Flux Distribution Introduction

ControlPlane Enterprise for Flux CD is a comprehensive solution for organizations seeking to leverage the power of GitOps in their Kubernetes environments.

Built on top of the CNCF-graduated Flux project, the ControlPlane distribution provides a secure, scalable, and enterprise-ready platform for managing the delivery of application and infrastructure workloads on multi-tenant Kubernetes clusters.

The ControlPlane distribution comes with enterprise-hardened Flux controllers including support services for running Flux in production.

Highlights

  • Hardened Images


    The ControlPlane enterprise distribution comes with FIPS-compliant hardened container images for the GitOps Toolkit controllers, kept in sync with the upstream CNCF Flux releases.

  • Extended Kubernetes Compatibility


    The distribution is end-to-end tested with the latest six minor releases of Kubernetes, as well as Red Hat OpenShift and Kubernetes LTS versions provided by cloud vendors such as AWS EKS, Azure AKS, and Google GKE.

  • Zero CVEs


    The container images are continuously scanned for vulnerabilities and patched accordingly. ControlPlane offers SLAs for remediation of critical vulnerabilities affecting Flux functionality, and provides SBOMs and VEX documents for images, dependencies, and build environments.

  • Maintained by Experts


    The enterprise distribution is maintained by security experts at ControlPlane together with CNCF Flux core maintainers. ControlPlane provides hotfixes and CVE patches for the enterprise distribution ahead of the upstream releases, while keeping the feature set in sync with the Flux project.

Flux Operator

To streamline the deployment of the enterprise distribution, the ControlPlane team created the Flux Operator. The operator manages the lifecycle of the Flux controllers and automates the upgrade process, including the patching of hotfixes and CVEs affecting Flux functionality.

Distribution Channels

ControlPlane offers the following distribution channels for the Flux controllers:

Distroless

The ControlPlane distribution offers hardened Google Distroless-based Flux images.

Distroless comes with two variants, distroless and distroless-fips. The latter is built using the FIPS 140-3 mode, and the Go runtime is configured to restrict the TLS and SSH configuration to FIPS-approved settings.

The Distroless variants have no shell or package managers installed, reducing the attack surface and eliminating entire classes of CVEs. Due to the absence of a shell environment and OS packages, the following kustomize-controller features are disabled:

  • Kustomize remote bases: requires the git binary to fetch remote resources, bypassing source-controller; use GitRepository or OCIRepository sources instead.
  • Secrets decryption with GnuPG: requires the gpg binary; use Age encryption or a cloud KMS provider instead.
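
Before moving a cluster to the Distroless variants, a repository checkout can be scanned for the two disabled features listed above. The following is an added example, not code from ControlPlane or the Flux project; the function names and sample inputs are hypothetical, and the matching is a line-based heuristic rather than a full YAML parse, so its findings are candidates for review.

```python
import re
from pathlib import Path

# Entries kustomize treats as remote: URL schemes, scp-style git, or github.com shorthand.
REMOTE = re.compile(r"^\s*-\s*['\"]?((?:https?|ssh|git)://\S+|git@\S+|github\.com/\S+)")
# SOPS stores a PGP-wrapped data key as an armored message inside its metadata.
PGP_MARKER = "-----BEGIN PGP MESSAGE-----"

def find_remote_bases(text):
    """Return remote-looking list entries from a kustomization.yaml body."""
    hits = []
    for line in text.splitlines():
        m = REMOTE.match(line.split(" #")[0])  # ignore trailing comments
        if m:
            hits.append(m.group(1).rstrip("'\""))
    return hits

def uses_pgp(text):
    """True if a SOPS-encrypted YAML/JSON file carries a PGP-wrapped data key."""
    has_sops = re.search(r'^\s*"?sops"?\s*:', text, re.MULTILINE) is not None
    return has_sops and PGP_MARKER in text

def scan_tree(root):
    """Walk a repository checkout and return (path, finding) tuples."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in {".yaml", ".yml", ".json"}:
            continue
        text = path.read_text(errors="replace")
        if path.name in {"kustomization.yaml", "kustomization.yml"}:
            findings += [(str(path), f"remote base: {u}") for u in find_remote_bases(text)]
        if uses_pgp(text):
            findings.append((str(path), "SOPS secret encrypted with PGP"))
    return findings

# Constructed sample inputs (not taken from any real repository).
SAMPLE_KUSTOMIZATION = """\
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./deployment.yaml
  - https://github.com/example-org/example-repo//deploy?ref=v1.0.0
  - git@github.com:example-org/private-repo.git//base
"""
SAMPLE_SOPS = ("data:\n  token: ENC[AES256_GCM,data:...]\nsops:\n  pgp:\n"
               "    - enc: |\n        " + PGP_MARKER + "\n")

if __name__ == "__main__":
    print(find_remote_bases(SAMPLE_KUSTOMIZATION))
    print(uses_pgp(SAMPLE_SOPS))
```

Each remote base reported is a candidate for a GitRepository or OCIRepository source, and each PGP finding is a secret to re-encrypt with Age or a cloud KMS key before switching variants.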

Mainline

The mainline distribution channel offers Alpine Linux-based images fully compatible with the upstream Flux feature set.

The major difference between the Flux upstream images and the ControlPlane mainline images is the continuous scanning and CVE patching for the container base images, OS packages, and Go dependencies.

Distribution Components

The ControlPlane distribution comprises Open Source components such as the CNCF Flux controllers (Apache 2.0 License) and the Flux Operator (AGPL-3.0 License).

Delivery Pipeline

The build, test and release pipeline developed by ControlPlane is compliant with the SLSA security framework.

The ControlPlane build system produces FIPS-compliant binaries, multi-arch container images, generates SBOMs, applies CVE patches & hotfixes to the Open Source components, and runs conformance tests. The resulting container images and SBOMs are hosted on private registries that are only available to customers with a valid subscription.

Distribution Addons

ControlPlane offers enterprise-grade addons that integrate seamlessly with the Flux distribution, enabling organizations to enforce identity policies, streamline incident response, and operate GitOps at scale.

  • Dex IdP — hardened Dex providing OIDC-based Single Sign-On for the Flux Web UI.
  • Local MCP Server — hardened Flux MCP for AI-assisted incident response and GitOps pipeline troubleshooting across environments.

All addons are covered by ControlPlane's SLA for CVE remediation and FIPS compliance.