by graduated projects (Prometheus, Envoy)
- Path to incubation and graduation with established success metrics
Specific CNCF Ecosystem Contributions
- TAG Network: Network observability patterns and multi-tenancy best practices
- TAG Security: SPIFFE reference implementation, secure-by-default microservices
- OpenTelemetry: Native OTLP support and network telemetry correlation
- Kubernetes SIGs: CRD patterns for network management, operator lifecycle management
Long-Term Vision
ServiceRadar aims to become the de facto cloud-native network management platform, providing patterns for secure, scalable infrastructure monitoring that complement application observability. CNCF governance ensures these patterns benefit the entire ecosystem rather than any single vendor.
Graduation Path Alignment: Sandbox → Incubation (production adoption, SIG formation) → Graduation (CNCF-wide reference implementation)
By joining CNCF, ServiceRadar commits to upstream-first development, CNCF security standards, and active collaboration across the ecosystem, ensuring network observability advances alongside application observability in cloud-native architectures.
Benefit to the landscape
ServiceRadar: Filling Critical Gaps in Cloud Native Network Observability
Addresses Missing Infrastructure Layer
Current CNCF observability focuses on application metrics (Prometheus), distributed tracing (Jaeger), and logs (Fluentd), but lacks comprehensive network infrastructure visibility:
- No Native SNMP/gNMI Support: Existing tools require complex exporters/adapters
- Limited Network Discovery: No built-in topology mapping or device inventory
- Weak Multi-Tenancy: Application-focused tools don't address network tenant isolation
- Legacy Integration Gap: SNMP/syslog remain dominant but poorly integrated with cloud-native stacks
Key Differentiators & Enhancements
1. Secure Multi-Tenant Network Management
- RBAC at network layer with tenant-scoped SNMP polling and topology views
- SPIFFE/SPIRE workload identity for secure poller/checker communication
- Overlapping IP space isolation for MSPs managing multiple customers
- Enhancement: Provides patterns other projects can adopt for infrastructure multi-tenancy
2. Carrier-Grade Distributed Architecture
- Agent/poller/checker model scales to 100k+ devices across edge/core
- NATS JetStream event-driven processing (90M+ EPS, <4ms latency)
- Horizontal scaling without single points of failure
- Differentiator: Reference architecture for distributed infrastructure monitoring vs. centralized tools
3. Hybrid Infrastructure Bridge
- Native SNMPv3, syslog, NetFlow/sFlow, gNMI streaming telemetry
- Automatic discovery via CDP/LLDP/BGP for hybrid on-prem/cloud networks
- OTLP export to OpenTelemetry collectors for unified observability
- Value: Enables cloud-native operators to monitor legacy infrastructure without custom tooling
4. Edge & Distributed Deployment Patterns
- NATS hub/leaf topology for remote site aggregation
- Lightweight agents for IoT/edge computing environments
- Kubernetes operators for lifecycle management
- CNCF Contribution: Edge computing and distributed monitoring patterns
Ecosystem-Wide Benefits
Technical Standards & Patterns:
- SPIFFE Reference: Complete mTLS implementation across deployment models (K8s, Docker, bare metal)
- CRD Patterns: Network management CRDs informing SIG Network
- SRQL Language: Composable query patterns applicable to other telemetry projects
- OCSF Alignment: Standardized security event formats for observability+security correlation
Developer Experience:
- Helm charts and operators reduce deployment complexity
- Extensible checker framework enables community protocol integrations
- SRQL provides intuitive API reducing custom query development
Production Readiness:
- Battle-tested at carrier scale informs CNCF scalability guidelines
- Secure-by-default practices (SLSA Level 2, cosign signing) raise ecosystem security baseline
- Multi-architecture support (ARM64, AMD64) broadens deployment options
Strategic Landscape Impact
ServiceRadar creates a complete observability stack by adding the missing network infrastructure layer, enabling:
- End-to-End Visibility: Application → Service Mesh → Network → Infrastructure
- Cost Reduction: Eliminates need for multiple specialized network monitoring tools
- Security Enhancement: Network-layer tenant isolation and anomaly detection
- Ecosystem Maturity: Provides production patterns for network observability at cloud-native scale
By addressing the "last mile" of infrastructure monitoring, ServiceRadar enables organizations to fully operationalize hybrid cloud-native environments while contributing scalable, secure patterns back to the broader CNCF ecosystem.
Cloud native 'fit'
ServiceRadar's Cloud Native Fit
Core Cloud Native Architecture
ServiceRadar embodies cloud native principles through its distributed, containerized microservices architecture designed for Kubernetes orchestration:
- Container-First Deployment: Native Helm charts, Docker Compose, and Kubernetes operators with multi-architecture support (AMD64/ARM64)
- Microservices & SOA: Independent, loosely-coupled services (Core API, pollers, agents, checkers) communicating via gRPC/mTLS
- Immutable Infrastructure: Multi-stage Docker builds, cosign-signed images, non-root containers, and Kubernetes rolling updates
- Declarative Configuration: Migrating to NATS JetStream KV store and CRDs for GitOps compatibility (ArgoCD/Flux)
Service Mesh & Identity Management
ServiceRadar exemplifies secure service-to-service communication patterns:
- SPIFFE/SPIRE Integration: Workload identity and automatic mTLS certificate rotation across all microservices
- Zero-Trust Networking: Mutual TLS enforcement for all inter-service gRPC and API communications
- API Gateway: Kong with JWT validation, rate limiting, and shared authentication/authorization
- Service Discovery: Native Kubernetes service discovery with SPIFFE identities
Observability & Telemetry
Deep integration with the CNCF observability ecosystem:
- OpenTelemetry Native: OTLP protocol support for metrics, traces, and logs
- Prometheus Integration: Built-in metrics endpoints and service discovery for scraping
- Distributed Tracing: Jaeger-compatible tracing across microservices
- Event-Driven: NATS JetStream for high-throughput, asynchronous event processing (90M+ EPS)
Scalability & Resilience Patterns
ServiceRadar demonstrates cloud native scalability:
- Horizontal Pod Autoscaling: CPU/memory-based scaling for stateless pollers and Core services
- Distributed Data Processing: Timeplus Proton streaming OLAP with subscription-based scaling
- Circuit Breakers & Retries: gRPC-level resilience with exponential backoff
- Multi-AZ/Region: NATS hub/leaf topology for edge-to-core federation
- Stateless Design: Configuration in KV store enables zero-downtime rolling updates
Security-First Cloud Native Practices
Secure-by-default following CNCF TAG Security guidelines:
- RBAC & Tenant Isolation: Kubernetes RBAC + application-level multi-tenancy
- Network Policies: Pod-level isolation for agents, pollers, and Core services
- Secrets Management: SPIFFE certificates, Kubernetes secrets for API keys
- Supply Chain Security: SLSA Level 2, SBOM generation, dependency scanning
- Pod Security Standards: Restricted PSS enforcement, non-root containers
Operator Patterns & CRDs
ServiceRadar leverages Kubernetes extensibility:
- Custom Resource Definitions: NetworkDevice, PollerGroup, Tenant CRDs for declarative management
- Operators: Planned Kubernetes operators for lifecycle management of distributed pollers
- Helm Charts: Production-grade charts with values validation and upgrade hooks
Edge Computing & Multi-Cluster
Distributed deployment patterns:
- NATS Federation: Hub/leaf topology for multi-cluster, edge deployments
- Lightweight Agents: ARM64-compatible agents for IoT/edge computing
- Federated Queries: SRQL queries spanning multiple clusters via NATS
- GitOps Ready: Configuration as code with CRDs and Helm
CNCF Ecosystem Integration
ServiceRadar leverages and contributes to core CNCF projects:
| CNCF Project | Integration |
|---|---|
| Kubernetes | Native deployment, CRDs, operators |
| SPIFFE/SPIRE | Workload identity reference implementation |
| NATS | Event-driven backbone (incubating) |
| OpenTelemetry | Native OTLP exporter |
| Prometheus | Metrics collection and alerting |
| Kong | API gateway and service mesh |
Cloud Native Maturity Model Alignment
ServiceRadar maps to high maturity across cloud native dimensions:
- Packaging: Container images, Helm charts ✅
- Delivery: GitOps, rolling updates ✅
- Runtime: Kubernetes orchestration, service mesh ✅
- Security: mTLS, SPIFFE, RBAC ✅
- Observability: OTLP, Prometheus, distributed tracing ✅
- Configuration: Externalized (KV/CRDs), dynamic updates ✅
Strategic Landscape Positioning
ServiceRadar occupies the Network Infrastructure Observability layer, complementing:
- Application Layer: Prometheus, Jaeger, OpenTelemetry (metrics/traces)
- Platform Layer: Kubernetes, Istio (orchestration, service mesh)
- Infrastructure Layer: ServiceRadar (network devices, SNMP, topology)
By providing secure, scalable network visibility with native Kubernetes integration, SPIFFE identity, and OpenTelemetry export, ServiceRadar completes the cloud native observability stack while contributing reference implementations for multi-tenant infrastructure monitoring and edge computing patterns.
Cloud native 'integration'
ServiceRadar CNCF Integrations
Core Infrastructure
- Kubernetes: Helm charts, CRDs for network devices/pollers, Kubernetes operators
- SPIFFE/SPIRE: Workload identity and mTLS certificate management for microservices
Observability & Telemetry
- OpenTelemetry: OTLP protocol support for network metrics, traces, logs export
- Prometheus: Built-in metrics endpoints and service discovery integration
- CloudEvents: SNMP traps, syslog events, discovery events published via NATS JetStream
Networking & Messaging
- NATS: JetStream for event streaming (90M+ EPS), KV configuration store, hub/leaf federation
- Kong: API gateway with JWT validation, rate limiting, tenant routing
Packaging & Operations
- Helm: Production deployment charts with dependency management and validation
Service Mesh Compatibility
- Envoy/Istio: gRPC/mTLS protocol compatibility, planned service mesh integration
Security & Policy
- Open Policy Agent (OPA): Planned integration for dynamic RBAC and admission control
GitOps & CI/CD
- ArgoCD/Flux: Declarative deployments via CRDs and Helm for GitOps workflows
Data Processing
- Timeplus Proton: Streaming OLAP database for real-time network telemetry analysis
ServiceRadar collects infrastructure telemetry (SNMP, NetFlow, gNMI) and publishes standardized CloudEvents/OTLP, bridging network observability with application stacks while leveraging CNCF security, networking, and observability primitives.
Cloud native overlap
ServiceRadar CNCF Overlap Analysis
Direct Functional Overlap
Prometheus (Graduated)
- Overlap: Metrics collection and alerting from network devices
- Differentiation: Prometheus focuses on application metrics; ServiceRadar specializes in SNMP/gNMI/NetFlow network infrastructure metrics with built-in discovery and topology mapping
- Complementary: ServiceRadar exports to Prometheus via remote_write and provides service discovery for network endpoints
Fluentd/Fluent Bit (Graduated)
- Overlap: Log collection and aggregation (syslog, GELF)
- Differentiation: Fluentd for general logs; ServiceRadar focuses on network-specific logs (SNMP traps, syslog from network devices) with correlation to topology
- Complementary: ServiceRadar forwards network events to Fluentd collectors via OTLP or CloudEvents
Adjacent Capability Overlap
Jaeger (Incubating) / OpenTelemetry (Incubating)
- Overlap: Distributed tracing capabilities
- Differentiation: Jaeger/OTel trace application requests; ServiceRadar traces network data flows (agent→poller→core) and network protocol interactions
- Complementary: ServiceRadar generates network spans exported to Jaeger/OTel collectors for end-to-end visibility
Linkerd/Istio (Incubating)
- Overlap: Service mesh traffic observability
- Differentiation: Service meshes focus on L7 application traffic; ServiceRadar monitors L2/L3/L4 network infrastructure and device health
- Complementary: ServiceRadar provides underlying network visibility that service meshes depend on for topology-aware routing
Emerging Overlap Areas
CloudEvents (Incubating)
- Overlap: Event format standardization
- Differentiation: CloudEvents is a format specification; ServiceRadar implements network-specific CloudEvents schemas (SNMP traps, discovery events, OCSF security events)
- Complementary: ServiceRadar publishes domain-specific CloudEvents consumable by other CNCF event processors
Falco (Incubating)
- Overlap: Security monitoring and anomaly detection
- Differentiation: Falco focuses on runtime security (syscalls, container behavior); ServiceRadar monitors network anomalies and device behavior
- Complementary: Falco + ServiceRadar provides application runtime + network infrastructure security monitoring
Architectural Pattern Overlap
Kubernetes Operators (Pattern)
- Overlap: Custom resource management for infrastructure
- Differentiation: Most operators manage application workloads; ServiceRadar operators would manage network infrastructure (devices, pollers, topology)
- Complementary: Extends Kubernetes control plane to network infrastructure domain
Strategic Positioning
ServiceRadar complements rather than competes by occupying the network infrastructure observability layer missing from the current CNCF landscape:
```
┌───────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   Applications    │    │   Service Mesh   │    │  Network Infra  │
│ Prometheus/Jaeger │◄──►│  Istio/Linkerd   │◄──►│  ServiceRadar   │
│   OpenTelemetry   │    │                  │    │                 │
└───────────────────┘    └──────────────────┘    └─────────────────┘
          │                        │                      │
          └───────End-to-End───────┘                      │
                  Visibility                          SNMP/gNMI
```
Key Value: Provides the missing network layer enabling true end-to-end observability while contributing network-specific patterns (SNMP discovery, multi-tenant isolation, carrier-grade scaling) back to the ecosystem.
Similar projects
N/A
Landscape
N/A
Trademark and accounts
- If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF
IP policy
- If the project is accepted, I agree the project will follow the CNCF IP Policy
Will the project require a license exception?
N/A
Project "Domain Technical Review"
N/A
Application contact email(s)
Contributing or sponsoring entity signatory information
If an organization:
| Name | Address | Type | Signatory name and title | Email address |
|---|---|---|---|---|
| Carver Automation Corporation | 5840 Mount Carmel Road, Carver MN 55315 | Minnesota corporation | Michael Freeman - Founder | [email protected] |
Or, if an individual or individual(s):
| Name | Country | Email address |
|---|---|---|
CNCF contacts
N/A
Additional information
N/A