
Palette eXtended Kubernetes

Palette eXtended Kubernetes (PXK) is a customized version of the open source Cloud Native Computing Foundation (CNCF) distribution of Kubernetes. Palette can deploy it to all major public cloud providers and private data center infrastructure providers, and it is the default distribution when you deploy a Kubernetes cluster through Palette. For Edge deployments we also offer Palette eXtended Kubernetes - Edge (PXK-E), a variant of PXK designed specifically for Edge environments.

PXK and PXK-E share the same core CNCF binaries and add out-of-the-box security hardening, so they are suitable for production workloads without manual intervention. The following table compares PXK with a cluster bootstrapped by an unmodified kubeadm.

| Feature | PXK | kubeadm |
|---|---|---|
| Audit logging | ✅ Enabled | ❌ Not enabled by default |
| PodSecurity admission | ✅ Enabled and configured | ❌ Plugin enabled, but no enforcement configured by default |
| Hardened kubelet config | ✅ Enforced | ❌ Not enforced by default |
| Kernel tuning | ✅ Applied automatically | ❌ Manual |
| Lifecycle hooks | ✅ Pre/post hooks supported | ❌ Not built in |

Shared Core with CNCF-Distribution Kubeadm

The default, non-FIPS-compliant variants of PXK and PXK-E use official upstream images from registry.k8s.io, the same registry used by CNCF distributions. These images include all essential components:

  • kube-apiserver
  • etcd
  • kube-scheduler
  • kube-controller-manager
  • kube-proxy
  • CoreDNS
  • pause

The FIPS-compliant variants of PXK and PXK-E, used in Palette VerteX, do not use upstream images directly. Instead, they use images recompiled with FIPS-compliant cryptographic libraries. For more information, refer to FIPS-Compliant Components.

Both the FIPS and non-FIPS variants of PXK and PXK-E are fully CNCF-conformant and compatible with ecosystem tools such as Helm, kubectl, and Kubernetes-native APIs. The only modifications we make are configuration changes related to security hardening and out-of-the-box ecosystem integration. You can refer to the Kubeadm documentation to learn about all the configurations exposed in the Palette eXtended Kubernetes (PXK) pack.

Security Hardening

In addition to being CNCF-conformant, PXK comes with out-of-the-box security hardening:

  • PodSecurity admission enabled, enforcing the baseline Pod Security Standard and warning on violations of the stricter restricted profile.
  • Audit logging configured with a sane policy (filters that drop noisy, low-value requests) and the volume mounts that expose the policy file and log directory to the API server's static pod.
  • Secure API server flags.
  • Kubelet hardened: the unauthenticated read-only port (10255) is disabled and certificate rotation is enabled.

These measures make your clusters production ready without manual security intervention. They are configuration changes only, so CNCF conformance is unaffected.
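
The hardening bullets above, as an added example in standard kubeadm and API server configuration syntax (this is illustrative, not the PXK pack's own files): a ClusterConfiguration that points kube-apiserver at an admission configuration enforcing the baseline Pod Security Standard with warnings and audit annotations at the restricted level, and at an audit policy that drops health-check noise and records secrets only at Metadata level so their contents never reach the log. The file paths, log rotation values and the kube-system exemption are assumptions. Because kube-apiserver runs as a static pod, each host file has to be mounted into it with extraVolumes.

```yaml
# Added example, not the PXK pack's own files. Three documents: the kubeadm
# ClusterConfiguration and the two host files it points at. All paths are
# assumptions; both files must exist on the control plane host before kubeadm
# init, and they are mounted because kube-apiserver is a static pod.
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  extraArgs:
    # PodSecurity admission configuration (enforce/warn/audit levels)
    admission-control-config-file: /etc/kubernetes/admission-config.yaml
    # Audit logging: policy plus a rotated on-disk log
    audit-policy-file: /etc/kubernetes/audit-policy.yaml
    audit-log-path: /var/log/kubernetes/audit/audit.log
    audit-log-maxage: "30"
    audit-log-maxbackup: "10"
    audit-log-maxsize: "100"
    # Secure API server flags: no profiling endpoint, no TLS below 1.2
    profiling: "false"
    tls-min-version: VersionTLS12
  extraVolumes:
    - name: admission-config
      hostPath: /etc/kubernetes/admission-config.yaml
      mountPath: /etc/kubernetes/admission-config.yaml
      readOnly: true
      pathType: File
    - name: audit-policy
      hostPath: /etc/kubernetes/audit-policy.yaml
      mountPath: /etc/kubernetes/audit-policy.yaml
      readOnly: true
      pathType: File
    - name: audit-log
      hostPath: /var/log/kubernetes/audit
      mountPath: /var/log/kubernetes/audit
      pathType: DirectoryOrCreate
---
# /etc/kubernetes/admission-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      defaults:
        enforce: baseline          # reject pods that fail the baseline profile
        enforce-version: latest
        warn: restricted           # warn clients about restricted-profile violations
        warn-version: latest
        audit: restricted          # and annotate those violations in the audit log
        audit-version: latest
      exemptions:
        usernames: []
        runtimeClasses: []
        namespaces: ["kube-system"]   # control plane pods need host access
---
# /etc/kubernetes/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages: ["RequestReceived"]     # one event per request, not two
rules:
  # Drop health checks and version probes: high volume, no security value
  - level: None
    nonResourceURLs: ["/healthz*", "/livez*", "/readyz*", "/version"]
  # kube-proxy watching endpoints and services is constant background noise
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Secrets and configmaps: record who touched them, never their contents
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: authentication.k8s.io
        resources: ["tokenreviews"]
  # Every mutating call elsewhere gets the full request and response body
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
  # Everything else (reads) at Metadata level
  - level: Metadata
```

Two checks worth running after applying something like this: the PodSecurityConfiguration v1 API needs Kubernetes 1.25 or later (older clusters use v1beta1), and if either host file is missing kube-apiserver refuses to start rather than running without the policy, so a crash-looping apiserver static pod right after init usually means the file was not placed before kubeadm ran.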

Host-level System Tuning

By default, PXK applies Linux kernel parameter tuning that aligns with Kubernetes best practices and production hardening:

  • vm.overcommit_memory=1: always allow memory overcommit, so memory allocations for pods are never refused up front and allocation behaviour is predictable.
  • kernel.panic=10: automatically reboot the node 10 seconds after a kernel panic.
  • kernel.panic_on_oops=1: treat kernel "oops" events as fatal, triggering a panic and therefore a recovery reboot.

These are the values the kubelet itself expects: a kubelet started with --protect-kernel-defaults refuses to run on a node where they differ, and without that flag it rewrites them itself.

Lifecycle Management

PXK supports declarative lifecycle hooks that allow operators to inject custom logic before and after kubeadm provisioning:

  • Pre-init hooks (preKubeadmCommands) can apply kernel parameters, prepare certificates, or customize node behavior.
  • Post-init hooks (postKubeadmCommands) can adjust permissions, deploy agents, or perform cleanup.

This approach simplifies integration with existing automation workflows, eliminates the need for brittle wrapper scripts, and ensures consistent behavior across environments.
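
The kernel parameters from the previous section and the hook model above, together with the kubelet hardening described earlier, as an added example in the Cluster API KubeadmConfigTemplate shape, which exposes fields named files, preKubeadmCommands and postKubeadmCommands. This is not the PXK pack's own values file, and how Palette nests these keys in a pack is an assumption, as are the template name and the drop-in path. The sysctl drop-in carries the three settings the page lists plus the three further values the kubelet's --protect-kernel-defaults check requires, so a kubelet started with that flag accepts the node instead of refusing to start.

```yaml
# Added example, not the PXK pack's values file. Cluster API KubeadmConfigTemplate
# for worker nodes; the name and the drop-in path are assumptions.
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: hardened-workers            # hypothetical name
spec:
  template:
    spec:
      # Written by cloud-init before any command below runs
      files:
        - path: /etc/sysctl.d/90-kubelet.conf
          owner: root:root
          permissions: "0644"
          content: |
            # sysctl.conf takes whole-line comments only, no trailing ones
            # Always overcommit: an allocation is never refused up front
            vm.overcommit_memory = 1
            # Reboot 10 seconds after a kernel panic
            kernel.panic = 10
            # Treat an oops as fatal so the node panics and recovers by rebooting
            kernel.panic_on_oops = 1
            # Remaining values the kubelet's --protect-kernel-defaults check expects
            vm.panic_on_oom = 0
            kernel.keys.root_maxkeys = 1000000
            kernel.keys.root_maxbytes = 25000000
      # Pre-init hook: apply the kernel parameters before kubeadm, and so the
      # kubelet, starts
      preKubeadmCommands:
        - sysctl --system
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            # Fail closed if the host does not match the expected tunables
            # instead of letting the kubelet rewrite them
            protect-kernel-defaults: "true"
            # Disable the unauthenticated read-only port (10255)
            read-only-port: "0"
            # Rotate the kubelet client certificate before it expires
            rotate-certificates: "true"
      # Post-init hook: tighten permissions on the kubelet's generated config
      postKubeadmCommands:
        - chmod 0600 /var/lib/kubelet/config.yaml
        - chown root:root /var/lib/kubelet/config.yaml
```

The ordering is the point: cloud-init writes the file, the pre-init hook loads it, and only then does kubeadm start a kubelet that is told to fail rather than fix mismatched tunables. Running the same sysctl line from a post-init hook would be too late, because the kubelet checks the values at startup.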

PXK vs PXK-E

The biggest difference between PXK and PXK-E is that PXK-E is only available when integrated with Kairos in a provider image, or used as the Kubernetes layer in agent mode deployments, while PXK is used in controller mode clusters.

In addition, PXK-E makes a few adjustments on top of PXK to account for Edge environments: it streamlines configuration files, reduces deployment complexity, and emphasizes immutability. Note that PXK-E does not explicitly configure PodSecurity admission, so Edge operators who want baseline enforcement need to add that configuration themselves. The following table provides a brief comparison between PXK and PXK-E.

| Feature | PXK | PXK-E |
|---|---|---|
| Supported deployment mode | Controller mode | Appliance mode or agent mode |
| Pod security admission | Included | Not explicitly configured |
| Kubelet config | kubeletExtraArgs + sysctl files | Native kubeletConfiguration block |
| Audit policy | External file (mounted) | Inline YAML |
| Lifecycle hooks | preKubeadmCommands, postKubeadmCommands | cloud-init stages |
| etcd tuning | Default kubeadm etcd configuration | Custom arguments for storage efficiency and hardened security |

Resources