The ControlPlane distribution for Flux CD comes with enterprise-hardened Flux controllers including:
- Hardened container images and SBOMs in-sync with upstream Flux releases.
- Continuous scanning and CVE patching for Flux container base images.
- SLAs for remediation of critical vulnerabilities affecting Flux functionality.
- FIPS-compliant Flux builds based on FIPS 140-2 validated BoringSSL.
- Extended compatibility of Flux controllers for the latest six minor releases of Kubernetes.
- Assured compatibility with Kubernetes LTS versions provided by cloud vendors.
The ControlPlane distribution is offered on a yearly subscription basis and includes enterprise-grade support services for running Flux in production.
Tip
Connect with us to explore how the enterprise distribution aligns with your unique requirements. Together, we'll develop and review a plan tailored to your challenges, goals, and budget.
ControlPlane offers two distribution channels for the Flux controllers:
- FIPS-compliant images hosted at ghcr.io/controlplaneio-fluxcd/distroless.
- Mainline images hosted at ghcr.io/controlplaneio-fluxcd/alpine.
The ControlPlane container images are continuously scanned for vulnerabilities and patched accordingly.
The ControlPlane distribution offers hardened Google Distroless-based Flux images to organizations that must comply with the NIST FIPS 140-2 standard.
The Flux controller binaries are statically linked against the Google BoringSSL libraries, and the Go runtime restricts all TLS configuration to FIPS-approved settings by importing the crypto/tls/fipsonly package.
The mainline distribution channel offers Alpine Linux-based images fully compatible with the upstream Flux feature set.
The major difference between the Flux upstream images and mainline images is the continuous scanning and CVE patching for the container base images, OS packages, and Go dependencies.
The build, release and provenance portions of the ControlPlane distribution supply chain meet SLSA Build Level 3.
The ControlPlane images come with SBOMs in SPDX format for each CPU architecture.
Example of extracting the SBOM from the source-controller image:
docker buildx imagetools inspect \
<registry>/source-controller:v1.2.3 \
--format "{{ json (index .SBOM \"linux/amd64\").SPDX}}"
The ControlPlane images are signed using Sigstore Cosign and GitHub OIDC.
Example of verifying the signature of the source-controller image:
cosign verify <registry>/source-controller:v1.2.3 \
--certificate-identity-regexp=^https://github\\.com/controlplaneio-fluxcd/.*$ \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
The provenance attestations are generated at build time with Docker Buildkit and include facts about the build process such as:
- Build timestamps
- Build parameters and environment
- Version control metadata
- Source code details
- Materials (files, scripts) consumed during the build
Example of extracting the SLSA provenance JSON for the source-controller image:
docker buildx imagetools inspect \
<registry>/source-controller:v1.2.3 \
--format "{{ json (index .Provenance \"linux/amd64\").SLSA}}"
The provenance of the build artifacts is generated with the official SLSA GitHub Generator.
Example of verifying the provenance of the source-controller image:
cosign verify-attestation --type slsaprovenance \
--certificate-identity-regexp=^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml.*$ \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
<registry>/source-controller:v1.2.3
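The cosign command above proves that the attestation was signed by the SLSA GitHub generator workflow; the deployer still has to look inside the decoded payload to confirm it describes the image being deployed and was built from the expected source. The following added example (not ControlPlane's or Flux's code) decodes one DSSE envelope line of the kind `cosign verify-attestation` prints and applies those policy checks to the SLSA v0.2 statement. The statement is constructed inline with placeholder digests; the builder regexp mirrors the page's `--certificate-identity-regexp`, and the `git+https://github.com/controlplaneio-fluxcd/` prefix for `invocation.configSource.uri` is an assumption about the generator's provenance layout.

```python
"""Policy checks over an SLSA provenance statement of the kind that
`cosign verify-attestation --type slsaprovenance` returns (one DSSE
envelope per line). cosign checks the signature; these checks are the
additional policy a deployer applies to the decoded payload."""
import base64
import json
import re

# Assumed expectations, mirroring the page's cosign identity regexp. The
# "git+" prefix on configSource URIs is an assumption about the SLSA
# GitHub generator's provenance layout.
EXPECTED_BUILDER_RE = re.compile(
    r"^https://github\.com/slsa-framework/slsa-github-generator/"
    r"\.github/workflows/generator_container_slsa3\.yml@.*$"
)
EXPECTED_SOURCE_PREFIX = "git+https://github.com/controlplaneio-fluxcd/"

GENERATOR_ID = ("https://github.com/slsa-framework/slsa-github-generator/"
                ".github/workflows/generator_container_slsa3.yml@refs/tags/v1.9.0")


def sample_statement(image_digest="a" * 64, builder_id=GENERATOR_ID,
                     source_uri="git+https://github.com/controlplaneio-fluxcd/distribution@refs/tags/v1.2.3"):
    """Build a constructed in-toto statement (placeholder digests and
    versions; not a real attestation) so the checks can run offline."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{
            "name": "ghcr.io/controlplaneio-fluxcd/distroless/source-controller",
            "digest": {"sha256": image_digest},
        }],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://github.com/slsa-framework/slsa-github-generator/container@v1",
            "invocation": {"configSource": {
                "uri": source_uri,
                "digest": {"sha1": "b" * 40},
                "entryPoint": ".github/workflows/release.yml",
            }},
        },
    }


def sample_envelope(statement=None) -> str:
    """Wrap a statement in a DSSE envelope shaped like cosign's output."""
    statement = statement or sample_statement()
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload,
        "signatures": [{"keyid": "", "sig": "<signature placeholder>"}],
    })


def decode_envelope(line: str) -> dict:
    """Extract the in-toto statement from one DSSE envelope line."""
    envelope = json.loads(line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement: dict, image_digest: str,
                     builder_re=EXPECTED_BUILDER_RE,
                     source_prefix=EXPECTED_SOURCE_PREFIX) -> list:
    """Return a list of policy violations (empty means the statement passes).

    image_digest is the digest of the image actually being deployed, as
    'sha256:<hex>' or bare hex; it must appear among the statement subjects,
    otherwise the provenance describes a different artifact."""
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        problems.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")

    want = image_digest.split(":", 1)[-1].lower()
    have = {s.get("digest", {}).get("sha256", "").lower()
            for s in statement.get("subject", [])}
    if want not in have:
        problems.append("subject digest does not match the deployed image")

    predicate = statement.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id", "")
    if not builder_re.match(builder_id):
        problems.append(f"untrusted builder id {builder_id!r}")

    source_uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not source_uri.startswith(source_prefix):
        problems.append(f"build config came from unexpected source {source_uri!r}")
    return problems


if __name__ == "__main__":
    statement = decode_envelope(sample_envelope())
    print(check_provenance(statement, "sha256:" + "a" * 64) or "provenance policy: OK")
```

In practice the envelope line comes from piping the cosign output into the script and the digest from `docker buildx imagetools inspect`; the subject check matters because a valid signature from the right builder on a different image is still not proof for the image you are about to run.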
ControlPlane offers a seamless transition from CNCF Flux to the enterprise distribution with no impact on Flux availability. The hardened container images provided by ControlPlane are fully compatible with the upstream Flux installation and bootstrap procedure.
To access the ControlPlane registry, customers need to create a Kubernetes image pull secret in the flux-system namespace with their credentials:
kubectl create secret docker-registry flux-enterprise-auth \
--namespace flux-system \
--docker-server=ghcr.io \
--docker-username=flux \
--docker-password=$TOKEN
Customers can then bootstrap Flux with the enterprise distribution using the Flux CLI or the Flux TF provider.
Example of bootstrapping Flux with the enterprise distribution:
flux bootstrap github \
--owner=customer-org \
--repository=customer-repo \
--branch=main \
--path=./clusters/production \
--image-pull-secret=flux-enterprise-auth \
--registry=ghcr.io/controlplaneio-fluxcd/distroless
To keep the Flux controller image digests and manifests up to date with the latest version of the Enterprise Distribution, ControlPlane provides Kustomize image patches for the Flux manifests, which can be found in the distribution repository. We also provide support for configuring automated updates of the Flux manifests in bootstrap repositories.
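As an added illustration of what such a patch looks like (this is not the distribution repository's own patch), the following kustomization.yaml in a bootstrap repository's flux-system directory rewrites the upstream source-controller image to the distroless channel and pins it to a digest, so a tag being re-pushed in the registry cannot change what the cluster runs. The file names match what `flux bootstrap` generates; the digest is a placeholder.

```yaml
# clusters/production/flux-system/kustomization.yaml (assumed path from the
# --path flag used at bootstrap)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
images:
  - name: ghcr.io/fluxcd/source-controller
    newName: ghcr.io/controlplaneio-fluxcd/distroless/source-controller
    # Placeholder digest; take the real value from the distribution's
    # image patches or from `docker buildx imagetools inspect`.
    digest: sha256:0000000000000000000000000000000000000000000000000000000000000000
```

Pinning by digest rather than tag is what makes the signature and provenance checks above meaningful: the digest you verified is the digest the controllers are deployed from, and updating it is a reviewable change in the bootstrap repository.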