ApeiroRA

Hosted Control Planes

A notable evolution and special case in multi-cluster federation architecture is the concept of Hosted Control Planes (HCP), originating from the idea of Kubeception[1], that is recursively deploying Kubernetes with or in Kubernetes. With HCP the control and data plane components are hosted as tenant workloads in the worker plane of another cluster, a so-called host or seed cluster. Notably, HCP at its core is a Control-Plane-as-a-Service offering. The HCP approach offers:

  • Cost Efficiency: Organizations can reduce operational overhead and costs associated with maintaining dedicated cluster infrastructure.
  • Faster Provisioning: HCPs enable quicker cluster provisioning times, as the control and data plane can be treated like any other cloud-native component deployment.
  • Security Optimizations: With the planes managed separately, HCP enhances security, including strong isolation boundaries between control and work plane.
  • Cloud-Native Benefits: Kubernetes is the cloud-native reference system for automating deployment, scaling, and management of containerized software. As Kubernetes itself is (containerized) software, we inherit all cloud-native advantages and benefits by using Kubernetes to deploy, host, and operate Kubernetes.
Hosted Control Planes
Hosted Control Planes

Learned Kubernetes skills become portable across all layers of the cloud stack; from the technical infrastructure to the platform and service layers.

Managed Kubernetes Provider

The HCP architecture[2] plays a crucial role in building Managed Kubernetes-as-a-Service offerings, which form an indispensable platform runtime service. This cloud-native underlay service supports application and service teams with universal on-demand runtimes (Kubernetes offers highly useful abstractions for their business needs). Portability features allow using Kubernetes as a lingua franca across different infrastructure providers. This underlay allows for other platform services to be offered and operated, forming the basis of a distributed Cloud Operating System (COS).

Automated operations and enterprise-readiness at scale are a key factor for Managed Kubernetes-as-a-Service, as depicted by the tip of the iceberg idiom:

Operating K8s
Operating K8s
(Source: Gardener documentation)

Project Gardener

is the default Kubernetes-as-a-Service provider of choice in ApeiroRA. It specifically has codified and automated crucial operational features which elevate the otherwise generic HCP architecture to enterprise-readiness level. For example, Gardener automates the management and scaling of its own hosting infrastructure.

Although the Gardener architecture is a variant of the more generic HCP architecture, its specific architecture also provided the blueprint for comprehensive Managed Service Providers (MSP). MSP is a service provisioning system capable of initializing and managing its own hosting or seed infrastructure across available resources in the cloud-edge-continuum, with the goal to offer desired, specialized services.

Gardener Schematics
Gardener Schematics

  1. KubeCeption! A Story of Self-Hosted Kubernetes and Turtles All the Way Down: Inception for Kubernetes. ↩︎

  2. Hosting Control Planes can be implemented with or without Kubeception. Any qualified platform can be instrumented to provide the host environment (cf. MKE or Docker). ↩︎

Funded by the European Union, NextGenerationEU; Supported by Federal Ministry of Economic Affairs and Energy on the basis of a decision by the German Bundestag

Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.

© 2025 SAP SE or an SAP affiliate company. All rights reserved.

Logo of SAP SELogo of the Apeiro Reference ArchitectureLogo of the NeoNephos foundation
Legal Disclosure