Platform Engineering · Capability
Kubernetes Control Planes.
Running RKE2 at scale — multi-region, multi-cluster, air-gapped. We design, deploy, and harden control planes for teams serving AI workloads in production.
Scope
What we do
- Install and harden Rancher RKE2 control planes (bare-metal, cloud, air-gapped).
- Design multi-region federation with GitOps (Fleet, ArgoCD).
- Integrate SeaweedFS-backed CSI persistent storage.
- Wire Envoy Gateway for ingress, mTLS, and policy-driven routing.
Practical
Exercises we run
Small, repeatable drills we use on engagements and teach in workshops. Each has a lab setup, step-by-step outline, and measurable output.
References
Four Kubernetes distributions we choose between
RKE2 is our default, but not every team's. Here's how we decide between it, K3s, OpenShift, and vanilla kubeadm on real engagements.
| Project | Best for | Trade-offs | When we reach for it |
|---|---|---|---|
| Rancher RKE2 | Production clusters with CIS-hardened defaults, FIPS-140 mode, and a sane upgrade story via system-upgrade-controller. Works identically on bare-metal, cloud VMs, and air-gapped bundles. | Stateful operator assumptions — tolerant of Rancher UI but doesn't require it. Slightly slower cold start than K3s; the hardened defaults are deliberate overhead. | Default choice for AI/ML platforms, multi-region federations, and any workload where audit-grade security posture matters out of the box. |
| K3s | Edge, single-node, IoT, and resource-constrained hosts. Single binary, SQLite default datastore, rapid cold start (<1 min). | Datastore tradeoffs: SQLite default is fine for 1–3 nodes; anything bigger wants embedded etcd or external SQL. Fewer hardened defaults than RKE2 — you add them. | Dev clusters, edge inference pods, labs, workshop environments, and any place where the operational overhead of RKE2 isn't worth the weight. |
| Red Hat OpenShift | Enterprises with an existing Red Hat contract and regulated workloads (pharma, finance, gov). Opinionated Source-to-Image pipelines, integrated IdM, and certified compliance paperwork. | Heaviest footprint of the four — CPU, RAM, and licence cost. Opinions around routes, SCCs, and Operators create friction for teams used to upstream Kubernetes patterns. | Engagements where the customer already runs OpenShift and we're a consumer, not a re-platformer. Rare pick for greenfield work. |
| Vanilla kubeadm | Full upstream control — you pick the CNI, CSI, ingress, security defaults. Matches the reference docs exactly, which is useful for teaching. | All assembly, no batteries. Every hardening decision is yours to make and maintain — CIS benchmarks, certificate rotation, upgrade orchestration, the lot. | Customers with a seasoned platform team who explicitly want a bespoke stack, or certification/audit scenarios where "upstream kubeadm" is the stipulated baseline. |
We've shipped production clusters on all four. The honest summary: if you're a Red Hat shop, use OpenShift; if you're a single-digit-engineer platform team, use RKE2; if you're at the edge, use K3s; if you have a specific reason to be different, use kubeadm.
Further reading
More on Kubernetes.
Workshops we teach + field notes we're writing, all linked back to what you just read.
Hands-on: Air-gapped RKE2 — 1-day workshop
Bootstrap a 3-node RKE2 cluster on a sealed network from a single pre-staged tarball. Bundle pipeline + bootstrap script + CIS-benchmark evidence path.
Scheduling soon
Air-gapped RKE2 bootstrap in 90 minutes
Pre-staged bundle + bootstrap script that survives a procurement-grade transfer to sealed hosts. From cold iron to `kubectl get nodes` under 90 minutes.
Draft
Engagement
Hands-on: Air-gapped RKE2 — 1-day workshop
Packaged engagement — we scope, build, and hand over with runbooks, against a specific SLA.
Neux Ltd
AI Infrastructure · Platform Engineering · London.
Since 2014.
© 2014–2026 Neux Ltd
Registered in England & Wales.