[Incubation] Confidential Containers Incubation Application

[mythi]

Confidential Containers Incubation Application

v1.6
This template provides the project with a framework to inform the TOC of their conformance to the Incubation Level Criteria.

Project Repo(s): https://github.com/confidential-containers (Github org)
Project Site: https://confidentialcontainers.org/
Sub-Projects: see the detailed list with descriptions below
Communication: #confidential-containers on CNCF Slack

Project points of contacts:

• Ariel Adam

• Mikko Ylinen

• (Post Incubation only) Book a meeting with CNCF staff to understand project benefits and event resources.

Incubation Criteria Summary for Confidential Containers

Application Level Assertion

• This project is currently Sandbox, accepted on 20220626 and applying to Incubation.
• This project is applying to join the CNCF at the Incubation level.

Adoption Assertion

The project has been adopted by the following organizations in a testing and integration or production capacity:

• https://github.com/confidential-containers/confidential-containers/blob/main/ADOPTERS.md

Application Process Principles

Suggested

N/A

Required

• Give a presentation and engage with the domain specific TAG(s) to increase awareness
  • This was completed and occurred on 28-Aug-2024, and can be discovered at https://zoom.us/rec/share/nCSdjZxN4DjxA7RopMqocddvDBPzxuO-Xpa2u-9xzB8MbumatD1Vtw0ePpNrobHy.Cby9t12K1IJfq_tk
  • [Presentation] Confidential Containers Project Update tag-security#1320

• TAG provides insight/recommendation of the project in the context of the landscape
  - Insight provided as part of presentation to engage on 28-Aug 2024 recorded here -> https://zoom.us/rec/share/nCSdjZxN4DjxA7RopMqocddvDBPzxuO-Xpa2u-9xzB8MbumatD1Vtw0ePpNrobHy.Cby9t12K1IJfq_tk
  - Further insight provided when Marina Moore presented to CoCo Project weekly meeting on 12 Sep 2024 -> ​​https://zoom.us/rec/share/CoBjav5zAv_AOZaOSJMgSJTlvz6vrzs8rFxfuaTy6qG8Q5fwToc7l5xyiS5U_rJj.Qurwv3NKGNSjKO8i

• All project metadata and resources are vendor-neutral.

• Confidential containers github The CoCo project is in a public github repo vendor neutral.

• Review and acknowledgement of expectations for Sandbox projects and requirements for moving forward through the CNCF Maturity levels.

• CNCF Sandbox Onboarding completed 26-06-2022.

• Due Diligence Review.

Completion of this due diligence document, resolution of concerns raised, and presented for public comment satisfies the Due Diligence Review criteria.

• Additional documentation as appropriate for project type, e.g.: installation documentation, end user documentation, reference implementation and/or code samples.

Quickstart guides: https://github.com/confidential-containers/confidential-containers/blob/main/quickstart.md
Confidential containers website (docs, blogs and additional information): https://confidentialcontainers.org/

Governance and Maintainers

Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.

Suggested

• Clear and discoverable project governance documentation.

  • The project governance doc is maintained in the main community repository.

• Governance has continuously been iterated upon by the project as a result of their experience applying it, with the governance history demonstrating evolution of maturity alongside the project's maturity evolution.

  • See examples of iterations below.
  • Update governance to allow removing inactive maintainers confidential-containers/confidential-containers#235
  • update MAINTAINERS confidential-containers/confidential-containers#229

• Governance is up to date with actual project activities, including any meetings, elections, leadership, or approval processes.

  • Regular updates of TSC members when companies are doing rotation

• Governance clearly documents vendor-neutrality of project direction.

  • The Confidential container project goals include specific points for enforcing vendor neutrality:
    • Transparent deployment of unmodified containers
    • Support for multiple TEE and hardware platforms

• Document how the project makes decisions on leadership, contribution acceptance, requests to the CNCF, and changes to governance or project goals.

See the community governance document

• Document how role, function-based members, or sub-teams are assigned, onboarded, and removed for specific teams (example: Security Response Committee).

See the community governance document

• Document a complete maintainer lifecycle process (including roles, onboarding, offboarding, and emeritus

See the community governance document

• Demonstrate usage of the maintainer lifecycle with outcomes, either through the addition or replacement of maintainers as project events have required.

  • Trustee maintainer updates
  • guest-components maintainer updates

• If the project has subprojects: subproject leadership, contribution, maturity status documented, including add/remove process.

  • subprojects follow the project org-level governance for contributions, maintainership etc.
  • the removal is not documented. bigger contributions that'd justify a sub-project creation follow the RFC process in the contributions guide

Required

• Document complete list of current maintainers, including names, contact information, domain of responsibility, and affiliation.

• The community uses the github teams feature to track maintainers for the different repos: confidential containers teams

• A number of active maintainers which is appropriate to the size and scope of the project.

See confidential containers teams responsible for the different efforts in this project.

• Code and Doc ownership in Github and elsewhere matches documented governance roles.

Each repo has their CODEOWNERS pointing to the maintainers.

• Document agreement that project will adopt CNCF Code of Conduct.

https://github.com/confidential-containers/confidential-containers/blob/main/CODE_OF_CONDUCT.md

• CNCF Code of Conduct is cross-linked from other governance documents.

https://github.com/confidential-containers/confidential-containers/blob/main/CODE_OF_CONDUCT.md

• All subprojects, if any, are listed.

  • Trustee - CoCo attestation services
  • guest-components - CoCo TEE/client side components
  • cloud-api-adaptor - CoCo "peer-pods" deployment
  • operator - CoCo "installer"
  • trustee-operator - CoCo Trustee "installer"
  • td-shim - CoCo minimal virtual firmware

Contributors and Community

Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.

Suggested

• Contributor ladder with multiple roles for contributors.

See community members and roles

Required

• Clearly defined and discoverable process to submit issues or changes.

• Documented in the contribution guide.

• Project must have, and document, at least one public communications channel for users and/or contributors.

CNCF Slack (#confidential-containers)

Github org "front page": https://github.com/confidential-containers/

• List and document all project communication channels, including subprojects (mail list/slack/etc.). List any non-public communications channels and what their special purpose is.

Github org "front page": https://github.com/confidential-containers/

• Up-to-date public meeting schedulers and/or integration with CNCF calendar.

Github org "front page": https://github.com/confidential-containers/ has a pointer to our community meetings calendar. The meetings do not show up on CNCF Calendar yet.

• Documentation of how to contribute, with increasing detail as the project matures

• Documented in the contribution guide.

• Demonstrate contributor activity and recruitment.

CNCF Dev Stats for Confidential Containers is available: https://confidentialcontainers.devstats.cncf.io/d/8/dashboards?orgId=1&refresh=15m

Engineering Principles

Suggested

• Roadmap change process is documented.

All changes to the CoCo roadmap are documented in the Confidential containers SC meeting notes and have also been shared with the communicate and documented in Confidential Containers Community Meeting

• History of regular, quality releases.

See our documented release folder: https://github.com/confidential-containers/confidential-containers/tree/main/releases

Required

• Document project goals and objectives that illustrate the project’s differentiation in the Cloud Native landscape as well as outlines how this project fulfills an outstanding need and/or solves a problem differently.

See the projects goals in our website: https://confidentialcontainers.org/

• Document what the project does, and why it does it - including viable cloud native use cases.

The projects website gives a high-level overview and the coco intro blog goes into more details.

• Document and maintain a public roadmap or other forward looking planning document or tracking mechanism.

https://github.com/confidential-containers/confidential-containers/blob/main/roadmap.md

• Document overview of project architecture and software design that demonstrates viable cloud native use cases, as part of the project's documentation.

The project website as a detailed architecture section.

• Document the project's release process.

The goal of the project is to release every 6 weeks (documented in https://github.com/confidential-containers/confidential-containers/blob/main/README.md)
The release process is documented here: https://github.com/confidential-containers/confidential-containers/blob/main/.github/ISSUE_TEMPLATE/release-check-list.md

Security

Note: this section may be augmented by a joint-assessment performed by TAG Security.

Suggested

N/A

Required

• Clearly defined and discoverable process to report security issues.

Github org-wide setting.

• Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)

All project maintainers use a two factor authentication: https://github.com/confidential-containers/confidential-containers/blob/main/MAINTAINERS

• Document assignment of security response roles and how reports are handled.

https://github.com/confidential-containers/.github/blob/main/SECURITY.md

• Document Security Self-Assessment.

Documented on Tag-Security website.

• Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.

Ecosystem

Suggested

N/A

Required

• Publicly documented list of adopters, which may indicate their adoption level (dev/trialing, prod, etc.)

List of project adopters: https://github.com/confidential-containers/confidential-containers/blob/main/ADOPTERS.md

• Used in appropriate capacity by at least 3 independent + indirect/direct adopters, (these are not required to be in the publicly documented list of adopters)

Will be provided on demand.

The project provided the TOC with a list of adopters for verification of use of the project at the level expected, i.e. production use for graduation, dev/test for incubation.

• TOC verification of adopters.

Refer to the Adoption portion of this document.

• Clearly documented integrations and/or compatibility with other CNCF projects as well as non-CNCF projects.

See confidential containers design overview.

CoCo interacts with the following CNCF projects:

• containerd
• cri-o
• nydus
• Operator Framework

CoCo interacts with the following non-CNCF projects:

• kata containers
• Open Container Initiative
• IETF Remote Attestation Procedures Architecture
• skopeo

Additional Information