Flux Distribution Introduction
ControlPlane Enterprise for Flux CD is a comprehensive solution for organizations seeking to leverage the power of GitOps in their Kubernetes environments.
Built on top of the CNCF-graduated Flux project, the ControlPlane distribution provides a secure, scalable, and enterprise-ready platform for managing the delivery of application and infrastructure workloads on multi-tenant Kubernetes clusters.
The ControlPlane distribution comes with enterprise-hardened Flux controllers including support services for running Flux in production.
Highlights
- Hardened Images
  The ControlPlane enterprise distribution comes with FIPS-compliant hardened container images for the GitOps Toolkit controllers, kept in sync with the upstream CNCF Flux releases.
- Extended Kubernetes Compatibility
  The distribution is end-to-end tested with the latest six minor releases of Kubernetes, as well as Red Hat OpenShift and Kubernetes LTS versions provided by cloud vendors such as AWS EKS, Azure AKS and Google GKE.
- Zero CVEs
  The ControlPlane images are continuously scanned for vulnerabilities and patched accordingly. We offer SLAs for remediation of critical vulnerabilities affecting Flux functionality, and we provide SBOMs and VEX documents for container images, dependencies and build environments.
- Maintained by Experts
  The enterprise distribution is maintained by security experts at ControlPlane together with CNCF Flux core maintainers. We provide hotfixes and CVE patches for the enterprise distribution ahead of the upstream releases, while keeping the feature set in sync with the Flux project.
Flux Operator
To streamline the deployment of the enterprise distribution, the ControlPlane team created the Flux Operator. The operator manages the lifecycle of the Flux controllers and automates the upgrade process, including the patching of hotfixes and CVEs affecting Flux functionality.
Distribution Channels
We offer the following distribution channels for the Flux controllers:
- FIPS-compliant
- Mainline
FIPS-compliant
The ControlPlane distribution offers hardened Google Distroless-based Flux images to organizations that must comply with the NIST FIPS 140-2 standard.
The Flux controller binaries are statically linked against the Google BoringSSL libraries, and the Go runtime restricts all TLS configuration to FIPS-approved settings by importing the crypto/tls/fipsonly package.
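One way to check this on a controller binary copied out of an image, as an added example that is not ControlPlane's or the Flux project's own code: crypto/tls/fipsonly exists only in Go builds made with GOEXPERIMENT=boringcrypto, and the Go linker records that experiment in the binary's build metadata. The function names are assumptions made for this illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"strings"
)

// hasBoringCrypto reports whether the embedded toolchain version or the
// GOEXPERIMENT build setting names the boringcrypto experiment.
func hasBoringCrypto(goVersion string, settings map[string]string) bool {
	// Experiment builds report a version such as "go1.x.y X:boringcrypto".
	if _, exps, ok := strings.Cut(goVersion, " X:"); ok && listHas(exps, "boringcrypto") {
		return true
	}
	return listHas(settings["GOEXPERIMENT"], "boringcrypto")
}

// listHas checks a comma-separated list for an exact entry.
func listHas(list, want string) bool {
	return strings.Contains(","+list+",", ","+want+",")
}

// inspect reads the build metadata embedded in a Go binary on disk.
func inspect(path string) (bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return false, err // not a Go binary, or build info stripped
	}
	settings := make(map[string]string, len(info.Settings))
	for _, s := range info.Settings {
		settings[s.Key] = s.Value
	}
	return hasBoringCrypto(info.GoVersion, settings), nil
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: fipscheck <path-to-go-binary>")
	}
	ok, err := inspect(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("boringcrypto=%v %s\n", ok, os.Args[1])
}
```

A positive result shows the binary was compiled with the BoringCrypto experiment enabled; it does not by itself show that crypto/tls/fipsonly is imported.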
Mainline
The mainline distribution channel offers Alpine Linux-based images fully compatible with the upstream Flux feature set.
The major difference between the Flux upstream images and the ControlPlane mainline images is the continuous scanning and CVE patching for the container base images, OS packages, and Go dependencies.
Distribution Components
The ControlPlane distribution comprises Open Source components such as the CNCF Flux controllers (Apache 2.0 License) and the Flux Operator (AGPL-3.0 License).
Delivery Pipeline
The build, test and release pipeline developed by ControlPlane is compliant with the SLSA security framework.
The ControlPlane build system produces FIPS-compliant binaries, multi-arch container images, generates SBOMs, applies CVE patches & hotfixes to the Open Source components, and runs conformance tests. The resulting container images and SBOMs are hosted on private registries that are only available to customers with a valid subscription.