
So Flatcar’s in the CNCF… What's Next?


Lightning Talk presented at Cloud Native Rejekts, November 11, 2024
Video: https://youtu.be/aRW3LBR6iHo

Andy Randall

December 10, 2024


Transcript

  1. Nov 10-11 • Salt Lake City, Utah
     So Flatcar’s in the CNCF… What's Next?
     Andy Randall, Principal PM Manager, Microsoft, @ahrkrak.bsky.social
  2. Flatcar Container Linux
     • Automated updates (+ rollback)
     • Immutable (read-only) file system
     • Minimal set of packages
     • Declarative provisioning
  3. Why the CNCF?
     • Vendor-neutral foundation governance
     • Rigorous due diligence process
     • Incubation: “stable & successfully used in production”
     • Access to CNCF resources
     “A secure community-owned cloud native operating system was one of the missing layers of the CNCF technology stack” – Chris Aniszczyk, CTO, CNCF
  4. Looking Ahead: Big Themes
     • Simplified multi-cluster management
     • Extensible, composable architecture
     • Enhanced security to address increased threats
     • Native support for the next generation of workloads
  5. Enhancing the cloud native security posture (the slide groups these under three columns: Supply Chain, Updates, Runtime)
     • Documented and verifiable from source to binary
     • Accessible, reliable inventory data
     • Automated alerting for existing / new CVEs
     • Secure Boot / measured, verified OS
     • Tamper-proof, verity-protected
     • User-managed signing infrastructure
     • Confidential compute
     • Zero-trust, verifiable updates (== no "trusted sources")
     • Tamper protection against MitM
     • Multi-vendor: separate for OS (distro) and extensions (operator)
  6. Making Flatcar Extensible: System Extensions
     https://www.freedesktop.org/software/systemd/man/latest/systemd-sysext.html
     • Loaded at boot time by systemd
     • Overlay file system
     • Library of pre-baked sysexts: github.com/flatcar/sysext-bakery
     • Automatic updates
  7. Composability with System Extensions
     • Easy image customization
     • Alternate container runtimes (torcx replacement)
     • Improved support for OEM variants (replacement for non-updatable /oem partition)
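Slides 6 and 7 describe sysexts as overlays that systemd merges over /usr and /opt at boot, so the base OS stays immutable while an operator ships their own runtime or OEM bits. The script below is an added example, not Flatcar project code and not output of the sysext-bakery: it assembles a directory-based extension (a plain tree rather than a .raw squashfs image) and applies the compatibility checks that systemd-sysext performs before it will merge an extension, which is what makes a distro-signed OS and an operator-signed extension coexist safely: the extension-release file must be named after the extension, its ID= must match the host's os-release (or be _any), its SYSEXT_LEVEL= (falling back to VERSION_ID=) must match, and only /usr and /opt may appear in the tree. The helper names make_sysext, check_sysext and activate_sysext, the sample os-release and the hello payload are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from Flatcar or sysext-bakery): build a directory-based
# systemd-sysext extension and pre-check it the way systemd-sysext does.
set -eu

# Read KEY=value from an os-release style file, stripping optional quotes.
osrel_get() {   # osrel_get FILE KEY
    sed -n "s/^$2=//p" "$1" | tr -d '"'
}

# Assemble the tree ROOT/NAME shipping one executable, and write the
# extension-release file using the host's ID and SYSEXT_LEVEL so the
# host accepts it.  On Flatcar ROOT would be /var/lib/extensions.
make_sysext() {   # make_sysext ROOT NAME OS_RELEASE PAYLOAD
    ext="$1/$2"
    mkdir -p "$ext/usr/bin" "$ext/usr/lib/extension-release.d"
    cp "$4" "$ext/usr/bin/$(basename "$4")"
    chmod 0755 "$ext/usr/bin/$(basename "$4")"
    level=$(osrel_get "$3" SYSEXT_LEVEL)
    [ -n "$level" ] || level=$(osrel_get "$3" VERSION_ID)
    # The file MUST be extension-release.<NAME>; any other name is rejected.
    {
        echo "ID=$(osrel_get "$3" ID)"
        echo "SYSEXT_LEVEL=$level"
        echo "ARCHITECTURE=$(uname -m | sed 's/x86_64/x86-64/; s/aarch64/arm64/')"
    } > "$ext/usr/lib/extension-release.d/extension-release.$2"
}

# Return 0 if systemd-sysext would merge ROOT/NAME on a host with OS_RELEASE,
# otherwise print the reason to stderr and return a distinct non-zero code.
check_sysext() {  # check_sysext ROOT NAME OS_RELEASE
    ext="$1/$2"
    rel="$ext/usr/lib/extension-release.d/extension-release.$2"
    [ -f "$rel" ] || { echo "missing $rel" >&2; return 1; }
    # An extension may only overlay /usr and /opt; a smuggled /etc or /var
    # would let it change host configuration, so it is refused outright.
    for top in "$ext"/*; do
        case "$(basename "$top")" in
            usr|opt) ;;
            *) echo "illegal top-level directory: $top" >&2; return 2 ;;
        esac
    done
    ext_id=$(osrel_get "$rel" ID)
    host_id=$(osrel_get "$3" ID)
    [ "$ext_id" = "_any" ] || [ "$ext_id" = "$host_id" ] \
        || { echo "ID mismatch: extension=$ext_id host=$host_id" >&2; return 3; }
    # ID=_any extensions are distro-independent; the level check is skipped.
    [ "$ext_id" = "_any" ] && return 0
    host_level=$(osrel_get "$3" SYSEXT_LEVEL)
    [ -n "$host_level" ] || host_level=$(osrel_get "$3" VERSION_ID)
    ext_level=$(osrel_get "$rel" SYSEXT_LEVEL)
    [ "$ext_level" = "$host_level" ] \
        || { echo "SYSEXT_LEVEL mismatch: extension=$ext_level host=$host_level" >&2; return 4; }
    return 0
}

# Merge all extensions on a real host; harmless where systemd-sysext is absent.
activate_sysext() {
    if command -v systemd-sysext >/dev/null 2>&1; then
        systemd-sysext refresh
    else
        echo "systemd-sysext not installed; nothing merged" >&2
    fi
}

# Usage: ./build_sysext.sh demo /path/to/binary   (root, on a sysext-capable host)
if [ "${1:-}" = "demo" ] && [ -n "${2:-}" ]; then
    make_sysext /var/lib/extensions "$(basename "$2")" /etc/os-release "$2"
    check_sysext /var/lib/extensions "$(basename "$2")" /etc/os-release && activate_sysext
fi
```

The ID/SYSEXT_LEVEL coupling is the part worth noticing: it is what lets the OS vendor roll the base image forward and the extension vendor ship independently, yet still guarantees an extension built against a different ABI level is never merged. On a production host the tree would be packed into a .raw image, signed, and verity-protected as slide 5 calls for; this script only covers the layout and compatibility rules.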
  8. Improving Kubernetes Cluster API Experience
     CAPI today, with Image Builder:
     • Worker node image combines OS + Kubernetes control plane
     • User manages/hosts own K8s images
     • K8s + OS versions tied, separate image for every version combination
     • No in-place updates
     CAPI with sysext:
     • Kubernetes control plane as system extension, separate from base OS
     • Stock distro images
     • OS + K8s distros decoupled, simplifying version matrix
     • In-place updates
  9. Support for evolving cloud native workloads
     • WebAssembly runtimes, frameworks, orchestrators
     • More production environments: clouds, edge, on-prem
     • Evolving hardware architectures: ARM, RISC-V, GPUs / AI acceleration, …