What is shipped, what is next

Authentication and 2FA gateway for reverse proxies.

Identity provider supporting OIDC, SAML, and LDAP backed by PostgreSQL and Redis.

Automated TLS certificate issuance and renewal for Kubernetes.

OIDC identity hub that federates upstream providers.

Syncs secrets from external stores into Kubernetes Secrets.

Reverse-proxy authentication layer delegating to OIDC and OAuth2 providers.

General-purpose policy engine for authorization and admission control.

Identity and access management with OIDC and SAML backed by PostgreSQL.

SBOM and component-vulnerability analysis platform backed by a relational database.

Enterprise PKI certificate authority (Community Edition) backed by a relational database.

Kubernetes-native policy engine for validation, mutation, and generation.

Fine-grained authorization engine based on the Zanzibar model.

LDAP directory server for centralized authentication and user data.

OAuth 2.0 and OpenID Connect provider backed by a relational database.

Identity and user-management server for login, registration, and MFA.

Authentication for Kubernetes clusters federating external identity providers.

Encrypts Kubernetes Secrets so they can be stored safely in Git.

Zanzibar-inspired permissions database for fine-grained authorization.

SPIFFE runtime for issuing workload identities across a fleet.

Smallstep online certificate authority for internal PKI and ACME.

Access plane providing identity-based SSH, Kubernetes, and database access. Community edition is AGPL-3.0.

HashiCorp Vault. Source-available, not OSI.

clean alt: OpenBao (MPL-2.0) — the open fork, already shipped.

L7 proxy and the data plane behind most service meshes.

The Kubernetes community NGINX ingress controller.

Dynamic API gateway on Nginx + LuaJIT: hot-reloads plugins and config from etcd, with no relational-database dependency. A high-performance Kong alternative.

The Apache httpd web server and reverse proxy.

Envoy-based Kubernetes ingress controller.

CNCF implementation of the Kubernetes Gateway API on Envoy: standard K8s resources instead of vendor CRDs. The Kubernetes-first Kong alternative.

Envoy-based gateway for microservices, monoliths, and serverless, with strong multi-protocol support: HTTP, gRPC, WebSockets, and FaaS.

API gateway on nginx/OpenResty. Open-core (the OSS gateway is Apache-2.0; many features are gated behind the enterprise tier) and it depends on PostgreSQL. APISIX and Tyk are lighter, fully-open alternatives.

Caching and forwarding HTTP proxy.

API gateway written in Go: full-featured out of the box rather than open-core, with custom plugins in Go, Python, JavaScript, or gRPC (no Lua required).

HTTP caching reverse proxy and web accelerator.

High-performance Go AI gateway: unified access, load balancing, and failover across 20+ LLM providers with near-zero overhead. An open alternative to bolt-on AI-gateway plugins.

Lightweight Python proxy exposing one OpenAI-compatible API to call, monitor, and cost-map 100+ LLM providers.

APM: distributed tracing, metrics, and service-topology analysis.

Centralized log management and analysis. Source-available, not OSI.

clean alt: Loki (AGPL) + OpenSearch (Apache-2.0) for a truly-open logging stack.

Visualization and dashboards UI for OpenSearch.

Long-term storage and global query for Prometheus.

Load and performance testing tool for web and service endpoints.

Container resource-usage and performance metrics exporter.

Unified logging layer for collecting, parsing, and routing logs.

OpenTelemetry-based collector distribution for metrics, logs, traces, and profiles.

Scriptable load-testing tool for performance and reliability testing.

Continuous profiling backend for CPU and memory flame graphs.

End-to-end distributed tracing.

Visualization and dashboards for Elasticsearch. Default distribution is Elastic-2.0, not OSI.

clean alt: OpenSearch Dashboards (Apache-2.0) over OpenSearch, both open.

Exposes Kubernetes object state as Prometheus metrics.

Server-side log and event processing pipeline. Default distribution is Elastic-2.0, not OSI.

clean alt: Vector (MPL-2.0) or Fluentd (Apache-2.0), both open pipelines.

Horizontally scalable long-term metrics storage.

CNCF dashboards-as-code visualization tool for metrics.

Plugin-driven metrics collection agent from the InfluxData ecosystem.

Fast, cost-effective log database from the VictoriaMetrics team.

Infrastructure and network monitoring platform; version 7 and later is AGPL-3.0.

Distributed tracing system for collecting and querying timing data.

Vector database with hybrid search.

Scalable vector database for AI workloads.

Search engine for logs and traces on object storage.

Typo-tolerant search engine, an Algolia alternative.

Programmatic workflow scheduling and orchestration.

Fair-code workflow automation with native AI. Source-available, not OSI.

clean alt: No drop-in clean equivalent; Temporal (MIT) for code-first orchestration.

Workflow automation and server monitoring system.

Real-time analytics database for high-concurrency OLAP queries.

Stateful stream processing.

Visual dataflow automation for routing, transforming, and mediating data.

Real-time distributed OLAP datastore for low-latency analytics.

Unified batch and stream analytics engine.

Fault-tolerant workflow orchestration engine backed by a database.

Process automation and BPMN orchestration including the Zeebe engine.

Data orchestrator for ML and analytics pipelines.

Python-native workflow orchestration server for data pipelines.

Distributed SQL query engine for federated analytics across data sources.

Feature-flag and toggle management server backed by PostgreSQL.

Scalable MQTT broker for IoT.

Lightweight MQTT broker.

Java JMS message broker, including the Artemis next-generation engine.

Realtime messaging / WebSocket server.

Open schema registry and REST proxy for Kafka; an Apache-licensed alternative to the Confluent Community schema-registry.

Realtime distributed messaging.

Kafka-compatible streaming. Source-available, not OSI.

clean alt: Kafka or Pulsar (Apache-2.0), both already shipped.

Flexible, pluggable DNS server.

eBPF-based networking, security, and observability for Kubernetes.

Service discovery and mesh. Source-available, not OSI.

clean alt: etcd (Apache-2.0) for KV/coordination, already shipped.

Synchronizes Kubernetes Services and Ingresses with DNS providers.

Service mesh built on Envoy: traffic management, mTLS, and observability. Platform-scale, a multi-image wave (istiod control plane plus Envoy sidecars and gateways) rather than a single image.

Envoy-based service mesh and control plane for multi-zone deployments.

Lightweight service mesh.

Load-balancer implementation for bare-metal Kubernetes clusters.

Workload scheduler. Source-available, not OSI.

Authoritative DNS server and recursor with database backends.

Validating, recursive, caching DNS resolver.

PostgreSQL extension for time-series (Apache-2.0 core).

Redis-protocol key-value database persisted on RocksDB.

Transactional catalog and versioning for data lakehouse tables.

Multi-model database for documents, graphs, and key-value (Community Edition).

In-process analytical database (OLAP); ships as a CLI/base image.

Instant GraphQL API over PostgreSQL and other databases.

Distributed graph database over pluggable storage backends.

Multi-threaded Redis fork; BSD-licensed and Redis-protocol compatible.

Connection pooling, load balancing, and replication middleware for PostgreSQL.

Serves a RESTful API directly from a PostgreSQL schema.

High-performance proxy for MySQL/MariaDB.

High-performance time-series database with SQL.

Distributed relational database built on SQLite with Raft consensus.

Multi-model database. Source-available, not OSI.

Financial accounting database, high-throughput.

Horizontal sharding for MySQL.

Scalable distributed object store (S3 + HDFS).

Self-hostable PaaS on Docker Swarm. Open-core: most is Apache-2.0, the /proprietary parts are source-available (DSAL-1.0). Not a fit for the hardened catalog: it requires root, the Docker socket, and an initialized Swarm, so it cannot run nonroot or read-only.

clean alt: Coolify (Apache-2.0), already shipped.

Community Git forge, a Gitea fork.

Reference IPFS implementation for distributed content-addressed storage.

Streaming replication of SQLite databases to object storage.

Distributed block storage for Kubernetes with snapshots and backups.

Command-line program to sync files across cloud and object storage.

Continuous code-quality and security inspection.

Backup, restore, and migration of Kubernetes cluster resources and volumes.

Simple container-native CI engine.

Data exploration and business-intelligence dashboard platform backed by a metadata database and Redis.

PHP content management framework backed by MySQL, MariaDB, or PostgreSQL.

Self-hosted virtual whiteboard for diagrams and sketches; the app plus an excalidraw-room collaboration server.

Self-hosted local AWS emulator (Java), a LocalStack Community alternative after its 2026 sunset. The in-process services (S3, DynamoDB, SQS, SNS, IAM) run hardened nonroot; the Docker-backed services (Lambda, RDS, ECS, EKS) need the host Docker socket and root, so they fall outside the hardened model.

Node.js publishing and newsletter platform backed by MySQL or MariaDB.

Privacy-respecting web analytics platform on PHP backed by MySQL or MariaDB.

Self-hosted team chat platform; the Team Edition server is Apache-2.0 and runs on PostgreSQL.

Self-hosted file sync, sharing, and collaboration suite on PHP backed by PostgreSQL or MariaDB.

PHP CMS and blogging platform; runs PHP-FPM behind a web server against MySQL or MariaDB.

Single-file PHP database management UI for MySQL, PostgreSQL, and others.

Low-code internal-tools and admin-panel builder backed by PostgreSQL and Redis.

VS Code running in the browser on a remote server.

Ruby discussion and forum platform backed by PostgreSQL and Redis.

Web-based file manager for a server filesystem.

Stateless HTML and Office to PDF conversion API.

Self-hosted services and bookmarks dashboard with widget integrations.

PHP CMS backed by MySQL or MariaDB.

SMTP testing server with a web UI for capturing outbound email in development.

Federated social network server (Ruby plus Node) backed by PostgreSQL and Redis.

PHP learning management system backed by MySQL, MariaDB, or PostgreSQL.

Python ERP and business apps suite (Community Edition) backed by PostgreSQL.

Web administration and management UI for PostgreSQL.

PHP web administration UI for MySQL and MariaDB.

Ruby on Rails project management and issue tracker backed by a relational database.

PHP customer relationship management application backed by MySQL or MariaDB.

Clientless remote desktop gateway for RDP, VNC, and SSH over the browser.

Self-hosted media server for movies, music, and live TV.

WebRTC SFU media server for real-time audio and video.

Real-time media server and proxy for RTSP, RTMP, HLS, and WebRTC streams.

Declarative GitOps continuous delivery for Kubernetes.

CNCF Distribution, the reference OCI container registry server.

Extensible automation server for continuous integration and delivery.

Container-native workflow engine for orchestrating parallel jobs on Kubernetes.

Self-hosted agent that runs Buildkite CI/CD jobs.

Helm chart repository server with pluggable storage backends.

Pipeline-based continuous integration system backed by PostgreSQL.

Control-plane framework for managing cloud infrastructure via Kubernetes APIs.

Distributed application runtime providing building-block APIs for microservices.

GitOps toolkit of controllers for continuous delivery on Kubernetes.

Self-hosted Git hosting with built-in pipelines from Harness.

Event-driven autoscaling for Kubernetes workloads.

Open-source infrastructure-as-code tool; the community fork of Terraform.

Infrastructure-as-code using general-purpose programming languages.

Automated dependency-update bot for self-hosted execution.

Kubernetes-native CI/CD building blocks for pipelines and tasks.

OCI-native container image registry with optional UI and sync.

Machine-learning lifecycle platform for tracking, models, and registry.

Local runtime for serving open large language models with a simple API.

High-throughput LLM inference and serving engine with an OpenAI-compatible API.

Multi-user Jupyter notebook server for teams and classrooms.

Operator for running Ray distributed-compute clusters on Kubernetes.

Data-labeling and annotation tool for ML datasets.

Visual builder for LLM applications and agent workflows.

LLM observability and tracing platform backed by PostgreSQL.

Self-hosted web UI for chatting with local and remote LLMs.

Sigstore tool for signing and verifying container images and artifacts.

Vulnerability and misconfiguration scanner for images, filesystems, and IaC.

Open-source antivirus engine for scanning files and mail.

Runtime security and threat detection using kernel and eBPF events.

Vulnerability scanner for container images and SBOMs.

Keyless signing infrastructure including Fulcio CA and the Rekor transparency log.

SBOM generator for container images and filesystems.

eBPF-based runtime security observability and enforcement.

SIEM and XDR platform with manager, indexer, and dashboard components.