So Flatcar’s in the CNCF… What's Next?

Lightning Talk presented at Cloud Native Rejekts, November 11, 2024
Video: https://youtu.be/aRW3LBR6iHo

Andy Randall

December 10, 2024

Transcript

  1. Nov 10-11 • Salt Lake City, Utah
     So Flatcar’s in the CNCF… What's Next?
     Andy Randall, Principal PM Manager, Microsoft, @ahrkrak.bsky.social

  2. Flatcar Container Linux
     • Automated updates (+ rollback)
     • Immutable (read-only) file system
     • Minimal set of packages
     • Declarative provisioning

  3. Flatcar in the CNCF
     • Vendor-neutral foundation governance
     • Rigorous due diligence process
     • Incubation: “stable & successfully used in production”
     • Access to CNCF resources
     “A secure community-owned cloud native operating system was one of the missing layers of the CNCF technology stack” – Chris Aniszczyk, CTO, CNCF

  4. Looking Ahead: Big Themes
     • Simplified multi-cluster management
     • Extensible, composable architecture
     • Enhanced security to address increased threats
     • Native support for the next generation of workloads

  5. Enhancing the cloud native security posture (columns: Supply Chain, Updates, Runtime)
     • Documented and verifiable from source to binary
     • Accessible, reliable inventory data
     • Automated alerting for existing / new CVEs
     • Secure Boot / measured, verified OS
     • Tamper-proof, verity-protected
     • User-managed signing infrastructure
     • Confidential compute
     • Zero-trust, verifiable updates (== no "trusted sources")
     • Tamper protection against MitM
     • Multi-vendor: separate for OS (distro) and extensions (operator)

  6. Making Flatcar Extensible: System Extensions
     https://www.freedesktop.org/software/systemd/man/latest/systemd-sysext.html
     • Loaded at boot time by systemd
     • Overlay file system
     • Library of pre-baked sysexts: github.com/flatcar/sysext-bakery
     • Automatic updates

  7. Composability with System Extensions
     • Easy image customization
     • Alternate container runtimes (torcx replacement)
     • Improved support for OEM variants (replacement for non-updatable /oem partition)

  8. Improving Kubernetes Cluster API Experience
     CAPI today, with Image Builder:
     • Worker node image combines OS + Kubernetes control plane
     • User manages/hosts own K8s images
     • K8s + OS versions tied, separate image for every version combination
     • No in-place updates
     CAPI with sysext:
     • Kubernetes control plane as system extension, separate from base OS
     • Stock distro images
     • OS + K8s distros decoupled, simplifying version matrix
     • In-place updates

  9. Support for evolving cloud native workloads
     • WebAssembly runtimes, frameworks, orchestrators
     • More production environments: clouds, edge, on-prem
     • Evolving hardware architectures: ARM, RISC-V, GPUs / AI acceleration, …
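Slides 6 to 8 rest on systemd-sysext: an extension is a tree that only ships /usr and /opt, carries an extension-release file, and is overlaid onto the booted OS only if that file matches the host's os-release. The following script is an added example and is not code from the talk, from Flatcar or from systemd; it constructs a host os-release and four sample extensions in a temporary directory and applies a simplified re-implementation of the compatibility rule (ID must match or be "_any"; then SYSEXT_LEVEL when both sides declare it, otherwise VERSION_ID). The extension names, version strings and the `*-tool` script are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the talk or from the Flatcar/systemd projects: lay out
# a minimal systemd-sysext extension tree and gate it on the host's os-release
# the way systemd-sysext does before merging /usr and /opt. The compatibility
# rule is a simplified re-implementation (ID must match, or be "_any"; then
# SYSEXT_LEVEL if both sides declare it, otherwise VERSION_ID). Every file
# below is constructed in a temporary directory so the script runs offline.
set -eu

WORK=$(mktemp -d)
HOST_RELEASE="$WORK/os-release"
EXT_ROOT="$WORK/extensions"

# Print the value of KEY ($2) from a release-style file ($1), quotes stripped.
release_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | head -n 1
}

# Constructed host identity, standing in for /etc/os-release on a Flatcar node.
printf 'ID=flatcar\nVERSION_ID=4012.0.0\nSYSEXT_LEVEL=1.0\n' > "$HOST_RELEASE"

# Build extension $1 with the given KEY=value lines in its extension-release
# file. Only /usr and /opt are overlaid by systemd-sysext, so that is all we ship.
make_extension() {
    name=$1; shift
    ext="$EXT_ROOT/$name"
    rel="$ext/usr/lib/extension-release.d/extension-release.$name"
    mkdir -p "$ext/usr/lib/extension-release.d" "$ext/usr/bin"
    printf '%s\n' "$@" > "$rel"
    printf '#!/bin/sh\necho hello from %s\n' "$name" > "$ext/usr/bin/$name-tool"
}

# Decide whether extension $1 may be merged onto this host; print the verdict.
check_extension() {
    rel="$EXT_ROOT/$1/usr/lib/extension-release.d/extension-release.$1"
    [ -f "$rel" ] || { echo "rejected: no extension-release file"; return 0; }
    ext_id=$(release_value "$rel" ID)
    # "_any" marks an extension that is portable across distributions.
    [ "$ext_id" = "_any" ] && { echo compatible; return 0; }
    host_id=$(release_value "$HOST_RELEASE" ID)
    [ "$ext_id" = "$host_id" ] || { echo "rejected: ID '$ext_id' is not '$host_id'"; return 0; }
    # A shared SYSEXT_LEVEL lets an extension survive OS point releases ...
    ext_level=$(release_value "$rel" SYSEXT_LEVEL)
    host_level=$(release_value "$HOST_RELEASE" SYSEXT_LEVEL)
    if [ -n "$ext_level" ] && [ -n "$host_level" ]; then
        [ "$ext_level" = "$host_level" ] && echo compatible || echo "rejected: SYSEXT_LEVEL '$ext_level' is not '$host_level'"
        return 0
    fi
    # ... otherwise the extension is pinned to one exact OS version.
    ext_ver=$(release_value "$rel" VERSION_ID)
    host_ver=$(release_value "$HOST_RELEASE" VERSION_ID)
    if [ -n "$ext_ver" ] && [ "$ext_ver" = "$host_ver" ]; then
        echo compatible
    else
        echo "rejected: VERSION_ID '$ext_ver' is not '$host_ver'"
    fi
}

# Constructed samples: a control-plane extension pinned to the running OS, a
# stale build of it, a portable WebAssembly runtime, and a foreign-distro build.
make_extension kubernetes ID=flatcar VERSION_ID=4012.0.0
make_extension stale-k8s ID=flatcar VERSION_ID=3975.2.0
make_extension wasmtime ID=_any
make_extension foreign ID=otherdistro SYSEXT_LEVEL=1.0

for e in kubernetes stale-k8s wasmtime foreign; do
    printf '%-10s %s\n' "$e" "$(check_extension "$e")"
done
```

On a real node the gate is applied by `systemd-sysext merge` over the extensions found under /etc/extensions, /run/extensions and /var/lib/extensions, and `systemd-sysext list` shows what was accepted. The release-file match is a compatibility check, not an integrity one: it keeps a control-plane extension built for one OS version from silently overlaying a different one (the decoupled version matrix on slide 8), while the verity protection and user-managed signing on slide 5 are what stop a tampered extension from being merged at all.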