I have reviewed the TOC's moving level readiness triage guide, ensured the criteria for my project are met before opening this issue, and understand that unmet criteria will result in the project's application being closed.
Review Project Moving Level Evaluation
Cozystack Incubation Application
v1.6
This template provides the project with a framework to inform the TOC of their conformance to the Incubation Level Criteria.
Project Repo(s): cozystack/cozystack
Project Site: cozystack.io
Sub-Projects:
Communication: CNCF Slack, Kubernetes Slack, Telegram, GitHub Discussions
Project points of contact:
The Cozystack Maintainers
Incubation Criteria Summary for Cozystack
Application Level Assertion
Adoption Assertion
The project has been adopted by the following organizations in a testing and integration or production capacity:
A further 10–15 organizations use Cozystack in production but cannot be listed publicly. Contact details for verified adopters have been shared privately with the TOC.
Application Process Principles
Suggested
N/A
Required
Engage with the domain specific TAG(s) to increase awareness through a presentation or completing a General Technical Review.
All project metadata and resources are vendor-neutral.
Yes. Cozystack uses CNCF-provided vendor-neutral resources for communication, testing, hosting, and governance.
Review and acknowledgement of expectations for Sandbox projects and requirements for moving forward through the CNCF Maturity levels.
Met during project's application on 09-Jan-2025.
Due Diligence Review.
Completion of this due diligence document, resolution of concerns raised, and presented for public comment satisfies the Due Diligence Review criteria.
Additional documentation as appropriate for project type, e.g.: installation documentation, end user documentation, reference implementation and/or code samples.
End user documentation
Installation documentation
Use cases / guides
Ænix blog posts
Governance and Maintainers
Suggested
Governance has continuously been iterated upon by the project as a result of their experience applying it, with the governance history demonstrating evolution of maturity alongside the project's maturity evolution.
Cozystack governance is based on CNCF best practices and continues to evolve with community growth. The project currently has 10 active maintainers across 6 organizations (Ænix, Urmanac, 3commas, Timescale, HIDORA, Independent) and has received contributions from 40+ contributors across 15+ companies.
Clear and discoverable project governance documentation.
MAINTAINERS.md
GOVERNANCE.md
CONTRIBUTOR_LADDER.md
CONTRIBUTING.md
Cozystack Community Meetings Calendar
Cozystack Community Meetings Recordings
Cozystack Meetings Notes
Governance is up to date with actual project activities, including any meetings, elections, leadership, or approval processes.
Yes.
Included in Code of Conduct and demonstrated by the multi-vendor maintainer composition.
Document how the project makes decisions on leadership, contribution acceptance, requests to the CNCF, and changes to governance or project goals.
GOVERNANCE.md
CONTRIBUTOR_LADDER.md
CONTRIBUTING.md
Document how role, function-based members, or sub-teams are assigned, onboarded, and removed for specific teams.
GOVERNANCE.md
CONTRIBUTOR_LADDER.md
Document a complete maintainer lifecycle process (including roles, onboarding, offboarding, and emeritus status).
GOVERNANCE.md
CONTRIBUTOR_LADDER.md
CONTRIBUTING.md
Demonstrate usage of the maintainer lifecycle with outcomes, either through the addition or replacement of maintainers as project events have required.
Maintainer roster update after joining CNCF
Onboarded two additional maintainers from HIDORA (@matthieu-robin, @mattia-eleuteri) reflecting active multi-vendor contribution since Sandbox.
If the project has subprojects: subproject leadership, contribution, maturity status documented, including add/remove process.
Subprojects share the parent project's governance, contribution, and maintainer-lifecycle rules (GOVERNANCE.md). Sub-project leads are listed in their respective MAINTAINERS.md files.
Required
Document complete list of current maintainers, including names, contact information, domain of responsibility, and affiliation.
MAINTAINERS.md
10 active maintainers across 6 organizations (Ænix, Urmanac, 3commas, Timescale, HIDORA, Independent).
CONTRIBUTING.md, CODEOWNERS.
Code of Conduct
Yes. Linked from GOVERNANCE.md, CONTRIBUTING.md, CONTRIBUTOR_LADDER.md.
All subprojects, if any, are listed.
talm
boot-to-talos
cozypkg
cozy-proxy
cozystack-telemetry-server
talos-bootstrap
cozystack-ui
blockstor
etcd-operator
Contributors and Community
Suggested
https://github.com/cozystack/cozystack/blob/main/CONTRIBUTOR_LADDER.md
Required
https://github.com/cozystack/cozystack/blob/main/CONTRIBUTING.md
Documented in README.md.
List and document all project communication channels, including subprojects (mail list/slack/etc.). List any non-public communications channels and what their special purpose is.
CNCF Slack, Kubernetes Slack, Telegram, GitHub Discussions. No non-public channels are used for project work.
Up-to-date public meeting schedulers and/or integration with CNCF calendar.
Cozystack Community Meetings Calendar
Cozystack Community Meetings Recordings
Cozystack Meetings Notes
Documentation of how to contribute, with increasing detail as the project matures.
https://github.com/cozystack/cozystack/blob/main/CONTRIBUTING.md
Cozystack DevStat Dashboard
Engineering Principles
Suggested
Community Roadmap
Releases
Since joining CNCF Sandbox on March 4, 2025, Cozystack has delivered four stable minor releases (v1.1, v1.2, v1.3, v1.4) and approximately twenty patch releases on a predictable cadence, with public release candidates, long-lived patch branches, and automated backports. The most significant milestones include:
Reached v1.0.0 stable: first stable major release.
Introduced an operator-driven platform architecture: declarative Package / PackageSource model, automated CRD lifecycle management, and Flux sharding for multi-tenant scalability.
Built a comprehensive backup and restore framework: backup plans, restore jobs, Velero integration, native VM backup, RestoreJob dashboard, cross-namespace VM restore, and declarative BackupStrategy for PostgreSQL, MariaDB, ClickHouse, and FoundationDB (v1.4).
Significantly advanced virtualization support: GPU support for VMs and tenant Kubernetes clusters, Windows VM support, built-in VNC console, separate vm-disk / vm-instance resources, persistent worker-node storage for tenant Kubernetes (v1.4), and HAMi-based fractional GPU sharing (v1.4).
Expanded managed services substantially: added MongoDB, Qdrant, Harbor, OpenBAO, and continued improvements to RabbitMQ, NATS, MariaDB.
Delivered major storage improvements: LINSTOR scheduler with storage-aware pod placement (v1.3), managed LINSTOR GUI with Keycloak SSO (v1.3), VM Default Images catalog (v1.3), auto-diskful support, tiered storage pools, per-user bucket credentials, read-only S3 access, and object locking.
Expanded networking capabilities: VPC, multi-location networking based on Kilo / cilium-kilo, topology-aware routing, geo-distributed deployments, ouroboros hairpin-NAT with one-switch PROXY-protocol (v1.4), and tenant-scoped cozy-proxy BPF skip for VM LoadBalancer services.
Improved tenant isolation, observability, and API maturity: stable per-namespace tenant resource limits, WorkloadsReady / Events observability surface with S3 bucket metering (v1.3), instance-type resource preset taxonomy (v1.4), public REST API and OpenAPI specifications, schema-driven dashboard rewrite talking directly to the Kubernetes API (v1.4).
Hardened CI/CD security: migrated release workflows from long-lived PATs to short-lived tokens issued by the cozystack-ci GitHub App (v1.3).
Kept the platform on current upstream: most recent components include Kubernetes 1.36, Talos v1.13, Cilium v1.19.3, cert-manager v1.20, KubeVirt v1.8.2, NVIDIA GPU Operator v26.3.1.
Established a mature release lifecycle: pre-releases, long-lived patch branches, automated backports, and a steady stable + patch cadence.
Required
Document project goals and objectives that illustrate the project's differentiation in the Cloud Native landscape as well as outlines how this project fulfills an outstanding need and/or solves a problem differently.
https://cozystack.io/docs/introduction/
https://cozystack.io/docs/introduction/
Community Roadmap
https://cozystack.io/docs/guides/, https://cozystack.io/docs/guides/use-cases/
https://cozystack.io/docs/operations/cluster/upgrade/
Security
Suggested
N/A
Required
Clearly defined and discoverable process to report security issues.
SECURITY.md — published since v1.3.0. Documents private reporting paths, supported version lines, acknowledgement and triage targets (3 / 7 business days), coordinated disclosure model via GitHub Security Advisories, and out-of-scope cases.
Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools).
Organization-wide 2FA enforcement on the cozystack GitHub org
CODEOWNERS-mandated review for protected paths
Branch protection on main and release branches (required reviews, status checks)
Release workflows migrated from long-lived PATs to short-lived tokens issued by the cozystack-ci GitHub App (v1.3.0, PRs #2351, #2383)
Renovate-managed dependency updates with security alerts
Document assignment of security response roles and how reports are handled.
SECURITY.md describes the reporting, triage, and coordinated disclosure flow. Coordinated disclosure is performed through GitHub Security Advisories. The most recent example of the process in operation is GHSA-g883-q79m-8225, an unauthenticated information disclosure in the kubeovn-webhook admission handler, triaged and patched in v1.3.3 with a public advisory.
In progress. A draft self-assessment is being prepared by the maintainers and will be submitted via PR to cncf/tag-security for a joint assessment with TAG-Security. A copy will be maintained in docs/security/self-assessment.md in the project repository.
Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.
OpenSSF Best Practices: passing, 100% (64/64)
Ecosystem
Suggested
N/A
Required
Used in appropriate capacity by at least 3 independent + indirect/direct adopters.
ADOPTERS.md
Cozystack is used in production and development capacities by independent organizations across hosting, cloud, and consulting domains. The public adopter list is in ADOPTERS.md. Verified adopter contacts have been shared privately with the TOC.
TOC verification of adopters.
Adopter contact details have been shared privately with the TOC for verification. Refer to the Adoption Assertion section of this document.
Clearly documented integrations and/or compatibility with other CNCF projects as well as non-CNCF projects.
Cozystack integrates dozens of CNCF and cloud-native projects as platform building blocks: https://cozystack.io/docs/guides/platform-stack/
Additional Information
This project is important for advancing digital sovereignty, enabling migration from public clouds to bare metal, and equipping local service providers and integrators with an open, free toolkit to compete with hyperscalers (AWS, GCP, Azure) and proprietary platforms (OpenShift, VMware Cloud).