The open source movement has entered a new, more pragmatic phase. Long past the era of ideological debates about freedom and community, open source now serves as the operational backbone for artificial intelligence and cloud-native infrastructure. While headline-grabbing AI models remain largely proprietary, the underlying plumbing that makes those models runnable, observable, and scalable is increasingly built from open source components. This is not a retreat from openness but a maturation—a shift from code as a statement of values to code as a strategic asset.
The numbers tell the story. The Cloud Native Computing Foundation (CNCF) now hosts over 230 projects with more than 300,000 contributors worldwide. Its 2025 survey revealed that 98% of organizations have adopted cloud-native techniques, and 82% of container users run Kubernetes in production. GitHub's Octoverse report for 2025 reported 1.12 billion contributions, over 180 million developers, and 518.7 million merged pull requests. The Apache Software Foundation, though less flashy, counted 9,905 committers across 295 projects and issued 1,310 software releases in fiscal year 2025. This is not a movement in decline; it is one that has become deeply embedded in the enterprise.
Control through code
The idea that open source is primarily about altruism or developer-led morality plays has always been a simplification. Today it is nearly impossible to maintain. Companies contribute to open source projects not because they have discovered civic virtue, but because they recognize that whoever shapes the foundational layers of infrastructure gains leverage over everything built on top of them. This is especially true for artificial intelligence, where the cost of compute, the need for observability, and the complexity of orchestration make standardized, inspectable infrastructure not just desirable but necessary.
Consider the leading contributors to CNCF projects in 2025. Red Hat topped the list with 194,699 contributions, followed by Microsoft with 107,645 and Google with 91,158. Independent contributors still matter—they landed fourth with 52,404—but the center of gravity is unmistakably corporate. These companies are investing serious money to have their engineers shape the plumbing their products depend on. The top contributors have remained consistent over the past decade, signaling a long-term commitment to setting defaults and normalizing interfaces.
Red Hat's dominance is easy to explain. Its OpenShift platform is built on Kubernetes, so it makes strategic sense to pour effort into the Kubernetes ecosystem. This is not charity; it is product strategy. Similarly, Microsoft's second-place position is revealing. Once the company most associated with open source hostility, Microsoft now actively contributes to projects like OpenTelemetry, which saw a 39% rise in commits in 2025 and a contributor base that grew from 1,301 to 1,756. Microsoft, along with Splunk and others, is investing in observability standards to ensure that the tools customers use to monitor their systems align with their own product offerings.
The rise of boring infrastructure
One of the most telling examples of open source's evolution is Cilium, a project that provides networking, observability, and security for cloud-native workloads. Cilium's journey report notes that the number of contributing companies rose 90% after it joined the CNCF, from 533 to 1,011, while individual contributors jumped from 1,269 to 4,464. Google, Datadog, and Cloudflare all expanded their contributions as the project matured. This is not random. Cilium sits at the intersection of networking, observability, and security—categories that become mission-critical once workloads become distributed, latency-sensitive, and expensive.
Artificial intelligence amplifies these needs. AI inference workloads, especially when running on Kubernetes, require fine-grained scheduling, efficient networking, and deep observability to manage costs and performance. CNCF data shows that 66% of organizations hosting generative AI models now use Kubernetes for some or all inference workloads, and the foundation explicitly calls Kubernetes the de facto operating system for AI. While that statement may be self-serving given CNCF's dependence on Kubernetes, it reflects a real trend: organizations do not want to build their AI future on opaque, inescapable infrastructure they cannot inspect or influence.
Nvidia's open source strategy
Perhaps the most striking example of corporate investment in open source for AI is Nvidia. The company, which has amassed enormous wealth from AI chip sales, could easily afford to keep all its software proprietary. Instead, it ranks 14th in Kubernetes contributions over the past two years, with 5,892 contributions. It has open sourced KAI Scheduler, a Kubernetes-native GPU scheduler that came out of its Run:ai acquisition, and describes itself as a key contributor to Kubeflow. This is not philanthropy; it is a calculated move to shape the scheduling, orchestration, and workflow layers that determine how effectively Nvidia's chips are used in real-world AI systems.
Nvidia's approach illustrates a broader pattern. Open source projects are no longer just about sharing code; they are about defining the standards that make ecosystems work. Companies that contribute to the control plane—the layers where operational assumptions harden into de facto standards—gain influence that no amount of marketing spend can buy. This is why we see companies like Apple, Amazon, and Meta also active in projects like Kubernetes, despite their reputations for closed ecosystems in other areas.
The democratization of AI infrastructure
One of the less discussed benefits of this shift is the democratization of AI infrastructure. When the foundational layers are open and standardized, smaller companies and individual developers can build on top of them without being locked into a single vendor's stack. Kubernetes, for example, runs on any cloud or on-premises environment, which means that an AI startup can start on a public cloud and later migrate to its own hardware without rewriting its entire deployment. OpenTelemetry provides vendor-neutral observability, so teams can monitor their AI workloads without being tied to a specific monitoring service.
This openness is especially critical in regulated industries like healthcare, finance, and government, where organizations need to inspect the infrastructure they use to ensure compliance with data sovereignty, audit trails, and security requirements. Proprietary black boxes are unacceptable in such contexts. Open source offers a path to compliance without sacrificing innovation, because organizations can audit the code, run their own forks, and contribute improvements back to the community.
At the same time, the commoditization of infrastructure through open source forces vendors to compete on higher-value layers. Companies like Databricks, Snowflake, and even cloud providers like Amazon and Google now build their AI and data services on top of open source foundations. This dynamic keeps prices competitive and drives innovation in the application layer, where proprietary differentiation is sustainable. The open source infrastructure itself becomes a shared utility, similar to how the internet's core protocols are standardized.
The new contributor landscape
The profile of the average open source contributor is also changing. While independent hobbyists still play a role, the vast majority of contributions now come from employees whose companies pay them to work on open source as part of their job. According to the Linux Foundation's 2025 report on open source employment, more than 70% of developers who contribute to open source do so as part of their paid work. This professionalization has led to higher code quality, more predictable release cycles, and better governance, but it has also introduced tensions around transparency and community autonomy.
Some argue that corporate domination threatens the collaborative spirit of open source. However, the data suggests that corporate involvement has been overwhelmingly positive for project health. Projects with strong corporate backing tend to have more resources for security audits, documentation, and long-term maintenance. The key is to maintain a diverse set of contributors so that no single company can dictate the direction of a project. The CNCF and Apache Software Foundation have governance models designed to prevent capture, with processes for community voting, technical oversight committees, and trademark protection.
Microsoft's transformation from open source opponent to top contributor is a case study in how corporate strategy can align with community values. The company not only contributes code but also releases open source tools and libraries, hosts projects on GitHub, and pays engineers to participate in standards bodies. Similarly, Google's contributions to Kubernetes, TensorFlow, and Golang have shaped entire ecosystems. These companies recognize that in the age of AI, control over infrastructure is more valuable than control over individual products.
Infrastructure for AI workloads
The specific infrastructure needs of AI workloads are driving innovation in open source projects. Training large models requires massive compute clusters with high-speed networking and efficient GPU utilization. Projects like Kubeflow, MLflow, and Ray are becoming essential for managing the lifecycle of machine learning models, from data preparation to training to deployment. Kubernetes operators for GPUs, such as the NVIDIA GPU Operator, simplify the management of hardware accelerators in a Kubernetes cluster.
Inference, which is the process of running a trained model on new data, is even more demanding in terms of latency and throughput. Serverless frameworks like Knative, combined with Kubernetes, allow organizations to scale inference endpoints dynamically based on demand. Open source projects like vLLM and TGI (Text Generation Inference) provide optimized runtimes for large language models, and they are often deployed on Kubernetes. The result is a stack where every layer—hardware abstraction, scheduling, serving, monitoring—is open source.
Observability is another area where AI is driving open source adoption. Models in production can behave unpredictably, and teams need to track metrics like token generation speed, error rates, and cost per query. OpenTelemetry provides a unified framework for capturing traces, metrics, and logs, and it integrates with tools like Prometheus, Grafana, and Jaeger. Without such tools, debugging AI systems would be nearly impossible. The rapid growth of OpenTelemetry, with a 39% increase in commits in 2025, reflects the urgency of this need.
Security and supply chain
As open source becomes more central to AI infrastructure, supply chain security becomes paramount. The SolarWinds attack was a wake-up call, but the threat is especially acute for AI because models themselves can be attacked. Open source projects like Sigstore provide a framework for signing and verifying artifacts, while SLSA (Supply Chain Levels for Software Artifacts) helps organizations define and enforce security levels. The CNCF's Security Technical Advisory Group has published guidelines for securing Kubernetes deployments, and tools like OPA (Open Policy Agent) and Falco provide runtime security monitoring.
The open source community is responding to these challenges by making security a first-class citizen in project governance. The Open Source Security Foundation (OpenSSF) has developed scorecards and best practices that projects can adopt. Tens of thousands of projects now have automated vulnerability scanning and dependency management. While no system is perfect, the transparency of open source allows security researchers to identify and patch vulnerabilities faster than in proprietary software. For AI workloads, where a compromised model or inference pipeline could have catastrophic consequences, this transparency is a significant advantage.
Moreover, the fact that AI infrastructure is increasingly standardized on open source means that security tools and practices can be shared across organizations. A vulnerability discovered in Kubernetes affects everyone, but it also gets fixed by a global community of engineers. The same cannot be said for proprietary systems, where fixes depend on a single vendor's roadmap. This collective resilience is one of the strongest arguments for open source in the AI era, even if the motivations behind contributions are now more strategic than altruistic.
The road ahead
Open source did not die. It became the control plane for AI. The projects that matter—Kubernetes, Cilium, OpenTelemetry, Kubeflow, and others—are those that sit at the foundation of modern infrastructure. They are not exciting in the way that a new large language model or a breakthrough algorithm is exciting. They are boring, reliable, and essential. And that is exactly what the industry needs.
The companies that invest in these projects are not doing it out of goodwill. They are doing it because they understand that whoever shapes the underlying layers will have a say in how AI evolves. Open source has become less about sharing code for the sake of sharing and more about setting standards that everyone else has to live with. This is not a betrayal of the open source ethos; it is the natural evolution of a movement that has proven its value in the most demanding environment imaginable: production AI at scale.
Source: InfoWorld News