
Enterprise Distribution for Flux CD

The ControlPlane distribution for Flux CD comes with enterprise-hardened Flux controllers including:

  • Hardened container images and SBOMs in-sync with upstream Flux releases.
  • Continuous scanning and CVE patching for Flux container base images.
  • SLAs for remediation of critical vulnerabilities affecting Flux functionality.
  • FIPS-compliant Flux builds based on FIPS 140-2 validated BoringSSL.
  • Extended compatibility of Flux controllers for the latest six minor releases of Kubernetes.
  • Assured compatibility with Kubernetes LTS versions provided by cloud vendors.

The ControlPlane distribution is offered on a yearly subscription basis and includes enterprise-grade support services for running Flux in production.

Tip

Connect with us to explore how the enterprise distribution aligns with your unique requirements. Together, we'll develop and review a plan tailored to your challenges, goals, and budget.

Distribution Channels

ControlPlane offers two distribution channels for the Flux controllers:

  • FIPS-compliant images hosted at ghcr.io/controlplaneio-fluxcd/distroless.
  • Mainline images hosted at ghcr.io/controlplaneio-fluxcd/alpine.

The ControlPlane container images are continuously scanned for vulnerabilities and patched accordingly.

FIPS-compliant

The ControlPlane distribution offers hardened Google Distroless-based Flux images to organizations that must comply with NIST FIPS 140-2 standards.

The Flux controller binaries are statically linked against the Google BoringSSL libraries, and the Go runtime restricts all TLS configuration to FIPS-approved settings by importing the crypto/tls/fipsonly package.

Mainline

The mainline distribution channel offers Alpine Linux-based images fully compatible with the upstream Flux feature set.

The major difference between the Flux upstream images and mainline images is the continuous scanning and CVE patching for the container base images, OS packages, and Go dependencies.

Supply Chain Security

The build, release and provenance portions of the ControlPlane distribution supply chain meet SLSA Build Level 3.

Software Bill of Materials

The ControlPlane images come with SBOMs in SPDX format for each CPU architecture.

Example of extracting the SBOM from the source-controller image:

docker buildx imagetools inspect \
    <registry>/source-controller:v1.2.3 \
    --format "{{ json (index .SBOM \"linux/amd64\").SPDX}}"
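As an added example (not part of this README or the ControlPlane tooling), the following Python reads the SPDX JSON that the command above prints and turns it into a package inventory keyed by purl type, then checks it against a minimum-version policy. A practitioner would use this to confirm that a dependency a vendor says has been patched is actually at the expected version inside the image. The SPDX document, package names, versions and the policy below are all constructed sample data, not taken from a real image.

```python
import json
import re

# Constructed sample: a heavily trimmed SPDX 2.3 document in the shape that
# `docker buildx imagetools inspect --format '{{ json ... .SPDX }}'` prints.
# Package names and versions are illustrative only.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "sbom-sha256:0000000000000000000000000000000000000000000000000000000000000000",
    "packages": [
        {"name": "golang.org/x/net", "versionInfo": "v0.23.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:golang/golang.org/x/net@v0.23.0"}]},
        {"name": "libssl3", "versionInfo": "3.1.4-r5",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:apk/alpine/libssl3@3.1.4-r5"}]},
        {"name": "github.com/example/old", "versionInfo": "v1.0.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:golang/github.com/example/old@v1.0.0"}]},
    ],
})

# Constructed policy: minimum acceptable versions of Go modules we care about.
POLICY = {
    "golang": {
        "golang.org/x/net": "v0.23.0",          # present and new enough
        "github.com/example/old": "v1.2.0",     # present but older than required
        "github.com/example/absent": "v0.1.0",  # not in the SBOM at all
    }
}

# purl grammar subset: pkg:<type>/<namespace-and-name>@<version>
_PURL_RE = re.compile(r"pkg:([^/]+)/(.+)@([^@?#]+)")


def packages_by_purl_type(spdx_json: str) -> dict:
    """Return {purl_type: {name: version}} for every package that carries a purl."""
    doc = json.loads(spdx_json)
    inventory = {}
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            m = _PURL_RE.match(ref.get("referenceLocator", ""))
            if not m:
                continue
            ptype, name, version = m.groups()
            inventory.setdefault(ptype, {})[name] = version
    return inventory


def _semver_key(version: str) -> tuple:
    """Map 'v1.2.3-rc1+meta' to (1, 2, 3); non-numeric components count as 0."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    nums = [int(p) if p.isdigit() else 0 for p in core.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def check_minimum_versions(spdx_json: str, policy: dict) -> list:
    """Return (name, found_version, minimum, reason) for every policy miss."""
    inventory = packages_by_purl_type(spdx_json)
    findings = []
    for ptype, minimums in policy.items():
        present = inventory.get(ptype, {})
        for name, minimum in minimums.items():
            found = present.get(name)
            if found is None:
                findings.append((name, None, minimum, "missing"))
            elif _semver_key(found) < _semver_key(minimum):
                findings.append((name, found, minimum, "too-old"))
    return findings


if __name__ == "__main__":
    for finding in check_minimum_versions(SAMPLE_SPDX, POLICY):
        print("FINDING:", finding)
```

Pipe the real `docker buildx imagetools inspect` output into `check_minimum_versions` instead of `SAMPLE_SPDX` to run it against an actual image; a "missing" finding is worth treating as seriously as "too-old", since it usually means the SBOM and the policy disagree about a package name.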

Signature Verification

The ControlPlane images are signed using Sigstore Cosign and GitHub OIDC.

Example of verifying the signature of the source-controller image:

cosign verify <registry>/source-controller:v1.2.3 \
  --certificate-identity-regexp=^https://github\\.com/controlplaneio-fluxcd/.*$ \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com

SLSA Provenance Verification

The provenance attestations are generated at build time with Docker Buildkit and include facts about the build process such as:

  • Build timestamps
  • Build parameters and environment
  • Version control metadata
  • Source code details
  • Materials (files, scripts) consumed during the build

Example of extracting the SLSA provenance JSON for the source-controller image:

docker buildx imagetools inspect \
  <registry>/source-controller:v1.2.3 \
  --format "{{ json (index .Provenance \"linux/amd64\").SLSA}}"

The provenance of the build artifacts is generated with the official SLSA GitHub Generator.

Example of verifying the provenance of the source-controller image:

cosign verify-attestation --type slsaprovenance \
  --certificate-identity-regexp=^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml.*$ \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  <registry>/source-controller:v1.2.3
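`cosign verify-attestation` checks the signature and the certificate identity, but the contents of the provenance predicate still have to be inspected before an image is admitted. As an added example (not code from this README or from ControlPlane), the Python below decodes the DSSE envelope that cosign prints, one JSON object per line, and applies a small policy: the predicate must be SLSA provenance v0.2, the subject digest must be the one about to be deployed, the builder id must match the generator workflow used in the command above, and the build's config source must live in the controlplaneio-fluxcd GitHub organization. The envelopes, digests, repository name and generator tag are constructed sample values; the signature bytes are dummies because signature checking is cosign's job, not this script's.

```python
import base64
import json
import re

# Builder identity, taken from the verification command in this README.
EXPECTED_BUILDER_RE = re.compile(
    r"^https://github\.com/slsa-framework/slsa-github-generator/"
    r"\.github/workflows/generator_container_slsa3\.yml.*$")
# Assumption: only builds from this GitHub organization are acceptable.
EXPECTED_SOURCE_RE = re.compile(r"^git\+https://github\.com/controlplaneio-fluxcd/[^@]+@")
SLSA_V02 = "https://slsa.dev/provenance/v0.2"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def make_envelope(subject_digest: str, builder_id: str, source_uri: str) -> str:
    """Constructed DSSE envelope in the shape cosign verify-attestation prints.

    Field layout follows in-toto Statement v0.1 with a SLSA v0.2 predicate;
    the buildType string and the signature value are placeholders."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SLSA_V02,
        "subject": [{"name": "ghcr.io/example-org/source-controller",
                     "digest": {"sha256": subject_digest}}],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "CONSTRUCTED-PLACEHOLDER",
            "invocation": {"configSource": {
                "uri": source_uri,
                "digest": {"sha1": "0" * 40},
                "entryPoint": ".github/workflows/release.yml"}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": IN_TOTO_PAYLOAD_TYPE,
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": "ZHVtbXk="}]})


def check_provenance(envelope_line: str, expected_digest: str) -> list:
    """Return policy violations for one envelope line; an empty list means accept."""
    env = json.loads(envelope_line)
    if env.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        return ["unexpected payloadType %r" % env.get("payloadType")]
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != SLSA_V02:
        # SLSA v1 puts the builder and source in a different layout; not handled here.
        return ["predicateType %r is not SLSA provenance v0.2" % stmt.get("predicateType")]
    problems = []
    digests = [s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])]
    if expected_digest not in digests:
        problems.append("subject digest does not match %s" % expected_digest)
    predicate = stmt.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id", "")
    if not EXPECTED_BUILDER_RE.match(builder_id):
        problems.append("builder.id %r is not the SLSA container generator" % builder_id)
    source = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not EXPECTED_SOURCE_RE.match(source):
        problems.append("configSource.uri %r is outside the expected organization" % source)
    return problems


# Constructed inputs: one envelope that satisfies the policy, one that does not.
DEPLOY_DIGEST = "a" * 64
GOOD_ENVELOPE = make_envelope(
    DEPLOY_DIGEST,
    "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/"
    "generator_container_slsa3.yml@refs/tags/v1.9.0",
    "git+https://github.com/controlplaneio-fluxcd/example-repo@refs/tags/v1.2.3")
TAMPERED_ENVELOPE = make_envelope(
    "b" * 64,
    "https://github.com/another-org/builder/.github/workflows/build.yml@refs/heads/main",
    "git+https://github.com/another-org/repo@refs/heads/main")


if __name__ == "__main__":
    # Real usage: `cosign verify-attestation ... | python3 this_script.py` and
    # call check_provenance on every line of stdin with the pinned digest.
    for label, env in (("good", GOOD_ENVELOPE), ("tampered", TAMPERED_ENVELOPE)):
        print(label, check_provenance(env, DEPLOY_DIGEST))
```

Pin the digest you pass as `expected_digest` to the one your manifests reference (not a floating tag), so the attestation cannot be satisfied by a different build of the same version string.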

Installation and Upgrades

ControlPlane offers a seamless transition from CNCF Flux to the enterprise distribution with no impact on Flux availability. The hardened container images provided by ControlPlane are fully compatible with the upstream Flux installation and bootstrap procedure.

To access the ControlPlane registry, customers need to create a Kubernetes image pull secret in the flux-system namespace with their credentials:

kubectl create secret docker-registry flux-enterprise-auth \
  --namespace flux-system \
  --docker-server=ghcr.io \
  --docker-username=flux \
  --docker-password=$TOKEN

Customers can then bootstrap Flux with the enterprise distribution using the Flux CLI or the Flux TF provider.

Example of bootstrapping Flux with the enterprise distribution:

flux bootstrap github \
  --owner=customer-org \
  --repository=customer-repo \
  --branch=main \
  --path=./clusters/production \
  --image-pull-secret=flux-enterprise-auth \
  --registry=ghcr.io/controlplaneio-fluxcd/distroless

To keep the Flux controller image digests and manifests up-to-date with the latest version of the Enterprise Distribution, ControlPlane provides Kustomize image patches for the Flux manifests, which can be found in the distribution repository. We provide support for configuring automated updates of the Flux manifests in bootstrap repositories.