Kubernetes & Mesh
Nodes talk over an encrypted private mesh by default, traffic is balanced by config rendered from your topology, and Kubernetes is driven from the same CLI.
Private mesh (WireGuard)
The mesh-controller reconciles a private mesh between topology nodes:
- Generates a WireGuard keypair per node.
- Builds per-peer wg-quick configs from the topology edge set.
- Returns the whole-topology config keyed by node, so every peer table is consistent.
The agent installs the mesh config on each server over mTLS — no manual WireGuard wrangling.
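The rendering step described above, as an added example (not the mesh-controller's own code): each topology edge is installed on both ends, and the result is returned keyed by node. The node names, addresses, placeholder key strings and the function names peer_tables and render_mesh are assumptions made for illustration; real keys would come from `wg genkey` / `wg pubkey`.

```python
# Added example: render per-node wg-quick configs from a topology edge set.
# All node names, addresses and key strings below are constructed placeholders.
NODES = {
    "lb-1":  {"addr": "10.90.0.1", "endpoint": "192.0.2.10:51820"},
    "web-1": {"addr": "10.90.0.2", "endpoint": "192.0.2.11:51820"},
    "db-1":  {"addr": "10.90.0.3", "endpoint": "192.0.2.12:51820"},
}
EDGES = [("lb-1", "web-1"), ("web-1", "db-1"), ("web-1", "lb-1")]  # last one is a duplicate
# Placeholder key material (not valid WireGuard keys).
KEYS = {n: {"private": f"<{n}-private-key>", "public": f"<{n}-public-key>"} for n in NODES}


def peer_tables(nodes, edges):
    """Turn an undirected edge set into a sorted peer list per node."""
    peers = {name: set() for name in nodes}
    for a, b in edges:
        if a not in nodes or b not in nodes:
            raise ValueError(f"edge references unknown node: {a!r} - {b!r}")
        if a == b:
            raise ValueError(f"self-edge on {a!r}")
        peers[a].add(b)  # every edge is installed on both ends,
        peers[b].add(a)  # so the two peer tables cannot disagree
    return {name: sorted(p) for name, p in peers.items()}


def render_mesh(nodes, edges, keys, port=51820):
    """Return {node name: wg-quick config text} for the whole topology."""
    configs = {}
    for name, peers in peer_tables(nodes, edges).items():
        lines = ["[Interface]",
                 f"PrivateKey = {keys[name]['private']}",
                 f"Address = {nodes[name]['addr']}/32",
                 f"ListenPort = {port}"]
        for peer in peers:
            lines += ["", "[Peer]",
                      f"PublicKey = {keys[peer]['public']}",
                      # /32 limits this peer to its own mesh address only
                      f"AllowedIPs = {nodes[peer]['addr']}/32",
                      f"Endpoint = {nodes[peer]['endpoint']}"]
        configs[name] = "\n".join(lines) + "\n"
    return configs


if __name__ == "__main__":
    for node, text in render_mesh(NODES, EDGES, KEYS).items():
        print(f"# --- {node} ---\n{text}")
```

Because peers are derived only from the edge set, a node with no edge to another never receives that node's public key, and each private key appears only in its own node's config.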
Load balancing
The lb-controller reconciles lb nodes:
- Renders nginx configuration from the upstream edges in your topology.
- Provisions the load-balancer VM via the cloud-broker.
- Dispatches the install through the agent-gateway.
Load balancing is config-as-data: change the topology and the config is regenerated.
Kubernetes lifecycle
Manage clusters from pdctl:
pdctl k8s cluster create
pdctl k8s nodepool add
pdctl k8s deploy my-app
pdctl k8s scale my-app --replicas 4
pdctl k8s ingress ...
pdctl k8s secret ...
pdctl k8s logs my-app
pdctl k8s exec my-app -- sh
pdctl k8s adopt   # adopt an existing cluster
One CLI covers both raw servers and Kubernetes workloads.
Multi-cluster federation
When a plan spans more than one cluster, publishing it renders cross-cluster wiring automatically:
- ClusterSet / MCS — a multi-cluster Services manifest is rendered so workloads can resolve each other across clusters.
- Submariner Broker — when federation mode is set to Submariner, the broker manifest is rendered to connect cluster networks.
- GitOps slices — plan publish can emit a per-cluster slice of the plan for a GitOps controller (ArgoCD / Flux) so each cluster only sees its own portion.
Single-cluster plans skip all of this — no ClusterSet is rendered when there is only one cluster.