CNCF Landscape: Provisioning
Provisioning covers the tools that create, configure, and secure cloud native infrastructure. With Ansible alone commanding 68,373 stars, this category represents the operational foundation that every cloud native team depends on.
Ansible: Automation Powerhouse
Ansible at 68,373 stars and 24,167 forks is the most-starred IT automation tool on GitHub. Its agentless architecture, YAML-based playbooks, and vast module library make it the default choice for configuring infrastructure.
Ansible requires no agents on target systems — it connects via SSH, WinRM, or API and pushes desired state. With 3,000+ modules covering cloud providers, databases, networking, and security, Ansible can manage virtually any infrastructure component.
Key capabilities: Agentless execution, 3,000+ modules, idempotent operations, Ansible Vault for encrypting secrets in playbooks and inventories, inventory management, role-based access control (through AWX / Ansible Automation Platform rather than the core CLI), and integration with every major cloud provider.
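As an added example (not code from the original page or from the Ansible project), the playbook below shows the agentless, idempotent model in practice: it hardens sshd on a group of hosts, refuses to write a configuration that sshd itself rejects, and only restarts the service when a line actually changed. The inventory group name "bastions" and the sshd binary path are assumptions.

```yaml
# harden-ssh.yml  (added example; the "bastions" group and /usr/sbin/sshd are assumptions)
- name: Harden sshd on all bastion hosts
  hosts: bastions          # assumed inventory group
  become: true
  gather_facts: false
  vars:
    sshd_config: /etc/ssh/sshd_config
    # Desired state. Re-running the play against an already-hardened host reports
    # "ok" for every task and triggers no handler: that is the idempotency guarantee.
    sshd_settings:
      PermitRootLogin: "no"
      PasswordAuthentication: "no"
      PubkeyAuthentication: "yes"
      X11Forwarding: "no"
      MaxAuthTries: "3"
  tasks:
    - name: Enforce sshd settings
      ansible.builtin.lineinfile:
        path: "{{ sshd_config }}"
        # Match the directive whether it is active or commented out, so we replace
        # rather than append a duplicate line.
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        # Run sshd's own syntax check on a temp copy before the file is replaced;
        # a bad edit fails the task instead of locking you out on the next restart.
        validate: "/usr/sbin/sshd -t -f %s"
      loop: "{{ sshd_settings | dict2items }}"
      notify: Restart sshd

    - name: Ensure sshd is enabled and running
      ansible.builtin.service:
        name: sshd
        state: started
        enabled: true

  handlers:
    # Handlers run once at the end of the play, and only if a task notified them.
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Run it first in check mode to see the intended changes without applying them: ansible-playbook -i inventory.ini harden-ssh.yml --check --diff. The second real run should report changed=0 for every host.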
OpenTofu: The Open Source Terraform Alternative
OpenTofu at 28,252 stars and 1,196 forks (sandbox) is the community-driven fork of Terraform, created after HashiCorp moved Terraform to the Business Source License. It provides the same declarative HCL syntax and provider ecosystem under the MPL 2.0, without the BUSL restrictions.
OpenTofu represents a critical moment in the IaC ecosystem. Organizations that can't adopt HashiCorp's Business Source License (BSL) are migrating to OpenTofu, creating a thriving community. The CNCF sandbox status reflects its growing maturity.
Key capabilities: Terraform-compatible HCL syntax, state management, provider ecosystem, import blocks, testing framework, and backward compatibility with Terraform configurations.
Falco: Runtime Security Monitoring
Falco at 8,809 stars and 999 forks (graduated) is a cloud native runtime security tool that detects anomalous activity in containers and on hosts by capturing Linux system calls through an eBPF probe (the modern default; a kernel module driver also exists) and evaluating them against a rule set.
Falco operates like a security camera for your Kubernetes cluster. Its rules can detect shell invocations in containers, unexpected network connections, privilege escalation, sensitive file modifications, and credential access. When a rule matches, Falco writes the alert to stdout, syslog, a file, an HTTP endpoint or gRPC; delivery to Slack and SIEMs is typically handled by the companion Falcosidekick forwarder.
Key capabilities: eBPF-powered syscall monitoring, configurable alert rules built from lists, macros and rules, Kubernetes-native deployment via Helm, Falco plugins for non-syscall event sources (such as Kubernetes audit logs), and SIEM integration.
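As an added example (not one of Falco's shipped rules and not from the original page), here is a small custom rules file that detects the first of the behaviours listed above, an interactive shell started inside a container. The list and macro names are my own; the file path in the comment is an assumption.

```yaml
# /etc/falco/rules.d/shell-in-container.yaml  (added example; path is an assumption)

# Lists and macros are the building blocks; rules compose them.
- list: custom_shell_binaries
  items: [bash, sh, dash, zsh, ash, ksh, csh, tcsh]

# A process has finished exec'ing (exit side of execve/execveat).
- macro: custom_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# container.id is the literal string "host" for processes outside any container.
- macro: custom_in_container
  condition: container.id != host

- rule: Interactive shell spawned in container
  desc: >
    A shell with a controlling terminal was executed inside a container. Workloads
    rarely need one; this usually means kubectl exec, a debugging session, or an
    attacker who has gained execution.
  condition: >
    custom_spawned_process and custom_in_container
    and proc.name in (custom_shell_binaries)
    and proc.tty != 0
  output: >
    Interactive shell in container (user=%user.name loginuid=%user.loginuid
    command=%proc.cmdline parent=%proc.pname
    container=%container.name image=%container.image.repository:%container.image.tag
    ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, shell, mitre_execution, T1059]
```

Validate the file before loading it with falco -V /etc/falco/rules.d/shell-in-container.yaml, then trigger it from another terminal with kubectl exec -it some-pod -- sh and watch the alert appear on Falco's stdout. The proc.tty != 0 test is what separates a human at a terminal from the many non-interactive sh -c invocations that entrypoints and cron jobs produce; drop it if you also want those.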
Kyverno: Kubernetes-Native Policy Engine
Kyverno at 7,561 stars and 1,281 forks (incubating) is a Kubernetes-native policy engine. Unlike OPA, which needs the separate Gatekeeper project to act as an admission controller and policies written in Rego, Kyverno runs directly as a Kubernetes admission webhook and expresses policies as ordinary Kubernetes resources.
Kyverno policies are written as Kubernetes resources (YAML) with match/exclude selectors, making them natural for Kubernetes operators. A policy can validate, mutate, or generate resources: non-compliant objects are rejected at admission, before the API server persists them, and background scans report existing resources that violate a policy as PolicyReport objects.
Key capabilities: Admission control (validate/mutate/generate), Kubernetes-native policy format, policy reports, automatic generation of Pod rules for Pod controllers (Deployment, StatefulSet, Job and others), and cluster-wide policy management.
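The following ClusterPolicy is an added example (written for this page, not taken from the Kyverno project's samples or from the original article) that exercises all three rule types in one object: it rejects privileged containers, adds runAsNonRoot where a Pod omits it, and generates a default-deny ingress NetworkPolicy for every new namespace. The policy name and the kube-system exclusion are assumptions.

```yaml
# pod-security-baseline.yaml  (added example; policy name is an assumption)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-security-baseline
spec:
  # Enforce = reject at admission. Start with Audit in a live cluster to see what
  # would be blocked (violations then show up in PolicyReports instead).
  validationFailureAction: Enforce
  background: true          # also scan existing resources and report on them
  rules:
    # 1. validate: block privileged containers in any Pod spec position.
    #    Kyverno auto-generates the matching rules for Deployments, StatefulSets,
    #    Jobs, etc., so a Pod-level rule is enough.
    - name: disallow-privileged-containers
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Privileged containers are not allowed (securityContext.privileged must be false or unset)."
        pattern:
          spec:
            # =(field) anchor: only evaluate the child pattern if the field exists.
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"

    # 2. mutate: default runAsNonRoot to true when the Pod does not set it.
    - name: default-run-as-nonroot
      match:
        any:
          - resources:
              kinds: [Pod]
      mutate:
        patchStrategicMerge:
          spec:
            securityContext:
              # +(field) anchor: add the field only if it is not already present,
              # so an explicit runAsNonRoot: false set by the author is left alone
              # (pair this with a validate rule if you want to forbid that too).
              +(runAsNonRoot): true

    # 3. generate: every new namespace gets a default-deny ingress NetworkPolicy.
    - name: default-deny-ingress
      match:
        any:
          - resources:
              kinds: [Namespace]
      exclude:
        any:
          - resources:
              names: [kube-system, kube-public, kube-node-lease]   # assumed exclusions
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny-ingress
        namespace: "{{request.object.metadata.name}}"
        synchronize: true   # re-create it if someone deletes or edits it
        data:
          spec:
            podSelector: {}
            policyTypes: [Ingress]
```

You can test the validate and mutate rules offline with the Kyverno CLI before applying them to a cluster: kyverno apply pod-security-baseline.yaml --resource some-pod.yaml prints the mutated resource and reports pass/fail for each rule.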
OpenEBS: Cloud Native Storage
OpenEBS at 9,667 stars and 979 forks (graduated) provides container-attached and replicated storage for Kubernetes StatefulSets. It makes persistent storage as easy to provision as compute.
OpenEBS ships several storage engines: Local PV (hostpath, LVM and ZFS variants) for node-local volumes, where the ZFS variant adds checksumming and snapshots for data integrity, and Mayastor, an NVMe-oF based replicated engine with synchronous replication for performance-critical workloads; the older Jiva and cStor replicated engines are now legacy. Every engine is consumed through ordinary StorageClasses and PersistentVolumeClaims.
Key capabilities: Container-attached storage, multiple storage engines, synchronous replication, snapshot and clone, CSI driver, and Kubernetes-native deployment.
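As an added example (not from the OpenEBS documentation or the original page), the two manifests below show how engine selection is expressed: the StorageClass picks the Mayastor engine and asks for three synchronous replicas, and a StatefulSet consumes it through a volumeClaimTemplate like any other PVC. The image, sizes and names are assumptions.

```yaml
# mayastor-replicated.yaml  (added example; names, image and sizes are assumptions)
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: mayastor-3-replica
provisioner: io.openebs.csi-mayastor   # the Mayastor CSI driver
parameters:
  protocol: nvmf     # expose the volume to the node over NVMe-oF (TCP)
  repl: "3"          # three synchronous replicas on three different nodes
reclaimPolicy: Retain          # keep the data if the PVC is deleted by mistake
allowVolumeExpansion: true
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: pg
spec:
  serviceName: pg
  replicas: 1
  selector:
    matchLabels: {app: pg}
  template:
    metadata:
      labels: {app: pg}
    spec:
      containers:
        - name: postgres
          image: postgres:16            # assumed image
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
  # Each Pod gets its own PVC, and therefore its own replicated Mayastor volume,
  # named data-pg-0, data-pg-1, ... that survives Pod rescheduling.
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: [ReadWriteOnce]
        storageClassName: mayastor-3-replica
        resources:
          requests:
            storage: 20Gi
```

Switching the workload to a different engine is a one-line change of storageClassName; the StatefulSet itself does not need to know which engine backs it.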
Atlantis: Infrastructure as Code in Pull Requests
Atlantis at 8,961 stars and 1,248 forks (sandbox) automates Terraform plan reviews through pull requests. When a PR touches Terraform code, Atlantis runs terraform plan in a locked workspace, posts the plan output as a PR comment, and runs terraform apply only after the configured requirements are met (for example that the PR is approved and mergeable).
Atlantis bridges the gap between code review and infrastructure changes. It can run Conftest/OPA policy checks against the plan before apply, gives reviewers the exact plan they are approving, and enables self-service infrastructure changes through PRs, making infrastructure changes as auditable as code changes.
Key capabilities: Terraform plan automation, GitHub/GitLab/Bitbucket/Azure DevOps integration, plan review workflow with apply requirements, policy checks, and Slack notifications.
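Here is an added example (not from the Atlantis documentation or the original page) of the server-side repo configuration that turns the workflow above into a gated plan, policy check, apply pipeline that repositories cannot loosen from their own atlantis.yaml. The policy directory, the approver username and the workflow name are assumptions.

```yaml
# repos.yaml  (added example; passed to the server with --repo-config;
#              policy path, username and workflow name are assumptions)
repos:
  - id: /.*/                       # every repository this server handles
    branch: /^main$/               # only PRs targeting main are planned
    # apply is refused until all three hold: reviewer approval, no merge
    # conflicts, and the PR branch is not behind its base (undiverged).
    apply_requirements: [approved, mergeable, undiverged]
    allowed_overrides: []          # repos may not override any of these keys
    allow_custom_workflows: false  # repos may not define their own workflows
    workflow: gated
    delete_source_branch_on_merge: true

# Requires the server to run with --enable-policy-checks and conftest installed.
policies:
  owners:
    users: [platform-security-lead]   # assumed; only they may approve a failing policy check
  policy_sets:
    - name: terraform-guardrails
      path: /opt/atlantis/policies     # assumed directory of Rego policies
      source: local

workflows:
  gated:
    plan:
      steps:
        - init
        - plan:
            extra_args: ["-lock-timeout=5m"]
    policy_check:
      steps:
        - policy_check               # runs the policy sets above against the plan
    apply:
      steps:
        - apply
```

The useful property is the separation of duties: the person who wrote the change cannot apply it until a reviewer has approved the exact plan that was posted, and a failing policy check needs a sign-off from a named owner rather than the PR author.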
The IaC Decision: OpenTofu vs Terraform
The emergence of OpenTofu has created a strategic decision point for teams:
| Consideration | Terraform | OpenTofu |
|---|---|---|
| License | BUSL 1.1 (source-available; restricts competing use) | MPL 2.0 (open source) |
| Provider ecosystem | Mature, largest | Growing, Terraform-compatible |
| Enterprise support | HashiCorp (HCP Terraform / Terraform Enterprise) | Community + third-party vendors |
| Future direction | Uncertain | Community-driven |
See Also
- CNCF Landscape Overview — All 8 categories
- Terraform on AWS for Beginners — Terraform getting started guide