
Manuel Hernandez contributed to the kata-containers/kata-containers repository, focusing on enhancing GPU support, security, and deployment automation for confidential and containerized environments. Over six months, he delivered features such as NVIDIA GPU passthrough, automated security policy generation, and confidential guest Kubernetes support, using Go, Bash, and Rust. His work included hardening build and runtime processes, improving CI reliability, and integrating kernel and container orchestration enhancements. By addressing both feature development and bug fixes, Manuel improved system stability, security compliance, and deployment flexibility, demonstrating depth in DevOps, containerization, and GPU integration while enabling faster, more reliable GPU-enabled workload delivery.
March 2026 monthly summary for kata-containers/kata-containers focusing on security hardening, operator-driven deployment validation, core stability, configurability enhancements, and CI/release-process improvements. The month delivered tangible business value by strengthening security posture, increasing reliability of deployment workflows, and enabling more flexible configurations, driving lower risk and faster release readiness.
February 2026 performance summary for kata-containers/kata-containers focusing on features delivered, reliability improvements, and security hardening. Key initiatives include confidential guest Kubernetes support with enhanced testing, Kubernetes test framework enhancements using container image layer storage and storage parameterization, build artifact security hardening with GPG verification and stricter download checks, plus ongoing code quality and DevKit packaging improvements to improve maintainability and pod startup reliability.
January 2026 monthly summary for kata-containers/kata-containers. Focused on GPU passthrough hardening, verity-based rootfs security, test coverage expansion, and deployment modernization. Highlights include NVIDIA GPU passthrough runtime improvements (image-based shim, OVMF, dm-verity protection for non-TEE handler, NVDIMM disable, and kernel parameter cleanup), kernelinit dm-verity mode introduced and enabled across rootfs/runtime/tests (kernel_verity_params overwritable; ~18% kernel-phase startup improvement observed on coco-dev), initramfs logging and testing enhancements (log to /dev/kmsg; support initrd and attestation image usage), deployment target updates to Mariner across all targets, and ongoing documentation/packaging improvements to support trusted-image workflows. These changes increase security, stability, and performance while enabling Mariner-based deployments and broader attestation-driven testing.
December 2025 — DataDog/kata-containers: focused on hardening NVIDIA GPU support and automating security policy generation. Key work included VFIO GPU passthrough validation in the security policy, enabling NVIDIA GPU passthrough and paving the way for other VFIO devices; and implementing automated policy generation and security controls for NVIDIA TEE GPUs in CI, including pod security policies, attestation settings, and tests for confidential hardware. Also delivered CI/test infrastructure improvements for NVIDIA GPU testing to improve reliability, reduce rate limits, and secure NVNG/NVCR-based image sources. These efforts strengthen security compliance, reduce deployment risk for GPU-enabled workloads, and improve CI stability, accelerating delivery of GPU-enabled features across the stack.
November 2025 monthly summary for DataDog/kata-containers: Delivered substantial NVIDIA GPU CI and test infrastructure, expanded deployment capabilities for CC GPUs, and strengthened test policy and security posture. Implemented pipeline and packaging improvements to increase reliability and developer productivity while maintaining strict TEE and attestation requirements.
October 2025 (DataDog/kata-containers) delivered key NVIDIA GPU capabilities and confidential-environment readiness, focusing on reliability, scalability, and maintainability of NVIDIA-enabled deployments. Key features include a CUDA vector-add test to validate CUDA environment setup and vector operations, with NVRC tracing made optional and idempotent and a skip-path for multi-GPU tests in single-GPU environments to improve CI reliability and workload flexibility. NVIDIA rootfs and build script improvements add guest pull support components and standardize rootfs variant naming to resolve local build inconsistencies in confidential contexts. Fixed driver install conflicts by removing version suffixes for imex and libnvidia-nscq and eliminated CDI leakage by clearing outer CDI annotations to ensure proper device injection and runtime stability. These changes reduce installation conflicts, improve build stability, and enhance runtime security for confidential workloads, while strengthening CI coverage and traceability across commits.