Support for running clusters in the cloud and on-premise

Provisioning support for AWS (EKS), Azure (AKS), GCP (GCP), OCI, Bare Metal (Upstream Kubernetes) and Edge (Upstream Kubernetes)

Support for TF or GitOps first approaches Support for private Git repos

Ability to orchestrate Node OS upgrades (e.g. AMIs) in a phased manner across fleet of clusters

Ability to enforce the same guardrails as newly provisioned clusters

Ability to do a backup/restore of Control Plane configuration (in the case of an unmanaged K8s distro) + Data Plane (for stateful applications)

Logging “who did what?” + exporting audits to an external system (e.g. Splunk, Datadog) necessary to demonstrate compliance

Ability to consume the platform through the preferred interface: UI, Backstage, GitOps or CMDBs (e.g. ServiceNow)

No time consuming ticket driven process where the Platform team has to manually provision clusters

Ability for end users to quickly look at resources in the clusters and perform operations via the UI. This is especially useful for non savvy users

Do not mandate VPNs or needing to go through a bastion etc.

It shall be possible to implement a “break glass” procedure so that the application team user has temporary access to debug applications in a prod cluster

View into “what resources” are violating policies so that it is easy to remediate and course correct (for future actions)

To help with scenarios such as: application right sizing exercises and requesting platform team for additional compute

Integrated, low touch experience for installing applications that have been scanned for vulnerabilities etc.

Ensure that clusters are always born with the right set of add-ons Examples for add-ons include security and monitoring tools

Ability to inject values to a manifest dynamically so that a single add-on can be used org-wide, e.g. AWS Load Balancer Helm chart requires configuration of “clusterName”

Ensure that add-ons are always in a compliant state without needing expensive reconciliation tools

Support for a staged roll out model for updating add-ons across clusters

Ability to run custom scripts to determine whether the applications are running fine after an add-on update

To ensure that only blessed versions of add-ons can be used and older versions can be retired/made unavailable Also allows organizations to demonstrate compliance

Allow downstream teams to include more add-ons based on their requirements while ensuring the baseline set of add-ons mandated by the platform team always gets installed

Visibility into add-ons/versions across clusters in the organization

Central platorm that can deliver “cluster as a service” to multiple teams within the organization with access to resources controlled by user identity

Workflows to centrally define templates and share templates selectively with downstream users (Developers, SREs) in a consistent manner Ensures that provisioned clusters conform to approved guidelines

“Namespace as a service” across multiple teams, with isolation and tight access controls

“One size fits all” approach doesn’t work for enterprises It shall be possible for end users to override cluster template configurations selectively, e.g. instance types, regions (as deemed permissible by the platform team)

Implementing K8s RBAC at scale with company’s IDP as source of truth without the need to implement expensive solutions such as bastions, VPNs etc.

Centralized visibility into user actvities + ability to export audits to an external system (e.g. Splunk, Datadog)

Ongoing scans against benchmarks such as CIS, NSA hardening recommendations etc. Ability to securely access the fleet of clusters to run periodic scans and centrally aggregate the benchmark reports

Centralized enforcement of policies for security, reliability and operational efficiency. Centralized visibility into policy violations Examples include: Only allow images from blessed repos & ensure that pods are running with appropriate privileges

Control egress/ingress traffic patterns for clusters (N/S traffic)

Collect of Granular utilization metrics from clusters Flexible chargeback/showback models

Implement capabilities such as:TTL: e.g. cluster will be automatically deprovisioned; Schedule: e.g. cluster “scale down” and “scale up” based on configured schedule

Collect of Granular utilization metrics from clusters to show usage by CPU, Memory

Self-hosted airgapped option may be necessary for highly regulated industries such as public sector and biotech