{"id":116561,"url":"https://github.com/igusev/awesome-cloud-native","name":"awesome-cloud-native","description":"A curated list of cloud native tools that are actually production-ready. Curated by Podo Stack.","projects_count":64,"last_synced_at":"2026-06-15T18:00:23.858Z","repository":{"id":335657244,"uuid":"1146591280","full_name":"iGusev/awesome-cloud-native","owner":"iGusev","description":"A curated list of cloud native tools that are actually production-ready. Curated by Podo Stack.","archived":false,"fork":false,"pushed_at":"2026-04-10T08:45:39.000Z","size":24,"stargazers_count":0,"open_issues_count":1,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-30T03:04:40.922Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iGusev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-31T10:53:41.000Z","updated_at":"2026-04-10T08:45:43.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/iGusev/awesome-cloud-native","commit_stats":null,"previous_names":["igusev/awesome-cloud-native"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/iGusev/awesome-cloud-native","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iGusev%2Fawesome-cloud-native","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iGusev%2Fawesome-cloud-native/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iGusev%2Fawesome-cloud-native/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iGusev%2Fawesome-cloud-native/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iGusev","download_url":"https://codeload.github.com/iGusev/awesome-cloud-native/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iGusev%2Fawesome-cloud-native/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34374146,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-15T02:00:07.085Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"created_at":"2026-02-04T05:54:47.272Z","updated_at":"2026-06-15T18:00:23.858Z","primary_language":null,"list_of_lists":false,"displayable":true,"categories":["License","🏗️ Platform Engineering","⚡ Autoscaling","📊 Observability","📜 Kyverno Policies","🔐 Supply Chain \u0026 Runtime Security","🌐 Networking \u0026 Service Mesh","🧩 Runtime","⚙️ Workload Scheduling","🚀 GitOps","📨 Messaging","🖼️ Container Images","Contributing"],"sub_categories":["Karpenter drift detection","🔥 Continuous Profiling","Image Distribution \u0026 Caching","📈 Metrics \u0026 Telemetry"],"readme":"# Awesome Cloud Native [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\n\n\u003e A curated list of cloud native tools that are actually production-ready.\n\n🍇 Curated by [Podo Stack](https://podostack.substack.com) — Ripe for Prod.\n\n---\n\n## Contents\n\n- [Container Images](#-container-images)\n- [Runtime](#-runtime)\n- [Supply Chain \u0026 Runtime Security](#-supply-chain--runtime-security)\n- [Autoscaling](#-autoscaling)\n- [Workload Scheduling](#-workload-scheduling)\n- [Networking \u0026 Service Mesh](#-networking--service-mesh)\n- [Observability](#-observability)\n- [Messaging](#-messaging)\n- [GitOps](#-gitops)\n- [Platform Engineering](#-platform-engineering)\n- [Kyverno Policies](#-kyverno-policies)\n- [CLI Tools \u0026 One-Liners](#-cli-tools--one-liners)\n\n---\n\n## 🖼️ Container Images\n\n### Image Distribution \u0026 Caching\n\n- **[Spegel](https://github.com/spegel-org/spegel)** - Nodes share container images directly with each other — no registry involved. Stateless P2P caching that speeds up scaling and cuts egress costs. `CNCF Sandbox`\n  - 📖 [Deep dive](https://podostack.substack.com/p/spegel-pixie-and-why-latest-is-evil)\n\n- **[Stargz Snapshotter](https://github.com/containerd/stargz-snapshotter)** - Start containers before the image fully downloads. Your app uses ~6% of files at startup — why pull 100%?\n  - 📖 [Deep dive](https://podostack.substack.com/p/lazy-pull-smart-scale-ebpf-network)\n\n---\n\n## 🧩 Runtime\n\n- **[WasmEdge](https://github.com/WasmEdge/WasmEdge)** - Server-side WebAssembly runtime with ahead-of-time compilation. Cold start in milliseconds and single-digit MB modules, sandboxed by default — fits FaaS, edge processing, and plugin systems where containers are too heavy. `CNCF Incubating`\n  - 📖 [Deep dive](https://podostack.substack.com/p/dapr-kargo-wasmedge-koordinator-openfeature) — Solomon Hykes's \"if Wasm+WASI existed in 2008\" take, revisited\n\n---\n\n## 🔐 Supply Chain \u0026 Runtime Security\n\n- **[Trivy](https://github.com/aquasecurity/trivy)** - Single-binary CVE scanner for container images, IaC, and filesystems. No daemon, no config — drop it into CI and fail the build on criticals before they reach a registry.\n  - 📖 [Deep dive](https://podostack.substack.com/p/signed-images-runtime-watchtowers-docker-pull-act-of-faith)\n\n- **[cosign](https://github.com/sigstore/cosign)** - Signs container images like a wax seal on a letter — break the signature, everyone knows. Part of Sigstore, and keyless mode with GitHub OIDC means no private keys to manage. `Sigstore`\n  - 📖 [Deep dive](https://podostack.substack.com/p/signed-images-runtime-watchtowers-docker-pull-act-of-faith)\n\n- **[Falco](https://github.com/falcosecurity/falco)** - Watches Linux syscalls via eBPF while your containers run — every file open, every process spawn, every network connection. Real-time threat detection in the kernel, not \"scan and report later\". `CNCF Graduated`\n  - 📖 [Deep dive](https://podostack.substack.com/p/signed-images-runtime-watchtowers-docker-pull-act-of-faith)\n  - ⚔️ [Falco vs Tetragon](https://podostack.substack.com/p/ebpf-tetragon-parca-falco-sloth-alloy) — detection vs in-kernel enforcement\n\n- **[Tetragon](https://github.com/cilium/tetragon)** - Doesn't just watch syscalls — it kills them with SIGKILL in the kernel before they complete. From the Cilium team, under 1% overhead, and Kubernetes-aware policies as CRDs instead of Lua scripts.\n  - 📖 [Deep dive](https://podostack.substack.com/p/ebpf-tetragon-parca-falco-sloth-alloy)\n\n- **[Chainguard Images](https://github.com/chainguard-images/images)** - Distroless-style base images with daily rebuilds and aggressive CVE tracking. About 5 CVEs per year instead of Alpine's 150 — nothing to exploit because there's almost nothing there.\n  - 📖 [Deep dive](https://podostack.substack.com/p/signed-images-runtime-watchtowers-docker-pull-act-of-faith)\n\n---\n\n## ⚡ Autoscaling\n\n- **[Karpenter](https://github.com/aws/karpenter)** - Provisions the exact node your pods need in seconds, not minutes. No node groups — just right-sized instances from any available type. `AWS` `GCP`\n  - 📖 [Deep dive](https://podostack.substack.com/p/lazy-pull-smart-scale-ebpf-network)\n  - 💰 [FinOps patterns](https://podostack.substack.com/p/spot-consolidation-pod-packing-40-percent-overpaying) — SpotToSpot consolidation, affinity traps, the knobs that actually move the bill\n\n- **[Cluster Autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler)** - The battle-tested autoscaler that works through Node Groups. Slower than Karpenter but multi-cloud and familiar.\n  - 📖 [Deep dive](https://podostack.substack.com/p/lazy-pull-smart-scale-ebpf-network) — side-by-side with Karpenter\n\n---\n\n## ⚙️ Workload Scheduling\n\n- **[Koordinator](https://github.com/koordinator-sh/koordinator)** - Colocation scheduler that runs best-effort batch jobs on the CPU your latency-sensitive services reserved but aren't actually using. Alibaba reports ~15% → 50%+ cluster utilization in production, with hardware-level LLC and memory-bandwidth isolation to stop noisy neighbors. `CNCF Sandbox`\n  - 📖 [Deep dive](https://podostack.substack.com/p/dapr-kargo-wasmedge-koordinator-openfeature)\n\n---\n\n## 🌐 Networking \u0026 Service Mesh\n\n- **[Cilium](https://github.com/cilium/cilium)** - Replaces kube-proxy with eBPF — O(1) lookups instead of walking iptables chains. Also does identity-based security and multi-cluster mesh. `CNCF Graduated`\n  - 📖 [Deep dive](https://podostack.substack.com/p/cilium-ebpf-kube-proxy-identity-hubble) — kube-proxy replacement, Hubble, identity policies, egress gateway, cluster mesh\n\n- **[Istio Ambient](https://github.com/istio/istio)** - Service mesh without sidecars. Uses a node-level ztunnel for L4 and on-demand waypoint proxies for L7 — pay only for what you need. `CNCF Graduated`\n  - 📖 [Deep dive](https://podostack.substack.com/p/sidecar-free-mesh-slo-from-yaml-and)\n\n---\n\n## 📊 Observability\n\n- **[Pixie](https://github.com/pixie-io/pixie)** - See your cluster's HTTP, SQL, and DNS traffic without touching your code. Uses eBPF to capture data — including decrypted TLS. `CNCF Sandbox`\n  - 📖 [Deep dive](https://podostack.substack.com/p/spegel-pixie-and-why-latest-is-evil)\n\n- **[sloth](https://github.com/slok/sloth)** - Define your SLOs in YAML, get Prometheus rules and Grafana dashboards. No more hand-rolling burn rate calculations.\n  - 📖 [Deep dive](https://podostack.substack.com/p/sidecar-free-mesh-slo-from-yaml-and)\n\n### 📈 Metrics \u0026 Telemetry\n\n- **[Thanos](https://github.com/thanos-io/thanos)** - Long-term storage, global query, and HA for Prometheus. Writes TSDB blocks to S3-compatible object storage and queries across them plus live Prometheus in one PromQL. `CNCF Incubating`\n  - 📖 [Deep dive](https://podostack.substack.com/p/flame-graphs-prod-prometheus-scale-fourth-signal)\n\n- **[VictoriaMetrics](https://github.com/VictoriaMetrics/VictoriaMetrics)** - Drop-in Prometheus-compatible TSDB that's significantly leaner on memory and disk. Built for billion-series workloads without the Thanos/Cortex operational complexity.\n  - 📖 [Deep dive](https://podostack.substack.com/p/flame-graphs-prod-prometheus-scale-fourth-signal)\n\n- **[OpenTelemetry Collector](https://github.com/open-telemetry/opentelemetry-collector)** - Vendor-neutral telemetry gateway for traces, metrics, and logs. Receivers, processors, and exporters as pluggable modules — ship to Prometheus, Loki, Tempo, Datadog, or anything OTLP-compatible. `CNCF Graduated`\n  - 📖 [Deep dive](https://podostack.substack.com/p/flame-graphs-prod-prometheus-scale-fourth-signal)\n\n- **[Grafana Alloy](https://github.com/grafana/alloy)** - One agent to replace Prometheus, Promtail, and an OTel Collector. Programmable config language and built-in clustering that distributes scrape targets across instances — vendor-neutral despite the Grafana branding.\n  - 📖 [Deep dive](https://podostack.substack.com/p/ebpf-tetragon-parca-falco-sloth-alloy)\n\n### 🔥 Continuous Profiling\n\n- **[Pyroscope](https://github.com/grafana/pyroscope)** - Continuous profiling with flame graphs and differential profiling — compare today's deployment to yesterday's and find which function started eating CPU. Part of Grafana Labs, supports SDK-based and eBPF collection across most languages.\n  - 📖 [Deep dive](https://podostack.substack.com/p/flame-graphs-prod-prometheus-scale-fourth-signal)\n\n- **[Parca](https://github.com/parca-dev/parca)** - Pure-eBPF continuous profiling with zero instrumentation and under 1% overhead. Profiles land in FrostDB (columnar) so you can diff two deploys and see exactly which function changed. `CNCF Sandbox`\n  - 📖 [Deep dive](https://podostack.substack.com/p/ebpf-tetragon-parca-falco-sloth-alloy)\n\n---\n\n## 📨 Messaging\n\n- **[RabbitMQ Cluster Operator](https://github.com/rabbitmq/cluster-operator)** - Declarative RabbitMQ on Kubernetes — nodes, quorum queues, streams, users, and broker policies as CRDs. Raft-backed data safety, streams for replay, and non-voter replicas that decouple durability from consensus latency.\n  - 📖 [Deep dive](https://podostack.substack.com/p/rabbitmq-quorum-streams-cluster-lying) — why mirrored queues are dead and what replaced them\n\n---\n\n## 🚀 GitOps\n\n- **[Flux](https://github.com/fluxcd/flux2)** - GitOps toolkit that actually waits for your deployments to be ready, not just applied. Handles Helm, Kustomize, and multi-tenancy. `CNCF Graduated`\n\n---\n\n## 🏗️ Platform Engineering\n\n- **[Backstage](https://github.com/backstage/backstage)** - Software catalog that finally answers \"who owns the payment service?\" Developers drop a `catalog-info.yaml` next to their code, Backstage auto-discovers it, and the Scaffolder turns a three-day new-service bootstrap into three minutes. `CNCF Incubating`\n  - 📖 [Deep dive](https://podostack.substack.com/p/guardrails-backstage-crossplane)\n\n- **[Crossplane](https://github.com/crossplane/crossplane)** - Your cloud resources become Kubernetes objects with a continuous reconciliation loop. Someone edits an RDS instance by hand? Crossplane fixes it back — no Terraform drift, no CI wrapper. `CNCF Graduated`\n  - 📖 [Deep dive](https://podostack.substack.com/p/crossplane-infrastructure-api-compositions-claims) — Compositions, Claims, Composition Functions, and the secret chain\n  - 🧭 [Platform intro](https://podostack.substack.com/p/guardrails-backstage-crossplane) — Crossplane vs Terraform showdown\n\n- **[Dapr](https://github.com/dapr/dapr)** - Sidecar that exposes distributed systems patterns — state, pub/sub, secrets, service invocation — through plain HTTP calls. Swap Redis for Postgres with a YAML change, not a code rewrite. `CNCF Incubating`\n  - 📖 [Deep dive](https://podostack.substack.com/p/dapr-kargo-wasmedge-koordinator-openfeature)\n\n- **[Kargo](https://github.com/akuity/kargo)** - Continuous promotion engine from the Argo CD team. Warehouse → Freight → Stage → Promotion makes GitOps promotion declarative instead of a shell script that rewrites `values.yaml`.\n  - 📖 [Deep dive](https://podostack.substack.com/p/dapr-kargo-wasmedge-koordinator-openfeature)\n\n- **[OpenFeature](https://github.com/open-feature)** - Does for feature flags what OpenTelemetry did for observability. One API, swap LaunchDarkly for Flagsmith with a single line — the hundreds of flag checks scattered across your codebase stay untouched. `CNCF Incubating`\n  - 📖 [Deep dive](https://podostack.substack.com/p/dapr-kargo-wasmedge-koordinator-openfeature)\n\n---\n\n## 📜 Kyverno Policies\n\nWrite Kubernetes policies in plain YAML — no Rego, no new language to learn. [Kyverno](https://github.com/kyverno/kyverno) validates, mutates, and generates resources through admission webhooks. `CNCF Graduated`\n\n- **[Disallow :latest tag](https://podostack.substack.com/i/185064206/the-policy-disallow-latest-tags)** — The `:latest` tag is mutable — the image it points to can change anytime. This policy blocks containers without explicit tags, preventing unpredictable deployments and rollback nightmares.\n\n- **[Require labels](https://podostack.substack.com/i/185716285/the-policy-require-labels)** — Requires standard labels (`app.kubernetes.io/name`, `app.kubernetes.io/instance`) on Deployments, StatefulSets, and DaemonSets. Helps with cost allocation, automation, and keeping your cluster organized.\n\n- **[Require PodDisruptionBudget](https://podostack.substack.com/i/187230155/the-policy-require-poddisruptionbudget)** — Node drain, three replicas, no PDB, all pods evicted at once, service down. This policy blocks any Deployment or StatefulSet with more than one replica that doesn't have a matching PDB.\n\n---\n\n## 🛠️ CLI Tools \u0026 One-Liners\n\n### kubectl debug\n\nDebug distroless containers by injecting ephemeral debug containers:\n\n```bash\nkubectl debug -it my-pod --image=busybox --target=my-container\n```\n\n### flux diff\n\n\"Terraform plan\" for Kubernetes — see what would change before applying:\n\n```bash\nflux diff kustomization my-app --path ./clusters/prod/\n```\n\n### Karpenter drift detection\n\nCheck which nodes are marked for replacement:\n\n```bash\nkubectl get nodeclaims -o custom-columns=\\\n'NAME:.metadata.name,DRIFT:.status.conditions[?(@.type==\"Drifted\")].status'\n```\n\n---\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\nFound a tool that should be here? [Open an issue](https://github.com/iGusev/awesome-cloud-native/issues/new?template=suggest-tool.md).\n\n---\n\n## License\n\n[![CC0](https://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg)](https://creativecommons.org/publicdomain/zero/1.0/)\n\nTo the extent possible under law, the author has waived all copyright and related or neighboring rights to this work.\n","projects_url":"https://awesome.ecosyste.ms/api/v1/lists/igusev%2Fawesome-cloud-native/projects"}