CNCF Cloud Native Landscape: The Practical Guide
The CNCF Cloud Native Landscape catalogs 1,000+ projects. We ranked every major category using a compound metric: stars × 0.5 + forks × 0.3 + maturity bonus (graduated = 1.0, incubating = 0.7, sandbox = 0.4). Here are the categories that matter for production infrastructure.
## 1. Orchestration & Management — Score: 2.509
The backbone of cloud native. 254K combined stars across the top 5 projects.
| Project | Stars | Status | Role |
|---|---|---|---|
| Kubernetes | 121K | Graduated | Container orchestration |
| gRPC | 44K | Graduated | Polyglot RPC framework |
| Istio | 38K | Graduated | Service mesh |
| Envoy | 27K | Graduated | L4/L7 proxy |
| Argo CD | 22K | Incubating | GitOps deployment |
| Linkerd | 11K | Graduated | Lightweight service mesh |
Kubernetes is the de facto OS for the cloud — pod scheduling, horizontal scaling, RBAC, and a vast operator ecosystem. gRPC with Protocol Buffers powers polyglot microservice communication. Istio provides traffic management, mTLS, and canary deployments via sidecar proxies; Linkerd offers 80% of the same benefits at 20% of the operational cost using a Rust micro-proxy. Envoy is the data plane behind both (and many API gateways). Argo CD watches Git repos and reconciles cluster state — the GitOps standard.
```mermaid
flowchart LR
A[Argo CD] -->|deploys| K[Kubernetes]
K -->|schedules| P[Pods]
I[Istio / Linkerd] -->|mesh| P
E[Envoy] -->|proxy| P
G[gRPC] -->|RPC| P
```
When to use what:
- New to cloud native? Kubernetes + Argo CD. Skip service mesh until you need it.
- Multi-cluster / multi-team? Istio for the most complete mesh features.
- Resource-constrained? Linkerd — minimal footprint, automatic mTLS.
- Polyglot microservices? gRPC with Protocol Buffers.
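The mTLS that the section credits to Istio is not enforced out of the box: a fresh mesh runs in PERMISSIVE mode and still accepts plaintext from workloads without a sidecar. The two manifests below are an added example, not code from the page or from the Istio project: a mesh-wide PeerAuthentication that turns on STRICT mTLS, and an AuthorizationPolicy that lets only the `checkout` service account call the `payments` workload. The namespace (`prod`), labels, service-account name and paths are assumptions.

```yaml
# Added example (not from the page or Istio). Names such as prod,
# payments and checkout are assumed placeholders.

# A PeerAuthentication in the root namespace with no selector applies to
# every workload in the mesh. STRICT rejects any connection that is not
# mTLS, which is what makes the peer identity below trustworthy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Once any ALLOW policy selects a workload, requests that match none of
# its rules are denied, so this is deny-by-default for payments.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout
  namespace: prod
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
    - from:
        - source:
            # SPIFFE identity of the checkout service account, taken from
            # the client certificate that STRICT mTLS guarantees is present.
            principals: ["cluster.local/ns/prod/sa/checkout"]
      to:
        - operation:
            methods: ["POST"]
            paths: ["/v1/charges"]
```

Roll STRICT out one namespace at a time before applying the mesh-wide object (a namespaced PeerAuthentication takes precedence), and watch the sidecar access logs for connections that start failing; those are the sidecar-less clients the PERMISSIVE default was quietly letting through.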
## 2. Observability & Analysis — Score: 2.176
Growing 1.2x thanks to AI-driven observability demands. The eyes and ears of production systems.
| Project | Stars | Status | Role |
|---|---|---|---|
| Grafana | 72K | — | Dashboards & visualization |
| Prometheus | 63K | Graduated | Metrics collection |
| Jaeger | 22K | Graduated | Distributed tracing |
| cert-manager | 13K | Graduated | Automated TLS |
| OPA | 11K | Graduated | Policy as code |
| Chaos Mesh | 7K | Incubating | Chaos engineering |
Prometheus is the metrics backbone of virtually every K8s deployment — pull-based collection, PromQL querying, and Alertmanager for routing. Grafana is the universal dashboard layer connecting to 300+ data sources. Jaeger implements OpenTelemetry tracing to follow requests across service boundaries. cert-manager automates TLS from Let's Encrypt — no more expired certs. OPA enforces fine-grained policies (who can deploy what, which pods can communicate) using the Rego language. Chaos Mesh injects failures to verify your system degrades gracefully.
```mermaid
flowchart TD
subgraph "Visualization"
GR[Grafana]
end
subgraph "Collection"
PR[Prometheus] & LO[Loki] & JA[Jaeger]
end
subgraph "Security"
CM[cert-manager] & OP[OPA] & CH[Chaos Mesh]
end
GR --> PR & LO & JA
OT[OpenTelemetry] --> PR & LO & JA
OT --> CM & OP & CH
```
When to use what:
- Setting up monitoring? Prometheus + Grafana — the default starting point.
- Debugging latency? Jaeger for distributed tracing.
- Automating HTTPS? cert-manager — zero manual cert management.
- Access control? OPA + Gatekeeper for admission policies.
- Testing resilience? Chaos Mesh — inject failures before users find them.
## 3. Provisioning — Score: 1.311
Infrastructure as code and security. Ansible alone commands 68K stars.
| Project | Stars | Status | Role |
|---|---|---|---|
| Ansible | 68K | — | Agentless automation |
| OpenTofu | 28K | Sandbox | Open source Terraform |
| OpenEBS | 9K | Graduated | Cloud native storage |
| Atlantis | 8K | Sandbox | PR-based IaC review |
| Falco | 8K | Graduated | Runtime security (eBPF) |
| Kyverno | 7K | Incubating | K8s-native policy engine |
Ansible is agentless IT automation — 3,000+ modules, connects via SSH, idempotent operations. OpenTofu is the community fork of Terraform after HashiCorp's BSL license change — same HCL syntax, MPL license. Falco monitors system calls via eBPF to detect shell invocations in containers, unexpected network connections, and privilege escalations. Kyverno enforces policies using native Kubernetes YAML (no sidecars, no Rego). OpenEBS provides container-attached storage with multiple engines (LocalPV, ZFS, NVMe-oF). Atlantis automates Terraform plan reviews through pull requests.
| Consideration | Terraform | OpenTofu |
|---|---|---|
| License | BSL (restrictive) | MPL (open source) |
| Provider ecosystem | Mature, largest | Growing, compatible |
| Enterprise support | HashiCorp TFC | Community + vendors |
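The paragraph above contrasts Kyverno (plain Kubernetes YAML, no Rego) with Falco (eBPF syscall monitoring). The block below is an added example, not from the page or either project, pairing the two as prevention and detection: a Kyverno ClusterPolicy that refuses privileged containers and host namespaces at admission, and a Falco rule that alerts when a shell is spawned inside a container anyway. The Falco rule is written in the style of Falco's shipped rules and relies on the `spawned_process` and `container` macros that the default ruleset defines; the `debug_images` list entry is a placeholder.

```yaml
# Added example (not from the page, Kyverno or Falco).
# --- File 1: Kyverno ClusterPolicy (applied with kubectl) ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-and-host-namespaces
spec:
  # Enforce rejects the request; Audit would only record a PolicyReport.
  validationFailureAction: Enforce
  # Also scan resources that already exist, not just new admissions.
  background: true
  rules:
    - name: deny-privileged
      match:
        any:
          - resources:
              kinds: [Pod]   # Kyverno auto-generates the same rule for Deployments, Jobs, etc.
      validate:
        message: "Privileged containers and host PID/network namespaces are not allowed."
        pattern:
          spec:
            # =(key) is a conditional anchor: the field may be absent, but
            # if present it must match the value.
            =(hostPID): "false"
            =(hostNetwork): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
---
# --- File 2: Falco rule file (loaded alongside the default rules) ---
- list: debug_images
  items: [registry.example.internal/debug-toolbox]   # placeholder for sanctioned debug images

- rule: Shell Spawned in Container
  desc: >
    A shell started inside a container. Production images should not need
    one, so treat it as a possible unauthorized exec or post-exploitation step.
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, dash)
    and not container.image.repository in (debug_images)
  output: >
    Shell spawned in container (user=%user.name pod=%k8s.pod.name ns=%k8s.ns.name
    image=%container.image.repository cmd=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, shell]
```

The Kyverno policy and the Falco rule cover different failure modes: the policy stops a misconfigured manifest before it is scheduled, while the rule catches behaviour inside a pod that admission control cannot see, such as an interactive `exec` or a compromised process launching a shell. Start Kyverno in `Audit` and look at the generated PolicyReports before flipping to `Enforce`, and tune the `debug_images` list against your own alert volume rather than widening the `proc.name` exclusion.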
## 4. Runtime — Score: 1.262
Container runtimes, storage, and networking. Cilium's eBPF revolution is driving growth.
| Project | Stars | Status | Role |
|---|---|---|---|
| Cilium | 24K | Graduated | eBPF networking & security |
| containerd | 20K | Graduated | Container runtime |
| Rook | 13K | Graduated | Storage orchestration (Ceph) |
| Longhorn | 7K | Graduated | Block storage |
Cilium replaces iptables with kernel-level eBPF packet processing — L3/L4 policy enforcement, transparent mTLS, bandwidth management, and deep observability without sidecars. containerd is the invisible workhorse: every pod goes through it for image management (OCI-compliant, CRI implementation). Rook turns Ceph into Kubernetes CRDs for declarative storage provisioning. Longhorn provides lightweight block storage with built-in replication, snapshots, and disaster recovery.
| Traditional Networking | Cilium eBPF |
|---|---|
| iptables-based rules | Kernel-level programmable filtering |
| Sidecar proxy for L7 | Native L7 policy enforcement |
| Best-effort observability | Deep packet-level observability |
| Complex rule chains | Declarative policy models |
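The "native L7 policy enforcement" row in the table is easiest to understand from a concrete policy. The manifest below is an added example, not code from the page or the Cilium project: a CiliumNetworkPolicy that lets only the `checkout` pods reach the `payments` pods, and only for two HTTP routes, while keeping DNS egress open. The namespace, labels, port and paths are assumptions.

```yaml
# Added example (not from the page or Cilium). prod, payments, checkout,
# the port and the paths are assumed placeholders.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payments-least-privilege
  namespace: prod
spec:
  endpointSelector:
    matchLabels:
      app: payments
  # Selecting an endpoint with an ingress section switches that direction
  # to default-deny: anything not listed here is dropped in the kernel.
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: checkout
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          # L7 rules are enforced by Cilium's embedded Envoy, no sidecar
          # injected into the pod. Paths are regular expressions.
          rules:
            http:
              - method: "POST"
                path: "/v1/charges"
              - method: "GET"
                path: "/healthz"
  # The same default-deny applies to egress once it is specified, so DNS
  # must be allowed explicitly or the pod cannot resolve anything.
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"
```

Two things to verify after applying it: that a request from a pod without the `app: checkout` label to `payments:8080` is dropped (a plain `curl` from a throwaway pod is enough), and that a `checkout` pod sending `DELETE /v1/charges/1` gets an HTTP 403 from the proxy rather than a connection, which is the difference between L4 and L7 enforcement. Hubble's flow logs show both outcomes, including the L7 verdict, which is the "deep packet-level observability" the table refers to.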
## 5. App Definition & Development — Score: 0.929
CI/CD pipelines, streaming, and modern dev tools.
| Project | Stars | Status | Role |
|---|---|---|---|
| Pulumi | 24K | — | IaC with real programming languages |
| NATS | 19K | Graduated | High-performance messaging |
| Tekton | 8K | Graduated | K8s-native CI/CD |
| Strimzi | 5K | Graduated | Kafka operator for K8s |
Pulumi brings real programming languages (TypeScript, Python, Go) to infrastructure as code — loops, functions, classes, and type safety instead of YAML templates. NATS is a lightweight, high-performance messaging system (sub-ms latency, single Go binary) with JetStream for persistent, exactly-once delivery. Tekton runs CI/CD pipelines directly on Kubernetes — your cluster IS your CI system. Strimzi manages Apache Kafka through Kubernetes CRDs (topics, users, connectors as declarative resources).
```mermaid
flowchart LR
T[Tekton CI/CD] --> P[Pulumi IaC]
P --> N[NATS Messaging]
N --> S[Strimzi Kafka]
```
## Emerging Categories
These are growing fast but not yet as established as the core five above.
### Wasm (WebAssembly) — 1.5x trend multiplier
Breaking out of the browser into server-side and edge computing. Wasmer (20K stars), Wasmtime (17K), and WasmEdge (10K, incubating) provide sandboxing, portability, and near-native performance. WasmEdge is pushing into AI/ML inference at the edge.
### Serverless
OpenFaaS (26K) turns any function into a serverless workload. Knative (6K, incubating) extends Kubernetes with scale-to-zero primitives for container-based serverless.
### Cloud Native AI
The fastest-growing category overall (2.0x multiplier). vLLM (74K stars) is the standard for LLM serving. Vector databases — Milvus (43K), Qdrant (29K), Chroma (27K) — power RAG architectures.
For the complete interactive landscape with filtering and sorting, visit landscape.cncf.io.