Graduating a CNCF project is no small feat. As someone who took Helm through the graduation process I thought it would be useful and interesting for people to learn about it. This can illustrate what the CNCF looks for in a mature project and what other projects that look to graduate can look forward to.
A Little Background
When the CNCF first launched and Kubernetes became the first project, Helm joined the CNCF as a sub-project of Kubernetes. In early 2018 a decision was made for Helm to move out of Kubernetes and become a sister project to Kubernetes in the CNCF. While Kubernetes was graduated, Helm had numerous things to work out before it met the graduation criteria on its own. Helm moved to be a top-level project in the CNCF at the incubating level.
The Criteria To Graduate
The Technical Oversight Committee (TOC) keeps the graduation criteria in GitHub. This includes things like:
- Maintainers from multiple organizations (Helm has more than 10)
- The Core Infrastructure Initiative Best Practices Badge (Helm is almost at the silver level which is beyond the requirement)
- Documented governance (Helm has had this for well over a year and it’s working)
- A completed security audit (Helm did really well)
This is not the exhaustive list but it is one that showcases some important parts.
Any project that graduates in the CNCF is being used in production by numerous parties, isn’t controlled by or reliant on one company, has a security picture you can read about, has a contribution and governance model enabling anyone to get involved, and more.
Graduation is about as close to a stamp of trustworthiness as you can get. This is why I was excited to take Helm through the graduation process when I noticed we met the criteria.
The process has changed over the past year and will continue to change. This is by no means a definitive guide but will provide some insight into my experience. Here are the steps I went through:
- I made sure Helm met the graduation criteria. This is an important check. With Helm it was fairly straightforward because I’d been tracking this.
- I created a pull request for graduation following the documented process. When I started the process it was not as well documented as it is now. There are a bunch of details to fill in to highlight why the project thinks it’s ready to graduate.
- The process notes the due diligence from the incubation step. Helm had not completed the due diligence because it came in prior to that step. The process does not document how to handle this but I was advised to fill out the incubation due diligence. This was referenced in the pull request to graduate.
- Once this was submitted and triaged, I presented to SIG App Delivery. A project may be reviewed by one or more SIGs. For example, Harbor is being reviewed by 4 SIGs as part of the graduation process. As there was no feedback to be dealt with we moved on to the next step.
- A member of the TOC was assigned to the graduation request. He reviewed it and they opened a call for comments on the request. This was a 2-week period. There were no comments on Helm.
- A vote of the TOC was called. This needed a 2/3 super-majority of all the members in good standing (7/10 in this case). Helm passed and graduated.
- The press and announcement were carefully handled. Ever wonder why graduation announcements happen a couple of weeks after a vote? That is so that everyone can get their stuff together to make a good announcement with everyone (press possibly included) on the same page. When the announcement goes out it’s coordinated.
This may seem fairly straightforward but it was not. There are two reasons for this:
- When I went through it the process was not as well defined as it is today. The docs are getting better, which is great news for those going forward.
- Filling out all the paperwork takes a lot of time. I would guess it takes 100 to 400 hours. Some projects may need even more time for everything.
Another wrinkle is the due diligence step. This is required at incubation. Helm went through a process that is different from the current due diligence. It was not clear if that was sufficient or not and I never got clear direction on that. Quite the opposite. I got conflicting direction. So, I did the new due diligence and referenced the material from when Helm came in at the incubating level. This was far more work but I wanted to make sure there was no ambiguity.
You may have noticed I wrote that 7 of 10 votes were required for Helm and wondered where the 10 came from and why it wasn’t 11. There are 11 members of the TOC. According to the CNCF charter, TOC members need to be active in certain ways to be eligible to vote. One of the members has not been active over the required period. Helm had more than enough votes for a super-majority from the full TOC.
Along the way the CNCF staff was there to help and did a wonderful job. In this process they are support staff as they are not in the loop on doing the evaluations or voting. But, they do a lot of work to make sure everything is coordinated and do help projects try to figure things out.
If you want to have a graduated CNCF project, prepare to put in the work. The criteria to graduate take time to meet. Then there is the process you’ll need to go through at each step along the way. These are not simple or quick steps.