Managed Vanilla Kubernetes

Enterprise Kubernetes you can’t be locked into — or locked out of.

A fully managed, upstream CNCF-conformant Kubernetes cluster — the EKS, AKS and GKE experience, with nothing proprietary layered on top. We run the highly available control plane, the upgrades and the storage, networking, observability and backup plumbing. You keep standard kubectl, Helm and GitOps, and the freedom to move your workloads to any conformant cluster on the day you choose. EU-owned, in the Netherlands, on 100% renewable power.

Upstream / CNCF-conformant
HA control plane · managed upgrades
NVMe-oF storage
No egress tax

Managed Kubernetes Cluster

Managed HA control plane · up to 99.99% SLA

  • DistributionUpstream Kubernetes, CNCF-conformant
  • Control planeManaged, 3-node HA (etcd quorum)
  • Version policyTracks upstream supported (N to N−2)
  • Worker nodescx1 / m1 / n1 / o1 pools · GPU optional
  • StorageLocal NVMe + Ceph (block / file / S3)
  • NetworkingCNI + MetalLB — included free
  • TenancyVPC (shared HW) or DPC (bare-metal)


CNCF-conformant
Standard kubectl, Helm & GitOps
EU-owned — Netherlands
SLA up to 99.99%
100% renewable-powered

Why GRN.CLOUD

Built on three guarantees

The same three guarantees behind every GRN product — here, applied to a raw managed cluster. They are the things a hyperscaler cannot match on all three axes at once.

Sovereign & Secure

EU-owned infrastructure under Dutch jurisdiction — not a US hyperscaler’s “European region”, which stays subject to the US Cloud Act regardless of where the data sits. No Cloud Act exposure, EU-only data residency and a signed Data Processing Agreement.

Affordable & transparent

Networking functions are included free, storage is a published €/GB-month, and annual commitments take 10% off. No per-feature surcharges, and no egress tax — the line item that quietly consumes 15–40% of a typical hyperscaler bill. Verify egress

Sustainable

Hosted in the Netherlands on 100% renewable solar energy, with server heat reused to warm nearby buildings and peak-shaving to ease grid congestion. Sustainability with a mechanism behind it, not a logo.

Overview

A managed cluster, not a managed cage

“Managed” describes who runs the cluster; “vanilla” describes what runs in it. We operate the control plane, the upgrades and the underlying plumbing so your platform team doesn’t babysit etcd at 3am — but everything we run is unmodified upstream Kubernetes, so nothing about the deal traps you here. Here is exactly where the line sits.

What GRN operates

Run and on-call for the platform layer — the undifferentiated heavy lifting.

  • HA control plane: API server, scheduler, controller-manager and etcd, patched and backed up
  • Managed version upgrades and security patching of nodes and the control plane
  • The CNI, MetalLB, ingress, storage (Ceph / OpenEBS) and backup (Velero) plumbing
  • Node provisioning, replacement of failed hardware and capacity on request
  • The 99.99% control-plane SLA, on dedicated tiers, with named senior engineers

What you operate

Standard Kubernetes, fully in your hands — with full cluster-admin.

  • Your workloads: Deployments, StatefulSets, Jobs, CRDs and Operators
  • Namespaces, RBAC bindings, network policies and resource quotas
  • Your GitOps pipeline (Argo CD / Flux), CI and image registry of choice
  • Application-level autoscaling, rollout strategy and observability dashboards
  • The decision to leave: export your manifests and walk, with no rewrite

The same stack underneath every tier. A vanilla cluster runs the identical cloud-native foundation as our Virtual Private Cloud and Dedicated Private Cloud — the only difference is the isolation and dedication of the compute beneath it. Run on shared-hardware VPC nodes, or on single-tenant bare-metal DPC nodes for regulated and high-security workloads. You are never re-platforming to move between them.

The problem

Why orchestration, and why it is hard to self-run

Kubernetes became the standard because it solves the operational problems every production platform eventually hits. Running it yourself, well, is a second full-time platform that has little to do with your product.

  • Scale without redesignAdd and shed capacity in response to load behind one declarative API, instead of bespoke provisioning scripts.
  • Survive failure automaticallyReschedule and self-heal across node and zone failure, so a dead host is an event, not an outage.
  • Ship without downtimeRoll out new versions with health-gated rollouts and instant rollback when a release misbehaves.
  • The control plane is the hard partetcd quorum, certificate rotation, version-skew rules and upgrades are where self-managed clusters break — this is exactly what we take off your hands.
  • One scheduler for the fleetPlace and connect thousands of containers across nodes by declared intent, not by hand.
  • Many services, one fabricWire microservices, datastores and queues together with service discovery, traffic policy and a service mesh.

Why vanilla

Why vanilla, and not a distribution

We run pure upstream Kubernetes — the same project EKS, AKS and GKE are built on — with no vendor-only control plane or proprietary resource types in the path. Lock-in rarely arrives as a contract clause; it arrives as a hundred small dependencies on one vendor’s APIs that you only notice the day you try to leave. Vanilla is how you never accrue them.

  • CNCF-conformant behaviourTargets the CNCF Certified Kubernetes conformance suite — standard APIs, standard behaviour, the portability badge itself. Confirm cert
  • No proprietary APIsNo vendor-only CRDs or custom control plane to learn now and unwind later. Your YAML is the same YAML everywhere.
  • Migration is a re-point, not a rebuildManifests, Helm charts and Operators move on or off any conformant cluster — you change a kube-context, not your architecture.
  • Portable by constructionIndependence is the default, not a paid “exit” feature. You are never trapped on one provider.
  • The whole CNCF landscape runsService meshes, operators, observability and GitOps from the ecosystem all install and behave as upstream expects.
  • Transferable skillsYour team’s existing kubectl, Helm and GitOps muscle memory transfers intact — nothing new to certify on.

Portability is now a legal requirement, not just good practice. The EU Data Act (applicable 12 September 2025) mandates cloud switching and data portability and phases out egress/switching fees by January 2027. Conformant, upstream Kubernetes is the technical answer regulators are pointing at: a standard, exportable platform you can move without re-engineering.

How it works

Platform architecture

A layered, cloud-native stack — standard upstream Kubernetes on top, dedicated renewable-powered hosts at the bottom. Every layer is a portable, named component you could reproduce elsewhere; none of it is a black box you can only run here.

Applications & WorkloadsYour containers

Containers, manifests, Helm charts, Operators and GitOps pipelines — deployed via kubectl, CI/CD or Argo CD / Flux against the standard API.

Kubernetes Control PlaneManaged · HA · etcd quorum

A managed, highly available upstream control plane — API server, scheduler, controller-manager and a 3-node etcd quorum — handling scheduling, RBAC, autoscaling and self-healing. Patched and upgraded by us.

Networking FabricCNI · MetalLB · ingress · Submariner

Software-defined networking: a CNI for pod networking and NetworkPolicy, MetalLB for bare-metal LoadBalancer services, standard ingress, optional Istio mesh and Submariner for cross-cluster VPN — included free.

Storage LayerRook Ceph · OpenEBS NVMe · Velero

Block, file and S3 object storage on Ceph; local NVMe via OpenEBS for latency-sensitive workloads; volume snapshots and Velero backup with cross-region replication.

Compute & HostsNetherlands · 100% renewable

Worker nodes on EU-owned hosts in the Netherlands — shared-hardware (VPC) or single-tenant bare-metal (DPC) — powered by 100% renewable solar with server-heat reuse.

Every layer uses standard, portable components — nothing proprietary you cannot reproduce on another conformant Kubernetes.

Control plane & nodes

The control plane is ours; the cluster is yours

The control plane is the part of Kubernetes that is genuinely hard to run well — and the part you should never have to think about. The worker nodes are where your decisions live.

Highly available control plane

Redundant control-plane nodes with a 3-member etcd quorum and automated leader failover. We patch the API server, rotate certificates and back up etcd — you never touch a master node. Backed by an SLA of up to 99.99% on dedicated tiers.

Worker node pools

Independently-sized pools for different workload classes — CPU-bound, memory-bound, GPU or real-time — on shared-hardware VPC nodes or single-tenant bare-metal DPC nodes. Taints, labels and topology are yours to set.

Worker instance families

The same instance families as the rest of the platform — pick per node pool.

Compute optimised cx1

1–32 vCPU, high clock — for CI runners, API backends and CPU-bound services.

Memory optimised m1

Up to 256 GB RAM — for in-memory datastores, caches and JVM-heavy estates.

Network optimised n1

4–64 vCPU with high throughput — for ingress tiers, proxies and service mesh.

Universal purpose o1

0.5–128 GB, balanced — the default pool for mixed microservice workloads.

GPU nodes Optional

NVIDIA-accelerated workers for AI/ML training and inference via OpenDataHub, within EU data residency.

ARM nodes Pending validation

Power-efficient ARM worker pools.

Scaling, stated honestly. Pods scale on CPU, memory or custom metrics with the standard Horizontal Pod Autoscaler, available today. Node-level cluster autoscaling — adding and removing worker nodes automatically as scheduling demand changes — is Pending validation; for now, capacity changes are handled on request, fast. Ask us about current behaviour for your cluster.

Networking

Networking — built in, and free

Every networking function below is implemented with a standard, named component and included at no extra charge. There is no per-feature surcharge and no cross-AZ tax — the bill items that distort hyperscaler Kubernetes economics.

Function Implementation Price
Pod networking & policy CNI plugin (NetworkPolicy default-deny capable) Included
Load balancing MetalLB (Layer 2 / BGP) Included
Ingress / HTTP routing Standard Ingress + Gateway API, TLS via cert-manager Included
Service mesh Optional Istio (mTLS, traffic policy, telemetry) Included
DNS CoreDNS in-cluster, External-DNS for public records Included
NAT / egress Egress IP / egress router Included
Site-to-site & cross-cluster VPN Submariner Included
Private subnets / segmentation Network attachments + NetworkPolicy Included
Public / floating IPv4 MetalLB-advertised address € 3.00 / mo
BYO-IP / BYO-ASN (BGP) MetalLB BGP peering € 50.00 / mo
Data egress No per-GB metering Verify No egress tax

Dual-stack IPv4 / IPv6 throughout. Prices in EUR, ex VAT; 10% discount on annual commitment. Verify current rates on the pricing page before quoting.

Storage

Persistent storage & data services

Dynamically-provisioned PersistentVolumes through standard CSI drivers — portable storage classes you could re-create on any cluster. Software-defined on Ceph and OpenEBS, billed transparently per GB-month.

Storage class Implementation (CSI) Best for Price
Local NVMe OpenEBS LocalVolume Latency-sensitive — databases, brokers € 0.044 / GB-mo
Block (RWO) Rook Ceph RBD General-purpose persistent volumes € 0.044 / GB-mo
Shared file (RWX) Rook Ceph FS Shared volumes across pods € 0.044 / GB-mo
S3 object Ceph ObjectBucketClaim Artifacts, backups, data lakes € 0.044 / GB-mo
Cross-region replication Ceph VolumeReplication Geo-redundancy / DR € 0.0465 / GB-mo
Backup & snapshots Velero + CSI snapshots Scheduled backup to meet RPO/RTO € 0.008 / GB-mo

All classes are dynamically provisioned and expandable. NVMe-oF with configurable IOPS available on dedicated tiers. Prices ex VAT; verify on the pricing page before quoting.

Security & identity

Security through standard primitives, layered

Security is enforced across identity, network, workload and data — using the Kubernetes primitives your team already audits against, not proprietary bolt-ons that only we understand. Defence in depth, with nothing you have to take on trust.

  • RBAC across clusters, namespaces and resources, with full audit logging
  • Identity integration via OAuth / OIDC — bring your own IdP
  • Kubernetes Secrets with encryption at rest; external secret stores supported
  • TLS everywhere, issued and rotated automatically via cert-manager
  • Default-deny micro-segmentation with standard NetworkPolicy
  • Pod Security Standards enforced at the namespace level
  • Image & supply-chain scanning Pending validation
  • Private clusters with no public API exposure Pending validation
  • Audit logging of privileged and API actions
  • Hardware & kernel isolation on single-tenant DPC node pools

On compliance, the honest version. The platform runs under EU-only data residency with a signed DPA and no US Cloud Act exposure, which is the substantive part of most regulated requirements. We will support PCI-DSS and HIPAA-aligned deployments on dedicated, isolated infrastructure — but we do not claim certifications we do not hold. Tell us your compliance scope and we will tell you precisely what we can and cannot attest to.

Day-2 operations

Cluster lifecycle, managed end to end

The interesting question about a managed cluster is not day one — it is day two: who owns the upgrade that could break your CRDs, and what happens when a node dies at the weekend. Here is the lifecycle we operate.

01

Provision

A right-sized cluster — control plane plus your initial node pools — on VPC or DPC substrate, API-reachable in minutes.

02

Operate

You ship via kubectl and GitOps; we keep the control plane healthy, patched and backed up underneath you.

03

Upgrade

Managed minor-version upgrades that respect version-skew rules, staged control-plane-then-nodes, coordinated with you.

04

Scale

Grow node pools on demand, add GPU or memory-optimised pools, or move workloads to dedicated nodes — no rebuild.

05

Recover & exit

Velero backup and DR to your RPO/RTO — and, whenever you choose, a clean export to any conformant cluster.

Upgrades, the way they should work. We track upstream’s supported version window (current minor back to N−2) and apply security patches as they land. Minor-version upgrades are scheduled with you, run control-plane-first to honour the kubelet version-skew policy, and are reversible at the workload layer through your GitOps history. You are never silently force-upgraded into a release your Operators haven’t certified against. Confirm cadence

Operations

Observability, backup & disaster recovery

A cluster you cannot see into is a liability. Baseline platform observability is wired in; bring your own stack on top, since it is all standard.

Metrics & monitoring

Cluster, node and workload metrics through a Prometheus-compatible pipeline that also feeds the HPA — one source of truth for dashboards and autoscaling. Name stack

Centralised logging

Aggregated logs across every namespace and workload for search and retention — with alerting on cluster, node and workload conditions. Name stack

Backup & disaster recovery

Scheduled Velero backups, CSI volume snapshots and cross-region replication to meet your RPO/RTO targets. Backup storage is €0.008/GB-month; replication €0.0465/GB-month.

Run your own Prometheus, Grafana, Loki or OpenTelemetry collector alongside the platform baseline — the API is standard, so your existing observability stack works unchanged.

Ecosystem

Supported ecosystem — honestly bucketed

Because the clusters are pure upstream Kubernetes, the whole CNCF landscape runs on them. We separate what we actually provide and operate from what is simply compatible and run by you — so you know exactly what is and isn’t on our pager.

Provided & operated by GRN

Wired in and run as part of the managed platform.

Rook Ceph logoRook Ceph
OpenEBS logoOpenEBS
MetalLB logoMetalLB
cert-manager logocert-manager
External-DNS logoExternal-DNS
Velero logoVelero
Submariner logoSubmariner
Istio logoIstio Optional

Compatible / customer-installed

Run on the cluster and operated by you, unless contracted as a managed add-on.

Helm logoHelm
Argo CD logoArgo CD
Flux logoFlux
Prometheus logoPrometheus
Grafana logoGrafana
Linkerd logoLinkerd
Harbor logoHarbor
Longhorn logoLonghorn
ingress-nginx logoingress-nginx
Traefik logoTraefik
OpenTelemetry logoOpenTelemetry

How it compares

Against the hyperscalers, on the axes that matter

An objective capability comparison against the major managed-Kubernetes services and against running it yourself. Subjective claims (“faster”, “simpler”) are left out — only things you can check.

Capability GRN.CLOUD Vanilla K8s Amazon EKS Azure AKS Google GKE Self-hosted
Upstream / CNCF-conformant Yes (pure upstream) ~ vendor add-ons ~ vendor add-ons ~ vendor add-ons Yes
Vendor lock-in None / portable ~ ecosystem pull ~ ecosystem pull ~ ecosystem pull None
Standard K8s API Yes Yes Yes Yes Yes
Pricing transparency Published €/GB, flat tiers ~ complex ~ complex ~ complex Your cost
Egress / cross-AZ fees Networking included Verify Per-GB + cross-AZ Per-GB + cross-AZ Per-GB + cross-AZ Your cost
Infrastructure control High ~ abstracted ~ abstracted ~ abstracted Total
Genuine EU sovereignty (non-US-owned) Yes (Netherlands) US-owned US-owned US-owned Depends on your DC
Control-plane SLA Up to 99.99% 99.95% / 99.99% 99.95% (with AZs) 99.95% (regional) You operate it
Single-tenant bare-metal option Yes (DPC nodes) ~ dedicated hosts ~ dedicated hosts ~ sole-tenant Yes
100% renewable-powered Yes ~ varies by region ~ varies by region ~ varies by region Depends on your DC
Enterprise support Add-on, named engineers Review Paid tiers Paid tiers Paid tiers DIY / 3rd-party

Compiled from public product & pricing pages, June 2026; competitor features change — verify before quoting. Yes = supported, ~ = partial/conditional, No = not available.

Specifications

Technical specifications

The detail a platform engineer actually evaluates. Items tagged for review are confirmed against a live cluster before publishing — we would rather leave a value open than print one we cannot stand behind.

  • DistributionUpstream Kubernetes, CNCF-conformant Confirm build
  • Kubernetes versionsUpstream supported window, N to N−2 Confirm
  • Control-plane topology3-node HA, etcd quorum, managed kube-apiserver
  • Container runtimecontainerd / CRI-O (CRI-conformant) Confirm
  • CNICNI-conformant (e.g. Cilium / Calico) Confirm default
  • CSIRook Ceph (RBD / FS / RGW), OpenEBS local NVMe
  • Load balancingMetalLB (Layer 2 / BGP)
  • IngressStandard Ingress + Gateway API, cert-manager TLS
  • Storage classesNVMe local, Ceph block / file / S3
  • NetworkingDual-stack IPv4 / IPv6, NetworkPolicy, Submariner VPN
  • Backup / DRVelero, CSI snapshots, cross-region replication
  • Node familiescx1 / m1 / n1 / o1 / rt1, GPU optional
  • TenancyShared-HW (VPC) or single-tenant bare-metal (DPC)
  • API accessFull standard Kubernetes API + REST & GitOps automation
  • Control-plane SLAUp to 99.99% (tier-dependent)
  • RegionNetherlands (EU), 100% renewable-powered

Use cases

What teams build on it

Each of these is well-served because it is standard Kubernetes — the same patterns you would run anywhere, on infrastructure that happens to be sovereign and renewable.

SaaS platforms

Multi-tenant products needing elastic scaling, zero-downtime releases and EU data residency for their own regulated customers.

AI & machine learning

GPU-backed training and inference on NVIDIA nodes via OpenDataHub, with training data kept inside the EU.

Microservices

Service-mesh-ready estates with discovery, mTLS, traffic policy and per-service observability.

Internal developer platforms

A golden-path IDP for product teams — self-service namespaces, templates and GitOps on a shared, governed cluster.

CI/CD & build platforms

Pipelines running as containerised workloads on on-demand cx1 capacity, isolated per team by namespace and quota.

Data & event streaming

Stateful brokers and stream processors on durable NVMe with elastic worker pools and persistent volumes.

API platforms

Gateway-fronted backends with rate limiting, mTLS and horizontal autoscaling on standard ingress.

MSP / multi-cluster fleets

Resell or operate fleets of isolated clusters for your own customers, federated with Submariner across regions.

Regulated workloads

Finance, healthcare and government platforms on EU-sovereign, single-tenant infrastructure with a signed DPA — subject to your compliance scope. Review

FAQ

The questions an engineer actually asks

What exactly is “vanilla” Kubernetes here?
Pure upstream Kubernetes as released by the community — no proprietary control plane and no vendor-only resource types in the path. It is the same Kubernetes EKS, AKS and GKE are built on, so behaviour, APIs and tooling are standard and fully portable.
What’s the difference between “managed” and “vanilla”?
They answer different questions. “Managed” is who runs it — we operate the control plane, HA, upgrades and the underlying plumbing. “Vanilla” is what runs — unmodified upstream Kubernetes. You get both at once: a managed service that adds zero proprietary surface.
Where is the line between what you manage and what I manage?
We own the control plane, node provisioning, upgrades, security patching and the storage/networking/backup plumbing, under SLA. You own your workloads, namespaces, RBAC, network policies, GitOps pipeline and application autoscaling — with full cluster-admin. Anything on our pager is listed explicitly in the “What GRN operates” panel above.
Can I migrate from EKS, AKS or GKE?
Yes. Because all of them run conformant Kubernetes, your manifests, Helm charts and Operators move across with minimal change — you re-point pipelines at the new cluster and re-create storage and ingress with the equivalent standard resources. It is a re-point, not a re-architecture.
How are upgrades handled, and can you force one on me?
We track upstream’s supported window (current minor to N−2) and apply security patches as they land. Minor-version upgrades are scheduled with you, run control-plane-first to honour version-skew rules, and never silently push you onto a release your Operators haven’t certified against. Confirm cadence
Will I get locked in?
No — that is the entire point of running vanilla. There are no proprietary APIs to unwind. Export your manifests and run them on any conformant Kubernetes. The EU Data Act now makes that switching capability a legal requirement, not a courtesy.
Do Helm, Operators and GitOps just work?
Yes. Helm charts and release workflows run unchanged; standard Operators install and reconcile normally; and Argo CD or Flux work against the standard API — the clusters are GitOps-ready out of the box. These run as your components, on your side of the line.
Is it CNCF-certified?
The clusters run upstream Kubernetes and target CNCF Certified Kubernetes conformance — the guarantee that the same workloads run on any other conformant cluster. Confirm cert
How does scaling work — pods and nodes?
Pods scale on CPU, memory or custom metrics with the standard Horizontal Pod Autoscaler, today. Node-level cluster autoscaling is Pending validation; until it is confirmed, capacity is added on request, quickly. Ask us about current behaviour for your cluster.
Can I bring my own container registry?
Yes. Pull from any standard OCI registry — your own Harbor, a hyperscaler registry or a public one — with standard image pull secrets. Nothing forces you onto a GRN registry.
Is GPU supported?
Yes. Optional NVIDIA GPU worker pools are available for AI/ML training and inference via OpenDataHub, all within EU data residency.
What about private networking and private clusters?
Private subnets, NAT egress and site-to-site / cross-cluster VPN via Submariner are included free. Fully private clusters with no public API exposure are Pending validation — ask us where that stands for your deployment.
How is backup and disaster recovery handled?
Scheduled Velero backups, CSI volume snapshots and cross-region replication, sized to your RPO/RTO targets. Backup storage is €0.008/GB-month and cross-region replication €0.0465/GB-month.
What is the SLA?
The control-plane SLA scales with tier, up to a contractual 99.99% on dedicated infrastructure — backed by redundant control-plane nodes, an etcd quorum and NVMe-oF storage with configurable IOPS.
How does pricing work — and is there an egress charge?
Networking functions (firewall, load balancer, ingress, TLS, DNS, NAT, VPN) are included free; storage is €0.044/GB-month and backup €0.008/GB-month, with 10% off on annual commitment. There is no per-GB egress tax. Verify egress
Is it really sovereign, or “sovereignty-washing”?
Genuinely EU-owned infrastructure under Dutch jurisdiction — not a US hyperscaler’s “European region”, which remains subject to the US Cloud Act regardless of where the bytes live. EU-only residency, a signed DPA, and no US ownership in the chain.

Run production Kubernetes on a sovereign, renewable cloud.

Deploy upstream, CNCF-conformant clusters with a managed HA control plane — or talk to our engineers about migrating your existing EKS, AKS or GKE workloads without re-architecting.

100% renewable energy · EU data residency · No US Cloud Act exposure · No vendor lock-in