cncf · joshgav · Mar 10, 2026
@@ -0,0 +1,342 @@
+# Confidential Containers - Governance Review - 2026-03
+
+What follows is a governance review and assessment for the Confidential
+Containers project. The review was executed as part of due diligence when
+Confidential Containers submitted to move to Incubation level at CNCF in
+[#1504](https://github.com/cncf/toc/issues/1504).
+
+- Project: <https://github.com/confidential-containers>
+- Site: <https://confidentialcontainers.org/>
+- Matriculation issue: <https://github.com/cncf/toc/issues/1504>
+- Governance review issue: <https://github.com/cncf/toc/issues/2034>
+
+This review is based on the template at
+<https://github.com/cncf/toc/blob/main/toc_subprojects/project-reviews-subproject/governance-review-template.md>
+and integrates information provided by project maintainers in [the matriculation
+issue](https://github.com/cncf/toc/issues/1504).
+
+## Summary and Assessment
+
+**Status:** Mostly Satisfactory
+
+### Governance Summary
+
+The Confidential Containers project builds on Kata Containers to provide an isolated and secret environment for containerized workloads to run.
+
+Contributors and Maintainers for each sub-project manage daily activity and features, and a Steering Committee with representation from many contributing companies sets high-level direction and resolves conflicts.
+
+The project maintains a strong relationship with its dependency Kata Containers; contributors to Kata Containers are part of the Confidential Containers Steering Committee.
+
+### Must-Fix Items
+
+**The following issues have been identified that need to be resolved before
+Incubation:**
+
+* A public list of Maintainers for each project should be published. Currently
+  maintainers are listed within GitHub teams and not publicly readable.
+
+### Points of Excellence
+
+**The following aspects of governance are exemplary, and can be referenced as
+examples for other projects to copy:**
+
+* The Steering Committee is designed to represent all major contributing
+  companies and is currently comprised of members from 7 companies. A process is
+  defined to ensure membership continues to reflect major contributors.
+* Each sub-project is defined by its own repo, and the relationship of
+  components to sub-projects is listed
+  [here](https://confidentialcontainers.org/docs/architecture/design-overview/#components).
+* The project intentionally cultivates a connection with its major dependency of
+  Kata Containers.
+
+## Review
+
+**The following review primarily consists of an audit on the project's
+self-assessment in their Incubation application.**
+
+### Governance Evolution
+
+**Governance has continuously been iterated upon by the project as a result of
+their experience applying it, with the governance history demonstrating
+evolution of maturity alongside the project's maturity evolution.**
+<br />
+**Incubating:** Suggested | **Graduated:** Suggested
+
+* The main governance document has evolved over time, see history at
+  <https://github.com/confidential-containers/confidential-containers/commits/main/governance.md>.
+* See discussions at:
+    * https://github.com/confidential-containers/confidential-containers/issues/9
+    * https://github.com/confidential-containers/confidential-containers/pull/56
+    * https://github.com/confidential-containers/confidential-containers/issues/144
+* Specific examples of changes include:
+    * https://github.com/confidential-containers/confidential-containers/pull/235
+    * https://github.com/confidential-containers/confidential-containers/pull/229
+
+### Discoverability
+
+**Clear and discoverable project governance documentation.**
+<br />
+**Incubating:** Suggested | **Graduated:** Required
+
+* The project maintains a metadata repo at
+  <https://github.com/confidential-containers/confidential-containers>.
+  Governance is documented there at
+  <https://github.com/confidential-containers/confidential-containers/blob/main/governance.md>.
+* CONTRIBUTING and CODE-OF-CONDUCT docs are in
+  <https://github.com/confidential-containers/.github>.
+* The CONTRIBUTING doc is also published on the web site at
+  <https://confidentialcontainers.org/docs/contributing/>.
+
+### Accuracy and Clarity
+
+**Governance is up to date with actual project activities, including any
+meetings, elections, leadership, or approval processes.**
+<br />
+**Incubating:** Suggested | **Graduated:** Required
+
+* The process for election of Maintainers and Steering Committee members is
+  documented in
+  <https://github.com/confidential-containers/confidential-containers/blob/main/governance.md>.
+* Examples of election process for Steering Committee:
+    * https://github.com/confidential-containers/confidential-containers/pull/326
+    * https://github.com/confidential-containers/confidential-containers/pull/339
+* A community meeting schedule is documented in the contributing guide:
+  <https://github.com/confidential-containers/confidential-containers/?tab=contributing-ov-file#community-meeting>,
+  and in running notes:
+  <https://docs.google.com/document/d/1E3GLCzNgrcigUlgWAZYlgqNTdVwiMwCRTJ0QnJhLZGA/>.
+
+**Governance clearly documents [vendor-neutrality] of project direction.**
+<br />
+**Incubating:** Suggested | **Graduated:** Required
+
+The project's
+[overview](https://github.com/confidential-containers/confidential-containers/blob/main/overview.md)
+states that a key consideration is to "support multiple TEE and hardware
+platforms", and the doc goes on to say that AMD, Intel and IBM TEE technologies
+are actively supported.
+
+The [steering committee
+members](https://github.com/confidential-containers/confidential-containers/blob/main/overview.md)
+come from a broad swath of companies, including Alibaba, IBM, Intel, AMD, Red
+Hat, Nvidia and Microsoft.
+
+There is no statement about vendor-neutrality in the governance docs though.
+
+### Decisions and Role Assignments
+
+**Document how the project makes decisions on leadership roles, contribution
+acceptance, requests to the CNCF, and changes to governance or project goals.**
+<br />
+**Incubating:** Suggested | **Graduated:** Required
+
+Anyone can suggest contributions and become a Contributor to the project by
+following typical git/GitHub workflows to submit PRs, as documented in
+<https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#contributor>.
+
+Contributors can become Maintainers by establishing trust and making relevant
+contributions, then opening an issue for the project in question. Per [the
+project's governance
+document](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md)
+"this decision process is not formally defined and is based on lazy consensus
+from the existing maintainers."
+
+The Steering Committee defines high-level strategy and roadmap and handles
+administrative functions. New members can be added to the steering committee
+with a 2/3 vote of existing members as described
+[here](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#expansion).
+
+**Document how role, function-based members, or sub-teams are assigned,
+onboarded, and removed for specific teams (example: Security Response
+Committee).**
+<br />
+**Incubating:** Suggested | **Graduated:** Required
+
+The primary role to be added or removed from Contributors is the Maintainer
+role, which is granted by adding the Contributor to a GitHub team for the
+targeted project as documented
+[here](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#becoming-a-project-maintainer).
+GitHub teams and their members are not publicly listed so there isn't a current
+list of actual maintainers.
+
+Maintainers for a project are also "security managers" for those projects, but
+in addition dedicated security managers can be added across all projects
+following the procedure documented at
+<https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#security-manager>.
+Since attachment to this role is based on membership in a GitHub team, the
+current list is also not available.
+
+### Maintainers and Maintainer Lifecycle
+
+**Document a complete maintainer lifecycle process (including roles, onboarding,
+offboarding, and emeritus status).**
+<br />
+**Incubating:** Suggested | **Graduated:** Required
+
+As described in [the governance
+doc](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md)
+Contributors become Maintainers by building trust and making contributions.
+Steering Commitee members are elected to represent major contributing companies
+to the project and do not have to otherwise be Maintainers. Processes for
+removal from Maintainer or Steering Committee membership are documented in the
+governance doc as well.
+
+**Demonstrate usage of the maintainer lifecycle with outcomes, either through
+the addition or replacement of maintainers as project events have required.**
+<br />
+**Incubating:** Suggested | **Graduated:** Required
+
+Examples of Maintainer updates for sub-projects:
+
+* Maintainer updates for Trustee: <https://github.com/confidential-containers/trustee/issues?q=is%3Aissue++in%3Atitle+maintainer>
+* Maintainer updates for guest-components: <https://github.com/confidential-containers/guest-components/issues?q=is%3Aissue++in%3Atitle+maintainer>
+
+**Document complete list of current maintainers, including names, contact
+information, domain of responsibility, and affiliation.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+GitHub Teams are used to track maintainers for projects/repos. The list is
+available to org members here:
+<https://github.com/orgs/confidential-containers/teams>
+
+However, there is no public list of current maintainers.
+
+Steering committee members and their affiliations are listed in the governance
+doc here:
+<https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#members>
+
+**A number of active maintainers which is appropriate to the size and scope of
+the project.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+The list of active maintainers is not publicly available. But [LFX
+Insights](https://insights.linuxfoundation.org/project/confcont/contributors)
+shows a pretty broad group of contributors and contributing organizations.
+
+**Project maintainers from at least 2 organizations that demonstrates
+survivability.**
+<br />
+**Incubating:** N/A | **Graduated:** Required
+
+A list of active maintainers and their affiliations is not publicly available.
+
+### Ownership
+
+**Code and Doc ownership in Github and elsewhere matches documented governance
+roles.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+Code and doc ownership is governed by CODEOWNERS files in each project/repo
+which delegate control to GitHub teams.
+
+### Code of Conduct
+
+**Document adoption and adherence to the CNCF Code of Conduct or the project's
+CoC which is based off the CNCF CoC and not in conflict with it.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+The top-level project declares that it follows the CNCF Code of Conduct in
+<https://github.com/confidential-containers/confidential-containers/blob/main/CODE_OF_CONDUCT.md>.
+
+**CNCF Code of Conduct is cross-linked from other governance documents.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+The CNCF Code of Conduct is linked in
+<https://github.com/confidential-containers/confidential-containers/blob/main/CODE_OF_CONDUCT.md>.
+
+### Subprojects
+
+**All subprojects, if any, are listed.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+A list of components used in the project is at
+<https://confidentialcontainers.org/docs/architecture/design-overview/#components>
+
+Per the incubation issue in cncf/toc here are the current sub-projects and their repos:
+
+| Project           | Description                     | Repo                                                         |
+| ----------------- | ------------------------------- | ------------------------------------------------------------ |
+| Trustee           | CoCo attestation services       | https://github.com/confidential-containers/trustee           |
+| guest-components  | CoCo TEE/client side components | https://github.com/confidential-containers/guest-components  |
+| cloud-api-adaptor | CoCo "peer-pods" deployment     | https://github.com/confidential-containers/cloud-api-adaptor |
+| operator          | CoCo "installer"                | https://github.com/confidential-containers/operator          |
+| trustee-operator  | CoCo Trustee "installer"        | https://github.com/confidential-containers/trustee-operator  |
+| td-shim           | CoCo minimal virtual firmware   | https://github.com/confidential-containers/td-shim           | 
+
+**If the project has subprojects: subproject leadership, contribution, maturity
+status documented, including add/remove process.**
+<br />
+**Incubating:** Suggested | **Graduated:** Required
+
+Subproject leadership and contributor status follow the framework documented in
+<https://github.com/confidential-containers/confidential-containers/commits/main/governance.md>.
+
+Maturity for subprojects is not documented but can perhaps be inferred from
+release version numbers, all of which are v0.x.
+
+A public list of maintainers for each project is not available as mentioned
+above.
+
+### Contributors and Community
+
+**Contributor ladder with multiple roles for contributors.**
+<br />
+**Incubating:** Suggested | **Graduated:** Suggested
+
+Defined in [governance
+doc](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#community-members-and-roles).
+
+**Clearly defined and discoverable process to submit issues or changes.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+Contributing guide here:
+<https://confidentialcontainers.org/docs/contributing/#making-contributions>
+
+**Project must have, and document, at least one public communications channel
+for users and/or contributors.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+Slack channel and community meeting info are documented here:
+<https://confidentialcontainers.org/docs/contributing/#connecting-with-the-community>.
+
+**List and document all project communication channels, including subprojects
+(mail list/slack/etc.). List any non-public communications channels and what
+their special purpose is.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+* CNCF Slack channel: <https://cloud-native.slack.com/archives/C039JSH0807>
+* Community meeting: <https://docs.google.com/document/d/1E3GLCzNgrcigUlgWAZYlgqNTdVwiMwCRTJ0QnJhLZGA/>
+
+**Up-to-date public meeting schedulers and/or integration with CNCF calendar.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+Weekly meetings are mentioned here: <https://github.com/confidential-containers>
+and further described in [this Google
+doc](https://docs.google.com/document/d/1E3GLCzNgrcigUlgWAZYlgqNTdVwiMwCRTJ0QnJhLZGA/).
+
+**Documentation of how to contribute, with increasing detail as the project
+matures.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+A contributing guide is available here:
+<https://confidentialcontainers.org/docs/contributing/>. It has not been updated
+since being published in 2024.
+
+**Demonstrate contributor activity and recruitment.**
+<br />
+**Incubating:** Required | **Graduated:** Required
+
+See LFX Insights: <https://insights.linuxfoundation.org/project/confcont>
+
+[project milestone or other requirement]: https://github.com/cncf/toc/tree/main/process#how-to-apply-to-move-levels
+[vendor-neutrality]: https://contribute.cncf.io/maintainers/community/vendor-neutrality/