This week, users of Helm and other cloud native open source projects will have to find other free sources for their pre-compiled production-ready application images and Helm Charts. As of Monday, Broadcom has revamped its image download program, narrowing the free downloads available in favor of a smaller number of resources mostly available under a commercial license.
Users of many open source applications have been hard hit by the change.
Many administrators, however, have baked Bitnami into their own automated deployment strategies. For them, work lies ahead to find new images as well as formulate new migration or mirroring strategies to avoid potential disruption.
“For years, Bitnami’s images and Helm charts were the de facto path to running popular apps on Kubernetes. Well-maintained images, sensible defaults, and easy Helm installs. Many teams pinned Bitnami images in deployments, CI pipelines, and internal charts,” noted a blog post from services provider Prequel.
The biggest risks of the Bitnami deprecation, according to Prequel’s post, are:
While the change is disruptive to the Helm community, others are feeling the pinch as well. One Reddit contributor wondered where he could get the latest images for MongoDB, Postgres and Redis.
The Cloud Native Computing Foundation even issued a statement, asserting that the move did not affect Helm itself, in response to user queries.
“Helm is a graduated project that will remain under the CNCF. It continues to be fully open source, Apache 2.0 licensed, and governed by a neutral community,” wrote CNCF CTO Chris Aniszczyk and Helm co-creator Matt Butcher, in a statement. “Bitnami’s decision to deprecate its public chart and image repositories is entirely separate from the Helm project itself.”
The Tanzu Division of Broadcom announced the move in July, when unveiling a new service based on the Bitnami repository, called Bitnami Secure Images, which would offer an initial set of 280 images that have gone through security hardening (SBOM support, CVE patching, enterprise support), and are available commercially.
As part of the move, the company will gradually disable older (non-hardened) Debian-based images, shuffling them to the Bitnami Legacy archive site.
With a few exceptions, no updates will be made to these older images. The company will also provide a limited subset of free, latest-version images for development use.
Helm charts will still be available on Docker Hub as OCI artifacts.
A number of other commercial vendors have also jumped in to offer their own alternatives: RapidFort offered its set of “near-zero CVE” curated images. Prequel has published a set of CREs (Common Reliability Enumerations) that detect Bitnami images being pulled into production settings, also as part of a paid service.
“The Bitnami disruption represents both a challenge and an opportunity. While the immediate need is to replace Bitnami images to maintain operational continuity, the broader opportunity is to significantly enhance your organization’s security posture through RapidFort’s curated, near-zero CVE container images,” the RapidFort post summarized.
As of earlier this year, Bitnami was serving up as many as 500 million images each month, and had even ramped up its support for Helm charts, scanning all the images the Helm chart included for vulnerabilities.
Bitnami itself was started in 2007 by Daniel López and Erica Brescia, with the goal of making it easier for developers to deploy open source software across different platforms.
(Editor’s note 11/20/2025: This post has been updated with additional information from Broadcom).