Take Kubernetes down to the metal
Bare metal, virtualization, networking, and operating system — unified under one cloud-native control plane.
Built for Enterprises, Cloud Providers, and AI Factories.
Three things hypervisor stacks can't give you.
kMetal is the distillation of years operating Kubernetes at scale. It removes the layers you don't need and unifies the ones you do.
No hypervisor. One team.
Bare metal plus Kubernetes-native virtualization collapses the platform / infrastructure divide. The team that runs Kubernetes runs the virtualization layer too — same API, same tools, same on-call rotation.
True multi-tenancy, not namespaces.
Independent clusters per tenant. Independent OVN networks per tenant. Resource quotas and policy enforcement applied at the boundary. Real isolation, the kind you can actually sell as a service.
Everything as Kubernetes — even the OS.
Build immutable OS artifacts declaratively as Kubernetes objects. No more Packer, no more Ansible, no more importers. The same declarative loop, end-to-end.
One control plane.
Every layer of the stack.
kMetal exposes the entire stack — from the OS image up to the tenant cluster — through a single Kubernetes-native API. No bolt-ons. No second operations plane. No glue scripts pretending to be infrastructure.
- kubectl apply, all the way down
- GitOps-native by default
- No proprietary CLI, no out-of-band consoles
Tenant clusters
Independent Kubernetes clusters, one per tenant. Isolated control plane, isolated network, isolated lifecycle.
Networking
Tenant VPCs. Logical networks, virtual routers, LoadBalancers. No shared L2 broadcast domain across tenants.
Virtualization
KVM-backed virtual machines orchestrated as Kubernetes objects. No vCenter, no separate operations plane.
Bare metal & OS
Immutable OS artifacts built declaratively as Kubernetes objects. Provisioning, lifecycle, drift control — all native.
Real isolation.
The kind you can sell.
"Multi-tenant" usually means "shared namespace with extra YAML." kMetal means independent clusters, independent networks, and independent lifecycles — engineered for operators who put a price tag on a Kubernetes cluster.
Hosted control planes
Each tenant gets their own dedicated Kubernetes API server, isolated etcd, independent lifecycle. Control planes run as pods on shared management infrastructure.
Network isolation
OVN gives every tenant their own L2/L3 fabric. No shared broadcast domain, no leaked traffic, no compromise.
Resource quotas
CPU, memory, GPU, storage — quota and policy enforcement applied at the boundary, observable in Prometheus.
Policy enforcement
Admission policies, security baselines, and platform guardrails enforced declaratively per tenant.
Goodbye Packer. Goodbye Ansible. Welcome Immutable OS.
Operators define their immutable OS artifact as a Kubernetes object — kMetal builds, signs, and rolls it out. The same declarative loop you already trust for your workloads, applied to the metal underneath them.
apiVersion: images.kmetal.io/v1alpha1
kind: ImmutableOS
metadata:
  name: tenant-gpu-node
spec:
  base: flatcar-stable
  kernel:
    modules: [nvidia, vfio_pci]
  packages:
    - name: cuda-toolkit
      version: "12.4"
  signing:
    secretRef: cosign-keys
  rollout:
    strategy: RollingDrain
    maxUnavailable: 10%

// Illustrative example. API surface subject to change before GA.
Three stages. Same band.
Enterprises, Cloud Providers, and AI Factories ask the same questions of their infrastructure — isolation, density, repeatability, control. kMetal answers them with the same architecture.
Your private cloud, hyperscaler-clean.
- Hyperscaler patterns running on hardware you already own.
- Business-unit isolation as a Kubernetes primitive.
- License-free virtualization — KVM, no VMware tax.
- One platform across dev, staging, and edge sites.
Run Kubernetes worth selling.
- Independent control plane and OVN network per tenant.
- Self-service tenant provisioning with hosted control planes.
- Resource quotas observable from your existing Prometheus stack.
- No hypervisor licensing tax priced into your margin.
GPU fleets, isolated by tenant.
- Pin GPUs per tenant cluster, not per namespace.
- Build CUDA / driver-stamped OS images declaratively.
- Reclaim, reschedule, and re-provision nodes in minutes.
- Quotas and policy at the tenant boundary — not the workload.
Built on the open source you already trust.
kMetal isn't a re-implementation. It's an opinionated, hardened, supported integration of the open source projects you already have a strong opinion about — wired together so the operating model is consistent from the metal up.
// No proprietary forks. No hidden dependencies.
- Kubernetes: The substrate. kMetal is Kubernetes — not a layer alongside it.
- Kamaji: Hosted control planes. One Kubernetes API server per tenant, no shared kube-apiserver fate.
- Cluster API: Declarative cluster lifecycle. Provisioning, upgrades, and scaling as Kubernetes objects.
- KubeVirt: Virtual machines as first-class Kubernetes workloads, scheduled alongside pods.
- KVM: The hypervisor inside the kernel. No vendor virtualization stack to license or operate.
- OVN: Programmable networking per tenant. Logical switches, routers, and policies, declared and reconciled.
Ready to unify your infrastructure?
kMetal is in private BETA. We work hands-on with each design partner to make sure it lands clean in your environment. Tell us about your fleet — we'll bring an engineer to the call.
// BETA → GA on the way