The CNCF Technical Oversight Committee (TOC) has voted to accept Flatcar as a CNCF incubating project.
Flatcar is a zero-touch, minimal operating system (OS) for containerized workloads, addressing the challenges of managing and securing a production fleet at scale. It is meant to be deployed the same way cloud native applications are deployed: by applying a declarative configuration, creating an immutable instance from a well-defined image.
“A secure community-owned cloud native operating system was one of the missing layers of the CNCF technology stack,” said Chris Aniszczyk, CTO of CNCF. “As validated by a thorough due diligence process, Flatcar has more than proven itself in this role, and we are thrilled to adopt it as an Incubating project and will support growing its community.”
Flatcar was originally created by the team at Kinvolk, a Berlin-based cloud native technology company that is now a part of Microsoft, as a derivative of CoreOS Container Linux. Flatcar is a popular base operating system for Kubernetes, and is closely integrated with Cluster API for streamlined deployments.
Main Features:
- Container Optimized: Flatcar’s OS image includes only those packages needed to run containers. This minimalist approach reduces the amount of software to manage, as well as the potential attack surface.
- Secure and Immutable File System: The OS is deployed to a cryptographically secured, read-only filesystem, which eliminates a whole category of security vulnerabilities that rely on modifying installed OS files.
- Declaratively Provisioned: Node configuration is defined in a YAML file which is applied on first boot. Thereafter, node configuration is generally treated as immutable, avoiding “configuration drift” and enabling management at scale.
- Auto Updating (and Rollback): Updates are shipped as validated images and applied in an atomic operation. If the update fails, the system automatically reverts to the previous image. The project includes an update server that provides advanced fleet-wide policy controls and a graphical view of fleet status.
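The declarative provisioning and update features above are easiest to see in a Butane configuration, the YAML format Flatcar transpiles into an Ignition JSON file that is applied once on first boot. The following is an added example, not a configuration from the announcement or from the Flatcar project: the SSH key, hostname and drop-in unit contents are placeholders chosen for illustration, and the `update.conf` keys are assumed to match the Flatcar update documentation.

```yaml
# Butane config for a single Flatcar node (illustrative example, not a
# project-supplied file). Transpile to Ignition before use, e.g.
#   butane --strict node.bu > node.ign
# and pass node.ign as the instance's user data. Ignition runs exactly
# once, on first boot; the resulting node is then treated as immutable.
variant: flatcar
version: 1.0.0

passwd:
  users:
    # Key-only login for the default user; no password is ever set.
    - name: core
      ssh_authorized_keys:
        - ssh-ed25519 AAAA_PLACEHOLDER_PUBLIC_KEY ops@example.invalid

storage:
  files:
    # /etc lives on the writable partition; the OS itself (/usr) stays
    # read-only and is replaced whole by the A/B update mechanism.
    - path: /etc/hostname
      mode: 0644
      contents:
        inline: flatcar-node-01          # placeholder hostname

    # Update policy: stay on the stable channel and let the update
    # engine stage new images, but never reboot on its own so the
    # rollout can be coordinated fleet-wide (assumed update.conf keys).
    - path: /etc/flatcar/update.conf
      mode: 0644
      overwrite: true
      contents:
        inline: |
          GROUP=stable
          REBOOT_STRATEGY=off

    # Local sysctl hardening applied at boot; the file is declared here
    # rather than edited by hand, so there is no configuration drift.
    - path: /etc/sysctl.d/90-hardening.conf
      mode: 0644
      contents:
        inline: |
          kernel.kptr_restrict = 2
          net.ipv4.conf.all.rp_filter = 1

systemd:
  units:
    # Enable the container runtime; the unit ships with the image.
    - name: docker.service
      enabled: true
```

Because the configuration is applied only on first boot, a change to any of these values means replacing the node with a fresh instance built from the new Ignition file rather than editing the running machine; that is the workflow the "immutable instance from a well-defined image" wording refers to.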
Flatcar has experienced significant success in end-user adoption, including by Adobe (SaaS provider, with more than 20,000 nodes running Flatcar), Stackit (managed Kubernetes service), and Wipro (managed PostgreSQL service).
“Flatcar Container Linux offers the security, robustness, and efficiency required by various critical workloads, including those utilized within the defence industry of Ukraine. Its acceptance into the CNCF as an incubation-level project, under vendor-neutral and community-driven governance, ensures that many users, including the Ukrainian defence sector, can continue to benefit from its reliability and performance in modern cloud-native environments.” – Ihor Dvoretskyi, Directorate of the Digital Transformation in the Defence Area at the Ministry of Defence of Ukraine, and Senior Developer Advocate at Cloud Native Computing Foundation
“Equinix is excited to see Flatcar’s acceptance by CNCF, and proud to be major supporters ourselves through the contribution of build, test, and distribution of cloud infrastructure as part of the Equinix Open Source Partner program,” said Eduardo Cocozza, Vice President of Developer and Product Led Growth Marketing at Equinix.
“Adobe leverages Flatcar as the host operating system for self-managed Kubernetes deployments across our multi-cloud environment, including Microsoft Azure,” said Joseph Sandoval, Principal Product Manager at Adobe and End User Advisory Board Member at CNCF. “We have proven it out at very large scale, and been really impressed both with how Flatcar simplifies our operations and how the project has matured and evolved to stay at the forefront of Linux OS development with capabilities such as Cluster API and system extensions. Adoption by the CNCF is the next logical step, and we are happy to endorse and support that move as a CNCF End User member.”
Notable Milestones:
- 967 GitHub Stars
- 1813 pull requests
- 1444 issues
- 643 contributors
- 429 Releases
Flatcar has hit several milestones in the last several months, which have contributed to the project’s move to the incubator.
- System Extensions. Leveraging the capabilities introduced in recent systemd releases, Flatcar has adopted system extensions (sysexts) as the strategic path forward for customizing and enhancing the base operating system. A “bakery” of off-the-shelf system extensions makes it easy to create custom images supporting different cloud platforms, Cluster API integrations, or versions optimized for edge applications such as lightweight WebAssembly workers.
- Run in more places. Flatcar supports more operating environments than ever, including ARM64-based servers, with Azure Cobalt being a recent addition; out of the box support for Nvidia Tesla GPUs for AI workloads; and many public clouds, with Scaleway, Brightbox, Hetzner, OVH, and Akamai/Linode being recently added.
- Cluster API. Thanks to Flatcar team contributions, the upstream Cluster API project now supports Ignition-based distros including Flatcar, and there are Cluster API integrations for Flatcar with a variety of platforms including Azure, AWS, and VMware.
The Flatcar roadmap is focused on expanding the range of system extensions to encompass a wider variety of use cases; evolving the Flatcar CAPI implementation, leveraging system extensions to enable independent updates of control plane and operating system; and support for greater security controls including secure boot, disk encryption, and integrity measurement architecture (IMA). The latest roadmap is available on GitHub: https://github.com/orgs/flatcar/projects/7, and discussed in the project’s public release planning meetings.
As a CNCF-hosted project, Flatcar is part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support, and community outreach. Flatcar joins incubating technologies Backstage, Buildpacks, cert-manager, Chaos Mesh, Cloud Custodian, Container Network Interface (CNI), Contour, Cortex, Crossplane, CubeFS, Dapr, Dragonfly, Emissary-Ingress, gRPC, in-toto, Karmada, Keptn, Keycloak, Knative, KubeEdge, Kubeflow, KubeVela, KubeVirt, Kyverno, Litmus, Longhorn, NATS, Notary, OpenFeature, OpenKruise, OpenMetrics, OpenTelemetry, Operator Framework, Strimzi, Thanos, and Volcano. For more information on maturity requirements for each level, please visit the CNCF Graduation Criteria.