Flatcar accepted into CNCF at incubating level

“A secure community-owned cloud native operating system was one of the missing layers of the CNCF technology stack. As validated by a thorough due diligence process, Flatcar has more than proven itself in this role, and we are thrilled to adopt it as an incubating project and will support growing its community.”

Chris Aniszczyk, CTO, Cloud Native Computing Foundation

I couldn’t be more delighted with the news that the Cloud Native Computing Foundation (CNCF) Technical Oversight Committee has voted to accept the Flatcar project at the incubating level. This is the first time the CNCF has adopted an operating system distribution, marking a significant milestone for both the Flatcar project and the cloud native community.

Flatcar provides a lightweight Linux OS specifically tailored for hosting container workloads. It was originally derived from CoreOS Container Linux by Kinvolk, which was acquired by Microsoft in 2021.

At the time of the acquisition, I said “Microsoft is committed to Flatcar Container Linux community development and will invest in working with the Flatcar community to create a growth path forward together.” [1]

I am pleased to be able to say that Microsoft stood by its word. Now part of the Azure Core Linux organization, the original Kinvolk team has continued active project development and maintenance, with an excellent track record of proactively addressing emerging security vulnerabilities. The team has also moved the paid pro features into the free community versions, adopted CNCF best practices for project governance, successfully completed an in-depth independent security review, and established open forums including a popular monthly office hours.

The community has responded by embracing Flatcar in record numbers. Flatcar is widely deployed across practically every public cloud environment, as well as large on-premises environments, is integrated with many Kubernetes offerings, and underpins several managed Kubernetes services. In Azure, Flatcar is one of the top five most popular Linux distributions, as measured by core (virtual CPU) usage. The result today is a thriving, diverse community of production users, supporters, contributors, and maintainers. 

All this progress is reflected by acceptance at the incubating level, which in CNCF terms means that a project is considered stable and is used successfully in production environments. This situates Flatcar alongside many other notable incubating cloud native projects such as Dapr, gRPC, Notary, and OpenTelemetry.

Some of the key characteristics that have enabled Flatcar’s success include:

  • Minimal: Flatcar includes just the minimal set of packages needed for hosting container workloads. This reduces the attack surface, the number of vulnerabilities, the image size, and the start-up time. 
  • Auto updates (and rollback): Flatcar automatically checks for updates, downloading new releases into a non-active OS partition, and rebooting (following user-defined policies) into that partition when ready. If for any reason the new release fails to start, it automatically reverts to the previously-installed, known good version. Flatcar’s update server, Nebraska, includes even more flexible server-side update policy controls and is included as a sub-project within the Flatcar distribution. 
  • Secure: In addition to its reduced attack surface and auto-update mechanisms, which are key aspects of security, the Flatcar operating system is immutable (cannot be changed at runtime) and verified at boot time. This combination of characteristics eliminates a broad range of attack vectors, making Flatcar one of the most secure ways to deploy containers and Kubernetes. 
  • Declarative config: A fleet of Flatcar machines can be deployed at scale with declarative Ignition configuration files, ensuring manageability at scale. Combined with the immutability of the operating system itself, configuration drift (individual servers departing from their originally intended state as a result of uncontrolled changes) is also avoided, further simplifying “day two” operations.

Since joining Microsoft, the Flatcar team has continued to maintain the project, with regular releases keeping the user community secure, and innovating with new capabilities including:

  • System Extensions: Leveraging the capabilities introduced in recent systemd releases, Flatcar has adopted system extensions as the strategic path forward for customizing and enhancing the base operating system. A bakery of off-the-shelf system extensions makes it easy to create custom images supporting different cloud platforms, Cluster API integrations, or versions optimized for edge applications such as lightweight web assembly workers. 
  • Ignition v3: Flatcar has moved to the latest version of the Ignition provisioning project, and uniquely added backward compatibility with Ignition v2, enabling smooth migration for existing users.
  • ARM64: Flatcar added support for ARM64 workloads and was one of the first Linux distros to support Arm in Azure, including the latest Cobalt processors.
  • Cluster API: Thanks to Flatcar team contributions, the upstream Cluster API project now supports Ignition-based distros including Flatcar, and there are Cluster API integrations for Flatcar with a variety of platforms including Azure, AWS, and VMware. 
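The "Auto updates" and "Declarative config" characteristics above, together with the Ignition v3 item, come together in a single provisioning file. The following Butane configuration is an added example written for this post, not something taken from the Flatcar project's own documentation or code. It assumes Butane's `flatcar` variant, a placeholder SSH public key, and that Flatcar's update client reads `GROUP` and `REBOOT_STRATEGY` from `/etc/flatcar/update.conf` (the release channel to follow and the reboot policy for the locksmith reboot coordinator). Because the whole node state is declared here, re-provisioning from the same file yields the same machine, which is what removes configuration drift.

```yaml
# Added example (not from the Flatcar project). Butane source that is
# transpiled into an Ignition v3 JSON config before being passed to a
# new Flatcar machine as user data.
variant: flatcar
version: 1.0.0

passwd:
  users:
    - name: core
      ssh_authorized_keys:
        # Constructed placeholder; replace with a real public key.
        - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL admin@example.invalid"

storage:
  files:
    # Update policy for the A/B partition scheme described above. Assumed
    # keys: GROUP selects the release channel that update_engine follows;
    # REBOOT_STRATEGY=off still downloads and applies releases to the
    # inactive partition but leaves the reboot to an operator-driven
    # process (for example a Kubernetes drain-and-reboot controller),
    # instead of rebooting immediately.
    - path: /etc/flatcar/update.conf
      overwrite: true
      mode: 0644
      contents:
        inline: |
          GROUP=stable
          REBOOT_STRATEGY=off

    # A small sysctl drop-in; illustrates that host hardening is also
    # declared here rather than applied by hand on a running node.
    - path: /etc/sysctl.d/10-kptr.conf
      mode: 0644
      contents:
        inline: |
          kernel.kptr_restrict=2

systemd:
  units:
    # Enable the container runtime on first boot.
    - name: docker.service
      enabled: true
```

Transpile with `butane --strict config.bu > config.ign` and supply `config.ign` as the instance user data; `--strict` makes unknown or misspelled keys a hard error, which is the check you want before a fleet-wide rollout. If a node has to be rebuilt, the same `config.ign` reproduces it, and because the root filesystem is immutable at runtime there is no in-place editing to diverge from what the file declares.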

For more details, see the CNCF announcement blog post.

Learn more about Flatcar

At KubeCon North America in Salt Lake City on November 12-15, visit the Flatcar Kiosk (16A) to meet with the Flatcar team and ask questions. 

References:

  1. Microsoft acquires Kinvolk to accelerate container-optimized innovation.