// the find
clastix/kamaji
Kamaji is the Hosted Control Plane Manager for Kubernetes.
Kamaji runs Kubernetes control planes as pods inside a management cluster instead of on dedicated VMs, letting you operate hundreds of tenant clusters without hundreds of machines. It exposes `TenantControlPlane` and `Datastore` CRDs and integrates with Cluster API. The target audience is platform teams building managed Kubernetes offerings or dense multi-tenant environments.
1. The datastore abstraction is genuinely useful — you can back control planes with etcd, PostgreSQL, MySQL, or NATS via kine, and migrate between them live. That solves a real operational headache.
2. Konnectivity support is first-class, meaning worker nodes don't need to be routable from the control plane; you can put nodes behind NAT or on-prem while the control plane lives in the cloud.
3. kubeadm is used internally for cert management and bootstrapping, so the resulting clusters are vanilla upstream Kubernetes, not a fork — CNCF conformance tests pass.
4. The operator handles cert rotation automatically and reconciles drift in real time, including recovering from a deleted CoreDNS deployment.
1. The management cluster itself is a single point of failure for all tenant control planes — if your management cluster goes down, every tenant API server goes with it. The docs acknowledge this, but the operational story for management cluster DR is thin.
2. Worker node provisioning is entirely out of scope; Kamaji only handles the control plane. You still need a separate mechanism (Cluster API infra providers, bare metal tooling, etc.) to join nodes, which means the 'full cluster' story always involves at least two moving parts.
3. A Terraform provider is still an unchecked roadmap item, so IaC-first teams are stuck with Helm + kubectl or Crossplane workarounds.
4. The multi-datastore pooling feature exists, but automatic datastore assignment is still a roadmap item — you have to manually select a datastore per control plane, which doesn't scale well past a few dozen tenants without scripting around it.