diff --git a/projects/confidential-containers/governance-review/2026-03-10.md b/projects/confidential-containers/governance-review/2026-03-10.md new file mode 100644 index 000000000..0341a1b2d --- /dev/null +++ b/projects/confidential-containers/governance-review/2026-03-10.md 
@@ -0,0 +1,342 @@ +# Confidential Containers - Governance Review - 2026-03 + +What follows is a governance review and assessment for the Confidential +Containers project. The review was executed as part of due diligence when +Confidential Containers submitted to move to Incubation level at CNCF in +[#1504](https://github.com/cncf/toc/issues/1504). + +- Project: +- Site: +- Matriculation issue: +- Governance review issue: + +This review is based on the template at + +and integrates information provided by project maintainers in [the matriculation +issue](https://github.com/cncf/toc/issues/1504). + +## Summary and Assessment + +**Status:** Mostly Satisfactory + +### Governance Summary + +The Confidential Containers project builds on Kata Containers to provide an isolated and secret environment for containerized workloads to run. + +Contributors and Maintainers for each sub-project manage daily activity and features, and a Steering Committee with representation from many contributing companies sets high-level direction and resolves conflicts. + +The project maintains a strong relationship with its dependency Kata Containers; contributors to Kata Containers are part of the Confidential Containers Steering Committee. + +### Must-Fix Items + +**The following issues have been identified that need to be resolved before +Incubation:** + +* A public list of Maintainers for each project should be published. Currently + maintainers are listed within GitHub teams and not publicly readable. + +### Points of Excellence + +**The following aspects of governance are exemplary, and can be referenced as +examples for other projects to copy:** + +* The Steering Committee is designed to represent all major contributing + companies and is currently comprised of members from 7 companies. A process is + defined to ensure membership continues to reflect major contributors. 
+* Each sub-project is defined by its own repo, and the relationship of + components to sub-projects is listed + [here](https://confidentialcontainers.org/docs/architecture/design-overview/#components). +* The project intentionally cultivates a connection with its major dependency of + Kata Containers. + +## Review + +**The following review primarily consists of an audit on the project's +self-assessment in their Incubation application.** + +### Governance Evolution + +**Governance has continuously been iterated upon by the project as a result of +their experience applying it, with the governance history demonstrating +evolution of maturity alongside the project's maturity evolution.** +
+**Incubating:** Suggested | **Graduated:** Suggested + +* The main governance document has evolved over time, see history at + . +* See discussions at: + * https://github.com/confidential-containers/confidential-containers/issues/9 + * https://github.com/confidential-containers/confidential-containers/pull/56 + * https://github.com/confidential-containers/confidential-containers/issues/144 +* Specific examples of changes include: + * https://github.com/confidential-containers/confidential-containers/pull/235 + * https://github.com/confidential-containers/confidential-containers/pull/229 + +### Discoverability + +**Clear and discoverable project governance documentation.** +
+**Incubating:** Suggested | **Graduated:** Required + +* The project maintains a metadata repo at + . + Governance is documented there at + . +* CONTRIBUTING and CODE-OF-CONDUCT docs are in + . +* The CONTRIBUTING doc is also published on the web site at + . + +### Accuracy and Clarity + +**Governance is up to date with actual project activities, including any +meetings, elections, leadership, or approval processes.** +
+**Incubating:** Suggested | **Graduated:** Required + +* The process for election of Maintainers and Steering Committee members is + documented in + . +* Examples of election process for Steering Committee: + * https://github.com/confidential-containers/confidential-containers/pull/326 + * https://github.com/confidential-containers/confidential-containers/pull/339 +* A community meeting schedule is documented in the contributing guide: + , + and in running notes: + . + +**Governance clearly documents [vendor-neutrality] of project direction.** +
+**Incubating:** Suggested | **Graduated:** Required + +The project's +[overview](https://github.com/confidential-containers/confidential-containers/blob/main/overview.md) +states that a key consideration is to "support multiple TEE and hardware +platforms", and the doc goes on to say that AMD, Intel and IBM TEE technologies +are actively supported. + +The [steering committee +members](https://github.com/confidential-containers/confidential-containers/blob/main/overview.md) +come from a broad swath of companies, including Alibaba, IBM, Intel, AMD, Red +Hat, Nvidia and Microsoft. + +There is no statement about vendor-neutrality in the governance docs though. + +### Decisions and Role Assignments + +**Document how the project makes decisions on leadership roles, contribution +acceptance, requests to the CNCF, and changes to governance or project goals.** +
+**Incubating:** Suggested | **Graduated:** Required + +Anyone can suggest contributions and become a Contributor to the project by +following typical git/GitHub workflows to submit PRs, as documented in +. + +Contributors can become Maintainers by establishing trust and making relevant +contributions, then opening an issue for the project in question. Per [the +project's governance +document](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md) +"this decision process is not formally defined and is based on lazy consensus +from the existing maintainers." + +The Steering Committee defines high-level strategy and roadmap and handles +administrative functions. New members can be added to the steering committee +with a 2/3 vote of existing members as described +[here](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#expansion). + +**Document how role, function-based members, or sub-teams are assigned, +onboarded, and removed for specific teams (example: Security Response +Committee).** +
+**Incubating:** Suggested | **Graduated:** Required + +The primary role to be added or removed from Contributors is the Maintainer +role, which is granted by adding the Contributor to a GitHub team for the +targeted project as documented +[here](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#becoming-a-project-maintainer). +GitHub teams and their members are not publicly listed so there isn't a current +list of actual maintainers. + +Maintainers for a project are also "security managers" for those projects, but +in addition dedicated security managers can be added across all projects +following the procedure documented at +. +Since attachment to this role is based on membership in a GitHub team, the +current list is also not available. + +### Maintainers and Maintainer Lifecycle + +**Document a complete maintainer lifecycle process (including roles, onboarding, +offboarding, and emeritus status).** +
+**Incubating:** Suggested | **Graduated:** Required + +As described in [the governance +doc](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md) +Contributors become Maintainers by building trust and making contributions. +Steering Commitee members are elected to represent major contributing companies +to the project and do not have to otherwise be Maintainers. Processes for +removal from Maintainer or Steering Committee membership are documented in the +governance doc as well. + +**Demonstrate usage of the maintainer lifecycle with outcomes, either through +the addition or replacement of maintainers as project events have required.** +
+**Incubating:** Suggested | **Graduated:** Required + +Examples of Maintainer updates for sub-projects: + +* Maintainer updates for Trustee: +* Maintainer updates for guest-components: + +**Document complete list of current maintainers, including names, contact +information, domain of responsibility, and affiliation.** +
+**Incubating:** Required | **Graduated:** Required + +GitHub Teams are used to track maintainers for projects/repos. The list is +available to org members here: + + +However, there is no public list of current maintainers. + +Steering committee members and their affiliations are listed in the governance +doc here: + + +**A number of active maintainers which is appropriate to the size and scope of +the project.** +
+**Incubating:** Required | **Graduated:** Required + +The list of active maintainers is not publicly available. But [LFX +Insights](https://insights.linuxfoundation.org/project/confcont/contributors) +shows a pretty broad group of contributors and contributing organizations. + +**Project maintainers from at least 2 organizations that demonstrates +survivability.** +
+**Incubating:** N/A | **Graduated:** Required + +A list of active maintainers and their affiliations is not publicly available. + +### Ownership + +**Code and Doc ownership in Github and elsewhere matches documented governance +roles.** +
+**Incubating:** Required | **Graduated:** Required + +Code and doc ownership is governed by CODEOWNERS files in each project/repo +which delegate control to GitHub teams. + +### Code of Conduct + +**Document adoption and adherence to the CNCF Code of Conduct or the project's +CoC which is based off the CNCF CoC and not in conflict with it.** +
+**Incubating:** Required | **Graduated:** Required + +The top-level project declares that it follows the CNCF Code of Conduct in +. + +**CNCF Code of Conduct is cross-linked from other governance documents.** +
+**Incubating:** Required | **Graduated:** Required + +The CNCF Code of Conduct is linked in +. + +### Subprojects + +**All subprojects, if any, are listed.** +
+**Incubating:** Required | **Graduated:** Required + +A list of components used in the project is at + + +Per the incubation issue in cncf/toc here are the current sub-projects and their repos: + +| Project | Description | Repo | +| ----------------- | ------------------------------- | ------------------------------------------------------------ | +| Trustee | CoCo attestation services | https://github.com/confidential-containers/trustee | +| guest-components | CoCo TEE/client side components | https://github.com/confidential-containers/guest-components | +| cloud-api-adaptor | CoCo "peer-pods" deployment | https://github.com/confidential-containers/cloud-api-adaptor | +| operator | CoCo "installer" | https://github.com/confidential-containers/operator | +| trustee-operator | CoCo Trustee "installer" | https://github.com/confidential-containers/trustee-operator | +| td-shim | CoCo minimal virtual firmware | https://github.com/confidential-containers/td-shim | + +**If the project has subprojects: subproject leadership, contribution, maturity +status documented, including add/remove process.** +
+**Incubating:** Suggested | **Graduated:** Required + +Subproject leadership and contributor status follow the framework documented in +. + +Maturity for subprojects is not documented but can perhaps be inferred from +release version numbers, all of which are v0.x. + +A public list of maintainers for each project is not available as mentioned +above. + +### Contributors and Community + +**Contributor ladder with multiple roles for contributors.** +
+**Incubating:** Suggested | **Graduated:** Suggested + +Defined in [governance +doc](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#community-members-and-roles). + +**Clearly defined and discoverable process to submit issues or changes.** +
+**Incubating:** Required | **Graduated:** Required + +Contributing guide here: + + +**Project must have, and document, at least one public communications channel +for users and/or contributors.** +
+**Incubating:** Required | **Graduated:** Required + +Slack channel and community meeting info are documented here: +. + +**List and document all project communication channels, including subprojects +(mail list/slack/etc.). List any non-public communications channels and what +their special purpose is.** +
+**Incubating:** Required | **Graduated:** Required + +* CNCF Slack channel: +* Community meeting: + +**Up-to-date public meeting schedulers and/or integration with CNCF calendar.** +
+**Incubating:** Required | **Graduated:** Required + +Weekly meetings are mentioned here: +and further described in [this Google +doc](https://docs.google.com/document/d/1E3GLCzNgrcigUlgWAZYlgqNTdVwiMwCRTJ0QnJhLZGA/). + +**Documentation of how to contribute, with increasing detail as the project +matures.** +
+**Incubating:** Required | **Graduated:** Required + +A contributing guide is available here: +. It has not been updated +since being published in 2024. + +**Demonstrate contributor activity and recruitment.** +
+**Incubating:** Required | **Graduated:** Required + +See LFX Insights: + +[project milestone or other requirement]: https://github.com/cncf/toc/tree/main/process#how-to-apply-to-move-levels +[vendor-neutrality]: https://contribute.cncf.io/maintainers/community/vendor-neutrality/ \ No newline at end of file
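Review bot: The Must-Fix list and the "Mostly Satisfactory" status do not agree with the per-item findings later in the same file: "Document complete list of current maintainers" and "A number of active maintainers which is appropriate to the size and scope of the project" are both marked **Incubating:** Required, and both are recorded as unmet (no public maintainer list; LFX Insights contributor counts are used as a proxy, but contributors are not maintainers), yet only the first item appears under Must-Fix. Either state that the second Required item is also blocked by the missing list, or explain why contributor counts satisfy it. The same gap applies to the security managers role in "Decisions and Role Assignments": membership is a GitHub team, so the people who receive vulnerability reports are also not publicly enumerable; since that is the contact path for security disclosures, fold it into the Must-Fix item instead of leaving it as an aside. Smaller points: many link targets are empty ("Project:", "Site:", "This review is based on the template at", "see history at .", "Maintainer updates for Trustee:", "CNCF Slack channel:"), so most of the cited evidence cannot be followed; the "steering committee members" link points at overview.md while the Maintainers section says they are listed in the governance doc, so one of the two is wrong; "[project milestone or other requirement]" is defined at the bottom but never referenced and looks like a template leftover; "Steering Commitee" should read "Steering Committee"; and the file ends without a trailing newline.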