release: add release notes for v0.9.0-alpha1

Document the progress we have made in this release
and explain that this is an alpha release.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>

releases/v0.9.0-alpha1.md

@@ -0,0 +1,68 @@
+# Release Notes for v0.9.0-alpha1
+
+Release Date: June 21st, 2024
+
+This release is based on [3.6.0](https://github.com/kata-containers/kata-containers/releases/tag/3.4.0) of Kata Containers
+and [v0.9.1](https://github.com/confidential-containers/enclave-cc/releases/tag/v0.9.0) of enclave-cc.
+
+This is an alpha release, with some limitations, but it builds significantly on the previous release.
+For a full feature set, please use v0.8.0 or the upcoming v0.9.0.
+For details of what has been added and what does not yet work,
+see the following sections.
+
+Please see the [quickstart guide](../quickstart.md) for details on how to try out Confidential
+Containers.
+
+Please refer to our [Acronyms](https://github.com/confidential-containers/documentation/wiki/Acronyms)
+and [Glossary](https://github.com/confidential-containers/documentation/wiki/Glossary) pages for
+definitions of the acronyms used in this document.
+
+## What's new
+
+* Cloud API Adaptor (peer pods) is included in the release and based on Kata main.
+* Image pulling inside the guest via the nydus snapshotter is more stable.
+* Platform support has been partially restored.
+* Confidential runtime classes ship with filesystem sharing disabled by default.
+* `kata-qemu-coco-dev` runtime class introduced for nontee development.
+* Several improvements to guest policy
+* `guest_components_procs` option introduced to control which guest components are started.
+
+## Hardware Support
+
+This release tentatively supports multiple TEE platforms, although
+not all features are enabled for all platforms and test coverage
+is limited.
+
+## Limitations
+
+The following are known limitations of this release:
+
+* Encrypted images and signed images are not yet supported.
+* Sealed secrets and encrypted volumes are not yet supported.
+* SEV(-ES) and SEV-SNP do not support attestation.
+* Authenticated registries are not supported.
+* Nydus snapshotter support is not mature.
+  * Nydus snapshotter sometimes fails to pull an image.
+  * Nydus snapshotter cannot handle pods with init containers.
+  * Host pulling with Nydus snapshotter is not yet enabled.
+  * Nydus snapshotter is not supported with enclave-cc.
+* Pulling container images inside guest may have negative performance implications including greater resource usage and slower startup.
+* `crio` support is still evolving.
+* Platform support is rapidly changing
+* SELinux is not supported on the host and must be set to permissive if in use.
+* Complete integration with Kubernetes is still in progress.
+  * OpenShift support is not yet complete.
+  * Existing APIs do not fully support the CoCo security and threat model. [More info](https://github.com/confidential-containers/community/issues/53)
+  * Some commands accessing confidential data, such as `kubectl exec`, may either fail to work, or incorrectly expose information to the host
+* The CoCo community aspires to adopting open source security best practices, but not all practices are adopted yet.
+  * We track our status with the OpenSSF Best Practices Badge, which remained at 75% at the time of this release.
+  * Community has adopted a security reporting protocol, but application and documentation of static and dynamic analysis still needed.
+* Container metadata such as environment variables are not measured.
+* The Kata Agent allows the host to call several dangerous endpoints
+    * Kata Agent does not validate mount requests. A malicious host might be able to mount a shared filesystem into the PodVM.
+    * Policy can be used to block endpoints, but it is not yet tied to the hardware evidence.
+
+## CVE Fixes
+
+None
+