You are viewing documentation for Cozystack next, which is currently in beta. For the latest stable version, see the v1.3 documentation.

Cozystack Platform Stack

All open-source components in the Cozystack platform stack (networking, storage, observability, databases, and managed services), with their licenses and technical descriptions.

Cozystack is composed entirely of open-source components, layered from the operating system up to user-facing managed services. This page describes each component, its role in the platform, and its upstream license.

Overview

Cozystack Architecture Layers

Components are organized by their role in the platform stack. Cozystack-maintained charts, CRDs, controllers, and application APIs are licensed under Apache-2.0 and are not listed individually below.

Operating system and Kubernetes runtime

Immutable Linux distribution built for Kubernetes nodes. Removes shell, SSH, and mutable filesystem layers to minimize the attack surface.

MPL-2.0

Container orchestration platform managing all Cozystack workloads. Both the management cluster and tenant clusters run on Kubernetes.

Apache-2.0

Cluster provisioning and virtualization

Deploys tenant Kubernetes control planes as pods in the management cluster. Enables multi-tenancy without dedicated control-plane VMs.

Apache-2.0

Declarative cluster lifecycle management via Kamaji and KubeVirt providers. Enables consistent, reproducible tenant cluster provisioning and upgrades.

Apache-2.0

Virtual machine management as native Kubernetes workloads. Powers Cozystack's VM service and tenant cluster worker nodes via CDI disk management.

Apache-2.0

Networking

eBPF-based CNI for pod networking and NetworkPolicy enforcement. Works alongside Kube-OVN for high-throughput, low-latency packet processing.

Apache-2.0

OVN-based virtual networking providing VPC isolation, floating IPs, and tenant network segmentation. Built on Open vSwitch technology.

Apache-2.0

Meta-CNI enabling pods to attach multiple network interfaces simultaneously. Used to connect KubeVirt VMs to secondary physical or VLAN-backed interfaces.

Apache-2.0

Bare-metal load balancer assigning external IPs to Kubernetes Services via ARP/NDP or BGP. Default load balancer for all platform and tenant services.

Apache-2.0

NGINX-based ingress controller for HTTP/HTTPS routing with TLS termination. Deployed as the default ingress controller across management and tenant clusters.

Apache-2.0

Standard Kubernetes Gateway API CRDs for role-oriented L4/L7 routing. Enables modern traffic management with compatible gateway controllers.

Apache-2.0

Cluster DNS server for service discovery and internal name resolution. Resolves cluster.local service names for all pod-to-service lookups.

Apache-2.0

Syncs Kubernetes Service and Ingress resources to external DNS providers automatically. Eliminates manual DNS record management for platform and tenant endpoints.

Apache-2.0

WireGuard-based mesh networking for clusters spanning multiple geographic locations. Creates encrypted tunnels for seamless cross-site pod-to-pod communication.

Apache-2.0

Load balancer controller for Hetzner dedicated hardware via the Robot API. Enables LoadBalancer-type Services on Hetzner bare-metal without Hetzner Cloud.

MIT

Storage and backup

DRBD-based replicated block storage managed by LINSTOR. Provisions persistent volumes with synchronous replication for VM disks and databases.

GPL-3.0; Apache-2.0

Distributed object storage backing the managed Bucket service. S3-compatible with O(1) disk read performance and no clustered filesystem dependency.

Apache-2.0

Backup and restore for Kubernetes clusters and persistent volumes. Stores backups in S3-compatible object storage for off-cluster retention.

Apache-2.0

CSI driver for mounting NFS shares as persistent volumes. Supports ReadWriteMany access mode required for multi-pod shared storage scenarios.

Apache-2.0

Manages the VolumeSnapshot lifecycle across all CSI drivers. Provides a consistent API for point-in-time storage snapshots and clone workflows.

Apache-2.0

Kubernetes-native API for provisioning S3-compatible object storage buckets. Used to provision SeaweedFS buckets for the managed Bucket service.

Apache-2.0

Lightweight web UI for S3-compatible object storage. Bundled with the managed Bucket service for bucket browsing and file management.

Apache-2.0

GitOps and platform automation

GitOps engine reconciling cluster state from Helm releases and Kustomizations. ControlPlane Flux Operator is AGPL-3.0; upstream controllers are Apache-2.0.

Apache-2.0; AGPL-3.0

Manages dedicated etcd clusters for tenant Kubernetes control planes. Handles member lifecycle, scaling, and backup-restore as Kubernetes reconciliation loops.

Apache-2.0

Automates TLS certificate issuance, renewal, and rotation. Integrates with ACME, internal PKI (OpenBao), and self-signed issuers.

Apache-2.0

Syncs secrets from external KMS (Vault, OpenBao, AWS, GCP) into Kubernetes Secrets. Enables GitOps secret management without storing values in Git.

Apache-2.0

Replicates Kubernetes Secrets across namespaces, keeping copies in sync. Used to propagate platform-level credentials to tenant namespaces.

Apache-2.0

Triggers rolling restarts when ConfigMaps or Secrets change. Ensures Deployments and StatefulSets pick up configuration updates without manual intervention.

Apache-2.0

iPXE boot and DHCP server for bare-metal node provisioning. Serves boot scripts enabling automated Talos Linux deployment on physical hardware.

Apache-2.0

Proxies traffic between a local dev machine and a remote Kubernetes cluster. Enables local debugging while accessing live remote cluster services.

Apache-2.0

Observability

Prometheus-compatible metrics storage and query engine. More memory-efficient than Prometheus at scale; exposes a PromQL-compatible API for Grafana.

Apache-2.0

Manages Grafana instances, dashboards, and data sources as Kubernetes CRDs. Provides a unified observability UI for platform operators and tenants.

Apache-2.0

Lightweight log forwarder running as a DaemonSet on every node. Collects platform and tenant workload logs with minimal CPU and memory overhead.

Apache-2.0

Generates Prometheus-format metrics about Kubernetes object state (deployments, pods, nodes, PVCs). Feeds cluster health data into VictoriaMetrics.

Apache-2.0

Exports system and hardware metrics (CPU, memory, disk, network) from each node as a DaemonSet. Feeds host telemetry into VictoriaMetrics.

Apache-2.0

CRDs for ServiceMonitor, PodMonitor, and PrometheusRule resources consumed by VictoriaMetrics. Provides a vendor-neutral monitoring target API.

Apache-2.0

Provides the Resource Metrics API for HPA and kubectl top. Aggregates kubelet-reported CPU and memory usage across cluster nodes.

Apache-2.0

Pod-to-pod connectivity checker deployed as a DaemonSet. Surfaces node-to-node network partition failures with metrics and a real-time visualization UI.

Apache-2.0

Autoscaling and resource management

Automatically right-sizes CPU and memory requests for pods based on observed usage. Eliminates manual resource tuning for platform and tenant workloads (chart: MIT).

Apache-2.0

Scales node pools based on pending pods or underutilized nodes. Enables cost-efficient elastic scaling of tenant Kubernetes clusters.

Apache-2.0

GPU and accelerators

Manages the full lifecycle of NVIDIA GPU drivers, device plugins, and runtimes on Kubernetes nodes. Enables AI/ML and LLM inference workloads without per-node manual setup.

Apache-2.0

GPU sharing and fractional scheduling for Kubernetes. Allows multiple workloads to share a single GPU, maximizing utilization for LLM inference platforms.

Apache-2.0

Identity, registry, and secrets

OIDC and SAML identity provider for platform SSO. Secures the platform API, Grafana, Harbor, and tenant services with role-based access control.

Apache-2.0

CNCF-graduated OCI registry for container images and Helm charts. Provides RBAC, vulnerability scanning, content trust signing, and registry replication.

Apache-2.0

Open-source Vault fork for dynamic secrets, PKI management, and encrypted secret storage. Supports Kubernetes and OIDC authentication backends.

MPL-2.0

Managed database runtimes

Replicated relational database managed via CloudNativePG. Features automated failover, Barman-based backup scheduling, and connection pooling.

PostgreSQL License

MySQL-compatible replicated database managed via mariadb-operator. Supports Galera multi-primary replication and Restic-based backup scheduling.

GPL-2.0

Document-oriented NoSQL database deployed via Percona Operator. Supports replica sets, sharded clusters, and automated Percona backup.

SSPL-1.0

Column-oriented DBMS optimized for real-time analytics. Deployed via Altinity ClickHouse Operator with multi-shard distributed clusters.

Apache-2.0

Search and analytics engine managed via opensearch-k8s-operator. Provides full-text search, log aggregation, and an Elasticsearch-compatible query API.

Apache-2.0

High-performance vector database for similarity search and AI workloads. Supports dense and sparse vector embeddings for recommendation and semantic search.

Apache-2.0

Distributed database with strong ACID guarantees across the cluster, managed via FoundationDB Kubernetes Operator. Designed for extreme reliability at scale.

Apache-2.0

In-memory key-value store deployed as a replicated Sentinel cluster via Spotahome Redis Operator. Supports Redis 7.4 and Redis 8 for caching and pub/sub.

RSALv2 or SSPLv1 (7.x) / AGPLv3 (8.x)

Managed messaging and caching runtimes

Distributed event streaming platform managed via Strimzi Kafka Operator. Multi-broker clusters with configurable replication for event-driven architectures.

Apache-2.0

Lightweight pub-sub and request-reply messaging deployed via the official Helm chart. Low-latency, minimal-overhead messaging for microservices and IoT.

Apache-2.0

AMQP message broker managed via RabbitMQ Cluster Operator. Highly available clusters with quorum queues and fanout, topic, and direct exchange routing.

MPL-2.0; Apache-2.0 for some files

Managed networking services

Powers the managed HTTP Cache service with reverse-proxy caching and GeoIP filtering. Scales horizontally without a shared filesystem.

BSD-2-Clause

Enterprise TCP/HTTP load balancer powering the managed TCP Balancer and HTTP Cache. Provides active health checks and high-throughput connection handling.

GPL-2.0 with exceptions

GeoIP modules (IP2Location and IP2Proxy) bundled into the HTTP Cache. Enables country-based traffic filtering and proxy/VPN detection.

MIT

Shadowsocks-based VPN backend developed by Google's Jigsaw team. Manages Shadowsocks instances with symmetric encryption to resist DPI traffic analysis.

Apache-2.0