The platform layer is the set of in-cluster controllers that sit between bare Kubernetes and the apps: everything an application can rely on without having to package it itself. Networking, ingress, certificates, storage, secrets, policy enforcement, backups, observability.
Each page documents the role of one controller, why it was chosen over alternatives, and per-cluster deployment notes generated from the matching k8s/infrastructure/<cluster>/controllers/ tree.
## Networking
| Controller | Role |
|---|---|
| Cilium | eBPF CNI, kube-proxy replacement, WireGuard node-to-node encryption, Hubble flow observability, L2 LoadBalancer IP announcement |
| Envoy Gateway | Gateway API ingress; PROXY protocol v2 (PPv2) anchor for the edge → production chain |
| NetBird Operator | Brings overlay-mesh ACL primitives into the cluster as CRDs |
## Certificates & TLS
## Storage
| Controller | Role |
|---|---|
| Longhorn | Distributed block storage with snapshots, replication, encryption |
## Database
| Controller | Role |
|---|---|
| CloudNative-PG | PostgreSQL operator; every app that needs Postgres uses this |
## Secrets
| Controller | Role |
|---|---|
| External Secrets | Materializes secrets from external providers as in-cluster Secrets |
## Policy & security
| Controller | Role |
|---|---|
| Kyverno | Policy-as-code engine: validates, mutates and generates resources |
| Tetragon | eBPF-based runtime security observability |
## Backups
| Controller | Role |
|---|---|
| k8up | Schedule / Backup CRDs that drive Restic against Hetzner S3 |
## Observability
| Controller | Role |
|---|---|
| metrics-server | Resource metrics API behind kubectl top and the HPA |
| otel-operator | OpenTelemetry Collector lifecycle + Instrumentation CRDs |
## Hardware & runtime
## App composition
| Controller | Role |
|---|---|
| Crossplane | External-resource provisioning from Kubernetes manifests |
| Crossplane Extras | Provider configurations + cluster-side bits Crossplane needs |
| KubeVela | OAM-flavored application composition layer |
## How a platform page is structured
Same two-layer pattern as apps:
- Hand-written prose at the top: what the controller is, why it was chosen, which alternatives were on the table, opinionated operational notes.
- Cluster Deployment at the bottom: auto-generated from the cluster-specific README.md next to the manifests (k8s/infrastructure/<cluster>/controllers/<name>/README.md). Includes the HelmRelease and its chart version, the container images, and any detected dependencies.
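The same three facts (HelmRelease plus chart version, container images, declared dependencies) can be pulled straight from a running cluster, which is a useful cross-check against whatever the README-driven generator emits. The script below is an added illustration, not the generator behind this docs site: it reads the JSON that `kubectl get helmreleases -A -o json` and `kubectl get pods -A -o json` produce, extracts the fields using the Flux HelmRelease v2 (helm.toolkit.fluxcd.io) field paths, and renders a Cluster Deployment block. Both sample documents are constructed, and it additionally flags images referenced by tag only, since a tag can be re-pushed while a digest cannot.

```python
"""Data behind a "Cluster Deployment" section, pulled from kubectl JSON.

Added illustration, not the generator behind this docs site. It consumes the
JSON from `kubectl get helmreleases -A -o json` and `kubectl get pods -A -o json`
and extracts what the page says the section carries: HelmRelease, chart and
version, container images, declared dependencies. Field paths follow the Flux
HelmRelease v2 API (helm.toolkit.fluxcd.io); both sample documents are constructed.
"""
from __future__ import annotations

import json
import re

DIGEST = "sha256:" + "0123456789abcdef" * 4  # constructed 64-hex digest

# Constructed: trimmed output of `kubectl get helmreleases -A -o json`.
SAMPLE_HELMRELEASES = json.dumps({"items": [
    {"metadata": {"name": "cilium", "namespace": "kube-system"},
     "spec": {"chart": {"spec": {"chart": "cilium", "version": "1.16.x",
                                 "sourceRef": {"kind": "HelmRepository", "name": "cilium"}}}},
     "status": {"history": [{"chartName": "cilium", "chartVersion": "1.16.5"}]}},
    {"metadata": {"name": "kyverno", "namespace": "kyverno"},
     "spec": {"chart": {"spec": {"chart": "kyverno", "version": "3.3.4",
                                 "sourceRef": {"kind": "HelmRepository", "name": "kyverno"}}},
              "dependsOn": [{"name": "cilium", "namespace": "kube-system"}]},
     "status": {}},
]})

# Constructed: trimmed output of `kubectl get pods -A -o json`.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "cilium-x7k2p", "namespace": "kube-system"},
     "spec": {"initContainers": [{"image": f"quay.io/cilium/cilium:v1.16.5@{DIGEST}"}],
              "containers": [{"image": f"quay.io/cilium/cilium:v1.16.5@{DIGEST}"}]}},
    {"metadata": {"name": "kyverno-admission-controller-5d9f8", "namespace": "kyverno"},
     "spec": {"initContainers": [{"image": "ghcr.io/kyverno/kyvernopre:v1.13.2"}],
              "containers": [{"image": "ghcr.io/kyverno/kyverno:v1.13.2"}]}},
]})

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_helmreleases(doc: str) -> list[dict]:
    """One record per HelmRelease: chart, version constraint, resolved version, deps."""
    records = []
    for hr in json.loads(doc).get("items", []):
        meta, spec = hr["metadata"], hr.get("spec", {})
        chart = spec.get("chart", {}).get("spec", {})
        history = hr.get("status", {}).get("history") or []  # newest entry first
        records.append({
            "name": meta["name"],
            "namespace": meta["namespace"],
            "chart": chart.get("chart"),
            "source": chart.get("sourceRef", {}).get("name"),
            "version_constraint": chart.get("version"),
            "resolved_version": history[0].get("chartVersion") if history else None,
            # dependsOn entries default to the HelmRelease's own namespace
            "depends_on": [f"{d.get('namespace', meta['namespace'])}/{d['name']}"
                           for d in spec.get("dependsOn", [])],
        })
    return records


def images_by_namespace(doc: str) -> dict[str, list[str]]:
    """Distinct init and main container images per namespace, sorted."""
    found: dict[str, set[str]] = {}
    for pod in json.loads(doc).get("items", []):
        ns = pod["metadata"]["namespace"]
        spec = pod.get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            found.setdefault(ns, set()).add(c["image"])
    return {ns: sorted(imgs) for ns, imgs in found.items()}


def unpinned_images(images: list[str]) -> list[str]:
    """Images referenced by tag only; a tag can be re-pushed, a digest cannot."""
    return [img for img in images if not DIGEST_RE.search(img)]


def render_section(hr: dict, images: list[str]) -> str:
    """Markdown for the 'Cluster Deployment' block of one controller page."""
    version = hr["resolved_version"] or hr["version_constraint"]
    lines = ["## Cluster Deployment", "",
             f"- HelmRelease: {hr['namespace']}/{hr['name']}",
             f"- Chart: {hr['chart']} {version} (from {hr['source']}, constraint {hr['version_constraint']})",
             "- Images:"]
    lines += [f"  - {img}" + ("" if DIGEST_RE.search(img) else "  (tag only, not digest-pinned)")
              for img in images]
    if hr["depends_on"]:
        lines += ["- Depends on:"] + [f"  - {dep}" for dep in hr["depends_on"]]
    return "\n".join(lines)


if __name__ == "__main__":
    images = images_by_namespace(SAMPLE_PODS)
    for hr in parse_helmreleases(SAMPLE_HELMRELEASES):
        print(render_section(hr, images.get(hr["namespace"], [])), end="\n\n")
```

Against a real cluster, replace the two samples with the files written by `kubectl get helmreleases -A -o json > hr.json` and `kubectl get pods -A -o json > pods.json`. `resolved_version` comes from `status.history`, which only exists once Flux has reconciled the release; before that the block falls back to the version constraint from the spec, which is a range, not a pinned version, so treat a section that shows only the constraint as "not yet deployed" rather than as the running version.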
If you're trying to figure out what builds on top of these, see Components for the per-app reusable patches, and Apps for the workloads themselves.