[CNCF Incubation] Due Diligence Review #7
Description
Application Due Diligence Remaining Work (check items as they are completed):
- Fill out initial due diligence (@sam-heilbron )
- Review due diligence documentation (@linsun )
- Security Self Assessment (@sam-heilbron )
- OpenSSF Badge (@sam-heilbron )
Review Project Moving Level Evaluation
- I have reviewed the TOC's moving level readiness triage guide, ensured the criteria for my project are met before opening this issue, and understand that unmet criteria will result in the project's application being closed.
kagent Incubation Application
v1.6
This template provides the project with a framework to inform the TOC of their conformance to the Incubation Level Criteria.
Project Repo(s):
- https://github.com/kagent-dev/kagent
- https://github.com/kagent-dev/community
Project Site: https://kagent.dev/
Sub-Projects: N/A
Communication: https://cloud-native.slack.com/archives/C08ETST0076
Project points of contacts: Idit Levine, Lin Sun, Yuval Kohavi, Sam Heilbron
(Post Incubation only) Book a meeting with CNCF staff to understand project benefits and event resources.
Incubation Criteria Summary for kagent
Application Level Assertion
- This project is currently Sandbox, accepted on May 22, 2025 (ref), and applying to Incubation.
- This project is applying to join the CNCF at the Incubation level.
Adoption Assertion
The project has been adopted by the following organizations in a testing and integration or production capacity:
- kagent adopters (scroll down to "who uses our products")
- Adopters file lists Solo.io, Amdocs, Au10tix, and Krateo
- A few users who are willing to be interviewed will be provided to the CNCF TOC in the adopter interview questionnaire.
Application Process Principles
Suggested
N/A
Required
- Engage with the domain specific TAG(s) to increase awareness through a presentation or completing a General Technical Review.
- Demoed functionality to CloudNative AI WG: https://www.linkedin.com/posts/raravena_github-kagent-devkagent-cloud-native-activity-7322768514665062401-Is7X?utm_source=share&utm_medium=member_desktop&rcm=ACoAAABLihcBuozqLyftNtauegAdN2-QszsmqQQ
- Also have a General Technical Review document: https://github.com/kagent-dev/kagent/blob/main/contrib/cncf/technical-review.md
- All project metadata and resources are vendor-neutral.
- All project resources, governance, and documentation are vendor-neutral. See governance documentation and charter.
- Review and acknowledgement of expectations for Sandbox projects and requirements for moving forward through the CNCF Maturity levels.
- The team is familar with the sandbox, incubation and graduation expectations. The expectations for Sandbox requirements were met during Project's application on May 22, 2025.
- Due Diligence Review.
Completion of this due diligence document, resolution of concerns raised, and presented for public comment satisfies the Due Diligence Review criteria.
- Additional documentation as appropriate for project type, e.g.: installation documentation, end user documentation, reference implementation and/or code samples.
There is easy access to installation and reference samples in kagent:- Installation documentation
- Quick Start guide
- Complete documentation
- Examples for using existing agents or bringing your own
Additionally, kagent seamlessly integrates with other cloud-native and CNCF projects:
- Kubernetes: Native integration with Kubernetes APIs, RBAC, and resource management
- Helm: Deployment and management through Helm charts
- OpenTelemetry: Distributed tracing and observability
- LLM Providers: Secure integration with major AI model providers (OpenAI, Azure OpenAI, Anthropic, Google Vertex AI, Ollama, and custom models)
- MCP Ecosystem: Extensible tool system through Model Context Protocol
- Prometheus: Expose prometheus metrics for observability
There is optional tooling that can be used to integrate with:
- kgateway: Gateway and Kubernetes Gateway API integration
- Grafana: Observability and monitoring integration
- Istio: Integration with Istio Service Mesh APIs
- Argo: Integration with Argo Rollouts
- Cilium: Integration through specialized agents for eBPF-based networking
Governance and Maintainers
Note: this section may be augmented by the completion of a Governance Review from the Project Reviews subproject.
Suggested
- Governance has continuously been iterated upon by the project as a result of their experience applying it, with the governance history demonstrating evolution of maturity alongside the project's maturity evolution.
- The governance doc has not been iterated on, since its original creation
- Clear and discoverable project governance documentation.
- GOVERNANCE.md provides comprehensive governance documentation.
- Governance is up to date with actual project activities, including any meetings, elections, leadership, or approval processes.
- Community meetings are documented in README.md with calendar integration.
- While the governance doc has not been iterated on since its original creation, it is up to date with current community expectations around meetings
- Governance clearly documents vendor-neutral of project direction.
- The governance values explicitly state "Community over Product or Company".
- Document how the project makes decisions on leadership, contribution acceptance, requests to the CNCF, and changes to governance or project goals.
- Decision-making processes are documented in GOVERNANCE.md. As highlighted there "While most business in kagent is conducted by "lazy consensus", periodically the Maintainers may need to vote on specific actions or changes. The following rules govern our voting process, unless otherwise stated for a specific purpose."
- Document how role, function-based members, or sub-teams are assigned, onboarded, and removed for specific teams (example: Security Response Committee).
- Role definitions and processes are documented in CONTRIBUTOR_LADDER.md. These clarify how members are assigned and removed.
- There is not currently a written document that onboards these new roles.
- Document a complete maintainer lifecycle process (including roles, onboarding, offboarding, and emeritus status).
- Complete maintainer lifecycle is documented in CONTRIBUTOR_LADDER.md.
- Demonstrate usage of the maintainer lifecycle with outcomes, either through the addition or replacement of maintainers as project events have required.
- The project has successfully onboarded maintainers from multiple organizations as shown in MAINTAINERS.md.
- If the project has subprojects: subproject leadership, contribution, maturity status documented, including add/remove process.
- N/A - The project does not currently have subprojects.
Required
- Document complete list of current maintainers, including names, contact information, domain of responsibility, and affiliation.
- Complete maintainer list with affiliations is documented in MAINTAINERS.md. It includes names, Github ID, affiliation and area of specialization.
- A number of active maintainers which is appropriate to the size and scope of the project.
- The kagent project has organized regular community meeting every Tuesday. These meetings regularly involve new members joining and participating in the project.
- The project has 8 active maintainers from 2 organizations (Solo.io and Amdocs), appropriate for the project scope.
- In addition to the maintainers, there are 88 unique contributors which demonstrates that the project has sufficient active maintainers and contributors to sustain its current and future momentum.
- Code and Doc ownership in Github and elsewhere matches documented governance roles.
- GitHub permissions and CODEOWNERS files match the documented governance structure.
- There are also clearly documented steps to become a maintainer, what happens if a maintainer is inactive and moving to emeritus status
- Document adoption and adherence to the CNCF Code of Conduct or the project's CoC which is based off the CNCF CoC and not in conflict with it.
- CODE-OF-CONDUCT.md explicitly adopts the CNCF Code of Conduct: "All members of the kagent community must abide by the CNCF Code of Conduct. Only by respecting one another can we build a strong and collaborative community."
- CNCF Code of Conduct is cross-linked from other governance documents.
- The Code of Conduct document (https://github.com/kagent-dev/kagent/blob/main/CODE_OF_CONDUCT.md) is clearly discoverable in the project repository
- The Code of Conduct is referenced in GOVERNANCE.md and CONTRIBUTOR_LADDER.md.
- All subprojects, if any, are listed.
- N/A - No subprojects currently exist.
Contributors and Community
Note: this section may be augmented by the completion of a Governance Review from the Project Reviews subproject.
Suggested
- Contributor ladder with multiple roles for contributors.
- CONTRIBUTOR_LADDER.md defines Contributor, Organization Member, and Maintainer roles.
- There are not multiple roles for contributors, yet
Required
- Clearly defined and discoverable process to submit issues or changes.
- Contribution processes are documented in CONTRIBUTING.md with clear pull request workflows.
- Project must have, and document, at least one public communications channel for users and/or contributors.
- Multiple communication channels documented in community README:
- List and document all project communication channels, including subprojects (mail list/slack/etc.). List any non-public communications channels and what their special purpose is.
- All communication channels are listed in community README.
- Private security reporting via kagent-vulnerability-reports@googlegroups.com as documented in SECURITY.md.
- Up-to-date public meeting schedulers and/or integration with CNCF calendar.
- Community calendar with regular community meetings.
- Documentation of how to contribute, with increasing detail as the project matures.
- Comprehensive contribution documentation in CONTRIBUTING.md and DEVELOPMENT.md.
- Project README has a section dedicated to just contributions: https://github.com/kagent-dev/kagent/blob/main/README.md#get-involved
- Demonstrate contributor activity and recruitment.
- Active development with regular commits and pull requests across multiple repositories.
- Blog post celebrating 100 days showcases community engagement and adoption.
- Introduced a mentorship program to support new contributors. An example of this was Jet Chiang who introduced a major feature to the project, CrewAI support for BYO agents (PR), and then shared it in the community meeting (LinkedIn Post)
- Posts celebrating contributions and engagement in weekly community meetings: https://www.linkedin.com/posts/lin-sun-a9b7a81_visual-agent-builder-is-coming-to-kagent-activity-7391527018129117184-nrGg?utm_source=share&utm_medium=member_desktop&rcm=ACoAAA3vRnUBIhXk9yzD8z3qiMYCwujuwDx1m1Y
- Presentation at KubeCon: https://www.linkedin.com/posts/lin-sun-a9b7a81_kubeconna-activity-7393848441849729024-zOmf?utm_source=share&utm_medium=member_desktop&rcm=ACoAAA3vRnUBIhXk9yzD8z3qiMYCwujuwDx1m1Y
Engineering Principles
Suggested
- Roadmap change process is documented.
- Roadmap update process is documented in ROADMAP.md.
- History of regular, quality releases.
- Release process documented in CONTRIBUTING.md with automated CI/CD pipeline in tag.yaml.
Required
- Document project goals and objectives that illustrate the project's differentiation in the Cloud Native landscape as well as outlines how this project fulfills an outstanding need and/or solves a problem differently.
- Project mission and differentiation documented in CHARTER.md and what-is-kagent documentation.
- Document what the project does, and why it does it - including viable cloud native use cases.
- Comprehensive project description and use cases in README.md and documentation.
- Cloud-native use cases include:
- Diagnosing connectivity issues across multiple service hops
- Troubleshooting application performance degradation
- Automating alert generation from Prometheus metrics
- Debugging Gateway and HTTPRoute configurations
- Managing progressive rollouts with Argo Rollouts
- Document and maintain a public roadmap or other forward looking planning document or tracking mechanism.
- Public roadmap available at project Kanban board and ROADMAP.md.
- Document overview of project architecture and software design that demonstrates viable cloud native use cases, as part of the project's documentation.
- Architecture documented in architecture documentation and README.md.
- Core components:
- Controller: Kubernetes controller managing AI agent custom resources
- Engine: Python application running agent conversations using ADK framework
- UI: Web interface for agent management
- CLI: Command-line tool for agent management
- Document the project's release process.
- Release process documented in CONTRIBUTING.md with automated workflows in .github/workflows/tag.yaml.
Security
Suggested
N/A
Required
Note: this section may be augmented by a joint-assessment performed by TAG Security and Compliance.
- Clearly defined and discoverable process to report security issues.
- Security reporting process documented in SECURITY.md with private email kagent-vulnerability-reports@googlegroups.com.
- Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)
- GitHub repository protected with branch protection rules and 2FA requirements for maintainers as documented in CONTRIBUTOR_LADDER.md.
- Document assignment of security response roles and how reports are handled.
- Security response process documented in SECURITY.md.
- Document Security Self-Assessment.
- Security self-assessment can be found at https://github.com/kagent-dev/kagent/blob/main/contrib/cncf/security-self-assessment.md
- Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.
- https://www.bestpractices.dev/projects/10723/badge
- OpenSSF Best Practices badge is passing
Ecosystem
Suggested
N/A
Required
- Publicly documented list of adopters, which may indicate their adoption level (dev/trialing, prod, etc.)
- Public adopters list maintained in adopters.yaml and displayed on kagent.dev homepage.
- Used in appropriate capacity by at least 3 independent + indirect/direct adopters, (these are not required to be in the publicly documented list of adopters)
- The project has confirmed usage by multiple independent organizations including Solo.io, Amdocs, Au10tix, and Krateo in various capacities from development to production.
The project provided the TOC with a list of adopters for verification of use of the project at the level expected, i.e. production use for graduation, dev/test for incubation.
- TOC verification of adopters.
Refer to the Adoption portion of this document.
- Clearly documented integrations and/or compatibility with other CNCF projects as well as non-CNCF projects.
- CNCF project integrations documented through agent implementations:
- Integrations with many CNCF projects.
- Tool registry documents all available integrations
- OpenTelemetry tracing support as documented in tracing guide
Adoption
Adopter 1 - Solo.io/Service Mesh & API Gateway
September 2024
Adopter 2 - Amdocs/Telecommunications
August 2025
Adopter 3 - Au10tix/Identity Verification
August 2025
Adopter 4 - Krateo/Platform Engineering
August 2025