CloudBedrock is a fully open source reference architecture and bootstrap toolchain that turns bare metal, colocation, or on-prem servers into a production-grade private cloud. Every configuration file, every integration, every decision — published without restriction on GitHub. Fork it, own it, run it.
CloudBedrock is the months of integration work you shouldn't have to do yourself. Assembling a production-grade private cloud from open source components is not hard in theory — Talos, Cilium, Rook-Ceph, ArgoCD, cert-manager, Vault, Keycloak. The components are all excellent. What takes time is making them work together: version compatibility, upgrade sequencing, the OIDC chain from identity provider to every service, the GitOps pipeline structure, and the hundreds of edge cases that only appear under load. CloudBedrock is that work, done, and published as a complete reference architecture you fork and own outright.
There is no CloudBedrock service to subscribe to. It is a Git repository. Fork it, read it, modify what doesn't fit, and run it. You own the result from the first command.
CloudBedrock is opinionated. It makes specific choices at every layer and documents why. You may disagree with some of them. That's fine — change the YAML.
No dependency on Plane Sailing to keep it running. The infrastructure is yours. Engineering support is available, but entirely optional.
CloudBedrock is for teams with servers — in a data centre, a colocation facility, or on-premises — who want a cloud-native platform without a hyperscaler bill or a multi-month infrastructure project. Where you're starting from changes the migration path, not the destination.
Broadcom's acquisition changed the VMware commercial reality overnight. If you're facing a licence renewal that no longer makes sense, CloudBedrock is a concrete migration path — not a vague "move to Kubernetes" recommendation, but working infrastructure configuration for the platform that replaces vSphere on your existing hardware.
OpenStack is powerful and famously expensive to operate. If your team spends more time maintaining the control plane than building on top of it, CloudBedrock is a clean exit. The operational surface area — upgrade procedures, component interdependencies, failure modes — is an order of magnitude smaller.
Deploy CloudBedrock to accelerate the journey to Cloudyard and CloudGate.
You have hardware — colocation, a leased rack, servers in a data centre — and you want a cloud-native platform without a hyperscaler contract. CloudBedrock gives you the complete starting configuration so you're building on a tested, integrated foundation rather than assembling the puzzle across a dozen component documentation sites.
Every component CloudBedrock uses is individually documented and deployable. The value is the integration — version compatibility confirmed, configuration tested across layers, upgrade sequences written, and the edge cases that only emerge in production already handled.
Talos Linux was designed specifically for Kubernetes nodes: no SSH, no shell, no package manager, and therefore no configuration drift. Nodes are managed entirely through a declarative API. Upgrades are atomic, with automatic rollback if the new image fails to boot. Most of the attack surface of a conventional Linux host (interactive logins, ad-hoc package installs, hand-edited files) is simply absent.
Cilium replaces kube-proxy entirely with eBPF programs. Run in native-routing mode there is no overlay encapsulation to pay for, LoadBalancer addresses are advertised to your upstream routers over BGP, and Hubble exposes real-time flow data from every namespace without a packet tap or a sidecar. The networking layer that is usually the hardest to configure is pre-wired and documented.
Rook-Ceph provides block, file, and object storage from the same node fleet — no separate storage infrastructure required. MinIO sits on top for S3-compatible object storage with a familiar API. Both are pre-configured with sensible replication policies, storage classes, and Grafana dashboards out of the box.
Tenants get dedicated namespaces with hard CPU, memory, and storage quotas. The namespace-wide ceiling is a ResourceQuota, which the API server checks at admission, so it is paired with a LimitRange that supplies default requests and limits (otherwise a pod that declares none is rejected); the per-container limits that result are what the kernel enforces through cgroups on the node. Cilium network policies enforce tenant separation at the eBPF layer. Kubernetes RBAC bound to groups from your OIDC identity provider grants exactly the permissions a tenant needs, nothing more.
KubeVirt runs virtual machines through the standard Kubernetes API — no separate hypervisor management plane. VMs and containers share the same networking, storage, and scheduling layer. Essential for VMware migrations where not every workload moves to containers on day one, and for legacy applications that require full OS isolation.
Full NVIDIA stack pre-configured: DCGM exporter, device plugin, and GPU sharing through either MIG partitioning or time-slicing. Per-tenant GPU quotas are enforced through ResourceQuota on the nvidia.com/gpu extended resource, so a namespace cannot request more devices than it was allocated. GPU utilisation is visible by tenant, by job, and by device in Grafana from day one. The configuration that typically takes a week to assemble correctly is already done.
CloudBedrock does not require you to replace services your organisation already runs. Active Directory, an existing PKI, a SAN, an established monitoring stack — all of them wire in. Every integration point in inventory.yaml has two modes: point it at what you have, or leave it blank and CloudBedrock bootstraps an open source default.
The defaults are not toy configurations. Keycloak is production-grade identity brokering. cert-manager issues from an internal CA that is properly chained and renews certificates automatically. Vault is initialised with Kubernetes auth and auto-unseal; on your own hardware that means a key source outside the cluster being unsealed, typically the Transit engine of a separate Vault or a cloud KMS, since the unseal key cannot live in the store it unseals. You can run on these defaults indefinitely, or hand off to your existing enterprise services when ready, on your schedule rather than ours.
The entire bootstrap is a shell script and a YAML inventory file. No proprietary installer, no binary you can't inspect. What is in the repository is exactly what runs — which is the point.
Fork cloudbedrock on GitHub. The docs folder explains every component choice and the reasoning behind it. Read it before running anything — you are about to own this infrastructure, so you should understand what you are deploying.
Node IPs, roles, and disk devices go in one section. Enterprise integration points go in another: your AD domain, PKI CA URL, existing storage endpoints. Leave any enterprise field blank and CloudBedrock boots its own. The node section is always required; no enterprise field is required if you're starting from scratch.
The bootstrap script generates per-node Talos configuration from your inventory, boots each node from a network image or ISO, and brings up the Kubernetes control plane. No SSH, no manual OS installation, no configuration that lives outside Git from day one.
ArgoCD bootstraps itself, then deploys every platform component in dependency order: Cilium first (no pod, ArgoCD's own included, can start until a CNI is present, so Cilium has to be in place before anything else is scheduled), then cert-manager, Rook-Ceph, Vault, Keycloak or AD wiring, and finally the Grafana observability stack. Each step is health-checked before the next begins. The cluster converges to the desired state and stays there through future upgrades.
Add a tenant block to your configuration and let ArgoCD apply it. CloudBedrock creates the namespace, sets hard resource quotas, applies network isolation policies, and provisions RBAC bindings keyed on your identity provider's groups, all from a single YAML stanza. Add your team to the matching group in the identity provider and they can log in; there are no per-tenant credentials to hand around, and the tenant is isolated from the first login.
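What that single tenant stanza has to expand to, shown here as an added example rather than a file from the CloudBedrock repository. The tenant name, the namespace label, the OIDC group name, the quota sizes and the assumption that the API server uses an `oidc:` groups prefix are all illustrative; the API kinds and fields are standard Kubernetes and Cilium.

```yaml
# Added example, not CloudBedrock's own manifests. Names and sizes are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-alpha
---
# Namespace-wide ceiling. Enforced by the API server's ResourceQuota admission
# controller: every pod must declare requests and limits for the quoted
# resources or it is rejected, which is why a LimitRange follows.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-alpha-quota
  namespace: tenant-alpha
spec:
  hard:
    requests.cpu: "16"
    requests.memory: 64Gi
    limits.cpu: "32"
    limits.memory: 128Gi
    requests.storage: 2Ti
    persistentvolumeclaims: "50"
    requests.nvidia.com/gpu: "2"   # extended resource; omit if the tenant gets no GPUs
---
# Defaults so pods that omit requests/limits are admitted with sane values, and a
# per-container ceiling so one pod cannot absorb the whole quota. The resulting
# limits are what the kernel enforces through cgroups on the node.
apiVersion: v1
kind: LimitRange
metadata:
  name: tenant-alpha-limits
  namespace: tenant-alpha
spec:
  limits:
    - type: Container
      defaultRequest:
        cpu: 250m
        memory: 256Mi
      default:
        cpu: "1"
        memory: 1Gi
      max:
        cpu: "8"
        memory: 32Gi
---
# Network isolation. Once a Cilium policy selects a pod, traffic not matched by a
# rule is dropped in eBPF. Ingress only from the same namespace; egress only to
# the same namespace and to cluster DNS in kube-system.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: tenant-isolation
  namespace: tenant-alpha
spec:
  endpointSelector: {}        # every pod in tenant-alpha
  ingress:
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: tenant-alpha
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: tenant-alpha
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
---
# Access. The built-in "admin" ClusterRole, bound only inside this namespace, to a
# group that arrives in the OIDC token's groups claim (Keycloak or AD supplies it).
# "oidc:" assumes the API server runs with --oidc-groups-prefix=oidc:.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-alpha-admins
  namespace: tenant-alpha
subjects:
  - kind: Group
    name: oidc:tenant-alpha-admins   # hypothetical group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
```

Two things to check before calling a tenant isolated. First, the egress rule above permits DNS lookups but not the connections that follow them, so a tenant that must reach the internet, the registry, or Keycloak needs an explicit `toFQDNs` or `toEntities` rule; the deny is the default, the allows are deliberate. Second, ingress from the same namespace only means an ingress controller in another namespace cannot reach the tenant's services either; add a `fromEndpoints` rule naming that controller's namespace when a tenant exposes anything, and nothing else.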
Every component, every version pin, every configuration value lives in Git. There are no proprietary wrappers, no opaque binaries, nothing outside the repository. What you read is exactly what runs.
Every CloudBedrock release is integration-tested across the full stack before tagging. Component versions are pinned. Upgrading means bumping a version in a pull request: ArgoCD applies it in dependency order and health-checks each layer, and a layer that fails its health check halts the sync before anything built on top of it is touched. Reverting is another pull request, which is the point of keeping every version pin in Git.
Apache 2.0. No enterprise tier. No feature flags behind a paywall. No configuration locked in a binary. Fork the repository, modify what doesn't fit, and run it. That is the complete model.
If you want to go beyond the infrastructure layer — a self-service developer portal, a package inspection gateway, or controlled egress — the Plane Sailing products are designed to deploy on top of CloudBedrock with pre-written integration overlays in the repository. This is entirely optional and none of it is required to get value from CloudBedrock itself.
The repository includes a cloudyard/ and cloudgate/ directory — ArgoCD application definitions and values overlays that deploy each product against a CloudBedrock cluster with OIDC, storage, and networking already wired. Enable them with a single flag in inventory.yaml. They are tested against every CloudBedrock release so they work, but they are entirely optional additions, not a requirement.
Most teams deploy CloudBedrock without any involvement from us. If you're navigating a VMware migration, operating under compliance obligations, or need contractual support SLAs for a production cluster — that's what these options are for.
| Severity | Definition | Initial Response | Updates | Target Resolution |
|---|---|---|---|---|
| P1 Critical | Cluster control plane or storage layer unavailable; total production impact | 30 minutes | Every 30 min | 4 hours |
| P2 High | Significant degradation; major feature unavailable; workaround possible | 2 hours | Every 4 hours | 1 business day |
| P3 Medium | Non-critical component issue; limited user impact; stable workaround exists | 8 hours | Daily | 5 business days |
| P4 Low | General questions, configuration guidance, enhancement requests | 1 business day | As needed | Next release |
Clone it, read it, and decide if you need help. Most teams deploy CloudBedrock without us. If you're planning a VMware migration, building in a regulated environment, or standing up a GPU cluster from scratch — we've done this before and we're available.