CNCF Projects

All projects of the Cloud Native Computing Foundation are classified into one of three stages of maturity: Sandbox, Incubating, or Graduated.

CNCF Graduation Criteria are documented in the CNCF TOC repo. The document describes the maturity stages of the projects.

Graduated Projects


“Kubernetes is a portable, extensible open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.

Google open-sourced the Kubernetes project in 2014. Kubernetes builds upon a decade and a half of experience that Google has with running production workloads at scale, combined with best-of-breed ideas and practices from the community." - What is Kubernetes? -


“Prometheus is an open-source systems monitoring and alerting toolkit originally built at SoundCloud. Since its inception in 2012, many companies and organizations have adopted Prometheus, and the project has a very active developer and user community. It is now a standalone open source project and maintained independently of any company. To emphasize this, and to clarify the project’s governance structure, Prometheus joined the Cloud Native Computing Foundation in 2016 as the second hosted project, after Kubernetes." - Introduction to Prometheus -


“Originally built at Lyft, Envoy is a high performance C++ distributed proxy designed for single services and applications, as well as a communication bus and “universal data plane” designed for large microservice “service mesh” architectures. Built on the learnings of solutions such as NGINX, HAProxy, hardware load balancers, and cloud load balancers, Envoy runs alongside every application and abstracts the network by providing common features in a platform-agnostic manner. When all service traffic in an infrastructure flows via an Envoy mesh, it becomes easy to visualize problem areas via consistent observability, tune overall performance, and add substrate features in a single place." - Why Envoy? -


“CoreDNS is a DNS server. It is written in Go. It can be used in a multitude of environments because of its flexibility. CoreDNS is licensed under the Apache License Version 2, and completely open source." - What is it? -


“containerd is an industry-standard core container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc." - About containerd -


“Fluentd is an open source data collector for building the unified logging layer. Once installed on a server, it runs in the background to collect, parse, transform, analyze and store various types of data." - What is Fluentd? - faq


“Jaeger, inspired by Dapper and OpenZipkin, is a distributed tracing system released as open source by Uber Technologies. It is used for monitoring and troubleshooting microservices-based distributed systems." - About -


“Vitess is a database solution for deploying, scaling and managing large clusters of MySQL instances. It’s architected to run as effectively in a public or private cloud architecture as it does on dedicated hardware. It combines and extends many important MySQL features with the scalability of a NoSQL database." - Overview -


“The Update Framework (TUF) helps developers maintain the security of a software update system, even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system." - TUF Readme


“Helm helps you manage Kubernetes applications — Helm Charts helps you define, install, and upgrade even the most complex Kubernetes application. Charts are easy to create, version, share, and publish — so start using Helm and stop the copy-and-paste madness. The latest version of Helm is maintained by the CNCF - in collaboration with Microsoft, Google, Bitnami and the Helm contributor community." - What is Helm? -


“Project Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Having a registry closer to the build and run environment can improve the image transfer efficiency. Harbor supports replication of images between registries, and also offers advanced security features such as user management, access control and activity auditing." - Harbor Readme


“Rook is an open source cloud-native storage orchestrator for Kubernetes, providing the platform, framework, and support for a diverse set of storage solutions to natively integrate with cloud-native environments." - What is Rook? - Rook Readme


“TiKV (“Ti” stands for Titanium) is a distributed transactional key-value database, originally created to complement TiDB, a distributed HTAP database compatible with the MySQL protocol. TiKV is built in Rust and powered by Raft, and was inspired by the design of Google Spanner and HBase, but without dependency on any specific distributed file system." - TiKV Readme

Incubating Projects


“gRPC is a modern open source high performance RPC framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in last mile of distributed computing to connect devices, mobile applications and browsers to backend services." - About -


“CNI (Container Network Interface), a Cloud Native Computing Foundation project, consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted. Because of this focus, CNI has a wide range of support and the specification is simple to implement." - What is CNI?- CNI Readme


“Notary aims to make the internet more secure by making it easy for people to publish and verify content. We often rely on TLS to secure our communications with a web server, which is inherently flawed, as any compromise of the server enables malicious content to be substituted for the legitimate content." - Overview - Notary Readme


“NATS is an open source, lightweight, high-performance cloud native infrastructure messaging system. It implements a highly scalable and elegant publish-subscribe (pub/sub) distribution model. The performant nature of NATS makes it an ideal base for building modern, reliable, scalable cloud native distributed systems." - What is NATS? -


“Linkerd is a transparent service mesh, designed to make modern applications safe and sane by transparently adding service discovery, load balancing, failure handling, instrumentation, and routing to all inter-service communication." - Linkerd Readme


“etcd is a distributed reliable key-value store for the most critical data of a distributed system, with a focus on being:

Open Policy Agent

“OPA is a lightweight general-purpose policy engine that can be co-located with your service. You can integrate OPA as a sidecar, host-level daemon, or library." - What is OPA? -


“CRI-O is an implementation of the Kubernetes CRI (Container Runtime Interface) to enable using OCI (Open Container Initiative) compatible runtimes. It is a lightweight alternative to using Docker as the runtime for Kubernetes. It allows Kubernetes to use any OCI-compliant runtime as the container runtime for running pods. Today it supports runc and Kata Containers as the container runtimes but any OCI-conformant runtime can be plugged in principle." - What is CRI-O? -


CloudEvents Specification


“Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Powered by sysdig’s system call capture infrastructure, Falco lets you continuously monitor and detect container, application, host, and network activity… all in one place, from one source of data, with one set of rules." - Overview - Falco Readme


“Open source Kubernetes native workflows, events, CI and CD” - Overview -


“Dragonfly is an intelligent P2P-based image and file distribution tool. It aims to improve the efficiency and success rate of file transferring, and maximize the usage of network bandwidth, especially for the distribution of large amounts of data, such as application distribution, cache distribution, log distribution, and image distribution." - Overview -


“SPIFFE (Secure Production Identity Framework For Everyone) provides a secure identity, in the form of a specially crafted X.509 certificate, to every workload in a modern production environment. SPIFFE removes the need for application-level authentication and complex network-level ACL configuration." - What is SPIFFE? -


“SPIRE (the SPIFFE Runtime Environment) is a tool-chain for establishing trust between software systems across a wide variety of hosting platforms. Concretely, SPIRE exposes the SPIFFE Workload API, which can attest running software systems and issue SPIFFE IDs and SVIDs to them." - Spire Readme


“Contour is an open source Kubernetes ingress controller providing the control plane for the Envoy edge and service proxy. Contour supports dynamic configuration updates and multi-team ingress delegation out of the box while maintaining a lightweight profile." -


“Flux is a collection of tools for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy." - Flux -


“The Distributed Application Runtime (Dapr) provides APIs that simplify microservice connectivity. Whether your communication pattern is service to service invocation or pub/sub messaging, Dapr helps you write resilient and secured microservices. By letting Dapr’s sidecar take care of the complex challenges such as service discovery, message broker integration, encryption, observability, and secret management, you can focus on business logic and keep your code simple." - Dapr -


“Cilium uses the revolutionary kernel technology, eBPF, to provide networking, security and observability for cloud native workloads” -


“Knative is a solution to build Serverless and Event Driven Applications. Serverless Containers in Kubernetes environments." -

Sandbox Projects


“Telepresence is an open source tool that lets you run a single service locally, while connecting that service to a remote Kubernetes cluster." - Overview -


“An effort to create an open standard for transmitting metrics at scale, with support for both text representation and Protocol Buffers." -


“Cortex provides horizontally scalable, multi-tenant, long term storage for Prometheus metrics when used as a remote write destination, and a horizontally scalable, Prometheus-compatible query API." - Cortex Readme


“Buildpacks provide a higher-level abstraction for building apps compared to Dockerfiles." - What Are Buildpacks? -

Virtual Kubelet

“Virtual Kubelet is an open source Kubernetes kubelet implementation that masquerades as a kubelet for the purposes of connecting Kubernetes to other APIs. This allows the nodes to be backed by other services like ACI, AWS Fargate,, IoT Edge etc. The primary scenario for VK is enabling the extension of the Kubernetes API into serverless container platforms like ACI, Fargate, and, though we are open to others. However, it should be noted that VK is explicitly not intended to be an alternative to Kubernetes federation." - Virtual Kubelet Readme


“KubeEdge is an open source system for extending native containerized application orchestration capabilities to hosts at Edge." - KubeEdge website


“Keptn is a control-plane for continuous delivery and automated operations." -


“Brigade is a tool for running scriptable, automated tasks in the cloud — as part of your Kubernetes cluster." - Brigade-overview

Network Service Mesh

“Network Service Mesh (NSM) is a novel approach to solving complicated L2/L3 use cases in Kubernetes that are tricky to address within the existing Kubernetes Network Model. Inspired by Istio, Network Service Mesh maps the concept of a service mesh to L2/L3 payloads." - What is Network Service Mesh? -


“OpenTelemetry is made up of an integrated set of APIs and libraries as well as a collection mechanism via an agent and collector. These components are used to generate, collect, and describe telemetry about distributed systems. This data includes basic context propagation, distributed traces, metrics, and other signals in the future. OpenTelemetry is designed to make it easy to get critical telemetry data out of your services and into your backend(s) of choice. For each supported language it offers a single set of APIs, libraries, and data specifications, and developers can take advantage of whichever components they see fit." - What is OpenTelemetry? -


“OpenEBS is the leading open-source project for container-attached and container-native storage on Kubernetes. OpenEBS adopts Container Attached Storage (CAS) approach, where each workload is provided with a dedicated storage controller. OpenEBS implements granular storage policies and isolation that enable users to optimize storage for each specific workload. OpenEBS runs in user space and does not have any Linux kernel module dependencies." - Introduction -


“Thanos is a set of components that can be composed into a highly available metric system with unlimited storage capacity, which can be added seamlessly on top of existing Prometheus deployments." - Overview - Thanos readme


“in-toto provides a framework to protect the integrity of the software supply chain. It does so by verifying that each task in the chain is carried out as planned, by authorized personnel only, and that the product is not tampered with in transit." - in-toto - in-toto Readme


“Litmus is a toolset to perform cloud-native chaos engineering. Litmus provides tools to orchestrate chaos on Kubernetes and helps SREs find weaknesses in their deployments. SREs use Litmus to run chaos experiments initially in the staging environment and eventually in production to find bugs, vulnerabilities. Fixing the weaknesses leads to increased resilience of the system." - Litmus


“Tinkerbell is a bare metal provisioning engine. Tinkerbell standardizes infrastructure and application management using the same API-centric, declarative configuration and automation approach pioneered by the Kubernetes community." - Tinkerbell


“Meshery is the open source, service mesh management plane that enables the adoption, operation, and management of any service mesh and their workloads." - Meshery

Service Mesh Performance

“Service Mesh Performance is a standard for capturing and characterizing the details of infrastructure capacity, service mesh configuration, and workload metadata." - Service Mesh Performance


“MetalLB is a load-balancer implementation for bare metal Kubernetes clusters, using standard routing protocols." - MetalLB


“Karmada (Kubernetes Armada) is a Kubernetes management system that enables you to run your cloud-native applications across multiple Kubernetes clusters and clouds, with no changes to your applications." - Karmada

Inclavare Containers

“Inclavare Containers is an innovation of container runtime with the novel approach for launching protected containers in hardware-assisted Trusted Execution Environment (TEE) technology, aka Enclave, which can prevent the untrusted entity, such as Cloud Service Provider (CSP), from accessing the sensitive and confidential assets in use." - Inclavare Containers


“WasmEdge is a lightweight, high-performance, and extensible WebAssembly runtime for cloud native, edge, and decentralized applications. It is the fastest Wasm VM today. Its use cases include serverless apps, embedded functions, microservices, smart contracts, and IoT devices. WasmEdge supports all standard WebAssembly extensions as well as proprietary extensions for Tensorflow inference, KV store, and image processing, etc. Its compiler toolchain supports not only WebAssembly languages such as C/C++, Rust, Swift, Kotlin, and AssemblyScript but also regular JavaScript." - WasmEdge


“SuperEdge is a distributed edge container management system. Aims to seamlessly expand the native Kubernetes centralized resource management capabilities to edge computing and distributed resource management scenarios, and centrally manage edge devices and applications." - SuperEdge


“Akri (A Kubernetes Resource Interface for the Edge) removes the work of finding, using, and monitoring the availability of the IoT devices around Kubernetes clusters. It provides an abstraction layer for device usage, handling the dynamic appearance and disappearance of IoT devices on the Edge. Akri continually detects nodes that have access to IoT devices and schedules workloads based on their availability." - Akri

Open Cluster Management

“Open Cluster Management (OCM) is a community-driven project focused on multi-cluster and multi-cloud scenarios for Kubernetes apps. Open APIs are evolving within this project for cluster registration, work distribution, dynamic placement of policies and workloads, and much more." - Open Cluster Management


“KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operation) of containers and nodes at the system level." - KubeArmor


“Nocalhost is a cloud-native dev environment (including VSCode and JetBrains plug-ins). It allows developers to develop applications directly in a Kubernetes cluster using an IDE plug-in, with local coding taking effect in real-time within the container, reducing the development/debugging/testing cycle." - Nocalhost


K8up (pronounced /keɪtæpp/ or simply “ketchup”) is a Kubernetes Operator distributed via a Helm chart, compatible with OpenShift and plain Kubernetes. - K8up


“kube-rs is a set of core libraries for building applications against the kubernetes api in Rust." - kube-rs


“OpenELB is an open-source load balancer implementation designed for exposing the LoadBalancer type of Kubernetes services in bare metal, edge, and virtualization environments." - OpenELB


“Devfile is an open standard defining containerized development environments that enables developer tools to simplify and accelerate workflows." - Devfile


“Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies." - Kyverno


“OpenFunction is a cloud-native open source FaaS (Function as a Service) platform aiming to let you focus on your business logic without having to maintain the underlying runtime environment and infrastructure. You only need to submit business-related source code in the form of functions." - OpenFunction

Confidential Containers

“Confidential Containers is an open source community working to enable cloud native confidential computing by leveraging Trusted Execution Environments to protect containers and data." - Confidential Containers



“Teller is a universal secret manager for developers” - Teller

Non-code Projects

Cloud Native Glossary

“The Cloud Native Glossary is a project led by the CNCF Business Value Subcommittee. Its goal is to explain cloud native concepts in clear and simple language without requiring any previous technical knowledge." - Cloud Native Glossary

Archived Projects


Vendor-neutral APIs and instrumentation for distributed tracing.


rkt is a pod-native container engine for Linux. It is composable, secure, and built on standards.