We recently added Fluent Bit to the OpenSSF landscape as part of the maintainers' ongoing efforts to secure it.
I have over 20 years' experience in software engineering, primarily in the defence domain at Thales. The last few years of this were focused on transformation, first to containers and then to Kubernetes. After Thales I worked on the cloud native team at Couchbase, working on their Golang-based Kubernetes operator. This included producing a custom Fluent Bit deployment for observability needs. Calyptia (founded by the Fluent maintainers) then approached me to come and work with them building out their observability products. I joined Chronosphere with their acquisition of Calyptia.
On: Jan 19, 2023
We have been signing the Fluent Bit official container images with Cosign for a while now, and recently we added it to the OpenSSF landscape to publicize this fact.
The OpenSSF (Open Source Software Security Foundation) provides a lot of useful tooling to improve supply chain security for open source projects. One of these tools is the sigstore project, which “allows developers to securely sign software artifacts”, and within it the Cosign tooling, which is specifically for signing OCI (container) images.
Signing the Fluent Bit container images with Cosign means users can verify that the image they are running is the official one built and published by the Fluent Bit project, rather than a copy that has been tampered with or re-tagged. Full details on verifying the signature can be found in the documentation.
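As an added illustration of what "verify before you deploy" looks like in practice (this is example code written for this post, not Fluent Bit's own tooling), the script below wraps `cosign verify`, re-checks the signer identity in the JSON that cosign prints, and rewrites the image reference to its verified digest so the pinned reference is what actually gets deployed. The image tag, the expected OIDC issuer and the signer identity pattern are assumptions and are marked as such; take the real verification mode (key-based or keyless) and the real identity or public key from the Fluent Bit documentation linked above. The sample cosign output embedded in the block is constructed so the identity check can be exercised offline.

```python
"""Verify a Fluent Bit container image signature with cosign, re-check the
signer identity, and pin the image by digest before deploying.

Added example, not code from the Fluent Bit project.  IMAGE, EXPECTED_ISSUER
and EXPECTED_SUBJECT_RE are assumptions: replace them with the values given
in the Fluent Bit verification documentation."""
import json
import re
import shutil
import subprocess
from typing import Optional

# Assumed placeholders: set these from the official documentation.
IMAGE = "fluent/fluent-bit:2.0.8"  # hypothetical tag
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_SUBJECT_RE = r"^https://github\.com/fluent/fluent-bit/\.github/workflows/.*$"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample of the JSON array `cosign verify` prints for a keyless
# signature; the digest and workflow path are made up for this example.
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "index.docker.io/fluent/fluent-bit"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": "https://token.actions.githubusercontent.com",
        "Subject": "https://github.com/fluent/fluent-bit/.github/workflows/example-workflow.yaml@refs/heads/master",
    },
}])


def run_cosign_verify(image: str) -> str:
    """Run cosign in keyless mode and return its stdout (a JSON array).
    cosign exits non-zero, and this raises, when no valid signature exists."""
    if shutil.which("cosign") is None:
        raise RuntimeError("cosign is not installed")
    cmd = [
        "cosign", "verify",
        "--certificate-oidc-issuer", EXPECTED_ISSUER,
        "--certificate-identity-regexp", EXPECTED_SUBJECT_RE,
        image,
    ]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def checked_digest(verify_output: str, issuer: str, subject_re: str) -> Optional[str]:
    """Return the manifest digest if at least one signature payload in
    cosign's output carries the expected issuer and a matching subject and a
    well-formed digest; otherwise return None.  cosign already enforces the
    flags passed above, but checking again here means a loosened flag set in
    a CI script cannot silently widen who is trusted."""
    try:
        payloads = json.loads(verify_output)
    except json.JSONDecodeError:
        return None
    if not isinstance(payloads, list):
        return None
    pattern = re.compile(subject_re)
    for payload in payloads:
        digest = payload.get("critical", {}).get("image", {}).get("docker-manifest-digest", "")
        optional = payload.get("optional") or {}
        if not DIGEST_RE.match(digest):
            continue
        if optional.get("Issuer") != issuer:
            continue
        if not pattern.match(optional.get("Subject", "")):
            continue
        return digest
    return None


def pinned_reference(image: str, digest: str) -> str:
    """Rewrite `repo:tag` as `repo@sha256:...` so what runs is exactly what
    was verified, not whatever the mutable tag points at later."""
    repo = image.rsplit("@", 1)[0]
    head, sep, tail = repo.rpartition(":")
    # A ':' followed by no '/' is a tag; otherwise it is a registry port.
    if sep and "/" not in tail:
        repo = head
    return f"{repo}@{digest}"


if __name__ == "__main__":
    output = run_cosign_verify(IMAGE)
    found = checked_digest(output, EXPECTED_ISSUER, EXPECTED_SUBJECT_RE)
    if found is None:
        raise SystemExit(f"refusing to deploy {IMAGE}: no acceptable signature")
    print(pinned_reference(IMAGE, found))
```

The digest returned by `checked_digest` is the one from the signed payload, so pinning to it ties the deployment to the artifact the signature covers rather than to a tag that anyone with push rights could move.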
This follows a similar approach to the GPG signing that we (and package developers in general) provide for native Linux packages (RPM/DEB), as well as for the repository metadata itself, which various more secure platforms require (e.g. for FIPS compliance).
We encourage anyone using OSS to get projects added to the OpenSSF if they can contribute in that way.
Another useful project provided by the OpenSSF is the gitsign tooling. Gitsign simplifies signed commit handling and helps prevent some of the attacks that are possible with standard GPG keys. We would also encourage anyone using Git to adopt it.
The Fluent Bit maintainers welcome new contributors. Whether you are a security guru, a documentation wizard, or a budding coder, there’s a role for you.
With Chronosphere’s acquisition of Calyptia in 2024, Chronosphere became the primary corporate sponsor of Fluent Bit. Eduardo Silva — the original creator of Fluent Bit and co-founder of Calyptia — leads a team of Chronosphere engineers dedicated full-time to the project, ensuring its continuous development and improvement.
Fluent Bit is a graduated project of the Cloud Native Computing Foundation (CNCF) under the umbrella of Fluentd, alongside other foundational technologies such as Kubernetes and Prometheus. Chronosphere is also a silver-level sponsor of the CNCF.