Kubernetes, Uncontained
No more image rebuilds. Run the same immutable declarative environment across local dev → CI → production Kubernetes clusters: on x86 and ARM. Get faster deployments, SBOMs-by-default, and atomic rollbacks.
Sign up for free →Why Go Uncontained
Skip registry round trips
Pull declarative Flox environments at runtime; each node downloads only required hash-pinned packages—push/pull the environment definition, not the payload; end multi-gigabyte round trips.
Predictable starts
Node-local, hash-addressed, pre-warmed caches mean no multi-gig pulls and fast, predictable startup.
Reproducibility
Run the same cryptographically hashed environment across dev, CI, and prod clusters; zero drift, atomic rollbacks.
Built‑in security
Smaller attack surface, SBOMs and provenance by default.
Operational simplicity
Keep the primitives you know—Kubernetes stays Kubernetes. A Flox-maintained
containerdshim with aRuntimeClasslets pods run closer to the metal, with a smaller footprint that’s faster to deploy.
“Like Kata or gVisor extend CRI for isolation, Flox uses CRI to deliver Nix‑style reproducibility—so you run only the software you actually need.”
800→0 MB
Base image elimination
50%
Faster provisioning
5→2
Pipeline stages eliminated
Uncontained
for All Teams
AI/ML Teams
Define AI/ML models as hash-pinned, declarative environments. Zero‑copy model serving: load once, reuse across pods. Hot-swap models with just one edit. Run the same env across dev, CI, and prod.
Data Science
Enable Jupyter-first data science across the SDLC. Add packages as you explore; when ready, deploy the same locked, hash-addressed environment in Jupyter on Kubernetes, batch jobs (training/ETL pipelines), and services (model serving/APIs). No image rebuilds required.
Platform Engineering / SRE
Eliminate image rebuilds and registry pulls with immutable Flox environments. Deploy faster, without cold starts. Roll back atomically. Run one declarative environment definition across Kubernetes on x86 and ARM.
Security Engineering
Shrink your attack surface, get SBOMs by default, roll back atomically—no mutable images or registry exposure. Deploy only exact, versioned dependencies. Compliance? It’s built-in.
Software Engineering
One declarative environment runs across laptops, CI, and prod clusters—no image drift. Edit and redeploy in seconds; no build-push-pull cycle. Test locally against exactly what runs in prod.
Data Engineering
Reproducible pipelines without custom images. Run Spark, dbt, and CLI stacks in the same hash-addressed environment across dev, CI, and prod clusters. Faster deployments, predictable runs.
How It Works
From definition to running workloads
Define and publish the environment.
Reference it in Kubernetes manifests.
Deploy faster, no images required.
What's Next
Keep the momentum going with curated docs, demos, and events tailored for Imageless Kubernetes from Flox.
- Imageless Kubernetes DocumentationRead the Flox for Kubernetes introduction and learn how to ship environments without images.
- FloxHub EnvironmentOpen the containerd shim installer environment directly in FloxHub and start experimenting.
- Get Your Hands on a DemoTry it out yourself using a Flox environment running KIND and get started right away.
- Video WalkthroughMorgan Helton demos deploying real workloads on Kubernetes without building or pushing images, using Flox environments for reproducible, secure releases.
- Meet Us at KubeConFind Flox sessions, talks, and booth details so you can go hands-on with the team in person.
- Learn FloxIf you're completely new to Flox, start with our Flox in 5 minutes guide.
Frequently asked questions
A CRI-level containerd runtime shim that still runs standard containers inside pods. At startup, the shim activates a Flox environment inside the container. CI/CD stays the same—but instead of shipping image layers, you specify the name of a declarative Flox environment (immutable, Nix-backed). Pods read only the required, input-addressed packages from a node-local cache—so no multi-gigabyte image pulls.
You replace build-push-pull image pipelines with a declarative Flox environment, the dependencies of which resolve to hash-addressed packages that live in an immutable, node-local store. Organizations can run their own private, signed binary caches, enabling them to build or mirror packages inside their networks, generate SBOMs and attestations (see SBOMs, below), and point security scanners at that cache. At runtime, nodes fetch only hash-addressed artifacts, so existing provenance, approval, and CVE workflows carry over.
In sum: organizations shift from shipping snapshots (container images) to shipping recipes (declarative environments); recipes yield SBOMs-by-default, single-edit A/B and atomic rollbacks, faster CVE triaging, and other operational benefits. For developers, AI/ML engineers, and other practitioners, Flox environments run as subshells, not containers, so developers can work directly on their local systems, with free access to all resources. Flox development environments are co-located with Git repos, so PRs always update code and runtime together. The same environment travels across the SDLC: local dev → CI → production Kubernetes clusters.
Build and test locally using the same exact packages you use for deployments. Declaratively define all runtime dependencies, variables, services, build recipes, and system constraints. Push changes to FloxHub with flox push. Your Kubernetes Pod specifications reference Flox environments and pull these automatically from FloxHub at runtime. There are no images to rebuild and push, no layers to pull. Flox maps all dependencies to read-only, node-local store paths; these get mounted into containers at runtime.
You can easily build, package, and publish your own custom software to your private Flox catalog of packages. Use custom packages with your Kubernetes workloads by installing them to your FloxHub-hosted environments. When pods start, Flox mounts all packages directly from each node’s input-addressed cache into the container, wiring up paths and libraries automatically.
Open your private FloxHub, navigate to an environment’s Generations tab, select the target generation, and click Switch. All subsequent deployments of that environment will use the selected generation. If you prefer to pin the generation in your Pod specification, append the generation number to the environment reference—for example,
Yes—and your pipelines will typically get simpler. Keep Argo/Helm/Tekton/GitHub Actions; change what you ship (i.e., a declarative environment pinned to an SHA256 hash), not how you deploy. Most iterations drop build → push → pull entirely.
No. Kubernetes still runs containers. The Flox runtime activates the environment at startup (you can use a tiny placeholder container image). You use the Kubernetes primitives you’re familiar with, along with all Kubernetes orchestration, networking, policy, and admission controls.
Flox makes it easy for teams to recreate the exact production runtime for debugging, maintenance, or audits—anywhere, on any machine: you debug the same environment that runs in the Kubernetes cluster—locally or in a debug pod. No guessing what’s inside an image layer. Plus reproducible behavior at runtime makes issues faster to reproduce and fix.
Very. In Flox (powered by Nix), SBOMs are always derived from the input-addressed build graph—not a post-hoc file scan. Every dependency is a concrete /nix/store/ path, the hash of which covers all build inputs (sources, patches, flags, and transitive deps). This means you get both build-time and runtime SBOMs automatically: the build-time SBOM captures the toolchains/SDKs used to produce built artifacts; the runtime SBOM captures the realized closure. Most scanners only infer runtime after the fact; Flox gives you both, with no opt-in step. Because environments resolve to immutable store paths (and can be constrained per system), SBOMs stay exact for macOS and Linux, x86 and ARM.
This improves security work: CVE matching yields fewer false positives, and provenance is attestable. You can generate an attestation that includes the SBOM and either the Flox environment generation (/nix/store/ paths the environment resolves to on a given system. (Change any input and the digest changes.) Because your Deployment references the same value, your Kubernetes admission policy can verify the match before rollout. Nix’s input-addressed provenance makes that identifier deterministic across dev, CI, and prod, so your SBOM↔environment↔deployment check is enforceable end-to-end.