Discovering the expanding landscape of CNCF: Teller, OpenCost, OpenFunction, and External-Secrets

Cloud Native Computing Foundation (CNCF) is the largest open source sub-foundation.

It was established in 2015 under the Linux Foundation with the main objective of helping container technology advance and contribute to the growth and evolution of cloud native systems.

The CNCF enables open source projects, including Kubernetes, Prometheus, Envoy, and many others. It serves as the vendor-neutral home for open source projects, and brings together developers, end users and vendors for close collaboration.

The CNCF hosts more than a 100 projects today, which are categorized under the following maturity levels: 

🥚Sandbox: Early Stage

🐣Incubating: Still under development

🐥Graduated: Overall maturity, enterprise-grade

Besides Kubernetes there are many important CNCF projects including Prometheus, CoreDNS, ArgoCD and Helm, some of which we have covered in the previous posts.

This article takes a deep dive into four specific CNCF projects: Teller, OpenCost, OpenFunction, and External-Secrets.


First, let’s explore Teller, a project that has entered the CNCF sandbox stage in 2022. Teller is an open-source secret management hub designed to secure, manage, and control access to sensitive data such as tokens, credentials and keys across applications.

You can use teller to connect it to any vault, key store, or cloud service you like (e.g. Teller supports Hashicorp Vault, AWS Secrets Manager, Google Secret Manager and more). It is a great alternative to having custom bash scripts, tokens in your .zshrc files, visible EXPORTs in your bash history, or misplaced .env files.


Teller’s primary strength lies in its centralized, secure approach to handling sensitive data, reducing the risk of data exposure. It provides enhanced data security, easier management, and better audit capabilities. The versatility of Teller makes it compatible with numerous secret providers such as HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault, to name a few.


However, within its evolving stage, Teller lacks the maturity of some other secret management tools. Organizations with complex needs might find it less comprehensive. There can be potential issues related to configuring access control, especially in large scale, complex environments.


As Teller matures and develops, expect to see more comprehensive features and robust integrations with other CNCF projects and third-party services.


OpenCost was originally developed and open sourced by Kubecost and is now a CNCF sandbox project. This is a cloud-native application designed to provide detailed insights into cloud costs and usage. OpenCost breaks down costs at a granular level, enabling organizations to optimize their cloud spendings.

OpenCost models give teams visibility into current and historical Kubernetes spend and resource allocation. These models provide cost transparency in Kubernetes environments that support multiple applications, teams, organizations, etc.


OpenCost is an excellent tool for managing cloud expenses, offering a clear view of resource usage and costs. It provides organizations with the ability to budget, forecast, and analyze their cloud expenditure effectively.


Effectiveness of OpenCost is reliant on the accurate tagging and categorization of resources, which can be a significant overhead for large-scale deployments. Also, it may likely not cover cost-analysis requirements for multi-cloud environments.


Given the increasing need for cost management and FinOps tools, OpenCost is likely to experience significant growth and development. Future iterations might include more sophisticated cost prediction models and support for a broader range of cloud service providers.


OpenFunction is a CNCF sandbox project that serves as a serverless platform designed to enable developers to build, run, and manage applications effectively without worrying about the underlying infrastructure.

It is (yet, another) cloud-native open source FaaS (Function as a Service) platform that is cloud agnostic and decoupled from cloud providers’ PaaS, it has a pluggable architecture that allows multiple function runtimes and supports both sync and async functions.

OpenFunction allows you to focus on your business logic without having to maintain the underlying runtime environment and infrastructure. You just need to submit business-related source code in the form of functions.


OpenFunction provides a higher level of abstraction, helping developers focus more on their application code rather than infrastructure management. It supports multiple FaaS (Functions as a Service) runtimes and integrates well with other CNCF projects, offering a diverse, interoperable environment.


The biggest challenge with OpenFunction could be its lack of adoption and awareness, given the crowded market of serverless platforms. Also, developers may face a learning curve due to its higher level of abstraction, in case they have no previous serverless experience.


OpenFunction has a good chance of becoming more popular, yet it has to compete with a few FaaS projects available today. Improved integration with cloud service providers and more developments can be expected in the future. Click here to check our precious blog post and learn more about serverless in Kubernetes.


Last, but not least, External-Secrets, a CNCF incubating project, is a Kubernetes operator that aims to securely and automatically sync sensitive information from a wide range of secret management backends to Kubernetes.

It integrates external secret management systems like AWS Secrets Manager, HashiCorp Vault, Google Secrets Manager, Azure Key Vault, IBM Cloud Secrets Manager and  others. The operator reads information from external APIs and automatically injects the values into  Kubernetes Secrets.



External-Secrets greatly enhances the security of Kubernetes deployments by minimizing the exposure of sensitive data. It integrates with several secret management systems and helps maintain consistency across environments.



Given its specific focus on Kubernetes, organizations not using Kubernetes or planning to shift away won’t find External-Secrets beneficial. It also requires basic understanding of Kubernetes secrets and how operators work..



As Kubernetes continues to dominate the container orchestration market, the importance and adoption of External-Secrets is likely to grow. Future enhancements might include support for new secret backends and improved ease-of-use features.


CNCF projects are playing a pivotal role in shaping the future of cloud-native computing. Teller, OpenCost, OpenFunction, and External-Secrets each cater to unique facets of the cloud-native landscape, be it secret management, cost analysis, serverless computing, or Kubernetes secrets automation.

While they are in different stages of development and come with their own sets of pros and cons, their ongoing improvements and increasing adoption reflect the open-source community’s commitment to making cloud-native computing more secure, efficient, and cost-effective. As these projects mature, they’re poised to offer even greater value to organizations, helping them optimize their cloud-native journeys.

Still, it’s important to remember that implementing and managing these technologies requires in-depth understanding and expertise. That’s where we come in. Whether you’re just beginning your cloud-native journey or looking to optimize an existing system, our team is here to help. We offer comprehensive consulting and management services for these and other CNCF projects. Don’t navigate the complex landscape of cloud-native technology alone—contact us today to see how we can help make your cloud-native journey a success.