Managed Kubernetes

Production-grade Kubernetes, managed

HA control planes, autoscaling workers, rolling upgrades, LoadBalancer-backed Services, per-cluster security groups, and custom TLS on the API endpoint - built into the panel.

Cluster Provisioning

Launch a cluster in minutes from a six-step wizard

Pick a region, plug into one of your VPCs, choose Single or HA control plane, set worker count and autoscaler bounds, hit create. Provisioning finishes in 5–12 minutes with a live progress overlay.

Multi-region

Each cluster lives in a region of your choice. Deploy in one region or operate clusters across many regions from the same panel.

VPC-native

Clusters run inside one of your VPCs. Control plane nodes sit in private subnets; workers can live in private or public subnets.

Curated versions

Choose from an admin-managed catalogue of supported Kubernetes versions. Each version ships with vetted container images and tested upgrade paths.

Live progress

A real-time overlay shows the current bootstrap phase with optional log expansion. No more guessing whether provisioning is stuck.

Control Plane

Single-node or 3-node HA, with a managed LB in front

The API server is always exposed through a dedicated managed Load Balancer. Run a single control-plane VM to keep costs down, or 3 nodes for production redundancy that survives a single-node failure.

HA-ready etcd

HA clusters run a 3-node etcd quorum. Tolerates the loss of any one node without an apiserver outage.

Public + private endpoints

Each cluster exposes both a public and a VPC-internal API endpoint. Pick which one your kubectl uses, or restrict to private only.

Custom domain TLS

Bind a Let's Encrypt or custom certificate to the API LB and reach kubectl at k8s.example.com with full TLS verification.

One-click kubeconfig

Download a ready-to-use kubeconfig from the cluster page. Point at the public or private endpoint and run kubectl get nodes.

Workers & Autoscaling

Scale workers manually, or let the autoscaler do it

Pin a fixed worker count or set min/max bounds and the cluster autoscaler grows and shrinks the pool in response to pod demand.

Cluster autoscaler

Workers scale up when pods are pending, scale down when nodes are underutilised. Bounds are enforced strictly so costs never run away.

Manual scale

Type a number, hit Scale. The cluster adds or drains workers cleanly while in-flight pods keep running.

Labels & taints

Set worker labels and taints from the panel - NoSchedule, PreferNoSchedule, or NoExecute - pushed to every worker.

Per-node inspection

Click a node to see CPU/memory donuts, pod-level utilisation, and the top consumers - straight from the panel, no kubectl top required.

Graceful drain

Removing a worker cordons it, evicts pods within a configurable grace period, then deletes the VM. PDBs are respected.

Plan-defined sizing

Workers run on the instance plans you already use elsewhere. CPU, RAM, storage and network limits come straight from the plan.

Node pools

Mix node shapes inside one cluster. Per-pool plans, labels, taints, autoscaling bounds, and drain policy. Run a small general pool + a GPU pool + a memory pool side by side.

Rolling Upgrades

One-click Kubernetes upgrades for control plane and workers

Pick a target version, set surge and drain grace, hit Upgrade. The platform provisions new nodes on the target version, drains the old ones, and repeats wave-by-wave until the cluster is on the new version.

Worker surge-replace

Configure how many extra workers can run in parallel. 1 means one-at-a-time with zero overhead, higher means faster.

Control plane wave-by-wave

CP upgrade always uses surge=1 - one new CP node provisioned, one old drained, then repeat. Apiserver stays available across all waves.

Configurable drain grace

Set how long pods have to exit gracefully before force-removal. PDBs are honoured; stuck workloads are surfaced to you instead of silently retried.

Valid-path enforcement

Kubernetes does not allow an upgrade to skip minor versions. The dropdown only shows versions you're allowed to upgrade to from your current version.

svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: webapp
  annotations:
    service.beta.kubernetes.io/managed-loadbalancer-plan: std-2g
    service.beta.kubernetes.io/managed-loadbalancer-backend-protocol: http
    service.beta.kubernetes.io/managed-loadbalancer-ssl-mode: letsencrypt
    service.beta.kubernetes.io/managed-loadbalancer-ssl-domain: app.example.com
spec:
  type: LoadBalancer
  selector:
    app: webapp
  ports:
  - port: 443
    targetPort: 8080

$ kubectl apply -f svc.yaml
$ kubectl get svc webapp
NAME     TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)
webapp   LoadBalancer   10.96.142.10   203.0.113.42   443:30421/TCP

LoadBalancer Services

Apply a Service, get a managed Load Balancer

Every cluster ships with the built-in Cloud Controller Manager. Apply a Service of type: LoadBalancer with a plan annotation, and a real platform LB appears with a public IP within a couple of minutes.

  • SSL with Let's Encrypt - auto-issued and auto-renewed certificates.
  • Active + passive health checks - configurable via annotation.
  • Source range filtering, security groups, PROXY protocol, public or VPC-only.
  • Auto worker tracking - scaled-in/out workers appear in the LB pool within seconds.
Security & Networking

Defense in depth, per scope

Three separate security-group scopes - LB, control plane, workers - with inbound and outbound rules controllable from the panel.

LB SG - who can reach the API

Restrict access to the API LB by source IP. Tighten for production clusters, leave open for development.

Control plane SG

Separate rule set for control plane node networking. Lock down what reaches your apiservers without affecting workers.

Worker SG

Worker-side firewall rules. Cilium CNI runs in eBPF kube-proxy replacement mode, with platform SGs layered on top.

Pod Security Admission

Set the cluster-wide default Pod Security Admission profile at create time - privileged, baseline, or restricted.
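
What the restricted profile asks of a workload, as an added example that is not taken from the platform's documentation: a Namespace that enforces the profile through the upstream Pod Security Admission labels, and a Deployment backing the webapp Service from svc.yaml whose security context passes it. The namespace name, image and UID are placeholders.

```yaml
# Added example; webapp-prod, the image and the UID are hypothetical.
# The pod-security.kubernetes.io/* labels are the upstream Pod Security
# Admission labels. Set on a namespace, they take precedence over the
# cluster-wide default profile for that namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: webapp-prod
  labels:
    pod-security.kubernetes.io/enforce: restricted  # reject violating pods
    pod-security.kubernetes.io/audit: restricted    # annotate audit events
    pod-security.kubernetes.io/warn: restricted     # warn the kubectl user
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  namespace: webapp-prod     # apply svc.yaml in this namespace as well
spec:
  replicas: 2
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp          # matched by the Service selector in svc.yaml
    spec:
      automountServiceAccountToken: false  # extra hardening, not required
      securityContext:
        runAsNonRoot: true   # restricted: containers must not run as root
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault   # restricted: RuntimeDefault or Localhost
      containers:
      - name: webapp
        image: registry.example.com/webapp:1.0.0   # placeholder image
        ports:
        - containerPort: 8080    # targetPort in svc.yaml
        securityContext:
          allowPrivilegeEscalation: false  # required by restricted
          readOnlyRootFilesystem: true     # extra hardening, not required
          capabilities:
            drop: ["ALL"]                  # required by restricted
```

A pod that violates the profile is rejected at admission in this namespace; the warn and audit labels surface the same violations as client warnings and audit-log annotations.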

Custom API domain TLS

Bind a Let's Encrypt or custom certificate to the API LB and point your DNS at it. Reach kubectl on a domain you own with strict TLS verification.

Multi-tenant by design

Each cluster belongs to a single account and lives in its own VPC. Tenants cannot see or reach each other's clusters from the network layer.

Day-2 Operations

Everything in one pane of glass

The cluster detail page is your unified operations dashboard. Live state, per-task logs, scaling, upgrades, security groups, certificates - no ssh into nodes required.

Live progress overlay

Provisioning and upgrades show a phase-by-phase progress overlay with an optional log expansion. No guessing whether an operation is stuck.

Per-task logs

Every cluster operation is a tracked task with structured logs. Filter by master, slave, cluster, or controller source.

Project organization

Group clusters into projects alongside your VPCs, instances, and load balancers. Filter resources per project in the user dashboard.

Team-friendly RBAC

Invite team members with role-based access. Bucket destructive operations (scale, upgrade, delete) under permissions that match your team structure.

Automatic certificate renewal

Cluster PKI, in-cluster autoscaler tokens, and the cloud controller manager all rotate themselves 30 days before expiry. You get a heads-up email; in-cluster workloads keep running. Only kubectl users re-download the kubeconfig.

Stack

Battle-tested upstream components

Standard Kubernetes from pkgs.k8s.io, kubeadm-bootstrapped, Cilium for networking. Nothing exotic.

kubeadm + kubelet + containerd

Vanilla upstream control plane and runtime, pinned per supported Kubernetes minor version.

Cilium CNI - eBPF kube-proxy replacement

In-kernel eBPF dataplane. Faster than iptables-based kube-proxy, with native NetworkPolicy support.

Cloud Controller Manager

Pre-installed integration that watches Services and Nodes and reconciles them against the Hypervisor.io platform.

Cluster Autoscaler & metrics-server

Standard cluster autoscaler driving worker scale-up/down, and metrics-server for in-cluster kubectl top.

Ready to ship to Kubernetes?

Launch a cluster in minutes, apply a Service, get a managed LB. The full annotation reference for type: LoadBalancer is one click away.