Palette eXtended Kubernetes
Palette eXtended Kubernetes (PXK) is a customized version of the open source Cloud Native Computing Foundation (CNCF) distribution of Kubernetes. This Kubernetes version can be deployed through Palette to all major infrastructure providers, public cloud providers, and private data center providers. This is the default distribution when deploying a Kubernetes cluster through Palette. For Edge deployments, we also offer Palette eXtended Kubernetes - Edge (PXK-E), which is a version of PXK specifically designed for Edge deployments.
PXK and PXK-E share the core Cloud Native Computing Foundation (CNCF) binaries, with out-of-the-box security hardening that makes them ideal for production workloads without manual intervention. The following table offers a comparative overview between PXK and CNCF kubeadm.
| Feature | PXK | kubeadm |
|---|---|---|
| Audit logging | ✅ Enabled | ❌ Not enabled by default |
| PodSecurity admission | ✅ Enabled + configured | ❌ Not enabled by default |
| Hardened kubelet config | ✅ Enforced | ❌ Not enforced by default |
| Kernel tuning | ✅ Applied automatically | ❌ Manual |
| Lifecycle hooks | ✅ Pre/Post support | ❌ Not built-in |
Shared Core with CNCF-Distribution Kubeadm
The default, non-FIPS-compliant variants of PXK and PXK-E use official upstream images from registry.k8s.io, the same
registry used by CNCF distributions. These images include all essential components:
- kube-apiserver
- etcd
- kube-scheduler
- kube-controller-manager
- kube-proxy
- CoreDNS
- pause
The FIPS-compliant variants of PXK and PXK-E, used in Palette VerteX, do not use upstream images directly. Instead, they use images recompiled with FIPS-compliant cryptographic libraries. For more information, refer to FIPS-Compliant Components.
Both the FIPS and non-FIPS variants of PXK and PXK-E are fully CNCF-conformant and compatible with ecosystem tools such
as Helm, kubectl, and Kubernetes-native APIs. The only modifications we make are configuration changes related to
security hardening and out-of-the-box ecosystem integration. You can refer to the Kubeadm documentation
to learn about all the configurations exposed in the
Palette eXtended Kubernetes (PXK) pack.
Security Hardening
In addition to being CNCF-conformant, PXK comes with out-of-the-box security hardening:
- PodSecurity admission enabled with baseline enforcement and strict warning.
- Audit logging configured with sane filters and volume mounts.
- Secure API server flags.
- Kubelet hardened with read-only port disabled and cert rotation.
These security hardening measures make your clusters production ready without manual security intervention.
Host-level System Tuning
By default, PXK applies Linux kernel parameter tuning that aligns with Kubernetes best practices and production hardening:
- Allows VM memory overcommit to ensure predictable memory allocation behavior for pods.
- Automatically reboots the node 10 seconds after a kernel panic.
- Treats kernel “oops” events as fatal, triggering panic and recovery.
Lifecycle Management
PXK supports declarative lifecycle hooks that allow operators to inject custom logic before and after kubeadm provisioning:
- Pre-init hooks (
preKubeadmCommands) can apply kernel parameters, prepare certificates, or customize node behavior. - Post-init hooks (
postKubeadmCommands) can adjust permissions, deploy agents, or perform cleanup.
This approach simplifies integration with existing automation workflows, eliminates the need for brittle wrapper scripts, and ensures consistent behavior across environments.
PXK vs PXK-E
The biggest difference between PXK and PXK-E is that PXK-E is only available when integrated with Kairos in a provider image, or used as the Kubernetes layer in agent mode deployments, while PXK is used in controller mode clusters.
In addition, PXK-E makes a few adjustments on top of PXK to account for Edge environments by streamlining configuration files, reducing deployment complexity, and emphasizing immutability. The following table provides a brief comparison between PXK and PXK-E.
| Feature | PXK | PXK-E |
|---|---|---|
| Supported deployment mode | Controller mode | Appliance mode or agent mode |
| Pod security admission | Included | Not explicitly configured |
| Kubelet config | kubeletExtraArgs + sysctl files | Native kubeletConfiguration block |
| Audit policy | External file (mounted) | Inline YAML |
| Lifecycle hooks | preKubeadmCommands, postKubeadmCommands | Uses cloud-init stages |
| etcd tuning | Uses default Kubeadm etcd configurations | Custom arguments for storage efficiency and hardened security |