Container Orchestrator and Build Tool Catalog
Catalogue of every container orchestrator, build system, CI/CD platform, image builder, registry, service mesh, and adjacent cloud-native tooling encountered in production engineering practice (2018–2026). Vendor names, release cadences, licensing notes, deprecations, ownership changes, and integration touchpoints are included where load-bearing for an engineering decision.
1. Kubernetes — the Reference Orchestrator
Donated by Google to the CNCF (2015); CNCF-graduated 2018. Largest open-source project by contributor count after Linux kernel; ~17 000 monthly active contributors, ~120 SIGs (Special Interest Groups: SIG-Node, SIG-Network, SIG-Storage, SIG-API Machinery, SIG-Auth, …). Release cadence: ~4 minor versions/year (recent: 1.28, 1.29, 1.30, 1.31; v1.32 expected late 2026), each with 14-month support window.
1.1 Core Architecture
- Control plane: kube-apiserver, etcd (consensus store), kube-scheduler, kube-controller-manager, cloud-controller-manager
- Node plane: kubelet, kube-proxy, container runtime
- Container Runtime Interface (CRI): gRPC contract; containerd, CRI-O, Docker (via cri-dockerd shim since v1.24 removed dockershim)
- Container Network Interface (CNI): Calico, Cilium, Flannel, Weave (EoL), Antrea, AWS VPC CNI, Azure CNI, GKE Dataplane V2 (Cilium-based)
- Container Storage Interface (CSI): out-of-tree storage drivers (EBS, GCE PD, Azure Disk, Ceph RBD, Rook, Longhorn, OpenEBS, Portworx, NetApp Trident, Pure Storage)
- Admission controllers: Pod Security Admission (PSA, replaced PodSecurityPolicy in 1.25), ValidatingAdmissionPolicy (CEL-based, GA 1.30), MutatingAdmissionWebhook, Kyverno, OPA Gatekeeper
1.2 Managed Kubernetes Distributions
AWS EKS (2018 GA):
- Control plane fee: $73/mo; per-node EC2 charges separate
- Fargate launch type — serverless pods (no node management), $0.004445/GiB-hr
- Karpenter — open-sourced 2021, donated to CNCF 2023; intelligent node autoscaler replacing Cluster Autoscaler
- Bottlerocket — purpose-built container OS
- Pod Identity (2023) — IAM roles for pods without IRSA OIDC config
Google GKE (2014 GA; oldest managed K8s):
- Standard mode — pay per node
- Autopilot mode (2021) — Google manages nodes; pay per pod ($0.0445/vCPU-hr request)
- gVisor sandboxed runtime option (kernel isolation)
- Spot VMs node pools
- Multi-cluster Ingress / Gateway via Anthos / GKE Enterprise
- Pricing: $0.10/cluster-hr standard; one zonal cluster free
Azure AKS:
- Free control plane in Free tier; $0.10/cluster-hr Standard tier (SLA-backed)
- Virtual Nodes via ACI
- Azure CNI Overlay (2023, recommended) vs Azure CNI Pod Subnet
- Workload Identity (OIDC-based) replacing pod identity
Other managed:
- DOKS DigitalOcean Kubernetes — $12/mo per node minimum
- Linode LKE (Akamai) — control plane free, HA $60/cluster
- Vultr VKE — control plane free
- Civo (k3s-based; fastest provisioning ~90 s)
- Scaleway Kapsule
- OVHcloud Managed Kubernetes
- Oracle Container Engine for Kubernetes (OKE) — control plane free
- IBM Cloud Kubernetes Service
Enterprise on-prem / hybrid distributions:
- Red Hat OpenShift Container Platform (OCP 4.x) — paid; Red Hat Enterprise Linux CoreOS, integrated dev experience (Source-to-Image, builds, registry, monitoring), Operators-first; OKD = upstream community
- SUSE Rancher + RKE2 — open-source upstream; RKE2 = “next-gen” Rancher Kubernetes Engine, replaces RKE1 (deprecated 2025-07)
- Mirantis Kubernetes Engine (MKE) — descendant of Docker Enterprise Edition (acquired 2019); also offers k0s and Lens IDE
- VMware Tanzu Kubernetes Grid (TKG) — now under Broadcom; future uncertain post-acquisition
- HPE Ezmeral Runtime Enterprise
- Spectro Cloud Palette — multi-cluster lifecycle
- Loft Labs — kiosk (multi-tenancy), vcluster (virtual K8s clusters), DevSpace
- Charmed Kubernetes (Canonical, juju-based)
- Platform9 Managed Kubernetes
- D2iQ Kubernetes Platform (DKP; ex-Mesosphere) — acquired by Nutanix 2023
- Diamanti hyperconverged (acquired 2022)
1.3 Lightweight Kubernetes
- K3s (Rancher, 2019) — single 60 MB binary; sqlite by default, optional embedded etcd or external DB; designed for edge + IoT + CI; CNCF Sandbox 2020 then Incubating
- K0s (Mirantis, 2020) — single binary; CNCF Sandbox; designed for simplicity + minimal moving parts
- MicroK8s (Canonical) — snap-based; add-ons (cilium, istio, etc.); multi-node clustering; ARM friendly
- KinD (Kubernetes in Docker, sig-testing) — clusters as Docker containers; for CI, local dev and testing Kubernetes itself
- Minikube — legacy, still supported; multiple drivers (Docker, VirtualBox, KVM, HyperKit, Hyper-V)
- Kubernetes Anywhere — archived
- k3d — k3s in Docker (similar to KinD but for k3s)
- Docker Desktop bundled K8s — single-node, simple but resource heavy
1.4 Specialised K8s Distributions
- Tanzu Kubernetes Grid Integrated (TKGI; ex-PKS) — VMware
- IBM Cloud Pak for Applications — OpenShift-based
- Mirantis Lens — IDE for K8s
- Crossplane (CNCF graduated 2024) — provision cloud resources via K8s APIs
- Karmada (CNCF graduated 2024) — multi-cluster federation
- Submariner — cross-cluster networking
- KubeVela (CNCF graduated) — application delivery platform (OAM)
- KubeEdge (CNCF graduated) — edge K8s
- OpenYurt — edge K8s
- Argo Workflows (CNCF graduated)
- Argo CD (CNCF graduated)
- Flux CD (CNCF graduated)
2. Non-Kubernetes Orchestrators
2.1 HashiCorp Nomad
- Single 100 MB binary; agent on every node
- Job specs in HCL or JSON
- Schedules containers (Docker, Podman), VMs (QEMU), Java, executables, raw_exec — broader than K8s
- Federation across regions native
- Simpler than K8s; popular at Cloudflare, CircleCI, Trivago, Roblox
- HashiCorp acquisition by IBM announced 2024-04 ($6.4B); OSS licensing concerns while the close was pending (Nomad moved from MPL 2.0 to BSL in 2023)
- Consul + Vault + Nomad common stack
2.2 AWS ECS (Elastic Container Service)
- Proprietary AWS-only; launched 2014 (predates K8s)
- Task definitions (JSON)
- Launch types: EC2 (you manage), Fargate (serverless)
- Lighter integration overhead than EKS; deep VPC/IAM/CloudWatch coupling
- ECS Anywhere — run ECS agent on on-prem
2.3 GCP Cloud Run
- Serverless containers; built on Knative + Anthos
- Stateless HTTP; up to 8 vCPU + 32 GiB; up to 1000 concurrent requests/container
- Cloud Run Jobs (batch) since 2023
- $0.0025/vCPU-hr idle (CPU always allocated)
2.4 Azure Container Instances (ACI)
- Single-container or container group serverless
- Often pod-level offload from AKS (Virtual Nodes)
- Confidential containers via AMD SEV-SNP (preview 2024)
2.5 Knative
- K8s-based serverless; Serving + Eventing components
- CNCF (incubating); originated Google + Pivotal + IBM + Red Hat 2018
- Powers Cloud Run, IBM Cloud Code Engine
- Auto-scale to zero, request-driven scaling
2.6 KEDA (Kubernetes Event-Driven Autoscaler)
- CNCF graduated 2023-08
- Scales K8s deployments based on event sources (Kafka, RabbitMQ, AWS SQS, Azure Service Bus, Prometheus metrics, cron, GCP Pub/Sub)
- 60+ scalers; complements HPA
2.7 Apache Mesos + Marathon
- Mesos 2009 (UC Berkeley AMP Lab); Marathon framework on top
- Apache Attic 2021 (project archived); Mesosphere/D2iQ pivoted to K8s
- Legacy installs at Twitter (eventually migrated), Airbnb, Verizon
2.8 Docker Swarm Mode
- Built into Docker Engine since 1.12 (2016); simpler than K8s
- Limited new development; supported but de-emphasised
- Still used in small-scale homelabs + simple multi-host Docker
2.9 OpenSwarm / Docker Swarm Classic
- Predecessor (separate orchestrator before Swarm Mode); deprecated
3. Service Mesh
Sidecar (or sidecarless) data plane handling east-west traffic: mTLS, observability, traffic shifting, retries, circuit-breaking, authorisation.
3.1 Istio
- CNCF graduated 2023-07 (joined CNCF 2022)
- Envoy sidecar by default; control plane = istiod
- Ambient mesh mode (2023+) eliminates per-pod sidecars: ztunnel L4 + waypoint proxies L7
- Adopters: Lyft, Salesforce, Square, eBay, IBM, Solo.io (commercial Gloo Mesh Enterprise / Istio)
- Versions: 1.21 → 1.24 (2024–2026)
3.2 Linkerd
- Buoyant; CNCF graduated 2021 (first mesh to graduate)
- Rust micro-proxy (proxy-init free), simpler than Istio
- Adopters: HP, Subspace, Salesforce MuleSoft, Adidas, Microsoft
- Pricing model controversy: Buoyant moved stable releases to paid for orgs >50 employees (2024)
3.3 Cilium Service Mesh
- Isovalent (acquired by Cisco 2024-12 for $2.6B)
- eBPF-based; bypasses iptables and sidecars
- L7 via Envoy DaemonSet (no per-pod sidecar)
- CNI + service mesh + network policy + observability (Hubble)
- Adopters: Google GKE Dataplane V2, AWS EKS native option, Datadog, Adobe
3.4 Consul Connect
- HashiCorp; works with Nomad and K8s
- Envoy-based proxy; integrated with Consul service discovery
- Multi-runtime, multi-platform
3.5 Other Meshes
- AWS App Mesh — deprecation announced 2024-09 (EoL 2026-09); successor: VPC Lattice (L7 inside AWS networking layer) or Istio
- GKE Anthos Service Mesh / Cloud Service Mesh — Google’s managed Istio
- Kong Mesh — Kong’s enterprise offering built on Kuma (CNCF Sandbox)
- Open Service Mesh (OSM) — Microsoft; archived 2024-04
- Tetrate Service Bridge — Istio-based commercial
- Solo.io Gloo Mesh — Istio enterprise distribution
4. CI/CD Platforms
4.1 GitHub Actions
- Highest-share CI in 2024 surveys (~60% of CNCF users)
- Linux/Windows/macOS runners; ARM Linux (2024)
- Free for public repos; private: 2 000 free minutes/mo (Linux) — Linux minutes cost half of Windows minutes, which cost half of macOS minutes
- GitHub Larger Runners — 4/8/16/32/64 vCPU options
- Self-hosted runners (free, your infra)
- Workflows in YAML; reusable workflows + composite actions
- Marketplace: 20 000+ actions
- ARC (Actions Runner Controller, ex-summerwind) — K8s-native self-hosted
4.2 GitLab CI/CD
- Integrated with GitLab DVCS (source + issues + CI + container registry + package registry + agent for K8s + security scanning)
- YAML `.gitlab-ci.yml`
- Auto DevOps (templated full pipeline)
- Pricing tiers: Free, Premium, Ultimate ($99/user/mo)
4.3 Jenkins
- Legacy (origin Hudson 2005, Jenkins fork 2011); hosted by the Linux Foundation’s Continuous Delivery Foundation
- Plugin ecosystem: 1 800+
- Declarative Pipeline + Scripted Pipeline (Groovy)
- Blue Ocean UI (deprecated in favour of a modernised core UI)
- Distributed via controller + agents (SSH/JNLP)
- Jenkins X — K8s-native subproject (lower adoption than CD Foundation hoped)
4.4 CircleCI
- SaaS-first; Series F at $1.7B valuation (2021)
- Resource classes: small/medium/large/xlarge/2xlarge + GPU + macOS
- Orbs (reusable configs); orbs registry
- Server (self-hosted) tier
4.5 Travis CI
- Pioneer (2011); was free for OSS
- Acquired by Idera 2019; declining usage; many OSS projects migrated to GitHub Actions
4.6 TeamCity
- JetBrains; on-prem + cloud SaaS (TeamCity Cloud 2022)
- Build configurations + dependent builds; strong Java/Kotlin/.NET tooling
- Free tier: 3 build agents, 100 build configurations
4.7 Buildkite
- Hybrid: SaaS UI + your runners
- Strong for orgs with secrets/data they can’t push to cloud
- Adopters: Shopify, Lyft, Airbnb, Pinterest
4.8 Drone
- Acquired by Harness 2020 → became Harness CI Open Source / Harness CD
- YAML pipelines, container-native
- Still maintained; standalone CE
4.9 AWS CodeBuild / CodePipeline / CodeStar
- CodeBuild — managed build runners ($0.005/build min Linux small)
- CodePipeline — orchestration
- CodeStar — deprecated 2024-07
- CodeCommit — closed to new customers 2024
4.10 Google Cloud Build
- Managed builds; first 120 build-minutes/day free
- Cloud Deploy — managed continuous delivery to GKE/Cloud Run
4.11 Azure Pipelines + Azure DevOps
- Microsoft (legacy VSTS / TFS); Azure DevOps Services SaaS
- 1 800 free build minutes/mo Linux
- Both YAML and classic UI
- Azure DevOps positioning vs GitHub Actions unclear since Microsoft’s acquisition of GitHub
4.12 Bitbucket Pipelines
- Atlassian; YAML; integrated with Bitbucket Cloud
- 50 free build minutes/mo
4.13 K8s-Native Pipelines
- Tekton — CNCF graduated 2023; Tekton Pipelines + Tekton Triggers + Tekton Dashboard + Tekton Chains (in-toto provenance)
- Argo Workflows — CNCF graduated; DAG/step workflows; CI/data pipelines
- Argo Events — CNCF; event-driven workflow triggers
- Spinnaker — Netflix/Google CD platform (CD focus); declining vs Argo CD
- Flagger — Flux project; progressive delivery (canary, A/B, blue-green) atop Istio/Linkerd/AppMesh
- Keptn — Dynatrace; CNCF Sandbox; SRE-style automation
- Brigade — archived
- Octopus Deploy — commercial CD (.NET strong)
- Harness CD — paid platform; ML-powered
5. GitOps
Tools that continuously reconcile cluster state to a Git source-of-truth.
5.1 Flux CD
- Pioneered by Weaveworks (2017), who coined the term “GitOps” the same year
- Flux 2 architecture: GitOps Toolkit (source-controller, kustomize-controller, helm-controller, notification-controller, image-automation-controller)
- CNCF graduated 2022-12
- Weaveworks shut down 2024-02 → Flux Foundation took stewardship (Microsoft, GitHub, ControlPlane, Weaveworks alumni)
5.2 Argo CD
- Intuit-led; CNCF graduated 2022-12 (same wave as Flux)
- Rich UI showing application state, sync history
- App-of-apps pattern; ApplicationSet controller (generators)
- 25k+ stars; the most-deployed GitOps tool
5.3 Others
- GitLab Auto DevOps — built-in to GitLab
- GitHub Codespaces + Actions — light GitOps via PR-merge → deploy
- Jenkins X — declining
- Werf — Russian; Helm + GitOps hybrid
6. Build Tools (Polyglot + Per-Language)
6.1 Polyglot Hermetic
- Bazel (Google, open 2015 from internal Blaze) — hermetic, reproducible, multi-language (Go, C++, Java, Python, JS, Rust, Swift); BUILD files in Starlark; remote build cache + remote execution (Buildbarn, BuildBuddy, EngFlow, Bazel Remote)
- Buck2 (Meta, 2023; Rust rewrite of Buck) — fully open-source, similar Starlark, fast incremental
- Pants (Twitter origin → Toolchain Labs) — Python, Go, Java, Scala, Kotlin, JS, Shell; Pants v2 (2022) rewrite in Rust+Python
- Please (UK) — Go-written Bazel-like
- Earthly — Earthfile mixes Dockerfile + Makefile; reproducible builds inside containers; Earthly Satellites paid cloud cache
6.2 C/C++ Specific
- Make (POSIX 1976) — ubiquitous
- CMake (Kitware 1999) — build system generator; ~80% of open-source C++ projects (KDE, LLVM, Ogre3D, Boost); Modern CMake 3.x patterns (targets, not files)
- Meson + Ninja — Mesa, GTK, GNOME, systemd; Python config generating Ninja
- Ninja (Google) — low-level fast build executor; the recommended CMake generator since CMake 3.x
- SCons (Python) — declining
- Autotools (autoconf + automake + libtool) — legacy GNU; declining but still ubiquitous in legacy projects
- Premake + Tup — niche
6.3 Java / JVM
- Maven (Apache, 2004) — declarative XML pom.xml; central repository; standard for legacy Java
- Gradle (2007) — Groovy/Kotlin DSL; daemon for fast incremental; Android Studio default; Gradle Enterprise (Develocity) paid build cache + observability
- Bazel + Pants — used at Google, Stripe, Pinterest for JVM monorepos
- sbt — Scala build tool, sbt 1.x stable
- Mill — Scala alternative, simpler than sbt
- Leiningen — Clojure
- Boot — Clojure (declining)
6.4 Rust
- Cargo — built-in (every Rust install); workspaces, features, profiles
- cargo-make, just — task runners
- Bazel rules_rust + Buck2 for monorepos
6.5 Go
- go build / go mod — built-in
- mage — Go task runner
- task (Taskfile.yml) — language-agnostic, but popular in Go projects
- Bazel rules_go
6.6 JavaScript / TypeScript
- npm (2010; Node default; npm Inc → GitHub 2020) — workspaces since 7.x
- Yarn (Facebook 2016 → Yarn 4 Berry 2022) — Plug’n’Play (PnP) zero-install
- pnpm (2017) — content-addressable storage; symlinked node_modules; fastest install
- Bun (Oven, 2023) — JS runtime + npm-compatible package manager + bundler + test runner; written in Zig
- Deno (2018) — JS runtime; built-in TypeScript; URL imports; deno.json + jsr (package registry)
- Turborepo (Vercel, acquired 2021) — monorepo task runner with remote cache
- Nx (Nrwl, 2017) — monorepo; Angular roots; React/Node/Next/Vue support; Nx Cloud remote cache
- Lerna — npm monorepo, now under Nx maintenance
- Rush (Microsoft) — pnpm-based monorepo
- Bundlers: Webpack (legacy default), Rollup (libraries), esbuild (Go, fast), SWC (Rust), Vite (Rollup + esbuild dev, Vue/React/Svelte), Parcel, Turbopack (Vercel, Rust, Next.js 14+ default)
6.7 Python
- pip + setuptools — legacy default
- Poetry (2018) — dep resolver + virtualenv + publish
- Hatch (PyPA) — modern packaging, pyproject.toml-first
- PDM — PEP 621 native, lockfile
- uv (Astral, 2024) — Rust-written pip + venv replacement; 10–100× faster than pip; dependency resolver by Astral founder Charlie Marsh
- Conda + mamba — scientific Python (PyData stack), env management beyond Python
- Pixi (prefix.dev) — Conda-compatible, Rust-written
- Buildout (Plone-era) — legacy
- Nox + tox — test matrix runners
- uvicorn + gunicorn + hypercorn are servers, not build tools
6.8 .NET / C#
- dotnet CLI + MSBuild — built-in
- NuGet — package registry
- Cake + FAKE — task runners (Cake C#, FAKE F#)
- Paket — alternative package manager
6.9 Ruby
- Bundler + gem — built-in
- Rake — task runner (Make-like)
- Bun isn’t to be confused with Ruby’s `bundle`
6.10 Swift / iOS
- Xcode build system — Apple proprietary
- Swift Package Manager (SwiftPM) — built-in
- CocoaPods — Ruby-based legacy
- Carthage — declining
- Tuist — Swift-based project generation
- Bazel + rules_apple — used at Lyft, Pinterest, Tinder
6.11 Android
- Gradle + Android Gradle Plugin (AGP) — default
- Bazel rules_android — at Pinterest, Uber
- Buck2 + rules_android — Meta
6.12 Infrastructure as Code (IaC)
- Terraform (HashiCorp 2014 → BSL 2023) — fork: OpenTofu (Linux Foundation 2023-09)
- Pulumi — uses general-purpose languages (TS, Python, Go, C#)
- AWS CloudFormation — AWS-only; CDK constructs (TypeScript/Python/Java) generate it
- CDK for Terraform (CDKTF) — HashiCorp
- Crossplane — K8s-native cloud provisioning (CNCF graduated 2024-04)
- Ansible (Red Hat) — agentless config management + IaC
- Chef (Progress Chef) — declining
- Puppet (Perforce, 2022 acquisition) — declining
- SaltStack (VMware) — declining
- Packer (HashiCorp) — image building (AMI, GCE image, OVF, etc.)
7. Container Registries
7.1 Public / SaaS
- Docker Hub — origin (2013); rate limits applied to free tier 2020-11 (100 pulls/6h unauthenticated, 200 authenticated); $5/mo Pro tier removes the limit
- GitHub Container Registry (GHCR) — free for public images; private images count to org storage quota
- GitLab Container Registry — built-in to GitLab; free
- Quay (Red Hat) — acquired 2018 with CoreOS; quay.io public
- JFrog Container Registry + Artifactory — paid; multi-format (Maven, npm, Docker, Helm, …)
- AWS Public ECR (gallery.ecr.aws) — public registry from AWS (2020)
7.2 Cloud-Provider Private
- Amazon ECR — $0.10/GB-mo + egress; image scanning (basic free; enhanced via Inspector); replication; lifecycle policies; pull-through cache (2022) for Docker Hub/Quay/GCR
- Google Artifact Registry — replaces GCR (2023); Docker, Maven, npm, Python, OS packages
- Azure Container Registry (ACR) — Basic/Standard/Premium; Premium geo-replication, content trust, private link
- Oracle Container Registry, IBM Cloud Registry, DOCR (DigitalOcean)
7.3 Self-Hosted
- Harbor (CNCF graduated 2020) — image + Helm chart + signing (Notary + Cosign 2.0); replication; vulnerability scanning (Trivy/Clair integrated)
- Nexus Repository (Sonatype) — paid; multi-format
- JFrog Artifactory — paid; on-prem option
- Distribution (Docker Registry v2 reference) — open-source; minimal
- Zot (CNCF Sandbox) — minimal OCI-native registry, written in Go
- Project Quay (self-hosted)
7.4 Standards
- OCI Distribution Spec v1.x — standardised registry API
- OCI Image Spec — image format
- OCI Runtime Spec — runtime contract; runc is the reference implementation
- OCI Artifacts — registry can host arbitrary blobs (Helm charts, SBOM, signatures, WASM)
8. Image Builders
8.1 Docker / BuildKit
- Docker Engine + `docker build` — default
- BuildKit — separate build subsystem (since Docker 18.09); parallel, cache mounts, secrets, SSH agent forwarding, multi-stage
- Docker Buildx — CLI wrapper; multi-arch (linux/amd64, linux/arm64, linux/arm/v7, linux/s390x, linux/ppc64le, linux/riscv64)
- Cache exporters: local, registry, S3, Azure Blob, GHA cache
8.2 Daemonless / Rootless
- Buildah (Red Hat) — daemonless; OCI image building; integrates with Podman/Skopeo
- Podman (Red Hat 2018) — daemonless Docker drop-in; rootless; pod abstraction native (similar to K8s pods); macOS/Linux/Windows
- Kaniko (Google) — builds in K8s/CI without privileged Docker daemon
- img (Genuine Tools) — daemonless BuildKit-based
- Source-to-Image (S2I) — OpenShift
8.3 Reproducible / Language-Specific
- Cloud Native Buildpacks (CNB) — CNCF graduated; pack CLI; spec born from Heroku buildpacks
- Paketo Buildpacks — Cloud Foundry / VMware
- Google Buildpacks
- Heroku Buildpacks (classic)
- Tanzu Build Service — commercial
- Jib (Google) — Java; Maven + Gradle plugins; layered (deps, snapshots, classes)
- ko (Google) — Go-only; reproducible; OCI layout
- apko (Chainguard) — produces APK-based minimal OCI images; basis of Chainguard Images (built on Wolfi, Chainguard’s container-oriented distro)
- bazel rules_oci — Bazel-native OCI image building (rules_docker deprecated 2023)
- nixpacks (Railway) — Nix-based; auto-detect language → build
- Earthly — Earthfile (mix Dockerfile + Makefile)
- Buildless — distributed Bazel cache SaaS
8.4 Image Manipulation
- Skopeo — copy/inspect images across registries without daemon
- crane (go-containerregistry) — Google
- regctl (regclient) — multi-purpose
- dive — interactive image layer inspector
9. Security Scanners + Supply Chain
9.1 Image / SBOM Scanners
- Trivy (Aqua Security) — CNCF; image, IaC, K8s, filesystem scanning; SBOM (SPDX, CycloneDX) generation; free
- Grype + Syft (Anchore) — vulnerability + SBOM; free open source
- Clair (Red Hat / Quay) — open source; used inside Quay
- Snyk — commercial; container + IaC + SAST + open source
- Anchore Enterprise — commercial
- Twistlock → Palo Alto Prisma Cloud (acquired 2019)
- Aqua Security — commercial CSPM/CWPP
- Sysdig Secure + Falco (CNCF graduated 2024) — runtime threat detection
- Wiz — agentless CNAPP; $23B valuation 2024 (Google acquisition fell through 2024-07; revived 2025)
- Orca Security — agentless CNAPP
- Lacework, Datadog Cloud Security, CrowdStrike Falcon Cloud Security
- Tenable Cloud Security (ex-Ermetic)
9.2 Signing + Provenance
- Sigstore (OpenSSF) — keyless signing using Fulcio (CA) + Rekor (transparency log); Cosign tool; SLSA provenance
- Notary v2 (Notation) — CNCF; OCI image signing; alternative to Cosign
- in-toto — supply-chain attestations; CNCF graduated 2023
9.3 SLSA + Frameworks
- SLSA (Supply-chain Levels for Software Artifacts) — Google-originated; framework levels SLSA-1 → SLSA-3 (and emerging L4)
- CycloneDX + SPDX — SBOM formats
- OpenSSF Scorecard — repository security posture scoring
10. Adjacent Cloud-Native Tooling
- Helm (CNCF graduated) — K8s package manager (charts); Helm 3 (2019) removed Tiller; charts repo
- Kustomize (built into kubectl) — overlay-based YAML customisation
- Skaffold (Google) — local dev workflow K8s
- Tilt — local dev workflow K8s
- Telepresence — local-to-K8s proxy
- Devspace (Loft) — dev workflow
- Garden — multi-service dev/CI
- Octant (VMware, archived 2022)
- Lens (Mirantis) — K8s IDE
- Headlamp (CNCF Sandbox) — K8s dashboard
- K9s — terminal UI K8s
- stern + kail + kubetail — multi-pod log tail
- kubectx + kubens — context + namespace switch
- Prometheus (CNCF graduated; second CNCF project after K8s) — metrics
- Thanos (CNCF incubating) — long-term Prometheus
- Cortex + Mimir (Grafana) — multi-tenant Prometheus
- VictoriaMetrics — Prometheus alternative, single binary
- Grafana — dashboarding; LGPL → AGPL 2021
- Loki — log aggregation (Grafana)
- Tempo — tracing (Grafana)
- Pyroscope — continuous profiling (Grafana, acquired 2023)
- Jaeger (CNCF graduated) — distributed tracing
- OpenTelemetry (CNCF; second-largest project after K8s) — traces + metrics + logs unified instrumentation
- Fluentd + Fluent Bit (CNCF graduated) — log forwarders
- Vector (Datadog, Rust) — log forwarder
- Filebeat + Logstash (Elastic)
- Elasticsearch + OpenSearch (AWS fork) — log/search backends
- Promtail + Grafana Agent — Loki log shippers (alternative to Fluentd/Vector)
11. CNCF Landscape Stats (as of 2026-Q2)
- ~200 projects total
- ~30 graduated (production-ready): K8s, Prometheus, Envoy, etcd, CoreDNS, containerd, Fluentd, Jaeger, Helm, Linkerd, Argo, Flux, Cilium, Crossplane, Falco, OpenTelemetry, Vitess, Harbor, Istio, KEDA, Karmada, Backstage, SPIFFE/SPIRE, in-toto, Knative, Tekton, KubeVela, KubeEdge, …
- ~50 incubating, ~120 sandbox
12. Build Cache + Remote Execution
- BuildBuddy — Bazel remote cache + execution; SaaS or self-host
- EngFlow — Bazel + Buck2 RE
- NativeLink (TraceMachina, ex-Turbo Cache; Rust) — open-source RE
- Buildbarn — open-source Bazel RE
- Bazel Remote — open-source cache (no exec)
- Develocity (Gradle Inc, ex-Gradle Enterprise) — Gradle + Maven cache + observability
- Turborepo Remote Cache — Vercel-hosted (free) or self-host
- Nx Cloud (Nrwl) — Nx remote cache + DTE (distributed task execution)
- ccache + sccache — compiler caches (C/C++/Rust)
- distcc + icecream — distributed C/C++ compile
13. Common Pitfalls + Practitioner Notes
- K8s minor version skew policy: kubelet ≤2 versions behind apiserver; kubectl ±1 version
- Dockershim removed in K8s 1.24 (2022); migrate to containerd or CRI-O if using Docker as runtime
- PodSecurityPolicy removed in K8s 1.25 (2022); use PSA + Kyverno/OPA
- Helm chart YAML templating is text-based, not structural — use `--dry-run` to validate; consider Kustomize for pure overlays
- Bazel cold-start cost is high; remote cache + RE essential at >100 targets
- Multi-arch images: `docker buildx build --platform linux/amd64,linux/arm64 --push` builds + pushes the manifest list in a single step; QEMU emulation is slow when building ARM on AMD64 (use native ARM runners for speed)
- BuildKit cache mounts (`--mount=type=cache,target=/root/.cache`) survive between builds; major speedup for npm/pip/cargo/apt
- Containers that need KVM (VM-isolated sandboxes, nested virtualisation) cannot run inside VMs that don’t expose KVM — CI runners often lack /dev/kvm (impacts KVM-based tests)
- ARM64 adoption in CI accelerating: GitHub Actions ARM Linux runners (2024), AWS Graviton EC2 30–40% cheaper than x86