Slide 1

Nov 10-11 • Salt Lake City, Utah
So Flatcar’s in the CNCF… What's Next?
Andy Randall, Principal PM Manager, Microsoft
@ahrkrak.bsky.social

Slide 2

Flatcar Container Linux
• Automated updates (+ rollback)
• Immutable (read-only) file system
• Minimal set of packages
• Declarative provisioning

Slide 3

Contributions from 646 contributors, 218 companies
https://flatcar.devstats.cncf.io/

Slide 4

• Vendor-neutral foundation governance
• Rigorous due diligence process
• Incubation: “stable & successfully used in production”
• Access to CNCF resources

“A secure community-owned cloud native operating system was one of the missing layers of the CNCF technology stack” – Chris Aniszczyk, CTO, CNCF

Slide 5

Looking Ahead: Big Themes
• Simplified multi-cluster management
• Extensible, composable architecture
• Enhanced security to address increased threats
• Native support for the next generation of workloads

Slide 6

CVEs patched in 2024 (so far)

Slide 7

Enhancing the cloud native security posture

Supply Chain
• Documented and verifiable from source to binary
• Accessible, reliable inventory data
• Automated alerting for existing / new CVEs

Runtime
• Secure Boot / measured, verified OS
• Tamper-proof, verity-protected
• User-managed signing infrastructure
• Confidential compute

Updates
• Zero-trust, verifiable updates (== no "trusted sources")
• Tamper protection against MitM
• Multi-vendor: separate for OS (distro) and extensions (operator)

Slide 8

Making Flatcar Extensible: System Extensions
https://www.freedesktop.org/software/systemd/man/latest/systemd-sysext.html
• Loaded at boot time by systemd
• Overlay file system
• Library of pre-baked sysexts: github.com/flatcar/sysext-bakery
• Automatic updates

Slide 9

Composability with System Extensions
• Easy image customization
• Alternate container runtimes (torcx replacement)
• Improved support for OEM variants (replacement for non-updatable /oem partition)
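Slides 8 and 9 describe system extensions as overlays that systemd merges into /usr at boot; what the deck does not show is the gate that decides whether an extension is allowed to be merged at all. The script below is an added example, not code from the talk or from the Flatcar project: it builds a directory-style sysext (one of the forms systemd-sysext accepts, next to raw disk images) and re-implements the extension-release compatibility rules documented in systemd-sysext(8) and os-release(5) as a plain-shell check. The extension names, OS identifiers, version strings and the `demo-runtime`/`foreign-ext` fixtures are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the talk or the Flatcar project: build a
# directory-based systemd-sysext and apply the extension-release
# compatibility rules from systemd-sysext(8) before it would be merged.
# All names, versions and paths below are constructed for illustration.
set -eu

# Create a directory-style extension $root/$name that ships one tool under
# /usr/bin plus the metadata systemd-sysext requires. A directory is one of
# the forms systemd-sysext accepts (next to raw/verity images), so this
# needs neither mksquashfs nor root.
make_sysext() {
    root="$1"; name="$2"; id="$3"; level="$4"
    mkdir -p "$root/$name/usr/bin" "$root/$name/usr/lib/extension-release.d"
    printf '#!/bin/sh\necho "hello from %s"\n' "$name" > "$root/$name/usr/bin/$name-tool"
    chmod 0755 "$root/$name/usr/bin/$name-tool"
    # The metadata file name must carry the extension's own name.
    {
        echo "ID=$id"
        echo "SYSEXT_LEVEL=$level"
        echo "ARCHITECTURE=_any"
    } > "$root/$name/usr/lib/extension-release.d/extension-release.$name"
}

# Print the value of KEY ($2) from an os-release style file ($1); empty if absent.
get_field() {
    sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1
}

# Decide whether extension directory $1 may be overlaid on the host described
# by the os-release file $2. Prints one verdict word and always returns 0 so
# callers can compare the output under set -e. Rules follow systemd-sysext(8):
#   * ID=_any matches any host and skips the version check;
#   * otherwise ID must equal the host ID, and then SYSEXT_LEVEL (if set)
#     must match the host, else VERSION_ID must match the host.
check_sysext_compat() {
    ext_dir="$1"; host_release="$2"
    name=$(basename "$ext_dir")
    rel="$ext_dir/usr/lib/extension-release.d/extension-release.$name"
    if [ ! -f "$rel" ]; then echo missing-extension-release; return 0; fi
    ext_id=$(get_field "$rel" ID)
    if [ "$ext_id" = "_any" ]; then echo ok; return 0; fi
    if [ "$ext_id" != "$(get_field "$host_release" ID)" ]; then echo id-mismatch; return 0; fi
    ext_level=$(get_field "$rel" SYSEXT_LEVEL)
    if [ -n "$ext_level" ]; then
        if [ "$ext_level" != "$(get_field "$host_release" SYSEXT_LEVEL)" ]; then echo level-mismatch; return 0; fi
    elif [ "$(get_field "$rel" VERSION_ID)" != "$(get_field "$host_release" VERSION_ID)" ]; then
        echo version-mismatch; return 0
    fi
    echo ok
}

# Stand-alone demo: a host that identifies as Flatcar, one matching and one
# foreign extension (constructed values, not real release numbers).
demo() {
    work=$(mktemp -d)
    printf 'ID=flatcar\nVERSION_ID=0.0.0-example\nSYSEXT_LEVEL=1.0\n' > "$work/os-release"
    make_sysext "$work" demo-runtime flatcar 1.0
    make_sysext "$work" foreign-ext otheros 1.0
    for e in demo-runtime foreign-ext; do
        printf '%s: %s\n' "$e" "$(check_sysext_compat "$work/$e" "$work/os-release")"
    done
    rm -rf "$work"
}
demo
```

On a real host the extension directory would live under /etc/extensions/ (or /run/extensions/ for a non-persistent test) and be activated with `systemd-sysext merge` or `systemd-sysext refresh`; systemd performs the same metadata check before overlaying /usr, which is why an extension built for another distribution or a different SYSEXT_LEVEL is silently skipped rather than merged. The check above is the compatibility gate only; image signing and verity protection, which the deck lists under the runtime posture, are enforced separately when the extension is shipped as a verity-backed image rather than a directory.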

Slide 10

Improving Kubernetes Cluster API Experience

CAPI today, with Image Builder
• Worker node image combines OS + Kubernetes control plane
• User manages/hosts own K8s images
• K8s + OS versions tied, separate image for every version combination
• No in-place updates

CAPI with Sysext
• Kubernetes control plane as system extension, separate from base OS
• Stock distro images
• OS + K8s distros decoupled, simplifying version matrix
• In-place updates

Slide 11

Support for evolving cloud native workloads
• WebAssembly runtimes, frameworks, orchestrators
• More production environments: clouds, edge, on-prem
• Evolving hardware architectures: ARM, RISC-V, GPUs / AI acceleration, …

Slide 12

Wrapping up
• Flexible, extensible
• Secure
• Community-driven, foundation governed
• Evolving with cloud native

Slide 13

Thank you
flatcar.org
@flatcar.bsky.social
@flatcar@hachyderm.io
github.com/flatcar