Cloud-grade control plane, infrastructure-agnostic compute.

K8S Engine is designed like a managed cloud service—with the flexibility to run nodes anywhere. Here's how the architecture works.

Control Plane (K8S Engine)

The control plane runs in K8S Engine's infrastructure. You don't manage any of these components.

Kubernetes API endpoint

Controllers and scheduler

etcd cluster (HA, encrypted)

Backup service

Upgrade orchestrator

Observability stack

You

Nodes run in your accounts, on your hardware, in your datacenters. You control placement and cost.

Node Pools (via Cluster API)

Managed scaling across providers

Nodes across providers / bare metal

Your infrastructure, your choice

Workloads and namespaces

Your applications and services

Optional site connectivity components

For advanced networking scenarios

Secure, outbound-first connectivity between your nodes and the K8S Engine control plane.

Nodes initiate connections to the control plane. No inbound firewall rules required on your infrastructure.

Nodes authenticate using bootstrap tokens and certificates. Association is cryptographically verified.

API rate limiting and request validation protect against misconfigured clients and potential abuse.

Built for production workloads with defined availability guarantees.

Pro and Enterprise tiers include highly available control planes with redundant components.

Control plane components are continuously monitored. Issues are detected and addressed automatically.

Component failures trigger automatic failover. Maintenance routines run without manual intervention.

Control plane availability SLOs are documented and tiered. Enterprise includes premium SLA commitments.

Kubernetes versions	Latest 3 minor versions (e.g., 1.28, 1.29, 1.30)
etcd	Managed, HA, encrypted at rest, daily backups
Control plane SLA	99.9% (Pro), 99.99% (Enterprise)
Node connectivity	Outbound tunnels, mTLS, certificate rotation
Supported providers	AWS, Azure, GCP, Hetzner, IONOS, bare metal