This document summarizes the evolution of Flux from version 1 to version 2. It describes how Flux started as a tool to ensure cluster state matches Git config and has become a multi-tenant continuous delivery platform. It outlines key milestones such as graduating from CNCF sandbox to incubation and hitting over 4,000 stars. It also provides an overview of Flux version 2's architecture and growing set of capabilities around areas like GitOps, Helm, Kustomize, security, and support for artifacts from container registries.
The Evolution of Flux from Inception to CNCF Graduation
1. December 12, 2022
The evolution of Flux
From Inception to CNCF Graduation
Stefan Prodan
Principal Engineer at Weaveworks
Core maintainer of Flux & Flagger
2. Flux v1
A DevOps tool that automatically ensures that the state of a cluster matches the config in Git.
2016 - 2021
275 contributors
6900 stars
5. Flux v1 team over the years
● Alexis Richardson (coined GitOps and came up with the Flux name)
● Michael Bridgen
● Peter Bourgon
● Paul Bellamy
● Phil Winder
● Sam Broughton
● Alfonso Acosta
● Stefan Prodan
● Hidde Beydals
● Nick Cabatoff
● Justin Barrick
● And many more
● Matthias Radestock
● Bryan Boreham
● Jordan Pellizzari
● Marc Carré
● Ilya Dmitrichenko
● Aaron Kirkbride
● Adam Harrison
● Elena Morozova
6. Flux v1 Timeline
● 2016 Flux made OSS by Weaveworks
● 2016 Flux adds container image automation
● 2017 Generally available release
● 2018 Flux supports verifying commit signatures (OpenPGP)
● 2018 Flux adds native support for Helm (HelmRelease CRD)
● 2019 Weaveworks donates Flux to CNCF (sandbox)
● 2019 Flux adds support for Kustomize (manifests generation)
● 2019 Flux adds garbage collection
● 2020 Flux adds secret decryption (Mozilla SOPS)
● 2021 Deprecated in favour of Flux v2
10. Flux - Kubernetes Controllers
Source Controller: fetch, verify and cache resources from Git, OCI and S3-compatible storage
Kustomize Controller: server-side apply, GC, decryption and dependency management for Kustomize overlays
Helm Controller: manage the life cycle of Helm releases
Notification Controller: receive and dispatch events from/to external systems
Image Reflector Controller: fetch metadata of OCI artifacts from container registries
Image Automation Controller: update Kubernetes YAML in Git when new artifacts are available
11. Flux team (December 2022)
Maintainers
● Hidde Beydals
● Stefan Prodan
● Philip Laine
● Aurel Canciu
● Sunny Gogoi
● Somtochi Onyekwere
● Soule Ba
● Paulo Gomes
● Sanskar Jaiswal
● Max Jonas Werner
Community & DX
● Tamao Nakahara
● Daniel Holbach
● Stacey Potter
● Scott Rigby
● Kingdon Barrett
● Pinky Ravi
● Vanessa Abankwah
● Juozas Gaigalas
12. Flux v2 timeline
● 2020 Flux v2 kickstart
● 2021 Flux adds bootstrap and auto-update capabilities
● 2021 Flux advances from CNCF sandbox to incubation
● 2021 Flux adds support for S3-compatible storage
● 2021 First Flux extension tf-controller (Weaveworks OSS)
● 2022 Flux adopts server-side apply (drift detection & GC)
● 2022 Flux v2 powers GitOps for AWS, Azure, VMware, D2IQ, DoD
● 2022 Weaveworks releases Weave GitOps, an OSS Flux UI
● 2022 Flux adds support for OCI Artifacts & Cosign verification
● 2022 Flux becomes a CNCF graduated project
13. Flux v2 - Security audit
● 2021 First independent security audit (OSTIF & ADA Logics)
○ We’ve addressed all the security issues found in record time
○ We’ve put in place an RFC process for changes to Flux security posture
○ Started continuous fuzzing for all Flux controllers and packages
● 2022 The Flux team focuses on security hardening
○ We’ve found and addressed a series of multi-tenancy vulnerabilities (locking down kustomize, helm & kubeconfig)
○ We’ve improved fuzzing and the test coverage of sensitive operations
○ Flux ships with signed releases/binaries/images and SBOM
● 2023 Flux is scheduled for a 2nd security audit
14. Flux - Tooling
● Flux CLI is a fully-fledged solution for installing, upgrading, operating and debugging Flux
● Flux Terraform Provider offers an alternative to Flux CLI install/upgrade features
● Flux comes with GitHub Actions for upgrading Flux and driving app promotions with PRs
● Flux Go client offers programmatic access to the Kubernetes API for operating and observing Flux
● Flux comes with Grafana dashboards for monitoring
● Weaveworks offers an OSS Web UI for Flux
15. Flux - Kustomize integration
● Flux Kustomization CRD is the counterpart of Kustomize config
● Flux builds Kustomize overlays in a secure manner
○ No remote bases (Flux sources are cached & subject to policy)
○ No plugins or KRM (shell-execing can’t be multi-tenant)
○ No Helm inflator (Flux has native Helm support)
● Garbage collection for stale Kustomize generated manifests
● Encryption/Decryption for Kustomize secrets generator
● Flux native variable substitutions instead of Kustomize vars
● Dependency management and health checking for overlays
16. Flux - Helm integration
● Declarative helming with HelmRepository & HelmRelease CRDs
● Flux helm-controller is built on top of the Helm Go SDK
● Support for all Helm operations (including tests & pre-post hooks)
● Unlike Helm, Flux manages CRD upgrades
● Support for Kustomize patches as Helm post-render action
● Automated Helm upgrades based on semver ranges
● Automated rollback based on health checks and test results
● Support for charts stored in container registries as OCI artifacts
17. Flux - Multi-tenancy Mode
Flux enables multi-tenancy by allowing platform admins to assign restricted Kubernetes accounts to the tenants’ sources. When Flux reconciles the tenant’s Kubernetes resources, it does so by impersonating the tenant’s account, thus enforcing the isolation boundary as defined by platform admins in their Git repository.
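An added example (not from the deck or the Flux docs) serving both the Kustomize-integration and the multi-tenancy slides: the platform admin's manifests for one tenant, binding a restricted ServiceAccount to the tenant namespace and having Flux impersonate it while applying the tenant's overlay with pruning, SOPS decryption, variable substitution and health checks. Names (tenant-a, tenant-a-reconciler, sops-age, web) are placeholders, and a GitRepository named tenant-a in the tenant-a namespace is assumed to exist.

```yaml
# Constructed example; tenant-a, tenant-a-reconciler, sops-age and web are
# placeholders. A GitRepository "tenant-a" in namespace tenant-a is assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tenant-a-reconciler
  namespace: tenant-a
---
# Bind the account to the built-in "admin" ClusterRole inside tenant-a only,
# so the reconciler cannot touch other namespaces or cluster-scoped objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-a-reconciler
  namespace: tenant-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
  - kind: ServiceAccount
    name: tenant-a-reconciler
    namespace: tenant-a
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: tenant-a
  namespace: tenant-a
spec:
  interval: 10m
  path: ./deploy
  prune: true                              # garbage-collect stale manifests
  serviceAccountName: tenant-a-reconciler  # reconcile by impersonating this SA
  sourceRef:
    kind: GitRepository
    name: tenant-a                         # same namespace: no cross-ns reference
  decryption:
    provider: sops
    secretRef:
      name: sops-age                       # placeholder: holds the age key
  postBuild:
    substitute:
      cluster_env: production              # Flux variable substitution
  healthChecks:
    - apiVersion: apps/v1
      kind: Deployment
      name: web
      namespace: tenant-a
```

Anything the tenant commits that exceeds the RoleBinding is rejected by the API server under the impersonated account; running kustomize-controller and helm-controller with `--no-cross-namespace-refs=true` and `--default-service-account=default` additionally stops tenants from referencing other namespaces' sources and from omitting serviceAccountName to gain the controller's own privileges.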
19. Flux - GA Roadmap
● GitOps GA (Q1 2023)
○ Generally available release for the Flux GitOps APIs, and the Flux Git bootstrap & webhooks functionalities.
● Helm GA (Q2 2023)
○ Generally available release for the Flux Helm APIs and the Flux Helm functionalities.
● Notifications GA (Q3 2023)
○ Generally available release for the Flux Events & Alerting APIs and the Flux CLI notifications functionalities.
● Image Automation (TBA)
● OCI Artifacts (TBA)