[Incubation] kcp Incubation Application

[embik]

Review Project Moving Level Evaluation

• [x] I have reviewed the TOC's moving level readiness triage guide, ensured the criteria for my project are met before opening this issue, and understand that unmet criteria will result in the project's application being closed.

kcp Incubation Application

v1.6 This template provides the project with a framework to inform the TOC of their conformance to the Incubation Level Criteria.

Project Repo(s): https://github.com/kcp-dev/kcp Project Site: https://kcp.io Sub-Projects: https://github.com/orgs/kcp-dev/repositories Communication: https://kubernetes.slack.com/archives/C021U8WSAFK

Project points of contacts: Marvin Beckers ([email protected]), Sebastian Scheele ([email protected]), Mangirdas Judeikis ([email protected])

• [ ] (Post Incubation only) Book a meeting with CNCF staff to understand project benefits and event resources.

Incubation Criteria Summary for kcp

Application Level Assertion

• [x] This project is currently Sandbox, accepted on 20230919, and applying to Incubation.
• [ ] This project is applying to join the CNCF at the Incubation level.

Adoption Assertion

The project has been adopted by the following organizations in a testing and integration or production capacity:

• Kubermatic
• SAP
• Upbound

Application Process Principles

Suggested

N/A

Required

• [x] Engage with the domain specific TAG(s) to increase awareness through a presentation or completing a General Technical Review.

  • A General Technical Review was completed and occurred on 26-09-2025, and can be discovered at https://docs.kcp.io/kcp/main/contributing/governance/general-technical-review/.

• [x] All project metadata and resources are vendor-neutral.

  Aside from the adopters list in the repository, kcp documentation and resources do not mention any vendors.

• [x] Review and acknowledgement of expectations for Sandbox projects and requirements for moving forward through the CNCF Maturity levels.
• Met during Project's application on 19-09-2023.

• [ ] Due Diligence Review.

Completion of this due diligence document, resolution of concerns raised, and presented for public comment satisfies the Due Diligence Review criteria.

• [x] Additional documentation as appropriate for project type, e.g.: installation documentation, end user documentation, reference implementation and/or code samples.

  General project documentation at https://docs.kcp.io/kcp/latest. Quickstart guide for getting kcp running is available here. A detailed guide on the Helm chart is available here.

Governance and Maintainers

Note: this section may be augmented by the completion of a Governance Review from the Project Reviews subproject.

Suggested

• [x] Governance has continuously been iterated upon by the project as a result of their experience applying it, with the governance history demonstrating evolution of maturity alongside the project's maturity evolution.

  Our governance document has been updated in several PRs, most recently in #3505 and before in #3451. Our main learning from the past months has been that we needed more roles to distribute PR reviews in subprojects.

• [x] Clear and discoverable project governance documentation.

  Project governance is documented here .

• [x] Governance is up to date with actual project activities, including any meetings, elections, leadership, or approval processes.

  The governance document accurately reflects current project activities like maintainers attending the community meetings. Changes requiring a vote (e.g. governance changes) are put to a maintainer vote before merging.

• [x] Governance clearly documents vendor-neutrality of project direction.

  The governance document values include "Community over Product or Company: Sustaining and growing our community takes priority over shipping code or sponsors' organizational goals. Each contributor participates in the project as an individual."

• [x] Document how the project makes decisions on leadership, contribution acceptance, requests to the CNCF, and changes to governance or project goals.

  The governance document documents voting process for decision making on important project decisions, e.g. governance changes.

• [ ] Document how role, function-based members, or sub-teams are assigned, onboarded, and removed for specific teams (example: Security Response Committee).

• [ ] Document a complete maintainer lifecycle process (including roles, onboarding, offboarding, and emeritus status).

• [x] Demonstrate usage of the maintainer lifecycle with outcomes, either through the addition or replacement of maintainers as project events have required.

  Additional maintainers have been added to the project in October 2023: Mailing list thread and pull request.

• [x] If the project has subprojects: subproject leadership, contribution, maturity status documented, including add/remove process.

  No formal subprojects with separate governance at this point. Project maintainers govern and maintain subprojects listed below.

Required

• [x] Document complete list of current maintainers, including names, contact information, domain of responsibility, and affiliation.

  Available in the MAINTAINERS.md file.

• [x] A number of active maintainers which is appropriate to the size and scope of the project.

  We believe that the current number of active maintainers (6) is capable of shouldering the review and governance decisions required for kcp. To make sure that we could handle the scope of the project, we reduced scope at the beginning of the project by removing a major component called TMC (see #2963).

• [x] Code and Doc ownership in Github and elsewhere matches documented governance roles.

  Code (including documentation) ownership is asserted via the OWNERS file.

• [x] Document adoption of the CNCF Code of Conduct

  The project has adopted the CNCF Code of Conduct in October 2023: Pull request, current file: code-of-conduct.md.

• [x] CNCF Code of Conduct is cross-linked from other governance documents.

  This section of the governance links to the CoC.

• [x] All subprojects, if any, are listed.

  • https://github.com/kcp-dev/kcp-operator
  • https://github.com/kcp-dev/api-syncagent
  • https://github.com/kcp-dev/multicluster-provider
  • https://github.com/kcp-dev/generic-controlplane
  • https://github.com/kcp-dev/contrib

Contributors and Community

Note: this section may be augmented by the completion of a Governance Review from the Project Reviews subproject.

Suggested

• [x] Contributor ladder with multiple roles for contributors.

  Contributors can become approvers and/or subproject maintainers (see contributing documentation) as a way to progress from the contributor role.

Required

• [x] Clearly defined and discoverable process to submit issues or changes.

  kcp accepts issues and pull requests through GitHub at github.com/kcp-dev/kcp and provides various issue and a PR templates for it.

• [x] Project must have, and document, at least one public communications channel for users and/or contributors.

  Several communication channels are available to users and contributors: kcp-dev and kcp-users mailing lists, #kcp-users and #kcp-dev Slack channels on Kubernetes Slack.

  These channels are documented on docs.kcp.io and in the main project README.

• [x] List and document all project communication channels, including subprojects (mail list/slack/etc.). List any non-public communications channels and what their special purpose is.

  Public communication channels:

  GitHub issue tracker (same applies to all subprojects listed above) kcp-dev mailing list kcp-users mailing list #kcp-users Slack channel #kcp-dev Slack channel

  Non-public communication channels:

  kcp-dev-private mailing list + Slack DM group between maintainers: Coordination of security vulnerability assessments and disclosures.

• [x] Up-to-date public meeting schedulers and/or integration with CNCF calendar.

  Meeting schedule is maintained both as a calendar invite sent to users joining the kcp-dev mailing list and on community.cncf.io/kcp, which integrates it into the joint event calendar on community.cncf.io.

• [x] Documentation of how to contribute, with increasing detail as the project matures.

  Documentation on how to get started is available from the project documentation. This documentation has been updated several times, e.g. in #3505 and #3452 to extend it for new contributors.

• [x] Demonstrate contributor activity and recruitment.

  As visible from devstats for the last 1.5 years, we've had a significant uptick in both contributors from 2025 onwards. We've added several key contributors, e.g. @xmudrii, @ntnn, @cnvergence and @SimonTheLeg to the organization.

Engineering Principles

Suggested

• [ ] Roadmap change process is documented.

• [x] History of regular, quality releases.

  Releases of kcp happen every 4-5 months, include significant features and internal updates (e.g. a new Kubernetes version). So far, no release has been retracted and feedback for their quality has been good.

Required

• [x] Document project goals and objectives that illustrate the project’s differentiation in the Cloud Native landscape as well as outlines how this project fulfills an outstanding need and/or solves a problem differently. This can also be satisfied by completing a General Technical Review.

  Project goals for kcp are documented here. Our key goals are centered around extending Kubernetes API principles, e.g. "Use logical tenant clusters as the basis for application and security isolation" and "Support stronger tenancy and isolation of CRDs and applications" are two goals specifying how kcp solves problems occurring with "vanilla" Kubernetes usage.

  A General Technical Review was completed and occurred on 26-09-2025, and can be discovered at https://docs.kcp.io/kcp/main/contributing/governance/general-technical-review/.

• [x] Document what the project does, and why it does it - including viable cloud native use cases. This can also be satisfied by completing a General Technical Review.

  A General Technical Review was completed and occurred on 26-09-2025, and can be discovered at https://docs.kcp.io/kcp/main/contributing/governance/general-technical-review/.

• [x] Document and maintain a public roadmap or other forward looking planning document or tracking mechanism.

  kcp uses GitHub milestones to track intended changes for an upcoming releases. See e.g. v0.28.0 for the past release (at the time of writing) and v0.29.0, the upcoming release. Issues/PRs we consider important but that have no clear release target are added to the TBD meta milestone to communicate that this is on our agenda.

• [x] Document overview of project architecture and software design that demonstrates viable cloud native use cases, as part of the project's documentation. This can also be satisfied by completing a General Technical Review and capturing the output in the project's documentation.

  A General Technical Review was completed and occurred on 26-09-2025, and can be discovered at https://docs.kcp.io/kcp/main/contributing/governance/general-technical-review/.

• [x] Document the project's release process.

  Release process is documented here.

Security

Suggested

N/A

Required

Note: this section may be augmented by a joint-assessment performed by TAG Security and Compliance.

• [x] Clearly defined and discoverable process to report security issues.

  The security reporting process is documented in SECURITY.md. kcp uses the GitHub security advisory reporting feature, available here.

• [x] Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)

  Code access is governed by a) GitHub teams and b) a collection of OWNERS files that are used by Prow.

• [x] Document assignment of security response roles and how reports are handled.

  The security process is documented here and the security response team is listed in the MAINTAINERS.md file.

• [x] Document Security Self-Assessment.

  Security self-assessment is available here.

• [x] Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.

  Badge is available here.

Ecosystem

Suggested

N/A

Required

• [x] Publicly documented list of adopters, which may indicate their adoption level (dev/trialing, prod, etc.)

  The kcp-dev/kcp repository hosts an ADOPTERS.md file that lists all public adopters.

• [x] Used in appropriate capacity by at least 3 independent + indirect/direct adopters, (these are not required to be in the publicly documented list of adopters)

  The public ADOPTERS.md file already lists three adopters (Kubermatic, SAP, Upbound), and we will provide the TOC with more adopters.

The project provided the TOC with a list of adopters for verification of use of the project at the level expected, i.e. production use for graduation, dev/test for incubation.

• [ ] TOC verification of adopters.

Refer to the Adoption portion of this document.

• [x] Clearly documented integrations and/or compatibility with other CNCF projects as well as non-CNCF projects.

  Integrations are documented here.

Additional Information

[embik]

Adopters have been submitted through Google Form.

[embik]

Created https://github.com/cncf/toc/issues/1914 for governance review.