Enterprise Kubernetes you can’t be locked into — or locked out of.
A fully managed, upstream CNCF-conformant Kubernetes cluster — the EKS, AKS and GKE experience, with nothing proprietary layered on top. We run the highly available control plane, the upgrades and the storage, networking, observability and backup plumbing. You keep standard kubectl, Helm and GitOps, and the freedom to move your workloads to any conformant cluster on the day you choose. EU-owned, in the Netherlands, on 100% renewable power.
Managed Kubernetes Cluster
Managed HA control plane · up to 99.99% SLA
- DistributionUpstream Kubernetes, CNCF-conformant
- Control planeManaged, 3-node HA (etcd quorum)
- Version policyTracks upstream supported (N to N−2)
- Worker nodescx1 / m1 / n1 / o1 pools · GPU optional
- StorageLocal NVMe + Ceph (block / file / S3)
- NetworkingCNI + MetalLB — included free
- TenancyVPC (shared HW) or DPC (bare-metal)
Standard kubectl, Helm & GitOps
EU-owned — Netherlands
SLA up to 99.99%
100% renewable-powered
Built on three guarantees
The same three guarantees behind every GRN product — here, applied to a raw managed cluster. They are the things a hyperscaler cannot match on all three axes at once.
Sovereign & Secure
EU-owned infrastructure under Dutch jurisdiction — not a US hyperscaler’s “European region”, which stays subject to the US Cloud Act regardless of where the data sits. No Cloud Act exposure, EU-only data residency and a signed Data Processing Agreement.
Affordable & transparent
Networking functions are included free, storage is a published €/GB-month, and annual commitments take 10% off. No per-feature surcharges, and no egress tax — the line item that quietly consumes 15–40% of a typical hyperscaler bill. Verify egress
Sustainable
Hosted in the Netherlands on 100% renewable solar energy, with server heat reused to warm nearby buildings and peak-shaving to ease grid congestion. Sustainability with a mechanism behind it, not a logo.
A managed cluster, not a managed cage
“Managed” describes who runs the cluster; “vanilla” describes what runs in it. We operate the control plane, the upgrades and the underlying plumbing so your platform team doesn’t babysit etcd at 3am — but everything we run is unmodified upstream Kubernetes, so nothing about the deal traps you here. Here is exactly where the line sits.
What GRN operates
Run and on-call for the platform layer — the undifferentiated heavy lifting.
- HA control plane: API server, scheduler, controller-manager and etcd, patched and backed up
- Managed version upgrades and security patching of nodes and the control plane
- The CNI, MetalLB, ingress, storage (Ceph / OpenEBS) and backup (Velero) plumbing
- Node provisioning, replacement of failed hardware and capacity on request
- The 99.99% control-plane SLA, on dedicated tiers, with named senior engineers
What you operate
Standard Kubernetes, fully in your hands — with full cluster-admin.
- Your workloads: Deployments, StatefulSets, Jobs, CRDs and Operators
- Namespaces, RBAC bindings, network policies and resource quotas
- Your GitOps pipeline (Argo CD / Flux), CI and image registry of choice
- Application-level autoscaling, rollout strategy and observability dashboards
- The decision to leave: export your manifests and walk, with no rewrite
The same stack underneath every tier. A vanilla cluster runs the identical cloud-native foundation as our Virtual Private Cloud and Dedicated Private Cloud — the only difference is the isolation and dedication of the compute beneath it. Run on shared-hardware VPC nodes, or on single-tenant bare-metal DPC nodes for regulated and high-security workloads. You are never re-platforming to move between them.
Why orchestration, and why it is hard to self-run
Kubernetes became the standard because it solves the operational problems every production platform eventually hits. Running it yourself, well, is a second full-time platform that has little to do with your product.
- Scale without redesignAdd and shed capacity in response to load behind one declarative API, instead of bespoke provisioning scripts.
- Survive failure automaticallyReschedule and self-heal across node and zone failure, so a dead host is an event, not an outage.
- Ship without downtimeRoll out new versions with health-gated rollouts and instant rollback when a release misbehaves.
- The control plane is the hard partetcd quorum, certificate rotation, version-skew rules and upgrades are where self-managed clusters break — this is exactly what we take off your hands.
- One scheduler for the fleetPlace and connect thousands of containers across nodes by declared intent, not by hand.
- Many services, one fabricWire microservices, datastores and queues together with service discovery, traffic policy and a service mesh.
Why vanilla, and not a distribution
We run pure upstream Kubernetes — the same project EKS, AKS and GKE are built on — with no vendor-only control plane or proprietary resource types in the path. Lock-in rarely arrives as a contract clause; it arrives as a hundred small dependencies on one vendor’s APIs that you only notice the day you try to leave. Vanilla is how you never accrue them.
- CNCF-conformant behaviourTargets the CNCF Certified Kubernetes conformance suite — standard APIs, standard behaviour, the portability badge itself. Confirm cert
- No proprietary APIsNo vendor-only CRDs or custom control plane to learn now and unwind later. Your YAML is the same YAML everywhere.
- Migration is a re-point, not a rebuildManifests, Helm charts and Operators move on or off any conformant cluster — you change a kube-context, not your architecture.
- Portable by constructionIndependence is the default, not a paid “exit” feature. You are never trapped on one provider.
- The whole CNCF landscape runsService meshes, operators, observability and GitOps from the ecosystem all install and behave as upstream expects.
- Transferable skillsYour team’s existing
kubectl, Helm and GitOps muscle memory transfers intact — nothing new to certify on.
Portability is now a legal requirement, not just good practice. The EU Data Act (applicable 12 September 2025) mandates cloud switching and data portability and phases out egress/switching fees by January 2027. Conformant, upstream Kubernetes is the technical answer regulators are pointing at: a standard, exportable platform you can move without re-engineering.
Platform architecture
A layered, cloud-native stack — standard upstream Kubernetes on top, dedicated renewable-powered hosts at the bottom. Every layer is a portable, named component you could reproduce elsewhere; none of it is a black box you can only run here.
Containers, manifests, Helm charts, Operators and GitOps pipelines — deployed via kubectl, CI/CD or Argo CD / Flux against the standard API.
A managed, highly available upstream control plane — API server, scheduler, controller-manager and a 3-node etcd quorum — handling scheduling, RBAC, autoscaling and self-healing. Patched and upgraded by us.
Software-defined networking: a CNI for pod networking and NetworkPolicy, MetalLB for bare-metal LoadBalancer services, standard ingress, optional Istio mesh and Submariner for cross-cluster VPN — included free.
Block, file and S3 object storage on Ceph; local NVMe via OpenEBS for latency-sensitive workloads; volume snapshots and Velero backup with cross-region replication.
Worker nodes on EU-owned hosts in the Netherlands — shared-hardware (VPC) or single-tenant bare-metal (DPC) — powered by 100% renewable solar with server-heat reuse.
Every layer uses standard, portable components — nothing proprietary you cannot reproduce on another conformant Kubernetes.
The control plane is ours; the cluster is yours
The control plane is the part of Kubernetes that is genuinely hard to run well — and the part you should never have to think about. The worker nodes are where your decisions live.
Highly available control plane
Redundant control-plane nodes with a 3-member etcd quorum and automated leader failover. We patch the API server, rotate certificates and back up etcd — you never touch a master node. Backed by an SLA of up to 99.99% on dedicated tiers.
Worker node pools
Independently-sized pools for different workload classes — CPU-bound, memory-bound, GPU or real-time — on shared-hardware VPC nodes or single-tenant bare-metal DPC nodes. Taints, labels and topology are yours to set.
Worker instance families
The same instance families as the rest of the platform — pick per node pool.
Compute optimised cx1
1–32 vCPU, high clock — for CI runners, API backends and CPU-bound services.
Memory optimised m1
Up to 256 GB RAM — for in-memory datastores, caches and JVM-heavy estates.
Network optimised n1
4–64 vCPU with high throughput — for ingress tiers, proxies and service mesh.
Universal purpose o1
0.5–128 GB, balanced — the default pool for mixed microservice workloads.
GPU nodes Optional
NVIDIA-accelerated workers for AI/ML training and inference via OpenDataHub, within EU data residency.
ARM nodes Pending validation
Power-efficient ARM worker pools.
Scaling, stated honestly. Pods scale on CPU, memory or custom metrics with the standard Horizontal Pod Autoscaler, available today. Node-level cluster autoscaling — adding and removing worker nodes automatically as scheduling demand changes — is Pending validation; for now, capacity changes are handled on request, fast. Ask us about current behaviour for your cluster.
Networking — built in, and free
Every networking function below is implemented with a standard, named component and included at no extra charge. There is no per-feature surcharge and no cross-AZ tax — the bill items that distort hyperscaler Kubernetes economics.
| Function | Implementation | Price |
|---|---|---|
| Pod networking & policy | CNI plugin (NetworkPolicy default-deny capable) |
Included |
| Load balancing | MetalLB (Layer 2 / BGP) | Included |
| Ingress / HTTP routing | Standard Ingress + Gateway API, TLS via cert-manager | Included |
| Service mesh Optional | Istio (mTLS, traffic policy, telemetry) | Included |
| DNS | CoreDNS in-cluster, External-DNS for public records | Included |
| NAT / egress | Egress IP / egress router | Included |
| Site-to-site & cross-cluster VPN | Submariner | Included |
| Private subnets / segmentation | Network attachments + NetworkPolicy | Included |
| Public / floating IPv4 | MetalLB-advertised address | € 3.00 / mo |
| BYO-IP / BYO-ASN (BGP) | MetalLB BGP peering | € 50.00 / mo |
| Data egress | No per-GB metering Verify | No egress tax |
Dual-stack IPv4 / IPv6 throughout. Prices in EUR, ex VAT; 10% discount on annual commitment. Verify current rates on the pricing page before quoting.
Persistent storage & data services
Dynamically-provisioned PersistentVolumes through standard CSI drivers — portable storage classes you could re-create on any cluster. Software-defined on Ceph and OpenEBS, billed transparently per GB-month.
| Storage class | Implementation (CSI) | Best for | Price |
|---|---|---|---|
| Local NVMe | OpenEBS LocalVolume | Latency-sensitive — databases, brokers | € 0.044 / GB-mo |
| Block (RWO) | Rook Ceph RBD | General-purpose persistent volumes | € 0.044 / GB-mo |
| Shared file (RWX) | Rook Ceph FS | Shared volumes across pods | € 0.044 / GB-mo |
| S3 object | Ceph ObjectBucketClaim |
Artifacts, backups, data lakes | € 0.044 / GB-mo |
| Cross-region replication | Ceph VolumeReplication |
Geo-redundancy / DR | € 0.0465 / GB-mo |
| Backup & snapshots | Velero + CSI snapshots | Scheduled backup to meet RPO/RTO | € 0.008 / GB-mo |
All classes are dynamically provisioned and expandable. NVMe-oF with configurable IOPS available on dedicated tiers. Prices ex VAT; verify on the pricing page before quoting.
Security through standard primitives, layered
Security is enforced across identity, network, workload and data — using the Kubernetes primitives your team already audits against, not proprietary bolt-ons that only we understand. Defence in depth, with nothing you have to take on trust.
- RBAC across clusters, namespaces and resources, with full audit logging
- Identity integration via OAuth / OIDC — bring your own IdP
- Kubernetes Secrets with encryption at rest; external secret stores supported
- TLS everywhere, issued and rotated automatically via cert-manager
- Default-deny micro-segmentation with standard NetworkPolicy
- Pod Security Standards enforced at the namespace level
- Image & supply-chain scanning Pending validation
- Private clusters with no public API exposure Pending validation
- Audit logging of privileged and API actions
- Hardware & kernel isolation on single-tenant DPC node pools
On compliance, the honest version. The platform runs under EU-only data residency with a signed DPA and no US Cloud Act exposure, which is the substantive part of most regulated requirements. We will support PCI-DSS and HIPAA-aligned deployments on dedicated, isolated infrastructure — but we do not claim certifications we do not hold. Tell us your compliance scope and we will tell you precisely what we can and cannot attest to.
Cluster lifecycle, managed end to end
The interesting question about a managed cluster is not day one — it is day two: who owns the upgrade that could break your CRDs, and what happens when a node dies at the weekend. Here is the lifecycle we operate.
Provision
A right-sized cluster — control plane plus your initial node pools — on VPC or DPC substrate, API-reachable in minutes.
Operate
You ship via kubectl and GitOps; we keep the control plane healthy, patched and backed up underneath you.
Upgrade
Managed minor-version upgrades that respect version-skew rules, staged control-plane-then-nodes, coordinated with you.
Scale
Grow node pools on demand, add GPU or memory-optimised pools, or move workloads to dedicated nodes — no rebuild.
Recover & exit
Velero backup and DR to your RPO/RTO — and, whenever you choose, a clean export to any conformant cluster.
Upgrades, the way they should work. We track upstream’s supported version window (current minor back to N−2) and apply security patches as they land. Minor-version upgrades are scheduled with you, run control-plane-first to honour the kubelet version-skew policy, and are reversible at the workload layer through your GitOps history. You are never silently force-upgraded into a release your Operators haven’t certified against. Confirm cadence
Observability, backup & disaster recovery
A cluster you cannot see into is a liability. Baseline platform observability is wired in; bring your own stack on top, since it is all standard.
Metrics & monitoring
Cluster, node and workload metrics through a Prometheus-compatible pipeline that also feeds the HPA — one source of truth for dashboards and autoscaling. Name stack
Centralised logging
Aggregated logs across every namespace and workload for search and retention — with alerting on cluster, node and workload conditions. Name stack
Backup & disaster recovery
Scheduled Velero backups, CSI volume snapshots and cross-region replication to meet your RPO/RTO targets. Backup storage is €0.008/GB-month; replication €0.0465/GB-month.
Run your own Prometheus, Grafana, Loki or OpenTelemetry collector alongside the platform baseline — the API is standard, so your existing observability stack works unchanged.
Supported ecosystem — honestly bucketed
Because the clusters are pure upstream Kubernetes, the whole CNCF landscape runs on them. We separate what we actually provide and operate from what is simply compatible and run by you — so you know exactly what is and isn’t on our pager.
Provided & operated by GRN
Wired in and run as part of the managed platform.
Compatible / customer-installed
Run on the cluster and operated by you, unless contracted as a managed add-on.
Against the hyperscalers, on the axes that matter
An objective capability comparison against the major managed-Kubernetes services and against running it yourself. Subjective claims (“faster”, “simpler”) are left out — only things you can check.
| Capability | GRN.CLOUD Vanilla K8s | Amazon EKS | Azure AKS | Google GKE | Self-hosted |
|---|---|---|---|---|---|
| Upstream / CNCF-conformant | Yes (pure upstream) | ~ vendor add-ons | ~ vendor add-ons | ~ vendor add-ons | Yes |
| Vendor lock-in | None / portable | ~ ecosystem pull | ~ ecosystem pull | ~ ecosystem pull | None |
| Standard K8s API | Yes | Yes | Yes | Yes | Yes |
| Pricing transparency | Published €/GB, flat tiers | ~ complex | ~ complex | ~ complex | Your cost |
| Egress / cross-AZ fees | Networking included Verify | Per-GB + cross-AZ | Per-GB + cross-AZ | Per-GB + cross-AZ | Your cost |
| Infrastructure control | High | ~ abstracted | ~ abstracted | ~ abstracted | Total |
| Genuine EU sovereignty (non-US-owned) | Yes (Netherlands) | US-owned | US-owned | US-owned | Depends on your DC |
| Control-plane SLA | Up to 99.99% | 99.95% / 99.99% | 99.95% (with AZs) | 99.95% (regional) | You operate it |
| Single-tenant bare-metal option | Yes (DPC nodes) | ~ dedicated hosts | ~ dedicated hosts | ~ sole-tenant | Yes |
| 100% renewable-powered | Yes | ~ varies by region | ~ varies by region | ~ varies by region | Depends on your DC |
| Enterprise support | Add-on, named engineers Review | Paid tiers | Paid tiers | Paid tiers | DIY / 3rd-party |
Compiled from public product & pricing pages, June 2026; competitor features change — verify before quoting. Yes = supported, ~ = partial/conditional, No = not available.
Technical specifications
The detail a platform engineer actually evaluates. Items tagged for review are confirmed against a live cluster before publishing — we would rather leave a value open than print one we cannot stand behind.
- DistributionUpstream Kubernetes, CNCF-conformant Confirm build
- Kubernetes versionsUpstream supported window, N to N−2 Confirm
- Control-plane topology3-node HA, etcd quorum, managed
kube-apiserver - Container runtime
containerd/ CRI-O (CRI-conformant) Confirm - CNICNI-conformant (e.g. Cilium / Calico) Confirm default
- CSIRook Ceph (RBD / FS / RGW), OpenEBS local NVMe
- Load balancingMetalLB (Layer 2 / BGP)
- IngressStandard Ingress + Gateway API, cert-manager TLS
- Storage classesNVMe local, Ceph block / file / S3
- NetworkingDual-stack IPv4 / IPv6, NetworkPolicy, Submariner VPN
- Backup / DRVelero, CSI snapshots, cross-region replication
- Node families
cx1/m1/n1/o1/rt1, GPU optional - TenancyShared-HW (VPC) or single-tenant bare-metal (DPC)
- API accessFull standard Kubernetes API + REST & GitOps automation
- Control-plane SLAUp to 99.99% (tier-dependent)
- RegionNetherlands (EU), 100% renewable-powered
What teams build on it
Each of these is well-served because it is standard Kubernetes — the same patterns you would run anywhere, on infrastructure that happens to be sovereign and renewable.
SaaS platforms
Multi-tenant products needing elastic scaling, zero-downtime releases and EU data residency for their own regulated customers.
AI & machine learning
GPU-backed training and inference on NVIDIA nodes via OpenDataHub, with training data kept inside the EU.
Microservices
Service-mesh-ready estates with discovery, mTLS, traffic policy and per-service observability.
Internal developer platforms
A golden-path IDP for product teams — self-service namespaces, templates and GitOps on a shared, governed cluster.
CI/CD & build platforms
Pipelines running as containerised workloads on on-demand cx1 capacity, isolated per team by namespace and quota.
Data & event streaming
Stateful brokers and stream processors on durable NVMe with elastic worker pools and persistent volumes.
API platforms
Gateway-fronted backends with rate limiting, mTLS and horizontal autoscaling on standard ingress.
MSP / multi-cluster fleets
Resell or operate fleets of isolated clusters for your own customers, federated with Submariner across regions.
Regulated workloads
Finance, healthcare and government platforms on EU-sovereign, single-tenant infrastructure with a signed DPA — subject to your compliance scope. Review
The questions an engineer actually asks
What exactly is “vanilla” Kubernetes here?
What’s the difference between “managed” and “vanilla”?
Where is the line between what you manage and what I manage?
cluster-admin. Anything on our pager is listed explicitly in the “What GRN operates” panel above.Can I migrate from EKS, AKS or GKE?
How are upgrades handled, and can you force one on me?
Will I get locked in?
Do Helm, Operators and GitOps just work?
Is it CNCF-certified?
How does scaling work — pods and nodes?
Can I bring my own container registry?
Is GPU supported?
What about private networking and private clusters?
How is backup and disaster recovery handled?
What is the SLA?
How does pricing work — and is there an egress charge?
Is it really sovereign, or “sovereignty-washing”?
Run production Kubernetes on a sovereign, renewable cloud.
Deploy upstream, CNCF-conformant clusters with a managed HA control plane — or talk to our engineers about migrating your existing EKS, AKS or GKE workloads without re-architecting.
100% renewable energy · EU data residency · No US Cloud Act exposure · No vendor lock-in