CoreOS Documentation

Welcome to CoreOS's product documentation. This page includes an index to all Tectonic documentation, as well as links to Quay and CoreOS open source projects.

Tectonic Documentation

Tectonic provides enterprise-ready tools to deploy and manage Kubernetes clusters.

Installation: Reliable and secure installation of Kubernetes and Tectonic components
Security: Configuration for enterprise authorization, authentication, and custom TLS certificates
Networking: Customization and extension of Kubernetes network features
Monitoring: Built-in end-to-end monitoring of Kubernetes clusters using Prometheus
Management: Tools to facilitate effective day-to-day management of Kubernetes clusters
Open Cloud Services: Application catalog of fully managed software services available on-demand on Tectonic clusters
Tutorials: Tutorials for users new to Tectonic

Some Tectonic features marked as Alpha are available only to users within a private Alpha program. If you are interested in joining this program, please contact us at

Tectonic Installation

Install Tectonic on a full-fledged infrastructure for production level workloads. Platform installers are built on Terraform.

Tectonic Security

Tectonic enables the management of user permissions and authentication through existing corporate identity stores at the user, group, or role level, federated through SAML, LDAP, or OIDC. Access control rules can be defined and mapped to be enforced consistently across all interfaces (Console, command line, or direct API access).

| Feature | Description | Documentation |
| --- | --- | --- |
| Identity Federation | Enable identity federation through existing enterprise authentication systems, including OpenID Connect (OIDC), LDAP (Lightweight Directory Access Protocol), and Security Assertion Markup Language (SAML), allowing administrators to map cluster RBAC bindings to an existing authentication system over a secure channel. | Tectonic Identity and user management; Tectonic Identity configuration; LDAP integration; SAML integration |
| Role-Based Access Control (RBAC) | Use Kubernetes’ Role-Based Access Control (RBAC) to manage user roles and permissions within Tectonic clusters. Use Tectonic to grant cluster-wide or namespace-specific access for users and groups defined within existing IdP systems. Permissions are enforced through both Tectonic Console and kubectl. | Tectonic Role-Based Access Control; Creating Tectonic accounts; Defining Tectonic user roles; Adding a service account to a Tectonic cluster |
| TLS certificates | Provide a Certificate Authority Certificate and Key (in PEM format) during Tectonic installation to secure access to Tectonic Console and any service accessing Tectonic ingress controller. The provided Key will be used to sign all generated certificates for the cluster. | Tectonic TLS Topology; TLS Certificates for Tectonic; Custom TLS for etcd; Custom TLS for Tectonic Ingress; Custom TLS for Kubernetes; Custom TLS for Tectonic Identity |

Tectonic Networking

Tectonic comes with a number of networking capabilities that are essential for Kubernetes network management at scale.

| Feature | Description | Documentation |
| --- | --- | --- |
| Network Policy | Use Tectonic supported flannel or Calico to enable network policy, and define namespace isolation at the network layer, and fine-grained security between your Kubernetes pods. [ALPHA] | To register for the Network Policy Alpha program, email |
| Border Gateway Protocol (BGP) routing on bare metal | Use the integrated project Calico to enable Border Gateway Protocol (BGP) networks, a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems on the Internet. [ALPHA] | To register for the Border Gateway Protocol Alpha program, email |
| Ingress | Use the provided Ingress Controller to expose the Tectonic Console and Tectonic Identity services. Tectonic Ingress is also configured to watch the Kubernetes API for Ingress resources and update their configuration to expose Kubernetes services. | Configuring Tectonic Ingress |

Tectonic Monitoring

Tectonic ships with a pre-configured and self-updating monitoring stack that is based on the Prometheus open source project and its wider ecosystem. It provides monitoring of cluster components and ships with a set of alerts to immediately notify cluster admins about any occurring problems.

| Feature | Description | Documentation |
| --- | --- | --- |
| Built-in Prometheus | Use the built-in, fully managed Prometheus instance to monitor the Tectonic cluster itself. This instance includes alerting rules to notify operators about problems in a cluster, based on key metrics collected from each Tectonic node. | Tectonic Monitoring; Monitoring applications; Monitoring namespaces; Configuring Tectonic Monitoring |
| Pre-configured Dashboards | Use Tectonic Console’s pre-configured monitoring dashboards to view key cluster capacity and cluster health metrics. Augment these using Grafana dashboards to provide more extensive analysis. | Stay tuned for documentation |
| Prometheus Alerts | Configure the included central, highly available Prometheus Alertmanager cluster to notify administrators of potential cluster issues. Tectonic’s pre-configured alert library is built from years of operational knowledge gained through the cumulative set of Tectonic customer clusters. | Configuring alerts; Tectonic pre-configured alerts |

Tectonic Management

Manage clusters using Tectonic’s component-spanning features.

| Feature | Description | Documentation |
| --- | --- | --- |
| Console | Manage clusters using the web based user interface of Tectonic Console. Restrict user access by namespace through Role-Based Access Control. | Managing pull secrets; Managing namespaces; Persistent volumes |
| Automated operations | Enable single-click operational tasks, such as upgrades and backups of entire clusters, for both pure, upstream Kubernetes and the Container Linux operating system to ensure that clusters are always up to date with the most recent feature and security releases. | Upgrading Tectonic; Scaling Tectonic clusters on AWS; Scaling Tectonic clusters on bare metal |
| Workload separation | Guarantee a clear separation between control plane and user workloads, and improve the reliability of the control plane by spreading services across multiple nodes. | Separating Tectonic master and worker workload |
| Metering and Chargeback | Generate usage reports per namespace, pod, label, and application. Reports show CPU and memory usage (actual and reserved), as well as the correlation of usage to underlying IaaS cost for AWS clusters. [PUBLIC ALPHA] | Installing Chargeback; Chargeback configuration options; Using Chargeback Reports |
| Multi-cluster Registry | Manage multiple clusters, across multiple clouds (on public or private, on-premises clouds) through a single Tectonic Console. Define centralized Role-Based Access Control rules for access to different clusters. [PUBLIC ALPHA] | Enabling multi-cluster registry in Tectonic; Installing the multi-cluster registry; Multi-cluster user access policies |
| Log management | Configure Tectonic to direct all host system, container, and API server audit logs to a logging store (using Fluentd and Elasticsearch). Tag logs based on metadata such as container name. | Managing infrastructure and application logs with Tectonic |
| Troubleshooting | Troubleshoot Tectonic and Tectonic clusters. | Troubleshooting Tectonic clusters |

Tectonic Open Cloud Services

Open Cloud Services (OCS) are software services made available to Tectonic users on demand and in their own environment. Like public cloud services, OCSs take care of the heavy lifting of maintaining open source projects by automating maintenance tasks such as regular, one-click, zero-downtime updates, disaster recovery, and horizontal scaling. Unlike public cloud services like AWS DynamoDB, OCSs are first class Kubernetes resources and are truly portable to any datacenter or cloud. Because an OCS runs in your environment, the system is transparent and you can see the container, logs, flags, and config file inside of your Kubernetes environment.

| Feature | Description | Documentation |
| --- | --- | --- |
| Open Cloud Services catalog | Use Tectonic Console’s Open Cloud Services catalog to deploy, consume, and manage services consistently across platforms. Allow infra-admins to easily deploy services into the namespace of their choice, and app developers to easily create and manage the services’ instances. | Tectonic Open Cloud Services catalog; Working with Open Cloud Services |
| Vault Open Cloud Service | Fully managed Vault secret management instances with support for automated updates, high availability, and backup and restore. Vault enables the disintermediation of cloud provider authentication APIs and associates them with container identity. [BETA] | Vault Open Cloud Service; Configuring Vault nodes; Setting up Ingress; Upgrading a Vault cluster; Vault resource labels; Using the Kubernetes auth backend; Using Vault-UI on Tectonic; Disaster recovery; Setting up TLS for Vault |
| etcd Open Cloud Service | Fully managed etcd distributed key value store instances with support for automated updates, high availability, and backup and restore. etcd is the leading open source distributed key value store for cloud native applications. [BETA] | etcd Open Cloud Service; etcd client service; Status events and conditions; etcd resource labels; Cluster TLS policy; Cluster spec examples |
| Prometheus Open Cloud Service | Fully managed Prometheus monitoring server instances with support for automated updates and high availability. Prometheus is the leading open source monitoring solution for cloud native applications. [PUBLIC ALPHA] | Prometheus Open Cloud Service; Getting started; Alerting |

Tectonic Tutorials

These tutorials are designed to help new users create a Tectonic cluster and learn how to use it quickly.

| Feature | Description | Documentation |
| --- | --- | --- |
| Tectonic and Kubernetes | Demonstrates how to bring up a cluster, then part it out, break the system, and watch it rebuild automatically | Tectonic and Kubernetes |
| Amazon Web Services | Install, observe, and scale clusters on AWS using Tectonic. | Installing Tectonic on AWS |
| Microsoft Azure | Install, observe, and scale clusters on Azure using Tectonic. | Installing Tectonic on Azure |


Feature Description Documentation
Quay A comprehensive container registry for building, storing, and distributing containers to your servers. Quay is offered as a packaged solution private instances installation as Quay Enterprise as well as a SaaS service as Quay Enterprise

Container Linux

| Feature | Description | Documentation |
| --- | --- | --- |
| Container Linux | Container Linux redefines the operating system as a smaller, more compact Linux distribution. Traditional distros package unused software that leads to dependency conflicts and needlessly increases the attack surface. | Container Linux |


| Feature | Description | Documentation |
| --- | --- | --- |
| etcd | A distributed key value store that provides a reliable way to store data across a cluster of machines. | etcd |


| Feature | Description | Documentation |
| --- | --- | --- |
| Clair | Clair provides static analysis of vulnerabilities in appc and docker containers. | Clair |


| Feature | Description | Documentation |
| --- | --- | --- |
| flannel | flannel is a virtual network that gives a subnet to each host for use with container runtimes. | flannel |