add Confidential Containers gov review #2081
joshgav wants to merge 1 commit into cncf:main from joshgav:coco-gov-review
342 changes: 342 additions & 0 deletions
projects/confidential-containers/governance-review/2026-03-10.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,342 @@ | ||
| # Confidential Containers - Governance Review - 2026-03 | ||
|
|
||
| What follows is a governance review and assessment for the Confidential | ||
| Containers project. The review was executed as part of due diligence when | ||
| Confidential Containers submitted to move to Incubation level at CNCF in | ||
| [#1504](https://github.com/cncf/toc/issues/1504). | ||
|
|
||
| - Project: <https://github.com/confidential-containers> | ||
| - Site: <https://confidentialcontainers.org/> | ||
| - Matriculation issue: <https://github.com/cncf/toc/issues/1504> | ||
| - Governance review issue: <https://github.com/cncf/toc/issues/2034> | ||
|
|
||
| This review is based on the template at | ||
| <https://github.com/cncf/toc/blob/main/toc_subprojects/project-reviews-subproject/governance-review-template.md> | ||
| and integrates information provided by project maintainers in [the matriculation | ||
| issue](https://github.com/cncf/toc/issues/1504). | ||
|
|
||
| ## Summary and Assessment | ||
|
|
||
| **Status:** Mostly Satisfactory | ||
|
|
||
| ### Governance Summary | ||
|
|
||
| The Confidential Containers project builds on Kata Containers to provide an isolated and secret environment for containerized workloads to run. | ||
|
|
||
| Contributors and Maintainers for each sub-project manage daily activity and features, and a Steering Committee with representation from many contributing companies sets high-level direction and resolves conflicts. | ||
|
|
||
| The project maintains a strong relationship with its dependency Kata Containers; contributors to Kata Containers are part of the Confidential Containers Steering Committee. | ||
|
|
||
| ### Must-Fix Items | ||
|
|
||
| **The following issues have been identified that need to be resolved before | ||
| Incubation:** | ||
|
|
||
| * A public list of Maintainers for each project should be published. Currently | ||
| maintainers are listed within GitHub teams and not publicly readable. | ||
|
|
||
| ### Points of Excellence | ||
|
|
||
| **The following aspects of governance are exemplary, and can be referenced as | ||
| examples for other projects to copy:** | ||
|
|
||
| * The Steering Committee is designed to represent all major contributing | ||
| companies and is currently comprised of members from 7 companies. A process is | ||
| defined to ensure membership continues to reflect major contributors. | ||
| * Each sub-project is defined by its own repo, and the relationship of | ||
| components to sub-projects is listed | ||
| [here](https://confidentialcontainers.org/docs/architecture/design-overview/#components). | ||
| * The project intentionally cultivates a connection with its major dependency of | ||
| Kata Containers. | ||
|
|
||
| ## Review | ||
|
|
||
| **The following review primarily consists of an audit on the project's | ||
| self-assessment in their Incubation application.** | ||
|
|
||
| ### Governance Evolution | ||
|
|
||
| **Governance has continuously been iterated upon by the project as a result of | ||
| their experience applying it, with the governance history demonstrating | ||
| evolution of maturity alongside the project's maturity evolution.** | ||
| <br /> | ||
| **Incubating:** Suggested | **Graduated:** Suggested | ||
|
|
||
| * The main governance document has evolved over time, see history at | ||
| <https://github.com/confidential-containers/confidential-containers/commits/main/governance.md>. | ||
| * See discussions at: | ||
| * https://github.com/confidential-containers/confidential-containers/issues/9 | ||
| * https://github.com/confidential-containers/confidential-containers/pull/56 | ||
| * https://github.com/confidential-containers/confidential-containers/issues/144 | ||
| * Specific examples of changes include: | ||
| * https://github.com/confidential-containers/confidential-containers/pull/235 | ||
| * https://github.com/confidential-containers/confidential-containers/pull/229 | ||
|
|
||
| ### Discoverability | ||
|
|
||
| **Clear and discoverable project governance documentation.** | ||
| <br /> | ||
| **Incubating:** Suggested | **Graduated:** Required | ||
|
|
||
| * The project maintains a metadata repo at | ||
| <https://github.com/confidential-containers/confidential-containers>. | ||
| Governance is documented there at | ||
| <https://github.com/confidential-containers/confidential-containers/blob/main/governance.md>. | ||
| * CONTRIBUTING and CODE-OF-CONDUCT docs are in | ||
| <https://github.com/confidential-containers/.github>. | ||
| * The CONTRIBUTING doc is also published on the web site at | ||
| <https://confidentialcontainers.org/docs/contributing/>. | ||
|
|
||
| ### Accuracy and Clarity | ||
|
|
||
| **Governance is up to date with actual project activities, including any | ||
| meetings, elections, leadership, or approval processes.** | ||
| <br /> | ||
| **Incubating:** Suggested | **Graduated:** Required | ||
|
|
||
| * The process for election of Maintainers and Steering Committee members is | ||
| documented in | ||
| <https://github.com/confidential-containers/confidential-containers/blob/main/governance.md>. | ||
| * Examples of election process for Steering Committee: | ||
| * https://github.com/confidential-containers/confidential-containers/pull/326 | ||
| * https://github.com/confidential-containers/confidential-containers/pull/339 | ||
| * A community meeting schedule is documented in the contributing guide: | ||
| <https://github.com/confidential-containers/confidential-containers/?tab=contributing-ov-file#community-meeting>, | ||
| and in running notes: | ||
| <https://docs.google.com/document/d/1E3GLCzNgrcigUlgWAZYlgqNTdVwiMwCRTJ0QnJhLZGA/>. | ||
|
|
||
| **Governance clearly documents [vendor-neutrality] of project direction.** | ||
| <br /> | ||
| **Incubating:** Suggested | **Graduated:** Required | ||
|
|
||
| The project's | ||
| [overview](https://github.com/confidential-containers/confidential-containers/blob/main/overview.md) | ||
| states that a key consideration is to "support multiple TEE and hardware | ||
| platforms", and the doc goes on to say that AMD, Intel and IBM TEE technologies | ||
| are actively supported. | ||
|
|
||
| The [steering committee | ||
| members](https://github.com/confidential-containers/confidential-containers/blob/main/overview.md) | ||
| come from a broad swath of companies, including Alibaba, IBM, Intel, AMD, Red | ||
| Hat, Nvidia and Microsoft. | ||
|
|
||
| There is no statement about vendor-neutrality in the governance docs though. | ||
|
|
||
| ### Decisions and Role Assignments | ||
|
|
||
| **Document how the project makes decisions on leadership roles, contribution | ||
| acceptance, requests to the CNCF, and changes to governance or project goals.** | ||
| <br /> | ||
| **Incubating:** Suggested | **Graduated:** Required | ||
|
|
||
| Anyone can suggest contributions and become a Contributor to the project by | ||
| following typical git/GitHub workflows to submit PRs, as documented in | ||
| <https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#contributor>. | ||
|
|
||
| Contributors can become Maintainers by establishing trust and making relevant | ||
| contributions, then opening an issue for the project in question. Per [the | ||
| project's governance | ||
| document](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md) | ||
| "this decision process is not formally defined and is based on lazy consensus | ||
| from the existing maintainers." | ||
|
|
||
| The Steering Committee defines high-level strategy and roadmap and handles | ||
| administrative functions. New members can be added to the steering committee | ||
| with a 2/3 vote of existing members as described | ||
| [here](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#expansion). | ||
|
|
||
| **Document how role, function-based members, or sub-teams are assigned, | ||
| onboarded, and removed for specific teams (example: Security Response | ||
| Committee).** | ||
| <br /> | ||
| **Incubating:** Suggested | **Graduated:** Required | ||
|
|
||
| The primary role to be added or removed from Contributors is the Maintainer | ||
| role, which is granted by adding the Contributor to a GitHub team for the | ||
| targeted project as documented | ||
| [here](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#becoming-a-project-maintainer). | ||
| GitHub teams and their members are not publicly listed so there isn't a current | ||
| list of actual maintainers. | ||
|
|
||
| Maintainers for a project are also "security managers" for those projects, but | ||
| in addition dedicated security managers can be added across all projects | ||
| following the procedure documented at | ||
| <https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#security-manager>. | ||
| Since attachment to this role is based on membership in a GitHub team, the | ||
| current list is also not available. | ||
|
|
||
| ### Maintainers and Maintainer Lifecycle | ||
|
|
||
| **Document a complete maintainer lifecycle process (including roles, onboarding, | ||
| offboarding, and emeritus status).** | ||
| <br /> | ||
| **Incubating:** Suggested | **Graduated:** Required | ||
|
|
||
| As described in [the governance | ||
| doc](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md) | ||
| Contributors become Maintainers by building trust and making contributions. | ||
| Steering Commitee members are elected to represent major contributing companies | ||
| to the project and do not have to otherwise be Maintainers. Processes for | ||
| removal from Maintainer or Steering Committee membership are documented in the | ||
| governance doc as well. | ||
|
|
||
| **Demonstrate usage of the maintainer lifecycle with outcomes, either through | ||
| the addition or replacement of maintainers as project events have required.** | ||
| <br /> | ||
| **Incubating:** Suggested | **Graduated:** Required | ||
|
|
||
| Examples of Maintainer updates for sub-projects: | ||
|
|
||
| * Maintainer updates for Trustee: <https://github.com/confidential-containers/trustee/issues?q=is%3Aissue++in%3Atitle+maintainer> | ||
| * Maintainer updates for guest-components: <https://github.com/confidential-containers/guest-components/issues?q=is%3Aissue++in%3Atitle+maintainer> | ||
|
|
||
| **Document complete list of current maintainers, including names, contact | ||
| information, domain of responsibility, and affiliation.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| GitHub Teams are used to track maintainers for projects/repos. The list is | ||
| available to org members here: | ||
| <https://github.com/orgs/confidential-containers/teams> | ||
|
|
||
| However, there is no public list of current maintainers. | ||
|
|
||
| Steering committee members and their affiliations are listed in the governance | ||
| doc here: | ||
| <https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#members> | ||
|
|
||
| **A number of active maintainers which is appropriate to the size and scope of | ||
| the project.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| The list of active maintainers is not publicly available. But [LFX | ||
| Insights](https://insights.linuxfoundation.org/project/confcont/contributors) | ||
| shows a pretty broad group of contributors and contributing organizations. | ||
|
|
||
| **Project maintainers from at least 2 organizations that demonstrates | ||
| survivability.** | ||
| <br /> | ||
| **Incubating:** N/A | **Graduated:** Required | ||
|
|
||
| A list of active maintainers and their affiliations is not publicly available. | ||
|
|
||
| ### Ownership | ||
|
|
||
| **Code and Doc ownership in Github and elsewhere matches documented governance | ||
| roles.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| Code and doc ownership is governed by CODEOWNERS files in each project/repo | ||
| which delegate control to GitHub teams. | ||
|
|
||
| ### Code of Conduct | ||
|
|
||
| **Document adoption and adherence to the CNCF Code of Conduct or the project's | ||
| CoC which is based off the CNCF CoC and not in conflict with it.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| The top-level project declares that it follows the CNCF Code of Conduct in | ||
| <https://github.com/confidential-containers/confidential-containers/blob/main/CODE_OF_CONDUCT.md>. | ||
|
|
||
| **CNCF Code of Conduct is cross-linked from other governance documents.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| The CNCF Code of Conduct is linked in | ||
| <https://github.com/confidential-containers/confidential-containers/blob/main/CODE_OF_CONDUCT.md>. | ||
|
|
||
| ### Subprojects | ||
|
|
||
| **All subprojects, if any, are listed.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| A list of components used in the project is at | ||
| <https://confidentialcontainers.org/docs/architecture/design-overview/#components> | ||
|
|
||
| Per the incubation issue in cncf/toc here are the current sub-projects and their repos: | ||
|
|
||
| | Project | Description | Repo | | ||
| | ----------------- | ------------------------------- | ------------------------------------------------------------ | | ||
| | Trustee | CoCo attestation services | https://github.com/confidential-containers/trustee | | ||
| | guest-components | CoCo TEE/client side components | https://github.com/confidential-containers/guest-components | | ||
| | cloud-api-adaptor | CoCo "peer-pods" deployment | https://github.com/confidential-containers/cloud-api-adaptor | | ||
| | operator | CoCo "installer" | https://github.com/confidential-containers/operator | | ||
|
| we have moved from this operator repo to the new charts repo |
||
| | trustee-operator | CoCo Trustee "installer" | https://github.com/confidential-containers/trustee-operator | | ||
| | td-shim | CoCo minimal virtual firmware | https://github.com/confidential-containers/td-shim | | ||
|
|
||
| **If the project has subprojects: subproject leadership, contribution, maturity | ||
| status documented, including add/remove process.** | ||
| <br /> | ||
| **Incubating:** Suggested | **Graduated:** Required | ||
|
|
||
| Subproject leadership and contributor status follow the framework documented in | ||
| <https://github.com/confidential-containers/confidential-containers/commits/main/governance.md>. | ||
|
|
||
| Maturity for subprojects is not documented but can perhaps be inferred from | ||
| release version numbers, all of which are v0.x. | ||
|
|
||
| A public list of maintainers for each project is not available as mentioned | ||
| above. | ||
|
|
||
| ### Contributors and Community | ||
|
|
||
| **Contributor ladder with multiple roles for contributors.** | ||
| <br /> | ||
| **Incubating:** Suggested | **Graduated:** Suggested | ||
|
|
||
| Defined in [governance | ||
| doc](https://github.com/confidential-containers/confidential-containers/blob/main/governance.md#community-members-and-roles). | ||
|
|
||
| **Clearly defined and discoverable process to submit issues or changes.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| Contributing guide here: | ||
| <https://confidentialcontainers.org/docs/contributing/#making-contributions> | ||
|
|
||
| **Project must have, and document, at least one public communications channel | ||
| for users and/or contributors.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| Slack channel and community meeting info are documented here: | ||
| <https://confidentialcontainers.org/docs/contributing/#connecting-with-the-community>. | ||
|
|
||
| **List and document all project communication channels, including subprojects | ||
| (mail list/slack/etc.). List any non-public communications channels and what | ||
| their special purpose is.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| * CNCF Slack channel: <https://cloud-native.slack.com/archives/C039JSH0807> | ||
| * Community meeting: <https://docs.google.com/document/d/1E3GLCzNgrcigUlgWAZYlgqNTdVwiMwCRTJ0QnJhLZGA/> | ||
|
|
||
| **Up-to-date public meeting schedulers and/or integration with CNCF calendar.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| Weekly meetings are mentioned here: <https://github.com/confidential-containers> | ||
| and further described in [this Google | ||
| doc](https://docs.google.com/document/d/1E3GLCzNgrcigUlgWAZYlgqNTdVwiMwCRTJ0QnJhLZGA/). | ||
|
|
||
| **Documentation of how to contribute, with increasing detail as the project | ||
| matures.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| A contributing guide is available here: | ||
| <https://confidentialcontainers.org/docs/contributing/>. It has not been updated | ||
| since being published in 2024. | ||
|
|
||
| **Demonstrate contributor activity and recruitment.** | ||
| <br /> | ||
| **Incubating:** Required | **Graduated:** Required | ||
|
|
||
| See LFX Insights: <https://insights.linuxfoundation.org/project/confcont> | ||
|
|
||
| [project milestone or other requirement]: https://github.com/cncf/toc/tree/main/process#how-to-apply-to-move-levels | ||
| [vendor-neutrality]: https://contribute.cncf.io/maintainers/community/vendor-neutrality/ | ||
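Review bot: The "steering committee members" link in the vendor-neutrality section points to overview.md, while the later "Document complete list of current maintainers" section says the members and affiliations are listed at governance.md#members; the two should point at the same place, and governance.md#members is the one the rest of the document relies on. Two more link-level issues in the same file: the "Subproject leadership and contributor status follow the framework documented in" sentence links to the commits/main/governance.md history URL, which is appropriate for the "Governance Evolution" section but not as a reference to the framework itself (the blob/main/governance.md URL used elsewhere is the right target); and the `[project milestone or other requirement]` link reference at the bottom is never used in the body, so it looks like a leftover from the review template and can be dropped. A typo in the maintainer lifecycle paragraph: "Steering Commitee" should read "Steering Committee". The subprojects table lists `operator` as the CoCo "installer", but an inline reviewer comment on that row states the project has moved from the operator repo to a new charts repo; the table should reflect that before merge, or note the transition. Finally, the Security Manager paragraph describes who holds the role (maintainers of each project plus dedicated managers in a GitHub team) but not how vulnerability reports reach them, and since the document already records that team membership is not publicly visible, the review would be more useful if it also checked whether a public security reporting process is documented and linked it, or recorded its absence alongside the missing maintainer list.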
@joshgav do you mean the github teams mentioned in the CODEOWNERS files?
e.g. https://github.com/confidential-containers/cloud-api-adaptor/blob/main/CODEOWNERS