[{"data":1,"prerenderedAt":25556},["ShallowReactive",2],{"navigation":3,"\u002Fen\u002Fabout\u002Ffabiansander":4,"\u002Fen\u002Fabout\u002Ffabiansander-posts":37},[],{"id":5,"title":6,"avatar":7,"bio":9,"body":10,"description":10,"extension":11,"meta":12,"name":13,"navigation":14,"path":15,"role":16,"seo":17,"socials":18,"stem":35,"__hash__":36},"users\u002Fen\u002Fusers\u002Ffabiansander.yml","Fabiansander",{"src":8},"\u002Fimages\u002Fblog\u002Fauthors\u002Ffabian.png","Fabian Sander is co-founder of lowcloud. As a developer, he experienced the challenges of modern cloud infrastructure firsthand – complex dependencies on large providers, lack of control over your own data, and tedious, error-prone deployments. These experiences from his time at a previous employer motivated him to found lowcloud. His goal: to make cloud deployments so simple and sovereign that developers and companies can focus on what truly matters – their products.",null,"yml",{},"Fabian Sander",true,"\u002Fen\u002Fusers\u002Ffabiansander","Co-Founder at 
lowcloud",{},[19,24,28,31],{"label":20,"to":21,"icon":22,"target":23},"LinkedIn","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fsander-fabian\u002F","i-simple-icons-linkedin","_blank",{"label":25,"to":26,"icon":27,"target":23},"GitHub","https:\u002F\u002Fgithub.com\u002Fsandfa","i-simple-icons-github",{"label":10,"to":29,"icon":30,"target":23},"https:\u002F\u002Fx.com\u002Ffabiansander911","i-simple-icons-x",{"label":32,"to":33,"icon":34,"target":23},"DEV","https:\u002F\u002Fdev.to\u002Fsandfa","i-simple-icons-devdotto","en\u002Fusers\u002Ffabiansander","iN_RjU2cqYwUbb8PEzrW7srdooij2lkk1ryIWgYqJlg",[38,518,1529,2141,2854,3947,4197,4454,4940,5122,5430,5849,6206,6581,6929,7272,7624,7920,8186,8435,8672,9022,9352,10149,10605,10762,11067,11666,11909,12162,12548,12819,13048,13313,13614,13856,14288,14940,15231,15476,15751,15996,16391,16869,17278,17580,17926,18153,18398,18828,19123,19473,20110,20272,21179,22589,23798,24684,25281],{"id":39,"title":40,"authors":41,"badge":10,"body":47,"date":508,"description":509,"extension":510,"image":511,"lastUpdated":10,"meta":513,"navigation":14,"path":514,"published":14,"seo":515,"stem":516,"tags":10,"__hash__":517},"posts\u002Fen\u002F3.blog\u002F60.heroku-alternatives.md","The Best Heroku Alternatives in 2026",[42],{"name":43,"to":44,"avatar":45},"Thomas Ens","\u002Fabout\u002Fthomasens",{"src":46},"\u002Fimages\u002Fblog\u002Fauthors\u002Fthomas.jpeg",{"type":48,"value":49,"toc":489},"minimark",[50,55,67,70,75,83,86,90,99,102,131,134,138,141,144,176,179,183,186,191,198,204,210,216,220,227,232,237,242,246,253,256,261,266,271,275,282,287,292,297,300,303,306,311,316,320,328,336,339,351,355,358,361,408,416,420,423,429,435,441,447,453,456,460,463,466,472,475,478,481],[51,52,54],"h1",{"id":53},"the-best-heroku-alternatives-in-2026-what-actually-makes-sense-now","The Best Heroku Alternatives in 2026: What Actually Makes Sense Now",[56,57,58,59,66],"p",{},"For many developers, 
",[60,61,65],"a",{"href":62,"rel":63},"https:\u002F\u002Fwww.heroku.com\u002F",[64],"nofollow","Heroku"," was their first real introduction to the idea of getting an app into the cloud without any ops knowledge. That promise shaped an entire generation of web developers. Now Heroku is in maintenance mode. No new features, no active development, an unclear roadmap. For teams that have built on Heroku, that's a signal you shouldn't ignore.",[56,68,69],{},"This article shows which alternatives exist, what they can do, and what to watch out for when switching.",[71,72,74],"h2",{"id":73},"what-is-heroku","What is Heroku?",[56,76,77,78,82],{},"Heroku is a ",[60,79,81],{"href":80},"\u002Fen\u002Fblog\u002Fwhat-is-paas","Platform-as-a-Service (PaaS)"," that lets you deploy and run web applications without having to manage your own servers or Kubernetes clusters. Apps are typically built and rolled out directly from a Git repository; configuration runs through environment variables, and typical add-on services (such as databases or queues) are connected as add-ons.",[56,84,85],{},"At its core, Heroku abstracts infrastructure into the simplest possible operating model: applications run in isolated units (dynos), scaling happens by spinning these dynos up and down, and the platform ecosystem takes a lot of operational work off teams' hands.",[71,87,89],{"id":88},"what-heroku-maintenance-mode-means","What Heroku Maintenance Mode Means",[56,91,92,93,98],{},"Heroku has been part of ",[60,94,97],{"href":95,"rel":96},"https:\u002F\u002Fwww.salesforce.com\u002F",[64],"Salesforce"," since 2010. For a long time, the platform was the gold standard for fast deployment without infrastructure overhead. But for years, signs have been piling up that Heroku is no longer an internal priority: the free dynos were shut down, prices went up, the roadmap kept getting thinner.",[56,100,101],{},"The shift to maintenance mode is the formal confirmation of what many people have felt for a while. 
Concretely, here's what it means:",[103,104,105,113,119,125],"ul",{},[106,107,108,112],"li",{},[109,110,111],"strong",{},"Existing workloads will keep running"," – there's no forced immediate shutdown date.",[106,114,115,118],{},[109,116,117],{},"No more new features."," The platform isn't being developed further.",[106,120,121,124],{},[109,122,123],{},"Support will be reduced."," When something goes wrong, you're more on your own.",[106,126,127,130],{},[109,128,129],{},"Security patches"," will still be delivered for a defined period, but the horizon is limited.",[56,132,133],{},"For production systems that depend on reliability, that's not a sustainable state in the long run. Teams that migrate now have time for an orderly transition. Teams that wait will eventually migrate under pressure.",[71,135,137],{"id":136},"why-many-teams-loved-heroku-and-what-they-expect-from-an-alternative","Why Many Teams Loved Heroku and What They Expect from an Alternative",[56,139,140],{},"Before looking at the alternatives, it's worth understanding what Heroku actually got right. Because not every \"modern PaaS\" delivers the same experience.",[56,142,143],{},"Heroku's core strengths were:",[103,145,146,152,158,164,170],{},[106,147,148,151],{},[109,149,150],{},"Git-based deployment"," – no Docker knowledge required, no CI\u002FCD setup needed.",[106,153,154,157],{},[109,155,156],{},"The Procfile concept"," – simple but powerful for defining process types.",[106,159,160,163],{},[109,161,162],{},"The add-on ecosystem"," – databases, queues, monitoring provisioned with one click.",[106,165,166,169],{},[109,167,168],{},"Dynos as an abstraction layer"," – no servers, no container concepts visible to developers.",[106,171,172,175],{},[109,173,174],{},"A zero-config experience"," – from code to URL in minutes.",[56,177,178],{},"A good alternative doesn't have to replicate all of that identically. 
But it does need to offer a similarly low entry barrier while being scalable enough that you don't have to switch again in two years.",[71,180,182],{"id":181},"the-best-heroku-alternatives-in-2026-at-a-glance","The Best Heroku Alternatives in 2026 at a Glance",[56,184,185],{},"Today there's a whole range of platforms positioning themselves explicitly as a Heroku replacement. The quality varies widely. Here are the options that are relevant for the majority of teams.",[187,188,190],"h3",{"id":189},"render","Render",[56,192,193,197],{},[60,194,190],{"href":195,"rel":196},"https:\u002F\u002Frender.com\u002F",[64]," is probably the most direct Heroku alternative. The platform offers automatic deployments from Git, supports web services, workers, cron jobs, and static sites, all from a single UI. The developer experience is good, the documentation is solid.",[56,199,200,203],{},[109,201,202],{},"Strengths:"," Active development, a good free tier for smaller projects, simple configuration.",[56,205,206,209],{},[109,207,208],{},"Weaknesses:"," Pricing escalates quickly with larger workloads. The add-on ecosystem is limited, and you have to wire in external services yourself. Managed Postgres is available, but the overall selection of managed services is smaller than Heroku in its prime.",[56,211,212,215],{},[109,213,214],{},"Fits for:"," Teams that want a fast migration and primarily run Node.js, Python, or Ruby services.",[187,217,219],{"id":218},"railway","Railway",[56,221,222,226],{},[60,223,219],{"href":224,"rel":225},"https:\u002F\u002Frailway.com\u002F?referralCode=bacL3e&gad_source=1&gad_campaignid=23611828293&gbraid=0AAAAA-DC02ZL0XT0zU7DtTNf8wUGG8IMQ&gclid=Cj0KCQjwj47OBhCmARIsAF5wUEHsd2HvssW2jh4XSs06PPkO-lZ102bIFcOS3c-b6EC8QQJqStp_2UsaArW9EALw_wcB",[64]," has built up a loyal developer community over the past few years. The deployment model is similar to Heroku's, the interface is modern and visually polished. 
Railway supports deployments from GitHub, Docker, or your own templates.",[56,228,229,231],{},[109,230,202],{}," Very fast setup, intuitive dashboard, good support for various runtimes. The pricing model based on actual resource usage is fair for smaller teams.",[56,233,234,236],{},[109,235,208],{}," Still relatively young for enterprise use. Regional flexibility is limited; anyone tied to EU-only or specific compliance requirements will hit walls quickly.",[56,238,239,241],{},[109,240,214],{}," Indie developers, small teams, prototypes, and staging environments.",[187,243,245],{"id":244},"flyio","Fly.io",[56,247,248,252],{},[60,249,245],{"href":250,"rel":251},"http:\u002F\u002FFly.io",[64]," is technically a different category. The platform deploys containers globally to edge locations. That means low latency for global users, but a different mental model from Heroku.",[56,254,255],{},"You deploy and Fly.io distributes the containers across multiple regions. That's powerful, but also more complex. Anyone who loved Heroku for its simplicity will have to do more configuration with Fly.io initially.",[56,257,258,260],{},[109,259,202],{}," Excellent performance for globally distributed applications, fair pricing for smaller instances, a strong CLI.",[56,262,263,265],{},[109,264,208],{}," The level of abstraction is lower than with classic PaaS platforms. There's a learning curve for teams without container experience. GDPR compliance comes with caveats since data may live on US infrastructure.",[56,267,268,270],{},[109,269,214],{}," Teams with container experience that want to optimize for global latency.",[187,272,274],{"id":273},"porter","Porter",[56,276,277,281],{},[60,278,274],{"href":279,"rel":280},"https:\u002F\u002Fwww.porter.run\u002F",[64]," is interesting for teams that actually want to be on Kubernetes but don't have the ops capacity to operate a cluster themselves. 
Porter provides a Heroku-like interface on top of Kubernetes infrastructure, either on your own AWS\u002FGCP\u002FAzure account or as a managed service.",[56,283,284,286],{},[109,285,202],{}," Kubernetes-native, full flexibility on the infrastructure side, a Heroku-like deployment experience for the team.",[56,288,289,291],{},[109,290,208],{}," More expensive and more complex than pure PaaS options. Only really makes sense above a certain team size and workload complexity.",[56,293,294,296],{},[109,295,214],{}," Scale-ups that want to grow into Kubernetes without immediately building a dedicated platform team.",[187,298,299],{"id":299},"lowcloud",[56,301,302],{},"lowcloud is a DevOps-as-a-Service platform focused on European infrastructure and digital sovereignty. That means deployments run in German or European data centers, and GDPR compliance isn't an afterthought but part of the design. On top of that, lowcloud runs everything on the customer's own infrastructure (e.g. in their own cloud account or data center).",[56,304,305],{},"For organizations that work with sensitive customer data or have to meet regulatory requirements, that's a decisive difference compared to US-based providers. lowcloud offers a managed Kubernetes experience: teams deploy applications without cluster management overhead but get the full flexibility of Kubernetes underneath. 
Importantly, this isn't just \"managed Kubernetes\" — it's a fully managed platform with everything that goes with it, similar to Heroku.",[56,307,308,310],{},[109,309,202],{}," EU hosting, GDPR-compliant by design, Kubernetes-native without ops overhead, suitable for production workloads with compliance requirements.",[56,312,313,315],{},[109,314,214],{}," Companies in Germany and the EU, teams with data protection or compliance requirements, Kubernetes users who want a managed approach.",[71,317,319],{"id":318},"sovereignty-lock-in-why-the-infrastructure-question-matters","Sovereignty & Lock-in: Why the Infrastructure Question Matters",[56,321,322,323,327],{},"Many of the well-known Heroku alternatives are US providers or are heavily built on US infrastructure ecosystems. For organizations that ",[60,324,326],{"href":325},"\u002Fen\u002Fblog\u002Fcloud-illusion-digital-sovereignty","take digital sovereignty seriously"," (e.g. due to data protection, regulation, risk management, or strategic independence), that's more than a detail: jurisdiction, control options, and dependencies become part of the technical decision.",[56,329,330,331,335],{},"There's a second point on top of that: classic PaaS offerings are convenient but ",[60,332,334],{"href":333},"\u002Fen\u002Fblog\u002Fcloud-vendor-lock-in","often lead to lock-in",". That doesn't just affect APIs and add-ons, but also buildpacks, deployment workflows, observability stacks, and the operating model. The more these platform-specific building blocks get used, the higher the cost of switching later.",[56,337,338],{},"Exceptions are mainly models where the platform runs on your own infrastructure:",[103,340,341,346],{},[106,342,343,345],{},[109,344,274],{}," can be operated on your own AWS\u002FGCP\u002FAzure account. 
That keeps infrastructure ownership with the company, and Kubernetes serves as a portable foundation.",[106,347,348,350],{},[109,349,299],{}," goes one step further: the platform runs on German\u002FEuropean infrastructure and is designed for sovereignty. That combines infrastructure ownership (your own or a controlled environment) with a provider setup in Germany, with the goal of delivering PaaS-level convenience without the typical lock-in effects of classic, proprietary platforms.",[71,352,354],{"id":353},"other-providers-as-an-alternative-to-heroku","Other Providers as an Alternative to Heroku",[56,356,357],{},"Beyond the options above, there are many other platforms that handle hosting, deployments, and sometimes backend functionality. This article deliberately focused on a few candidates that come closest to the classic Heroku experience (\"push code, app runs\") and represent a real alternative for many workloads.",[56,359,360],{},"Other commonly used providers include:",[103,362,363,368,373,378,383,388,393,398,403],{},[106,364,365],{},[109,366,367],{},"Vercel",[106,369,370],{},[109,371,372],{},"Netlify",[106,374,375],{},[109,376,377],{},"Cloudflare Pages \u002F Workers",[106,379,380],{},[109,381,382],{},"Firebase",[106,384,385],{},[109,386,387],{},"AWS Amplify",[106,389,390],{},[109,391,392],{},"Google App Engine",[106,394,395],{},[109,396,397],{},"Azure App Service",[106,399,400],{},[109,401,402],{},"DigitalOcean App Platform",[106,404,405],{},[109,406,407],{},"Elastic Beanstalk",[56,409,410,411,415],{},"Many of these offerings are either heavily optimized for frontend\u002Fserverless scenarios or part of large US cloud ecosystems. In practice, that often comes with the same two limitations as classic PaaS platforms: limited sovereignty (US provider\u002Fjurisdiction) and no operation on your own infrastructure (no deployment in your own account or data center). 
If that's exactly what you need, you typically end up with ",[60,412,414],{"href":413},"\u002Fen\u002Fblog\u002Fbring-your-own-cloud","BYOC- or on-prem\u002Fprivate-cloud-capable platform approaches",".",[71,417,419],{"id":418},"what-really-matters-in-a-migration","What Really Matters in a Migration",[56,421,422],{},"A migration off Heroku is rarely just copy-paste. Here are the points that take the most work in practice:",[56,424,425,428],{},[109,426,427],{},"Replacing add-ons:"," Heroku's add-on marketplace is a central part of the platform. Postgres, Redis, RabbitMQ, S3-compatible storage — all of that has to either be offered as a managed service on the new platform or wired in externally. Before the migration, it's worth doing a complete inventory of all add-ons in use.",[56,430,431,434],{},[109,432,433],{},"Translating Procfile logic:"," If Procfiles are in use, check how the target platform represents worker processes and release commands. Most modern PaaS platforms have equivalents, but the configuration looks different.",[56,436,437,440],{},[109,438,439],{},"Environment variables:"," Sounds trivial, but it's error-prone. It makes sense to document all config vars before the migration and transfer them completely to the new platform.",[56,442,443,446],{},[109,444,445],{},"Build and deployment process:"," Many teams have built up CI\u002FCD pipelines over the years that hook directly into Heroku's Git integration. These have to be adapted, either to the new platform's deployment mechanisms or to a platform-independent, Docker-based deployment.",[56,448,449,452],{},[109,450,451],{},"Logging and monitoring:"," Heroku Logplex is easy to use, but in a migration that integration is lost. 
So logging and alerting on the new platform should be reliably set up before go-live.",[56,454,455],{},"A staging deployment on the target system before the production cut-over isn't optional — it's mandatory.",[71,457,459],{"id":458},"which-platform-fits-which-team","Which Platform Fits Which Team?",[56,461,462],{},"There's no universally correct answer. But there are clear patterns:",[56,464,465],{},"Render or Railway are the right choice if the team is small, the workloads are manageable, and a fast switch with minimal effort is the priority.",[56,467,468,471],{},[60,469,245],{"href":250,"rel":470},[64]," makes sense if global latency is a concern and the team already has container experience.",[56,473,474],{},"Porter is a good bridge for teams that want to grow into Kubernetes without immediately hiring a platform engineering team.",[56,476,477],{},"lowcloud is the choice for companies where EU data protection, GDPR compliance, or digital sovereignty are non-negotiable and that don't want to give up a developer-friendly deployment experience to get there. At its core, lowcloud combines several properties that are usually only available separately: the simple, Heroku-style handling and fast developer experience (as with Render or Railway), a Kubernetes foundation for portability and standardization, and operation on your own infrastructure (similar to Porter) instead of on a closed vendor platform. At the same time, the sovereignty aspect is preserved: setup and operation are aligned to Germany\u002FEU, with the goal of avoiding lock-in and keeping control over data, infrastructure, and operating model with the customer.",[479,480],"hr",{},[56,482,483,484,488],{},"If you're currently planning a Heroku migration, now is the right moment for a well-founded decision rather than a quick workaround. 
lowcloud offers a ",[60,485,487],{"href":486},"\u002Fen\u002Fblog\u002Fdevops-as-a-service","DevOps-as-a-Service platform"," built precisely for this use case: production-ready deployments on European infrastructure, without needing an ops team to do it. That makes it possible to evaluate early what lowcloud can do for your stack before migration pressure builds up.",{"title":490,"searchDepth":491,"depth":491,"links":492},"",2,[493,494,495,496,504,505,506,507],{"id":73,"depth":491,"text":74},{"id":88,"depth":491,"text":89},{"id":136,"depth":491,"text":137},{"id":181,"depth":491,"text":182,"children":497},[498,500,501,502,503],{"id":189,"depth":499,"text":190},3,{"id":218,"depth":499,"text":219},{"id":244,"depth":499,"text":245},{"id":273,"depth":499,"text":274},{"id":299,"depth":499,"text":299},{"id":318,"depth":491,"text":319},{"id":353,"depth":491,"text":354},{"id":418,"depth":491,"text":419},{"id":458,"depth":491,"text":459},"2026-04-11","Heroku is in maintenance mode. We compare Render, Railway, Fly.io, Porter and lowcloud as serious alternatives for teams planning a migration.","md",{"src":512},"\u002Fimages\u002Fblog\u002Fheroku-alternatives.jpg",{},"\u002Fen\u002Fblog\u002Fheroku-alternatives",{"title":40,"description":509},"en\u002F3.blog\u002F60.heroku-alternatives","cGLiVNmXjIZzNM4OJOLrEseanbrMpBH9pyIBP3ebtq0",{"id":519,"title":520,"authors":521,"badge":10,"body":525,"date":1520,"description":1521,"extension":510,"image":1522,"lastUpdated":10,"meta":1524,"navigation":14,"path":1525,"published":14,"seo":1526,"stem":1527,"tags":10,"__hash__":1528},"posts\u002Fen\u002F3.blog\u002F55.minio-alternatives.md","MinIO Alternatives Compared: RustFS, SeaweedFS, and 
Garage",[522],{"name":13,"to":523,"avatar":524},"\u002Fabout\u002Ffabiansander",{"src":8},{"type":48,"value":526,"toc":1502},[527,530,534,537,540,543,547,550,571,574,577,580,584,587,590,594,597,727,745,752,756,759,762,764,768,771,775,778,968,971,975,978,981,984,986,990,993,997,1000,1284,1287,1291,1294,1297,1300,1304,1459,1462,1469,1473,1476,1479,1482,1485,1493,1495,1498],[56,528,529],{},"MinIO was the go-to answer for self-hosted S3-compatible object storage for years. Easy to install, well-documented, API-compatible with AWS S3 — that was enough for most use cases. But after the switch to an AGPL-3.0 license and a shift in business focus, many teams are now asking whether MinIO is still the right choice. Anyone running MinIO inside a proprietary product or internal service either needs to purchase a commercial license or seriously evaluate the MinIO alternatives. This article compares three of them: RustFS, SeaweedFS, and Garage, all S3-compatible, all self-hosted.",[71,531,533],{"id":532},"why-minio-is-up-for-debate","Why MinIO is up for debate",[56,535,536],{},"MinIO hasn't done anything wrong technically. The software is fast, well-maintained, and still one of the most mature options in the self-hosted object storage space. The problem is the licensing model.",[56,538,539],{},"With the switch to AGPL-3.0, MinIO Inc. drew a clear line: anyone running MinIO inside a product or service that isn't itself published under AGPL needs a commercial license. For many companies using MinIO as a backend for their own services, this is a real problem, not necessarily because of the cost, but because of the uncertainty. AGPL is a red flag in many legal departments, regardless of how defensible the specific use case might be.",[56,541,542],{},"On top of that, MinIO is increasingly orienting itself toward enterprise customers. Features and documentation follow that focus. 
Teams looking for simple, low-maintenance storage for a smaller setup will often find a better fit among the alternatives.",[71,544,546],{"id":545},"what-a-real-s3-alternative-needs-to-deliver","What a real S3 alternative needs to deliver",[56,548,549],{},"\"S3-compatible\" is not a binary property, and that's important to understand before comparing systems.",[56,551,552,553,557,558,557,561,557,564,557,567,570],{},"S3 API depth: The basic operations — ",[554,555,556],"code",{},"PutObject",", ",[554,559,560],{},"GetObject",[554,562,563],{},"DeleteObject",[554,565,566],{},"ListBuckets",[554,568,569],{},"ListObjects"," — are supported by almost every implementation. Problems arise with less commonly used features like multipart uploads with specific part sizes, Object Lock, Bucket Versioning, server-side encryption, or pre-signed URLs with specific parameters. Anyone running tooling or applications that depend on these features needs to check compatibility explicitly upfront.",[56,572,573],{},"Clustering and high availability: How does the system distribute data across multiple nodes? How does it behave when a node fails? How is the cluster expanded without causing downtime?",[56,575,576],{},"Kubernetes integration: Are Helm charts available? Is there an operator model with automated Day-2 management? CSI drivers for Persistent Volumes? This has a significant impact on actual operational overhead in a Kubernetes environment.",[56,578,579],{},"Simplicity and resource consumption: The smaller the team, the more important it is that the system can be operated cleanly without dedicated storage expertise.",[71,581,583],{"id":582},"rust-based-minio-alternative-rustfs","Rust-based MinIO alternative: RustFS",[56,585,586],{},"RustFS is the youngest of the three projects. It explicitly positions itself as a MinIO successor: same deployment model, same S3 API, but implemented in Rust and licensed under Apache 2.0. The latter is the key point. 
Apache 2.0 can be used in almost any environment without legal concerns.",[56,588,589],{},"The project has gained momentum since 2024, but it's still relatively young. For production deployments with high demands on stability and feature completeness, the release notes and issue tracker deserve close attention. That's not a free pass, but an honest reflection of where things stand today.",[187,591,593],{"id":592},"installation-and-kubernetes-integration","Installation and Kubernetes integration",[56,595,596],{},"RustFS can be deployed similarly to MinIO, as a single binary or as a container. An official Helm chart exists but is still under development. Anyone wanting a clean Kubernetes setup currently needs to do more manual work than with the more established alternatives.",[598,599,603],"pre",{"className":600,"code":601,"language":602,"meta":490,"style":490},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# RustFS runs as UID 10001 — prepare the directory first\nmkdir -p .\u002Fdata && chown -R 10001:10001 .\u002Fdata\n\ndocker run -d --name rustfs \\\n  -p 9000:9000 -p 9001:9001 \\\n  -e RUSTFS_ACCESS_KEY=mykey \\\n  -e RUSTFS_SECRET_KEY=mypassword \\\n  -v .\u002Fdata:\u002Fdata \\\n  rustfs\u002Frustfs:latest \u002Fdata\n","bash",[554,604,605,614,643,648,670,686,697,707,718],{"__ignoreMap":490},[606,607,610],"span",{"class":608,"line":609},"line",1,[606,611,613],{"class":612},"sHwdD","# RustFS runs as UID 10001 — prepare the directory first\n",[606,615,616,620,624,627,631,634,637,640],{"class":608,"line":491},[606,617,619],{"class":618},"sBMFI","mkdir",[606,621,623],{"class":622},"sfazB"," -p",[606,625,626],{"class":622}," .\u002Fdata",[606,628,630],{"class":629},"sMK4o"," &&",[606,632,633],{"class":618}," chown",[606,635,636],{"class":622}," -R",[606,638,639],{"class":622}," 10001:10001",[606,641,642],{"class":622}," 
.\u002Fdata\n",[606,644,645],{"class":608,"line":499},[606,646,647],{"emptyLinePlaceholder":14},"\n",[606,649,651,654,657,660,663,666],{"class":608,"line":650},4,[606,652,653],{"class":618},"docker",[606,655,656],{"class":622}," run",[606,658,659],{"class":622}," -d",[606,661,662],{"class":622}," --name",[606,664,665],{"class":622}," rustfs",[606,667,669],{"class":668},"sTEyZ"," \\\n",[606,671,673,676,679,681,684],{"class":608,"line":672},5,[606,674,675],{"class":622},"  -p",[606,677,678],{"class":622}," 9000:9000",[606,680,623],{"class":622},[606,682,683],{"class":622}," 9001:9001",[606,685,669],{"class":668},[606,687,689,692,695],{"class":608,"line":688},6,[606,690,691],{"class":622},"  -e",[606,693,694],{"class":622}," RUSTFS_ACCESS_KEY=mykey",[606,696,669],{"class":668},[606,698,700,702,705],{"class":608,"line":699},7,[606,701,691],{"class":622},[606,703,704],{"class":622}," RUSTFS_SECRET_KEY=mypassword",[606,706,669],{"class":668},[606,708,710,713,716],{"class":608,"line":709},8,[606,711,712],{"class":622},"  -v",[606,714,715],{"class":622}," .\u002Fdata:\u002Fdata",[606,717,669],{"class":668},[606,719,721,724],{"class":608,"line":720},9,[606,722,723],{"class":622},"  rustfs\u002Frustfs:latest",[606,725,726],{"class":622}," \u002Fdata\n",[56,728,729,730,733,734,737,738,741,742,744],{},"Port 9000 is the S3 API, port 9001 is the web console. Without ",[554,731,732],{},"RUSTFS_ACCESS_KEY"," and ",[554,735,736],{},"RUSTFS_SECRET_KEY",", RustFS falls back to default credentials (",[554,739,740],{},"rustfsadmin","\u002F",[554,743,740],{},"). For production deployments, set them explicitly.",[56,746,747,748,751],{},"Compatibility with the ",[554,749,750],{},"mc"," client (MinIO Client) makes the switch comparatively smooth for teams already familiar with MinIO. 
Same commands, same concepts, just a different binary.",[187,753,755],{"id":754},"s3-compatibility-and-performance","S3 compatibility and performance",[56,757,758],{},"RustFS covers the most common S3 operations. Less commonly used features like Object Lock or certain encryption modes still have gaps. Performance is good thanks to the Rust implementation, but hasn't been systematically benchmarked against SeaweedFS or MinIO in a direct comparison yet.",[56,760,761],{},"RustFS verdict: Interesting as a long-term project that's clean on licensing and deliberately designed for MinIO compatibility. For critical production deployments today, proceed with caution.",[479,763],{},[71,765,767],{"id":766},"seaweedfs-the-proven-all-rounder","SeaweedFS — the proven all-rounder",[56,769,770],{},"SeaweedFS is a different caliber. The project has existed since 2012, is written in Go, and has proven itself in production deployments at medium to large scale. The architecture differs fundamentally from MinIO and RustFS: SeaweedFS separates the master server (metadata management), volume servers (actual data), and optionally a filer (filesystem interface and S3 emulation).",[187,772,774],{"id":773},"operations-and-clustering","Operations and clustering",[56,776,777],{},"That separation is exactly what makes SeaweedFS powerful, but also more complex. A minimal setup requires at least one master and one volume server. 
For high availability, a 3-master cluster with RAFT consensus is recommended.",[598,779,781],{"className":600,"code":780,"language":602,"meta":490,"style":490},"# Shared network so the containers can reach each other\ndocker network create seaweedfs\n\n# Master server: manages metadata and coordinates the cluster\ndocker run -d --name weed-master \\\n  --network seaweedfs -p 9333:9333 \\\n  chrislusf\u002Fseaweedfs master\n\n# Volume server: stores the actual data\ndocker run -d --name weed-volume \\\n  --network seaweedfs -p 8080:8080 \\\n  -v .\u002Fdata:\u002Fdata \\\n  chrislusf\u002Fseaweedfs volume -mserver=weed-master:9333 -dir=\u002Fdata\n\n# Filer: exposes the S3 interface, applications connect on port 8333\ndocker run -d --name weed-filer \\\n  --network seaweedfs -p 8333:8333 \\\n  chrislusf\u002Fseaweedfs filer -master=weed-master:9333 -s3 -s3.port=8333\n",[554,782,783,788,801,805,810,825,840,848,852,857,873,887,896,910,915,921,937,951],{"__ignoreMap":490},[606,784,785],{"class":608,"line":609},[606,786,787],{"class":612},"# Shared network so the containers can reach each other\n",[606,789,790,792,795,798],{"class":608,"line":491},[606,791,653],{"class":618},[606,793,794],{"class":622}," network",[606,796,797],{"class":622}," create",[606,799,800],{"class":622}," seaweedfs\n",[606,802,803],{"class":608,"line":499},[606,804,647],{"emptyLinePlaceholder":14},[606,806,807],{"class":608,"line":650},[606,808,809],{"class":612},"# Master server: manages metadata and coordinates the cluster\n",[606,811,812,814,816,818,820,823],{"class":608,"line":672},[606,813,653],{"class":618},[606,815,656],{"class":622},[606,817,659],{"class":622},[606,819,662],{"class":622},[606,821,822],{"class":622}," weed-master",[606,824,669],{"class":668},[606,826,827,830,833,835,838],{"class":608,"line":688},[606,828,829],{"class":622},"  --network",[606,831,832],{"class":622}," seaweedfs",[606,834,623],{"class":622},[606,836,837],{"class":622}," 
9333:9333",[606,839,669],{"class":668},[606,841,842,845],{"class":608,"line":699},[606,843,844],{"class":622},"  chrislusf\u002Fseaweedfs",[606,846,847],{"class":622}," master\n",[606,849,850],{"class":608,"line":709},[606,851,647],{"emptyLinePlaceholder":14},[606,853,854],{"class":608,"line":720},[606,855,856],{"class":612},"# Volume server: stores the actual data\n",[606,858,860,862,864,866,868,871],{"class":608,"line":859},10,[606,861,653],{"class":618},[606,863,656],{"class":622},[606,865,659],{"class":622},[606,867,662],{"class":622},[606,869,870],{"class":622}," weed-volume",[606,872,669],{"class":668},[606,874,876,878,880,882,885],{"class":608,"line":875},11,[606,877,829],{"class":622},[606,879,832],{"class":622},[606,881,623],{"class":622},[606,883,884],{"class":622}," 8080:8080",[606,886,669],{"class":668},[606,888,890,892,894],{"class":608,"line":889},12,[606,891,712],{"class":622},[606,893,715],{"class":622},[606,895,669],{"class":668},[606,897,899,901,904,907],{"class":608,"line":898},13,[606,900,844],{"class":622},[606,902,903],{"class":622}," volume",[606,905,906],{"class":622}," -mserver=weed-master:9333",[606,908,909],{"class":622}," -dir=\u002Fdata\n",[606,911,913],{"class":608,"line":912},14,[606,914,647],{"emptyLinePlaceholder":14},[606,916,918],{"class":608,"line":917},15,[606,919,920],{"class":612},"# Filer: exposes the S3 interface, applications connect on port 8333\n",[606,922,924,926,928,930,932,935],{"class":608,"line":923},16,[606,925,653],{"class":618},[606,927,656],{"class":622},[606,929,659],{"class":622},[606,931,662],{"class":622},[606,933,934],{"class":622}," weed-filer",[606,936,669],{"class":668},[606,938,940,942,944,946,949],{"class":608,"line":939},17,[606,941,829],{"class":622},[606,943,832],{"class":622},[606,945,623],{"class":622},[606,947,948],{"class":622}," 8333:8333",[606,950,669],{"class":668},[606,952,954,956,959,962,965],{"class":608,"line":953},18,[606,955,844],{"class":622},[606,957,958],{"class":622}," 
filer",[606,960,961],{"class":622}," -master=weed-master:9333",[606,963,964],{"class":622}," -s3",[606,966,967],{"class":622}," -s3.port=8333\n",[56,969,970],{},"Helm charts for Kubernetes exist and are significantly more mature than RustFS's. The operational overhead is higher than a single-binary solution, which should be factored into the decision.",[187,972,974],{"id":973},"use-cases","Use cases",[56,976,977],{},"SeaweedFS shines where large numbers of small to medium-sized files are stored, typical workloads like user uploads, build artifacts, and backup data. The S3 API support runs through the filer and is good, but not identical to the original AWS API in every detail. Multipart uploads work; Versioning and Object Lock have limitations.",[56,979,980],{},"One advantage that rarely gets mentioned: SeaweedFS supports FUSE mounts, WebDAV, and its own HTTP interface alongside the S3 API. Teams that need multiple access models from a single system have an interesting option here.",[56,982,983],{},"SeaweedFS verdict: The most mature and flexible MinIO alternative in this comparison. For teams with operational capacity and a need for scalable storage, it's the most solid starting point. The complexity cost is real, but it buys genuine scalability.",[479,985],{},[71,987,989],{"id":988},"garage-lightweight-and-geo-distributed","Garage — lightweight and geo-distributed",[56,991,992],{},"Garage comes from a different context. The project was developed to enable distributed object storage for geo-redundant setups, scenarios where nodes don't sit in the same data center. That's a use case that MinIO and SeaweedFS explicitly don't handle well.",[187,994,996],{"id":995},"architecture-specifics","Architecture specifics",[56,998,999],{},"Garage has no central master node. All nodes are peers; coordination runs through a RAFT-like protocol. 
Zone-awareness is built in: Garage deliberately distributes replicas across different availability zones or physical locations.",[598,1001,1003],{"className":600,"code":1002,"language":602,"meta":490,"style":490},"# Required: create a configuration file (Garage won't start without it)\ncat > .\u002Fgarage.toml \u003C\u003C EOF\nmetadata_dir = \"\u002Fmeta\"\ndata_dir = \"\u002Fdata\"\nreplication_factor = 1\nrpc_secret = \"$(openssl rand -hex 32)\"\nrpc_bind_addr = \"[::]:3901\"\n\n[s3_api]\ns3_region = \"garage\"\napi_bind_addr = \"[::]:3900\"\n\n[admin]\napi_bind_addr = \"[::]:3903\"\nEOF\n\n# Start Garage\ndocker run -d --name garage \\\n  -p 3900:3900 -p 3901:3901 -p 3903:3903 \\\n  -v .\u002Fgarage.toml:\u002Fetc\u002Fgarage.toml \\\n  -v .\u002Fdata:\u002Fdata \\\n  -v .\u002Fmeta:\u002Fmeta \\\n  dxflrs\u002Fgarage:v1.0.1\n\n# Show node ID\ndocker exec garage garage node list\n\n# Assign each node to a zone (-z) and set storage capacity (-c, in bytes)\ndocker exec garage garage layout assign -z dc1 -c 1000000000000 \u003Cnode-id>\n\n# Apply the layout (N = version number shown after layout assign)\ndocker exec garage garage layout apply --version 1\n",[554,1004,1005,1010,1027,1032,1037,1042,1047,1052,1056,1061,1066,1071,1075,1080,1085,1090,1094,1099,1114,1134,1144,1153,1163,1169,1174,1180,1198,1203,1209,1251,1256,1262],{"__ignoreMap":490},[606,1006,1007],{"class":608,"line":609},[606,1008,1009],{"class":612},"# Required: create a configuration file (Garage won't start without it)\n",[606,1011,1012,1015,1018,1021,1024],{"class":608,"line":491},[606,1013,1014],{"class":618},"cat",[606,1016,1017],{"class":629}," >",[606,1019,1020],{"class":622}," .\u002Fgarage.toml",[606,1022,1023],{"class":629}," \u003C\u003C",[606,1025,1026],{"class":629}," EOF\n",[606,1028,1029],{"class":608,"line":499},[606,1030,1031],{"class":622},"metadata_dir = \"\u002Fmeta\"\n",[606,1033,1034],{"class":608,"line":650},[606,1035,1036],{"class":622},"data_dir = 
\"\u002Fdata\"\n",[606,1038,1039],{"class":608,"line":672},[606,1040,1041],{"class":622},"replication_factor = 1\n",[606,1043,1044],{"class":608,"line":688},[606,1045,1046],{"class":622},"rpc_secret = \"$(openssl rand -hex 32)\"\n",[606,1048,1049],{"class":608,"line":699},[606,1050,1051],{"class":622},"rpc_bind_addr = \"[::]:3901\"\n",[606,1053,1054],{"class":608,"line":709},[606,1055,647],{"emptyLinePlaceholder":14},[606,1057,1058],{"class":608,"line":720},[606,1059,1060],{"class":622},"[s3_api]\n",[606,1062,1063],{"class":608,"line":859},[606,1064,1065],{"class":622},"s3_region = \"garage\"\n",[606,1067,1068],{"class":608,"line":875},[606,1069,1070],{"class":622},"api_bind_addr = \"[::]:3900\"\n",[606,1072,1073],{"class":608,"line":889},[606,1074,647],{"emptyLinePlaceholder":14},[606,1076,1077],{"class":608,"line":898},[606,1078,1079],{"class":622},"[admin]\n",[606,1081,1082],{"class":608,"line":912},[606,1083,1084],{"class":622},"api_bind_addr = \"[::]:3903\"\n",[606,1086,1087],{"class":608,"line":917},[606,1088,1089],{"class":629},"EOF\n",[606,1091,1092],{"class":608,"line":923},[606,1093,647],{"emptyLinePlaceholder":14},[606,1095,1096],{"class":608,"line":939},[606,1097,1098],{"class":612},"# Start Garage\n",[606,1100,1101,1103,1105,1107,1109,1112],{"class":608,"line":953},[606,1102,653],{"class":618},[606,1104,656],{"class":622},[606,1106,659],{"class":622},[606,1108,662],{"class":622},[606,1110,1111],{"class":622}," garage",[606,1113,669],{"class":668},[606,1115,1117,1119,1122,1124,1127,1129,1132],{"class":608,"line":1116},19,[606,1118,675],{"class":622},[606,1120,1121],{"class":622}," 3900:3900",[606,1123,623],{"class":622},[606,1125,1126],{"class":622}," 3901:3901",[606,1128,623],{"class":622},[606,1130,1131],{"class":622}," 3903:3903",[606,1133,669],{"class":668},[606,1135,1137,1139,1142],{"class":608,"line":1136},20,[606,1138,712],{"class":622},[606,1140,1141],{"class":622}," 
.\u002Fgarage.toml:\u002Fetc\u002Fgarage.toml",[606,1143,669],{"class":668},[606,1145,1147,1149,1151],{"class":608,"line":1146},21,[606,1148,712],{"class":622},[606,1150,715],{"class":622},[606,1152,669],{"class":668},[606,1154,1156,1158,1161],{"class":608,"line":1155},22,[606,1157,712],{"class":622},[606,1159,1160],{"class":622}," .\u002Fmeta:\u002Fmeta",[606,1162,669],{"class":668},[606,1164,1166],{"class":608,"line":1165},23,[606,1167,1168],{"class":622},"  dxflrs\u002Fgarage:v1.0.1\n",[606,1170,1172],{"class":608,"line":1171},24,[606,1173,647],{"emptyLinePlaceholder":14},[606,1175,1177],{"class":608,"line":1176},25,[606,1178,1179],{"class":612},"# Show node ID\n",[606,1181,1183,1185,1188,1190,1192,1195],{"class":608,"line":1182},26,[606,1184,653],{"class":618},[606,1186,1187],{"class":622}," exec",[606,1189,1111],{"class":622},[606,1191,1111],{"class":622},[606,1193,1194],{"class":622}," node",[606,1196,1197],{"class":622}," list\n",[606,1199,1201],{"class":608,"line":1200},27,[606,1202,647],{"emptyLinePlaceholder":14},[606,1204,1206],{"class":608,"line":1205},28,[606,1207,1208],{"class":612},"# Assign each node to a zone (-z) and set storage capacity (-c, in bytes)\n",[606,1210,1212,1214,1216,1218,1220,1223,1226,1229,1232,1235,1239,1242,1245,1248],{"class":608,"line":1211},29,[606,1213,653],{"class":618},[606,1215,1187],{"class":622},[606,1217,1111],{"class":622},[606,1219,1111],{"class":622},[606,1221,1222],{"class":622}," layout",[606,1224,1225],{"class":622}," assign",[606,1227,1228],{"class":622}," -z",[606,1230,1231],{"class":622}," dc1",[606,1233,1234],{"class":622}," -c",[606,1236,1238],{"class":1237},"sbssI"," 1000000000000",[606,1240,1241],{"class":629}," \u003C",[606,1243,1244],{"class":622},"node-i",[606,1246,1247],{"class":668},"d",[606,1249,1250],{"class":629},">\n",[606,1252,1254],{"class":608,"line":1253},30,[606,1255,647],{"emptyLinePlaceholder":14},[606,1257,1259],{"class":608,"line":1258},31,[606,1260,1261],{"class":612},"# Apply the layout 
(N = version number shown after layout assign)\n",[606,1263,1265,1267,1269,1271,1273,1275,1278,1281],{"class":608,"line":1264},32,[606,1266,653],{"class":618},[606,1268,1187],{"class":622},[606,1270,1111],{"class":622},[606,1272,1111],{"class":622},[606,1274,1222],{"class":622},[606,1276,1277],{"class":622}," apply",[606,1279,1280],{"class":622}," --version",[606,1282,1283],{"class":1237}," 1\n",[56,1285,1286],{},"Setup effort is minimal. A single binary, a TOML configuration file, that's it. An official Helm chart with good documentation is available for Kubernetes.",[187,1288,1290],{"id":1289},"what-garage-can-and-cant-do","What Garage can and can't do",[56,1292,1293],{},"S3 compatibility is solid for common operations. Bucket Versioning and Object Lock are missing or still experimental. Garage is not optimized for workloads requiring extremely high throughput or thousands of requests per second.",[56,1295,1296],{},"On the other hand, Garage is remarkably resource-efficient. A node runs comfortably on a small VPS with 2 GB of RAM. For home lab setups, smaller production systems, and any scenario where geo-redundancy matters, Garage is an excellent choice.",[56,1298,1299],{},"Garage verdict: The simplest system in this comparison, with a clear focus and an architecture model that's unique in this space. 
Teams that need geo-redundancy or are looking for lean, low-maintenance storage should seriously consider Garage.",[71,1301,1303],{"id":1302},"direct-comparison-rustfs-vs-seaweedfs-vs-garage","Direct comparison: RustFS vs SeaweedFS vs Garage",[1305,1306,1307,1334],"table",{},[1308,1309,1310],"thead",{},[1311,1312,1313,1319,1324,1329],"tr",{},[1314,1315,1316],"th",{},[109,1317,1318],{},"Criterion",[1314,1320,1321],{},[109,1322,1323],{},"RustFS",[1314,1325,1326],{},[109,1327,1328],{},"SeaweedFS",[1314,1330,1331],{},[109,1332,1333],{},"Garage",[1335,1336,1337,1351,1364,1378,1392,1405,1419,1432,1446],"tbody",{},[1311,1338,1339,1343,1346,1348],{},[1340,1341,1342],"td",{},"License",[1340,1344,1345],{},"Apache 2.0",[1340,1347,1345],{},[1340,1349,1350],{},"AGPL-3.0",[1311,1352,1353,1356,1359,1362],{},[1340,1354,1355],{},"Language",[1340,1357,1358],{},"Rust",[1340,1360,1361],{},"Go",[1340,1363,1358],{},[1311,1365,1366,1369,1372,1375],{},[1340,1367,1368],{},"S3 compatibility",[1340,1370,1371],{},"Good (in development)",[1340,1373,1374],{},"Good (via filer)",[1340,1376,1377],{},"Solid (core features)",[1311,1379,1380,1383,1386,1389],{},[1340,1381,1382],{},"Clustering",[1340,1384,1385],{},"Yes (MinIO mode)",[1340,1387,1388],{},"Yes (master-volume)",[1340,1390,1391],{},"Yes (no master)",[1311,1393,1394,1397,1400,1402],{},[1340,1395,1396],{},"Geo-redundancy",[1340,1398,1399],{},"Limited",[1340,1401,1399],{},[1340,1403,1404],{},"Built-in",[1311,1406,1407,1410,1413,1416],{},[1340,1408,1409],{},"Kubernetes Helm chart",[1340,1411,1412],{},"Available (WIP)",[1340,1414,1415],{},"Available (mature)",[1340,1417,1418],{},"Available (good)",[1311,1420,1421,1424,1427,1430],{},[1340,1422,1423],{},"Operational overhead",[1340,1425,1426],{},"Low",[1340,1428,1429],{},"Medium to 
high",[1340,1431,1426],{},[1311,1433,1434,1437,1440,1443],{},[1340,1435,1436],{},"Maturity",[1340,1438,1439],{},"Early",[1340,1441,1442],{},"High",[1340,1444,1445],{},"Medium",[1311,1447,1448,1451,1454,1457],{},[1340,1449,1450],{},"Community activity",[1340,1452,1453],{},"Growing",[1340,1455,1456],{},"Active",[1340,1458,1456],{},[56,1460,1461],{},"Note: Garage is also licensed under AGPL-3.0. For internal setups this is generally not a problem; for products with proprietary code, the same review requirements apply as with MinIO.",[56,1463,1464,1465,415],{},"For a complete overview of all S3-compatible solutions, including managed options like Cloudflare R2, Backblaze B2, and Hetzner Object Storage, see the ",[60,1466,1468],{"href":1467},"\u002Fen\u002Fblog\u002Fs3-compatible-object-storage","comparison of all S3-compatible object storage solutions",[71,1470,1472],{"id":1471},"which-minio-alternative-fits-which-use-case","Which MinIO alternative fits which use case?",[56,1474,1475],{},"Home lab and small teams: Garage is the most straightforward choice here. Simple setup, low resource consumption, good documentation. For anyone needing geo-redundancy across multiple locations, there's no real comparable alternative to Garage.",[56,1477,1478],{},"Kubernetes-native deployments: SeaweedFS has the most refined Kubernetes integration and the broadest feature set. For teams treating object storage as a serious part of their infrastructure, it's the most solid starting point.",[56,1480,1481],{},"MinIO migration with minimal rework: Teams looking to replace an existing MinIO installation while changing as little as possible about existing processes should keep an eye on RustFS. The project is explicitly designed for this use case, but maturity should be evaluated carefully.",[56,1483,1484],{},"Production systems with high write loads: SeaweedFS. 
No other system in this comparison has been more thoroughly proven for this workload.",[56,1486,1487,1488,1492],{},"Teams that want to skip the operational work entirely can deploy RustFS on lowcloud directly as a ",[60,1489,1491],{"href":1490},"\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-rustfs","Helm release",": no manual cluster setup, no self-managed monitoring, running on sovereign European infrastructure.",[479,1494],{},[56,1496,1497],{},"The conclusion is unspectacular, but honest: there is no universally best MinIO alternative. RustFS is the most direct replacement but not yet mature enough for critical production workloads. SeaweedFS is the most powerful and proven system, but also the most operationally demanding. Garage is the lightest and most elegant for distributed setups, with a clearly defined strengths-and-weaknesses profile. The right choice depends on what you actually need: license clarity, scalability, geo-redundancy, or simply less operational overhead.",[1499,1500,1501],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: 
var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}",{"title":490,"searchDepth":491,"depth":491,"links":1503},[1504,1505,1506,1510,1514,1518,1519],{"id":532,"depth":491,"text":533},{"id":545,"depth":491,"text":546},{"id":582,"depth":491,"text":583,"children":1507},[1508,1509],{"id":592,"depth":499,"text":593},{"id":754,"depth":499,"text":755},{"id":766,"depth":491,"text":767,"children":1511},[1512,1513],{"id":773,"depth":499,"text":774},{"id":973,"depth":499,"text":974},{"id":988,"depth":491,"text":989,"children":1515},[1516,1517],{"id":995,"depth":499,"text":996},{"id":1289,"depth":499,"text":1290},{"id":1302,"depth":491,"text":1303},{"id":1471,"depth":491,"text":1472},"2026-04-10","Looking for a MinIO replacement? 
We compare RustFS, SeaweedFS, and Garage — S3-compatible, self-hosted, and license-friendly for Kubernetes production use.",{"src":1523},"\u002Fimages\u002Fblog\u002Fminio-alternatives.jpg",{},"\u002Fen\u002Fblog\u002Fminio-alternatives",{"title":520,"description":1521},"en\u002F3.blog\u002F55.minio-alternatives","QLVY2w9bNZAl2yJ9hAOX5m0Vf_CkhmDNVvBXvBgdD0s",{"id":1530,"title":1531,"authors":1532,"badge":10,"body":1535,"date":1520,"description":2133,"extension":510,"image":2134,"lastUpdated":10,"meta":2136,"navigation":14,"path":2137,"published":14,"seo":2138,"stem":2139,"tags":10,"__hash__":2140},"posts\u002Fen\u002F3.blog\u002F59.what-is-kustomize.md","What Is Kustomize? Managing Kubernetes Configs Cleanly",[1533],{"name":43,"to":44,"avatar":1534},{"src":46},{"type":48,"value":1536,"toc":2120},[1537,1551,1555,1558,1561,1565,1572,1579,1583,1590,1681,1684,1688,1691,1699,1709,1750,1753,1757,1760,1763,1820,1834,1846,1850,1853,1910,1916,1922,1926,1937,1954,1963,1970,2010,2014,2017,2024,2027,2034,2038,2041,2044,2086,2089,2096,2099,2103,2111,2114,2117],[56,1538,1539,1540,1544,1545,1550],{},"Anyone running multiple environments on ",[60,1541,1543],{"href":1542},"\u002Fen\u002Fblog\u002Fwhat-is-kubernetes","Kubernetes"," knows the problem: the same manifests slightly tweaked for dev, staging, and prod, and at some point something just doesn't match up anymore. ",[60,1546,1549],{"href":1547,"rel":1548},"https:\u002F\u002Fkustomize.io\u002F",[64],"Kustomize"," solves exactly this problem without falling back on a templating language. The result: YAML files that always remain valid Kubernetes YAML but can still be adapted flexibly.",[71,1552,1554],{"id":1553},"the-problem-with-copy-paste-configurations","The problem with copy-paste configurations",[56,1556,1557],{},"A typical Kubernetes project starts innocently enough: a Deployment, a Service, maybe an Ingress. Then the second environment comes along, and you copy the files and change a few values. Then the third. 
Eventually you end up with six directories that are 90% identical and no reasonable way to roll out a change consistently.",[56,1559,1560],{},"This isn't a rare edge case — it's the normal state in growing teams that built out deployments quickly without a deliberate structure. Kustomize addresses exactly this: instead of duplicating files, you describe differences relative to a base.",[71,1562,1564],{"id":1563},"what-is-kustomize-and-how-does-it-work","What is Kustomize and how does it work",[56,1566,1567,1568,1571],{},"Kustomize is an open-source tool for the declarative management of Kubernetes configurations. It was developed by Google and has been integrated directly into ",[554,1569,1570],{},"kubectl"," since Kubernetes 1.14. The core principle: there is a base — a foundational configuration — and overlays that adapt this base to different contexts.",[56,1573,1574,1575,1578],{},"Important: Kustomize doesn't use a templating language. All files remain valid Kubernetes YAML at all times — no ",[554,1576,1577],{},".Values.image",", no logic, no loops. That makes the configuration significantly easier to read and reduces the cognitive load when reviewing changes.",[187,1580,1582],{"id":1581},"the-kustomizationyaml-the-heart-of-it-all","The kustomization.yaml — the heart of it all",[56,1584,1585,1586,1589],{},"Every Kustomize structure revolves around the ",[554,1587,1588],{},"kustomization.yaml"," file. 
It describes which resources should be combined and which modifications should be applied:",[598,1591,1595],{"className":1592,"code":1593,"language":1594,"meta":490,"style":490},"language-yaml shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","apiVersion: kustomize.config.k8s.io\u002Fv1beta1\nkind: Kustomization\n\nresources:\n  - deployment.yaml\n  - service.yaml\n\nnamePrefix: dev-\n\ncommonLabels:\n  environment: development\n","yaml",[554,1596,1597,1609,1619,1623,1631,1639,1646,1650,1660,1664,1671],{"__ignoreMap":490},[606,1598,1599,1603,1606],{"class":608,"line":609},[606,1600,1602],{"class":1601},"swJcz","apiVersion",[606,1604,1605],{"class":629},":",[606,1607,1608],{"class":622}," kustomize.config.k8s.io\u002Fv1beta1\n",[606,1610,1611,1614,1616],{"class":608,"line":491},[606,1612,1613],{"class":1601},"kind",[606,1615,1605],{"class":629},[606,1617,1618],{"class":622}," Kustomization\n",[606,1620,1621],{"class":608,"line":499},[606,1622,647],{"emptyLinePlaceholder":14},[606,1624,1625,1628],{"class":608,"line":650},[606,1626,1627],{"class":1601},"resources",[606,1629,1630],{"class":629},":\n",[606,1632,1633,1636],{"class":608,"line":672},[606,1634,1635],{"class":629},"  -",[606,1637,1638],{"class":622}," deployment.yaml\n",[606,1640,1641,1643],{"class":608,"line":688},[606,1642,1635],{"class":629},[606,1644,1645],{"class":622}," service.yaml\n",[606,1647,1648],{"class":608,"line":699},[606,1649,647],{"emptyLinePlaceholder":14},[606,1651,1652,1655,1657],{"class":608,"line":709},[606,1653,1654],{"class":1601},"namePrefix",[606,1656,1605],{"class":629},[606,1658,1659],{"class":622}," dev-\n",[606,1661,1662],{"class":608,"line":720},[606,1663,647],{"emptyLinePlaceholder":14},[606,1665,1666,1669],{"class":608,"line":859},[606,1667,1668],{"class":1601},"commonLabels",[606,1670,1630],{"class":629},[606,1672,1673,1676,1678],{"class":608,"line":875},[606,1674,1675],{"class":1601},"  
environment",[606,1677,1605],{"class":629},[606,1679,1680],{"class":622}," development\n",[56,1682,1683],{},"This file is the only place where Kustomize \"knows\" what should happen with the resources. All other files remain untouched.",[187,1685,1687],{"id":1686},"bases-and-overlays-in-practice","Bases and overlays in practice",[56,1689,1690],{},"The typical directory structure looks like this:",[598,1692,1697],{"className":1693,"code":1695,"language":1696},[1694],"language-text","k8s\u002F\n├── base\u002F\n│   ├── deployment.yaml\n│   ├── service.yaml\n│   └── kustomization.yaml\n└── overlays\u002F\n    ├── dev\u002F\n    │   └── kustomization.yaml\n    ├── staging\u002F\n    │   └── kustomization.yaml\n    └── prod\u002F\n        ├── kustomization.yaml\n        └── replica-patch.yaml\n","text",[554,1698,1695],{"__ignoreMap":490},[56,1700,1701,1702,1704,1705,1708],{},"The ",[554,1703,1588],{}," in the ",[554,1706,1707],{},"prod"," overlay references the base and adds a patch:",[598,1710,1712],{"className":1592,"code":1711,"language":1594,"meta":490,"style":490},"resources:\n  - ..\u002F..\u002Fbase\n\npatches:\n  - path: replica-patch.yaml\n",[554,1713,1714,1720,1727,1731,1738],{"__ignoreMap":490},[606,1715,1716,1718],{"class":608,"line":609},[606,1717,1627],{"class":1601},[606,1719,1630],{"class":629},[606,1721,1722,1724],{"class":608,"line":491},[606,1723,1635],{"class":629},[606,1725,1726],{"class":622}," ..\u002F..\u002Fbase\n",[606,1728,1729],{"class":608,"line":499},[606,1730,647],{"emptyLinePlaceholder":14},[606,1732,1733,1736],{"class":608,"line":650},[606,1734,1735],{"class":1601},"patches",[606,1737,1630],{"class":629},[606,1739,1740,1742,1745,1747],{"class":608,"line":672},[606,1741,1635],{"class":629},[606,1743,1744],{"class":1601}," path",[606,1746,1605],{"class":629},[606,1748,1749],{"class":622}," replica-patch.yaml\n",[56,1751,1752],{},"The patch itself is again valid YAML and only overwrites the fields that differ in production — for example, the 
number of replicas.",[71,1754,1756],{"id":1755},"patches-and-transformations","Patches and transformations",[56,1758,1759],{},"Kustomize supports two types of patches, each suited for different use cases.",[56,1761,1762],{},"A strategic merge patch works as if you were laying a YAML fragment over the original. You only specify the fields that should change, and the rest remains intact:",[598,1764,1766],{"className":1592,"code":1765,"language":1594,"meta":490,"style":490},"apiVersion: apps\u002Fv1\nkind: Deployment\nmetadata:\n  name: my-app\nspec:\n  replicas: 3\n",[554,1767,1768,1777,1786,1793,1803,1810],{"__ignoreMap":490},[606,1769,1770,1772,1774],{"class":608,"line":609},[606,1771,1602],{"class":1601},[606,1773,1605],{"class":629},[606,1775,1776],{"class":622}," apps\u002Fv1\n",[606,1778,1779,1781,1783],{"class":608,"line":491},[606,1780,1613],{"class":1601},[606,1782,1605],{"class":629},[606,1784,1785],{"class":622}," Deployment\n",[606,1787,1788,1791],{"class":608,"line":499},[606,1789,1790],{"class":1601},"metadata",[606,1792,1630],{"class":629},[606,1794,1795,1798,1800],{"class":608,"line":650},[606,1796,1797],{"class":1601},"  name",[606,1799,1605],{"class":629},[606,1801,1802],{"class":622}," my-app\n",[606,1804,1805,1808],{"class":608,"line":672},[606,1806,1807],{"class":1601},"spec",[606,1809,1630],{"class":629},[606,1811,1812,1815,1817],{"class":608,"line":688},[606,1813,1814],{"class":1601},"  replicas",[606,1816,1605],{"class":629},[606,1818,1819],{"class":1237}," 3\n",[56,1821,1822,1823,557,1826,1829,1830,1833],{},"A JSON patch is more precise and allows targeted operations like ",[554,1824,1825],{},"add",[554,1827,1828],{},"remove",", or ",[554,1831,1832],{},"replace"," on individual fields via JSONPath syntax. For most use cases, the strategic merge patch is enough. 
JSON patch makes sense when you need to, for example, remove a single element from a list or insert something at a specific position.",[56,1835,1836,1837,557,1839,1842,1843,1845],{},"Kustomize also offers transformations like ",[554,1838,1654],{},[554,1840,1841],{},"nameSuffix",", and ",[554,1844,1668],{},", which are applied globally to all resources. This is especially useful for uniquely naming resources across different overlays and avoiding confusion.",[71,1847,1849],{"id":1848},"configmap-and-secret-generators","ConfigMap and secret generators",[56,1851,1852],{},"A common problem in Kubernetes projects: ConfigMaps and Secrets are updated manually, but Pods don't notice and keep running with the old values until the next restart. Kustomize solves this with generators.",[598,1854,1856],{"className":1592,"code":1855,"language":1594,"meta":490,"style":490},"configMapGenerator:\n  - name: app-config\n    files:\n      - config\u002Fapp.properties\n    options:\n      disableNameSuffixHash: false\n",[554,1857,1858,1865,1877,1884,1892,1899],{"__ignoreMap":490},[606,1859,1860,1863],{"class":608,"line":609},[606,1861,1862],{"class":1601},"configMapGenerator",[606,1864,1630],{"class":629},[606,1866,1867,1869,1872,1874],{"class":608,"line":491},[606,1868,1635],{"class":629},[606,1870,1871],{"class":1601}," name",[606,1873,1605],{"class":629},[606,1875,1876],{"class":622}," app-config\n",[606,1878,1879,1882],{"class":608,"line":499},[606,1880,1881],{"class":1601},"    files",[606,1883,1630],{"class":629},[606,1885,1886,1889],{"class":608,"line":650},[606,1887,1888],{"class":629},"      -",[606,1890,1891],{"class":622}," config\u002Fapp.properties\n",[606,1893,1894,1897],{"class":608,"line":672},[606,1895,1896],{"class":1601},"    options",[606,1898,1630],{"class":629},[606,1900,1901,1904,1906],{"class":608,"line":688},[606,1902,1903],{"class":1601},"      disableNameSuffixHash",[606,1905,1605],{"class":629},[606,1907,1909],{"class":1908},"sfNiH"," 
false\n",[56,1911,1912,1913,415],{},"Kustomize computes a hash from the content of the referenced files and appends it to the ConfigMap's name. When the content changes, the name changes — and Kubernetes automatically rolls out the Deployment again. If you don't want this behavior, you can disable it with ",[554,1914,1915],{},"disableNameSuffixHash: true",[56,1917,1918,1919,1921],{},"For Secrets, the principle is identical, except the values are base64-encoded. Sensitive data obviously shouldn't live directly in the ",[554,1920,1588],{}," — it should be supplied via external secret-management solutions. Kustomize is not a replacement for those.",[71,1923,1925],{"id":1924},"kubectl-kustomize-directly-integrated","kubectl kustomize — directly integrated",[56,1927,1928,1929,1932,1933,1936],{},"Since Kubernetes 1.14, Kustomize is usable without a separate installation. Instead of ",[554,1930,1931],{},"kustomize build"," piped manually into ",[554,1934,1935],{},"kubectl apply",", a single command is enough:",[598,1938,1940],{"className":600,"code":1939,"language":602,"meta":490,"style":490},"kubectl apply -k overlays\u002Fprod\u002F\n",[554,1941,1942],{"__ignoreMap":490},[606,1943,1944,1946,1948,1951],{"class":608,"line":609},[606,1945,1570],{"class":618},[606,1947,1277],{"class":622},[606,1949,1950],{"class":622}," -k",[606,1952,1953],{"class":622}," overlays\u002Fprod\u002F\n",[56,1955,1701,1956,1959,1960,415],{},[554,1957,1958],{},"-k"," flag tells kubectl to interpret the directory as a Kustomize structure. If you want to inspect the generated manifests before applying, you can print them to stdout with ",[554,1961,1962],{},"kubectl kustomize overlays\u002Fprod\u002F",[56,1964,1965,1966,1969],{},"The version built into kubectl lags slightly behind the standalone ",[554,1967,1968],{},"kustomize"," binary. 
If you need the latest features or bug fixes, it's best to install Kustomize separately:",[598,1971,1973],{"className":600,"code":1972,"language":602,"meta":490,"style":490},"# With brew (macOS\u002FLinux)\nbrew install kustomize\n\n# Or directly via Go\ngo install sigs.k8s.io\u002Fkustomize\u002Fkustomize\u002Fv5@latest\n",[554,1974,1975,1980,1991,1995,2000],{"__ignoreMap":490},[606,1976,1977],{"class":608,"line":609},[606,1978,1979],{"class":612},"# With brew (macOS\u002FLinux)\n",[606,1981,1982,1985,1988],{"class":608,"line":491},[606,1983,1984],{"class":618},"brew",[606,1986,1987],{"class":622}," install",[606,1989,1990],{"class":622}," kustomize\n",[606,1992,1993],{"class":608,"line":499},[606,1994,647],{"emptyLinePlaceholder":14},[606,1996,1997],{"class":608,"line":650},[606,1998,1999],{"class":612},"# Or directly via Go\n",[606,2001,2002,2005,2007],{"class":608,"line":672},[606,2003,2004],{"class":618},"go",[606,2006,1987],{"class":622},[606,2008,2009],{"class":622}," sigs.k8s.io\u002Fkustomize\u002Fkustomize\u002Fv5@latest\n",[71,2011,2013],{"id":2012},"kustomize-vs-helm-which-tool-when","Kustomize vs. Helm. Which tool when?",[56,2015,2016],{},"This is one of those questions that comes up regularly in Kubernetes teams and has no universal answer.",[56,2018,2019,2023],{},[60,2020,2022],{"href":2021},"\u002Fen\u002Fblog\u002Fwhat-is-a-helm-chart","Helm"," is a full package manager with a templating engine. It allows logic in configurations, manages release history, and supports rollbacks. Helm is the right choice when you're distributing packages — finished, reusable application charts that will be installed by other teams or organizations.",[56,2025,2026],{},"Kustomize isn't a package manager — it's a configuration overlay tool. It's the better choice when you want to ship your own deployments to different environments without needing templating logic. 
The configuration stays simpler, the files stay readable, and there's no additional layer of abstraction.",[56,2028,2029,2030,2033],{},"In practice, the two don't exclude each other. A common pattern is to use Helm for the initial rendering of charts (",[554,2031,2032],{},"helm template",") and then overlay the generated manifests via Kustomize. That combines Helm's packaging capabilities with Kustomize's simplicity for environment-specific adjustments.",[71,2035,2037],{"id":2036},"kustomize-in-gitops-workflows","Kustomize in GitOps workflows",[56,2039,2040],{},"Kustomize and GitOps fit together well because both are built on the principle of \"Git as the single source of truth.\" Tools like ArgoCD and Flux have native Kustomize support built in.",[56,2042,2043],{},"With ArgoCD, it's enough to specify the overlay directory in the Application resource:",[598,2045,2047],{"className":1592,"code":2046,"language":1594,"meta":490,"style":490},"source:\n  repoURL: https:\u002F\u002Fgithub.com\u002Fexample\u002Fk8s-config\n  targetRevision: HEAD\n  path: overlays\u002Fprod\n",[554,2048,2049,2056,2066,2076],{"__ignoreMap":490},[606,2050,2051,2054],{"class":608,"line":609},[606,2052,2053],{"class":1601},"source",[606,2055,1630],{"class":629},[606,2057,2058,2061,2063],{"class":608,"line":491},[606,2059,2060],{"class":1601},"  repoURL",[606,2062,1605],{"class":629},[606,2064,2065],{"class":622}," https:\u002F\u002Fgithub.com\u002Fexample\u002Fk8s-config\n",[606,2067,2068,2071,2073],{"class":608,"line":499},[606,2069,2070],{"class":1601},"  targetRevision",[606,2072,1605],{"class":629},[606,2074,2075],{"class":622}," HEAD\n",[606,2077,2078,2081,2083],{"class":608,"line":650},[606,2079,2080],{"class":1601},"  path",[606,2082,1605],{"class":629},[606,2084,2085],{"class":622}," overlays\u002Fprod\n",[56,2087,2088],{},"ArgoCD automatically detects that this is a Kustomize structure and renders the manifests accordingly. 
Changes to the base or an overlay trigger a sync — the cluster always stays aligned with the state in the repository.",[56,2090,2091,2092,2095],{},"Flux works similarly through the ",[554,2093,2094],{},"Kustomization"," CRD, which points to a directory in the repository and syncs either on a schedule or event-driven.",[56,2097,2098],{},"The result is a traceable, audited deployment process: every configuration change is a Git commit with an author, timestamp, and diff.",[71,2100,2102],{"id":2101},"conclusion","Conclusion",[56,2104,2105,2106,2110],{},"Kustomize is a pragmatic answer to a very real Kubernetes problem: the same resources across different environments. Instead of copy-paste YAML or complex ",[60,2107,2109],{"href":2108},"\u002Fen\u002Fblog\u002Fsimplify-kubernetes-configuration","templating logic",", base + overlays give you a clean, reviewable structure — while staying fully within valid Kubernetes YAML.",[56,2112,2113],{},"If you're running your own workloads and mostly need to manage variants (dev\u002Fstaging\u002Fprod, customer- or tenant-specific adjustments, feature toggles via patches), Kustomize is often the simplest and most robust choice. 
Helm remains strong when you want to package, distribute, and manage releases — and in many teams, the two tools even work in combination.",[56,2115,2116],{},"The bottom line: Kustomize reduces friction, minimizes sources of error, and makes GitOps workflows significantly more pleasant — especially when your infrastructure grows and you still want to stay in control.",[1499,2118,2119],{},"html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: 
var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html pre.shiki code .sfNiH, html code.shiki .sfNiH{--shiki-light:#FF5370;--shiki-default:#FF9CAC;--shiki-dark:#FF9CAC}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}",{"title":490,"searchDepth":491,"depth":491,"links":2121},[2122,2123,2127,2128,2129,2130,2131,2132],{"id":1553,"depth":491,"text":1554},{"id":1563,"depth":491,"text":1564,"children":2124},[2125,2126],{"id":1581,"depth":499,"text":1582},{"id":1686,"depth":499,"text":1687},{"id":1755,"depth":491,"text":1756},{"id":1848,"depth":491,"text":1849},{"id":1924,"depth":491,"text":1925},{"id":2012,"depth":491,"text":2013},{"id":2036,"depth":491,"text":2037},{"id":2101,"depth":491,"text":2102},"Kustomize manages Kubernetes configurations through bases and overlays — no templates. 
YAML stays readable, valid, and flexibly adaptable across environments.",{"src":2135},"\u002Fimages\u002Fblog\u002Fwhat-is-kustomize.jpg",{},"\u002Fen\u002Fblog\u002Fwhat-is-kustomize",{"title":1531,"description":2133},"en\u002F3.blog\u002F59.what-is-kustomize","55_y3VVG3kAUhsJnHbtUeTuO4QFW0Ar2nPAxAeO-Xd0",{"id":2142,"title":2143,"authors":2144,"badge":10,"body":2147,"date":2845,"description":2846,"extension":510,"image":2847,"lastUpdated":10,"meta":2849,"navigation":14,"path":2850,"published":14,"seo":2851,"stem":2852,"tags":10,"__hash__":2853},"posts\u002Fen\u002F3.blog\u002F58.docker-vs-kubernetes.md","Docker vs Kubernetes: Compose, Swarm, and K8s Compared",[2145],{"name":43,"to":44,"avatar":2146},{"src":46},{"type":48,"value":2148,"toc":2829},[2149,2167,2170,2174,2182,2190,2194,2199,2225,2228,2232,2320,2325,2329,2339,2343,2491,2502,2508,2514,2518,2530,2562,2565,2568,2574,2578,2585,2591,2594,2611,2615,2716,2719,2723,2731,2750,2760,2765,2781,2785,2788,2791,2794,2798,2801,2823,2826],[56,2150,2151,2152,2157,2158,2161,2162,2166],{},"Most people who start out with ",[60,2153,2156],{"href":2154,"rel":2155},"https:\u002F\u002Fwww.docker.com\u002F",[64],"Docker"," begin with a simple ",[554,2159,2160],{},"docker run",". Sooner or later more containers pile up, then maybe a Compose file appears, and the moment the team starts talking about production, someone says ",[60,2163,1543],{"href":2164,"rel":2165},"https:\u002F\u002Fkubernetes.io\u002F",[64],". At that point, confusion often sets in: what does what, and which tool is actually built for which job?",[56,2168,2169],{},"This article puts Docker, Docker Compose, Docker Swarm, and Kubernetes side by side. 
Not to crown a winner, but to make the decision easier: which tool fits which problem?",[71,2171,2173],{"id":2172},"what-docker-actually-is-and-what-it-isnt","What Docker actually is – and what it isn't",[56,2175,2176,2177,2181],{},"Docker is a ",[60,2178,2180],{"href":2179},"\u002Fen\u002Fblog\u002Fhow-docker-works","containerization platform",". It makes sure applications run in isolated, reproducible environments – whether on a developer's laptop or a server in a data center. A Docker image contains the application code, all dependencies, and the runtime environment. Once an image is started, it becomes a container.",[56,2183,2184,2185,2189],{},"What Docker is ",[2186,2187,2188],"em",{},"not"," out of the box: an orchestration system. Docker itself does not care about distributing containers across multiple hosts, restarting them after failures, or balancing traffic between them. For that, you need either Docker Swarm or Kubernetes, depending on your requirements.",[71,2191,2193],{"id":2192},"docker-run-the-direct-path-to-a-container","docker run – the direct path to a container",[56,2195,2196,2198],{},[554,2197,2160],{}," is the simplest way to start a container. 
Anyone who wants to test an image locally gets there immediately:",[598,2200,2202],{"className":600,"code":2201,"language":602,"meta":490,"style":490},"docker run -d -p 8080:80 --name my-nginx nginx:latest\n",[554,2203,2204],{"__ignoreMap":490},[606,2205,2206,2208,2210,2212,2214,2217,2219,2222],{"class":608,"line":609},[606,2207,653],{"class":618},[606,2209,656],{"class":622},[606,2211,659],{"class":622},[606,2213,623],{"class":622},[606,2215,2216],{"class":622}," 8080:80",[606,2218,662],{"class":622},[606,2220,2221],{"class":622}," my-nginx",[606,2223,2224],{"class":622}," nginx:latest\n",[56,2226,2227],{},"This starts nginx in the background, maps port 8080 on the host to port 80 inside the container, and gives the container a name.",[187,2229,2231],{"id":2230},"key-flags-at-a-glance","Key flags at a glance",[1305,2233,2234,2244],{},[1308,2235,2236],{},[1311,2237,2238,2241],{},[1314,2239,2240],{},"Flag",[1314,2242,2243],{},"Meaning",[1335,2245,2246,2256,2266,2276,2290,2300,2310],{},[1311,2247,2248,2253],{},[1340,2249,2250],{},[554,2251,2252],{},"-d",[1340,2254,2255],{},"Run container in the background (detached)",[1311,2257,2258,2263],{},[1340,2259,2260],{},[554,2261,2262],{},"-p host:container",[1340,2264,2265],{},"Port mapping",[1311,2267,2268,2273],{},[1340,2269,2270],{},[554,2271,2272],{},"-v host:container",[1340,2274,2275],{},"Mount a volume",[1311,2277,2278,2287],{},[1340,2279,2280,2283,2284],{},[554,2281,2282],{},"--env"," or ",[554,2285,2286],{},"-e",[1340,2288,2289],{},"Set an environment variable",[1311,2291,2292,2297],{},[1340,2293,2294],{},[554,2295,2296],{},"--rm",[1340,2298,2299],{},"Automatically remove container after it stops",[1311,2301,2302,2307],{},[1340,2303,2304],{},[554,2305,2306],{},"--name",[1340,2308,2309],{},"Give the container a name",[1311,2311,2312,2317],{},[1340,2313,2314],{},[554,2315,2316],{},"--network",[1340,2318,2319],{},"Attach container to a network",[56,2321,2322,2324],{},[554,2323,2160],{}," is great for single containers, 
quick tests, and local experiments. As soon as multiple containers need to work together, it gets unwieldy – that's where Compose comes in.",[71,2326,2328],{"id":2327},"docker-compose-when-one-container-isnt-enough","Docker Compose – when one container isn't enough",[56,2330,2331,2335,2336,2338],{},[60,2332,2334],{"href":2333},"\u002Fen\u002Fblog\u002Fdocker-compose-for-beginners","Docker Compose solves the problem"," of defining and starting multiple containers as a coherent system. Instead of a long series of ",[554,2337,2160],{}," commands with flags, there's a single YAML file:",[187,2340,2342],{"id":2341},"a-typical-compose-file","A typical Compose file",[598,2344,2346],{"className":1592,"code":2345,"language":1594,"meta":490,"style":490},"services:\n  app:\n    image: my-app:latest\n    ports:\n      - \"3000:3000\"\n    environment:\n      DATABASE_URL: postgres:\u002F\u002Fuser:pass@db:5432\u002Fmydb\n    depends_on:\n      - db\n\n  db:\n    image: postgres:15\n    volumes:\n      - pgdata:\u002Fvar\u002Flib\u002Fpostgresql\u002Fdata\n    environment:\n      POSTGRES_PASSWORD: pass\n\nvolumes:\n  pgdata:\n",[554,2347,2348,2355,2362,2372,2379,2392,2399,2409,2416,2423,2427,2434,2443,2450,2457,2463,2473,2477,2484],{"__ignoreMap":490},[606,2349,2350,2353],{"class":608,"line":609},[606,2351,2352],{"class":1601},"services",[606,2354,1630],{"class":629},[606,2356,2357,2360],{"class":608,"line":491},[606,2358,2359],{"class":1601},"  app",[606,2361,1630],{"class":629},[606,2363,2364,2367,2369],{"class":608,"line":499},[606,2365,2366],{"class":1601},"    image",[606,2368,1605],{"class":629},[606,2370,2371],{"class":622}," my-app:latest\n",[606,2373,2374,2377],{"class":608,"line":650},[606,2375,2376],{"class":1601},"    ports",[606,2378,1630],{"class":629},[606,2380,2381,2383,2386,2389],{"class":608,"line":672},[606,2382,1888],{"class":629},[606,2384,2385],{"class":629}," 
\"",[606,2387,2388],{"class":622},"3000:3000",[606,2390,2391],{"class":629},"\"\n",[606,2393,2394,2397],{"class":608,"line":688},[606,2395,2396],{"class":1601},"    environment",[606,2398,1630],{"class":629},[606,2400,2401,2404,2406],{"class":608,"line":699},[606,2402,2403],{"class":1601},"      DATABASE_URL",[606,2405,1605],{"class":629},[606,2407,2408],{"class":622}," postgres:\u002F\u002Fuser:pass@db:5432\u002Fmydb\n",[606,2410,2411,2414],{"class":608,"line":709},[606,2412,2413],{"class":1601},"    depends_on",[606,2415,1630],{"class":629},[606,2417,2418,2420],{"class":608,"line":720},[606,2419,1888],{"class":629},[606,2421,2422],{"class":622}," db\n",[606,2424,2425],{"class":608,"line":859},[606,2426,647],{"emptyLinePlaceholder":14},[606,2428,2429,2432],{"class":608,"line":875},[606,2430,2431],{"class":1601},"  db",[606,2433,1630],{"class":629},[606,2435,2436,2438,2440],{"class":608,"line":889},[606,2437,2366],{"class":1601},[606,2439,1605],{"class":629},[606,2441,2442],{"class":622}," postgres:15\n",[606,2444,2445,2448],{"class":608,"line":898},[606,2446,2447],{"class":1601},"    volumes",[606,2449,1630],{"class":629},[606,2451,2452,2454],{"class":608,"line":912},[606,2453,1888],{"class":629},[606,2455,2456],{"class":622}," pgdata:\u002Fvar\u002Flib\u002Fpostgresql\u002Fdata\n",[606,2458,2459,2461],{"class":608,"line":917},[606,2460,2396],{"class":1601},[606,2462,1630],{"class":629},[606,2464,2465,2468,2470],{"class":608,"line":923},[606,2466,2467],{"class":1601},"      POSTGRES_PASSWORD",[606,2469,1605],{"class":629},[606,2471,2472],{"class":622}," pass\n",[606,2474,2475],{"class":608,"line":939},[606,2476,647],{"emptyLinePlaceholder":14},[606,2478,2479,2482],{"class":608,"line":953},[606,2480,2481],{"class":1601},"volumes",[606,2483,1630],{"class":629},[606,2485,2486,2489],{"class":608,"line":1116},[606,2487,2488],{"class":1601},"  pgdata",[606,2490,1630],{"class":629},[56,2492,2493,2494,2497,2498,2501],{},"With ",[554,2495,2496],{},"docker compose up -d",", 
the entire stack starts. Compose handles the startup order (thanks to ",[554,2499,2500],{},"depends_on","), the shared network between containers, and volume management.",[56,2503,2504,2507],{},[109,2505,2506],{},"Where Compose shines:"," local development, CI\u002FCD pipelines, small deployments on a single server. The tool is quick to learn, the configuration is clear, and a single file describes the complete environment.",[56,2509,2510,2513],{},[109,2511,2512],{},"Where Compose hits its limits:"," Compose is designed for a single host. No automatic failover across servers, no built-in load balancing between hosts, no automatic scaling. For anything that goes beyond one machine, you need something else.",[71,2515,2517],{"id":2516},"docker-swarm-clustering-without-kubernetes-complexity","Docker Swarm – clustering without Kubernetes complexity",[56,2519,2520,2521,2525,2526,2529],{},"Docker Swarm is ",[60,2522,2524],{"href":2523},"\u002Fen\u002Fblog\u002Fwhat-is-docker-swarm","Docker's native clustering feature",". A single ",[554,2527,2528],{},"docker swarm init"," turns a machine into a manager node, and additional nodes can join using a token. After that, you can define services – containers distributed across the cluster:",[598,2531,2533],{"className":600,"code":2532,"language":602,"meta":490,"style":490},"docker service create --replicas 3 -p 80:80 --name web nginx:latest\n",[554,2534,2535],{"__ignoreMap":490},[606,2536,2537,2539,2542,2544,2547,2550,2552,2555,2557,2560],{"class":608,"line":609},[606,2538,653],{"class":618},[606,2540,2541],{"class":622}," service",[606,2543,797],{"class":622},[606,2545,2546],{"class":622}," --replicas",[606,2548,2549],{"class":1237}," 3",[606,2551,623],{"class":622},[606,2553,2554],{"class":622}," 80:80",[606,2556,662],{"class":622},[606,2558,2559],{"class":622}," web",[606,2561,2224],{"class":622},[56,2563,2564],{},"Swarm makes sure three replicas are running at any time. 
If a node fails, the affected containers are restarted on other nodes. Rolling updates are built in as well.",[56,2566,2567],{},"What makes Swarm special: if you know Compose, you practically know Swarm. Compose files can be deployed as Swarm stacks with minimal adjustments. That makes the entry barrier very low.",[56,2569,2570,2573],{},[109,2571,2572],{},"The catch:"," the Swarm ecosystem has shrunk significantly in recent years. Many tools, integrations, and cloud providers have concentrated on Kubernetes. Swarm is technically solid, but anyone thinking about production needs to weigh whether it will hold up long term.",[71,2575,2577],{"id":2576},"docker-vs-kubernetes-the-real-comparison","Docker vs Kubernetes – the real comparison",[56,2579,2580,2581,2584],{},"Kubernetes has become the ",[60,2582,2583],{"href":1542},"standard answer to container orchestration"," in production. That's true – but it's not a tool you introduce casually on the side.",[56,2586,2587,2588,2590],{},"The central difference to Swarm: Kubernetes is not a Docker feature, but a standalone system with its own API, its own CLI (",[554,2589,1570],{},"), and a much richer conceptual model. Instead of services, there are Pods, Deployments, ReplicaSets, StatefulSets, DaemonSets. Instead of simple port mappings, there are Services of type ClusterIP, NodePort, or LoadBalancer, plus Ingress resources for HTTP routing.",[56,2592,2593],{},"That sounds like overhead at first – and it is, if all you want is to run a stack with three containers. 
But Kubernetes pays off as soon as the following applies:",[103,2595,2596,2599,2602,2605,2608],{},[106,2597,2598],{},"The infrastructure spans multiple nodes",[106,2600,2601],{},"Automatic scaling is required (Horizontal Pod Autoscaler)",[106,2603,2604],{},"Complex network and access management (RBAC, NetworkPolicies)",[106,2606,2607],{},"CI\u002FCD pipelines are expected to interact directly with the infrastructure",[106,2609,2610],{},"Monitoring, logging, and observability need to be deeply integrated",[187,2612,2614],{"id":2613},"when-is-swarm-enough-when-do-you-need-kubernetes","When is Swarm enough, when do you need Kubernetes?",[1305,2616,2617,2631],{},[1308,2618,2619],{},[1311,2620,2621,2623,2626,2629],{},[1314,2622,1318],{},[1314,2624,2625],{},"Docker Compose",[1314,2627,2628],{},"Docker Swarm",[1314,2630,1543],{},[1335,2632,2633,2647,2661,2675,2689,2703],{},[1311,2634,2635,2638,2641,2644],{},[1340,2636,2637],{},"Number of hosts",[1340,2639,2640],{},"1",[1340,2642,2643],{},"2–10",[1340,2645,2646],{},"any",[1311,2648,2649,2652,2655,2658],{},[1340,2650,2651],{},"Learning curve",[1340,2653,2654],{},"low",[1340,2656,2657],{},"medium",[1340,2659,2660],{},"high",[1311,2662,2663,2666,2669,2672],{},[1340,2664,2665],{},"Production readiness",[1340,2667,2668],{},"limited",[1340,2670,2671],{},"good for simple cases",[1340,2673,2674],{},"very good",[1311,2676,2677,2680,2683,2686],{},[1340,2678,2679],{},"Ecosystem",[1340,2681,2682],{},"large (local)",[1340,2684,2685],{},"shrinking",[1340,2687,2688],{},"very large",[1311,2690,2691,2694,2697,2700],{},[1340,2692,2693],{},"Automatic scaling",[1340,2695,2696],{},"no",[1340,2698,2699],{},"manual",[1340,2701,2702],{},"yes (HPA)",[1311,2704,2705,2708,2710,2713],{},[1340,2706,2707],{},"Managed offerings",[1340,2709,2696],{},[1340,2711,2712],{},"rare",[1340,2714,2715],{},"available everywhere",[56,2717,2718],{},"For a small team running a handful of services with no appetite for Kubernetes complexity, Swarm is a valid choice. 
For anything heading toward scaling, multi-team operations, or cloud-native architecture, Kubernetes is the more realistic path.",[71,2720,2722],{"id":2721},"migrating-from-compose-to-kubernetes","Migrating from Compose to Kubernetes",[56,2724,2725,2726,2730],{},"If a project started with Compose and eventually needs to ",[60,2727,2729],{"href":2728},"\u002Fen\u002Fblog\u002Fkubernetes-migration-guide","migrate to Kubernetes",", Kompose is an official tool that converts Compose files into Kubernetes manifests:",[598,2732,2734],{"className":600,"code":2733,"language":602,"meta":490,"style":490},"kompose convert -f docker-compose.yml\n",[554,2735,2736],{"__ignoreMap":490},[606,2737,2738,2741,2744,2747],{"class":608,"line":609},[606,2739,2740],{"class":618},"kompose",[606,2742,2743],{"class":622}," convert",[606,2745,2746],{"class":622}," -f",[606,2748,2749],{"class":622}," docker-compose.yml\n",[56,2751,2752,2753,733,2756,2759],{},"The result is ",[554,2754,2755],{},"Deployment",[554,2757,2758],{},"Service"," manifests that can serve as a starting point. They're rarely production-ready straight away – resource limits, liveness probes, ConfigMaps, and Secrets need to be added manually. 
But as an entry point, Kompose saves significant time.",[56,2761,2762],{},[109,2763,2764],{},"Typical pitfalls during migration:",[103,2766,2767,2772,2775,2778],{},[106,2768,2769,2771],{},[554,2770,2500],{}," doesn't exist in Kubernetes; readiness probes take over that role",[106,2773,2774],{},"Volumes need to be defined as PersistentVolumeClaims",[106,2776,2777],{},"Environment variables should be moved into ConfigMaps or Secrets, not placed directly in the Deployment manifest",[106,2779,2780],{},"Inter-service network communication uses Kubernetes service names, not container names",[71,2782,2784],{"id":2783},"managed-kubernetes-as-an-alternative-to-self-hosting","Managed Kubernetes as an alternative to self-hosting",[56,2786,2787],{},"Running Kubernetes yourself is its own discipline. Spinning up a control plane, securing the etcd cluster, handling upgrades, debugging node issues – that ties up capacity many teams would rather put into actual product development.",[56,2789,2790],{},"Managed Kubernetes – Kubernetes clusters operated by a provider – solves this problem in part. GKE, EKS, and AKS take the control plane off your hands. The real question then becomes: how much Kubernetes knowledge and operational work do you still want to own?",[56,2792,2793],{},"If you want to abstract operations even further, DevOps-as-a-Service (DaaS) platforms are an option. They use Kubernetes as a foundation but offer a simplified interface and a managed operational layer. lowcloud, for example, is a Kubernetes-based DaaS platform built specifically for teams that want the benefits of Kubernetes without having to worry about the infrastructure layer. 
Deployments, scaling, and networking run through the platform, so the team can focus on the code.",[71,2795,2797],{"id":2796},"decision-guide-which-tool-when","Decision guide: which tool when?",[56,2799,2800],{},"In short:",[103,2802,2803,2808,2813,2818],{},[106,2804,2805,2807],{},[109,2806,2160],{}," – for local tests, single containers, quick experiments",[106,2809,2810,2812],{},[109,2811,2625],{}," – for local development and simple single-host deployments",[106,2814,2815,2817],{},[109,2816,2628],{}," – for small clusters with a low complexity budget",[106,2819,2820,2822],{},[109,2821,1543],{}," – for production environments with scaling requirements, multi-team operations, and cloud-native architecture",[56,2824,2825],{},"No tool is right for every case. The question isn't \"which is best?\", but \"what do I need today – and what will I need in six months?\". Starting with Compose doesn't rule out Kubernetes. But if you know from day one that scaling and high availability will matter, you can save yourself the detour.",[1499,2827,2828],{},"html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span 
{color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}",{"title":490,"searchDepth":491,"depth":491,"links":2830},[2831,2832,2835,2838,2839,2842,2843,2844],{"id":2172,"depth":491,"text":2173},{"id":2192,"depth":491,"text":2193,"children":2833},[2834],{"id":2230,"depth":499,"text":2231},{"id":2327,"depth":491,"text":2328,"children":2836},[2837],{"id":2341,"depth":499,"text":2342},{"id":2516,"depth":491,"text":2517},{"id":2576,"depth":491,"text":2577,"children":2840},[2841],{"id":2613,"depth":499,"text":2614},{"id":2721,"depth":491,"text":2722},{"id":2783,"depth":491,"text":2784},{"id":2796,"depth":491,"text":2797},"2026-04-09","Docker, Docker Compose, Docker Swarm, and Kubernetes head-to-head: which tool fits which problem, and when does it make sense to 
switch?",{"src":2848},"\u002Fimages\u002Fblog\u002Fdocker-vs-kubernetes.jpg",{},"\u002Fen\u002Fblog\u002Fdocker-vs-kubernetes",{"title":2143,"description":2846},"en\u002F3.blog\u002F58.docker-vs-kubernetes","Ixkv8RbTw983kH5CjJw4CFiNt7BIDiY1x0zii9iKPGY",{"id":2855,"title":2856,"authors":2857,"badge":10,"body":2860,"date":3938,"description":3939,"extension":510,"image":3940,"lastUpdated":3942,"meta":3943,"navigation":14,"path":2021,"published":14,"seo":3944,"stem":3945,"tags":10,"__hash__":3946},"posts\u002Fen\u002F3.blog\u002F57.what-is-a-helm-chart.md","What Is a Helm Chart? The Package Manager for Kubernetes",[2858],{"name":43,"to":44,"avatar":2859},{"src":46},{"type":48,"value":2861,"toc":3924},[2862,2868,2871,2875,2882,2885,2888,2892,2895,2901,2905,2908,2975,2983,2987,2990,3080,3083,3087,3090,3229,3244,3248,3251,3254,3318,3321,3422,3432,3438,3442,3445,3616,3619,3623,3637,3640,3681,3688,3692,3695,3708,3711,3717,3783,3790,3794,3801,3806,3809,3812,3826,3829,3833,3840,3896,3903,3906,3908,3915,3921],[56,2863,2864,2865,2867],{},"Anyone running ",[60,2866,1543],{"href":1542}," seriously knows the problem: an application consists of a Deployment, a Service, a ConfigMap, maybe a HorizontalPodAutoscaler, and an Ingress. That's five YAML files — per environment. And you already have a management problem. Helm charts are the standard answer to this complexity. They bundle all Kubernetes resources of an application into a versioned, configurable package.",[56,2869,2870],{},"This article explains how Helm charts are structured, how templating works, and when it makes sense to use them.",[71,2872,2874],{"id":2873},"what-is-helm-and-what-is-a-chart","What is Helm and what is a chart?",[56,2876,2877,2881],{},[60,2878,2022],{"href":2879,"rel":2880},"https:\u002F\u002Fhelm.sh\u002F",[64]," is the package manager for Kubernetes. If you think of apt for Debian, Homebrew for macOS, or npm for Node.js, you're conceptually close. 
Helm installs, updates, and uninstalls applications on a Kubernetes cluster while keeping track of the state of each installation.",[56,2883,2884],{},"A Helm chart is the package format Helm uses. At its core, it's a collection of files in a defined directory structure that together describe what should be deployed to the cluster, parameterised via a central configuration file.",[56,2886,2887],{},"The key advantage over raw YAML: instead of maintaining separate copies for each environment, you define the structure once and adjust what differs via a values file or CLI parameters.",[71,2889,2891],{"id":2890},"structure-of-a-helm-chart","Structure of a Helm chart",[56,2893,2894],{},"A freshly created chart looks like this:",[598,2896,2899],{"className":2897,"code":2898,"language":1696},[1694],"my-app\u002F\n├── Chart.yaml\n├── values.yaml\n├── charts\u002F\n└── templates\u002F\n    ├── deployment.yaml\n    ├── service.yaml\n    ├── _helpers.tpl\n    └── NOTES.txt\n",[554,2900,2898],{"__ignoreMap":490},[187,2902,2904],{"id":2903},"chartyaml","Chart.yaml",[56,2906,2907],{},"This file contains the chart's metadata:",[598,2909,2911],{"className":1592,"code":2910,"language":1594,"meta":490,"style":490},"apiVersion: v2\nname: my-app\ndescription: A Helm chart for my application\ntype: application\nversion: 0.1.0\nappVersion: \"1.2.3\"\n",[554,2912,2913,2922,2931,2941,2951,2961],{"__ignoreMap":490},[606,2914,2915,2917,2919],{"class":608,"line":609},[606,2916,1602],{"class":1601},[606,2918,1605],{"class":629},[606,2920,2921],{"class":622}," v2\n",[606,2923,2924,2927,2929],{"class":608,"line":491},[606,2925,2926],{"class":1601},"name",[606,2928,1605],{"class":629},[606,2930,1802],{"class":622},[606,2932,2933,2936,2938],{"class":608,"line":499},[606,2934,2935],{"class":1601},"description",[606,2937,1605],{"class":629},[606,2939,2940],{"class":622}," A Helm chart for my 
application\n",[606,2942,2943,2946,2948],{"class":608,"line":650},[606,2944,2945],{"class":1601},"type",[606,2947,1605],{"class":629},[606,2949,2950],{"class":622}," application\n",[606,2952,2953,2956,2958],{"class":608,"line":672},[606,2954,2955],{"class":1601},"version",[606,2957,1605],{"class":629},[606,2959,2960],{"class":1237}," 0.1.0\n",[606,2962,2963,2966,2968,2970,2973],{"class":608,"line":688},[606,2964,2965],{"class":1601},"appVersion",[606,2967,1605],{"class":629},[606,2969,2385],{"class":629},[606,2971,2972],{"class":622},"1.2.3",[606,2974,2391],{"class":629},[56,2976,2977,2979,2980,2982],{},[554,2978,2955],{}," is the version of the chart itself — that is, of the package. ",[554,2981,2965],{}," describes the version of the application being deployed. The two are independent and should be versioned separately.",[187,2984,2986],{"id":2985},"valuesyaml","values.yaml",[56,2988,2989],{},"This is where the default values for all configurable parameters live:",[598,2991,2993],{"className":1592,"code":2992,"language":1594,"meta":490,"style":490},"replicaCount: 2\n\nimage:\n  repository: my-registry\u002Fmy-app\n  tag: \"1.2.3\"\n  pullPolicy: IfNotPresent\n\nservice:\n  type: ClusterIP\n  port: 80\n",[554,2994,2995,3005,3009,3016,3026,3039,3049,3053,3060,3070],{"__ignoreMap":490},[606,2996,2997,3000,3002],{"class":608,"line":609},[606,2998,2999],{"class":1601},"replicaCount",[606,3001,1605],{"class":629},[606,3003,3004],{"class":1237}," 2\n",[606,3006,3007],{"class":608,"line":491},[606,3008,647],{"emptyLinePlaceholder":14},[606,3010,3011,3014],{"class":608,"line":499},[606,3012,3013],{"class":1601},"image",[606,3015,1630],{"class":629},[606,3017,3018,3021,3023],{"class":608,"line":650},[606,3019,3020],{"class":1601},"  repository",[606,3022,1605],{"class":629},[606,3024,3025],{"class":622}," my-registry\u002Fmy-app\n",[606,3027,3028,3031,3033,3035,3037],{"class":608,"line":672},[606,3029,3030],{"class":1601},"  
tag",[606,3032,1605],{"class":629},[606,3034,2385],{"class":629},[606,3036,2972],{"class":622},[606,3038,2391],{"class":629},[606,3040,3041,3044,3046],{"class":608,"line":688},[606,3042,3043],{"class":1601},"  pullPolicy",[606,3045,1605],{"class":629},[606,3047,3048],{"class":622}," IfNotPresent\n",[606,3050,3051],{"class":608,"line":699},[606,3052,647],{"emptyLinePlaceholder":14},[606,3054,3055,3058],{"class":608,"line":709},[606,3056,3057],{"class":1601},"service",[606,3059,1630],{"class":629},[606,3061,3062,3065,3067],{"class":608,"line":720},[606,3063,3064],{"class":1601},"  type",[606,3066,1605],{"class":629},[606,3068,3069],{"class":622}," ClusterIP\n",[606,3071,3072,3075,3077],{"class":608,"line":859},[606,3073,3074],{"class":1601},"  port",[606,3076,1605],{"class":629},[606,3078,3079],{"class":1237}," 80\n",[56,3081,3082],{},"These values are the control point for everything that differs between environments. If you need different replica counts or a different image tag for production, you only override this file — the templates stay unchanged.",[187,3084,3086],{"id":3085},"the-templates-directory","The templates\u002F directory",[56,3088,3089],{},"This is where the actual Kubernetes manifests live — but with placeholders instead of fixed values:",[598,3091,3093],{"className":1592,"code":3092,"language":1594,"meta":490,"style":490},"apiVersion: apps\u002Fv1\nkind: Deployment\nmetadata:\n  name: {{ include \"my-app.fullname\" . }}\nspec:\n  replicas: {{ .Values.replicaCount }}\n  selector:\n    matchLabels:\n      {{- include \"my-app.selectorLabels\" . 
| nindent 6 }}\n  template:\n    spec:\n      containers:\n        - name: {{ .Chart.Name }}\n          image: \"{{ .Values.image.repository }}:{{ .Values.image.tag }}\"\n",[554,3094,3095,3103,3111,3117,3132,3138,3151,3158,3165,3178,3185,3192,3199,3215],{"__ignoreMap":490},[606,3096,3097,3099,3101],{"class":608,"line":609},[606,3098,1602],{"class":1601},[606,3100,1605],{"class":629},[606,3102,1776],{"class":622},[606,3104,3105,3107,3109],{"class":608,"line":491},[606,3106,1613],{"class":1601},[606,3108,1605],{"class":629},[606,3110,1785],{"class":622},[606,3112,3113,3115],{"class":608,"line":499},[606,3114,1790],{"class":1601},[606,3116,1630],{"class":629},[606,3118,3119,3121,3123,3126,3129],{"class":608,"line":650},[606,3120,1797],{"class":1601},[606,3122,1605],{"class":629},[606,3124,3125],{"class":629}," {{",[606,3127,3128],{"class":622}," include \"my-app.fullname\" .",[606,3130,3131],{"class":629}," }}\n",[606,3133,3134,3136],{"class":608,"line":672},[606,3135,1807],{"class":1601},[606,3137,1630],{"class":629},[606,3139,3140,3142,3144,3146,3149],{"class":608,"line":688},[606,3141,1814],{"class":1601},[606,3143,1605],{"class":629},[606,3145,3125],{"class":629},[606,3147,3148],{"class":622}," .Values.replicaCount",[606,3150,3131],{"class":629},[606,3152,3153,3156],{"class":608,"line":699},[606,3154,3155],{"class":1601},"  selector",[606,3157,1630],{"class":629},[606,3159,3160,3163],{"class":608,"line":709},[606,3161,3162],{"class":1601},"    matchLabels",[606,3164,1630],{"class":629},[606,3166,3167,3170,3173,3176],{"class":608,"line":720},[606,3168,3169],{"class":629},"      {{",[606,3171,3172],{"class":668},"- ",[606,3174,3175],{"class":622},"include \"my-app.selectorLabels\" . 
| nindent 6",[606,3177,3131],{"class":629},[606,3179,3180,3183],{"class":608,"line":859},[606,3181,3182],{"class":1601},"  template",[606,3184,1630],{"class":629},[606,3186,3187,3190],{"class":608,"line":875},[606,3188,3189],{"class":1601},"    spec",[606,3191,1630],{"class":629},[606,3193,3194,3197],{"class":608,"line":889},[606,3195,3196],{"class":1601},"      containers",[606,3198,1630],{"class":629},[606,3200,3201,3204,3206,3208,3210,3213],{"class":608,"line":898},[606,3202,3203],{"class":629},"        -",[606,3205,1871],{"class":1601},[606,3207,1605],{"class":629},[606,3209,3125],{"class":629},[606,3211,3212],{"class":622}," .Chart.Name",[606,3214,3131],{"class":629},[606,3216,3217,3220,3222,3224,3227],{"class":608,"line":912},[606,3218,3219],{"class":1601},"          image",[606,3221,1605],{"class":629},[606,3223,2385],{"class":629},[606,3225,3226],{"class":622},"{{ .Values.image.repository }}:{{ .Values.image.tag }}",[606,3228,2391],{"class":629},[56,3230,3231,3232,3235,3236,3239,3240,3243],{},"The double curly braces ",[554,3233,3234],{},"{{ }}"," are Go template syntax. ",[554,3237,3238],{},".Values"," accesses values.yaml, ",[554,3241,3242],{},".Chart"," accesses Chart.yaml.",[71,3245,3247],{"id":3246},"how-helm-templating-works","How Helm templating works",[56,3249,3250],{},"Helm uses the Go template engine, extended with a range of additional functions from the Sprig library. This gives you conditionals, loops, string manipulation, and custom helper functions.",[56,3252,3253],{},"A simple example with a conditional:",[598,3255,3257],{"className":1592,"code":3256,"language":1594,"meta":490,"style":490},"{{- if .Values.ingress.enabled }}\napiVersion: networking.k8s.io\u002Fv1\nkind: Ingress\nmetadata:\n  name: {{ include \"my-app.fullname\" . 
}}\n{{- end }}\n",[554,3258,3259,3271,3280,3289,3295,3307],{"__ignoreMap":490},[606,3260,3261,3264,3266,3269],{"class":608,"line":609},[606,3262,3263],{"class":629},"{{",[606,3265,3172],{"class":668},[606,3267,3268],{"class":622},"if .Values.ingress.enabled",[606,3270,3131],{"class":629},[606,3272,3273,3275,3277],{"class":608,"line":491},[606,3274,1602],{"class":1601},[606,3276,1605],{"class":629},[606,3278,3279],{"class":622}," networking.k8s.io\u002Fv1\n",[606,3281,3282,3284,3286],{"class":608,"line":499},[606,3283,1613],{"class":1601},[606,3285,1605],{"class":629},[606,3287,3288],{"class":622}," Ingress\n",[606,3290,3291,3293],{"class":608,"line":650},[606,3292,1790],{"class":1601},[606,3294,1630],{"class":629},[606,3296,3297,3299,3301,3303,3305],{"class":608,"line":672},[606,3298,1797],{"class":1601},[606,3300,1605],{"class":629},[606,3302,3125],{"class":629},[606,3304,3128],{"class":622},[606,3306,3131],{"class":629},[606,3308,3309,3311,3313,3316],{"class":608,"line":688},[606,3310,3263],{"class":629},[606,3312,3172],{"class":668},[606,3314,3315],{"class":622},"end",[606,3317,3131],{"class":629},[56,3319,3320],{},"Or a loop over multiple hosts:",[598,3322,3324],{"className":1592,"code":3323,"language":1594,"meta":490,"style":490},"rules:\n  {{- range .Values.ingress.hosts }}\n  - host: {{ .host | quote }}\n    http:\n      paths:\n        {{- range .paths }}\n        - path: {{ .path }}\n        {{- end }}\n  {{- end }}\n",[554,3325,3326,3333,3345,3361,3368,3375,3387,3402,3412],{"__ignoreMap":490},[606,3327,3328,3331],{"class":608,"line":609},[606,3329,3330],{"class":1601},"rules",[606,3332,1630],{"class":629},[606,3334,3335,3338,3340,3343],{"class":608,"line":491},[606,3336,3337],{"class":629},"  {{",[606,3339,3172],{"class":668},[606,3341,3342],{"class":622},"range .Values.ingress.hosts",[606,3344,3131],{"class":629},[606,3346,3347,3349,3352,3354,3356,3359],{"class":608,"line":499},[606,3348,1635],{"class":629},[606,3350,3351],{"class":1601}," 
host",[606,3353,1605],{"class":629},[606,3355,3125],{"class":629},[606,3357,3358],{"class":622}," .host | quote",[606,3360,3131],{"class":629},[606,3362,3363,3366],{"class":608,"line":650},[606,3364,3365],{"class":1601},"    http",[606,3367,1630],{"class":629},[606,3369,3370,3373],{"class":608,"line":672},[606,3371,3372],{"class":1601},"      paths",[606,3374,1630],{"class":629},[606,3376,3377,3380,3382,3385],{"class":608,"line":688},[606,3378,3379],{"class":629},"        {{",[606,3381,3172],{"class":668},[606,3383,3384],{"class":622},"range .paths",[606,3386,3131],{"class":629},[606,3388,3389,3391,3393,3395,3397,3400],{"class":608,"line":699},[606,3390,3203],{"class":629},[606,3392,1744],{"class":1601},[606,3394,1605],{"class":629},[606,3396,3125],{"class":629},[606,3398,3399],{"class":622}," .path",[606,3401,3131],{"class":629},[606,3403,3404,3406,3408,3410],{"class":608,"line":709},[606,3405,3379],{"class":629},[606,3407,3172],{"class":668},[606,3409,3315],{"class":622},[606,3411,3131],{"class":629},[606,3413,3414,3416,3418,3420],{"class":608,"line":720},[606,3415,3337],{"class":629},[606,3417,3172],{"class":668},[606,3419,3315],{"class":622},[606,3421,3131],{"class":629},[56,3423,3424,3425,3428,3429,415],{},"Custom helper functions live in ",[554,3426,3427],{},"_helpers.tpl",". The file starts with an underscore so Helm doesn't treat it as a standalone manifest. 
There you define named templates that you pull into the other files via ",[554,3430,3431],{},"include",[56,3433,2493,3434,3437],{},[554,3435,3436],{},"helm template my-app .\u002Fmy-app"," you can render the YAML locally — useful for debugging before you let anything loose on the cluster.",[71,3439,3441],{"id":3440},"helm-commands-for-daily-use","Helm commands for daily use",[56,3443,3444],{},"The most important operations:",[598,3446,3448],{"className":600,"code":3447,"language":602,"meta":490,"style":490},"# Install a chart\nhelm install my-release .\u002Fmy-app\n\n# Override with custom values\nhelm install my-release .\u002Fmy-app -f production-values.yaml\n\n# Upgrade an existing installation\nhelm upgrade my-release .\u002Fmy-app --set image.tag=1.3.0\n\n# Install or upgrade (idempotent — good for CI)\nhelm upgrade --install my-release .\u002Fmy-app\n\n# Show status of an installation\nhelm status my-release\n\n# List all releases\nhelm list\n\n# Rollback to an earlier version\nhelm rollback my-release 1\n\n# Uninstall\nhelm uninstall my-release\n",[554,3449,3450,3455,3468,3472,3477,3493,3497,3502,3522,3526,3531,3544,3548,3553,3563,3567,3572,3578,3582,3587,3598,3602,3607],{"__ignoreMap":490},[606,3451,3452],{"class":608,"line":609},[606,3453,3454],{"class":612},"# Install a chart\n",[606,3456,3457,3460,3462,3465],{"class":608,"line":491},[606,3458,3459],{"class":618},"helm",[606,3461,1987],{"class":622},[606,3463,3464],{"class":622}," my-release",[606,3466,3467],{"class":622}," .\u002Fmy-app\n",[606,3469,3470],{"class":608,"line":499},[606,3471,647],{"emptyLinePlaceholder":14},[606,3473,3474],{"class":608,"line":650},[606,3475,3476],{"class":612},"# Override with custom values\n",[606,3478,3479,3481,3483,3485,3488,3490],{"class":608,"line":672},[606,3480,3459],{"class":618},[606,3482,1987],{"class":622},[606,3484,3464],{"class":622},[606,3486,3487],{"class":622}," .\u002Fmy-app",[606,3489,2746],{"class":622},[606,3491,3492],{"class":622}," 
production-values.yaml\n",[606,3494,3495],{"class":608,"line":688},[606,3496,647],{"emptyLinePlaceholder":14},[606,3498,3499],{"class":608,"line":699},[606,3500,3501],{"class":612},"# Upgrade an existing installation\n",[606,3503,3504,3506,3509,3511,3513,3516,3519],{"class":608,"line":709},[606,3505,3459],{"class":618},[606,3507,3508],{"class":622}," upgrade",[606,3510,3464],{"class":622},[606,3512,3487],{"class":622},[606,3514,3515],{"class":622}," --set",[606,3517,3518],{"class":622}," image.tag=",[606,3520,3521],{"class":1237},"1.3.0\n",[606,3523,3524],{"class":608,"line":720},[606,3525,647],{"emptyLinePlaceholder":14},[606,3527,3528],{"class":608,"line":859},[606,3529,3530],{"class":612},"# Install or upgrade (idempotent — good for CI)\n",[606,3532,3533,3535,3537,3540,3542],{"class":608,"line":875},[606,3534,3459],{"class":618},[606,3536,3508],{"class":622},[606,3538,3539],{"class":622}," --install",[606,3541,3464],{"class":622},[606,3543,3467],{"class":622},[606,3545,3546],{"class":608,"line":889},[606,3547,647],{"emptyLinePlaceholder":14},[606,3549,3550],{"class":608,"line":898},[606,3551,3552],{"class":612},"# Show status of an installation\n",[606,3554,3555,3557,3560],{"class":608,"line":912},[606,3556,3459],{"class":618},[606,3558,3559],{"class":622}," status",[606,3561,3562],{"class":622}," my-release\n",[606,3564,3565],{"class":608,"line":917},[606,3566,647],{"emptyLinePlaceholder":14},[606,3568,3569],{"class":608,"line":923},[606,3570,3571],{"class":612},"# List all releases\n",[606,3573,3574,3576],{"class":608,"line":939},[606,3575,3459],{"class":618},[606,3577,1197],{"class":622},[606,3579,3580],{"class":608,"line":953},[606,3581,647],{"emptyLinePlaceholder":14},[606,3583,3584],{"class":608,"line":1116},[606,3585,3586],{"class":612},"# Rollback to an earlier version\n",[606,3588,3589,3591,3594,3596],{"class":608,"line":1136},[606,3590,3459],{"class":618},[606,3592,3593],{"class":622}," 
rollback",[606,3595,3464],{"class":622},[606,3597,1283],{"class":1237},[606,3599,3600],{"class":608,"line":1146},[606,3601,647],{"emptyLinePlaceholder":14},[606,3603,3604],{"class":608,"line":1155},[606,3605,3606],{"class":612},"# Uninstall\n",[606,3608,3609,3611,3614],{"class":608,"line":1165},[606,3610,3459],{"class":618},[606,3612,3613],{"class":622}," uninstall",[606,3615,3562],{"class":622},[56,3617,3618],{},"Helm stores the state of each installation as a release in the cluster (as a Secret or ConfigMap) and manages revisions. That allows rollback to an earlier version with a single command.",[71,3620,3622],{"id":3621},"chart-repositories-and-artifact-hub","Chart repositories and Artifact Hub",[56,3624,3625,3626,3631,3632,3636],{},"Ready-made charts for common software can be found on ",[60,3627,3630],{"href":3628,"rel":3629},"https:\u002F\u002Fartifacthub.io",[64],"Artifact Hub",", the central directory for public Helm charts. There are charts for cert-manager, ingress-nginx, Prometheus, ",[60,3633,3635],{"href":3634},"\u002Fen\u002Fblog\u002Fpostgresql-helm-chart-kubernetes","PostgreSQL",", and hundreds more.",[56,3638,3639],{},"Adding a repository and installing from it:",[598,3641,3643],{"className":600,"code":3642,"language":602,"meta":490,"style":490},"helm repo add ingress-nginx https:\u002F\u002Fkubernetes.github.io\u002Fingress-nginx\nhelm repo update\nhelm install ingress-nginx ingress-nginx\u002Fingress-nginx\n",[554,3644,3645,3661,3670],{"__ignoreMap":490},[606,3646,3647,3649,3652,3655,3658],{"class":608,"line":609},[606,3648,3459],{"class":618},[606,3650,3651],{"class":622}," repo",[606,3653,3654],{"class":622}," add",[606,3656,3657],{"class":622}," ingress-nginx",[606,3659,3660],{"class":622}," https:\u002F\u002Fkubernetes.github.io\u002Fingress-nginx\n",[606,3662,3663,3665,3667],{"class":608,"line":491},[606,3664,3459],{"class":618},[606,3666,3651],{"class":622},[606,3668,3669],{"class":622}," 
update\n",[606,3671,3672,3674,3676,3678],{"class":608,"line":499},[606,3673,3459],{"class":618},[606,3675,1987],{"class":622},[606,3677,3657],{"class":622},[606,3679,3680],{"class":622}," ingress-nginx\u002Fingress-nginx\n",[56,3682,3683,3684,3687],{},"For your own charts, you can run a private repository — classically as a static HTTP server with an ",[554,3685,3686],{},"index.yaml",", or in a more modern way as an OCI registry. Since Helm 3.8, OCI support is stable, and many teams use their existing container registry for both charts and images.",[71,3689,3691],{"id":3690},"creating-a-helm-chart-deploying-your-own-application","Creating a Helm chart. Deploying your own application",[56,3693,3694],{},"Creating a new chart:",[598,3696,3698],{"className":600,"code":3697,"language":602,"meta":490,"style":490},"helm create my-app\n",[554,3699,3700],{"__ignoreMap":490},[606,3701,3702,3704,3706],{"class":608,"line":609},[606,3703,3459],{"class":618},[606,3705,797],{"class":622},[606,3707,1802],{"class":622},[56,3709,3710],{},"This generates the full directory structure with example templates for a Deployment including Service, Ingress, HPA, and ServiceAccount. The generated code is functional and a good starting point.",[56,3712,3713,3714,3716],{},"From there you adapt ",[554,3715,2986],{}," to your application and clean up the templates by removing anything you don't need. 
You can test this with:",[598,3718,3720],{"className":600,"code":3719,"language":602,"meta":490,"style":490},"# Check rendering\nhelm template my-release .\u002Fmy-app -f my-values.yaml\n\n# Lint check\nhelm lint .\u002Fmy-app\n\n# Dry-run against the cluster\nhelm install my-release .\u002Fmy-app --dry-run\n",[554,3721,3722,3727,3743,3747,3752,3761,3765,3770],{"__ignoreMap":490},[606,3723,3724],{"class":608,"line":609},[606,3725,3726],{"class":612},"# Check rendering\n",[606,3728,3729,3731,3734,3736,3738,3740],{"class":608,"line":491},[606,3730,3459],{"class":618},[606,3732,3733],{"class":622}," template",[606,3735,3464],{"class":622},[606,3737,3487],{"class":622},[606,3739,2746],{"class":622},[606,3741,3742],{"class":622}," my-values.yaml\n",[606,3744,3745],{"class":608,"line":499},[606,3746,647],{"emptyLinePlaceholder":14},[606,3748,3749],{"class":608,"line":650},[606,3750,3751],{"class":612},"# Lint check\n",[606,3753,3754,3756,3759],{"class":608,"line":672},[606,3755,3459],{"class":618},[606,3757,3758],{"class":622}," lint",[606,3760,3467],{"class":622},[606,3762,3763],{"class":608,"line":688},[606,3764,647],{"emptyLinePlaceholder":14},[606,3766,3767],{"class":608,"line":699},[606,3768,3769],{"class":612},"# Dry-run against the cluster\n",[606,3771,3772,3774,3776,3778,3780],{"class":608,"line":709},[606,3773,3459],{"class":618},[606,3775,1987],{"class":622},[606,3777,3464],{"class":622},[606,3779,3487],{"class":622},[606,3781,3782],{"class":622}," --dry-run\n",[56,3784,3785,3786,3789],{},"Before you run a chart in production, it's worth running ",[554,3787,3788],{},"helm lint",", which checks for common problems in chart structure and templates.",[71,3791,3793],{"id":3792},"helm-vs-kustomize-when-to-use-what","Helm vs. Kustomize. 
When to use what?",[56,3795,3796,3797,3800],{},"Both tools solve the ",[60,3798,3799],{"href":2108},"YAML management problem in Kubernetes",", but with different approaches.",[56,3802,3803,3805],{},[60,3804,1549],{"href":2137}," works with overlays: you have a base configuration and layer environment-specific changes on top, without templates or variables. It's closer to plain YAML and doesn't introduce its own DSL. It's been built into kubectl since version 1.14.",[56,3807,3808],{},"Helm relies on templating and packaging. It's more powerful for complex configurations, but has a steeper learning curve and more moving parts.",[56,3810,3811],{},"Rules of thumb from practice:",[103,3813,3814,3817,3820,3823],{},[106,3815,3816],{},"Deploying third-party software (cert-manager, Prometheus, etc.)? Helm, because the maintainers ship it as a chart.",[106,3818,3819],{},"Managing your own apps across many environments with different configurations? Helm works well, but Kustomize is often clearer.",[106,3821,3822],{},"Want to stay GitOps-friendly and prefer plain YAML? Kustomize.",[106,3824,3825],{},"Need rollback functionality and release tracking? Helm.",[56,3827,3828],{},"Many teams combine both: Helm for installing external charts, Kustomize for their own application configuration.",[71,3830,3832],{"id":3831},"helm-in-cicd-and-gitops","Helm in CI\u002FCD and GitOps",[56,3834,3835,3836,3839],{},"In CI\u002FCD pipelines, ",[554,3837,3838],{},"helm upgrade --install"," is the standard command — it installs if nothing is there yet, and upgrades otherwise. 
This makes pipelines idempotent:",[598,3841,3843],{"className":600,"code":3842,"language":602,"meta":490,"style":490},"helm upgrade --install my-app .\u002Fchart \\\n  --namespace production \\\n  --create-namespace \\\n  --set image.tag=$CI_COMMIT_SHA \\\n  -f environments\u002Fproduction\u002Fvalues.yaml\n",[554,3844,3845,3861,3871,3878,3888],{"__ignoreMap":490},[606,3846,3847,3849,3851,3853,3856,3859],{"class":608,"line":609},[606,3848,3459],{"class":618},[606,3850,3508],{"class":622},[606,3852,3539],{"class":622},[606,3854,3855],{"class":622}," my-app",[606,3857,3858],{"class":622}," .\u002Fchart",[606,3860,669],{"class":668},[606,3862,3863,3866,3869],{"class":608,"line":491},[606,3864,3865],{"class":622},"  --namespace",[606,3867,3868],{"class":622}," production",[606,3870,669],{"class":668},[606,3872,3873,3876],{"class":608,"line":499},[606,3874,3875],{"class":622},"  --create-namespace",[606,3877,669],{"class":668},[606,3879,3880,3883,3885],{"class":608,"line":650},[606,3881,3882],{"class":622},"  --set",[606,3884,3518],{"class":622},[606,3886,3887],{"class":668},"$CI_COMMIT_SHA \\\n",[606,3889,3890,3893],{"class":608,"line":672},[606,3891,3892],{"class":622},"  -f",[606,3894,3895],{"class":622}," environments\u002Fproduction\u002Fvalues.yaml\n",[56,3897,3898,3899,3902],{},"In GitOps setups with ArgoCD or Flux, Helm is natively supported. ArgoCD can point directly at chart repositories and manage Helm releases as Application resources. Flux brings its own ",[554,3900,3901],{},"HelmRelease"," custom resource type. The benefit: the desired state lives in the Git repository, and the cluster reconciles itself automatically.",[56,3904,3905],{},"For secrets in Helm there are several approaches: the Helm Secrets plugin (works with SOPS or Vault), External Secrets Operator, or a Secret Store CSI driver. 
Values with passwords or API keys don't belong in values.yaml unencrypted — that's one of the most common security mistakes in Helm use.",[479,3907],{},[56,3909,3910,3911,3914],{},"Helm charts are today the de facto standard for structured Kubernetes deployments — for both standard software and your own applications. The learning curve is manageable: ",[554,3912,3913],{},"helm create"," generates a functional chart in seconds, and the concepts of templating and releases become clear quickly in practice.",[56,3916,3917,3918,3920],{},"Teams running Kubernetes on a platform with native Helm support get an extra benefit: ",[109,3919,299],{}," offers a Kubernetes environment where Helm deployments just work, without the infrastructure overhead around them. That lets teams focus on chart content, not cluster management.",[1499,3922,3923],{},"html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: 
var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}",{"title":490,"searchDepth":491,"depth":491,"links":3925},[3926,3927,3932,3933,3934,3935,3936,3937],{"id":2873,"depth":491,"text":2874},{"id":2890,"depth":491,"text":2891,"children":3928},[3929,3930,3931],{"id":2903,"depth":499,"text":2904},{"id":2985,"depth":499,"text":2986},{"id":3085,"depth":499,"text":3086},{"id":3246,"depth":491,"text":3247},{"id":3440,"depth":491,"text":3441},{"id":3621,"depth":491,"text":3622},{"id":3690,"depth":491,"text":3691},{"id":3792,"depth":491,"text":3793},{"id":3831,"depth":491,"text":3832},"2026-04-08","Helm charts bundle Kubernetes resources into a versioned package. 
How they are structured, how templating works, and when to use them.",{"src":3941},"\u002Fimages\u002Fblog\u002Fwhat-is-a-helm-chart.jpg","2026-04-13",{},{"title":2856,"description":3939},"en\u002F3.blog\u002F57.what-is-a-helm-chart","eX_z4kan8JtubN2Pm6aW-a30DLy3LZy4UTSHhmJLr88",{"id":3948,"title":3949,"authors":3950,"badge":10,"body":3953,"date":4188,"description":4189,"extension":510,"image":4190,"lastUpdated":10,"meta":4192,"navigation":14,"path":4193,"published":14,"seo":4194,"stem":4195,"tags":10,"__hash__":4196},"posts\u002Fen\u002F3.blog\u002F50.ai-agent-infrastructure.md","AI Agent Infrastructure: What You Really Need for Production",[3951],{"name":13,"to":523,"avatar":3952},{"src":8},{"type":48,"value":3954,"toc":4175},[3955,3958,3962,3965,3968,3972,3975,3990,3993,3997,4000,4003,4006,4009,4013,4016,4019,4033,4036,4039,4043,4046,4063,4066,4069,4073,4076,4079,4082,4085,4089,4092,4098,4101,4104,4107,4110,4114,4117,4120,4128,4131,4135,4138,4141,4144,4152,4155,4158,4162,4165,4168],[56,3956,3957],{},"An AI agent is not a single API call. Behind it lies an entire infrastructure layer of model hosting, orchestration, memory, and observability. That's exactly where many teams stumble when moving from prototype to production. This article covers the components you need for a functional AI agent infrastructure and how they work together.",[71,3959,3961],{"id":3960},"what-is-an-ai-agent-technically","What Is an AI Agent, Technically?",[56,3963,3964],{},"The term \"AI agent\" is being used for everything right now. A quick distinction: a simple chatbot responds to inputs. 
An AI agent, by contrast, can make independent decisions, call tools, and execute tasks across multiple steps without a human needing to trigger each step manually.",[56,3966,3967],{},"Technically, it usually works like this: the language model analyzes the task, decides which tool to call, executes the call, evaluates the result, and then decides whether the task is done or whether further steps are needed. This Reason-Act Loop is the core element. Model, orchestration, memory, and tools form the infrastructure that keeps this loop running.",[71,3969,3971],{"id":3970},"the-infrastructure-layers-at-a-glance","The Infrastructure Layers at a Glance",[56,3973,3974],{},"A production-ready AI agent infrastructure consists of four main layers:",[3976,3977,3978,3981,3984,3987],"ol",{},[106,3979,3980],{},"The language model is the \"brain\" of the agent.",[106,3982,3983],{},"Orchestration controls the flow of the agent.",[106,3985,3986],{},"Tools and actions give the agent the ability to interact with the outside world.",[106,3988,3989],{},"Memory holds context beyond individual requests.",[56,3991,3992],{},"On top of these come cross-cutting concerns like observability, security, and cost control. Let's look at each layer in detail.",[187,3994,3996],{"id":3995},"layer-1-the-language-model","Layer 1 – The Language Model",[56,3998,3999],{},"The first decision is whether to use a model via an external API or host it yourself. Both paths have clear use cases.",[56,4001,4002],{},"Hosted APIs like OpenAI, Anthropic, or Mistral are the fastest entry point. You pay per token, don't need to manage GPU infrastructure, and benefit from fast model updates. 
For most teams, this is the right starting point, as long as cost, privacy, and latency aren't an issue.",[56,4004,4005],{},"Self-hosted models make sense when you have data sovereignty requirements and can't send data to external APIs, when API costs exceed infrastructure costs at high request volumes, or when you want to fine-tune a specialized model.",[56,4007,4008],{},"For self-hosting, you need GPU capacity (on-premise or cloud), an inference server like vLLM or Ollama, and an API layer through which your agent reaches the model. It's more operationally demanding, but gives you full control.",[187,4010,4012],{"id":4011},"layer-2-orchestration","Layer 2 – Orchestration",[56,4014,4015],{},"The orchestration framework is the glue between model, tools, and memory. It controls what happens in which order, and ensures the agent runs its Reason-Act Loop correctly.",[56,4017,4018],{},"The most widely used frameworks today:",[103,4020,4021,4024,4027,4030],{},[106,4022,4023],{},"LangChain is the oldest and most comprehensive framework. It offers ready-made integrations for almost everything, but can get complex quickly. It works well for prototypes and teams that want many pre-built building blocks.",[106,4025,4026],{},"LlamaIndex is more focused on retrieval and data integration and is particularly well suited when an agent primarily works over your own documents or data.",[106,4028,4029],{},"CrewAI is designed for multi-agent scenarios where multiple specialized agents collaborate.",[106,4031,4032],{},"AutoGen from Microsoft takes a similar approach to CrewAI, but focuses on conversation between agents.",[56,4034,4035],{},"For simpler use cases, a direct integration of OpenAI's Assistants API or Anthropic's Tool Use functionality often suffices, without an additional framework.",[56,4037,4038],{},"The choice of framework has long-term implications for maintainability and debugging. 
Start simple, and add complexity only when you actually need it.",[187,4040,4042],{"id":4041},"layer-3-tools-and-actions","Layer 3 – Tools and Actions",[56,4044,4045],{},"What an agent can \"do\" depends on its tools. In practice, these are mostly functions the model can call via Function Calling or Tool Use, depending on the model provider. These can include:",[103,4047,4048,4051,4054,4057,4060],{},[106,4049,4050],{},"HTTP requests to external APIs",[106,4052,4053],{},"Database queries",[106,4055,4056],{},"File reading and writing",[106,4058,4059],{},"Code execution",[106,4061,4062],{},"Browser interaction",[56,4064,4065],{},"The critical point here is sandboxing. An agent that can execute code must run in an isolated environment. Without isolation, a poorly worded prompt can lead to unintended system access. Kubernetes offers good tools here: resource limits, network policies, and separate namespaces for agent workloads.",[56,4067,4068],{},"You should also think about secrets management early. API keys for external services should never appear in the prompt or tool definitions, but should be managed through a dedicated secrets store like Vault or Kubernetes Secrets.",[187,4070,4072],{"id":4071},"layer-4-memory","Layer 4 – Memory",[56,4074,4075],{},"The context window of a language model is limited. For short tasks, sending the full context along is fine. For longer workflows or agents that need to \"remember\" across sessions, you need explicit memory layers.",[56,4077,4078],{},"Short-term memory is the conversation history in the prompt. Frameworks like LangChain manage this automatically, including compression strategies when the context gets too large.",[56,4080,4081],{},"Long-term memory requires persistent storage. This is where vector databases come in: Chroma, Qdrant, Weaviate, or pgvector as a PostgreSQL extension. 
Information is stored as vectors and retrieved semantically on demand, so the agent can query the database for relevant memories instead of keeping everything in the prompt.",[56,4083,4084],{},"For many production scenarios, pgvector is sufficient if you're already running PostgreSQL. Dedicated vector databases like Qdrant are worth it at very high volumes or when vector search is a core feature.",[71,4086,4088],{"id":4087},"ai-agent-infrastructure-on-kubernetes","AI Agent Infrastructure on Kubernetes",[56,4090,4091],{},"Once agents need to go into production, questions quickly arise that go beyond the framework itself: How do I scale under high load? How do I deploy updates without interrupting running agent tasks? How do I isolate different agent types from each other?",[56,4093,4094,4097],{},[60,4095,4096],{"href":1542},"Kubernetes for production deployments"," provides a solid foundation for all of this, provided you account for a few specifics of agent workloads.",[56,4099,4100],{},"Agent processes are often long-running and unpredictable in their resource consumption. An agent processing a complex task may require significantly more CPU and memory than a short API call. Agents should therefore be configured with resource limits and requests, and critical runs should ideally run on dedicated node pools.",[56,4102,4103],{},"For horizontal scaling, agent workers work well. Instead of scaling a monolithic agent, you process tasks from a queue (e.g., Kafka or RabbitMQ) with a configurable number of worker pods. Kubernetes-native solutions like KEDA can help automatically adjust the number of workers based on queue length.",[56,4105,4106],{},"Rolling updates are more critical for agents than for classical services. If a model or framework update changes the agent's behavior, you want to roll that out in a controlled way. 
Canary deployments help test new versions on a subset of traffic before fully switching over.",[56,4108,4109],{},"If you use a Kubernetes platform that addresses these aspects out of the box, it saves considerable setup effort. Lowcloud provides exactly that: a hardened Kubernetes base with network isolation, resource controls, and deployment workflows on which you can build agent infrastructure directly.",[71,4111,4113],{"id":4112},"observability-watching-the-agent-think","Observability: Watching the Agent Think",[56,4115,4116],{},"Debugging AI agents is different from debugging regular services. A 500 error is easy to find. But when an agent makes the wrong decision, the problem lies somewhere in the interplay of prompt, model output, and tool call. Without good tracing, that's nearly impossible to diagnose.",[56,4118,4119],{},"That's why distributed tracing at the agent level is not a nice-to-have. Tools like LangSmith (for LangChain-based agents), Langfuse, or Arize Phoenix give you a complete trace of every agent run: which tools were called, what the model decided next, how long each step took, how many tokens were consumed.",[56,4121,4122,4123,4127],{},"At the infrastructure level, you also need classic observability tools like ",[60,4124,4126],{"href":4125},"\u002Fen\u002Fblog\u002Fkubernetes-monitoring-logs-metrics","Prometheus and Grafana"," for metrics (latency, error rate, token consumption) and Loki or Elasticsearch for structured logging.",[56,4129,4130],{},"One point that's often underestimated is prompt logging. All prompts sent to the model in production should be stored persistently, at least for a period of time. When an agent shows unexpected behavior, the full prompt is often the only thing that helps you figure out why.",[71,4132,4134],{"id":4133},"from-prototype-to-production-what-actually-changes","From Prototype to Production — What Actually Changes",[56,4136,4137],{},"A working prototype obscures what production really requires. 
The most common gaps are the following.",[56,4139,4140],{},"Error handling: Agent loops can get stuck in infinite loops or freeze on tool errors. Timeouts, retry logic, and maximum iteration limits are mandatory.",[56,4142,4143],{},"Cost control: Without token budgets, a single poorly worded prompt can get surprisingly expensive. Set hard limits per run and monitor token consumption at an aggregated level.",[56,4145,4146,4147,4151],{},"Privacy and compliance: What goes into the prompt? If personal data or internal documents are part of the context, that needs to be addressed in the architecture, both in model hosting and memory design. The ",[60,4148,4150],{"href":4149},"\u002Fen\u002Fblog\u002Feu-ai-act-hosting","EU AI Act obligations for deployers"," add further requirements around logging and human oversight that directly affect production agent systems.",[56,4153,4154],{},"Reliability: External APIs your agent calls can fail. Circuit breakers and fallback strategies prevent a single tool failure from destroying the entire agent run.",[56,4156,4157],{},"These points sound trivial, but in practice, the list of things that can go wrong in production is significantly longer than when building the prototype.",[71,4159,4161],{"id":4160},"infrastructure-is-not-optional","Infrastructure Is Not Optional",[56,4163,4164],{},"AI agents are not a feature you just deploy. They place real demands on isolation, scaling, observability, and security. Those demands grow with the complexity of the tasks the agent handles.",[56,4166,4167],{},"The stack is manageable: a language model (hosted or self-run), an orchestration framework, tool integration with clean sandboxing, a memory layer for persistent context, and Kubernetes as the foundation for production deployments. 
What makes the difference is not the choice of any single tool, but how well these layers work together.",[56,4169,4170,4171,4174],{},"If you're new to Kubernetes, a ",[60,4172,4173],{"href":2728},"step-by-step Kubernetes migration"," covers the preparation work that makes the difference between a stable cluster and a frustrating one. If you're looking for a Kubernetes platform on which you can build this stack without having to configure every aspect yourself, take a look at Lowcloud. The platform is built specifically for teams that want to run containerized workloads including AI agent infrastructure in production without needing to develop in-house Kubernetes expertise.",{"title":490,"searchDepth":491,"depth":491,"links":4176},[4177,4178,4184,4185,4186,4187],{"id":3960,"depth":491,"text":3961},{"id":3970,"depth":491,"text":3971,"children":4179},[4180,4181,4182,4183],{"id":3995,"depth":499,"text":3996},{"id":4011,"depth":499,"text":4012},{"id":4041,"depth":499,"text":4042},{"id":4071,"depth":499,"text":4072},{"id":4087,"depth":491,"text":4088},{"id":4112,"depth":491,"text":4113},{"id":4133,"depth":491,"text":4134},{"id":4160,"depth":491,"text":4161},"2026-04-07","An AI agent is more than a single API call. This guide explains the four infrastructure layers — model hosting, orchestration, memory, and observability — and how they work together in production.",{"src":4191},"\u002Fimages\u002Fblog\u002Fai-agent-infrastructure.jpg",{},"\u002Fen\u002Fblog\u002Fai-agent-infrastructure",{"title":3949,"description":4189},"en\u002F3.blog\u002F50.ai-agent-infrastructure","ALxtSoXrlieIY5RQduUPrX9g1glR-3qfg2LdEzIYSxg",{"id":4198,"title":4199,"authors":4200,"badge":10,"body":4203,"date":4188,"description":4447,"extension":510,"image":4448,"lastUpdated":3942,"meta":4450,"navigation":14,"path":2523,"published":14,"seo":4451,"stem":4452,"tags":10,"__hash__":4453},"posts\u002Fen\u002F3.blog\u002F56.what-is-docker-swarm.md","What is Docker Swarm? 
Container Orchestration Built In",[4201],{"name":43,"to":44,"avatar":4202},{"src":46},{"type":48,"value":4204,"toc":4435},[4205,4212,4216,4219,4228,4232,4235,4238,4241,4244,4248,4254,4257,4260,4264,4267,4270,4274,4277,4280,4283,4287,4297,4304,4307,4311,4322,4327,4332,4335,4401,4405,4408,4424,4427,4429],[56,4206,4207,4208,4211],{},"Docker Swarm is the native clustering and orchestration solution from ",[60,4209,2156],{"href":2154,"rel":4210},[64],". It is built directly into the Docker Engine and makes it possible to combine several Docker hosts into a single cluster without installing any separate tools. Anyone who wants to run containers on more than one server gets a solid foundation with Docker Swarm: easy to set up, built on familiar Docker tooling, and perfectly sufficient for many setups.",[71,4213,4215],{"id":4214},"swarm-mode-whats-behind-it","Swarm Mode. What's behind it?",[56,4217,4218],{},"Since Docker 1.12, Swarm is no longer a separate project but a built-in operating mode of the Docker Engine, known as Swarm Mode. That means every current Docker installation can run a Swarm cluster without any additional packages or external dependencies.",[56,4220,4221,4222,2283,4224,4227],{},"The conceptual difference between ",[554,4223,2160],{},[554,4225,4226],{},"docker-compose"," and Swarm lies in the level of abstraction. Swarm does not think in terms of individual containers running on a specific host; it thinks in terms of services that are executed across the cluster as a whole. Where exactly a container ends up is decided by the scheduler.",[71,4229,4231],{"id":4230},"manager-and-worker-nodes-at-a-glance","Manager and worker nodes at a glance",[56,4233,4234],{},"A Swarm cluster consists of two types of nodes:",[56,4236,4237],{},"Manager nodes are responsible for cluster administration. They accept API requests, distribute jobs (so-called tasks) to worker nodes, and monitor the state of the cluster. 
Manager nodes use the Raft consensus protocol to maintain a consistent cluster state among themselves. If one manager fails, another takes over, provided that the majority of the managers is still reachable.",[56,4239,4240],{},"That leads to a practical rule of thumb: anyone who wants high availability should run 3 or 5 manager nodes. With 3 managers, one may fail; with 5 managers, two may fail.",[56,4242,4243],{},"Worker nodes run the containers. They receive tasks from the manager and report their status back — nothing more. Worker nodes have no access to the cluster state and cannot perform management operations.",[71,4245,4247],{"id":4246},"services-tasks-and-the-desired-state","Services, tasks, and the desired state",[56,4249,4250,4251,4253],{},"The central concept in Docker Swarm is the ",[109,4252,3057],{},". Instead of starting a container manually, you define a service with a desired number of replicas.",[56,4255,4256],{},"Swarm makes sure that exactly 3 instances of the Nginx container are running at all times, distributed across the available worker nodes. If one fails, the manager detects it and starts a new task. This principle is called desired state reconciliation: Swarm continuously compares the desired state with the actual state.",[56,4258,4259],{},"Tasks are the smallest units in Swarm; each task corresponds to one container on a specific node. The service is the object you describe and manage; the tasks are created from it automatically.",[187,4261,4263],{"id":4262},"rolling-updates-and-rollbacks","Rolling updates and rollbacks",[56,4265,4266],{},"A common problem with manual deployments: either brief downtime when swapping out the container, or complicated blue\u002Fgreen setups. 
Swarm solves this with built-in rolling updates.",[56,4268,4269],{},"Swarm remembers the previous state of the service and can restore it without any manual intervention.",[71,4271,4273],{"id":4272},"overlay-networks-and-service-discovery","Overlay networks and service discovery",[56,4275,4276],{},"When several services on different nodes need to communicate — for instance, a backend service talking to a database — you need a network that bridges host boundaries. Docker Swarm provides overlay networks for exactly that.",[56,4278,4279],{},"Services that are assigned to the same overlay network can reach each other by their service name, regardless of which node the containers are currently running on. The integrated DNS resolver handles service discovery automatically.",[56,4281,4282],{},"That removes the need to manually manage IP addresses and makes service-to-service communication within the cluster transparent.",[71,4284,4286],{"id":4285},"docker-stack-and-compose-integration","Docker Stack and Compose integration",[56,4288,4289,4290,4292,4293,4296],{},"Teams that already work with ",[554,4291,4226],{}," can bring their existing knowledge straight into Swarm. With ",[554,4294,4295],{},"docker stack deploy",", Compose files in v3 format can be deployed directly into Swarm.",[56,4298,4299,4300,4303],{},"A stack is essentially a group of services that are deployed and managed together. The Compose file remains largely unchanged; only Swarm-specific settings such as replica count or update configuration are added under the ",[554,4301,4302],{},"deploy"," key:",[56,4305,4306],{},"This path makes the entry into Swarm especially low-barrier for Compose users.",[71,4308,4310],{"id":4309},"docker-swarm-vs-kubernetes-when-to-use-which","Docker Swarm vs. Kubernetes. 
When to use which?",[56,4312,1701,4313,4317,4318,4321],{},[60,4314,4316],{"href":4315},"\u002Fen\u002Fblog\u002Fkubernetes-vs-docker-swarm","comparison between Docker Swarm and Kubernetes"," comes up regularly, and the answer is less binary than is often claimed. For the wider ",[60,4319,4320],{"href":2850},"decision between Docker, Compose, Swarm, and Kubernetes",", see our full comparison.",[56,4323,4324,4326],{},[109,4325,1543],{}," has a significantly larger feature set: native Horizontal Pod Autoscaling, detailed RBAC, Custom Resource Definitions, a huge ecosystem of operators and tools. In return, the entry barrier is higher, operations are more demanding, and the learning curve is steeper.",[56,4328,4329,4331],{},[109,4330,2628],{}," is conceptually simpler, faster to set up, and sufficient for many use cases. Anyone without a dedicated DevOps team or who does not need Kubernetes often fares more pragmatically with Swarm.",[56,4333,4334],{},"Key differences at a glance:",[1305,4336,4337,4347],{},[1308,4338,4339],{},[1311,4340,4341,4343,4345],{},[1314,4342],{},[1314,4344,2628],{},[1314,4346,1543],{},[1335,4348,4349,4360,4371,4381,4391],{},[1311,4350,4351,4354,4357],{},[1340,4352,4353],{},"Getting started",[1340,4355,4356],{},"Simple",[1340,4358,4359],{},"Complex",[1311,4361,4362,4365,4368],{},[1340,4363,4364],{},"Auto-scaling",[1340,4366,4367],{},"Not native",[1340,4369,4370],{},"Yes",[1311,4372,4373,4376,4378],{},[1340,4374,4375],{},"RBAC",[1340,4377,1399],{},[1340,4379,4380],{},"Full",[1311,4382,4383,4385,4388],{},[1340,4384,2679],{},[1340,4386,4387],{},"Small",[1340,4389,4390],{},"Large",[1311,4392,4393,4396,4398],{},[1340,4394,4395],{},"Resource footprint",[1340,4397,1426],{},[1340,4399,4400],{},"Higher",[187,4402,4404],{"id":4403},"when-swarm-is-the-right-choice","When Swarm is the right choice",[56,4406,4407],{},"Swarm makes sense when:",[103,4409,4410,4415,4418,4421],{},[106,4411,4412,4413],{},"The team knows Docker but has not yet adopted 
",[60,4414,1543],{"href":1542},[106,4416,4417],{},"The infrastructure is manageable and no automatic scaling is needed",[106,4419,4420],{},"Bare-metal servers or small VMs are used without cloud-managed Kubernetes",[106,4422,4423],{},"Operational complexity should deliberately be kept low",[56,4425,4426],{},"As soon as the requirements grow — more teams, more complex network topologies, fine-grained access control, scaling automation — Swarm hits its limits.",[479,4428],{},[56,4430,4431,4432,4434],{},"Docker Swarm is a solid entry point into container orchestration, without the operational overhead that Kubernetes brings with it. But anyone who realises that the requirements are growing and that a full Kubernetes setup would make sense does not have to build and operate it themselves. lowcloud offers a ",[60,4433,487],{"href":486}," with Kubernetes at its core that simplifies the operation of Kubernetes clusters on sovereign infrastructure — without cloud, without vendor lock-in, and with a focus on what matters: your own application.",{"title":490,"searchDepth":491,"depth":491,"links":4436},[4437,4438,4439,4442,4443,4444],{"id":4214,"depth":491,"text":4215},{"id":4230,"depth":491,"text":4231},{"id":4246,"depth":491,"text":4247,"children":4440},[4441],{"id":4262,"depth":499,"text":4263},{"id":4272,"depth":491,"text":4273},{"id":4285,"depth":491,"text":4286},{"id":4309,"depth":491,"text":4310,"children":4445},[4446],{"id":4403,"depth":499,"text":4404},"Docker Swarm explained: clusters, services, overlay networks, and how it compares to Kubernetes. 
When Swarm is the right choice for container orchestration.",{"src":4449},"\u002Fimages\u002Fblog\u002Fwhat-is-docker-swarm.jpg",{},{"title":4199,"description":4447},"en\u002F3.blog\u002F56.what-is-docker-swarm","Ucw6_O9AFjS5tnaD1aRTVJ4yodakZlrGvL8XH9W4tfA",{"id":4455,"title":4456,"authors":4457,"badge":10,"body":4460,"date":4932,"description":4933,"extension":510,"image":4934,"lastUpdated":3942,"meta":4936,"navigation":14,"path":2728,"published":14,"seo":4937,"stem":4938,"tags":10,"__hash__":4939},"posts\u002Fen\u002F3.blog\u002F49.kubernetes-migration-guide.md","Kubernetes Migration: What You Need to Know Before You Start",[4458],{"name":13,"to":523,"avatar":4459},{"src":8},{"type":48,"value":4461,"toc":4914},[4462,4469,4473,4480,4487,4490,4494,4497,4500,4517,4521,4524,4527,4541,4545,4555,4566,4575,4579,4582,4586,4589,4668,4671,4675,4678,4681,4692,4695,4699,4702,4709,4725,4729,4732,4735,4746,4749,4777,4781,4788,4801,4804,4808,4811,4814,4817,4821,4824,4833,4870,4875,4878,4882,4885,4899,4902,4904,4911],[56,4463,4464,4465,4468],{},"Migrating to Kubernetes sounds like a straightforward infrastructure task. You take your existing applications, pack them into containers, write a few YAML files, and roll out. In practice, it rarely works that way. Teams that migrate without proper preparation quickly end up with a cluster that technically runs but makes nobody happy operationally: unstable pods, unclear responsibilities, and alerts going off in the middle of the night. Before committing to the migration, it's worth ",[60,4466,4467],{"href":2850},"evaluating Docker Compose, Swarm, and Kubernetes"," side by side. This article shows where the real problems arise and how to avoid them.",[71,4470,4472],{"id":4471},"kubernetes-is-a-tool-not-a-goal","Kubernetes Is a Tool, Not a Goal",[56,4474,4475,4476,4479],{},"A common misconception: Kubernetes migration is treated as an infrastructure project when it's actually an architecture project. 
The platform provides mechanisms (",[60,4477,4478],{"href":1542},"scheduling, self-healing, scaling, service discovery",") that only work when applications are designed for them.",[56,4481,4482,4483,4486],{},"A classic VM application that writes configuration locally to disk, stores log files under ",[554,4484,4485],{},"\u002Fvar\u002Flog",", and assumes the process never restarts will technically start on Kubernetes. But it will misbehave. Pods get restarted, logs are lost, configuration disappears.",[56,4488,4489],{},"Kubernetes only pays off when applications are ephemeral, stateless, and observable. That's not a criticism of the platform, but the prerequisite for using it sensibly. Understanding this at the start of a migration saves a lot of frustration.",[71,4491,4493],{"id":4492},"before-the-kubernetes-migration-what-you-need-to-analyze","Before the Kubernetes Migration: What You Need to Analyze",[56,4495,4496],{},"Before the first pod gets deployed, an honest inventory is worthwhile. Not every application is equally ready for Kubernetes, and different readiness levels require different migration paths.",[56,4498,4499],{},"These questions help:",[103,4501,4502,4505,4508,4511,4514],{},[106,4503,4504],{},"Which services are stateless, which have persistent state?",[106,4506,4507],{},"Which services have external dependencies (databases, message queues, legacy APIs)?",[106,4509,4510],{},"What are the resource profiles of your applications: CPU-intensive, memory-hungry, IO-bound?",[106,4512,4513],{},"What do your current deployment processes look like: how is deployment done, how is rollback handled?",[106,4515,4516],{},"Is there hardcoded configuration, or are environment variables and external config stores used?",[187,4518,4520],{"id":4519},"handle-stateful-services-separately","Handle Stateful Services Separately",[56,4522,4523],{},"Databases, message queues, and similar systems need their own migration strategy. 
Simply pulling them into the cluster as StatefulSets is rarely the best idea, at least not at the beginning.",[56,4525,4526],{},"Many teams do well by leaving databases outside the cluster initially, managed on AWS RDS, Cloud SQL, or similar services, and migrating only the application layer. This significantly reduces the attack surface and allows teams to gain experience with Kubernetes without simultaneously having to manage data persistence in the cluster.",[56,4528,4529,4530,4533,4534,557,4537,4540],{},"If databases should go into the cluster anyway: ",[60,4531,4532],{"href":3634},"StatefulSets with persistent volumes"," are the right approach, but ",[554,4535,4536],{},"PodDisruptionBudgets",[554,4538,4539],{},"StorageClasses",", backup strategies, and upgrade processes must be understood and tested before going to production.",[187,4542,4544],{"id":4543},"gather-resource-requirements","Gather Resource Requirements",[56,4546,4547,4548,733,4551,4554],{},"One of the most common mistakes in Kubernetes migration is deploying without ",[554,4549,4550],{},"resources.requests",[554,4552,4553],{},"resources.limits",". This feels simpler at first, since no configuration is required and nothing seems to need thinking through. But the price comes later.",[56,4556,4557,4558,4561,4562,4565],{},"Without ",[554,4559,4560],{},"requests",", the Kubernetes scheduler doesn't know how to distribute pods across nodes. Without ",[554,4563,4564],{},"limits",", a single misbehaving pod can destabilize the node. Both lead to hard-to-reproduce problems in production systems.",[56,4567,4568,4569,4571,4572,4574],{},"Before you migrate: measure the current memory and CPU consumption of your services under load. These values are the foundation for sensible ",[554,4570,4560],{},". 
Set ",[554,4573,4564],{}," conservatively above them, with some buffer, but not so generous that a bug goes unnoticed.",[71,4576,4578],{"id":4577},"the-most-common-mistakes-in-kubernetes-migration","The Most Common Mistakes in Kubernetes Migration",[56,4580,4581],{},"Some problems appear so regularly they're almost predictable. Here are the most important ones:",[187,4583,4585],{"id":4584},"dont-forget-resource-limits","Don't Forget Resource Limits",[56,4587,4588],{},"OOMKills are unpleasant. The pod is silently terminated, Kubernetes restarts it, and if nobody is watching the events, the team only notices when users complain. The solution isn't complicated, but it requires sitting down once and thinking through the values.",[598,4590,4592],{"className":1592,"code":4591,"language":1594,"meta":490,"style":490},"resources:\n  requests:\n    memory: \"256Mi\"\n    cpu: \"250m\"\n  limits:\n    memory: \"512Mi\"\n    cpu: \"500m\"\n",[554,4593,4594,4600,4607,4621,4635,4642,4655],{"__ignoreMap":490},[606,4595,4596,4598],{"class":608,"line":609},[606,4597,1627],{"class":1601},[606,4599,1630],{"class":629},[606,4601,4602,4605],{"class":608,"line":491},[606,4603,4604],{"class":1601},"  requests",[606,4606,1630],{"class":629},[606,4608,4609,4612,4614,4616,4619],{"class":608,"line":499},[606,4610,4611],{"class":1601},"    memory",[606,4613,1605],{"class":629},[606,4615,2385],{"class":629},[606,4617,4618],{"class":622},"256Mi",[606,4620,2391],{"class":629},[606,4622,4623,4626,4628,4630,4633],{"class":608,"line":650},[606,4624,4625],{"class":1601},"    cpu",[606,4627,1605],{"class":629},[606,4629,2385],{"class":629},[606,4631,4632],{"class":622},"250m",[606,4634,2391],{"class":629},[606,4636,4637,4640],{"class":608,"line":672},[606,4638,4639],{"class":1601},"  
limits",[606,4641,1630],{"class":629},[606,4643,4644,4646,4648,4650,4653],{"class":608,"line":688},[606,4645,4611],{"class":1601},[606,4647,1605],{"class":629},[606,4649,2385],{"class":629},[606,4651,4652],{"class":622},"512Mi",[606,4654,2391],{"class":629},[606,4656,4657,4659,4661,4663,4666],{"class":608,"line":699},[606,4658,4625],{"class":1601},[606,4660,1605],{"class":629},[606,4662,2385],{"class":629},[606,4664,4665],{"class":622},"500m",[606,4667,2391],{"class":629},[56,4669,4670],{},"These are example values, since the right numbers depend on your application. What matters is that you set them and that they're based on real measurements, not estimates.",[187,4672,4674],{"id":4673},"manage-secrets-securely","Manage Secrets Securely",[56,4676,4677],{},"Kubernetes Secrets are only Base64-encoded by default, not encrypted. Anyone who stores sensitive data such as database passwords, API keys, and TLS certificates directly as Kubernetes Secrets without cluster-side encryption at rest has a security problem they may not yet see.",[56,4679,4680],{},"The recommended approaches:",[103,4682,4683,4686,4689],{},[106,4684,4685],{},"External Secrets Operator with an external secret store (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager)",[106,4687,4688],{},"Sealed Secrets for GitOps workflows where secrets are stored as encrypted CRDs in the repository",[106,4690,4691],{},"Vault Agent Injector for direct integration with HashiCorp Vault",[56,4693,4694],{},"Which path you choose depends on your infrastructure. But you should take one of these paths before production data lands in the cluster.",[187,4696,4698],{"id":4697},"set-up-observability-before-things-break","Set Up Observability Before Things Break",[56,4700,4701],{},"Without metrics, logs, and traces, a Kubernetes cluster is a black box. Problems occur, but there's no basis for isolating them quickly.",[56,4703,4704,4705,4708],{},"This doesn't mean building the complete observability stack immediately. 
But at minimum ",[60,4706,4707],{"href":4125},"Prometheus for metrics and a central log aggregation system"," (Loki, Elasticsearch, or a managed service) should be running before the first services are migrated. Grafana dashboards for the most important service metrics help identify problems early.",[56,4710,4711,4712,733,4715,4718,4719,4721,4722,4724],{},"The health checks ",[554,4713,4714],{},"livenessProbe",[554,4716,4717],{},"readinessProbe"," are not nice-to-haves. Without ",[554,4720,4717],{},", Kubernetes sends traffic to pods that aren't ready yet. Without ",[554,4723,4714],{},", hung processes go undetected.",[71,4726,4728],{"id":4727},"kubernetes-migration-step-by-step","Kubernetes Migration Step by Step",[56,4730,4731],{},"The safest path to Kubernetes migration is an incremental approach, migrating one service at a time rather than everything at once.",[56,4733,4734],{},"This has several advantages:",[103,4736,4737,4740,4743],{},[106,4738,4739],{},"Errors remain isolated and only affect one service",[106,4741,4742],{},"The team gains more experience with each service",[106,4744,4745],{},"Rollbacks are manageable because only part of the system is affected",[56,4747,4748],{},"A typical process looks like this:",[3976,4750,4751,4754,4757,4765,4768,4771,4774],{},[106,4752,4753],{},"Start with a non-critical, stateless service, ideally one that's well-documented and has few external dependencies.",[106,4755,4756],{},"Containerize and test the service, if not already done.",[106,4758,4759,4760,733,4762,4764],{},"Create Kubernetes manifests (or Helm chart \u002F Kustomize overlay), set ",[554,4761,4560],{},[554,4763,4564],{},", and configure health checks.",[106,4766,4767],{},"Deploy to a staging cluster and test under realistic load.",[106,4769,4770],{},"Define a rollout strategy: rolling update works for most services, but for critical paths canary deployment or blue-green is worth considering.",[106,4772,4773],{},"Validate observability: are logs arriving, 
do metrics show the expected picture, and are health checks triggering correctly?",[106,4775,4776],{},"Go live and deactivate the old deployments.",[187,4778,4780],{"id":4779},"namespace-strategy-and-rbac-from-the-start","Namespace Strategy and RBAC from the Start",[56,4782,4783,4784,4787],{},"Namespaces are the primary means of isolation in Kubernetes. Deploying all services to the ",[554,4785,4786],{},"default"," namespace mixes responsibilities and complicates RBAC configuration, network policies, and later governance.",[56,4789,4790,4791,557,4794,1829,4797,4800],{},"A sensible basic structure separates by teams or domains, such as ",[554,4792,4793],{},"team-backend",[554,4795,4796],{},"team-platform",[554,4798,4799],{},"monitoring",", and defines clear access rights per namespace via RBAC. The principle is least privilege: every service account gets exactly the rights it needs, and no more.",[56,4802,4803],{},"NetworkPolicies complement this: without explicit policies, all pods in the cluster communicate with each other. That's rarely desired. Simple default-deny policies per namespace, supplemented by explicit allow rules, significantly reduce the attack surface.",[187,4805,4807],{"id":4806},"observability-as-a-prerequisite-not-an-afterthought","Observability as a Prerequisite, Not an Afterthought",[56,4809,4810],{},"The difference between a well-operable Kubernetes cluster and a hard-to-maintain one often lies not in the workload configuration but in the quality of observability.",[56,4812,4813],{},"Metrics (Prometheus + Grafana), structured logging (JSON logs, central aggregation system), and for more complex systems distributed tracing (OpenTelemetry + Jaeger or Tempo) should be part of the foundation.",[56,4815,4816],{},"Particularly useful are alert rules for pods in CrashLoopBackOff, high restart rates, and unusual resource utilization. 
These three alerts cover a large portion of the most common production problems in Kubernetes clusters.",[71,4818,4820],{"id":4819},"aligning-cicd-pipelines-with-kubernetes","Aligning CI\u002FCD Pipelines with Kubernetes",[56,4822,4823],{},"Existing CI\u002FCD pipelines built for classic deployments, such as direct SSH, Ansible playbooks, or simple Docker deployments, usually can't be transferred directly to Kubernetes.",[56,4825,4826,4828,4829,4832],{},[60,4827,2022],{"href":2021}," is the most pragmatic starting point for most teams. Charts allow ",[60,4830,4831],{"href":2108},"Kubernetes manifests to be parameterized"," and made reusable. For multiple environments (dev, staging, prod), per-environment values files can be defined.",[598,4834,4836],{"className":600,"code":4835,"language":602,"meta":490,"style":490},"helm upgrade --install my-service .\u002Fcharts\u002Fmy-service \\\n  -f values.production.yaml \\\n  --namespace team-backend\n",[554,4837,4838,4854,4863],{"__ignoreMap":490},[606,4839,4840,4842,4844,4846,4849,4852],{"class":608,"line":609},[606,4841,3459],{"class":618},[606,4843,3508],{"class":622},[606,4845,3539],{"class":622},[606,4847,4848],{"class":622}," my-service",[606,4850,4851],{"class":622}," .\u002Fcharts\u002Fmy-service",[606,4853,669],{"class":668},[606,4855,4856,4858,4861],{"class":608,"line":491},[606,4857,3892],{"class":622},[606,4859,4860],{"class":622}," values.production.yaml",[606,4862,669],{"class":668},[606,4864,4865,4867],{"class":608,"line":499},[606,4866,3865],{"class":622},[606,4868,4869],{"class":622}," team-backend\n",[56,4871,4872,4874],{},[60,4873,1549],{"href":2137}," is an alternative without its own templating language, particularly useful when you want to stay closer to native Kubernetes manifests.",[56,4876,4877],{},"GitOps with Argo CD or Flux ensures that the cluster state always matches the Git repository. Changes aren't applied manually but triggered by commits. 
This improves traceability and significantly reduces human errors in deployments.",[71,4879,4881],{"id":4880},"when-a-paas-is-the-better-choice","When a PaaS Is the Better Choice",[56,4883,4884],{},"Kubernetes is powerful, but it comes with operational overhead. Cluster management, upgrades, security patches, network configuration, and building and maintaining the observability stack are a non-trivial package of tasks that many teams have to handle alongside actual product development.",[56,4886,4887,4888,4891,4892,4895,4896],{},"If Kubernetes infrastructure isn't core to your business, it's worth asking whether a PaaS platform, which can also help ",[60,4889,4890],{"href":333},"avoid cloud vendor lock-in",", is the better choice. Platforms like lowcloud abstract exactly this layer: teams get a deployable Kubernetes environment via a ",[60,4893,4894],{"href":486},"DevOps as a Service"," platform, without having to become cluster administrators themselves. ",[60,4897,4898],{"href":80},"What is a PaaS",[56,4900,4901],{},"That doesn't mean every application belongs on a PaaS. Teams with specific requirements for cluster configuration or existing Kubernetes expertise in the team often do well managing the cluster themselves. But for teams that want to be productive quickly, without getting lost in Kubernetes infrastructure, a PaaS is a legitimate and often underestimated option.",[479,4903],{},[56,4905,4906,4907,4910],{},"lowcloud is a Kubernetes-based PaaS platform for teams who want to run their applications reliably with minimal overhead. If you want to reduce Kubernetes complexity without giving up control over your deployments, lowcloud is worth a look. 
If your migration target includes ",[60,4908,4909],{"href":4193},"AI agent workloads in production",", that guide covers the specific infrastructure layers — orchestration, memory, and observability — those workloads require.",[1499,4912,4913],{},"",{"title":490,"searchDepth":491,"depth":491,"links":4915},[4916,4917,4921,4926,4930,4931],{"id":4471,"depth":491,"text":4472},{"id":4492,"depth":491,"text":4493,"children":4918},[4919,4920],{"id":4519,"depth":499,"text":4520},{"id":4543,"depth":499,"text":4544},{"id":4577,"depth":491,"text":4578,"children":4922},[4923,4924,4925],{"id":4584,"depth":499,"text":4585},{"id":4673,"depth":499,"text":4674},{"id":4697,"depth":499,"text":4698},{"id":4727,"depth":491,"text":4728,"children":4927},[4928,4929],{"id":4779,"depth":499,"text":4780},{"id":4806,"depth":499,"text":4807},{"id":4819,"depth":491,"text":4820},{"id":4880,"depth":491,"text":4881},"2026-04-06","A successful Kubernetes migration requires solid preparation. Learn the most common mistakes, a step-by-step approach, and when a PaaS is the better choice.",{"src":4935},"\u002Fimages\u002Fblog\u002Fkubernetes-migration.jpg",{},{"title":4456,"description":4933},"en\u002F3.blog\u002F49.kubernetes-migration-guide","S0u7bsnRo9xiPlMHolgdvIPnPbxD65RXL6TTyKMQSXs",{"id":4941,"title":4942,"authors":4943,"badge":10,"body":4946,"date":5113,"description":5114,"extension":510,"image":5115,"lastUpdated":10,"meta":5117,"navigation":14,"path":5118,"published":14,"seo":5119,"stem":5120,"tags":10,"__hash__":5121},"posts\u002Fen\u002F3.blog\u002F48.cloud-agnostic-architecture.md","Cloud Agnostic Architecture: Meaning and Trade-offs",[4944],{"name":13,"to":523,"avatar":4945},{"src":8},{"type":48,"value":4947,"toc":5096},[4948,4951,4954,4958,4961,4964,4968,4971,4974,4977,4980,4988,4991,4994,4997,5001,5004,5007,5013,5016,5019,5023,5026,5029,5032,5035,5038,5042,5045,5048,5051,5054,5062,5065,5068,5071,5079,5083,5086,5093],[56,4949,4950],{},"\"Cloud agnostic\" is one of those terms that comes up regularly in architecture reviews and technology
discussions, often without anyone clearly explaining what it actually means. The underlying idea is neither complicated nor abstract. It is about designing software architecture and infrastructure so that it does not depend on a specific cloud provider. If you build cloud agnostically, you can run your workload on AWS, Google Cloud, Azure or your own infrastructure without having to fundamentally rewrite your codebase.",[56,4952,4953],{},"This matters for one simple reason. Once you have invested deeply in the services of a single provider, switching costs you. Not just money, but also time, regression testing and rewritten integrations.",[71,4955,4957],{"id":4956},"what-cloud-agnostic-actually-means","What \"cloud agnostic\" actually means",[56,4959,4960],{},"Cloud agnostic describes a design philosophy. It is not a product, not a tool and not a magic layer that solves everything, but a decision that gets made at every architectural step. Do I rely on a standard that works everywhere, or on a managed service that only one provider offers?",[56,4962,4963],{},"In practice, this means using containers instead of provider-specific runtimes, standard databases instead of DynamoDB or Firestore, and open message brokers instead of SQS or Pub\u002FSub. This is not because proprietary services are bad, since they are often more convenient. It is because every step in that direction creates a dependency that will eventually come back to bite you.",[187,4965,4967],{"id":4966},"the-difference-between-cloud-agnostic-and-multi-cloud","The difference between cloud agnostic and multi-cloud",[56,4969,4970],{},"These terms are often confused or used interchangeably, but they are not the same.",[56,4972,4973],{},"Multi-cloud means that a company uses multiple cloud providers simultaneously, for example AWS for compute, GCP for machine learning and Azure for Microsoft workloads. 
This can happen for various reasons, such as better pricing, geographic availability or the technical strengths of individual providers.",[56,4975,4976],{},"Cloud agnostic is the prerequisite for multi-cloud to work smoothly at all. A cloud-agnostic architecture can be deployed across multiple providers without friction. An architecture that is deeply integrated with AWS-specific services is not cloud agnostic, even if it is theoretically distributed across multiple regions.",[56,4978,4979],{},"In short, multi-cloud is an operating model, while cloud agnostic is a design principle.",[71,4981,4983,4984,4987],{"id":4982},"where-vendor-lock-in-really-comes-from","Where ",[60,4985,4986],{"href":333},"vendor lock-in"," really comes from",[56,4989,4990],{},"Lock-in rarely happens through a single large decision. It usually creeps in through small, pragmatic steps, each individually reasonable but collectively a problem.",[56,4992,4993],{},"The most obvious sources are provider-specific managed services such as AWS RDS with Aurora-specific features, Google Cloud Spanner or Azure Cosmos DB. Once you build on Spanner, you will not be reproducing that on another provider any time soon.",[56,4995,4996],{},"Less obvious but equally critical are several other areas. Serverless functions like AWS Lambda, Google Cloud Functions and Azure Functions share similar concepts but have different trigger systems, configuration formats and runtime environments, so code often cannot be transferred 1:1. IAM and permission models are another sensitive point, because anyone who builds their entire access management on AWS IAM faces the task of constructing a completely new permission model when switching providers. Proprietary networking services add to this, as VPC-specific configurations, load balancer setups and DNS management differ significantly between providers. 
The same applies to monitoring and logging, since deep investment in CloudWatch, Stackdriver or Azure Monitor does not migrate easily.",[187,4998,5000],{"id":4999},"the-invisible-lock-in-traps","The invisible lock-in traps",[56,5002,5003],{},"Some services appear neutral at first glance but still create dependencies. Object storage is a good example. S3 is the de facto standard, but S3-compatible APIs have subtle differences. If you rely on S3-specific features like certain event types or lifecycle policies, you will only notice this during migration.",[56,5005,5006],{},"The same applies to Kubernetes distributions. EKS, GKE and AKS are all Kubernetes, but with different add-ons, network plugins and storage classes. Relying on these provider-specific details means your workload is not actually portable, even with Kubernetes underneath.",[71,5008,5010,5012],{"id":5009},"kubernetes-as-the-foundation-for-cloud-agnostic-architectures",[60,5011,1543],{"href":1542}," as the foundation for cloud-agnostic architectures",[56,5014,5015],{},"Kubernetes has established itself as the most practical common denominator for cloud-agnostic infrastructure. This is not just because it runs on every provider, but because the Kubernetes API itself is the standard. A Deployment, a Service or a ConfigMap works the same on EKS as on GKE, on a bare-metal cluster in a German data center, or on a local kind cluster.",[56,5017,5018],{},"This means that portability is largely guaranteed when workloads are consistently defined as Kubernetes resources and do not use provider-specific annotations or custom resources outside the Kubernetes standard.",[187,5020,5022],{"id":5021},"tools-that-enable-portability","Tools that enable portability",[56,5024,5025],{},"Kubernetes alone is not enough. A fully cloud-agnostic infrastructure requires a stack that also abstracts the infrastructure itself.",[56,5027,5028],{},"Terraform is the standard for Infrastructure as Code that works across providers. 
The same workflow can provision AWS, GCP and Azure resources, even if the provider modules differ.",[56,5030,5031],{},"Helm and Kustomize standardize the deployment of Kubernetes applications. Once packaged as a Helm chart, an application can be deployed to any cluster.",[56,5033,5034],{},"Crossplane goes one step further and brings cloud resources like databases or object storage into the cluster as Kubernetes custom resources, abstracting the underlying provider. Someone running a PostgreSQL instance via Crossplane on AWS today can provision the same resource on a different provider tomorrow without changing any application logic.",[56,5036,5037],{},"The Container Storage Interface (CSI) standard ensures that storage volumes can be mounted regardless of the provider. The same applies to the Open Container Initiative (OCI) format for container images.",[71,5039,5041],{"id":5040},"where-cloud-agnostic-architectures-hit-their-limits","Where cloud-agnostic architectures hit their limits",[56,5043,5044],{},"Portability is not free. Building consistently cloud-agnostically often means forgoing optimizations that a specific provider offers.",[56,5046,5047],{},"The clearest example is AWS Aurora, which is significantly faster than standard PostgreSQL on RDS for certain workloads. Not using Aurora to stay cloud agnostic means leaving performance on the table. The same goes for Google's BigQuery, since using standard OLAP tools does not automatically give you the same scale and performance.",[56,5049,5050],{},"The trade-off is real and should be made deliberately. For most use cases the difference is marginal. For highly specific, heavily optimized workloads it can be significant.",[56,5052,5053],{},"Another constraint is the abstraction overhead, which is non-trivial. A well-configured Crossplane setup, a clean Helm chart library and consistent IaC across multiple providers all cost effort to build and operate. 
For an early-stage startup primarily optimizing for time-to-market, this is often not the right focus. Being cloud agnostic is an investment that pays off in the long run.",[71,5055,5057,5061],{"id":5056},"data-sovereignty-as-a-driver-especially-in-europe",[60,5058,5060],{"href":5059},"\u002Fen\u002Fblog\u002Fdata-residency-vs-data-sovereignty","Data sovereignty"," as a driver, especially in Europe",[56,5063,5064],{},"For European companies, cloud-agnostic architecture has a second, increasingly important dimension, namely data sovereignty.",[56,5066,5067],{},"The GDPR and sector-specific regulations like KRITIS or the NIS2 directive place clear requirements on where data may be stored and processed. Companies deeply integrated into the infrastructure of a US hyperscaler have little flexibility when new requirements force a different solution.",[56,5069,5070],{},"Cloud-agnostic architectures restore that flexibility. If an application runs on a standardized Kubernetes stack with no proprietary dependencies on a specific provider, moving to a European or sovereign cloud provider is not a reimplementation, but a deployment to a new cluster.",[56,5072,5073,5074,5078],{},"This is especially relevant for companies in the financial, healthcare and public sectors, but also for anyone who wants to keep their infrastructure independent of political and regulatory developments in the US in the long run. The connection between ",[60,5075,5077],{"href":5076},"\u002Fen\u002Fblog\u002Fkubernetes-digital-sovereignty","Kubernetes and digital sovereignty"," becomes particularly clear here.",[71,5080,5082],{"id":5081},"how-a-paas-platform-puts-provider-independence-into-practice","How a PaaS platform puts provider independence into practice",[56,5084,5085],{},"The idea behind cloud-agnostic architecture is compelling, but implementation takes time and expertise. 
Anyone without a dedicated platform engineering team mastering Crossplane, Terraform and Kubernetes operations simultaneously will quickly hit capacity limits.",[56,5087,5088,5089,5092],{},"This is where a ",[60,5090,5091],{"href":80},"Kubernetes-based PaaS platform"," like lowcloud comes in. The platform abstracts the underlying cloud provider and gives development teams a unified interface, regardless of whether the workload runs on a German data center, a sovereign cloud provider or a hyperscaler. Deployments, monitoring, scaling and network configuration work identically.",[56,5094,5095],{},"The result is that teams work with Kubernetes-native workflows without having to deal with provider-specific details. And when requirements change, whether regulatory, economic or technical, switching providers is an operational decision and not an architectural crisis.",{"title":490,"searchDepth":491,"depth":491,"links":5097},[5098,5101,5105,5109,5110,5112],{"id":4956,"depth":491,"text":4957,"children":5099},[5100],{"id":4966,"depth":499,"text":4967},{"id":4982,"depth":491,"text":5102,"children":5103},"Where vendor lock-in really comes from",[5104],{"id":4999,"depth":499,"text":5000},{"id":5009,"depth":491,"text":5106,"children":5107},"Kubernetes as the foundation for cloud-agnostic architectures",[5108],{"id":5021,"depth":499,"text":5022},{"id":5040,"depth":491,"text":5041},{"id":5056,"depth":491,"text":5111},"Data sovereignty as a driver, especially in Europe",{"id":5081,"depth":491,"text":5082},"2026-04-05","What cloud-agnostic architecture means in practice, where vendor lock-in really occurs, and how Kubernetes enables infrastructure 
portability.",{"src":5116},"\u002Fimages\u002Fblog\u002Fcloud-agnostic.jpg",{},"\u002Fen\u002Fblog\u002Fcloud-agnostic-architecture",{"title":4942,"description":5114},"en\u002F3.blog\u002F48.cloud-agnostic-architecture","6F20hP-mDVoDuuaW2jNUMI6rYkKmEqD_nbd7lc5hR2o",{"id":5123,"title":5124,"authors":5125,"badge":10,"body":5128,"date":5113,"description":5422,"extension":510,"image":5423,"lastUpdated":10,"meta":5425,"navigation":14,"path":5426,"published":14,"seo":5427,"stem":5428,"tags":10,"__hash__":5429},"posts\u002Fen\u002F3.blog\u002F54.hetzner-kubernetes-hosting.md","Hetzner Kubernetes Hosting with lowcloud",[5126],{"name":43,"to":44,"avatar":5127},{"src":46},{"type":48,"value":5129,"toc":5408},[5130,5138,5141,5145,5148,5151,5163,5167,5170,5180,5225,5228,5232,5235,5238,5252,5255,5259,5266,5269,5286,5289,5293,5296,5319,5323,5326,5330,5337,5340,5348,5352,5355,5358,5361,5365,5368,5374,5382,5388,5391,5393,5396,5399,5405],[56,5131,5132,5137],{},[60,5133,5136],{"href":5134,"rel":5135},"https:\u002F\u002Fhetzner.com\u002F",[64],"Hetzner"," is no longer a hidden gem among developers and DevOps teams. The German data centers, NVMe SSDs, and above all the pricing have led many teams to migrate away from AWS or GCP. What Hetzner doesn't provide is a ready-made platform. Running Kubernetes on top of it means setting up, maintaining, and upgrading clusters — and that takes time most teams don't have.",[56,5139,5140],{},"lowcloud fills exactly this gap. The platform builds on Hetzner infrastructure and abstracts Kubernetes operations to the point where developers can simply deploy their applications without worrying about cluster lifecycle or node management.",[71,5142,5144],{"id":5143},"why-hetzner","Why Hetzner?",[56,5146,5147],{},"The answer is usually: cost and reliability. A dedicated server with 32 CPU cores, 128 GB RAM, and NVMe storage costs a fraction at Hetzner compared to equivalent instances on AWS or Azure. 
Cloud VMs (CCX types) offer dedicated vCPUs without noisy-neighbor issues — that makes a difference for latency-sensitive applications.",[56,5149,5150],{},"Then there's the geographic location. Hetzner operates data centers in Germany (Nuremberg, Falkenstein) and Finland. For teams in the DACH region, that means low latency and, more importantly, data processing and storage within the EU without detours.",[56,5152,5153,5156,5157,5162],{},[109,5154,5155],{},"Sustainability"," is another factor: Hetzner powers its data centers with renewable energy. For teams that need or want to meet ",[60,5158,5161],{"href":5159,"rel":5160},"https:\u002F\u002Fwww.dekra-akademie.de\u002Fcontent\u002Fesg-kriterien",[64],"ESG"," criteria, that's no minor detail.",[71,5164,5166],{"id":5165},"the-problem-with-just-hetzner","The Problem with \"Just Hetzner\"",[56,5168,5169],{},"Hetzner provides VMs and dedicated servers. Everything built on top is up to the team. That's both the strength and the problem.",[56,5171,5172,5173,5175,5176,5179],{},"Setting up ",[60,5174,1543],{"href":1542}," yourself isn't rocket science, but it is work. ",[554,5177,5178],{},"kubeadm",", network plugin, ingress controller, cert-manager, monitoring stack, log aggregation — hours pass before a production-ready environment is standing. 
Weeks pass before it runs stably and updates work without downtime.",[598,5181,5183],{"className":600,"code":5182,"language":602,"meta":490,"style":490},"# What you need to consider with your own cluster:\n# - etcd backups\n# - Node upgrades\n# - Control plane HA\n# - Network policies\n# - Ingress configuration\n# - TLS certificates\n# - Monitoring and alerting\n",[554,5184,5185,5190,5195,5200,5205,5210,5215,5220],{"__ignoreMap":490},[606,5186,5187],{"class":608,"line":609},[606,5188,5189],{"class":612},"# What you need to consider with your own cluster:\n",[606,5191,5192],{"class":608,"line":491},[606,5193,5194],{"class":612},"# - etcd backups\n",[606,5196,5197],{"class":608,"line":499},[606,5198,5199],{"class":612},"# - Node upgrades\n",[606,5201,5202],{"class":608,"line":650},[606,5203,5204],{"class":612},"# - Control plane HA\n",[606,5206,5207],{"class":608,"line":672},[606,5208,5209],{"class":612},"# - Network policies\n",[606,5211,5212],{"class":608,"line":688},[606,5213,5214],{"class":612},"# - Ingress configuration\n",[606,5216,5217],{"class":608,"line":699},[606,5218,5219],{"class":612},"# - TLS certificates\n",[606,5221,5222],{"class":608,"line":709},[606,5223,5224],{"class":612},"# - Monitoring and alerting\n",[56,5226,5227],{},"The real question is: Is this a core competency? For most product teams, the answer is no. The focus is on deploying code, not managing Kubernetes.",[187,5229,5231],{"id":5230},"why-teams-still-run-kubernetes-somehow","Why Teams Still Run Kubernetes \"Somehow\"",[56,5233,5234],{},"In practice, many product teams lack both the time and the deep operational know-how to set up Kubernetes properly and keep it stable over months. 
Day-to-day work consists of feature development, bugfixes, support, and releases — infrastructure topics get pushed back until something breaks.",[56,5236,5237],{},"This often leads to two typical patterns:",[103,5239,5240,5246],{},[106,5241,5242,5245],{},[109,5243,5244],{},"\"Quick & dirty\" in-house:"," A setup is cobbled together on the side, often without clear standards for updates, backups, monitoring, or security. As long as it runs, nobody touches it — until an upgrade, a certificate, or a node issue suddenly becomes a production blocker.",[106,5247,5248,5251],{},[109,5249,5250],{},"Outsourcing to externals:"," Agencies or freelancers set up the cluster and maintain it on an ad-hoc basis. This can help short-term but creates dependencies. Knowledge stays outside the team, response times depend on the service provider, and every change becomes a ticket.",[56,5253,5254],{},"The bottom line: Kubernetes isn't just a technical topic — it's an organizational problem. Without dedicated ops roles or a platform layer, operations permanently consume focus that most teams actually need for the product.",[71,5256,5258],{"id":5257},"what-lowcloud-contributes","What lowcloud Contributes",[56,5260,5261,5262,5265],{},"lowcloud is a ",[60,5263,5264],{"href":486},"DevOps-as-a-Service"," platform that runs Kubernetes on Hetzner infrastructure. 
This means product teams get the cost advantages of Hetzner without the operational burden of a self-managed cluster.",[56,5267,5268],{},"The platform handles:",[103,5270,5271,5274,5277,5280,5283],{},[106,5272,5273],{},"Cluster setup and updates",[106,5275,5276],{},"Network configuration and ingress",[106,5278,5279],{},"TLS certificates (automatically via Let's Encrypt)",[106,5281,5282],{},"Workload scaling",[106,5284,5285],{},"Monitoring and logging infrastructure",[56,5287,5288],{},"What the developer controls is the application itself.",[187,5290,5292],{"id":5291},"what-a-deploy-looks-like","What a Deploy Looks Like",[56,5294,5295],{},"The workflow is intentionally simple. A team connects the Git repository, defines environment variables, and deploys. No writing Kubernetes manifests. No wrestling with YAML depths.",[56,5297,5298,5299,557,5304,557,5309,5314,5315,5318],{},"For teams using CI\u002FCD, it integrates into existing pipelines. ",[60,5300,5303],{"href":5301,"rel":5302},"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Factions",[64],"GitHub Actions",[60,5305,5308],{"href":5306,"rel":5307},"https:\u002F\u002Fabout.gitlab.com\u002Fde-de\u002Ffree-trial\u002Fdevsecops\u002F?utm_medium=cpc&utm_source=google&utm_campaign=gitlab_search_de&utm_content=de_br_gitlab_pricing&&utm_term=gitlab+enterprise+preise&_bt=742593468209&_bk=gitlab+enterprise+preise&_bm=b&_bn=g&_bg=161379510140&gad_source=1&gad_campaignid=21074610213&gbraid=0AAAAADcJCbdMKBb3hO-x-_mXvPH0gDxhp&gclid=Cj0KCQjwj47OBhCmARIsAF5wUEEeZoEL8JDAYRuCSUh5KwbiAm8_yHGwhcfuWTaTblP5T-wRbgKeKeUaAl5bEALw_wcB",[64],"GitLab 
CI",[60,5310,5313],{"href":5311,"rel":5312},"https:\u002F\u002Fcircleci.com\u002Fenterprise\u002F?utm_term=circleci&utm_campaign=sem-google-dg--emea-en-brandAuth-tCPA-auth-brand&utm_source=google&utm_medium=sem&utm_content=&hsa_acc=2021276923&hsa_cam=20616025375&hsa_grp=155812226562&hsa_ad=675839591946&hsa_src=g&hsa_tgt=kwd-309807705051&hsa_kw=circleci&hsa_mt=e&hsa_net=adwords&hsa_ver=3&gad_source=1&gad_campaignid=20616025375&gbraid=0AAAAAD2FEzxS2FKDCvo-v0BBlAW9-FpNz&gclid=Cj0KCQjwj47OBhCmARIsAF5wUEFv3BT9q2uZghway_PUlem0X7HFETUGqSUKlg8URvG7-xawRamlqtEaAhZ0EALw_wcB",[64],"CircleCI",". A push to ",[554,5316,5317],{},"main"," triggers the deploy, and lowcloud takes care of rolling updates without downtime.",[187,5320,5322],{"id":5321},"what-lowcloud-manages-vs-what-the-developer-controls","What lowcloud Manages vs. What the Developer Controls",[56,5324,5325],{},"This is an important distinction. lowcloud is not a complete black-box system. It provides visibility into logs, metrics, and deployment status. What it eliminates: having to worry about the underlying Kubernetes layer. The platform keeps the cluster up-to-date and stable — that's the deal.",[71,5327,5329],{"id":5328},"hetzner-kubernetes-hosting-cost-comparison","Hetzner Kubernetes Hosting: Cost Comparison",[56,5331,5332,5333,415],{},"Concrete numbers: A typical setup for a mid-sized web application with three services, staging, and production easily costs 400–700 euros per month on AWS EKS or GKE — infrastructure alone, without ",[60,5334,5336],{"href":5335},"\u002Fen\u002Fblog\u002Fcloud-tco-hidden-costs","operational overhead",[56,5338,5339],{},"The same setup on Hetzner with lowcloud comes in at a fraction of that. Hetzner VMs are significantly cheaper than comparable instance types at hyperscalers. lowcloud charges a platform usage fee, but the total price stays well below the alternatives.",[56,5341,5342,5343,5347],{},"For startups and growing teams, this matters. 
It means working in a ",[60,5344,5346],{"href":5345},"\u002Fen\u002Fblog\u002Fmanaged-services-roi","production-ready environment"," early on without spending a disproportionate share of the budget on infrastructure.",[71,5349,5351],{"id":5350},"gdpr-and-data-sovereignty","GDPR and Data Sovereignty",[56,5353,5354],{},"This isn't a marketing argument — it's a practical one. Anyone processing personal data — and that's virtually every SaaS application — must ensure that data is processed and stored within the EU or that appropriate contracts with third-country providers are in place.",[56,5356,5357],{},"With Hetzner as the infrastructure base and lowcloud as the platform, operations stay within European jurisdiction. No data transfers to the US, less hassle with standard contractual clauses, and less need to explain to the data protection officer why customer data sits on servers in Virginia.",[56,5359,5360],{},"For teams in the public sector, healthcare, or finance, this isn't optional.",[71,5362,5364],{"id":5363},"comparison-with-alternatives","Comparison with Alternatives",[56,5366,5367],{},"Anyone looking for affordable, simple hosting also considers other providers. A brief comparison:",[56,5369,5370,5373],{},[109,5371,5372],{},"Render and Railway"," are easy to use and good for smaller projects. But they run on US infrastructure, which is a problem for GDPR-sensitive workloads. Costs also scale quickly with growing traffic.",[56,5375,5376,5381],{},[60,5377,5379],{"href":250,"rel":5378},[64],[109,5380,245],{}," offers interesting global distribution but no European data sovereignty by default, and the pricing structure is less transparent.",[56,5383,5384,5387],{},[109,5385,5386],{},"Managed Kubernetes on Hetzner itself"," (Hetzner Cloud with k3s or k8s) is possible, but you carry the operational burden yourself. 
lowcloud takes exactly that off your hands.",[56,5389,5390],{},"The key difference: lowcloud combines European infrastructure with a complete PaaS experience (built on Kubernetes). That's a niche other providers either don't occupy or don't prioritize.",[71,5392,2102],{"id":2101},[56,5394,5395],{},"Hetzner is a solid foundation for teams that want to control costs while staying in the EU. The problem has long been that you had to build on this foundation yourself. lowcloud changes that.",[56,5397,5398],{},"If a development team should focus on product development rather than Kubernetes operations, this combination is worth a close look. The cost savings compared to hyperscalers are real, GDPR compliance is built in, and the deployment workflow is as close to modern PaaS platforms as possible.",[56,5400,5401,5404],{},[109,5402,5403],{},"Try lowcloud"," on Hetzner infrastructure, in European data centers, without Kubernetes overhead.",[1499,5406,5407],{},"",{"title":490,"searchDepth":491,"depth":491,"links":5409},[5410,5411,5414,5418,5419,5420,5421],{"id":5143,"depth":491,"text":5144},{"id":5165,"depth":491,"text":5166,"children":5412},[5413],{"id":5230,"depth":499,"text":5231},{"id":5257,"depth":491,"text":5258,"children":5415},[5416,5417],{"id":5291,"depth":499,"text":5292},{"id":5321,"depth":499,"text":5322},{"id":5328,"depth":491,"text":5329},{"id":5350,"depth":491,"text":5351},{"id":5363,"depth":491,"text":5364},{"id":2101,"depth":491,"text":2102},"Run Kubernetes on Hetzner without the ops overhead: lowcloud combines affordable EU infrastructure with full cluster management for product teams.",{"src":5424},"\u002Fimages\u002Fblog\u002Fhetzner-kubernetes-hosting.jpg",{},"\u002Fen\u002Fblog\u002Fhetzner-kubernetes-hosting",{"title":5124,"description":5422},"en\u002F3.blog\u002F54.hetzner-kubernetes-hosting","H8g6si7R_XwwPevk1jioRzDW4Nt_fldalnSDp08DcKg",{"id":5431,"title":5432,"authors":5433,"badge":10,"body":5436,"date":5841,"description":5842,"extension":510,"image":5843,"lastUpdated":3942,"meta":5845,"navigation":14,"path":4315,"published":14,"seo":5846,"stem":5847,"tags":10,"__hash__":5848},"posts\u002Fen\u002F3.blog\u002F53.kubernetes-vs-docker-swarm.md","Kubernetes vs.
Docker Swarm: Key Differences and Why K8s Won",[5434],{"name":43,"to":44,"avatar":5435},{"src":46},{"type":48,"value":5437,"toc":5827},[5438,5449,5459,5461,5465,5475,5478,5481,5483,5487,5492,5495,5509,5512,5514,5518,5522,5525,5528,5532,5535,5538,5558,5561,5565,5568,5699,5702,5706,5709,5734,5737,5741,5744,5747,5749,5753,5756,5759,5762,5765,5767,5771,5774,5787,5793,5799,5805,5807,5811,5814,5821,5824],[56,5439,5440,5441,733,5444],{},"If you want to run containers in production, you need an answer to a simple question: who decides where each container runs, how it scales, and what happens when a node goes down? That's container orchestration. And two names have long been compared in this space: ",[60,5442,1543],{"href":2164,"rel":5443},[64],[60,5445,5448],{"href":5446,"rel":5447},"https:\u002F\u002Fdocs.docker.com\u002Fengine\u002Fswarm\u002F",[64],"Docker Swarm.",[56,5450,5451,5452,5455,5456,5458],{},"Kubernetes vs. Docker Swarm is no longer an academic comparison. The market has decided — but it's still worth understanding why, and when Swarm can still be a valid option. For the ",[60,5453,5454],{"href":2850},"full Docker-to-Kubernetes tooling landscape"," — including ",[554,5457,2160],{}," and Compose — see our broader comparison.",[479,5460],{},[71,5462,5464],{"id":5463},"what-is-docker-swarm","What Is Docker Swarm?",[56,5466,5467,5469,5470,5474],{},[60,5468,2628],{"href":2523}," is ",[60,5471,5473],{"href":2154,"rel":5472},[64],"Docker's"," native clustering solution. It's built directly into the Docker daemon, which makes its biggest advantage also its biggest limitation: if you know Docker, there's almost nothing new to learn. A Swarm cluster can be set up in minutes.",[56,5476,5477],{},"At its core, a Swarm consists of manager nodes and worker nodes. Managers coordinate the cluster state and distribute tasks, workers run containers. 
Configuration uses docker-compose-like stack files — most Docker developers feel right at home.",[56,5479,5480],{},"That's exactly why Swarm was attractive for a while: no new abstraction layer, no new toolchain, no steep learning curve. Just Docker, but distributed.",[479,5482],{},[71,5484,5486],{"id":5485},"what-is-kubernetes","What Is Kubernetes?",[56,5488,5489,5491],{},[60,5490,1543],{"href":1542}," has a different origin. It was created at Google as an open-source version of the internal Borg system that orchestrates Google's entire infrastructure. Since 2016, it has been maintained by the Cloud Native Computing Foundation (CNCF) and is now the most widely adopted container orchestration system in the world.",[56,5493,5494],{},"The architecture is more complex than Swarm. A Kubernetes cluster consists of:",[103,5496,5497,5503],{},[106,5498,5499,5502],{},[109,5500,5501],{},"Control Plane",": API server (central entry point), etcd (distributed key-value store for cluster state), scheduler (decides which node a pod runs on), controller manager (maintains the desired state).",[106,5504,5505,5508],{},[109,5506,5507],{},"Worker Nodes",": Running on each node — kubelet (communicates with the API server), kube-proxy (network rules), container runtime (e.g., containerd).",[56,5510,5511],{},"The fundamental unit isn't the container but the pod — a group of one or more tightly coupled containers that share a network namespace.",[479,5513],{},[71,5515,5517],{"id":5516},"kubernetes-vs-docker-swarm-the-key-differences","Kubernetes vs. Docker Swarm: The Key Differences",[187,5519,5521],{"id":5520},"architecture-and-complexity","Architecture and Complexity",[56,5523,5524],{},"Swarm is simple. That's not a value judgment — it's a technical fact. The lower complexity makes getting started easy but becomes a problem as requirements grow. 
Kubernetes has more moving parts, and for good reason.",[56,5526,5527],{},"With Kubernetes, you get fine-grained control over every aspect of deployment: ResourceRequests and ResourceLimits per container, PodDisruptionBudgets, PriorityClasses, taints and tolerations for targeted scheduling. This isn't feature overkill — these are tools that production environments sooner or later require.",[187,5529,5531],{"id":5530},"scaling-and-scheduling","Scaling and Scheduling",[56,5533,5534],{},"Docker Swarm scales services horizontally — you increase the replica count and that's it. It works, but it's manual or requires external tooling.",[56,5536,5537],{},"Kubernetes has native concepts built in for this:",[103,5539,5540,5546,5552],{},[106,5541,5542,5545],{},[109,5543,5544],{},"Horizontal Pod Autoscaler (HPA)",": Automatically scales pods based on CPU, memory, or custom metrics.",[106,5547,5548,5551],{},[109,5549,5550],{},"Vertical Pod Autoscaler (VPA)",": Automatically adjusts ResourceRequests.",[106,5553,5554,5557],{},[109,5555,5556],{},"Cluster Autoscaler",": Adds new nodes to the cluster on demand — fully automatic in cloud environments.",[56,5559,5560],{},"The Kubernetes scheduler is also significantly more mature. It considers node affinities, resource availability, spread constraints, and more. In Swarm, a task runs somewhere. In Kubernetes, it runs exactly where it belongs.",[187,5562,5564],{"id":5563},"networking","Networking",[56,5566,5567],{},"Kubernetes uses the CNI model (Container Network Interface). 
This means you choose a network plugin that fits your requirements — Calico for NetworkPolicies and security, Flannel for simplicity, Cilium for eBPF-based high-performance networking.",[598,5569,5571],{"className":1592,"code":5570,"language":1594,"meta":490,"style":490},"# NetworkPolicy example: allow only port 80 from specific pods\napiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: allow-frontend\nspec:\n  podSelector:\n    matchLabels:\n      app: backend\n  ingress:\n  - from:\n    - podSelector:\n        matchLabels:\n          app: frontend\n    ports:\n    - port: 80\n",[554,5572,5573,5578,5586,5595,5601,5610,5616,5623,5629,5639,5646,5655,5665,5672,5682,5688],{"__ignoreMap":490},[606,5574,5575],{"class":608,"line":609},[606,5576,5577],{"class":612},"# NetworkPolicy example: allow only port 80 from specific pods\n",[606,5579,5580,5582,5584],{"class":608,"line":491},[606,5581,1602],{"class":1601},[606,5583,1605],{"class":629},[606,5585,3279],{"class":622},[606,5587,5588,5590,5592],{"class":608,"line":499},[606,5589,1613],{"class":1601},[606,5591,1605],{"class":629},[606,5593,5594],{"class":622}," NetworkPolicy\n",[606,5596,5597,5599],{"class":608,"line":650},[606,5598,1790],{"class":1601},[606,5600,1630],{"class":629},[606,5602,5603,5605,5607],{"class":608,"line":672},[606,5604,1797],{"class":1601},[606,5606,1605],{"class":629},[606,5608,5609],{"class":622}," allow-frontend\n",[606,5611,5612,5614],{"class":608,"line":688},[606,5613,1807],{"class":1601},[606,5615,1630],{"class":629},[606,5617,5618,5621],{"class":608,"line":699},[606,5619,5620],{"class":1601},"  podSelector",[606,5622,1630],{"class":629},[606,5624,5625,5627],{"class":608,"line":709},[606,5626,3162],{"class":1601},[606,5628,1630],{"class":629},[606,5630,5631,5634,5636],{"class":608,"line":720},[606,5632,5633],{"class":1601},"      app",[606,5635,1605],{"class":629},[606,5637,5638],{"class":622}," 
backend\n",[606,5640,5641,5644],{"class":608,"line":859},[606,5642,5643],{"class":1601},"  ingress",[606,5645,1630],{"class":629},[606,5647,5648,5650,5653],{"class":608,"line":875},[606,5649,1635],{"class":629},[606,5651,5652],{"class":1601}," from",[606,5654,1630],{"class":629},[606,5656,5657,5660,5663],{"class":608,"line":889},[606,5658,5659],{"class":629},"    -",[606,5661,5662],{"class":1601}," podSelector",[606,5664,1630],{"class":629},[606,5666,5667,5670],{"class":608,"line":898},[606,5668,5669],{"class":1601},"        matchLabels",[606,5671,1630],{"class":629},[606,5673,5674,5677,5679],{"class":608,"line":912},[606,5675,5676],{"class":1601},"          app",[606,5678,1605],{"class":629},[606,5680,5681],{"class":622}," frontend\n",[606,5683,5684,5686],{"class":608,"line":917},[606,5685,2376],{"class":1601},[606,5687,1630],{"class":629},[606,5689,5690,5692,5695,5697],{"class":608,"line":923},[606,5691,5659],{"class":629},[606,5693,5694],{"class":1601}," port",[606,5696,1605],{"class":629},[606,5698,3079],{"class":1237},[56,5700,5701],{},"Swarm has a built-in overlay network that works out of the box. But fine-grained network rules, service meshes, or advanced traffic policies are nearly impossible to implement with it.",[187,5703,5705],{"id":5704},"storage-and-persistence","Storage and Persistence",[56,5707,5708],{},"Stateful workloads are one of the biggest challenges in container environments. 
Kubernetes addresses this with a mature storage model:",[103,5710,5711,5717,5723,5728],{},[106,5712,5713,5716],{},[109,5714,5715],{},"PersistentVolumes (PV)",": Abstraction over the actual storage backend (NFS, Ceph, cloud disks, etc.)",[106,5718,5719,5722],{},[109,5720,5721],{},"PersistentVolumeClaims (PVC)",": A pod's request for a PV",[106,5724,5725,5727],{},[109,5726,4539],{},": Dynamic provisioning of storage on demand",[106,5729,5730,5733],{},[109,5731,5732],{},"StatefulSets",": A specialized workload type for databases and other stateful applications with stable network identities",[56,5735,5736],{},"Swarm supports volumes, but the concept is far less mature. Anyone running databases in a cluster will hit Swarm's limits early.",[187,5738,5740],{"id":5739},"self-healing-and-resilience","Self-Healing and Resilience",[56,5742,5743],{},"Both systems restart failed containers. Kubernetes goes further: it detects failed health checks, removes affected pods from service load balancing before restarting them, and automatically redistributes workloads when a node fails.",[56,5745,5746],{},"Liveness probes and readiness probes are first-class citizens in Kubernetes — every deployment can be configured to define how the cluster determines a container's health. Once you've set this up properly, you won't want to go without it.",[479,5748],{},[71,5750,5752],{"id":5751},"when-does-docker-swarm-still-make-sense","When Does Docker Swarm Still Make Sense?",[56,5754,5755],{},"Honestly: in fewer and fewer situations. But they still exist.",[56,5757,5758],{},"If you have a small team that already knows Docker, runs a manageable number of services, and has no complex scaling requirements, then Swarm is faster to set up and easier to operate. For internal tools, staging environments, or small SaaS setups with static workloads, Kubernetes overhead can sometimes be hard to justify.",[56,5760,5761],{},"The problem: these situations are rarely stable. 
Workloads grow, requirements change, and migrating from Swarm to Kubernetes in the middle of a growth phase is painful. Many teams that bet on Swarm early end up regretting that decision later.",[56,5763,5764],{},"On top of that: Docker hasn't actively developed Swarm. It's not dead, but it's stagnating — while Kubernetes ships new features multiple times a year.",[479,5766],{},[71,5768,5770],{"id":5769},"why-kubernetes-became-the-standard","Why Kubernetes Became the Standard",[56,5772,5773],{},"It would be too simple to say Kubernetes won because it's better. The reality is more nuanced, but the conclusion is the same.",[56,5775,5776,5778,5779,5782,5783,5786],{},[109,5777,2679],{},": A massive ecosystem has grown around Kubernetes. ",[60,5780,5781],{"href":2021},"Helm for package management",", Argo CD for GitOps deployments, Istio or Linkerd for service meshes, ",[60,5784,5785],{"href":4125},"Prometheus and Grafana for monitoring",", cert-manager for TLS automation. Each of these tools solves a real problem that Swarm alone doesn't address.",[56,5788,5789,5792],{},[109,5790,5791],{},"Cloud support",": AWS (EKS), Google (GKE), and Azure (AKS) offer managed Kubernetes as a first-class service. Node provisioning, control plane management, updates, security patches — the cloud provider handles it all. Managed Swarm no longer exists in comparable form.",[56,5794,5795,5798],{},[109,5796,5797],{},"Community and future-proofing",": Kubernetes is developed by hundreds of companies and thousands of contributors. The CNCF ensures neutral governance. Investing in Kubernetes today means investing in a technology that will still exist in five years — that's less certain for Swarm.",[56,5800,5801,5804],{},[109,5802,5803],{},"Standardization",": Anyone who knows Kubernetes can work on any cloud provider, on-premise, and on bare metal. The knowledge is portable. 
Kubernetes has become the common denominator of the industry, simplifying collaboration, hiring, and the use of external tooling.",[479,5806],{},[71,5808,5810],{"id":5809},"what-does-this-mean-for-your-team","What Does This Mean for Your Team?",[56,5812,5813],{},"Kubernetes is the right path, but that doesn't mean getting started is easy. The learning curve is real. YAML manifests, Custom Resource Definitions, RBAC, ingress controllers, storage configuration — these are all topics you need to work through.",[56,5815,5816,5817,5820],{},"For teams that want to use Kubernetes in production without managing the entire infrastructure themselves, there's a pragmatic middle ground: Kubernetes-based ",[60,5818,5819],{"href":486},"DevOps-as-a-Service platforms",". These abstract away the complexity of cluster management without giving up the advantages of Kubernetes.",[56,5822,5823],{},"lowcloud is one such platform — built on Kubernetes, operated on European infrastructure, designed for development teams that want to focus on their applications, not on cluster management. 
If you want to use Kubernetes without building a dedicated platform team, it offers a direct path to production.",[1499,5825,5826],{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: 
var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":490,"searchDepth":491,"depth":491,"links":5828},[5829,5830,5831,5838,5839,5840],{"id":5463,"depth":491,"text":5464},{"id":5485,"depth":491,"text":5486},{"id":5516,"depth":491,"text":5517,"children":5832},[5833,5834,5835,5836,5837],{"id":5520,"depth":499,"text":5521},{"id":5530,"depth":499,"text":5531},{"id":5563,"depth":499,"text":5564},{"id":5704,"depth":499,"text":5705},{"id":5739,"depth":499,"text":5740},{"id":5751,"depth":491,"text":5752},{"id":5769,"depth":491,"text":5770},{"id":5809,"depth":491,"text":5810},"2026-04-04","Kubernetes and Docker Swarm compared: architecture, scaling, networking, and storage. Why Kubernetes became the standard and when Swarm still makes sense.",{"src":5844},"\u002Fimages\u002Fblog\u002Fkubernetes-vs-docker-swarm.jpg",{},{"title":5432,"description":5842},"en\u002F3.blog\u002F53.kubernetes-vs-docker-swarm","YChbMTmzZbDpCDsy-x4PzyIsfLQE_e9wFAh00NNhgxY",{"id":5850,"title":5851,"authors":5852,"badge":10,"body":5855,"date":6197,"description":6198,"extension":510,"image":6199,"lastUpdated":10,"meta":6201,"navigation":14,"path":6202,"published":14,"seo":6203,"stem":6204,"tags":10,"__hash__":6205},"posts\u002Fen\u002F3.blog\u002F52.lowcloud-vs-devops-service-providers.md","lowcloud vs. DevOps as a Service Providers Compared",[5853],{"name":43,"to":44,"avatar":5854},{"src":46},{"type":48,"value":5856,"toc":6186},[5857,5861,5864,5872,5876,5883,5886,5934,5937,5940,5944,5947,5950,5953,5957,5960,5965,5968,5971,5976,5979,5987,5991,5994,5998,6001,6008,6011,6015,6018,6026,6029,6033,6036,6041,6058,6061,6065,6178,6180,6183],[51,5858,5860],{"id":5859},"lowcloud-vs-devops-as-a-service-providers-whats-really-behind-the-decision","lowcloud vs. 
DevOps as a Service Providers: What's Really Behind the Decision",[56,5862,5863],{},"The question of whether to outsource DevOps or run it yourself sounds like a technical decision. In reality, it's a strategic one. Behind it lie questions about control over your own infrastructure, long-term costs, compliance requirements, and whether your team builds the necessary expertise or remains permanently dependent.",[56,5865,5866,5867,5871],{},"This article compares the model of external DevOps-as-a-Service providers with a self-operated DevOps-as-a-Service (DaaS) platform like ",[60,5868,299],{"href":5869,"rel":5870},"https:\u002F\u002Flowcloud.de",[64],". No blanket recommendation — just an honest look at both approaches.",[71,5873,5875],{"id":5874},"what-does-devops-as-a-service-actually-mean","What Does DevOps as a Service Actually Mean?",[56,5877,5878,5879,5882],{},"The term ",[60,5880,5881],{"href":486},"isn't sharply defined",". In practice, DevOps-as-a-Service providers offer different services, from setting up CI\u002FCD pipelines and monitoring to complete infrastructure management including on-call support.",[56,5884,5885],{},"Typical service components:",[103,5887,5888,5904,5925,5928,5931],{},[106,5889,5890,5891,557,5894,557,5898,5903],{},"Building and operating CI\u002FCD pipelines (",[60,5892,5303],{"href":5301,"rel":5893},[64],[60,5895,5308],{"href":5896,"rel":5897},"https:\u002F\u002Fdocs.gitlab.com\u002Fci\u002F",[64],[60,5899,5902],{"href":5900,"rel":5901},"https:\u002F\u002Fargoproj.github.io\u002Fcd\u002F",[64],"ArgoCD",")",[106,5905,5906,5909,5910,557,5915,1829,5920],{},[60,5907,1543],{"href":2164,"rel":5908},[64]," cluster management on ",[60,5911,5914],{"href":5912,"rel":5913},"https:\u002F\u002Faws.amazon.com\u002F",[64],"AWS",[60,5916,5919],{"href":5917,"rel":5918},"https:\u002F\u002Fcloud.google.com\u002F",[64],"GCP",[60,5921,5924],{"href":5922,"rel":5923},"https:\u002F\u002Fazure.microsoft.com\u002F",[64],"Azure",[106,5926,5927],{},"Monitoring, 
alerting, log aggregation",[106,5929,5930],{},"Incident response and 24\u002F7 on-call support",[106,5932,5933],{},"Security hardening and compliance documentation",[56,5935,5936],{},"It sounds appealing, especially for teams that lack DevOps expertise or need to deliver quickly. The service provider handles the complexity while the internal team focuses on application development.",[56,5938,5939],{},"So much for the theory.",[71,5941,5943],{"id":5942},"what-is-lowcloud-and-how-does-it-differ","What Is lowcloud and How Does It Differ?",[56,5945,5946],{},"lowcloud is a Kubernetes DaaS platform built on GitOps principles. Instead of hiring a service provider, your team gets a platform that abstracts Kubernetes complexity without sacrificing control or transparency.",[56,5948,5949],{},"The difference from a classic managed service or DevOps provider: the infrastructure runs on resources under your own control or on sovereign European infrastructure. There's no black box, no external hands in production systems, no dependency on an outside team for every deployment.",[56,5951,5952],{},"This model suits teams that want to build platform engineering internally without developing everything from scratch.",[71,5954,5956],{"id":5955},"cost-comparison","Cost Comparison",[56,5958,5959],{},"At first glance, external DevOps providers seem expensive. On closer inspection, the picture is more complex.",[56,5961,5962],{},[109,5963,5964],{},"Typical costs with DevOps-as-a-Service providers:",[56,5966,5967],{},"An experienced DevOps engineer as an external contractor costs between 800 and 1,400 euros per day in Germany. 
For a complete retainer model with on-call coverage, ongoing operations, and regular adjustments, monthly costs quickly reach 8,000 to 20,000 euros — depending on scope.",[56,5969,5970],{},"Then there are hidden costs: onboarding time, communication overhead, and dependencies whenever any change needs to go through the provider.",[56,5972,5973],{},[109,5974,5975],{},"Typical costs with a DaaS platform like lowcloud:",[56,5977,5978],{},"A platform subscription has predictable monthly fees. The initial effort is higher — the team needs to understand and set up the platform. After that, operational overhead drops significantly because routine tasks are handled by the platform.",[56,5980,5981,5982,5986],{},"The crucial difference: with a DaaS platform, the company invests in its own expertise. With a service provider, it ",[60,5983,5985],{"href":5984},"\u002Fen\u002Fblog\u002Fdevops-vs-devops-as-a-service","buys time that disappears"," as soon as the contract ends.",[71,5988,5990],{"id":5989},"control-transparency-and-data-sovereignty","Control, Transparency, and Data Sovereignty",[56,5992,5993],{},"This is the point where many teams only feel the difference when it's too late.",[187,5995,5997],{"id":5996},"vendor-lock-in-and-switching-costs","Vendor Lock-in and Switching Costs",[56,5999,6000],{},"External DevOps providers build infrastructure according to their own standards. That's efficient as long as the collaboration works. When the contract ends or the provider changes, the internal team faces a setup that nobody fully understands.",[56,6002,6003,6004,6007],{},"Undocumented configurations, proprietary scripts, secrets in external vaults — ",[60,6005,6006],{"href":333},"switching costs in many outsourcing models"," are systematically high. 
That's not an oversight; it's a business model.",[56,6009,6010],{},"With a self-operated DaaS platform, everything stays internal: configurations in Git, complete documentation, no knowledge that only exists in the heads of external staff.",[187,6012,6014],{"id":6013},"compliance-requirements-and-gdpr","Compliance Requirements and GDPR",[56,6016,6017],{},"For companies with stricter requirements — such as those in healthcare, financial services, or public administration — the question of who has access to production systems is not a formality.",[56,6019,6020,6021,6025],{},"Many DevOps-as-a-Service providers work with subcontractors, have teams in different countries, and require extensive access to infrastructure to do their job. This is often ",[60,6022,6024],{"href":6023},"\u002Fen\u002Fblog\u002Fcloud-act-vs-gdpr","difficult to reconcile with GDPR"," requirements or industry-specific compliance mandates.",[56,6027,6028],{},"lowcloud runs on infrastructure in German or European data centers, without external third parties needing access to production systems.",[71,6030,6032],{"id":6031},"lowcloud-when-is-the-platform-the-better-path","lowcloud: When Is the Platform the Better Path?",[56,6034,6035],{},"lowcloud is suited for teams that view infrastructure as a strategic asset — not as a necessary evil they'd rather delegate.",[56,6037,6038],{},[109,6039,6040],{},"lowcloud makes sense when:",[103,6042,6043,6046,6049,6052,6055],{},[106,6044,6045],{},"The team wants to manage Kubernetes workloads themselves without building everything from scratch",[106,6047,6048],{},"Data sovereignty and control over production systems are non-negotiable",[106,6050,6051],{},"Building long-term internal expertise is a priority",[106,6053,6054],{},"Predictable infrastructure costs matter more than maximum outsourcing flexibility",[106,6056,6057],{},"Compliance requirements restrict access by external third parties",[56,6059,6060],{},"The platform model pays off especially when the 
application landscape grows and infrastructure needs to scale with it — without every change having to be coordinated through an external provider.",[71,6062,6064],{"id":6063},"decision-guide-the-key-criteria","Decision Guide: The Key Criteria",[1305,6066,6067,6084],{},[1308,6068,6069],{},[1311,6070,6071,6075,6079],{},[1314,6072,6073],{},[109,6074,1318],{},[1314,6076,6077],{},[109,6078,4894],{},[1314,6080,6081],{},[109,6082,6083],{},"lowcloud (DaaS Platform)",[1335,6085,6086,6097,6106,6117,6128,6137,6145,6156,6167],{},[1311,6087,6088,6091,6094],{},[1340,6089,6090],{},"Infrastructure control",[1340,6092,6093],{},"Low (provider decides)",[1340,6095,6096],{},"High (own team)",[1311,6098,6099,6102,6104],{},[1340,6100,6101],{},"Initial effort",[1340,6103,1426],{},[1340,6105,1426],{},[1311,6107,6108,6111,6114],{},[1340,6109,6110],{},"Long-term costs",[1340,6112,6113],{},"High, hard to predict",[1340,6115,6116],{},"Low, predictable",[1311,6118,6119,6122,6125],{},[1340,6120,6121],{},"Internal knowledge building",[1340,6123,6124],{},"Minimal",[1340,6126,6127],{},"Yes, systematic",[1311,6129,6130,6133,6135],{},[1340,6131,6132],{},"Vendor lock-in",[1340,6134,1442],{},[1340,6136,1426],{},[1311,6138,6139,6141,6143],{},[1340,6140,5060],{},[1340,6142,1399],{},[1340,6144,4380],{},[1311,6146,6147,6150,6153],{},[1340,6148,6149],{},"Compliance (GDPR, BSI)",[1340,6151,6152],{},"Complex, often problematic",[1340,6154,6155],{},"Easy to implement",[1311,6157,6158,6161,6164],{},[1340,6159,6160],{},"Scalability",[1340,6162,6163],{},"Depends on provider",[1340,6165,6166],{},"Self-managed",[1311,6168,6169,6172,6175],{},[1340,6170,6171],{},"Best suited for",[1340,6173,6174],{},"Small teams without infra focus",[1340,6176,6177],{},"(Small) teams with sovereignty focus",[479,6179],{},[56,6181,6182],{},"If you want to run a Kubernetes environment without being permanently dependent on an external provider, lowcloud offers a platform that reduces operational overhead without giving up control. 
The model isn't right for everyone, but for teams that see infrastructure as a core competency, it's the more direct path.",[56,6184,6185],{},"If you want to know whether lowcloud fits your setup, check out the platform documentation or talk to us directly. No sales funnel, no mandatory demo — just an honest conversation about whether the model works for you.",{"title":490,"searchDepth":491,"depth":491,"links":6187},[6188,6189,6190,6191,6195,6196],{"id":5874,"depth":491,"text":5875},{"id":5942,"depth":491,"text":5943},{"id":5955,"depth":491,"text":5956},{"id":5989,"depth":491,"text":5990,"children":6192},[6193,6194],{"id":5996,"depth":499,"text":5997},{"id":6013,"depth":499,"text":6014},{"id":6031,"depth":491,"text":6032},{"id":6063,"depth":491,"text":6064},"2026-04-03","Self-managed DaaS platform or external provider? Compare costs, control, vendor lock-in, and compliance for DevOps outsourcing decisions.",{"src":6200},"\u002Fimages\u002Fblog\u002Flowcloud-vs-devops-service-providers.jpg",{},"\u002Fen\u002Fblog\u002Flowcloud-vs-devops-service-providers",{"title":5851,"description":6198},"en\u002F3.blog\u002F52.lowcloud-vs-devops-service-providers","udt6xdSvGaW2oIy-J8kYqRWN_y9VIZUclUFcVR4XLk0",{"id":6207,"title":6208,"authors":6209,"badge":10,"body":6212,"date":6573,"description":6574,"extension":510,"image":6575,"lastUpdated":3938,"meta":6577,"navigation":14,"path":5345,"published":14,"seo":6578,"stem":6579,"tags":10,"__hash__":6580},"posts\u002Fen\u002F3.blog\u002F51.managed-services-roi.md","Managed Services ROI: Why Self-Hosting Costs More Than You Think",[6210],{"name":43,"to":44,"avatar":6211},{"src":46},{"type":48,"value":6213,"toc":6556},[6214,6221,6225,6228,6232,6239,6243,6250,6253,6256,6260,6263,6267,6270,6273,6277,6301,6304,6307,6311,6314,6318,6321,6477,6480,6484,6487,6490,6494,6497,6523,6526,6530,6533,6536,6539,6543,6546,6549,6551],[56,6215,6216,6217,6220],{},"If you run Kubernetes yourself, it feels like you're staying in control and saving money. 
Managed services seem more expensive at first glance because the costs are right there on the invoice. With self-hosting, however, costs are spread across hours, outages, and missed product features – making them largely invisible. This article shows what a ",[60,6218,6219],{"href":5335},"complete TCO calculation"," looks like and when the ROI of managed services tips the scales.",[71,6222,6224],{"id":6223},"what-actually-belongs-in-the-cost-calculation","What Actually Belongs in the Cost Calculation?",[56,6226,6227],{},"The most common mistake when choosing between self-hosted and managed is an incomplete cost basis. Teams compare server costs with the monthly price of a managed service and wonder why the managed option seems more expensive.",[187,6229,6231],{"id":6230},"direct-costs-servers-licenses-tools","Direct Costs: Servers, Licenses, Tools",[56,6233,6234,6235,6238],{},"Direct costs are easy to grasp: VMs or bare-metal servers, storage, networking, load balancers, and potentially enterprise licenses for logging, monitoring, or service mesh. Add CI\u002FCD tooling, container registry, and backup infrastructure. A mid-sized Kubernetes cluster for a production application with two to three nodes quickly reaches 400–800 EUR per month for compute alone – before everything else. On ",[60,6236,6237],{"href":5426},"cost-efficient providers like Hetzner",", these numbers drop significantly.",[187,6240,6242],{"id":6241},"indirect-costs-staff-maintenance-on-call","Indirect Costs: Staff, Maintenance, On-Call",[56,6244,6245,6246,6249],{},"This is where the real problem lies. A production-ready Kubernetes cluster requires ongoing maintenance: security updates, Kubernetes version upgrades (a new minor version every three months), certificate renewals, etcd backups, and node maintenance. 
Running this in-house ties up DevOps capacity that a ",[60,6247,6248],{"href":486},"DevOps-as-a-Service provider"," would otherwise handle.",[56,6251,6252],{},"Let's do the math: A senior DevOps engineer in Germany costs 80,000–100,000 EUR per year including employer contributions, equipment, and overhead. If that engineer spends 20% of their time on cluster operations – a conservative estimate for a single production cluster – that's 16,000–20,000 EUR per year directly attributable to Kubernetes operations. Per month: 1,300–1,700 EUR.",[56,6254,6255],{},"Then there's on-call duty. If you run production systems yourself, you need an on-call rotation. In small teams, this means the same people who develop during the day can be paged at night. The exhaustion and error effects are real – and hard to put a price on until something goes wrong.",[71,6257,6259],{"id":6258},"running-kubernetes-yourself-what-it-really-means","Running Kubernetes Yourself. What It Really Means",[56,6261,6262],{},"Kubernetes is not a system you set up once and forget about. It's living infrastructure that demands continuous attention.",[187,6264,6266],{"id":6265},"the-upgrade-effort-nobody-plans-for","The Upgrade Effort Nobody Plans For",[56,6268,6269],{},"Kubernetes releases a new minor version every three months, each supported with patches for twelve months. If you don't upgrade regularly, you run into a support gap – and then a security problem. A cluster upgrade in a production environment is not a one-click operation: check add-on compatibility, account for API deprecations, upgrade test environments, create a rollback plan, coordinate maintenance windows. 
Experienced teams budget 1–2 days per upgrade cycle.",[56,6271,6272],{},"That's 4–8 engineering days per year for Kubernetes version management alone – not counting unplanned patches for critical CVEs that need to be rolled out on short notice.",[187,6274,6276],{"id":6275},"monitoring-alerting-incident-response","Monitoring, Alerting, Incident Response",[56,6278,6279,6280,6283,6284,557,6289,6294,6295,6300],{},"A production-grade ",[60,6281,6282],{"href":4125},"monitoring setup for Kubernetes"," is not an afternoon project. ",[60,6285,6288],{"href":6286,"rel":6287},"https:\u002F\u002Fprometheus.io\u002F",[64],"Prometheus",[60,6290,6293],{"href":6291,"rel":6292},"https:\u002F\u002Fgrafana.com\u002F",[64],"Grafana",", Alertmanager, ",[60,6296,6299],{"href":6297,"rel":6298},"https:\u002F\u002Fgrafana.com\u002Foss\u002Floki\u002F",[64],"Loki",", or an alternative log backend. The setup alone takes several days; ongoing maintenance is continuous. Dashboards become outdated, alerts need calibration, new services require new metrics.",[56,6302,6303],{},"And when an incident occurs? Mean time to detection (MTTD) and mean time to resolution (MTTR) depend directly on the maturity of your observability infrastructure. Poorly configured monitoring is sometimes more dangerous than none at all – because it creates a false sense of security.",[56,6305,6306],{},"Downtime costs aren't even included in most calculations. 
Yet they're often the largest single line item: one hour of downtime in an e-commerce system or SaaS application can cost thousands of euros in lost revenue, SLA penalties, or reputational damage.",[71,6308,6310],{"id":6309},"calculating-the-roi-of-managed-services-correctly","Calculating the ROI of Managed Services Correctly",[56,6312,6313],{},"A simple model helps make the numbers tangible.",[187,6315,6317],{"id":6316},"a-simple-cost-model","A Simple Cost Model",[56,6319,6320],{},"Assume a team operates a mid-sized Kubernetes cluster with three worker nodes:",[1305,6322,6323,6347],{},[1308,6324,6325],{},[1311,6326,6327,6332,6337,6342],{},[1314,6328,6329],{},[109,6330,6331],{},"Cost Item",[1314,6333,6334],{},[109,6335,6336],{},"Self-Hosted",[1314,6338,6339],{},[109,6340,6341],{},"Managed Service",[1314,6343,6344],{},[109,6345,6346],{},"Notes",[1335,6348,6349,6364,6382,6405,6420,6435,6455],{},[1311,6350,6351,6356,6359,6361],{},[1340,6352,6353],{},[109,6354,6355],{},"Infrastructure",[1340,6357,6358],{},"600 EUR",[1340,6360,6358],{},[1340,6362,6363],{},"Pure resource costs (CPU, RAM, disk).",[1311,6365,6366,6371,6374,6379],{},[1340,6367,6368],{},[109,6369,6370],{},"Management Fee",[1340,6372,6373],{},"0 EUR",[1340,6375,6376],{},[109,6377,6378],{},"350 EUR",[1340,6380,6381],{},"Provider's flat fee for operations & support.",[1311,6383,6384,6389,6392,6395],{},[1340,6385,6386],{},[109,6387,6388],{},"DevOps Staff",[1340,6390,6391],{},"1,500 EUR",[1340,6393,6394],{},"150 EUR",[1340,6396,6397,6400,6401,6404],{},[109,6398,6399],{},"Self:"," Internal expertise required. 
",[109,6402,6403],{},"Managed:"," Review\u002Fsteering only.",[1311,6406,6407,6412,6414,6417],{},[1340,6408,6409],{},[109,6410,6411],{},"Monitoring & Tools",[1340,6413,6394],{},[1340,6415,6416],{},"included",[1340,6418,6419],{},"Licenses for logging, metrics & alerting systems.",[1311,6421,6422,6427,6430,6432],{},[1340,6423,6424],{},[109,6425,6426],{},"Maintenance & Upgrades",[1340,6428,6429],{},"300 EUR",[1340,6431,6416],{},[1340,6433,6434],{},"Time spent on security patches & version updates.",[1311,6436,6437,6442,6445,6447],{},[1340,6438,6439],{},[109,6440,6441],{},"On-Call (24\u002F7)",[1340,6443,6444],{},"250 EUR",[1340,6446,6416],{},[1340,6448,6449,6451,6452,6454],{},[109,6450,6399],{}," Internal risk\u002Fallowances. ",[109,6453,6403],{}," Contractually guaranteed SLA.",[1311,6456,6457,6462,6467,6472],{},[1340,6458,6459],{},[109,6460,6461],{},"Total (monthly)",[1340,6463,6464],{},[109,6465,6466],{},"2,800 EUR",[1340,6468,6469],{},[109,6470,6471],{},"1,100 EUR",[1340,6473,6474],{},[109,6475,6476],{},"Savings of approx. 60% with managed.",[56,6478,6479],{},"The numbers are indicative and depend heavily on the team and complexity, but they show the order of magnitude the difference can reach. The ROI of managed services doesn't come from comparing list prices – it comes from comparing real total costs.",[187,6481,6483],{"id":6482},"opportunity-cost-what-your-team-could-be-doing-instead","Opportunity Cost: What Your Team Could Be Doing Instead",[56,6485,6486],{},"The hardest factor to quantify – but often the most important – is opportunity cost. Time a DevOps engineer spends on Kubernetes upgrades, alerting tuning, or node debugging is time not spent on product features, better developer experience, or strategic infrastructure projects.",[56,6488,6489],{},"In a five-person team spending 30% of its capacity on platform operations, that's 1.5 full-time equivalents. What could that team build in that time? 
For growth-oriented companies, this isn't a rhetorical question – it's a strategic one.",[71,6491,6493],{"id":6492},"when-self-hosting-still-makes-sense","When Self-Hosting Still Makes Sense",[56,6495,6496],{},"Managed services aren't a silver bullet. There are scenarios where self-hosting is the right call:",[103,6498,6499,6505,6511,6517],{},[106,6500,6501,6504],{},[109,6502,6503],{},"Very specific hardware requirements"," that no managed provider supports (e.g., proprietary GPUs, specialized network stacks)",[106,6506,6507,6510],{},[109,6508,6509],{},"Regulatory requirements"," that explicitly mandate physical control over hardware (rare, but they exist)",[106,6512,6513,6516],{},[109,6514,6515],{},"Deliberate competency building",": When a company intentionally wants to build platform expertise in-house and treats the costs as an investment",[106,6518,6519,6522],{},[109,6520,6521],{},"Very high workloads"," where self-hosting becomes cheaper at a certain scale – though this applies to very few companies",[56,6524,6525],{},"The critical distinction: These decisions should be made deliberately and with full cost transparency – not based on a gut feeling that self-hosting is \"cheaper.\"",[71,6527,6529],{"id":6528},"compliance-and-security-who-bears-the-responsibility","Compliance and Security: Who Bears the Responsibility?",[56,6531,6532],{},"One aspect rarely discussed in TCO debates: the compliance burden. If you run Kubernetes yourself, you're responsible for security updates, CVE patching, audit logs, encryption, access controls, and documenting all of it – relevant for GDPR, BSI baseline protection, ISO 27001, or industry-specific requirements.",[56,6534,6535],{},"This means not just technical effort but also documentation and accountability obligations. Auditors ask about processes, responsibilities, and evidence. 
This takes time – and in regulated industries, the effort can be substantial.",[56,6537,6538],{},"A qualified managed service takes on a large share of this responsibility and typically provides certifications and documentation as part of the package. This isn't just convenience – it's genuine risk transfer.",[71,6540,6542],{"id":6541},"conclusion-managed-services-as-a-strategic-decision","Conclusion: Managed Services as a Strategic Decision",[56,6544,6545],{},"The question isn't \"managed or self-hosted?\" but rather \"What's the real price of each option, and what do we want to spend our time on?\" When you run a complete TCO calculation, the result in most cases differs from the intuitive comparison of server prices.",[56,6547,6548],{},"The ROI of managed services isn't just about saving euros – it's about gaining capacity for product development, stability, and the work your team is actually there to do. Running infrastructure is not a competitive advantage. What runs on it is.",[479,6550],{},[56,6552,6553,6555],{},[109,6554,299],{}," offers a DevOps-as-a-Service platform with managed Kubernetes at its core, built on sovereign European infrastructure – no vendor lock-in, clear SLAs, and full focus on data protection under German and European law. 
If you want to find out whether switching makes sense, you can have your own infrastructure compared with a concrete offer.",{"title":490,"searchDepth":491,"depth":491,"links":6557},[6558,6562,6566,6570,6571,6572],{"id":6223,"depth":491,"text":6224,"children":6559},[6560,6561],{"id":6230,"depth":499,"text":6231},{"id":6241,"depth":499,"text":6242},{"id":6258,"depth":491,"text":6259,"children":6563},[6564,6565],{"id":6265,"depth":499,"text":6266},{"id":6275,"depth":499,"text":6276},{"id":6309,"depth":491,"text":6310,"children":6567},[6568,6569],{"id":6316,"depth":499,"text":6317},{"id":6482,"depth":499,"text":6483},{"id":6492,"depth":491,"text":6493},{"id":6528,"depth":491,"text":6529},{"id":6541,"depth":491,"text":6542},"2026-04-02","A full TCO comparison of self-hosted vs. managed Kubernetes. Why running your own cluster often costs 60% more than expected – with a concrete cost model.",{"src":6576},"\u002Fimages\u002Fblog\u002Fmanaged-services-roi.jpg",{},{"title":6208,"description":6574},"en\u002F3.blog\u002F51.managed-services-roi","Ocb_BZTCjbvAn6wVndukAdBE8c7jr_btKJAxF0yyikI",{"id":6582,"title":6583,"authors":6584,"badge":10,"body":6587,"date":6920,"description":6921,"extension":510,"image":6922,"lastUpdated":10,"meta":6924,"navigation":14,"path":6925,"published":14,"seo":6926,"stem":6927,"tags":10,"__hash__":6928},"posts\u002Fen\u002F3.blog\u002F47.data-governance-act-devops-guide.md","Data Governance Act: What SMBs and DevOps Teams Need to Know",[6585],{"name":43,"to":44,"avatar":6586},{"src":46},{"type":48,"value":6588,"toc":6909},[6589,6592,6596,6599,6602,6622,6625,6629,6632,6640,6644,6647,6666,6669,6673,6676,6679,6683,6686,6689,6695,6723,6729,6809,6815,6830,6834,6837,6840,6846,6852,6858,6861,6865,6868,6900,6903,6906],[56,6590,6591],{},"The Data Governance Act has been binding across the EU since September 2023, yet unlike the GDPR, it barely registers on the radar of technical teams. That's a mistake. 
The DGA has direct implications for how companies share, manage, and retain data within their infrastructure. Ignoring it doesn't just risk compliance issues — it leads to architecture decisions that become expensive to reverse later on.",[71,6593,6595],{"id":6594},"what-the-data-governance-act-covers-and-what-it-doesnt","What the Data Governance Act Covers — and What It Doesn't",[56,6597,6598],{},"The DGA is not a data protection law. It complements the GDPR but doesn't override it. While the GDPR governs the protection of personal data, the DGA addresses something different: it creates the legal and organizational framework for data sharing between companies, public bodies, and individuals across the EU.",[56,6600,6601],{},"Specifically, the DGA defines three core areas:",[103,6603,6604,6610,6616],{},[106,6605,6606,6609],{},[109,6607,6608],{},"Re-use of public sector data"," — under what conditions government-held data can be used for commercial or scientific purposes",[106,6611,6612,6615],{},[109,6613,6614],{},"Data intermediation services"," — neutral intermediaries that facilitate data exchange between providers and users without having their own economic interest in the data",[106,6617,6618,6621],{},[109,6619,6620],{},"Data altruism"," — organizations that collect and make data available for the common good",[56,6623,6624],{},"This sounds abstract, but it has tangible consequences the moment your company shares data with partners, uses external data services, or acts as a data intermediary itself.",[187,6626,6628],{"id":6627},"how-it-differs-from-the-data-act","How It Differs from the Data Act",[56,6630,6631],{},"A common misconception: the Data Governance Act and the Data Act are often mentioned together but are fundamentally different. The DGA governs the structures — who is allowed to share data and under what conditions. 
The Data Act governs the rights — who is entitled to access data generated through the use of products and services.",[56,6633,6634,6635,6639],{},"Put simply: the DGA builds the road, the Data Act determines who gets to drive on it. Both frameworks need to be considered together — the ",[60,6636,6638],{"href":6637},"\u002Fen\u002Fblog\u002Feu-data-act-business-devops","Data Act and its implications for DevOps"," are covered in a separate article.",[71,6641,6643],{"id":6642},"who-the-data-governance-act-directly-affects","Who the Data Governance Act Directly Affects",[56,6645,6646],{},"At first glance, the DGA seems like a topic for public authorities and large data intermediation platforms. That's only partly true. Directly affected are:",[103,6648,6649,6655,6660],{},[106,6650,6651,6654],{},[109,6652,6653],{},"Public bodies"," that make protected data (e.g., health, mobility, or financial data) available for re-use",[106,6656,6657,6659],{},[109,6658,6614],{}," that act as neutral marketplaces between data providers and users — they must register with national authorities",[106,6661,6662,6665],{},[109,6663,6664],{},"Data altruism organizations"," that collect data for public interest purposes",[56,6667,6668],{},"For SMBs and DevOps teams, the DGA applies indirectly but still noticeably: anyone sourcing or sharing data through a certified data intermediary must meet the technical and contractual requirements of these intermediaries. And anyone running their own services on infrastructure that could be classified as a data intermediary should take a close look at whether a registration obligation applies.",[71,6670,6672],{"id":6671},"data-governance-act-and-deployment-what-changes-for-devops","Data Governance Act and Deployment: What Changes for DevOps",[56,6674,6675],{},"The technical dimension of the DGA is often overlooked. 
Yet it's particularly relevant for DevOps teams because it directly impacts architecture decisions.",[56,6677,6678],{},"The core principle: anyone managing or intermediating data under the DGA must be able to demonstrate where that data resides, who accesses it, and how it's protected. This isn't a new concept, but the DGA gives it a new regulatory framework — with consequences for Kubernetes deployments.",[187,6680,6682],{"id":6681},"implementing-data-sovereignty-in-practice","Implementing Data Sovereignty in Practice",[56,6684,6685],{},"Data classification within the cluster is the first step. Which workloads process data that could fall under the DGA? This might include data from public sources, data from partners via a data intermediary, or your own data that you share through such a service.",[56,6687,6688],{},"Concrete technical measures that become relevant in this context:",[56,6690,6691,6694],{},[109,6692,6693],{},"Namespace isolation:"," Sensitive workloads belong in dedicated namespaces with clear RBAC rules. It's not rocket science, but many teams don't do it consistently.",[598,6696,6698],{"className":600,"code":6697,"language":602,"meta":490,"style":490},"kubectl create namespace data-regulated\nkubectl apply -f rbac-data-regulated.yaml\n",[554,6699,6700,6712],{"__ignoreMap":490},[606,6701,6702,6704,6706,6709],{"class":608,"line":609},[606,6703,1570],{"class":618},[606,6705,797],{"class":622},[606,6707,6708],{"class":622}," namespace",[606,6710,6711],{"class":622}," data-regulated\n",[606,6713,6714,6716,6718,6720],{"class":608,"line":491},[606,6715,1570],{"class":618},[606,6717,1277],{"class":622},[606,6719,2746],{"class":622},[606,6721,6722],{"class":622}," rbac-data-regulated.yaml\n",[56,6724,6725,6728],{},[109,6726,6727],{},"Network policies:"," By default, all pods in a Kubernetes cluster can communicate with each other. For regulated data, that's a problem. 
An explicit default-deny policy combined with allowed exceptions is mandatory:",[598,6730,6732],{"className":1592,"code":6731,"language":1594,"meta":490,"style":490},"apiVersion: networking.k8s.io\u002Fv1\nkind: NetworkPolicy\nmetadata:\n  name: default-deny-all\n  namespace: data-regulated\nspec:\n  podSelector: {}\n  policyTypes:\n  - Ingress\n  - Egress\n",[554,6733,6734,6742,6750,6756,6765,6774,6780,6789,6796,6802],{"__ignoreMap":490},[606,6735,6736,6738,6740],{"class":608,"line":609},[606,6737,1602],{"class":1601},[606,6739,1605],{"class":629},[606,6741,3279],{"class":622},[606,6743,6744,6746,6748],{"class":608,"line":491},[606,6745,1613],{"class":1601},[606,6747,1605],{"class":629},[606,6749,5594],{"class":622},[606,6751,6752,6754],{"class":608,"line":499},[606,6753,1790],{"class":1601},[606,6755,1630],{"class":629},[606,6757,6758,6760,6762],{"class":608,"line":650},[606,6759,1797],{"class":1601},[606,6761,1605],{"class":629},[606,6763,6764],{"class":622}," default-deny-all\n",[606,6766,6767,6770,6772],{"class":608,"line":672},[606,6768,6769],{"class":1601},"  namespace",[606,6771,1605],{"class":629},[606,6773,6711],{"class":622},[606,6775,6776,6778],{"class":608,"line":688},[606,6777,1807],{"class":1601},[606,6779,1630],{"class":629},[606,6781,6782,6784,6786],{"class":608,"line":699},[606,6783,5620],{"class":1601},[606,6785,1605],{"class":629},[606,6787,6788],{"class":629}," {}\n",[606,6790,6791,6794],{"class":608,"line":709},[606,6792,6793],{"class":1601},"  policyTypes",[606,6795,1630],{"class":629},[606,6797,6798,6800],{"class":608,"line":720},[606,6799,1635],{"class":629},[606,6801,3288],{"class":622},[606,6803,6804,6806],{"class":608,"line":859},[606,6805,1635],{"class":629},[606,6807,6808],{"class":622}," Egress\n",[56,6810,6811,6814],{},[109,6812,6813],{},"Audit logging:"," To ensure traceability of data access, you need centralized logging at the API server level. 
If you don't have this in place yet, set it up — not just because of the DGA, but as a general best practice.",[56,6816,6817,6820,6821,6824,6825,6829],{},[109,6818,6819],{},"Infrastructure choice:"," If your cluster runs on a US hyperscaler, you have a structural problem. US providers are subject to the ",[60,6822,6823],{"href":6023},"CLOUD Act",", which potentially grants American authorities access to data regardless of whether the servers are physically located in the EU. For deployments falling under the DGA, European infrastructure with clear legal sovereignty isn't optional — it's a must. For why this requires ",[60,6826,6828],{"href":6827},"\u002Fen\u002Fblog\u002Fcloud-sovereignty-governance","board-level cloud governance",", not just technical fixes, see our dedicated analysis.",[71,6831,6833],{"id":6832},"data-governance-act-for-smbs-obligations-and-opportunities","Data Governance Act for SMBs: Obligations and Opportunities",[56,6835,6836],{},"SMBs face a particular challenge: they have fewer resources for compliance but are affected just as much as larger companies. The DGA makes no exception here — there are no explicit SMB exemptions.",[56,6838,6839],{},"What SMBs should do:",[56,6841,6842,6845],{},[109,6843,6844],{},"Map your data flows:"," What data comes in from outside, goes out, and through which services? Many SMBs don't have this overview — that's the first problem to solve.",[56,6847,6848,6851],{},[109,6849,6850],{},"Classify the services you use:"," Are external data sources or services registered data intermediaries under the DGA? This affects how contracts need to be structured.",[56,6853,6854,6857],{},[109,6855,6856],{},"Technical implementation:"," Not every SMB runs Kubernetes. But anyone using cloud-based services should understand where their data resides and what control they have over it. 
A platform that operates natively on sovereign EU infrastructure takes a large part of this burden off your shoulders.",[56,6859,6860],{},"On the flip side, the DGA also creates opportunities. The EU is building European Data Spaces — sector-specific data ecosystems for health, mobility, energy, and other domains. SMBs that position themselves early can access data pools that were previously out of reach.",[71,6862,6864],{"id":6863},"first-steps-toward-dga-compliance-in-practice","First Steps Toward DGA Compliance in Practice",[56,6866,6867],{},"No company needs to overhaul everything overnight. But having a clear starting point helps:",[3976,6869,6870,6876,6882,6888,6894],{},[106,6871,6872,6875],{},[109,6873,6874],{},"Document data flows"," — Which systems process what data? Where does it come from, where does it go?",[106,6877,6878,6881],{},[109,6879,6880],{},"Audit external services"," — Are the data intermediation or data altruism services you use registered in compliance with the DGA?",[106,6883,6884,6887],{},[109,6885,6886],{},"Evaluate your infrastructure"," — Where do the workloads that process regulated data run? Is the location legally sovereign?",[106,6889,6890,6893],{},[109,6891,6892],{},"Establish technical baselines"," — Set up network policies, RBAC, and audit logging as a foundation",[106,6895,6896,6899],{},[109,6897,6898],{},"Review contracts"," — Clarify with data suppliers and recipients what DGA obligations arise from the collaboration",[56,6901,6902],{},"This isn't a massive project if you approach it step by step. The biggest mistake would be to ignore the topic entirely just because there's no wave of fines yet.",[56,6904,6905],{},"lowcloud operates Kubernetes infrastructure exclusively in sovereign European data centers — with no US hyperscalers in the stack. 
For teams that need DGA-compliant deployments without building an entire infrastructure themselves, it's a practical starting point.",[1499,6907,6908],{},"html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sMK4o, html code.shiki 
.sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}",{"title":490,"searchDepth":491,"depth":491,"links":6910},[6911,6914,6915,6918,6919],{"id":6594,"depth":491,"text":6595,"children":6912},[6913],{"id":6627,"depth":499,"text":6628},{"id":6642,"depth":491,"text":6643},{"id":6671,"depth":491,"text":6672,"children":6916},[6917],{"id":6681,"depth":499,"text":6682},{"id":6832,"depth":491,"text":6833},{"id":6863,"depth":491,"text":6864},"2026-04-01","The EU Data Governance Act affects technical teams too. Learn what the DGA means for your Kubernetes deployments, data flows, and infrastructure choices.",{"src":6923},"\u002Fimages\u002Fblog\u002Fdata-governance-act-devops-guide.jpg",{},"\u002Fen\u002Fblog\u002Fdata-governance-act-devops-guide",{"title":6583,"description":6921},"en\u002F3.blog\u002F47.data-governance-act-devops-guide","ADUIDUW_qqMERodIiYftEMQcqeqD4n3kAP7A4A8jOR0",{"id":6930,"title":6931,"authors":6932,"badge":10,"body":6935,"date":7264,"description":7265,"extension":510,"image":7266,"lastUpdated":6920,"meta":7268,"navigation":14,"path":6637,"published":14,"seo":7269,"stem":7270,"tags":10,"__hash__":7271},"posts\u002Fen\u002F3.blog\u002F46.eu-data-act-business-devops.md","EU Data Act: What Businesses and DevOps Teams Need to Know",[6933],{"name":43,"to":44,"avatar":6934},{"src":46},{"type":48,"value":6936,"toc":7249},[6937,6940,6947,6951,6965,6968,6971,6975,6978,6981,6998,7001,7021,7036,7040,7043,7063,7066,7070,7073,7079,7085,7091,7095,7098,7112,7115,7119,7127,7135,7138,7142,7145,7151,7157,7163,7169,7173,7176,7179,7182,7186,7189,7195,7198,7201,7204,7208,7211,7217,7223,7229,7235,7241,7244,7246],[56,6938,6939],{},"The EU Data Act has been legally binding since September 2025, and most companies are still in the early stages of coming to terms with it. That's not a criticism — it's a reality check. 
The law is complex, its impact varies widely depending on company size and cloud setup, and many of the concrete technical consequences are buried in the fine print.",[56,6941,6942,6943,6946],{},"This article explains what the ",[109,6944,6945],{},"EU Data Act"," actually demands of businesses — without legalese, but without downplaying the rigor of the requirements either. If you operate, use, or develop cloud services, you should understand what's changing.",[71,6948,6950],{"id":6949},"what-the-eu-data-act-is-and-why-it-matters-now","What the EU Data Act Is and Why It Matters Now",[56,6952,1701,6953,6958,6959,6964],{},[60,6954,6957],{"href":6955,"rel":6956},"https:\u002F\u002Fbmds.bund.de\u002Fthemen\u002Fdigitale-wirtschaft\u002Fdata-act",[64],"Data Act"," is an EU regulation that entered into force in June 2023 and has been fully applicable since September 2025. It complements the ",[60,6960,6963],{"href":6961,"rel":6962},"https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FDE\u002FTXT\u002FHTML\u002F?uri=CELEX:32022R0868",[64],"Data Governance Act"," and pursues a clear goal: data should be more accessible, shareable, and portable — between companies, between providers, and between users.",[56,6966,6967],{},"The core idea: whoever generates or holds data shouldn't automatically have exclusive access to it. Whoever uses data should be able to switch providers or take their data with them.",[56,6969,6970],{},"That sounds like data policy. But the specific requirements are deeply technical — and that's exactly why they end up on DevOps teams' desks sooner or later.",[71,6972,6974],{"id":6973},"what-the-data-governance-act-is","What the Data Governance Act Is",[56,6976,6977],{},"The Data Governance Act (DGA) is the \"predecessor\u002Fframework law\" in the European data package. 
It has been in force since 2022 and primarily establishes rules and structures for how data may be shared — trust, roles, and mechanisms.",[56,6979,6980],{},"In simple terms:",[103,6982,6983,6989],{},[106,6984,1701,6985,6988],{},[109,6986,6987],{},"DGA"," creates the framework so that data sharing can work properly (who can mediate, how is trust organized, how are data spaces enabled?).",[106,6990,1701,6991,6993,6994,6997],{},[109,6992,6957],{}," then specifically ",[2186,6995,6996],{},"requires"," data to be accessible and portable, and reduces lock-in, particularly with cloud services.",[56,6999,7000],{},"Key building blocks of the DGA:",[103,7002,7003,7009,7015],{},[106,7004,7005,7008],{},[109,7006,7007],{},"Data intermediary services:"," Neutral \"data trustees\" that enable data sharing without exploiting the data themselves.",[106,7010,7011,7014],{},[109,7012,7013],{},"Data altruism:"," Rules for how data can be voluntarily made available for public interest purposes (e.g., research).",[106,7016,7017,7020],{},[109,7018,7019],{},"European data spaces:"," A legal\u002Forganizational framework for sector-specific data spaces (health, mobility, industry, etc.).",[56,7022,7023,7024,7027,7028,7031,7032,7035],{},"For businesses, the DGA is often less of a \"DevOps backlog item\" than the Data Act, but it's the strategic umbrella: it shows that the EU is ",[2186,7025,7026],{},"institutionalizing"," data sharing, which means more requirements (and opportunities) around interoperability, governance, and portability in the long run. ",[60,7029,7030],{"href":6925},"In our dedicated guide to the Data Governance Act",", we cover what the DGA means for DevOps teams. 
",[60,7033,7034],{"href":6827},"Our article on cloud sovereignty governance"," covers the broader governance implications.",[187,7037,7039],{"id":7038},"scope-who-does-the-data-act-affect","Scope: Who Does the Data Act Affect?",[56,7041,7042],{},"The Data Act affects three groups:",[3976,7044,7045,7051,7057],{},[106,7046,7047,7050],{},[109,7048,7049],{},"Manufacturers of connected products"," — IoT devices, machines, vehicles, any device that generates data",[106,7052,7053,7056],{},[109,7054,7055],{},"Cloud and data service providers"," — SaaS, PaaS, IaaS",[106,7058,7059,7062],{},[109,7060,7061],{},"Data holders in B2B contexts"," — companies that hold data from connected products or services and must make it available to others",[56,7064,7065],{},"If none of these apply to you, the core regulation affects you less directly. But: almost every company that uses cloud services is indirectly affected as a customer, because the provider must meet the switching requirements.",[71,7067,7069],{"id":7068},"the-three-core-obligations-businesses-need-to-know","The Three Core Obligations Businesses Need to Know",[56,7071,7072],{},"The Data Act can be broken down into three central requirements:",[56,7074,7075,7078],{},[109,7076,7077],{},"1. Data access:"," Users of connected products and services must have access to the data they generate — in real time, without disproportionate barriers.",[56,7080,7081,7084],{},[109,7082,7083],{},"2. Data portability:"," Data must be exportable in a structured, machine-readable format. This applies not only to personal data under GDPR, but also to usage, operational, and machine data.",[56,7086,7087,7090],{},[109,7088,7089],{},"3. 
Provider switching:"," Cloud providers must actively enable customers to switch to another provider — both technically and contractually.",[187,7092,7094],{"id":7093},"provider-switching-must-be-technically-possible","Provider Switching Must Be Technically Possible",[56,7096,7097],{},"The Data Act requires cloud providers to facilitate switching to another provider. That sounds abstract, but the implications are very concrete:",[103,7099,7100,7103,7106,7109],{},[106,7101,7102],{},"Export interfaces must exist and be documented",[106,7104,7105],{},"Data formats must be portable — no exclusive proprietary formats without a migration path",[106,7107,7108],{},"Contractual lock-in clauses that hinder switching must be limited",[106,7110,7111],{},"The switching process itself must be technically supported",[56,7113,7114],{},"For DevOps teams, this means: if you offer or operate cloud services, you need to ensure that customer data is exportable. Not as a workaround, but as a documented, testable process.",[187,7116,7118],{"id":7117},"the-end-of-egress-fees","The End of Egress Fees",[56,7120,7121,7122,7126],{},"One point that's particularly relevant in practice: the Data Act provides for data export fees (so-called egress fees) to be phased out gradually. By September 2027, they should be eliminated entirely. ",[60,7123,7125],{"href":7124},"\u002Fen\u002Fblog\u002Fcloud-egress-fees","In our article on cloud egress fees",", we took a deeper look at this topic.",[56,7128,7129,7130,7134],{},"This is a direct response to a common practice: hyperscalers have historically made data exports expensive — not because it's technically necessary, but because it discourages customers from switching. 
",[60,7131,5914],{"href":7132,"rel":7133},"https:\u002F\u002Faws.amazon.com\u002Fde\u002Ffree\u002F?trk=e0c8e0e1-c8e1-4be3-af52-da7fd94810cd&sc_channel=ps&ef_id=CjwKCAjwyYPOBhBxEiwAgpT8P8hPYx5soED5QlLONlWXEsOPRuXRzlfJJmdCRzOwoDbmnNuuJaLElxoCqggQAvD_BwE:G:s&s_kwcid=AL!4422!3!798550574377!e!!g!!aws%20services!23606219756!193209716386&gad_campaignid=23606219756&gbraid=0AAAAADjHtp8_pJIm28H21JTth_V_wy6Gm&gclid=CjwKCAjwyYPOBhBxEiwAgpT8P8hPYx5soED5QlLONlWXEsOPRuXRzlfJJmdCRzOwoDbmnNuuJaLElxoCqggQAvD_BwE",[64],", for example, charges per GB of outgoing traffic. If you hold large amounts of data in the cloud, you pay when switching — or with every data use outside the provider.",[56,7136,7137],{},"From 2027 onwards, this is no longer tenable under EU regulation.",[71,7139,7141],{"id":7140},"eu-data-act-and-devops-what-changes-in-practice","EU Data Act and DevOps: What Changes in Practice",[56,7143,7144],{},"Compliance requirements are often stated abstractly. That's why it makes sense to translate them into concrete technical decisions.",[56,7146,7147,7150],{},[109,7148,7149],{},"API design:"," If you develop services that hold or process data, check whether your export APIs are documented, stable, and machine-readable. Not as an afterthought, but as part of the service design.",[56,7152,7153,7156],{},[109,7154,7155],{},"Infrastructure as Code:"," When infrastructure is described through IaC tools like Terraform or Helm, switching is fundamentally easier — provided you don't rely on provider-specific resource types without alternatives. Kubernetes-native workloads have an advantage here.",[56,7158,7159,7162],{},[109,7160,7161],{},"Data pipelines:"," Where is data stored, in what format, and how can it be extracted? 
These are questions that will be asked in a Data Act audit — and ones you should have answered during the design phase.",[56,7164,7165,7168],{},[109,7166,7167],{},"Documentation:"," Compliance doesn't just mean being technically compliant — it means being able to prove it. Which data is stored where, who has access, and how does the export process work? This must be documented and verifiable.",[187,7170,7172],{"id":7171},"interoperability-as-a-technical-requirement","Interoperability as a Technical Requirement",[56,7174,7175],{},"The Data Act explicitly requires data services to be interoperable. In concrete terms: interfaces should be based on open standards — no proprietary protocols without a documented alternative.",[56,7177,7178],{},"For the cloud world, this is an interesting signal. If you use Kubernetes, S3-compatible storage APIs, and avoid proprietary managed services, you're in a better regulatory position — not because you had regulation in mind, but because open standards simply make more technical sense.",[56,7180,7181],{},"Gaia-X-compliant platforms and Kubernetes-based solutions have structural advantages here over solutions that rely heavily on proprietary APIs.",[71,7183,7185],{"id":7184},"hyperscalers-vs-open-platforms-who-has-the-upper-hand","Hyperscalers vs. Open Platforms: Who Has the Upper Hand?",[56,7187,7188],{},"This is one of the more interesting questions around the Data Act — and the answer isn't straightforward.",[56,7190,7191,7192,415],{},"Hyperscalers like AWS, Azure, and GCP have the resources to implement compliance requirements. They will. But their starting position is complicated: their architecture is historically designed for customer retention. Proprietary services, deep integrations, egress fees — that's not an accident, it's ",[60,7193,7194],{"href":333},"strategically designed vendor lock-in",[56,7196,7197],{},"The Data Act forces them to dismantle some of these barriers. 
Whether this actually leads to more portability or whether lock-in mechanisms simply shift elsewhere remains to be seen.",[56,7199,7200],{},"Open platforms — those built on Kubernetes, open storage standards, and documented APIs — have a different starting point. They aren't designed for lock-in by default. That makes compliance easier because the technical foundation is a better fit.",[56,7202,7203],{},"For companies choosing or switching providers, this is a real decision factor: with which provider is Data Act-compliant infrastructure easier to implement?",[71,7205,7207],{"id":7206},"what-companies-should-do-now","What Companies Should Do Now",[56,7209,7210],{},"No company needs to restructure everything immediately. But some things should be addressed now:",[56,7212,7213,7216],{},[109,7214,7215],{},"Audit your data holdings:"," What data is stored where, in what format, and who has access? This is the foundation for everything else.",[56,7218,7219,7222],{},[109,7220,7221],{},"Check export capability:"," Can customer data be exported from your systems in a format that can be reused? If not: that's a concrete risk.",[56,7224,7225,7228],{},[109,7226,7227],{},"Contract review:"," Cloud contracts should be checked for lock-in clauses. Existing contracts may need to be adjusted before deadlines expire.",[56,7230,7231,7234],{},[109,7232,7233],{},"API documentation:"," If you offer services, make sure export and interoperability APIs are documented and testable.",[56,7236,7237,7240],{},[109,7238,7239],{},"Clarify internal responsibilities:"," Data Act compliance isn't purely a legal task. It has a strong technical component. DevOps teams should be involved in the assessment.",[56,7242,7243],{},"The Data Act isn't GDPR 2.0. It's more technical, more focused on cloud and connected systems, and it hits companies at a different point in their infrastructure. 
Those who understand this early can approach compliance as a design challenge rather than a box-ticking exercise.",[479,7245],{},[56,7247,7248],{},"lowcloud is a Kubernetes DevOps-as-a-Service platform built on open standards — no proprietary dependencies, with S3-compatible storage and documented APIs. For companies looking to run Data Act-compliant infrastructure, it's a solid starting point.",{"title":490,"searchDepth":491,"depth":491,"links":7250},[7251,7252,7255,7259,7262,7263],{"id":6949,"depth":491,"text":6950},{"id":6973,"depth":491,"text":6974,"children":7253},[7254],{"id":7038,"depth":499,"text":7039},{"id":7068,"depth":491,"text":7069,"children":7256},[7257,7258],{"id":7093,"depth":499,"text":7094},{"id":7117,"depth":499,"text":7118},{"id":7140,"depth":491,"text":7141,"children":7260},[7261],{"id":7171,"depth":499,"text":7172},{"id":7184,"depth":491,"text":7185},{"id":7206,"depth":491,"text":7207},"2026-03-31","The EU Data Act has been in effect since 2025. What it means for cloud services, data portability, and DevOps — and what companies should do now.",{"src":7267},"\u002Fimages\u002Fblog\u002Feu-data-act-business-devops.jpg",{},{"title":6931,"description":7265},"en\u002F3.blog\u002F46.eu-data-act-business-devops","b2SNITqcYMD_zOXxyULkmJjTATQXpRMZsrRj6_iWTPk",{"id":7273,"title":7274,"authors":7275,"badge":10,"body":7278,"date":7615,"description":7616,"extension":510,"image":7617,"lastUpdated":10,"meta":7619,"navigation":14,"path":7620,"published":14,"seo":7621,"stem":7622,"tags":10,"__hash__":7623},"posts\u002Fen\u002F3.blog\u002F45.smb-software-deployment.md","Software Deployment for SMBs: How Small Teams Ship Faster",[7276],{"name":43,"to":44,"avatar":7277},{"src":46},{"type":48,"value":7279,"toc":7600},[7280,7283,7287,7295,7303,7307,7315,7318,7322,7325,7328,7332,7335,7361,7376,7380,7386,7395,7398,7402,7405,7436,7439,7443,7449,7452,7478,7481,7501,7509,7513,7516,7519,7531,7535,7538,7541,7544,7548,7551,7554,7586,7589,7595,7597],[56,7281,7282],{},"Many 
SMBs spend more time deploying software than developing it. The reason is rarely a lack of skill — it's processes that grew organically and were never optimized for speed. That can be fixed without building a platform engineering team.",[71,7284,7286],{"id":7285},"why-slow-deployments-cost-more-than-they-save","Why Slow Deployments Cost More Than They Save",[56,7288,7289,7290,7294],{},"A bug fix that takes three days to reach the customer isn't a technical problem. It's a business problem. Every hour between finished code and a live system is an hour where bugs stay visible, features go unused, and developers wait for feedback instead of moving forward. This is the ",[60,7291,7293],{"href":7292},"\u002Fen\u002Fblog\u002Fdeployment-bottleneck","deployment bottleneck"," many teams face today.",[56,7296,7297,7298,7302],{},"In typical SMB environments, deployment looks something like this: a developer builds locally, uploads an archive via FTP, logs into the server via SSH, and restarts the service — a pattern with ",[60,7299,7301],{"href":7300},"\u002Fen\u002Fblog\u002Fmanual-deployment-risks","well-documented risks",". If it doesn't work, troubleshooting begins. It costs time, creates stress, and means the more frequently you deploy, the more effort it takes. A direct incentive to deploy less often.",[187,7304,7306],{"id":7305},"the-typical-patterns-in-smbs","The Typical Patterns in SMBs",[56,7308,7309,7310,7314],{},"The problem rarely lies with individuals. It lies with ",[60,7311,7313],{"href":7312},"\u002Fen\u002Fblog\u002Fdevops-problems-smb","missing structures",". When nobody has built a deployment pipeline because \"it's worked so far,\" you end up with a system that's acceptable for a few releases per month but breaks down as soon as multiple teams or services are involved.",[56,7316,7317],{},"Then there's the fear of the deploy button. When deployments are manual and there's no rollback option, every rollout is a small gamble. 
This fear slows everything down — not just the technology, but the entire development culture.",[71,7319,7321],{"id":7320},"cicd-for-smbs-what-it-actually-means","CI\u002FCD for SMBs: What It Actually Means",[56,7323,7324],{},"Continuous Integration (CI) and Continuous Delivery (CD) sound like enterprise infrastructure, but at their core they're a simple idea: every code commit automatically triggers a chain — tests run, a build is created, the result lands in the target environment. No human intervention required.",[56,7326,7327],{},"For an SMB, this doesn't necessarily mean Kubernetes, multi-cluster setups, or a dedicated platform team. It means a pipeline that is deterministic and repeatable. When the same steps always produce the same result, deployment becomes boring — and boring is exactly what you want.",[187,7329,7331],{"id":7330},"what-a-good-pipeline-needs-to-do","What a Good Pipeline Needs to Do",[56,7333,7334],{},"A solid CI\u002FCD pipeline for an SMB doesn't need much:",[3976,7336,7337,7343,7349,7355],{},[106,7338,7339,7342],{},[109,7340,7341],{},"Automated tests"," — unit tests, at minimum smoke tests. No deploy without green tests.",[106,7344,7345,7348],{},[109,7346,7347],{},"Reproducible builds"," — container images are the way to go. Built once, deployable anywhere.",[106,7350,7351,7354],{},[109,7352,7353],{},"Automated deployment"," — to staging first, then production, ideally with a manual approval step for critical environments.",[106,7356,7357,7360],{},[109,7358,7359],{},"Rollback mechanism"," — the previous image must be active again in under five minutes.",[56,7362,7363,7364,557,7367,1829,7370,7375],{},"Tools like ",[60,7365,5303],{"href":5301,"rel":7366},[64],[60,7368,5308],{"href":5896,"rel":7369},[64],[60,7371,7374],{"href":7372,"rel":7373},"https:\u002F\u002Fwoodpecker-ci.org\u002F",[64],"Woodpecker CI"," cover this. 
Free, manageable in small teams, with solid documentation.",[71,7377,7379],{"id":7378},"kubernetes-and-paas-the-difference-between-effort-and-value","Kubernetes and PaaS: The Difference Between Effort and Value",[56,7381,7382,7385],{},[60,7383,1543],{"href":2164,"rel":7384},[64]," is the foundation of most modern deployment infrastructure. But running Kubernetes yourself is expensive. Cluster upgrades, networking configuration, storage classes, RBAC, monitoring — these are all topics a small team can't handle on the side.",[56,7387,7388,7389,7394],{},"This is exactly where a ",[109,7390,7391],{},[60,7392,7393],{"href":80},"PaaS platform"," (Platform as a Service) comes in. Instead of managing a Kubernetes cluster yourself, the development team gets a preconfigured environment where they can deploy applications — without worrying about the underlying infrastructure.",[56,7396,7397],{},"That sounds like a minor simplification. In practice, it's a difference of weeks to months of setup effort.",[187,7399,7401],{"id":7400},"what-a-paas-platform-takes-off-your-plate","What a PaaS Platform Takes Off Your Plate",[56,7403,7404],{},"A well-built PaaS platform handles:",[103,7406,7407,7413,7418,7424,7430],{},[106,7408,7409,7412],{},[109,7410,7411],{},"Cluster management and upgrades"," — Kubernetes versions are updated without downtime",[106,7414,7415,7417],{},[109,7416,5564],{}," — ingress, TLS certificates, internal service discovery",[106,7419,7420,7423],{},[109,7421,7422],{},"Scaling"," — Horizontal Pod Autoscaler works out of the box",[106,7425,7426,7429],{},[109,7427,7428],{},"Baseline monitoring"," — metrics and logs are immediately available without setting up Prometheus yourself",[106,7431,7432,7435],{},[109,7433,7434],{},"Access management"," — teams get isolated namespaces without needing Kubernetes expertise",[56,7437,7438],{},"For an SMB, this means developers can focus on their applications. 
The platform solves the infrastructure problems.",[71,7440,7442],{"id":7441},"devops-as-a-service-paas-plus-implementation-operations-and-accountability","DevOps as a Service: PaaS Plus Implementation, Operations, and Accountability",[56,7444,7445,7446,7448],{},"A ",[60,7447,4894],{"href":486}," platform extends the PaaS approach with what still falls through the cracks at many SMBs: ongoing implementation, operations, and continuous optimization by an external team.",[56,7450,7451],{},"While a PaaS platform productizes the standard case (provisioning, deployments, scaling, baseline observability), DevOps as a Service typically also covers:",[103,7453,7454,7460,7466,7472],{},[106,7455,7456,7459],{},[109,7457,7458],{},"Pipeline and platform engineering \"done for you\":"," CI\u002FCD, GitOps setup, Helm\u002FKustomize, release processes.",[106,7461,7462,7465],{},[109,7463,7464],{},"Operations & incident response:"," monitoring, alerting, on-call, troubleshooting, postmortems.",[106,7467,7468,7471],{},[109,7469,7470],{},"Security & compliance work:"," hardening, policies, patch management, audits\u002Fdocs.",[106,7473,7474,7477],{},[109,7475,7476],{},"Migrations & edge cases:"," legacy workloads, custom integrations, non-standard deployments.",[56,7479,7480],{},"The advantages are clear, especially when speed matters more than internal enablement in the short term:",[103,7482,7483,7489,7495],{},[106,7484,7485,7488],{},[109,7486,7487],{},"Fast start:"," results in days instead of weeks, without immediate DevOps hires.",[106,7490,7491,7494],{},[109,7492,7493],{},"Experienced execution:"," best practices come built in.",[106,7496,7497,7500],{},[109,7498,7499],{},"Day-to-day relief:"," fewer interruptions for the dev team, less production stress.",[56,7502,7503,7504,7508],{},"The trade-off: the more that's solved through people, the more likely you are to create dependency, coordination overhead, and variable costs. 
That's exactly why the sweet spot for many teams is PaaS as a standard product plus DevOps as a Service for the rest. This is where DevOps-as-a-Service platforms like ",[60,7505,299],{"href":7506,"rel":7507},"https:\u002F\u002Flowcloud.io",[64]," come in.",[71,7510,7512],{"id":7511},"gitops-as-a-workflow-push-to-deploy-without-magic","GitOps as a Workflow: Push to Deploy Without Magic",[56,7514,7515],{},"GitOps isn't a tool — it's a principle: the Git repository is the single source of truth for the state of infrastructure and applications. Every change, whether a new feature, configuration update, or rollback, happens as a commit in Git.",[56,7517,7518],{},"For an SMB, this has a practical advantage: there's no separate \"deploy process\" anymore. Push to the main branch, the pipeline runs, the application is updated. The deployment log is the Git history — traceable, reversible, visible to everyone on the team.",[56,7520,7363,7521,2283,7525,7530],{},[60,7522,7524],{"href":5900,"rel":7523},[64],"Argo CD",[60,7526,7529],{"href":7527,"rel":7528},"https:\u002F\u002Ffluxcd.io\u002F",[64],"Flux"," synchronize the desired state from Git with the actual state in the Kubernetes cluster. If the cluster deviates — say someone changed something manually — the system corrects itself automatically.",[71,7532,7534],{"id":7533},"safety-net-rollbacks-and-canary-deployments","Safety Net: Rollbacks and Canary Deployments",[56,7536,7537],{},"Deploying faster doesn't mean taking on more risk. It means making the risk per deployment smaller — through more frequent, smaller changes and through mechanisms that catch problems early.",[56,7539,7540],{},"A rollback in the container context means: the previous image tag is set active again. Kubernetes executes this as a rolling update — zero downtime, familiar process. 
With a properly configured pipeline, you can execute a rollback in less than a minute.",[56,7542,7543],{},"Canary deployments go a step further: a new release initially receives only a small percentage of traffic. If error rate and latency stay normal, the system gradually rolls out. If problems arise, it automatically falls back. This isn't a concept reserved for large enterprises — it's a risk minimization strategy that makes particular sense for SMBs, because errors in production are expensive.",[71,7545,7547],{"id":7546},"where-smbs-can-start-today","Where SMBs Can Start Today",[56,7549,7550],{},"The most common mistake when trying to speed up deployments: too much at once. Kubernetes, CI\u002FCD, GitOps, monitoring — all in one sprint. The result is a half-finished setup that nobody understands and everyone finds frustrating.",[56,7552,7553],{},"A sensible starting point looks like this:",[3976,7555,7556,7562,7568,7574,7580],{},[106,7557,7558,7561],{},[109,7559,7560],{},"Step 1: Containerization"," — every application gets a Dockerfile. If you don't have a Docker build yet, start here.",[106,7563,7564,7567],{},[109,7565,7566],{},"Step 2: Simple CI pipeline"," — GitHub Actions or GitLab CI build the image on every commit. 
Tests run automatically.",[106,7569,7570,7573],{},[109,7571,7572],{},"Step 3: Managed deployment target"," — instead of running Kubernetes yourself, the team uses a PaaS platform that manages the cluster.",[106,7575,7576,7579],{},[109,7577,7578],{},"Step 4: Introduce a GitOps workflow"," — deployments happen through commits, not manual commands.",[106,7581,7582,7585],{},[109,7583,7584],{},"Step 5: Document and test the rollback process"," — try it once before you need it.",[56,7587,7588],{},"Following this path, you can go from manual deployments to a fully automated workflow within a few weeks — without hiring a platform team.",[56,7590,7591,7594],{},[109,7592,7593],{},"Realistic timeline:"," An experienced developer can implement steps 1 through 3 in one to two weeks if the application is already containerizable. Steps 4 and 5 follow in the second iteration.",[479,7596],{},[56,7598,7599],{},"If you want to skip the infrastructure part, you can start with lowcloud — a Kubernetes DevOps-as-a-Service platform built specifically for teams that aren't Kubernetes experts. The platform handles cluster management, networking, and baseline observability so developers can focus on their applications. 
This significantly reduces the barrier to entry and lets you keep the focus where it belongs: on the code.",{"title":490,"searchDepth":491,"depth":491,"links":7601},[7602,7605,7608,7611,7612,7613,7614],{"id":7285,"depth":491,"text":7286,"children":7603},[7604],{"id":7305,"depth":499,"text":7306},{"id":7320,"depth":491,"text":7321,"children":7606},[7607],{"id":7330,"depth":499,"text":7331},{"id":7378,"depth":491,"text":7379,"children":7609},[7610],{"id":7400,"depth":499,"text":7401},{"id":7441,"depth":491,"text":7442},{"id":7511,"depth":491,"text":7512},{"id":7533,"depth":491,"text":7534},{"id":7546,"depth":491,"text":7547},"2026-03-30","How small teams move from manual deployments to automated workflows using CI\u002FCD, PaaS, and GitOps — without building a platform team.",{"src":7618},"\u002Fimages\u002Fblog\u002Fsmb-software-deployment.jpg",{},"\u002Fen\u002Fblog\u002Fsmb-software-deployment",{"title":7274,"description":7616},"en\u002F3.blog\u002F45.smb-software-deployment","L7dfS1O5-MwXr7C48CD-9TyapkcW-f8cg3bxzMbpLE8",{"id":7625,"title":7626,"authors":7627,"badge":10,"body":7630,"date":7912,"description":7913,"extension":510,"image":7914,"lastUpdated":6920,"meta":7916,"navigation":14,"path":413,"published":14,"seo":7917,"stem":7918,"tags":10,"__hash__":7919},"posts\u002Fen\u002F3.blog\u002F42.bring-your-own-cloud.md","Bring Your Own Cloud: What the Model Means and Why It",[7628],{"name":13,"to":523,"avatar":7629},{"src":8},{"type":48,"value":7631,"toc":7900},[7632,7635,7639,7642,7645,7648,7651,7655,7658,7662,7665,7668,7671,7674,7678,7681,7692,7695,7699,7702,7705,7719,7730,7737,7741,7744,7835,7838,7845,7849,7852,7855,7858,7861,7868,7872,7875,7878,7881,7884,7887,7890,7894,7897],[56,7633,7634],{},"Bring Your Own Cloud is not a marketing term that explains itself. If you encounter it for the first time, you might think it is yet another cloud flavor alongside public, private, and hybrid. 
In reality, BYOC describes a fundamentally different software delivery model — and it solves a problem that has been waiting for a solution in regulated industries for years. Anyone running software in heavily regulated environments knows the dilemma: modern SaaS tools with comfortable operations, but no control over where the data ends up.",[71,7636,7638],{"id":7637},"what-is-bring-your-own-cloud","What Is Bring Your Own Cloud?",[56,7640,7641],{},"In the classic SaaS model, the vendor deploys its software in its own infrastructure. The customer gets access via an API or web interface — the underlying servers, databases, and network components are all on the vendor's side. Simple, scalable, but also: data control belongs to the vendor.",[56,7643,7644],{},"Bring Your Own Cloud flips this relationship. The vendor deploys its software into the customer's cloud account. Data never leaves the customer's own infrastructure. The vendor still retains responsibility for operations, updates, and support — which clearly distinguishes BYOC from classic self-hosting.",[56,7646,7647],{},"Self-hosting means: you download the software, install it on your infrastructure, and are responsible for everything yourself. BYOC means: the vendor continues to handle the operational part but deploys into your environment instead of their own.",[56,7649,7650],{},"That sounds like a minor technical detail, but in practice it makes a substantial difference — especially for companies operating under strict data protection or compliance requirements.",[71,7652,7654],{"id":7653},"how-does-bring-your-own-cloud-work-technically","How Does Bring Your Own Cloud Work Technically?",[56,7656,7657],{},"BYOC is not a single protocol or standard but an architectural pattern. 
The concrete implementation varies by vendor, but a basic structure has emerged.",[187,7659,7661],{"id":7660},"control-plane-and-data-plane-the-most-important-distinction","Control Plane and Data Plane: The Most Important Distinction",[56,7663,7664],{},"The core of BYOC is the separation between Control Plane and Data Plane.",[56,7666,7667],{},"The Control Plane belongs to the vendor. Configuration logic, orchestration, monitoring, and the APIs through which the customer interacts with the service all run here. It is typically hosted in the vendor's infrastructure but has only minimal, tightly defined access paths into the customer account.",[56,7669,7670],{},"The Data Plane runs in the customer's cloud account. This is where the actual workloads flow, where data is processed and stored. The vendor typically has no direct data access — they can only transmit configuration instructions via the Control Plane.",[56,7672,7673],{},"This separation is what makes BYOC possible in the first place: the vendor can develop and operate their service without ever needing direct access to customer data.",[187,7675,7677],{"id":7676},"typical-deployment-mechanisms","Typical Deployment Mechanisms",[56,7679,7680],{},"How does the software get into the customer account? The most common methods:",[103,7682,7683,7686,7689],{},[106,7684,7685],{},"Kubernetes Operator: The vendor provides an operator deployed into the customer's cluster. 
The operator communicates with the vendor's Control Plane and maintains the desired state of the deployment resources.",[106,7687,7688],{},"Helm Charts: For simpler setups, Helm charts are delivered that the customer installs into their own cluster.",[106,7690,7691],{},"Terraform Modules: For full infrastructure-as-code setups that provision cloud resources and Kubernetes workloads together.",[56,7693,7694],{},"After installation, the operator registers with the Control Plane, and from that point the vendor can roll out deployments, updates, and configuration changes — without needing direct access to your cluster.",[71,7696,7698],{"id":7697},"who-needs-byoc-and-why-now","Who Needs BYOC — and Why Now?",[56,7700,7701],{},"The short answer: everyone who works with sensitive data and does not want to build their own platform team.",[56,7703,7704],{},"In practice, this mainly means companies from heavily regulated industries:",[103,7706,7707,7710,7713,7716],{},[106,7708,7709],{},"Financial services firms operating under MiFID II, DORA, or national banking regulations that often require data to be held explicitly in certain regions or under their own control.",[106,7711,7712],{},"Healthcare providers for whom HIPAA, GDPR, or similar frameworks set clear requirements for data storage.",[106,7714,7715],{},"Government agencies and public institutions that generally cannot process data outside their own or certified infrastructure.",[106,7717,7718],{},"Telecommunications companies that must keep network data under their own control.",[56,7720,7721,7722,7724,7725,7729],{},"But pressure is increasing beyond these classic industries too. European enterprise customers now routinely ask about data localization during SaaS purchasing decisions. NIS2 and the ",[60,7723,6945],{"href":6637}," are making the topic binding for more companies. 
For a practical guide to ",[60,7726,7728],{"href":7727},"\u002Fen\u002Fblog\u002Fsovereign-cloud-saas-data-control","evaluating how sovereign a SaaS provider really is",", including a ready-to-use checklist, see our dedicated analysis.",[56,7731,7732,7733,7736],{},"What makes BYOC relevant right now: ",[60,7734,7735],{"href":1542},"Kubernetes has established itself"," as the de facto standard for container-based workloads. This means portable deployments are no longer a technical challenge. An operator running on GKE today runs on an on-premises cluster tomorrow — as long as both speak Kubernetes. This portability was the fundamental prerequisite for BYOC moving beyond theory.",[71,7738,7740],{"id":7739},"byoc-vs-classic-saas-vs-self-hosted","BYOC vs. Classic SaaS vs. Self-hosted",[56,7742,7743],{},"To put the model in context, a direct comparison helps:",[1305,7745,7746,7761],{},[1308,7747,7748],{},[1311,7749,7750,7752,7755,7758],{},[1314,7751,1318],{},[1314,7753,7754],{},"Classic SaaS",[1314,7756,7757],{},"BYOC",[1314,7759,7760],{},"Self-hosted",[1335,7762,7763,7776,7789,7799,7810,7821],{},[1311,7764,7765,7768,7771,7774],{},[1340,7766,7767],{},"Data storage",[1340,7769,7770],{},"At vendor",[1340,7772,7773],{},"At customer",[1340,7775,7773],{},[1311,7777,7778,7781,7784,7786],{},[1340,7779,7780],{},"Operations & updates",[1340,7782,7783],{},"Vendor",[1340,7785,7783],{},[1340,7787,7788],{},"Customer",[1311,7790,7791,7793,7795,7797],{},[1340,7792,6090],{},[1340,7794,7783],{},[1340,7796,7788],{},[1340,7798,7788],{},[1311,7800,7801,7804,7806,7808],{},[1340,7802,7803],{},"Compliance suitability",[1340,7805,1399],{},[1340,7807,1442],{},[1340,7809,1442],{},[1311,7811,7812,7815,7817,7819],{},[1340,7813,7814],{},"Operational effort",[1340,7816,6124],{},[1340,7818,1426],{},[1340,7820,1442],{},[1311,7822,7823,7826,7829,7832],{},[1340,7824,7825],{},"Time-to-value",[1340,7827,7828],{},"Very fast",[1340,7830,7831],{},"Fast",[1340,7833,7834],{},"Slow",[56,7836,7837],{},"BYOC 
combines the operational advantages of SaaS (someone else handles operations) with the data control of self-hosting. That is not a compromise — for many use cases it is the best of both worlds.",[56,7839,7840,7841,7844],{},"The catch: BYOC is more complex to build and operate for the vendor than classic multi-tenant SaaS. It requires a cleanly separated architecture, monitoring across customer accounts, and clear processes for updates in isolated environments. Not every vendor can or wants to deliver this. For teams evaluating whether a BYOC model genuinely protects against ",[60,7842,7843],{"href":333},"cloud platform lock-in",", the architecture of the vendor's control plane is the decisive factor.",[71,7846,7848],{"id":7847},"what-bring-your-own-cloud-means-for-kubernetes-platforms","What Bring Your Own Cloud Means for Kubernetes Platforms",[56,7850,7851],{},"Kubernetes is no coincidence in this development. The entire BYOC architecture builds on properties that Kubernetes provides out of the box:",[56,7853,7854],{},"Portability: A Helm chart or operator runs on any conformant Kubernetes cluster — whether AWS EKS, Google GKE, Azure AKS, or an on-premises setup with k3s. Deployment code does not need to be rewritten for each cloud provider.",[56,7856,7857],{},"Declarative management: Kubernetes resources describe the desired state. An operator can manage this state remotely without needing direct cluster access — it writes manifests, the cluster executes them.",[56,7859,7860],{},"RBAC and network policies: Kubernetes provides the tools to precisely restrict an operator's access scope. The vendor operator gets exactly the permissions it needs — nothing more.",[56,7862,7863,7864,7867],{},"For ",[60,7865,7866],{"href":80},"Kubernetes-based PaaS vendors"," building on Kubernetes, BYOC is a logical extension of the product model. Platform logic remains centrally manageable while the execution environment becomes flexible. 
Customers who previously could not use cloud PaaS for regulatory reasons suddenly become reachable.",[71,7869,7871],{"id":7870},"what-to-look-for-in-a-byoc-vendor","What to Look For in a BYOC Vendor",[56,7873,7874],{},"Not every BYOC offering is equal. Anyone evaluating the model should ask a few concrete questions:",[56,7876,7877],{},"Isolation: How is the Control Plane separated from the customer network? What network paths exist between the vendor and the customer account — and who controls them?",[56,7879,7880],{},"Access model: Does the vendor technically have the ability to access customer data — or is that architecturally excluded? A clean BYOC design should guarantee the latter.",[56,7882,7883],{},"Compliance certifications: What certifications does the vendor hold? SOC 2 Type II, ISO 27001, BSI C5 — depending on the industry, these are not optional extras but requirements.",[56,7885,7886],{},"Update process: Who decides when updates are rolled out? With BYOC, the customer should at least be able to control the time window.",[56,7888,7889],{},"Support model: How does the vendor debug problems if they have no direct data access? A good BYOC vendor has structured processes for this — logs are shared by the customer on request, not automatically collected.",[71,7891,7893],{"id":7892},"byoc-on-a-kubernetes-paas-platform","BYOC on a Kubernetes PaaS Platform",[56,7895,7896],{},"Anyone operating or evaluating a Kubernetes-based PaaS platform will find BYOC a model that pairs well with the platform approach. Platform intelligence — scheduling, autoscaling, deployment pipelines, observability — stays centrally managed and continuously developed. The execution environment, on the other hand, can sit entirely in the customer's own account.",[56,7898,7899],{},"On lowcloud, exactly this model can be implemented: the platform handles operational complexity while workloads run in your own cloud infrastructure. 
Anyone who wants to understand what a BYOC setup based on Kubernetes looks like in practice will find a good starting point in the documentation and in conversations with the team.",{"title":490,"searchDepth":491,"depth":491,"links":7901},[7902,7903,7907,7908,7909,7910,7911],{"id":7637,"depth":491,"text":7638},{"id":7653,"depth":491,"text":7654,"children":7904},[7905,7906],{"id":7660,"depth":499,"text":7661},{"id":7676,"depth":499,"text":7677},{"id":7697,"depth":491,"text":7698},{"id":7739,"depth":491,"text":7740},{"id":7847,"depth":491,"text":7848},{"id":7870,"depth":491,"text":7871},{"id":7892,"depth":491,"text":7893},"2026-03-29","BYOC is not just another cloud flavor — it is a fundamentally different software delivery model: the vendor deploys into your infrastructure. What that means technically and who needs it.",{"src":7915},"\u002Fimages\u002Fblog\u002Fbring-your-own-cloud.jpg",{},{"title":7626,"description":7913},"en\u002F3.blog\u002F42.bring-your-own-cloud","0jjq_olbK5Q11uCuJhzUMCR2FVi27r3uE4gCHNvp-RQ",{"id":7921,"title":7922,"authors":7923,"badge":10,"body":7926,"date":7912,"description":8178,"extension":510,"image":8179,"lastUpdated":10,"meta":8181,"navigation":14,"path":8182,"published":14,"seo":8183,"stem":8184,"tags":10,"__hash__":8185},"posts\u002Fen\u002F3.blog\u002F44.minimalist-cloud-architecture.md","Minimalist Cloud Architecture: Why Less Complexity Means More Stability",[7924],{"name":43,"to":44,"avatar":7925},{"src":46},{"type":48,"value":7927,"toc":8165},[7928,7933,7936,7940,7943,7946,7972,7975,7979,7982,7985,7989,7992,7995,8006,8010,8013,8016,8020,8023,8029,8039,8056,8062,8066,8069,8075,8081,8087,8091,8094,8100,8106,8112,8118,8124,8128,8131,8134,8137,8140,8144,8147,8150,8158,8160],[56,7929,7445,7930,7932],{},[60,7931,1543],{"href":1542}," cluster with eight different operators, three separate service mesh implementations, and a CI\u002FCD pipeline that nobody can understand without documentation. 
This isn't an extreme example – it's the norm at many companies that migrated to the cloud over the past few years. The problem isn't the technology. It's the unspoken assumption that more components equal more capability.",[56,7934,7935],{},"Minimalist cloud architecture flips that assumption on its head.",[71,7937,7939],{"id":7938},"complexity-is-not-a-sign-of-maturity","Complexity Is Not a Sign of Maturity",[56,7941,7942],{},"There's a well-documented reflex in development teams: when a new technology exists and solves a real problem, it gets adopted – even when the existing problem is already solved. The result is infrastructure born from a genuine desire to do things well, but whose operational burden eventually outweighs every other benefit.",[56,7944,7945],{},"Complexity has real costs that show up in daily work:",[103,7947,7948,7954,7960,7966],{},[106,7949,7950,7953],{},[109,7951,7952],{},"Longer incident response times."," When five systems are involved in a single request, troubleshooting takes five times as long.",[106,7955,7956,7959],{},[109,7957,7958],{},"Difficult onboarding."," New team members need weeks to understand what's actually happening.",[106,7961,7962,7965],{},[109,7963,7964],{},"Cognitive overhead."," Anyone working with ten different abstractions every day makes more mistakes.",[106,7967,7968,7971],{},[109,7969,7970],{},"Growing security attack surface."," Every additional component is a potential attack vector.",[56,7973,7974],{},"The difference between good and bad architecture isn't the number of technologies in use. It's whether every component delivers clearly measurable value that justifies its maintenance cost.",[71,7976,7978],{"id":7977},"what-minimalist-cloud-architecture-actually-means","What Minimalist Cloud Architecture Actually Means",[56,7980,7981],{},"Minimalism in the cloud doesn't mean giving up scalability or running a single container on a single server. 
It means deliberately deciding which parts of a system are truly needed – and leaving out the rest.",[56,7983,7984],{},"That sounds trivial. In practice, it's hard, because leaving things out requires active decisions, while adding things is usually the path of least resistance.",[187,7986,7988],{"id":7987},"the-principle-of-minimal-footprint","The Principle of Minimal Footprint",[56,7990,7991],{},"Every component in an architecture must answer one question: what happens if we remove it? If the answer is \"not much\" or \"we're not sure,\" that's a signal. A good architecture review asks exactly these questions on a regular basis – not during the initial design, but every few months, because systems change and components that were necessary yesterday may be redundant today.",[56,7993,7994],{},"In concrete terms, this means:",[103,7996,7997,8000,8003],{},[106,7998,7999],{},"No sidecar that doesn't deliver actively used data",[106,8001,8002],{},"No operator whose custom resources nobody on the team touches daily",[106,8004,8005],{},"No managed service whose added value can't be translated into reduced operational effort",[187,8007,8009],{"id":8008},"managed-services-simplification-or-hidden-complexity","Managed Services: Simplification or Hidden Complexity?",[56,8011,8012],{},"Managed services are often marketed as the solution to complexity. That's sometimes true. A managed database service eliminates backup management, patching, and failover configuration. That's real simplification.",[56,8014,8015],{},"But managed services can also just shift complexity around. 
When a team uses five different managed services, each with its own configuration language, monitoring endpoints, and IAM concepts, the overall system is more complex than before – even though each individual component is \"managed.\" The question isn't \"managed or self-hosted?\" but \"does this simplify our overall operations?\"",[71,8017,8019],{"id":8018},"kubernetes-and-the-tendency-to-bloat","Kubernetes and the Tendency to Bloat",[56,8021,8022],{},"Kubernetes as a platform is flexible enough to support nearly any architectural decision. That's both a strength and a problem. The flexibility tempts teams into solving everything at the infrastructure level, even when the solution actually belongs in the application or the process.",[56,8024,8025,8026,1605],{},"Common patterns that make ",[60,8027,8028],{"href":2108},"Kubernetes setups unnecessarily complex",[56,8030,8031,8034,8035,415],{},[109,8032,8033],{},"Operator inflation."," There's an operator for every database, every message broker, and every monitoring tool. Each operator brings its own custom resource definitions, its own RBAC rules, and its own update cycles. Ten operators mean ten potential sources of conflict and ten separate update processes -- a Kubernetes-specific form of ",[60,8036,8038],{"href":8037},"\u002Fen\u002Fblog\u002Fdevops-tool-sprawl","DevOps tool sprawl",[56,8040,8041,8044,8045,2283,8050,8055],{},[109,8042,8043],{},"Sidecar overload."," Service meshes like ",[60,8046,8049],{"href":8047,"rel":8048},"https:\u002F\u002Fistio.io\u002F",[64],"Istio",[60,8051,8054],{"href":8052,"rel":8053},"https:\u002F\u002Flinkerd.io\u002F",[64],"Linkerd"," inject sidecar containers into every pod. That brings mTLS, traffic management, and observability – but also double the resource consumption and an additional layer that needs to be configured, updated, and debugged. 
For many teams, the effort-to-benefit ratio is unfavorable.",[56,8057,8058,8061],{},[109,8059,8060],{},"Custom controller sprawl."," Once teams start writing their own Kubernetes operators, maintenance effort grows exponentially. Every custom controller is code that needs to be maintained – usually by the same people building the actual application.",[187,8063,8065],{"id":8064},"practical-patterns-for-lean-clusters","Practical Patterns for Lean Clusters",[56,8067,8068],{},"A few principles that make a real difference in practice:",[56,8070,8071,8074],{},[109,8072,8073],{},"Simplify your namespace strategy."," Many teams work with dozens of namespaces that provide barely any additional isolation but multiply the RBAC configuration. Fewer, clearly delineated namespaces with well-defined boundaries work better.",[56,8076,8077,8080],{},[109,8078,8079],{},"Keep ingress configuration minimal."," A single ingress controller with standardized annotations is sufficient for most workloads. Specialized routing hidden across hundreds of different ingress objects makes debugging unnecessarily difficult.",[56,8082,8083,8086],{},[109,8084,8085],{},"Set resource defaults."," Instead of giving every deployment definition individual resource requests and limits, LimitRanges and ResourceQuotas at the namespace level work more cleanly and reduce copy-paste errors.",[71,8088,8090],{"id":8089},"what-minimalist-architecture-delivers-in-practice","What Minimalist Architecture Delivers in Practice",[56,8092,8093],{},"The benefits of a leaner architecture don't show up immediately, but they're measurable.",[56,8095,8096,8099],{},[109,8097,8098],{},"Stability."," Fewer components mean fewer possible causes of failure. In a system with five parts instead of fifteen, the probability of two components having issues simultaneously is significantly lower. 
That sounds trivial, but it has real impact on availability.",[56,8101,8102,8105],{},[109,8103,8104],{},"Shorter incident response."," When an alert fires and the team has the entire architecture in their head, troubleshooting takes minutes instead of hours. Observability data is clearer, trace data is less noisy, and the number of possible causes is smaller.",[56,8107,8108,8111],{},[109,8109,8110],{},"Easier onboarding."," New developers who can understand an architecture in half a day become productive faster. That has a direct impact on team capacity – especially in growing teams or those with frequent turnover.",[56,8113,8114,8117],{},[109,8115,8116],{},"Smaller security attack surface."," Every running process, every exposed service, every network connection is a potential attack vector. A minimalist architecture has structurally fewer of them. On top of that, fewer components also mean fewer CVEs that need regular patching.",[56,8119,8120,8123],{},[109,8121,8122],{},"Lower operating costs."," This is often the most convincing point for decision-makers: fewer running services mean less compute cost, fewer license fees for managed services, and less time spent on maintenance.",[71,8125,8127],{"id":8126},"when-complexity-is-justified","When Complexity Is Justified",[56,8129,8130],{},"Minimalism isn't an absolute principle. There are situations where complexity is unavoidable – and it would be dishonest to pretend otherwise.",[56,8132,8133],{},"Multi-region deployments with active-active configuration are complex because the problem is complex. 
Database replication across regions, conflict resolution for distributed write operations, and network latency management can't be defined away.",[56,8135,8136],{},"Systems with strict compliance requirements – in finance or healthcare, for example – sometimes need audit trails, encryption layers, and access controls that simpler systems don't require.",[56,8138,8139],{},"The difference is: in these cases, complexity is a direct consequence of a real requirement. Every team should be able to answer, for every architectural decision, which requirement drives it. If the answer is \"because we might need it someday,\" that's not a good reason.",[71,8141,8143],{"id":8142},"the-platform-approach-as-a-structural-answer-to-complexity","The Platform Approach as a Structural Answer to Complexity",[56,8145,8146],{},"One of the core problems with Kubernetes infrastructure in growing organizations is that complexity gets distributed. Every team running Kubernetes workloads has to deal with ingress, RBAC, resource management, monitoring configuration, and deployment processes. This leads to inconsistent setups, duplicated work, and varying security standards across teams.",[56,8148,8149],{},"A platform approach solves this problem structurally: instead of letting each team manage its own infrastructure complexity, a shared platform pulls these concerns upward and provides them in a standardized way. Teams deploy applications – they don't configure the same ingress controller for the twentieth time.",[56,8151,8152,8153,8157],{},"This is the core of what lowcloud is built on: a ",[60,8154,8156],{"href":8155},"\u002Fen\u002Fblog\u002Fzero-config-kubernetes","Kubernetes DevOps-as-a-Service platform"," that centralizes infrastructure complexity so development teams can focus on their applications. 
If you want to see what this looks like in practice, the lowcloud platform offers concrete answers to the question of how to simplify Kubernetes operations without losing control.",[479,8159],{},[56,8161,8162],{},[2186,8163,8164],{},"Minimalist cloud architecture isn't a trend or a counter-proposal to modern cloud practices. It's the consequence of recognizing that every component has a cost – even when it's not currently causing problems. Those who regularly question what's truly needed build systems that work better in the long run.",{"title":490,"searchDepth":491,"depth":491,"links":8166},[8167,8168,8172,8175,8176,8177],{"id":7938,"depth":491,"text":7939},{"id":7977,"depth":491,"text":7978,"children":8169},[8170,8171],{"id":7987,"depth":499,"text":7988},{"id":8008,"depth":499,"text":8009},{"id":8018,"depth":491,"text":8019,"children":8173},[8174],{"id":8064,"depth":499,"text":8065},{"id":8089,"depth":491,"text":8090},{"id":8126,"depth":491,"text":8127},{"id":8142,"depth":491,"text":8143},"Why fewer components in your cloud infrastructure lead to greater stability – and how teams can deliberately reduce Kubernetes complexity.",{"src":8180},"\u002Fimages\u002Fblog\u002Fminimalist-cloud-architecture.jpg",{},"\u002Fen\u002Fblog\u002Fminimalist-cloud-architecture",{"title":7922,"description":8178},"en\u002F3.blog\u002F44.minimalist-cloud-architecture","DkkFz74IyFCO-V15s20UrllUjcEC5M8IRN6vx7GG-3Y",{"id":8187,"title":8188,"authors":8189,"badge":10,"body":8192,"date":8427,"description":8428,"extension":510,"image":8429,"lastUpdated":7615,"meta":8431,"navigation":14,"path":8155,"published":14,"seo":8432,"stem":8433,"tags":10,"__hash__":8434},"posts\u002Fen\u002F3.blog\u002F43.zero-config-kubernetes.md","Zero-Config Kubernetes: Why Simplicity 
Wins",[8190],{"name":43,"to":44,"avatar":8191},{"src":46},{"type":48,"value":8193,"toc":8413},[8194,8199,8203,8218,8221,8236,8240,8247,8250,8253,8256,8260,8263,8266,8281,8285,8288,8291,8297,8303,8309,8313,8316,8322,8331,8334,8338,8341,8347,8353,8359,8362,8366,8369,8372,8375,8379,8382,8388,8394,8400,8404,8407,8410],[56,8195,8196,8198],{},[60,8197,1543],{"href":1542}," can do almost anything — but that sentence has a catch. The ability to do almost anything also means you have to configure almost everything yourself. For many teams, this isn't a theoretical problem but a practical one that costs hours every day and delays deployments. Zero-configuration isn't giving up control — it's a design decision that says: sensible defaults are better than forced freedom.",[71,8200,8202],{"id":8201},"what-zero-configuration-actually-means","What Zero-Configuration Actually Means",[56,8204,8205,8206,8211,8212,8217],{},"The term originally comes from web development. ",[60,8207,8210],{"href":8208,"rel":8209},"https:\u002F\u002Frubyonrails.org\u002F",[64],"Ruby on Rails"," popularized it, ",[60,8213,8216],{"href":8214,"rel":8215},"https:\u002F\u002Fmaven.apache.org\u002F",[64],"Maven"," adopted it for Java builds, and Webpack eventually forgot about it — which came back to bite them. The core idea is simple: a system should work without or with minimal configuration when covering the most common use case.",[56,8219,8220],{},"For infrastructure and Kubernetes, this means: a platform that knows what a typical deployment looks like shouldn't require every team to translate that knowledge from scratch into YAML. Network configuration, resource limits, health checks, TLS termination — these aren't individual decisions for each project. In 80% of cases, the requirements are identical.",[56,8222,8223,8224,8227,8228,8231,8232,8235],{},"Zero-configuration doesn't mean you ",[2186,8225,8226],{},"can't"," configure anything. 
It means you don't ",[2186,8229,8230],{},"have to"," in order to get started. The reasoning behind this approach is grounded in ",[60,8233,8234],{"href":8182},"minimalist cloud architecture"," -- the principle that every component must justify its maintenance cost.",[71,8237,8239],{"id":8238},"how-much-configuration-overhead-kubernetes-really-causes","How Much Configuration Overhead Kubernetes Really Causes",[56,8241,8242,8243,8246],{},"Anyone who has set up Kubernetes themselves knows the feeling. You start deploying a simple application and end up with a ",[60,8244,8245],{"href":2108},"stack of YAML files",": Deployment, Service, Ingress, ConfigMap, Secret, HorizontalPodAutoscaler, NetworkPolicy. For an app that needs to run in three environments, this multiplies quickly.",[56,8248,8249],{},"This isn't a criticism of Kubernetes as a system. It's a powerful tool built for complex, scalable infrastructure. But this tool treats configuration as the explicit responsibility of the user — for every detail, in every environment, for every team.",[56,8251,8252],{},"What emerges isn't malice but configuration drift: every team develops its own conventions, its own templates, its own workarounds. After two years, you don't have one Kubernetes platform — you have ten slightly different Kubernetes setups that all claim to do the same thing.",[56,8254,8255],{},"The real effort isn't just in the initial setup. It's in ongoing operations: onboarding new developers, keeping configurations up to date, debugging errors that stem from inconsistent setups.",[71,8257,8259],{"id":8258},"convention-over-configuration-an-old-principle-cloud-native-needs-again","Convention over Configuration — An Old Principle Cloud Native Needs Again",[56,8261,8262],{},"The principle is older than Kubernetes. Martin Fowler described it, Rails made it famous: a framework should make decisions for the developer as long as those decisions correctly cover the most common use cases. 
The developer only needs to intervene when they want to deviate from the default behavior.",[56,8264,8265],{},"In the Kubernetes world, this thinking has struggled to take hold. Kubernetes is deliberately designed as a platform for platforms — it offers primitives, not opinions. This makes sense at the orchestrator level itself. But the layer above it, the one developers use daily, has been missing for a long time.",[56,8267,8268,8269,557,8273,1842,8277,8280],{},"What has changed: platforms like ",[60,8270,367],{"href":8271,"rel":8272},"https:\u002F\u002Fvercel.com\u002F",[64],[60,8274,219],{"href":8275,"rel":8276},"https:\u002F\u002Frailway.com\u002F",[64],[60,8278,190],{"href":195,"rel":8279},[64]," have shown that developers are willing to give up control when the defaults are right. The growth of these platforms is no coincidence — it's a signal.",[187,8282,8284],{"id":8283},"what-makes-good-defaults","What Makes Good Defaults",[56,8286,8287],{},"Not every default is a good default. Bad defaults are those that break at scale, open security vulnerabilities, or are so restrictive that they need to be changed at the first real requirement.",[56,8289,8290],{},"Good defaults have three properties:",[56,8292,8293,8296],{},[109,8294,8295],{},"Security:"," The default state should be the secure state. A pod without explicit SecurityContext settings shouldn't run as root. TLS should be enabled by default. Network access should be restricted by default, not open.",[56,8298,8299,8302],{},[109,8300,8301],{},"Functionality:"," The default must work. A health check that's configured by default but points to a non-existent endpoint is worse than no health check at all.",[56,8304,8305,8308],{},[109,8306,8307],{},"Customizability:"," When someone needs to deviate from the default, it should be possible — without leaving the entire abstraction model. 
Zero-configuration means easy getting-started, not a prison.",[71,8310,8312],{"id":8311},"zero-configuration-kubernetes-in-practice","Zero-Configuration Kubernetes in Practice",[56,8314,8315],{},"Managed Kubernetes services like GKE, EKS, or AKS take some of the burden off. They manage the control plane, updates, and underlying infrastructure. But the application layer — how deployments are structured, how networking works, how environments are separated — remains the team's responsibility.",[56,8317,8318,8321],{},[60,8319,8320],{"href":80},"PaaS"," layers on Kubernetes go a step further. They abstract Kubernetes primitives behind a higher-level interface: instead of a Deployment, there's an App. Instead of an Ingress object, there's a Domain. Instead of an HPA, there's a scaling policy in readable form.",[56,8323,8324,8326,8327,415],{},[60,8325,5264],{"href":486}," platforms often go even further: they don't just provide the abstraction but also take over operations, monitoring, security baselines, and incident handling as a service, allowing teams to focus even more on product development. All without vendor lock-in, as is often the case with ",[60,8328,8330],{"href":8329},"\u002Fen\u002Fblog\u002Fpaas-vs-daas","traditional PaaS solutions",[56,8332,8333],{},"The result: a developer can deploy an app without ever having seen a YAML file. A DevOps engineer can define infrastructure standards centrally that all teams automatically follow.",[187,8335,8337],{"id":8336},"when-zero-config-hits-its-limits","When Zero-Config Hits Its Limits",[56,8339,8340],{},"No approach fits every context. 
Zero-configuration at the PaaS level has limits you should be aware of.",[56,8342,8343,8346],{},[109,8344,8345],{},"Highly specific infrastructure:"," Teams with GPU workloads, specialized network architectures, or bare-metal requirements will quickly hit the limits of opinionated defaults.",[56,8348,8349,8352],{},[109,8350,8351],{},"Compliance-driven environments:"," Regulatory requirements can demand very specific configurations that a generic default doesn't cover. Here you need a platform that offers both good defaults and fine-grained customizability.",[56,8354,8355,8358],{},[109,8356,8357],{},"Migration scenarios:"," Teams with complex, organically grown Kubernetes infrastructure can't switch to zero-config overnight. Migration requires a clear strategy.",[56,8360,8361],{},"These are real limitations, but they affect a significantly smaller portion of teams than the Kubernetes community sometimes assumes.",[71,8363,8365],{"id":8364},"developer-experience-as-a-business-decision","Developer Experience as a Business Decision",[56,8367,8368],{},"Time-to-deploy is a metric that's rarely measured yet tells almost everything about the health of a development process. How long does it take until a new developer has their first pull request in production? How many hours per week does an experienced team spend configuring infrastructure instead of building features?",[56,8370,8371],{},"These numbers aren't an abstract DX topic. They're direct productivity losses.",[56,8373,8374],{},"Configuration overhead is particularly expensive because it doesn't scale linearly. The more projects, teams, and environments a company has, the more configuration work accumulates. 
And because configuration is rarely documented, this knowledge is often tied to individuals — a risk that surfaces at the next personnel change.",[187,8376,8378],{"id":8377},"the-hidden-costs-of-kubernetes-complexity","The Hidden Costs of Kubernetes Complexity",[56,8380,8381],{},"The obvious cost factor is personnel: someone has to understand, build, and maintain the infrastructure. But there are subtler costs.",[56,8383,8384,8387],{},[109,8385,8386],{},"Error sources from complexity:"," Every configuration line is a potential source of errors. A misconfigured resource limit, a missing network policy rule, a misconfigured liveness probe. These errors are hard to debug and expensive in production.",[56,8389,8390,8393],{},[109,8391,8392],{},"Onboarding overhead:"," A new developer who needs three weeks to understand the infrastructure before becoming productive is a real cost factor. Zero-configuration platforms reduce this overhead dramatically.",[56,8395,8396,8399],{},[109,8397,8398],{},"Cognitive load:"," Developers who have to think about business logic and Kubernetes internals at the same time make worse decisions in both areas. Focus is a limited resource.",[71,8401,8403],{"id":8402},"zero-configuration-kubernetes-with-lowcloud","Zero-Configuration Kubernetes with lowcloud",[56,8405,8406],{},"lowcloud addresses exactly this. As a Kubernetes DaaS platform, lowcloud comes with sensible defaults for security, networking, scaling, and monitoring — without requiring teams to define these themselves. Those who want to dig deeper can. Those who just want to deploy can do so right away.",[56,8408,8409],{},"The goal isn't to hide Kubernetes. 
It's to manage Kubernetes complexity where it belongs — at the platform level — instead of distributing it across every development team.",[56,8411,8412],{},"If your team wants to spend more time on product development and less on infrastructure configuration, that's the starting point worth thinking about.",{"title":490,"searchDepth":491,"depth":491,"links":8414},[8415,8416,8417,8420,8423,8426],{"id":8201,"depth":491,"text":8202},{"id":8238,"depth":491,"text":8239},{"id":8258,"depth":491,"text":8259,"children":8418},[8419],{"id":8283,"depth":499,"text":8284},{"id":8311,"depth":491,"text":8312,"children":8421},[8422],{"id":8336,"depth":499,"text":8337},{"id":8364,"depth":491,"text":8365,"children":8424},[8425],{"id":8377,"depth":499,"text":8378},{"id":8402,"depth":491,"text":8403},"2026-03-28","Kubernetes configuration costs teams hours every day. How zero-configuration approaches with sensible defaults simplify deployments and boost productivity.",{"src":8430},"\u002Fimages\u002Fblog\u002Fzero-config-kubernetes.jpg",{},{"title":8188,"description":8428},"en\u002F3.blog\u002F43.zero-config-kubernetes","OoKCmujrP-bvHS4_ySiAOGYRlCtJxi3l8jXwCMNCnoQ",{"id":8436,"title":8437,"authors":8438,"badge":10,"body":8441,"date":8664,"description":8665,"extension":510,"image":8666,"lastUpdated":6920,"meta":8668,"navigation":14,"path":7124,"published":14,"seo":8669,"stem":8670,"tags":10,"__hash__":8671},"posts\u002Fen\u002F3.blog\u002F41.cloud-egress-fees.md","Cloud Egress Fees Compared: AWS vs. Azure vs. GCP Pricing",[8439],{"name":43,"to":44,"avatar":8440},{"src":46},{"type":48,"value":8442,"toc":8652},[8443,8446,8450,8453,8456,8459,8463,8466,8475,8484,8493,8496,8500,8506,8509,8513,8516,8522,8529,8533,8536,8541,8544,8549,8552,8555,8558,8562,8570,8607,8610,8614,8637,8641,8644,8647,8649],[56,8444,8445],{},"When evaluating a new cloud provider, most people look at the instance price first. That's understandable — and still a mistake. 
The real cost driver is buried in the fine print: egress fees, the charges for outbound data transfer. For data-intensive applications, these costs can exceed the compute bill itself. Ignore them, and the end-of-month invoice becomes a surprise.",[71,8447,8449],{"id":8448},"what-are-egress-fees-and-how-do-they-arise","What Are Egress Fees and How Do They Arise?",[56,8451,8452],{},"Cloud providers fundamentally distinguish between two directions of data traffic: ingress (data flowing into the data center) and egress (data leaving the data center). Ingress is free with nearly all major providers. Egress is not.",[56,8454,8455],{},"This applies regardless of where the data is going: to an end user on the internet, to another cloud region of the same provider, or to a different cloud provider entirely. Each of these routes has its own rate — and all of them cost extra.",[56,8457,8458],{},"The model isn't new. It dates back to the early days of the public cloud, when bandwidth was genuinely scarce and expensive. At the infrastructure level, that's no longer the case today — but egress prices at the hyperscalers have barely moved.",[71,8460,8462],{"id":8461},"the-hyperscaler-pricing-model-in-detail","The Hyperscaler Pricing Model in Detail",[56,8464,8465],{},"The big three — AWS, Azure, and GCP — follow a similar pattern. Concrete numbers (as of 2025, EU region):",[56,8467,8468,8474],{},[60,8469,8472],{"href":8470,"rel":8471},"https:\u002F\u002Faws.amazon.com\u002Fec2\u002Fpricing\u002Fon-demand\u002F#Data_Transfer",[64],[109,8473,5914],{},": Internet egress costs approximately $0.09\u002FGB from the first GB (after a 100 GB free tier per month). Transfer between AWS regions runs $0.02–0.08\u002FGB depending on the region. 
Transfer between Availability Zones within a region: $0.01\u002FGB — in both directions.",[56,8476,8477,8483],{},[60,8478,8481],{"href":8479,"rel":8480},"https:\u002F\u002Fazure.microsoft.com\u002Fen-us\u002Fpricing\u002Fdetails\u002Fbandwidth\u002F",[64],[109,8482,5924],{},": Internet egress between €0.05 and €0.087\u002FGB (after a 5 GB free tier). Cross-zone transfer: €0.01\u002FGB.",[56,8485,8486,8492],{},[60,8487,8490],{"href":8488,"rel":8489},"https:\u002F\u002Fcloud.google.com\u002Fvpc\u002Fnetwork-pricing",[64],[109,8491,5919],{},": Internet egress from $0.085\u002FGB. Between zones: $0.01\u002FGB.",[56,8494,8495],{},"These numbers sound small. They aren't — not when the application transfers multiple terabytes daily.",[187,8497,8499],{"id":8498},"the-kubernetes-factor-egress-between-availability-zones","The Kubernetes Factor: Egress Between Availability Zones",[56,8501,8502,8503,8505],{},"In ",[60,8504,1543],{"href":1542}," clusters distributed across multiple Availability Zones, an additional cost dimension emerges: pods communicate with each other across zones, and every byte on that path costs money. With microservice architectures that generate heavy internal traffic, this adds up quickly.",[56,8507,8508],{},"A commonly used countermeasure is Topology-Aware Routing: Kubernetes can be configured so that pods preferentially communicate with endpoints in the same zone. This significantly reduces cross-zone traffic but requires deliberate setup — it's not the default.",[71,8510,8512],{"id":8511},"how-egress-fees-become-a-lock-in-mechanism","How Egress Fees Become a Lock-in Mechanism",[56,8514,8515],{},"Egress costs work in two directions. On one hand, they accrue during normal operations. On the other, they protect the provider against customer churn: anyone who wants to migrate their data to another provider pays egress fees on every byte that leaves the data center. 
With hundreds of terabytes, that can mean a substantial one-time payment.",[56,8517,8518,8519,8521],{},"This structural lock-in is no accident. The EU Commission has recognized it: the ",[60,8520,6945],{"href":6637}," obligates cloud providers, among other things, to facilitate switching by reducing or eliminating switching costs — and mandates that egress fees be eliminated entirely by 2027.",[56,8523,8524,8525,8528],{},"For DevOps teams, this means: portability and ",[60,8526,8527],{"href":333},"migration capability"," should be built into the architecture from the start — not only when the desire to switch arises.",[71,8530,8532],{"id":8531},"egress-fees-in-practice-concrete-cost-examples","Egress Fees in Practice: Concrete Cost Examples",[56,8534,8535],{},"A realistic scenario: a SaaS application transfers 10 TB of data per month to the internet. A normal figure for a mid-sized product with an active user base.",[56,8537,8538],{},[109,8539,8540],{},"With AWS (EU region):",[56,8542,8543],{},"10,000 GB × $0.09 = $900\u002Fmonth. For egress alone. Add compute, storage, and any cross-zone traffic on top.",[56,8545,8546],{},[109,8547,8548],{},"With a European provider offering 20 TB of included traffic:",[56,8550,8551],{},"$0 for egress. Up to the included allowance.",[56,8553,8554],{},"The difference over a year: nearly $10,800, solely from data transfer charges. Compute costs not even included.",[56,8556,8557],{},"This isn't an extreme example. It's a typical one.",[71,8559,8561],{"id":8560},"tco-over-list-price-how-to-calculate-true-cloud-costs","TCO Over List Price: How to Calculate True Cloud Costs",[56,8563,8564,8569],{},[109,8565,8566],{},[60,8567,8568],{"href":5335},"Total Cost of Ownership (TCO)"," in a cloud context encompasses more than compute and storage. 
A complete calculation considers:",[103,8571,8572,8578,8583,8589,8595,8601],{},[106,8573,8574,8577],{},[109,8575,8576],{},"Internet egress"," (by volume)",[106,8579,8580],{},[109,8581,8582],{},"Egress between regions and Availability Zones",[106,8584,8585,8588],{},[109,8586,8587],{},"Egress to other cloud services"," (e.g., CDN, external APIs)",[106,8590,8591,8594],{},[109,8592,8593],{},"Support costs"," (basic support at hyperscalers is often paid)",[106,8596,8597,8600],{},[109,8598,8599],{},"License costs"," for proprietary services (load balancers, managed services)",[106,8602,8603,8606],{},[109,8604,8605],{},"Migration costs"," when switching providers",[56,8608,8609],{},"Plug these items into a spreadsheet and project based on your actual traffic profiles — you'll quickly get a far more realistic picture than the first glance at the instance price list provides.",[187,8611,8613],{"id":8612},"checklist-what-to-consider-when-comparing-providers","Checklist: What to Consider When Comparing Providers",[103,8615,8616,8619,8622,8625,8628,8631,8634],{},[106,8617,8618],{},"Internet egress rate (per GB, after free tier)",[106,8620,8621],{},"Monthly free allowance — absolute or percentage-based?",[106,8623,8624],{},"Costs for transfer between regions and zones",[106,8626,8627],{},"Costs for outbound traffic to CDN providers",[106,8629,8630],{},"Included traffic in managed Kubernetes offerings",[106,8632,8633],{},"Switching costs upon cancellation (egress for data migration)",[106,8635,8636],{},"Pricing transparency — is everything summarized on one page?",[71,8638,8640],{"id":8639},"alternatives-to-the-hyperscalers-what-european-providers-do-differently","Alternatives to the Hyperscalers: What European Providers Do Differently",[56,8642,8643],{},"While AWS, Azure, and GCP have established their egress model as the standard, European cloud providers often take a different approach: included traffic, flat-rate models, or significantly lower per-GB 
rates.",[56,8645,8646],{},"This isn't purely a cost argument. For companies based in the EU, data protection, GDPR compliance, and digital sovereignty are additional factors. Those who cannot or prefer not to run workloads on infrastructure outside the EU do have EU regions with the hyperscalers — but not EU companies as contractual partners.",[479,8648],{},[56,8650,8651],{},"Egress fees aren't a technical detail. They're a pricing model designed to work in the background until the first surprising invoice arrives. If you truly want to understand your cloud costs, calculate with TCO — not the cheapest instance type. And if you take flexibility and cost transparency seriously, weigh traffic costs just as heavily as CPU and RAM in your next provider comparison.",{"title":490,"searchDepth":491,"depth":491,"links":8653},[8654,8655,8658,8659,8660,8663],{"id":8448,"depth":491,"text":8449},{"id":8461,"depth":491,"text":8462,"children":8656},[8657],{"id":8498,"depth":499,"text":8499},{"id":8511,"depth":491,"text":8512},{"id":8531,"depth":491,"text":8532},{"id":8560,"depth":491,"text":8561,"children":8661},[8662],{"id":8612,"depth":499,"text":8613},{"id":8639,"depth":491,"text":8640},"2026-03-27","AWS charges up to $0.09\u002FGB for outbound traffic. 
See how egress fees compare across major providers and what to include in your true data transfer TCO.",{"src":8667},"\u002Fimages\u002Fblog\u002Fcloud-egress-fees.jpg",{},{"title":8437,"description":8665},"en\u002F3.blog\u002F41.cloud-egress-fees","o9CoV-B5ojy8Xs51W7rRseGxX1EFN1u3Uuwa3BvaFpM",{"id":8673,"title":8674,"authors":8675,"badge":10,"body":8678,"date":9014,"description":9015,"extension":510,"image":9016,"lastUpdated":4188,"meta":9018,"navigation":14,"path":4149,"published":14,"seo":9019,"stem":9020,"tags":10,"__hash__":9021},"posts\u002Fen\u002F3.blog\u002F39.eu-ai-act-hosting.md","EU AI Act Hosting: What Changes for AI Workload Operators",[8676],{"name":43,"to":44,"avatar":8677},{"src":46},{"type":48,"value":8679,"toc":9004},[8680,8684,8687,8691,8699,8725,8728,8732,8735,8755,8769,8772,8776,8779,8782,8813,8816,8820,8823,8849,8852,8856,8859,8861,8872,8875,8879,8882,8889,8895,8926,8930,8933,8938,8941,8946,8949,8954,8957,8962,8969,8974,8977,8982,8985,8989,8992,8995,8997],[51,8681,8683],{"id":8682},"eu-ai-act-hosting-what-changes-for-ai-workload-operators-now","EU AI Act Hosting: What Changes for AI Workload Operators Now",[56,8685,8686],{},"Since August 2024, the EU AI Act has been officially in force — the first comprehensive AI regulation worldwide. What initially sounds abstract to many companies is becoming increasingly concrete: anyone deploying, integrating, or running AI systems on their infrastructure now has obligations that can no longer be ignored. Especially for hosting customers running AI workloads in their environment or using SaaS tools with AI capabilities, pressing questions are emerging.",[71,8688,8690],{"id":8689},"what-is-the-eu-ai-act","What Is the EU AI Act?",[56,8692,1701,8693,8698],{},[60,8694,8697],{"href":8695,"rel":8696},"https:\u002F\u002Fwww.bundesregierung.de\u002Fbreg-de\u002Faktuelles\u002Fai-act-2285944",[64],"EU AI Act"," follows a risk-based approach. 
AI systems are classified into four categories:",[103,8700,8701,8707,8713,8719],{},[106,8702,8703,8706],{},[109,8704,8705],{},"Unacceptable risk:"," Prohibited (e.g., social scoring by authorities, real-time biometric surveillance in public spaces)",[106,8708,8709,8712],{},[109,8710,8711],{},"High risk:"," Strict requirements for documentation, conformity, and monitoring (e.g., AI in HR, credit scoring, medical devices)",[106,8714,8715,8718],{},[109,8716,8717],{},"Limited risk:"," Transparency obligations toward users (e.g., chatbots)",[106,8720,8721,8724],{},[109,8722,8723],{},"Minimal risk:"," No special obligations (e.g., spam filters, AI in games)",[56,8726,8727],{},"The bans for systems in the \"unacceptable risk\" category have been in effect since February 2025. Full requirements for high-risk AI systems take effect from August 2026.",[71,8729,8731],{"id":8730},"who-is-affected-providers-deployers-importers","Who Is Affected? Providers, Deployers, Importers",[56,8733,8734],{},"The AI Act distinguishes clear roles:",[103,8736,8737,8743,8749],{},[106,8738,8739,8742],{},[109,8740,8741],{},"Provider:"," Anyone who develops or places an AI system on the market.",[106,8744,8745,8748],{},[109,8746,8747],{},"Deployer:"," Anyone who uses an AI system in their own context — companies using AI tools in their processes.",[106,8750,8751,8754],{},[109,8752,8753],{},"Importer and Distributor:"," Anyone who imports or distributes AI systems from third countries.",[56,8756,8757,8758,557,8763,8768],{},"For hosting customers, the deployer role is particularly relevant. 
Anyone integrating ",[60,8759,8762],{"href":8760,"rel":8761},"https:\u002F\u002Fopenai.com\u002Fde-DE\u002F",[64],"OpenAI",[60,8764,8767],{"href":8765,"rel":8766},"https:\u002F\u002Fazure.microsoft.com\u002Fde-de\u002Fproducts\u002Fai-foundry\u002Ftools",[64],"Azure Cognitive"," Services, or other AI APIs into their own applications and running them on hosting infrastructure qualifies as a deployer — with all corresponding obligations.",[56,8770,8771],{},"This applies even when the underlying model is hosted by a third-party provider. What matters is the deployment of AI in your own product or process, not the development of the model itself.",[71,8773,8775],{"id":8774},"what-obligations-arise-for-deployers","What Obligations Arise for Deployers?",[56,8777,8778],{},"The specific requirements depend on the risk classification of each AI system. For systems with limited risk, a transparency obligation is often sufficient: users must know when they are interacting with an AI.",[56,8780,8781],{},"For high-risk systems, the effort is significantly greater:",[103,8783,8784,8790,8795,8801,8807],{},[106,8785,8786,8789],{},[109,8787,8788],{},"Technical documentation:"," The system must be documented — its purpose, how it works, and known limitations.",[106,8791,8792,8794],{},[109,8793,451],{}," Operators must maintain logs to ensure the traceability of AI decisions. Depending on the area of application, retention periods of at least six months apply.",[106,8796,8797,8800],{},[109,8798,8799],{},"Risk assessment:"," An internal review of whether and how the system can affect individuals' fundamental rights.",[106,8802,8803,8806],{},[109,8804,8805],{},"Human oversight:"," High-risk systems must not operate fully autonomously. 
There must be mechanisms for human control.",[106,8808,8809,8812],{},[109,8810,8811],{},"Registration:"," Certain high-risk AI systems must be registered in an EU-wide database.",[56,8814,8815],{},"Anyone operating AI-powered candidate screening, automated credit decisions, or medical diagnostic tools must carefully assess which category their system falls into.",[71,8817,8819],{"id":8818},"high-risk-ai-special-requirements-for-systems-in-sensitive-areas","High-Risk AI: Special Requirements for Systems in Sensitive Areas",[56,8821,8822],{},"Annex III of the AI Act lists the areas where AI systems are generally considered high-risk:",[103,8824,8825,8828,8831,8834,8837,8840,8843,8846],{},[106,8826,8827],{},"Biometric identification and categorization",[106,8829,8830],{},"Critical infrastructure (energy, water, transport)",[106,8832,8833],{},"Education and vocational training",[106,8835,8836],{},"Employment and workforce management (e.g., automated CV analysis)",[106,8838,8839],{},"Essential services (credit, social benefits)",[106,8841,8842],{},"Law enforcement",[106,8844,8845],{},"Migration and border control",[106,8847,8848],{},"Justice and democratic processes",[56,8850,8851],{},"Anyone deploying AI in any of these areas — even if it's \"just\" a purchased tool — should assess the classification now. The AI Act explicitly requires deployers to independently determine whether a system falls under the high-risk category.",[71,8853,8855],{"id":8854},"ai-act-and-gdpr-where-the-frameworks-overlap","AI Act and GDPR: Where the Frameworks Overlap",[56,8857,8858],{},"The EU AI Act and the GDPR are not alternatives — they apply in parallel. 
Wherever AI systems process personal data, both regulatory frameworks apply simultaneously.",[56,8860,7994],{},[103,8862,8863,8866,8869],{},[106,8864,8865],{},"Automated decisions with significant impact (Article 22 GDPR) still require a legal basis and remain contestable by affected individuals.",[106,8867,8868],{},"The technical requirements of the AI Act — particularly logging and traceability — can conflict with GDPR principles of data minimization and purpose limitation. This requires well-thought-out approaches.",[106,8870,8871],{},"Data Protection Impact Assessments (DPIAs) under the GDPR can be combined with the AI Act risk assessment. This saves effort and creates consistent documentation.",[56,8873,8874],{},"A common mistake: companies assume GDPR compliance is sufficient. However, the AI Act adds systemic requirements that go beyond data protection.",[71,8876,8878],{"id":8877},"infrastructure-as-a-compliance-lever-why-the-operating-location-matters","Infrastructure as a Compliance Lever: Why the Operating Location Matters",[56,8880,8881],{},"One aspect that gets overlooked in many AI Act discussions: where AI workloads run has direct compliance relevance.",[56,8883,8884,8885,8888],{},"Running AI inference on US-based cloud services creates not only a ",[60,8886,8887],{"href":6023},"GDPR issue through potential third-country transfers"," — it also means losing control over technical measures like logging, auditability, and access restrictions that the AI Act requires.",[56,8890,8891,8892,1605],{},"European, sovereign infrastructure offers a structural advantage here — because ",[60,8893,8894],{"href":5059},"data residency alone is not sovereignty",[103,8896,8897,8903,8909,8920],{},[106,8898,8899,8902],{},[109,8900,8901],{},"Data localization:"," AI processing stays in the EU — no transfer issues.",[106,8904,8905,8908],{},[109,8906,8907],{},"Full technical control:"," Logging requirements can be implemented without restrictions from third-party 
providers.",[106,8910,8911,8914,8915,8919],{},[109,8912,8913],{},"Auditability:"," All evidence can be provided seamlessly during regulatory audits. The EU's ",[60,8916,8918],{"href":8917},"\u002Fen\u002Fblog\u002Fcloud-sovereignty-framework","Cloud Sovereignty Framework"," provides formal criteria for verifying these protections.",[106,8921,8922,8925],{},[109,8923,8924],{},"Contractual clarity:"," With a European provider, data processing agreements and AI Act-compliant arrangements can be concluded directly and without legal risks.",[71,8927,8929],{"id":8928},"what-should-hosting-customers-do-now","What Should Hosting Customers Do Now?",[56,8931,8932],{},"The AI Act is being phased in gradually. Those who act today have a clear advantage. The following steps are specifically recommended:",[56,8934,8935],{},[109,8936,8937],{},"1. Inventory your AI systems",[56,8939,8940],{},"Which AI tools and APIs are being used in which processes? This includes embedded AI features in SaaS products that you operate yourself.",[56,8942,8943],{},[109,8944,8945],{},"2. Perform risk classification",[56,8947,8948],{},"For each identified system: does it fall under high, limited, or minimal risk? The European Commission has published guidance documents to help with this.",[56,8950,8951],{},[109,8952,8953],{},"3. Close documentation gaps",[56,8955,8956],{},"High-risk systems require complete technical documentation. If you don't have it yet, start now — regardless of whether the system was developed in-house or purchased.",[56,8958,8959],{},[109,8960,8961],{},"4. Set up logging and monitoring",[56,8963,8964,8965,8968],{},"Technical measures for tracing AI decisions need to be integrated into operations. This is not a one-time project but an ongoing process. Our guide to ",[60,8966,8967],{"href":4193},"production AI agent infrastructure"," covers the observability stack — LangSmith, Langfuse, Prometheus — in detail.",[56,8970,8971],{},[109,8972,8973],{},"5. 
Review your infrastructure",[56,8975,8976],{},"Where are AI workloads running? If you rely on non-European services, assess whether migrating to sovereign infrastructure makes sense — for both compliance and operational reasons.",[56,8978,8979],{},[109,8980,8981],{},"6. Clarify internal responsibilities",[56,8983,8984],{},"The AI Act doesn't prescribe a dedicated \"AI officer,\" but clear responsibilities for AI governance are sensible. Who is internally responsible for risk assessment and documentation?",[71,8986,8988],{"id":8987},"conclusion-the-ai-act-is-not-a-future-problem","Conclusion: The AI Act Is Not a Future Problem",[56,8990,8991],{},"A widespread misconception is that the AI Act is still a long way off. The first bans have been in effect since early 2025, full high-risk requirements apply from August 2026 — but the preparation window is now. Anyone who only analyzes their AI systems shortly before the deadline will run into problems.",[56,8993,8994],{},"For hosting customers, this means concretely: understand your own AI usage, know your deployer obligations, and set up your infrastructure so that technical compliance requirements can be met. Sovereign, European infrastructure is not a nice-to-have — it's a structural advantage that saves effort and reduces risk.",[479,8996],{},[56,8998,8999,9000,9003],{},"The DevOps-as-a-Service platform is a ",[60,9001,9002],{"href":5076},"Kubernetes-based sovereign application"," operated entirely in Germany. 
If you want to run AI workloads in compliance with the AI Act — with full data control, comprehensive logging, and clear contractual foundations — you'll find a solid technical basis here.",{"title":490,"searchDepth":491,"depth":491,"links":9005},[9006,9007,9008,9009,9010,9011,9012,9013],{"id":8689,"depth":491,"text":8690},{"id":8730,"depth":491,"text":8731},{"id":8774,"depth":491,"text":8775},{"id":8818,"depth":491,"text":8819},{"id":8854,"depth":491,"text":8855},{"id":8877,"depth":491,"text":8878},{"id":8928,"depth":491,"text":8929},{"id":8987,"depth":491,"text":8988},"2026-03-26","The EU AI Act introduces new obligations for AI system operators. What hosting customers need to know about risk classification, logging, and sovereign infrastructure.",{"src":9017},"\u002Fimages\u002Fblog\u002Feu-ai-act-hosting.jpg",{},{"title":8674,"description":9015},"en\u002F3.blog\u002F39.eu-ai-act-hosting","LlqhAq2Dxiy5pgUVCM8EEcvv5r44JEW1jwLTEEcjf80",{"id":9023,"title":9024,"authors":9025,"badge":10,"body":9028,"date":9014,"description":9344,"extension":510,"image":9345,"lastUpdated":10,"meta":9347,"navigation":14,"path":9348,"published":14,"seo":9349,"stem":9350,"tags":10,"__hash__":9351},"posts\u002Fen\u002F3.blog\u002F40.full-stack-developer-reality.md","Full-Stack Developer Reality: What the Title Actually Means",[9026],{"name":13,"to":523,"avatar":9027},{"src":8},{"type":48,"value":9029,"toc":9329},[9030,9033,9036,9038,9042,9045,9048,9051,9053,9057,9060,9115,9118,9122,9129,9132,9134,9138,9141,9144,9147,9154,9157,9159,9163,9166,9169,9172,9186,9189,9193,9196,9199,9202,9206,9209,9212,9214,9218,9221,9224,9249,9252,9254,9258,9261,9264,9290,9292,9296,9303,9310,9313,9316,9318,9320,9323,9326],[56,9031,9032],{},"Anyone applying for or hiring a full-stack developer today is stepping into a semantic minefield. The job title sounds precise. 
What it means in practice varies wildly from company to company — and increasingly overlaps with what used to require entire departments.",[56,9034,9035],{},"This article isn't a motivational post. It's an honest assessment of what full-stack development actually means today, where the real problems lie, and how developers can deal with it without burning out.",[479,9037],{},[71,9039,9041],{"id":9040},"what-full-stack-used-to-mean-and-what-its-become","What Full Stack Used to Mean and What It's Become",[56,9043,9044],{},"Ten years ago, the picture was reasonably clear. Full-stack meant: someone who could work in both the frontend (HTML, CSS, JavaScript) and the backend (server, database, APIs). That was the deal.",[56,9046,9047],{},"Then came cloud infrastructure, containerization, microservices, CI\u002FCD pipelines, observability stacks, and security requirements that previously lived exclusively in the Ops domain. All of this was, more or less explicitly, absorbed into the expected profile of a \"full-stack developer.\"",[56,9049,9050],{},"That's not an exaggeration. Look at current job postings: many simultaneously require React experience, Node.js knowledge, database design, Docker, basic Kubernetes understanding, cloud experience (AWS, GCP, or Azure), CI\u002FCD skills, and an understanding of security concepts. That's no longer a full-stack profile. 
That's an engineering team compressed into one person.",[479,9052],{},[71,9054,9056],{"id":9055},"the-full-stack-developer-reality-in-layers","The Full-Stack Developer Reality in Layers",[56,9058,9059],{},"What a full-stack developer is typically expected to cover today:",[103,9061,9062,9068,9074,9080,9086,9092,9097,9103,9109],{},[106,9063,9064,9067],{},[109,9065,9066],{},"Frontend:"," UI development, state management, performance optimization, accessibility",[106,9069,9070,9073],{},[109,9071,9072],{},"Backend:"," API design, business logic, authentication, database access",[106,9075,9076,9079],{},[109,9077,9078],{},"Databases:"," Schema design, query optimization, migration management",[106,9081,9082,9085],{},[109,9083,9084],{},"Infrastructure:"," Containers, orchestration, cloud resources",[106,9087,9088,9091],{},[109,9089,9090],{},"CI\u002FCD:"," Build pipelines, automated testing, deployment strategies",[106,9093,9094,9096],{},[109,9095,8295],{}," OWASP basics, secrets management, dependency scanning",[106,9098,9099,9102],{},[109,9100,9101],{},"Monitoring & Observability:"," Logs, metrics, tracing, alerting",[106,9104,9105,9108],{},[109,9106,9107],{},"Networking:"," DNS, load balancing, TLS, API gateways",[106,9110,9111,9114],{},[109,9112,9113],{},"Incident Response:"," On-call, debugging in production, postmortems",[56,9116,9117],{},"That's nine clearly distinct domains. In mid-sized companies, each of these has specialized roles. A full-stack developer is expected to move across all of them — even if not at expert level.",[187,9119,9121],{"id":9120},"the-mini-engineering-organization-problem","The Mini-Engineering-Organization Problem",[56,9123,9124,9125,415],{},"This leads to a structural problem that's rarely addressed openly: a full-stack developer is often no longer a developer who masters multiple disciplines. They're a mini-engineering organization: all the responsibilities, but none of the resources. 
The structural consequences of this pattern are well documented in how ",[60,9126,9128],{"href":9127},"\u002Fen\u002Fblog\u002Fmissing-devops-roles-smb","missing DevOps roles damage small teams",[56,9130,9131],{},"Constant context switching means producing subpar work in every domain. Quality comes from focus. That's not an opinion, it's a well-documented property of human cognition.",[479,9133],{},[71,9135,9137],{"id":9136},"why-learn-everything-is-not-a-strategy","Why \"Learn Everything\" Is Not a Strategy",[56,9139,9140],{},"The most common reaction to this problem is understandable but misguided: learn even more. More tutorials. More side projects. More certifications.",[56,9142,9143],{},"That doesn't solve the problem. It just moves it.",[56,9145,9146],{},"The real problem isn't a lack of knowledge about specific tools. It's a lack of clarity about what actually matters in a given context. Anyone trying to be equally good at everything falls into a trap: too much context, too little depth, too little time for real problem-solving.",[56,9148,9149,9150,9153],{},"Developer burnout rarely comes from a single difficult project. It comes from chronic overload: too many areas of responsibility, too many open loops, and the persistent feeling of never truly finishing anything. This maps directly onto the structural problems small engineering teams face. The ",[60,9151,9152],{"href":7312},"most common DevOps challenges in SMBs"," stem from exactly this overload pattern.",[56,9155,9156],{},"Context switching is not a minor productivity problem. Research shows that switching between conceptually different tasks can cost up to 40% of working time. 
Someone working on a React component in the morning, debugging a Kubernetes deployment config in the afternoon, and writing a database migration in the evening is effectively working half-days.",[479,9158],{},[71,9160,9162],{"id":9161},"full-context-instead-of-full-stack-the-critical-shift","Full-Context Instead of Full-Stack: the Critical Shift",[56,9164,9165],{},"There's a mindset that works better in practice than \"full stack\": Full Context.",[56,9167,9168],{},"This means the ability to understand a system as a whole — not knowing every detail, but understanding how parts connect, where data flows, where errors originate, and what dependencies exist.",[56,9170,9171],{},"A developer with full context can:",[103,9173,9174,9177,9180,9183],{},[106,9175,9176],{},"trace a frontend performance issue back to a database problem",[106,9178,9179],{},"make a deployment decision because they broadly understand the infrastructure",[106,9181,9182],{},"communicate meaningfully with a DevOps engineer because they speak the language",[106,9184,9185],{},"make architectural decisions that don't need to be refactored three months later",[56,9187,9188],{},"That's more valuable than memorizing Kubernetes manifests or the latest state management framework.",[187,9190,9192],{"id":9191},"depth-beats-breadth-in-the-long-run","Depth Beats Breadth — in the Long Run",[56,9194,9195],{},"The careers that prove valuable over time are rarely the ones where someone was decent at everything. Breadth creates collaborability. Depth creates value.",[56,9197,9198],{},"That doesn't mean learning only one thing and ignoring the rest. 
It means having a clear core domain where you're genuinely skilled, and building sufficient understanding of adjacent areas around it.",[56,9200,9201],{},"A backend developer who has gone deep into database optimization, API design, and server architecture can collaborate productively with frontend developers, DevOps teams, and architects — even without mastering everything themselves.",[187,9203,9205],{"id":9204},"fundamentals-vs-frameworks","Fundamentals vs. Frameworks",[56,9207,9208],{},"React will eventually be replaced by something else. Kubernetes will evolve or be displaced. What remains: caching strategies, concurrency models, API design principles, networking fundamentals, security concepts.",[56,9210,9211],{},"Those who build on fundamentals can quickly make sense of new tools. Those who've only learned tools start over with every new technology layer.",[479,9213],{},[71,9215,9217],{"id":9216},"devops-basics-what-developers-actually-need","DevOps Basics: What Developers Actually Need",[56,9219,9220],{},"There's a difference between \"being a DevOps expert\" and \"understanding DevOps fundamentals.\" The first is a full-time job. 
The second is an expectation placed on every developer today, and that's actually reasonable.",[56,9222,9223],{},"What a full-stack developer should know about DevOps:",[103,9225,9226,9231,9237,9243],{},[106,9227,9228,9230],{},[109,9229,9090],{}," How pipelines work, what a build artifact is, how tests integrate into the pipeline",[106,9232,9233,9236],{},[109,9234,9235],{},"Monitoring:"," What logs, metrics, and traces are, and where to look when something goes wrong",[106,9238,9239,9242],{},[109,9240,9241],{},"Deployment:"," Blue\u002Fgreen, canary, rolling updates — the core principles, not the implementation details",[106,9244,9245,9248],{},[109,9246,9247],{},"Containers:"," What a Docker image is, how a container runs, what the difference between a container and a VM is",[56,9250,9251],{},"This isn't a comprehensive education to become a Site Reliability Engineer. It's the minimum needed to be productive in modern development teams.",[479,9253],{},[71,9255,9257],{"id":9256},"protecting-cognitive-bandwidth","Protecting Cognitive Bandwidth",[56,9259,9260],{},"Doing everything means doing nothing well. That's not a moral statement, it's a cognitive one. The human brain has a limited capacity for parallel contexts, and that capacity is routinely exceeded in full-stack roles.",[56,9262,9263],{},"Practical approaches that help:",[103,9265,9266,9272,9278,9284],{},[106,9267,9268,9271],{},[109,9269,9270],{},"Define ownership clearly:"," What genuinely belongs to my role? What should be delegated, automated, or escalated?",[106,9273,9274,9277],{},[109,9275,9276],{},"Protect focus blocks:"," Deep, concentrated work requires time without interruptions. Two hours without Slack messages and meetings are more productive than eight hours in reactive mode.",[106,9279,9280,9283],{},[109,9281,9282],{},"Communicate trade-offs:"," The best developers aren't those who can do everything. 
They're those who can explain why something shouldn't be done — and what it costs.",[106,9285,9286,9289],{},[109,9287,9288],{},"Offload infrastructure complexity:"," Not every team needs to run Kubernetes from scratch. Platforms that encapsulate that complexity give developers exactly the bandwidth they need for their actual work.",[479,9291],{},[71,9293,9295],{"id":9294},"how-platforms-take-the-infrastructure-load-off","How Platforms Take the Infrastructure Load Off",[56,9297,9298,9299,9302],{},"A concrete example of the last point: ",[60,9300,9301],{"href":1542},"Kubernetes is powerful, but complex",". A smaller team running Kubernetes themselves spends significant time on cluster management, network configuration, upgrades, and security patches, time that doesn't go into product development.",[56,9304,9305,9306,9309],{},"Platforms like ",[60,9307,299],{"href":9308},"\u002Fen"," encapsulate exactly this layer. That doesn't mean developers can be ignorant of the infrastructure — the full-context principle still applies. But it means they don't have to implement and maintain every detail themselves.",[56,9311,9312],{},"The result: developers can focus on what actually constitutes their core value: clean code, good architecture, working features. The platform handles the rest.",[56,9314,9315],{},"If you want to free your team from infrastructure overhead and reclaim focus for product development, that's the right starting point.",[479,9317],{},[71,9319,2102],{"id":2101},[56,9321,9322],{},"\"Full-stack developer\" isn't a bad term. It describes a real need — developers who can think and communicate across systems. The problem arises when the term becomes a justification for unlimited responsibility.",[56,9324,9325],{},"The developers who work well long-term and don't burn out aren't the ones who can do the most. 
They're the ones who clearly know where their value lies, what they can delegate, and how systems connect, without having to master every detail themselves.",[56,9327,9328],{},"Full context beats full stack. Depth beats breadth. And a good platform beats self-managed infrastructure, not because infrastructure knowledge is worthless, but because cognitive bandwidth is finite.",{"title":490,"searchDepth":491,"depth":491,"links":9330},[9331,9332,9335,9336,9340,9341,9342,9343],{"id":9040,"depth":491,"text":9041},{"id":9055,"depth":491,"text":9056,"children":9333},[9334],{"id":9120,"depth":499,"text":9121},{"id":9136,"depth":491,"text":9137},{"id":9161,"depth":491,"text":9162,"children":9337},[9338,9339],{"id":9191,"depth":499,"text":9192},{"id":9204,"depth":499,"text":9205},{"id":9216,"depth":491,"text":9217},{"id":9256,"depth":491,"text":9257},{"id":9294,"depth":491,"text":9295},{"id":2101,"depth":491,"text":2102},"An honest look at what full-stack development means today, where the real problems lie, and how developers can navigate it without burning out.",{"src":9346},"\u002Fimages\u002Fblog\u002Ffull-stack-developer-reality.jpg",{},"\u002Fen\u002Fblog\u002Ffull-stack-developer-reality",{"title":9024,"description":9344},"en\u002F3.blog\u002F40.full-stack-developer-reality","DZXt9cmp9nFwL0ELgUOzTlGSE3HDSjvVHbVG_U19tN4",{"id":9353,"title":9354,"authors":9355,"badge":10,"body":9358,"date":10141,"description":10142,"extension":510,"image":10143,"lastUpdated":4932,"meta":10145,"navigation":14,"path":80,"published":14,"seo":10146,"stem":10147,"tags":10,"__hash__":10148},"posts\u002Fen\u002F3.blog\u002F38.what-is-paas.md","What Is PaaS? 
Platform as a Service Explained",[9356],{"name":43,"to":44,"avatar":9357},{"src":46},{"type":48,"value":9359,"toc":10108},[9360,9363,9367,9370,9374,9395,9419,9425,9440,9444,9451,9457,9463,9468,9471,9474,9478,9481,9485,9488,9494,9497,9501,9504,9507,9510,9513,9517,9520,9523,9529,9532,9536,9539,9543,9546,9549,9569,9572,9576,9579,9582,9588,9602,9605,9609,9620,9623,9649,9656,9660,9666,9669,9689,9692,9696,9702,9706,9709,9716,9719,9745,9748,9752,9755,9758,9769,9772,9776,9779,9783,9789,9795,9801,9807,9811,9820,9823,9834,9837,9851,9854,9858,9861,9867,9878,9881,9901,9907,9921,9924,9928,9942,9946,9957,9961,9987,9991,10003,10007,10013,10019,10025,10031,10037,10043,10047,10053,10059,10065,10071,10077,10083,10089,10095,10098,10101,10103],[56,9361,9362],{},"Modern applications require extensive infrastructure: servers, networks, databases, and monitoring. Platform as a Service (PaaS) abstracts this layer so development teams can focus on code. What matters is that a good platform relies on standards, self-service, and automation, enabling teams to avoid vendor lock-in while retaining governance and control. In this article, we explain how PaaS works, what benefits it offers, and why Kubernetes-based PaaS solutions are a fitting operational model for many teams.",[71,9364,9366],{"id":9365},"understanding-paas-in-the-cloud-computing-model","Understanding PaaS in the Cloud Computing Model",[56,9368,9369],{},"To understand what PaaS is, it helps to look at the different cloud service models. Cloud computing is typically divided into four main categories: Infrastructure as a Service (IaaS), DevOps as a Service (DaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). 
Each model offers different levels of abstraction and responsibility.",[187,9371,9373],{"id":9372},"the-cloud-service-models-at-a-glance","The Cloud Service Models at a Glance",[56,9375,9376,9379,9380,557,9385,1842,9390,415],{},[109,9377,9378],{},"Infrastructure as a Service (IaaS)"," provides the most fundamental cloud resources: virtual machines, storage, and networks. The customer is responsible for the operating system, middleware, runtime environments, and applications. Examples include ",[60,9381,9384],{"href":9382,"rel":9383},"https:\u002F\u002Faws.amazon.com\u002Fpm\u002Fec2\u002F",[64],"Amazon EC2",[60,9386,9389],{"href":9387,"rel":9388},"https:\u002F\u002Fcloud.google.com\u002Fcompute",[64],"Google Compute Engine",[60,9391,9394],{"href":9392,"rel":9393},"https:\u002F\u002Fazure.microsoft.com\u002Fen-us\u002Fproducts\u002Fvirtual-machines",[64],"Azure Virtual Machines",[56,9396,9397,9402,9403,557,9406,557,9410,9415,9416,415],{},[109,9398,9399,9401],{},[60,9400,4894],{"href":486}," (DaaS)"," builds on IaaS by adding production-ready DevOps capabilities and platform services such as CI\u002FCD pipelines, automation, monitoring, logging, and security policies. Teams can deploy and operate faster without having to build and maintain the entire toolchain themselves. Examples include ",[60,9404,5303],{"href":5301,"rel":9405},[64],[60,9407,9409],{"href":5896,"rel":9408},[64],"GitLab CI\u002FCD",[60,9411,9414],{"href":9412,"rel":9413},"https:\u002F\u002Fazure.microsoft.com\u002Fen-us\u002Fproducts\u002Fdevops",[64],"Azure DevOps"," (depending on the scope of managed services used), and ",[60,9417,299],{"href":7506,"rel":9418},[64],[56,9420,9421,9424],{},[109,9422,9423],{},"Platform as a Service (PaaS)"," goes a step further: not only infrastructure resources but also the complete runtime environment, middleware, databases, and development tools are provided. 
Developers can focus entirely on their application code while the platform handles deployment, scaling, and operations.",[56,9426,9427,9430,9431,1829,9434,9439],{},[109,9428,9429],{},"Software as a Service (SaaS)"," represents the highest level of abstraction: finished software is delivered as a service that users simply consume, such as Gmail, ",[60,9432,97],{"href":95,"rel":9433},[64],[60,9435,9438],{"href":9436,"rel":9437},"https:\u002F\u002Fslack.com\u002F",[64],"Slack",". The customer has no access to the underlying infrastructure or platform.",[187,9441,9443],{"id":9442},"what-distinguishes-paas-daas-and-iaas","What Distinguishes PaaS, DaaS, and IaaS?",[56,9445,9446,9447,9450],{},"The key difference between ",[109,9448,9449],{},"IaaS, DaaS, and PaaS"," lies in the responsibility for operations and automation.",[56,9452,2493,9453,9456],{},[109,9454,9455],{},"IaaS",", you need to handle operating system updates, patches, security configurations, network setup, and much more yourself.",[56,9458,9459,9462],{},[109,9460,9461],{},"DaaS"," builds on top of that, delivering additional production-ready DevOps building blocks like CI\u002FCD, monitoring, logging, and policies, giving teams less toolchain overhead while still making some platform and runtime decisions themselves.",[56,9464,2493,9465,9467],{},[109,9466,8320],{},", the provider takes over the underlying infrastructure and additionally provides a standardized application platform.",[56,9469,9470],{},"An example: if you want to run a web application on IaaS, you need to create virtual machines, install an operating system, configure a web server, set up databases, configure load balancers, and implement backup strategies. With DaaS, many of these operational and automation tasks are covered by platform services and preconfigured pipelines. 
With PaaS, you simply deploy your code, and the platform automatically handles the essential aspects of deployment and operations.",[56,9472,9473],{},"This abstraction means less overhead, faster deployments, and more time for actual product development. At the same time, modern PaaS solutions give developers sufficient flexibility and control over their applications.",[71,9475,9477],{"id":9476},"core-features-of-a-platform-as-a-service","Core Features of a Platform as a Service",[56,9479,9480],{},"A PaaS solution is characterized by several central features that cover the entire application lifecycle — from development through deployment to production operations.",[187,9482,9484],{"id":9483},"automated-deployment-and-orchestration","Automated Deployment and Orchestration",[56,9486,9487],{},"One of the most important features of a PaaS is automated deployment. Instead of wrestling with complex deployment scripts, server configurations, and manual processes, developers push their code to a Git repository or use CI\u002FCD pipelines, and the platform takes care of the rest.",[56,9489,9490,9493],{},[109,9491,9492],{},"Modern Kubernetes-based PaaS solutions"," use container technology and orchestration to deploy applications reliably and reproducibly. The platform manages container images, creates deployments, configures services, and ensures the application runs with the right resources.",[56,9495,9496],{},"The deployment process can be fully automated: with every commit to the main branch, a new version is automatically built, tested, and deployed to the production environment — without manual intervention. This is continuous deployment in its most efficient form.",[187,9498,9500],{"id":9499},"scaling-and-resource-management","Scaling and Resource Management",[56,9502,9503],{},"A PaaS automatically handles the scaling of your applications. 
When load increases — for example, due to a sudden traffic spike — the platform automatically starts additional instances of your application. When load decreases, surplus instances are shut down.",[56,9505,9506],{},"This auto-scaling functionality is based on metrics like CPU utilization, memory consumption, or custom metrics (e.g., request rate). Kubernetes PaaS solutions use the Horizontal Pod Autoscaler (HPA) or the Vertical Pod Autoscaler (VPA) to optimally distribute resources.",[56,9508,9509],{},"Additionally, PaaS platforms provide load balancing to distribute incoming requests evenly across all available instances. This ensures high availability and optimal performance.",[56,9511,9512],{},"Another advantage: resource efficiency. Instead of provisioning oversized servers to handle peak loads, you only pay for the resources actually used. The PaaS ensures your application always gets exactly the resources it currently needs.",[187,9514,9516],{"id":9515},"monitoring-logging-and-observability","Monitoring, Logging, and Observability",[56,9518,9519],{},"Without visibility into the state of your applications, you can neither detect nor fix problems. That's why monitoring and logging are fundamental features of every PaaS.",[56,9521,9522],{},"A good PaaS solution automatically collects metrics like CPU usage, memory consumption, request latency, and error rates, displaying them in dashboards. Logs from all containers are centrally collected and made searchable. When critical events occur — such as an application crash or rising error rates — alerts can be triggered automatically.",[56,9524,9525,9528],{},[60,9526,1543],{"href":2164,"rel":9527},[64],"-based PaaS platforms frequently integrate tools like Prometheus for metrics, Grafana for visualization, and Loki or Elasticsearch for log management. 
These tools are available out-of-the-box and preconfigured, so developers can be productive immediately.",[56,9530,9531],{},"The concept of observability goes a step further: it's not just about collecting metrics but understanding the behavior of complex distributed systems. Distributed tracing, for example, helps trace requests through microservice architectures and identify bottlenecks.",[71,9533,9535],{"id":9534},"benefits-of-paas-for-development-teams","Benefits of PaaS for Development Teams",[56,9537,9538],{},"Using a Platform as a Service brings numerous concrete benefits for development and DevOps teams. These range from increased productivity to cost efficiency to better scalability.",[187,9540,9542],{"id":9541},"more-focus-on-business-logic-instead-of-infrastructure","More Focus on Business Logic Instead of Infrastructure",[56,9544,9545],{},"The greatest benefit of PaaS is that developers can focus on what truly matters: the application itself. Instead of spending time on server administration, network configuration, database tuning, and patch management, teams can channel all their energy into features and product improvements.",[56,9547,9548],{},"This shift in focus leads to several positive effects:",[103,9550,9551,9557,9563],{},[106,9552,9553,9556],{},[109,9554,9555],{},"Higher productivity",": Teams deliver more features in less time",[106,9558,9559,9562],{},[109,9560,9561],{},"Fewer error sources",": Infrastructure errors from manual configuration are avoided",[106,9564,9565,9568],{},[109,9566,9567],{},"Better developer experience",": Developers work with modern, developer-friendly tools instead of low-level infrastructure",[56,9570,9571],{},"This advantage is enormous especially for smaller teams or startups that don't have dedicated DevOps or platform engineering teams. 
But larger organizations also benefit from their developers working more efficiently.",[187,9573,9575],{"id":9574},"faster-time-to-market","Faster Time-to-Market",[56,9577,9578],{},"In modern digital markets, speed is a decisive competitive advantage. Those who can ship new features faster win. PaaS enables exactly that.",[56,9580,9581],{},"Through preconfigured environments, automated deployments, and integrated CI\u002FCD pipelines, the time from idea to production feature is dramatically shortened. What used to take days or weeks — setting up a new environment, configuring, and deploying — happens with PaaS in minutes.",[56,9583,9584,9587],{},[109,9585,9586],{},"Development cycles become shorter"," because:",[103,9589,9590,9593,9596,9599],{},[106,9591,9592],{},"New development environments can be created in seconds",[106,9594,9595],{},"Deployments run fully automatically",[106,9597,9598],{},"Testing environments are available on-demand",[106,9600,9601],{},"Rollbacks are immediately possible when problems arise",[56,9603,9604],{},"This means: more experiments, faster feedback, and ultimately better products.",[187,9606,9608],{"id":9607},"cost-efficiency-through-pay-per-use","Cost Efficiency Through Pay-per-Use",[56,9610,9611,9612,9615,9616,9619],{},"Traditionally, companies had to invest in hardware or rent long-term server capacity — often oversized to handle peak loads. 
",[109,9613,9614],{},"PaaS solutions"," instead operate on a ",[109,9617,9618],{},"pay-per-use basis",": you only pay for the resources you actually use.",[56,9621,9622],{},"This cost efficiency results from several factors:",[103,9624,9625,9631,9637,9643],{},[106,9626,9627,9630],{},[109,9628,9629],{},"No overcapacity",": Auto-scaling ensures the right amount of resources is always available",[106,9632,9633,9636],{},[109,9634,9635],{},"No infrastructure investments",": Neither hardware nor datacenter costs",[106,9638,9639,9642],{},[109,9640,9641],{},"Efficient resource utilization",": Containers and Kubernetes enable significantly higher server utilization than traditional VMs",[106,9644,9645,9648],{},[109,9646,9647],{},"Less personnel overhead",": Teams don't need to employ infrastructure experts",[56,9650,9651,9652,9655],{},"Additionally, costs are ",[109,9653,9654],{},"transparent and predictable",". Good PaaS platforms offer detailed cost reports showing which applications consume how many resources.",[71,9657,9659],{"id":9658},"disadvantages-of-paas-vendor-lock-in-and-migration","Disadvantages of PaaS: Vendor Lock-in and Migration",[56,9661,9662,9663,9665],{},"A central disadvantage of many PaaS offerings is ",[60,9664,4986],{"href":333},". 
The more heavily a platform relies on proprietary buildpacks, runtimes, managed services, and specific APIs, the more tightly the application is bound to that particular environment.",[56,9667,9668],{},"This can become problematic when switching:",[103,9670,9671,9677,9683],{},[106,9672,9673,9676],{},[109,9674,9675],{},"Porting and rebuilding",": When exiting, deployments, configurations, observability, security policies, and often database setups must be rebuilt in a new environment.",[106,9678,9679,9682],{},[109,9680,9681],{},"Unexpected costs and downtime risks",": Migrations are time-intensive and increase the risk of operational disruptions.",[106,9684,9685,9688],{},[109,9686,9687],{},"Dependency on product decisions",": Changes to pricing, feature sets, or the platform roadmap directly impact operations.",[56,9690,9691],{},"In comparison, DaaS platforms are generally less \"all-in-one\" than traditional PaaS: they deliver DevOps building blocks like CI\u002FCD, monitoring, and policies without binding the application as tightly to a specific runtime platform. This makes switching easier because the application stays closer to standard deployments and portable artifacts.",[71,9693,9695],{"id":9694},"kubernetes-as-the-foundation-of-modern-paas-solutions","Kubernetes as the Foundation of Modern PaaS Solutions",[56,9697,9698,9699,9701],{},"In recent years, ",[60,9700,1543],{"href":1542}," has established itself as the standard for container orchestration and increasingly forms the technological foundation of modern PaaS solutions. But what makes Kubernetes an ideal foundation for Platform as a Service?",[187,9703,9705],{"id":9704},"from-container-orchestration-to-full-featured-paas","From Container Orchestration to Full-Featured PaaS",[56,9707,9708],{},"Kubernetes itself is initially \"just\" a container orchestration system. It manages containers, handles scaling, network communication, and self-healing. 
For developers, however, vanilla Kubernetes is complex: you need to write YAML manifests and deal with deployments, services, ingress, ConfigMaps, and many other concepts.",[56,9710,9711,9712,9715],{},"A Kubernetes PaaS abstracts this complexity and offers developers a simple, intuitive interface. Instead of writing YAML files, developers deploy with simple commands or via git push. The PaaS translates these high-level actions into the corresponding Kubernetes resources. Teams planning ",[60,9713,9714],{"href":2728},"their Kubernetes migration"," should account for this transition early to avoid common operational pitfalls.",[56,9717,9718],{},"At the same time, the advantages of Kubernetes are preserved:",[103,9720,9721,9727,9733,9739],{},[106,9722,9723,9726],{},[109,9724,9725],{},"Declarative configuration",": Infrastructure as Code",[106,9728,9729,9732],{},[109,9730,9731],{},"Self-healing",": Crashed pods are automatically restarted",[106,9734,9735,9738],{},[109,9736,9737],{},"Service discovery",": Automatic network configuration between services",[106,9740,9741,9744],{},[109,9742,9743],{},"Rolling updates",": Zero-downtime deployments",[56,9746,9747],{},"Modern Kubernetes PaaS platforms augment Kubernetes with additional developer tools: integrated CI\u002FCD pipelines, database services, message queues, object storage, and more — all available as a service.",[187,9749,9751],{"id":9750},"cloud-native-and-portable","Cloud-Native and Portable",[56,9753,9754],{},"A decisive advantage of Kubernetes-based PaaS solutions is their portability. Since Kubernetes has become a de facto standard, Kubernetes workloads run on virtually any infrastructure: on AWS, Google Cloud, Azure, but also on-premise or with specialized providers.",[56,9756,9757],{},"This means no dependency on a single hyperscaler. 
You're not bound to the proprietary services of a cloud provider but can move your workloads between different environments as needed.",[56,9759,9760,9761,9764,9765,9768],{},"For European companies, this is particularly relevant: instead of being forced to use US hyperscalers, they can choose European Kubernetes PaaS providers that ensure ",[60,9762,9763],{"href":5076},"digital sovereignty"," and GDPR compliance. A further evolution of this model is ",[60,9766,9767],{"href":413},"Bring Your Own Cloud",", where the PaaS vendor deploys into your own cloud account rather than shared infrastructure, giving regulated customers full data plane ownership without sacrificing managed operations.",[56,9770,9771],{},"Cloud-native development also means applications are designed for cloud environments from the start. They use microservice architectures, are stateless, scale horizontally, and are resilient against failures. Kubernetes PaaS platforms natively support these patterns.",[71,9773,9775],{"id":9774},"paas-vs-traditional-hosting-and-other-approaches","PaaS vs. Traditional Hosting and Other Approaches",[56,9777,9778],{},"To make the right decision for your infrastructure, it's important to understand the differences between PaaS and other deployment models.",[187,9780,9782],{"id":9781},"paas-vs-vm-based-hosting","PaaS vs. VM-Based Hosting",[56,9784,9785,9788],{},[109,9786,9787],{},"Traditional VM-based hosting"," means you rent virtual machines, install operating systems, and handle all administrative tasks yourself. This offers maximum control but also requires maximum effort.",[56,9790,9791,9792,9794],{},"In contrast, a ",[109,9793,8320],{}," handles all these administrative tasks. The platform manages operating systems, patches, security updates, and network configurations. You simply deploy your code.",[56,9796,9797,9800],{},[109,9798,9799],{},"Flexibility vs. 
convenience",": VMs offer more low-level control, for example when you need special kernel modules or exotic network configurations. For the vast majority of use cases, however, this control is unnecessary — and the convenience of a PaaS clearly outweighs it.",[56,9802,9803,9806],{},[109,9804,9805],{},"Resource efficiency",": Containers, as used in modern PaaS solutions, are significantly more resource-efficient than VMs. While a VM carries a complete operating system, containers share the host system's kernel. This means higher density, faster startup times, and lower costs.",[187,9808,9810],{"id":9809},"paas-vs-serverless-faas","PaaS vs. Serverless (FaaS)",[56,9812,9813,2283,9816,9819],{},[109,9814,9815],{},"Serverless",[109,9817,9818],{},"Function as a Service (FaaS)"," — such as AWS Lambda or Google Cloud Functions — represents yet another abstraction level. Here you don't deploy entire applications but individual functions that are executed in an event-driven manner.",[56,9821,9822],{},"Serverless excels for:",[103,9824,9825,9828,9831],{},[106,9826,9827],{},"Event-based workloads (e.g., image processing after upload)",[106,9829,9830],{},"APIs with sporadic traffic",[106,9832,9833],{},"Batch jobs and background tasks",[56,9835,9836],{},"PaaS is better suited for:",[103,9838,9839,9842,9845,9848],{},[106,9840,9841],{},"Long-running applications (e.g., web servers)",[106,9843,9844],{},"Complex microservice architectures",[106,9846,9847],{},"Applications with state or persistent connections",[106,9849,9850],{},"Workloads with predictable, continuous traffic",[56,9852,9853],{},"Another difference: vendor lock-in. Serverless offerings are usually tightly bound to a provider and use proprietary APIs. Kubernetes-based PaaS solutions, by contrast, are portable.",[187,9855,9857],{"id":9856},"paas-vs-self-managed-kubernetes","PaaS vs. Self-Managed Kubernetes",[56,9859,9860],{},"Many teams consider whether to operate Kubernetes themselves or use a PaaS solution. 
The answer depends on several factors:",[56,9862,9863,9866],{},[109,9864,9865],{},"Self-managed Kubernetes"," offers:",[103,9868,9869,9872,9875],{},[106,9870,9871],{},"Maximum control over all configurations",[106,9873,9874],{},"Ability to customize every aspect",[106,9876,9877],{},"No dependency on a PaaS provider",[56,9879,9880],{},"However, operating Kubernetes is complex. You need expertise for:",[103,9882,9883,9886,9889,9892,9895,9898],{},[106,9884,9885],{},"Cluster setup and maintenance",[106,9887,9888],{},"Networking (CNI plugins, ingress controllers)",[106,9890,9891],{},"Storage (CSI drivers, backup strategies)",[106,9893,9894],{},"Security (RBAC, network policies, pod security)",[106,9896,9897],{},"Monitoring and logging",[106,9899,9900],{},"Upgrades and patches",[56,9902,7445,9903,9906],{},[109,9904,9905],{},"Kubernetes PaaS"," takes all these tasks off your hands. You get a fully configured, secure, and maintained Kubernetes environment. This pays off especially when:",[103,9908,9909,9912,9915,9918],{},[106,9910,9911],{},"You don't have dedicated platform engineering teams",[106,9913,9914],{},"You want to focus on product development rather than infrastructure",[106,9916,9917],{},"You want to be productive quickly",[106,9919,9920],{},"You want to reduce operational costs",[56,9922,9923],{},"The trade-off is slightly less control (although good PaaS solutions still allow access to Kubernetes resources) versus significantly less overhead.",[71,9925,9927],{"id":9926},"paas-vs-daas","PaaS vs. DaaS",[56,9929,9930,9933,9934,9937,9938,9941],{},[60,9931,9932],{"href":8329},"PaaS and DaaS"," (DevOps as a Service) are often conflated in practice but pursue different goals. While PaaS provides an ",[2186,9935,9936],{},"application platform",", DaaS primarily delivers ",[2186,9939,9940],{},"DevOps capabilities"," on a platform. 
DaaS platforms are significantly more flexible than PaaS and prevent lock-in when switching.",[187,9943,9945],{"id":9944},"what-both-have-in-common","What Both Have in Common",[103,9947,9948,9951,9954],{},[106,9949,9950],{},"Both reduce operational overhead through automation.",[106,9952,9953],{},"Both standardize the path from code to deployment, including roles, policies, and self-service.",[106,9955,9956],{},"Both can build on Kubernetes and container technology.",[187,9958,9960],{"id":9959},"where-they-differ","Where They Differ",[103,9962,9963,9969,9975,9981],{},[106,9964,9965,9968],{},[109,9966,9967],{},"Abstraction level",": PaaS abstracts runtime and operations more strongly (e.g., deployments, scaling, routing, logs, metrics \"out of the box\"). DaaS abstracts tooling and processes (CI\u002FCD, observability, security checks, templates) but leaves more freedom in choosing the target platform.",[106,9970,9971,9974],{},[109,9972,9973],{},"Flexibility",": DaaS is often more modular. Teams can use individual building blocks and choose their target environment (Kubernetes, VMs, managed services, cloud providers) themselves.",[106,9976,9977,9980],{},[109,9978,9979],{},"Lock-in risk",": Traditional PaaS can bind more tightly when proprietary buildpacks, APIs, or managed services are central. DaaS can reduce lock-in when it relies on portable artifacts (container images, Helm, GitOps) and standards.",[106,9982,9983,9986],{},[109,9984,9985],{},"Ownership",": With PaaS, the provider takes on more responsibility for platform and runtime operations. 
With DaaS, more responsibility stays with the teams or the underlying infrastructure platform.",[187,9988,9990],{"id":9989},"when-does-each-make-sense","When Does Each Make Sense?",[103,9992,9993,9998],{},[106,9994,9995,9997],{},[109,9996,8320],{},", when teams need to be productive quickly and a consistent developer experience is more important than maximum platform freedom and sovereignty.",[106,9999,10000,10002],{},[109,10001,9461],{},", when teams already have or want to keep a target platform but want to reduce DevOps overhead and standardize governance.",[71,10004,10006],{"id":10005},"use-cases-when-does-paas-make-sense","Use Cases: When Does PaaS Make Sense?",[56,10008,10009,10012],{},[109,10010,10011],{},"Platform as a Service"," isn't the optimal solution for every use case, but it is for many. Here are some typical scenarios where PaaS is particularly well suited:",[56,10014,10015,10018],{},[109,10016,10017],{},"Web applications and APIs",": The classic PaaS scenario. Frontends can be easily deployed, scaled, and operated.",[56,10020,10021,10024],{},[109,10022,10023],{},"Continuous delivery and rapid iterations",": Teams that want to deploy frequently — multiple times a day or even per commit — benefit enormously from automated PaaS deployments.",[56,10026,10027,10030],{},[109,10028,10029],{},"Startups and fast-growing teams",": When you want to focus on your product rather than infrastructure, PaaS is the right choice.",[56,10032,10033,10036],{},[109,10034,10035],{},"Internal tools and developer platforms",": PaaS also makes sense for internal applications — dashboards, admin tools, internal APIs — to save development time.",[56,10038,10039,10042],{},[109,10040,10041],{},"Modernizing legacy applications",": When you want to containerize existing applications and migrate them to modern cloud environments, PaaS offers a low-barrier entry point.",[71,10044,10046],{"id":10045},"finding-the-right-paas-solution","Finding the Right PaaS 
Solution",[56,10048,10049,10050,10052],{},"Choosing the right ",[109,10051,7393],{}," depends on your specific requirements. Important criteria include:",[56,10054,10055,10058],{},[109,10056,10057],{},"Technology stack",": Does the PaaS support your preferred programming languages, frameworks, and tools?",[56,10060,10061,10064],{},[109,10062,10063],{},"Scalability and performance",": Does the platform offer sufficient capacity and performance for your workloads?",[56,10066,10067,10070],{},[109,10068,10069],{},"Cost and pricing model",": Is the pricing transparent and does it fit your budget?",[56,10072,10073,10076],{},[109,10074,10075],{},"Compliance and data protection",": Are your regulatory requirements met, particularly GDPR?",[56,10078,10079,10082],{},[109,10080,10081],{},"Sovereignty",": Do your data stay in Europe, or are you using US hyperscalers?",[56,10084,10085,10088],{},[109,10086,10087],{},"Support and community",": Is there good technical support and an active community?",[56,10090,10091,10094],{},[109,10092,10093],{},"Integration and ecosystem",": Can the PaaS integrate into your existing tools and workflows?",[56,10096,10097],{},"If you're looking for a Kubernetes-based DaaS solution that combines European digital sovereignty, GDPR compliance, and cutting-edge container technology, lowcloud delivers exactly that. The platform is built on Kubernetes and enables you to deploy applications quickly and securely — without vendor lock-in and with full control over your data. All infrastructure is located in German and European data centers.",[56,10099,10100],{},"With lowcloud, you get a full-featured Platform as a Service that takes the overhead of infrastructure management off your hands, allowing you to focus on what truly matters: your application. 
From automated deployments to integrated monitoring to flexible scaling options — lowcloud offers all the features modern development teams need.",[479,10102],{},[56,10104,10105,10107],{},[109,10106,2102],{},": Platform as a Service (PaaS) is the ideal solution for teams that want to focus on product development rather than infrastructure. Kubernetes-based PaaS solutions combine the flexibility of cloud-native technologies with the simplicity of a fully managed platform. For European companies, sovereign PaaS providers additionally offer the assurance that their data remains under European jurisdiction and is processed in a GDPR-compliant manner.",{"title":490,"searchDepth":491,"depth":491,"links":10109},[10110,10114,10119,10124,10125,10129,10134,10139,10140],{"id":9365,"depth":491,"text":9366,"children":10111},[10112,10113],{"id":9372,"depth":499,"text":9373},{"id":9442,"depth":499,"text":9443},{"id":9476,"depth":491,"text":9477,"children":10115},[10116,10117,10118],{"id":9483,"depth":499,"text":9484},{"id":9499,"depth":499,"text":9500},{"id":9515,"depth":499,"text":9516},{"id":9534,"depth":491,"text":9535,"children":10120},[10121,10122,10123],{"id":9541,"depth":499,"text":9542},{"id":9574,"depth":499,"text":9575},{"id":9607,"depth":499,"text":9608},{"id":9658,"depth":491,"text":9659},{"id":9694,"depth":491,"text":9695,"children":10126},[10127,10128],{"id":9704,"depth":499,"text":9705},{"id":9750,"depth":499,"text":9751},{"id":9774,"depth":491,"text":9775,"children":10130},[10131,10132,10133],{"id":9781,"depth":499,"text":9782},{"id":9809,"depth":499,"text":9810},{"id":9856,"depth":499,"text":9857},{"id":9926,"depth":491,"text":9927,"children":10135},[10136,10137,10138],{"id":9944,"depth":499,"text":9945},{"id":9959,"depth":499,"text":9960},{"id":9989,"depth":499,"text":9990},{"id":10005,"depth":491,"text":10006},{"id":10045,"depth":491,"text":10046},"2026-03-25","Learn how Platform as a Service works, its key benefits for development teams, and why 
Kubernetes-based PaaS solutions are ideal for modern applications.",{"src":10144},"\u002Fimages\u002Fblog\u002Fwhat-is-paas.jpg",{},{"title":9354,"description":10142},"en\u002F3.blog\u002F38.what-is-paas","2UBtUgo2PO6YnWP0xNnevSlBcwYMEBr9JHWC6WASi5k",{"id":10150,"title":10151,"authors":10152,"badge":10,"body":10155,"date":10596,"description":10597,"extension":510,"image":10598,"lastUpdated":3942,"meta":10600,"navigation":14,"path":10601,"published":14,"seo":10602,"stem":10603,"tags":10,"__hash__":10604},"posts\u002Fen\u002F3.blog\u002F37.devops-knowledge-documentation-bus-factor.md","Knowledge Documentation in DevOps Teams: How to Actually Reduce Your Bus Factor",[10153],{"name":43,"to":44,"avatar":10154},{"src":46},{"type":48,"value":10156,"toc":10578},[10157,10160,10164,10170,10177,10187,10191,10194,10198,10201,10204,10230,10233,10237,10240,10243,10269,10272,10276,10279,10293,10296,10300,10303,10306,10310,10313,10319,10322,10326,10329,10356,10359,10406,10410,10413,10416,10442,10445,10449,10454,10457,10477,10480,10484,10487,10490,10493,10519,10522,10526,10529,10536,10539,10542,10546,10549,10552,10555,10558,10562,10565,10568,10575],[56,10158,10159],{},"The bus factor is uncomfortable to measure because the result is rarely flattering. When one person leaves the company or is simply on vacation and a critical system becomes unmaintainable as a result, that's not bad luck. It's a structural problem. This article shows why knowledge documentation in DevOps teams fails so often and which approaches actually make a difference.",[71,10161,10163],{"id":10162},"what-the-bus-factor-really-measures","What the Bus Factor Really Measures",[56,10165,10166,10167,415],{},"The term sounds morbid, but it's precise: How many people would have to be unavailable at the same time for your team to lose the ability to operate a critical system? A number greater than two is considered solid. 
In many SMBs, the answer is one — one of the ",[60,10168,10169],{"href":7312},"most common DevOps problems in SMBs",[56,10171,10172,10173,10176],{},"This isn't a criticism of the individuals involved — it's a symptom of ",[60,10174,10175],{"href":9127},"how infrastructure evolves in small teams",". Someone builds the system, learns along the way, makes decisions. Those decisions rarely end up in a document. They end up in someone's head.",[56,10178,10179,10182,10183,10186],{},[109,10180,10181],{},"Why this is dangerous:"," A Kubernetes cluster has many moving parts. Which namespace belongs to which service? Why does the ingress controller run on that specific configuration? Why was ",[60,10184,10185],{"href":2108},"Helm chosen over Kustomize"," back then? If nobody knows the answers except one person, you have a knowledge monopoly — and knowledge monopolies are expensive risks.",[71,10188,10190],{"id":10189},"why-documentation-always-fails-in-small-teams","Why Documentation Always Fails in Small Teams",[56,10192,10193],{},"Documentation in small teams rarely fails due to a lack of willingness. It fails because it doesn't fit the reality: little time, fast pace, constantly shifting priorities. And that's exactly why two patterns almost always emerge.",[187,10195,10197],{"id":10196},"problem-1-documentation-is-treated-as-an-afterthought-and-always-loses","Problem 1: Documentation Is Treated as an Afterthought (and Always Loses)",[56,10199,10200],{},"In small teams, the day is packed with \"real\" work: finishing features, solving customer issues, keeping releases stable. 
Documentation automatically lands at the bottom of the priority chain — as a sticky note on a ticket or a \"we'll do it later.\"",[56,10202,10203],{},"This sounds harmless but has several systematic effects:",[103,10205,10206,10212,10218,10224],{},[106,10207,10208,10211],{},[109,10209,10210],{},"Motivation disappears once the problem is solved:"," As soon as an incident is resolved or a feature is shipped, documentation feels like bureaucracy. The pain is gone, so there's no pressure to write it down properly.",[106,10213,10214,10217],{},[109,10215,10216],{},"Context vanishes extremely fast:"," Why was a decision made? Which alternative was discarded? Which assumption was important at the time? After a few days, the knowledge is already \"approximate\" — after a few weeks, it's being reconstructed rather than documented.",[106,10219,10220,10223],{},[109,10221,10222],{},"The next task pushes in:"," Small teams rarely work with generous time buffers. When the next ticket is already waiting, documentation feels like a luxury. And luxury never wins against an urgent to-do.",[106,10225,10226,10229],{},[109,10227,10228],{},"Quality decreases the later you write:"," People who document after the fact tend to write vaguely (\"we did X this way\") instead of concretely (\"we did X for reason Y, with risk Z, and rollback is A\"). This vague documentation barely helps in an emergency.",[56,10231,10232],{},"The result is predictable: documentation either never gets created, or it becomes a \"snapshot\" of yesterday. But infrastructure isn't a snapshot — it changes. 
And when documentation isn't part of the normal workflow (e.g., review checklists, PR templates, definition of done, runbook updates on alerts), it becomes legacy debt.",[187,10234,10236],{"id":10235},"problem-2-the-wiki-grows-large-and-becomes-untrustworthy-information-entropy","Problem 2: The Wiki Grows Large and Becomes Untrustworthy (Information Entropy)",[56,10238,10239],{},"The second classic is the \"wiki paradox\": you try to solve the documentation problem by writing more documentation. This creates volume, but not automatically value.",[56,10241,10242],{},"Over time, the following happens:",[103,10244,10245,10251,10257,10263],{},[106,10246,10247,10250],{},[109,10248,10249],{},"Wikis grow faster than they can be maintained:"," Every new component creates new pages, every change creates new discrepancies. Maintenance is an ongoing task, but in daily practice it's treated as a one-time effort.",[106,10252,10253,10256],{},[109,10254,10255],{},"Nobody knows what's still accurate:"," Once a team has experienced 1–2 times that a wiki page was outdated or wrong, trust drops. And without trust, the wiki stops being consulted.",[106,10258,10259,10262],{},[109,10260,10261],{},"Search replaces structure — and fails:"," Instead of clear \"golden path\" documents, there are many individual pages. People search by keywords, get five results, and have to guess which one is valid.",[106,10264,10265,10268],{},[109,10266,10267],{},"Documentation becomes \"archaeology\":"," New team members read through historical entries without knowing what's relevant today. 
This costs time, creates uncertainty, and ultimately leads back to the same solution: asking someone.",[56,10270,10271],{},"The effect is paradoxical here too: there's \"a lot\" of documentation, but it barely reduces dependency on individuals because the team doesn't use it as a reliable source.",[187,10273,10275],{"id":10274},"why-these-two-problems-reinforce-each-other","Why These Two Problems Reinforce Each Other",[56,10277,10278],{},"Both patterns are connected:",[103,10280,10281,10284,10287,10290],{},[106,10282,10283],{},"Because documentation happens as an afterthought, it becomes irregular and fragmented.",[106,10285,10286],{},"Because it's fragmented, the wiki grows chaotically.",[106,10288,10289],{},"Because the wiki is chaotic, trust drops.",[106,10291,10292],{},"Because trust drops, people document even less (\"nobody reads it anyway\").",[56,10294,10295],{},"And once that happens, knowledge gets distributed verbally again: via Slack messages, in calls, on the fly. This is efficient in the short term — but it rebuilds the bus factor.",[187,10297,10299],{"id":10298},"what-this-means-in-practice","What This Means in Practice",[56,10301,10302],{},"If you're reading this chapter and thinking \"yes, that's exactly how it is for us,\" that's not individual failure. It's a signal that your documentation approach doesn't fit your team size and working mode.",[56,10304,10305],{},"The solution is therefore almost never: \"write more.\" The solution is: write less, but more integrated and reliable — and shift as much as possible into self-documenting artifacts (IaC in Git, traceable deployments, clear defaults, short runbooks), so that documentation doesn't have to work against reality, but with it.",[71,10307,10309],{"id":10308},"infrastructure-as-code-as-living-documentation","Infrastructure as Code as Living Documentation",[56,10311,10312],{},"The most effective step against knowledge silos isn't writing more documentation. 
It's building systems that document themselves.",[56,10314,10315,10318],{},[109,10316,10317],{},"Infrastructure as Code"," is exactly that. When your cluster setup lives in Git, the current state of the system is traceable at any time. Anyone who wants to know how a deployment is configured looks at the repository — not into a colleague's head.",[56,10320,10321],{},"This requires that IaC is actually the single source of truth. If configurations are manually overridden and the repository no longer reflects the real state, you lose the advantage immediately. Process discipline matters more here than tooling.",[187,10323,10325],{"id":10324},"comparing-terraform-helm-and-kustomize","Comparing Terraform, Helm, and Kustomize",[56,10327,10328],{},"Three approaches have established themselves for Kubernetes environments:",[103,10330,10331,10339,10346],{},[106,10332,10333,10338],{},[60,10334,10336],{"href":2879,"rel":10335},[64],[109,10337,2022],{}," offers templates with variables. The code is readable as long as the values files are maintained. A solid standard for recurring deployments.",[106,10340,10341,10345],{},[60,10342,10343],{"href":2137},[109,10344,1549],{}," works with overlays on base manifests. Less abstraction, but closer to native Kubernetes YAML. Good for teams that prefer working directly with manifests.",[106,10347,10348,10355],{},[60,10349,10352],{"href":10350,"rel":10351},"https:\u002F\u002Fdeveloper.hashicorp.com\u002Fterraform",[64],[109,10353,10354],{},"Terraform"," with the Kubernetes provider works well when infrastructure and applications should be managed from a single source. The learning curve is steeper, but consistency across multiple environments is hard to beat.",[56,10357,10358],{},"Which tool fits your team better depends less on features and more on how you work. 
What matters is: whatever you choose, it must live in Git, and the actual state must be reflected in it.",[598,10360,10362],{"className":600,"code":10361,"language":602,"meta":490,"style":490},"# Example: Helm deployment with explicit values for traceability\nhelm upgrade --install my-service .\u002Fchart \\\n  --values .\u002Fenvironments\u002Fproduction\u002Fvalues.yaml \\\n  --namespace production \\\n  --atomic\n",[554,10363,10364,10369,10383,10393,10401],{"__ignoreMap":490},[606,10365,10366],{"class":608,"line":609},[606,10367,10368],{"class":612},"# Example: Helm deployment with explicit values for traceability\n",[606,10370,10371,10373,10375,10377,10379,10381],{"class":608,"line":491},[606,10372,3459],{"class":618},[606,10374,3508],{"class":622},[606,10376,3539],{"class":622},[606,10378,4848],{"class":622},[606,10380,3858],{"class":622},[606,10382,669],{"class":668},[606,10384,10385,10388,10391],{"class":608,"line":499},[606,10386,10387],{"class":622},"  --values",[606,10389,10390],{"class":622}," .\u002Fenvironments\u002Fproduction\u002Fvalues.yaml",[606,10392,669],{"class":668},[606,10394,10395,10397,10399],{"class":608,"line":650},[606,10396,3865],{"class":622},[606,10398,3868],{"class":622},[606,10400,669],{"class":668},[606,10402,10403],{"class":608,"line":672},[606,10404,10405],{"class":622},"  --atomic\n",[71,10407,10409],{"id":10408},"why-iac-isnt-always-the-best-answer-for-smbs","Why IaC Isn't Always the Best Answer for SMBs",[56,10411,10412],{},"Infrastructure as Code is a strong principle, but it has an often underestimated prerequisite: there must be someone who permanently \"owns\" the infrastructure as code.",[56,10414,10415],{},"Especially in SMBs, one (or several) of these problems frequently occurs:",[103,10417,10418,10424,10430,10436],{},[106,10419,10420,10423],{},[109,10421,10422],{},"High entry barrier and tool overhead:"," Terraform\u002FHelm\u002FKustomize, state handling, module structure, secrets, provider versions, testing, policy. 
This is valuable but not \"free.\" For small teams, IaC can quickly become a second product.",[106,10425,10426,10429],{},[109,10427,10428],{},"Maintenance is not optional:"," IaC only reduces drift if it's consistently the only way to make changes. In practice, hotfixes, manual interventions, provider updates, and breaking changes occur — creating documentation and operational work again.",[106,10431,10432,10435],{},[109,10433,10434],{},"The bus factor just shifts:"," Without clear standards and ownership, knowledge no longer lives \"in someone's head\" but in a set of scripts\u002Fmodules that only one person truly understands.",[106,10437,10438,10441],{},[109,10439,10440],{},"More degrees of freedom = more variance:"," IaC allows many ways to be \"correct.\" In small teams, this often leads to individual handwriting rather than a stable standard — and thus to exactly the onboarding problem you were trying to solve.",[56,10443,10444],{},"This doesn't mean \"IaC is bad.\" It just means: in SMBs, the question isn't \"can we do IaC?\" but \"can we operate IaC cleanly long-term — and is that the best use of our limited time?\"",[71,10446,10448],{"id":10447},"why-devops-as-a-service-can-help-here","Why DevOps as a Service Can Help Here",[56,10450,7445,10451,10453],{},[60,10452,487],{"href":486}," shifts the focus from \"we build and maintain our own IaC framework\" to \"we use standards that are already productized.\"",[56,10455,10456],{},"The practical benefit for SMBs:",[103,10458,10459,10465,10471],{},[106,10460,10461,10464],{},[109,10462,10463],{},"Standardized deployments and defaults:"," Less decision-making and maintenance overhead because central baseline patterns are already predefined.",[106,10466,10467,10470],{},[109,10468,10469],{},"Less to document:"," When ingress, observability, security basics, and deployment mechanics are standardized through the platform, teams primarily need to document application-specific 
knowledge.",[106,10472,10473,10476],{},[109,10474,10475],{},"Ownership stays with the team — without the ops overhead:"," Teams can work self-service without having to model every detail of Kubernetes\u002FIaC themselves.",[56,10478,10479],{},"In this model, IaC as a principle is preserved (versioning, traceability, repeatability), but the amount of self-maintained \"platform code\" decreases. For many SMBs, that's exactly the difference between \"we intend to document\" and \"our infrastructure is actually understandable and repeatable.\"",[71,10481,10483],{"id":10482},"runbooks-small-current-usable","Runbooks: Small, Current, Usable",[56,10485,10486],{},"A runbook isn't documentation in the traditional sense. It's an operational guide for a specific scenario: What to do when a pod crashes? How is a rollback performed? What are the first steps during a database outage?",[56,10488,10489],{},"Good runbooks are short. If a runbook is longer than one page, it's no longer a runbook — it's a manual that nobody reads in an emergency. The goal is: someone who doesn't know the system from the ground up can narrow down the problem in a few minutes.",[56,10491,10492],{},"What a useful runbook contains:",[103,10494,10495,10501,10507,10513],{},[106,10496,10497,10500],{},[109,10498,10499],{},"Symptom",": How do I recognize the problem?",[106,10502,10503,10506],{},[109,10504,10505],{},"Causes",": What are typical triggers?",[106,10508,10509,10512],{},[109,10510,10511],{},"Immediate actions",": What can I do right now to limit the damage?",[106,10514,10515,10518],{},[109,10516,10517],{},"Escalation",": Who do I contact if this doesn't help?",[56,10520,10521],{},"Runbooks must live where they can be found in an emergency — not in a nested wiki, but in a known, quickly accessible location. 
And they must stay current: a runbook pointing to a configuration from two years ago is worse than having none at all.",[71,10523,10525],{"id":10524},"how-a-daas-platform-reduces-documentation-overhead","How a DaaS Platform Reduces Documentation Overhead",[56,10527,10528],{},"An often underestimated lever is the platform layer itself. The more complexity is hidden behind an abstraction layer, the less there is to document.",[56,10530,10531,10532,10535],{},"On a DevOps-as-a-Service platform like ",[60,10533,299],{"href":7506,"rel":10534},[64],", developers deploy applications through standardized interfaces. The question \"How is our ingress configured?\" no longer arises in the same way — that's the platform's job. What the team needs to document shrinks to the application-specific parts.",[56,10537,10538],{},"This doesn't just reduce documentation overhead. It also increases quality: when the team focuses on a smaller, more clearly defined area, it's more realistic that documentation stays current.",[56,10540,10541],{},"Beyond that, managed platforms often come with built-in observability, audit logs, and traceable deployment histories. This doesn't replace documentation, but it provides context that would otherwise be lost.",[71,10543,10545],{"id":10544},"knowledge-transfer-during-personnel-changes","Knowledge Transfer During Personnel Changes",[56,10547,10548],{},"Offboarding is the moment when missing documentation becomes most expensive. A person leaves the company, and with them go decision backgrounds, undocumented configurations, and informal knowledge about system relationships.",[56,10550,10551],{},"No onboarding process in the world can compensate for this if the fundamentals are missing. What helps is a structured handover — not as a PDF document shortly before the last working day, but as a continuous process.",[56,10553,10554],{},"Pair sessions where knowledge is actively transferred are more effective than written documentation alone. 
Combined with a well-maintained IaC foundation and current runbooks, the bus factor drops noticeably — even without someone having to explain the entire system from scratch.",[56,10556,10557],{},"A simple test: Could a new team member, without asking questions, deploy an existing service, narrow down an error, and trace a configuration change? If not, you have a documentation problem — regardless of how many wiki pages exist.",[71,10559,10561],{"id":10560},"conclusion-documentation-that-lives","Conclusion: Documentation That Lives",[56,10563,10564],{},"Knowledge documentation in DevOps teams doesn't work as a separate process. It must be integrated into the workflow — through IaC that reflects system state, through readable pipelines, through short and current runbooks.",[56,10566,10567],{},"The goal isn't complete documentation. The goal is to lower the bus factor to an acceptable level and make onboarding realistic. This doesn't require extensive wikis. It requires discipline, clear responsibilities, and a platform layer that hides complexity where it doesn't need to be managed by the team itself.",[56,10569,10570,10571,10574],{},"If you haven't made the move to a DaaS platform yet: ",[60,10572,299],{"href":7506,"rel":10573},[64]," is a Kubernetes-based platform that helps teams reduce infrastructure complexity and focus on what really matters — their own code.",[1499,10576,10577],{},"",{"title":490,"searchDepth":491,"depth":491,"links":10579},[10580,10581,10587,10590,10591,10592,10593,10594,10595],{"id":10162,"depth":491,"text":10163},{"id":10189,"depth":491,"text":10190,"children":10582},[10583,10584,10585,10586],{"id":10196,"depth":499,"text":10197},{"id":10235,"depth":499,"text":10236},{"id":10274,"depth":499,"text":10275},{"id":10298,"depth":499,"text":10299},{"id":10308,"depth":491,"text":10309,"children":10588},[10589],{"id":10324,"depth":499,"text":10325},{"id":10408,"depth":491,"text":10409},{"id":10447,"depth":491,"text":10448},{"id":10482,"depth":491,"text":10483},{"id":10524,"depth":491,"text":10525},{"id":10544,"depth":491,"text":10545},{"id":10560,"depth":491,"text":10561},"2026-03-24","Why documentation fails in small DevOps teams and how IaC, runbooks, and DaaS platforms actually lower the bus factor.",{"src":10599},"\u002Fimages\u002Fblog\u002Fdevops-knowledge-documentation-bus-factor.jpg",{},"\u002Fen\u002Fblog\u002Fdevops-knowledge-documentation-bus-factor",{"title":10151,"description":10597},"en\u002F3.blog\u002F37.devops-knowledge-documentation-bus-factor","Xkp5N2i9m_MYwtnl4S176PLBS-1yd_Cg1sXeMvAmlm0",{"id":10606,"title":10607,"authors":10608,"badge":10,"body":10611,"date":10753,"description":10754,"extension":510,"image":10755,"lastUpdated":3938,"meta":10757,"navigation":14,"path":10758,"published":14,"seo":10759,"stem":10760,"tags":10,"__hash__":10761},"posts\u002Fen\u002F3.blog\u002F33.ob7-case-study-lowcloud-deployment.md","OB7 Case Study: Website Deployment Without Infrastructure 
Overhead",[10609],{"name":13,"to":523,"avatar":10610},{"src":8},{"type":48,"value":10612,"toc":10746},[10613,10617,10622,10630,10633,10637,10640,10643,10646,10650,10653,10656,10660,10663,10666,10669,10672,10675,10678,10682,10685,10688,10694,10697,10700,10704,10707,10710,10713,10716,10719,10722,10725,10727,10735,10738,10743],[51,10614,10616],{"id":10615},"ob7-deployed-their-new-website-with-lowcloud-without-worrying-about-infrastructure","OB7 Deployed Their New Website with lowcloud. Without Worrying About Infrastructure.",[56,10618,10619],{},[109,10620,10621],{},"Why a team of experienced developers would rather build than configure servers",[56,10623,10624,10629],{},[60,10625,10628],{"href":10626,"rel":10627,"target":23},"https:\u002F\u002Fob7.com\u002F",[64],"OB7",", based in Dortmund, Germany, develops white-label EV charging software for utilities and charging infrastructure operators. The team has the expertise to set up their infrastructure entirely on their own. But that's exactly what they didn't want to do anymore.",[56,10631,10632],{},"\"We just wanted to deploy,\" says Jörn Depenbrock, founder of OB7. \"We know how to build containers. But why should I deal with SSL certificates, webhooks, and servers when I could be working on my product?\"",[71,10634,10636],{"id":10635},"the-real-pain-point-time-is-limited","The Real Pain Point: Time Is Limited",[56,10638,10639],{},"The team at OB7 has set up infrastructure plenty of times before. They know how it's done. But at some point, the question arose: Is this really the best use of our time?",[56,10641,10642],{},"Every hour spent on server configuration is an hour taken away from the product. Every SSL debugging session comes at the cost of new features. And every late-night maintenance window is a night not spent improving the platform.",[56,10644,10645],{},"The math is simple: building containers is part of the product — that makes sense. But everything around it? 
There are better solutions for that.",[71,10647,10649],{"id":10648},"container-image-and-you-handle-the-rest","\"Container Image, and You Handle the Rest\"",[56,10651,10652],{},"That's exactly the expectation Jörn had when he came to lowcloud. No interest in YAML files, Kubernetes configs, or late-night server maintenance. The requirement was crystal clear: OB7 delivers the finished container image, lowcloud does the rest.",[56,10654,10655],{},"And that's exactly how the workflow looks: connect the container registry, configure the webhook, deploy. That's it. No additional steps, no additional configs, no additional clicks.",[71,10657,10659],{"id":10658},"what-lowcloud-takes-care-of","What lowcloud Takes Care Of",[56,10661,10662],{},"lowcloud handles everything between \"code is done\" and \"website is live.\" Fully automated.",[56,10664,10665],{},"It starts with server provisioning: as soon as the container image is ready, the servers are too. No manual setup, no ticket to the cloud provider, no waiting for provisioning.",[56,10667,10668],{},"SSL certificates are automatically issued and renewed. No manual Let's Encrypt setup, no cron jobs for renewals, no monitoring whether the certificate is still valid.",[56,10670,10671],{},"With every GitHub push, a webhook fires and a new deployment rolls out. No custom CI\u002FCD pipeline, no infrastructure configs, no deployment scripts to maintain.",[56,10673,10674],{},"On top of that, there's load balancing and traffic routing. Just there, easily configured, just running.",[56,10676,10677],{},"\"SSL provisioning is flying, image pulls work, webhook is running — perfect!\" Jörn wrote after the first deployments.",[71,10679,10681],{"id":10680},"why-ob7-uses-the-managed-service","Why OB7 Uses the Managed Service",[56,10683,10684],{},"OB7 could have gone with Bring Your Own Cloud. Their own cloud accounts, their own provider relationship, full control over the infrastructure layer. 
For many teams, that's exactly the right approach.",[56,10686,10687],{},"But Jörn deliberately wanted the opposite: no Hetzner account to manage, no invoices from cloud providers, simply zero contact with the infrastructure layer.",[56,10689,10690,10691,10693],{},"That's why OB7 chose lowcloud's Managed Service. In practice, this means: lowcloud hosts on German and European providers — in this case, ",[60,10692,5136],{"href":5426},". OB7 doesn't have to worry about the account, provider contracts, or infrastructure compliance. lowcloud handles all of it.",[56,10695,10696],{},"The result is zero infrastructure overhead: no server maintenance, no provider communication, no on-call for infrastructure issues. OB7 focuses entirely on their product, and lowcloud takes care of everything else.",[56,10698,10699],{},"And it all stays GDPR-compliant and hosted in Europe. Exactly what matters in the regulated e-mobility sector. Just without the hassle.",[71,10701,10703],{"id":10702},"where-lowcloud-as-a-platform-is-headed","Where lowcloud as a Platform Is Headed",[56,10705,10706],{},"Deploying OB7's website in a container was just the beginning for lowcloud. Our goal is to become the standard for modern cloud infrastructure in Germany.",[56,10708,10709],{},"In concrete terms, that means: more scalability, more resilience, more automation. Kubernetes runs under the hood, but users only see what they need to. The complexity stays with us; the simplicity stays with the customer.",[56,10711,10712],{},"Long-term, we want to offer managed services for everything development teams need: not just container deployments, but also databases, monitoring, and logging. All managed, all GDPR-compliant, all in Europe.",[56,10714,10715],{},"At the same time, Bring Your Own Cloud remains an important option. 
For teams where full control over their infrastructure matters — their own cloud accounts, their own provider relationships, their own compliance documentation — BYOC is exactly the right fit. lowcloud orchestrates the deployments, but the infrastructure belongs to the team.",[56,10717,10718],{},"Both approaches have their place: Managed Service for teams like OB7 who don't want to worry about anything. BYOC for teams that need maximum control. Both on the same platform, both with the same workflow.",[56,10720,10721],{},"And then there's AI. Already, we're seeing more and more teams building AI-powered applications. Apps that work with LLMs. Services that run agents in the background. All of this requires infrastructure that scales, that's secure, and that doesn't come from the US.",[56,10723,10724],{},"lowcloud aims to be exactly that platform. For European teams that want to build modern software without having to worry about infrastructure.",[479,10726],{},[56,10728,10729],{},[109,10730,10731,10732],{},"About ",[60,10733,10628],{"href":10626,"rel":10734,"target":23},[64],[56,10736,10737],{},"OB7 develops white-label EV charging software for utilities and charge point operators. The platform enables ad-hoc charging without registration, white-label driver apps, and cross-charging networks. Currently in use at Stadtwerke Stuttgart and Energieversorgung Oberhausen.",[56,10739,10740],{},[109,10741,10742],{},"About lowcloud",[56,10744,10745],{},"lowcloud is a European DevOps platform for teams without dedicated DevOps engineers. Deploy containers on your own infrastructure, GDPR-compliant, without vendor lock-in. 
Long-term, the platform for AI-powered applications and services in Europe.",{"title":490,"searchDepth":491,"depth":491,"links":10747},[10748,10749,10750,10751,10752],{"id":10635,"depth":491,"text":10636},{"id":10648,"depth":491,"text":10649},{"id":10658,"depth":491,"text":10659},{"id":10680,"depth":491,"text":10681},{"id":10702,"depth":491,"text":10703},"2026-03-23","How OB7 deploys their new website with lowcloud – no server configuration, SSL setup, or provider management. A case study on managed container deployments.",{"src":10756},"\u002Fimages\u002Fblog\u002Fcustomer-case-study-ob7.jpg",{},"\u002Fen\u002Fblog\u002Fob7-case-study-lowcloud-deployment",{"title":10607,"description":10754},"en\u002F3.blog\u002F33.ob7-case-study-lowcloud-deployment","0aMBmzu07seBP2hvG1IJPPiO5ZnpqzpIxNVU-BG_yIY",{"id":10763,"title":10764,"authors":10765,"badge":10,"body":10768,"date":10753,"description":11059,"extension":510,"image":11060,"lastUpdated":9014,"meta":11062,"navigation":14,"path":11063,"published":14,"seo":11064,"stem":11065,"tags":10,"__hash__":11066},"posts\u002Fen\u002F3.blog\u002F36.collaborative-devops-teams.md","Collaborative DevOps: How Modern Teams Build Cloud Apps Together",[10766],{"name":43,"to":44,"avatar":10767},{"src":46},{"type":48,"value":10769,"toc":11040},[10770,10773,10776,10779,10783,10786,10789,10792,10796,10799,10806,10809,10813,10816,10819,10823,10830,10833,10837,10840,10851,10854,10874,10878,10892,10895,10899,10902,10905,10909,10917,10920,10924,10927,10930,10934,10937,10940,10944,10947,10950,10957,10961,10966,10969,10972,10979,10982,10986,10989,10995,11021,11024,11026,11029,11032,11035,11037],[51,10771,10764],{"id":10772},"collaborative-devops-how-modern-teams-build-cloud-apps-together",[56,10774,10775],{},"Most deployment problems don't originate in the code. They emerge in the gap — between the moment a developer merges their branch and the moment the change runs stably in production. 
That's exactly where responsibility is unclear, communication breaks down, and teams pursue different goals.",[56,10777,10778],{},"Collaborative DevOps is the attempt to close this gap structurally. Not with a new tool, but with shared responsibility, common processes, and infrastructure that doesn't hinder collaboration but actively enables it.",[71,10780,10782],{"id":10781},"why-traditional-devops-often-fails-at-organizational-boundaries","Why Traditional DevOps Often Fails at Organizational Boundaries",[56,10784,10785],{},"DevOps as a term has existed for almost twenty years. Yet in many organizations, development and operations still work largely in silos: Dev writes code and wants to release fast. Ops runs systems and wants stability. Both goals are legitimate — but without shared processes, they lead to a structural conflict.",[56,10787,10788],{},"The classic symptom: code gets \"thrown over the wall.\" Developers deploy to staging, the ops team takes over for production, and when something goes wrong, the finger-pointing begins. This isn't a failure of individuals. It's the predictable result of structures that cut off responsibility at a boundary.",[56,10790,10791],{},"The problem scales with team size. A two-person startup can do DevOps implicitly because everyone knows everything. A company with twenty development teams needs explicit structures — otherwise each team does DevOps its own way, which in practice often means: not at all.",[71,10793,10795],{"id":10794},"what-collaborative-devops-actually-means","What Collaborative DevOps Actually Means",[56,10797,10798],{},"Collaborative DevOps isn't a methodology with certification. It's a working model built on two core principles: shared ownership and transparent processes.",[56,10800,10801,10802,10805],{},"Shared ownership means a development team isn't just responsible for the code, but for the entire lifecycle of its application — from the first commit to running in production. 
This is the \"you build it, you run it\" approach that Werner Vogels of ",[60,10803,5914],{"href":5912,"rel":10804},[64]," described back in 2006, and that is still rarely implemented consistently in practice.",[56,10807,10808],{},"Transparent processes mean that infrastructure, deployment workflows, and operational parameters are visible and understandable to everyone involved. No knowledge locked in the heads of individual ops staff. No deployment that only one specific person can trigger.",[187,10810,10812],{"id":10811},"shared-responsibility-in-practice","Shared Responsibility in Practice",[56,10814,10815],{},"In day-to-day work, shared responsibility means developers participate in on-call rotations, set up monitoring themselves, and don't delegate incident response. In the short term, that's extra work. In the medium term, it leads to teams building software that's easier to operate — because the people who build it also bear the consequences of running it.",[56,10817,10818],{},"A side effect that's often underestimated: developers who've been woken up at night because of an incident write better logs afterward.",[187,10820,10822],{"id":10821},"observability-as-a-common-language","Observability as a Common Language",[56,10824,10825,10826,10829],{},"A central building block for Collaborative DevOps is ",[60,10827,10828],{"href":4125},"observability",". Logs, metrics, and traces must be equally accessible to both developers and ops teams. If only the ops team can access production data, genuine collaboration is structurally impossible. Developers never have a complete picture of how their applications behave at runtime.",[56,10831,10832],{},"This doesn't mean everyone needs to see everything everywhere. 
It means the tools for collaborative debugging exist: a dashboard both teams use, alerting rules both teams know, and a shared language for describing failures.",[71,10834,10836],{"id":10835},"gitops-as-the-technical-foundation-for-collaborative-devops","GitOps as the Technical Foundation for Collaborative DevOps",[56,10838,10839],{},"Cultural principles need technical tools that support them. For Collaborative DevOps, GitOps is currently the clearest concept.",[56,10841,10842,10843,2283,10846,10850],{},"The core idea: the desired state of the entire infrastructure and all applications is described in a Git repository. Changes are treated like code — as pull requests, with reviews, with versioning. An operator in the cluster (",[60,10844,7529],{"href":7527,"rel":10845},[64],[60,10847,5902],{"href":10848,"rel":10849},"https:\u002F\u002Fargo-cd.readthedocs.io\u002Fen\u002Fstable\u002F",[64]," are the most common) continuously reconciles the actual state with the target state from the repository.",[56,10852,10853],{},"This has several direct effects on collaboration:",[103,10855,10856,10862,10868],{},[106,10857,10858,10861],{},[109,10859,10860],{},"Traceability:"," Every infrastructure change is a commit. Who changed what and when is always traceable.",[106,10863,10864,10867],{},[109,10865,10866],{},"Collaboration:"," Infrastructure changes can be proposed by developers and reviewed by ops teams — and vice versa.",[106,10869,10870,10873],{},[109,10871,10872],{},"Self-healing:"," Manual changes to the cluster are automatically reverted because the operator restores the target state from Git. No configuration drift.",[187,10875,10877],{"id":10876},"infrastructure-as-code-making-infrastructure-readable","Infrastructure as Code — Making Infrastructure Readable",[56,10879,10880,10881,10884,10885,10887,10888,10891],{},"Infrastructure as Code is the foundation that enables developers to understand and co-shape infrastructure in the first place. 
When ",[60,10882,1543],{"href":2164,"rel":10883},[64]," manifests, ",[60,10886,2022],{"href":3634}," charts, or ",[60,10889,10354],{"href":10350,"rel":10890},[64]," configurations live in the same repository as the application code, a shared language emerges.",[56,10893,10894],{},"Ops teams can provide code reviews on application architecture. Developers can modify resource requirements and network configurations directly in a pull request. Knowledge spreads — instead of disappearing into silos and leaving the company along with employees.",[187,10896,10898],{"id":10897},"pull-requests-as-a-deployment-process","Pull Requests as a Deployment Process",[56,10900,10901],{},"A pull-request-based deployment process is more than a technical detail. It's a social structure: every change that goes to production has been seen by at least one other person. This creates a safety net while simultaneously forcing communication between teams.",[56,10903,10904],{},"In practice: a developer opens a pull request that references a new image version in the GitOps configuration files. Someone from the platform or ops team reviews, comments if needed, and merges. The operator in the cluster detects the change and deploys. No ticket, no handover meeting — the process is the pull request.",[71,10906,10908],{"id":10907},"platform-engineering-when-collaborative-devops-scales","Platform Engineering: When Collaborative DevOps Scales",[56,10910,10911,10912,10916],{},"Beyond a certain team size, the \"every team does everything itself\" model hits its limits. Not every development team can or should be deeply familiar with Kubernetes, monitoring stacks, and CI\u002FCD pipelines. 
This is where ",[60,10913,10915],{"href":10914},"\u002Fen\u002Fblog\u002Fplatform-engineering-vs-devops","platform engineering"," comes in.",[56,10918,10919],{},"The concept: a dedicated platform team builds and operates an internal development platform — an internal product that gives other teams the tools they need for autonomous work, without having to manage every detail of the infrastructure themselves.",[187,10921,10923],{"id":10922},"the-platform-team-as-an-internal-service-provider","The Platform Team as an Internal Service Provider",[56,10925,10926],{},"The crucial difference from a traditional ops team: the platform team is not a gatekeeper. It's a service provider. Its customers are the development teams. When a team needs a new environment, they should be able to create it themselves — not open a ticket and wait three days.",[56,10928,10929],{},"This requires the platform team to see its infrastructure as a product. With its own roadmap, its own feedback process, and a clear focus on developer experience.",[187,10931,10933],{"id":10932},"self-service-and-golden-paths","Self-Service and Golden Paths",[56,10935,10936],{},"The practical tools for this are self-service portals and golden paths: predefined, tested routes for setting up a standardized environment. Not the only way, but the easiest and best-supported one.",[56,10938,10939],{},"A golden path for a new microservice application could automatically create a Kubernetes namespace, a CI\u002FCD pipeline, a monitoring dashboard, and a staging environment — all from a template maintained by the platform team. Developers can get started without knowing how everything is wired internally.",[71,10941,10943],{"id":10942},"learning-culture-and-handling-failure","Learning Culture and Handling Failure",[56,10945,10946],{},"Collaborative DevOps only works if teams can learn from mistakes without fear of blame. This sounds obvious. 
In practice, it's one of the hardest requirements because it presupposes a specific organizational culture.",[56,10948,10949],{},"Blameless post-mortems are the concrete tool for this. After every significant incident, the team analyzes together: What happened? What circumstances contributed? What can we change systemically to prevent it from happening again? The question \"Who's at fault?\" is absent from the process — not because nobody makes mistakes, but because blame blocks learning and doesn't prevent future failures.",[56,10951,10952,10953,10956],{},"The result of a post-mortem isn't a scapegoat but an action plan: a modified alerting rule, a new deployment validation, an added runbook entry. Knowledge that was previously trapped in an incident becomes system knowledge — and stays with the team even when individual members leave the company. For the structural side of this — why documentation fails and how IaC and runbooks lower the ",[60,10954,10955],{"href":10601},"bus factor in DevOps teams"," — we cover that in a dedicated guide.",[71,10958,10960],{"id":10959},"collaborative-devops-on-kubernetes","Collaborative DevOps on Kubernetes",[56,10962,10963,10965],{},[60,10964,1543],{"href":1542}," is today's standard infrastructure for cloud-native applications — and at the same time a good example of what Collaborative DevOps can look like technically.",[56,10967,10968],{},"Kubernetes manifests are declarative: they describe the target state, not the steps to get there. This makes them readable for developers who want to understand how their application is deployed — without having to dive deep into shell scripts. 
At the same time, Kubernetes gives ops teams the control they need: resource quotas, network policies, access controls.",[56,10970,10971],{},"When both teams speak a common language in YAML and Kubernetes concepts, the technical foundation emerges for what Collaborative DevOps strives for culturally: everyone feels responsible for the overall system, not just their own area.",[56,10973,10974,10975,10978],{},"This does require, however, that Kubernetes complexity isn't simply dumped onto development teams. A common mistake when introducing DevOps: \"Everyone does ops now\" in practice means developers are supposed to become Kubernetes administrators on top of their actual work. This overwhelms teams and leads to poor outcomes on both sides. The ",[60,10976,10977],{"href":9348},"full-stack developer reality today"," illustrates exactly this problem — when the \"full-stack\" label quietly absorbs nine distinct engineering domains.",[56,10980,10981],{},"The better solution is a platform that abstracts Kubernetes complexity where it doesn't add value, and makes it accessible where it's relevant. Developers should understand what a Deployment and a Service are. They don't need to administer etcd clusters.",[71,10983,10985],{"id":10984},"how-lowcloud-fits-into-collaborative-devops","How lowcloud Fits into Collaborative DevOps",[56,10987,10988],{},"Collaborative DevOps describes a target state: shared responsibility, transparent deployments, and operations that don't happen \"somewhere else.\" In reality, this target often fails on two fronts: too much operational overhead for development teams and too little standardization across many services. 
This is exactly the gap lowcloud fills.",[56,10990,10991,10992,10994],{},"lowcloud is designed as Kubernetes ",[60,10993,5264],{"href":486}," to make Collaborative DevOps practical rather than replace it:",[103,10996,10997,11003,11009,11015],{},[106,10998,10999,11002],{},[109,11000,11001],{},"GitOps-based workflows instead of \"ClickOps\":"," Changes become cleanly versionable and reviewable, so deployments and infrastructure aren't tied to individual people.",[106,11004,11005,11008],{},[109,11006,11007],{},"Self-service instead of ticket queues:"," Teams can spin up environments, deployments, and standard services themselves, without an ops gatekeeper becoming a bottleneck.",[106,11010,11011,11014],{},[109,11012,11013],{},"Standardized building blocks (Golden Paths):"," Recurring patterns for build, deploy, observability, and operations reduce variance and make \"the right way\" easier than \"any way.\"",[106,11016,11017,11020],{},[109,11018,11019],{},"Platform as a product:"," lowcloud is the platform layer that abstracts Kubernetes complexity while keeping concepts relevant to teams (deployments, resources, logs, metrics) accessible.",[56,11022,11023],{},"This creates a setup where development teams can take ownership without becoming full-time Kubernetes administrators on the side — and where ops\u002Fplatform know-how flows into reusable standards rather than ad-hoc support.",[71,11025,2102],{"id":2101},[56,11027,11028],{},"Collaborative DevOps is less a toolset than an organizational approach: responsibility doesn't end at the merge, but encompasses operations, stability, and learning from incidents. GitOps, Infrastructure as Code, and solid observability give this aspiration a technical form.",[56,11030,11031],{},"For this to scale in day-to-day work, you need standardization and self-service. 
Platform engineering provides the model — and a platform like lowcloud can accelerate implementation by providing the operational foundations out of the box.",[56,11033,11034],{},"Anyone who takes Collaborative DevOps seriously should therefore talk not just about culture, but about the structures that enable culture: clear processes, shared visibility, and a platform that makes teams faster instead of slowing them down.",[479,11036],{},[56,11038,11039],{},"If you want to implement Collaborative DevOps on Kubernetes without starting from scratch, you can build on platforms that already provide these foundations: GitOps workflows, self-service environments, integrated monitoring. lowcloud is a Kubernetes DaaS platform built for exactly this use case — with the goal that teams can build fast without having to manage the full operational complexity themselves. If you want to see what this looks like in practice, it's worth taking a look at the platform.",{"title":490,"searchDepth":491,"depth":491,"links":11041},[11042,11043,11047,11051,11055,11056,11057,11058],{"id":10781,"depth":491,"text":10782},{"id":10794,"depth":491,"text":10795,"children":11044},[11045,11046],{"id":10811,"depth":499,"text":10812},{"id":10821,"depth":499,"text":10822},{"id":10835,"depth":491,"text":10836,"children":11048},[11049,11050],{"id":10876,"depth":499,"text":10877},{"id":10897,"depth":499,"text":10898},{"id":10907,"depth":491,"text":10908,"children":11052},[11053,11054],{"id":10922,"depth":499,"text":10923},{"id":10932,"depth":499,"text":10933},{"id":10942,"depth":491,"text":10943},{"id":10959,"depth":491,"text":10960},{"id":10984,"depth":491,"text":10985},{"id":2101,"depth":491,"text":2102},"How shared ownership, GitOps, and platform engineering bridge the gap between development and operations for faster, more reliable 
deployments.",{"src":11061},"\u002Fimages\u002Fblog\u002Fcollaborative-devops-teams.jpg",{},"\u002Fen\u002Fblog\u002Fcollaborative-devops-teams",{"title":10764,"description":11059},"en\u002F3.blog\u002F36.collaborative-devops-teams","HCS3WJdTvPqFLKBgyFo9vh3L7kXvelyHQmO4w7DZ4tg",{"id":11068,"title":11069,"authors":11070,"badge":10,"body":11073,"date":11658,"description":11659,"extension":510,"image":11660,"lastUpdated":3942,"meta":11662,"navigation":14,"path":2108,"published":14,"seo":11663,"stem":11664,"tags":10,"__hash__":11665},"posts\u002Fen\u002F3.blog\u002F35.simplify-kubernetes-configuration.md","Simplify Kubernetes Configuration: The Path to Human-Readable Cloud",[11071],{"name":43,"to":44,"avatar":11072},{"src":46},{"type":48,"value":11074,"toc":11641},[11075,11081,11085,11088,11091,11095,11134,11137,11141,11144,11155,11158,11162,11165,11169,11181,11192,11266,11269,11273,11278,11281,11285,11288,11294,11447,11450,11454,11461,11464,11471,11475,11478,11507,11510,11514,11517,11523,11529,11535,11541,11547,11552,11563,11567,11574,11580,11583,11609,11612,11614,11619,11630,11638],[56,11076,11077,11078,11080],{},"If you've ever debugged a ",[60,11079,1543],{"href":1542}," deployment error in a 300-line YAML file, you know: the problem isn't Kubernetes itself — it's how we talk to it. A wrong indentation, a missing hyphen, a label that doesn't match somewhere, and the pod won't start. The gap between what a platform can do and what a developer understands isn't an immutable fate. It's a solvable engineering problem.",[71,11082,11084],{"id":11083},"why-yaml-is-the-problem-not-kubernetes","Why YAML Is the Problem, Not Kubernetes",[56,11086,11087],{},"YAML became the standard configuration format in Kubernetes because it's more human-readable than JSON. That's true for small files. With real Kubernetes infrastructure, that readability ends quickly.",[56,11089,11090],{},"The fundamental issue: YAML is a serialization format, not a configuration language. 
It has no types, no comment formats for validation, no built-in abstractions. Anything beyond flat key-value pairs becomes unwieldy. Kubernetes doesn't help: the API has grown organically, different resource types have inconsistent structures, and the same logical intent — \"start this application with three instances\" — requires different fields and nesting levels depending on context.",[187,11092,11094],{"id":11093},"the-most-common-yaml-error-classes-in-kubernetes","The Most Common YAML Error Classes in Kubernetes",[103,11096,11097,11105,11119,11125],{},[106,11098,11099,11102,11103],{},[109,11100,11101],{},"Indentation errors"," are invisible and lead to syntax errors that only surface during ",[554,11104,1935],{},[106,11106,11107,11110,11111,11114,11115,11118],{},[109,11108,11109],{},"Type errors",": ",[554,11112,11113],{},"\"true\""," (string) vs. ",[554,11116,11117],{},"true"," (boolean) — both valid in YAML, but interpreted differently by Kubernetes",[106,11120,11121,11124],{},[109,11122,11123],{},"Copy-paste errors"," in namespaces, labels, or selector definitions that silently slip through",[106,11126,11127,11110,11130,11133],{},[109,11128,11129],{},"Deprecated API versions",[554,11131,11132],{},"apps\u002Fv1beta1"," has long been deprecated but still appears in many guides",[56,11135,11136],{},"None of these errors are due to human failure. 
They are structural consequences of a format that wasn't built for this use case.",[71,11138,11140],{"id":11139},"what-human-readable-actually-means","What \"Human-Readable\" Actually Means",[56,11142,11143],{},"\"Human-readable\" isn't a marketing term for \"less YAML.\" It's a design property: a configuration is human-readable when someone who understands the domain (i.e., Kubernetes, cloud deployments, microservices) can immediately read and verify the intent behind a configuration without having to look up the schema first.",[56,11145,11146,11147,11150,11151,11154],{},"This doesn't mean configuration has to be simple or short. A CRD that describes a ",[554,11148,11149],{},"PostgresCluster"," with a field ",[554,11152,11153],{},"replicas: 3"," is human-readable, even if an operator underneath generates dozens of YAML resources. The developer sees what they want; the system knows how to implement it.",[56,11156,11157],{},"Human-readable configuration is fundamentally domain-oriented — it speaks the language of the problem, not the language of the implementation.",[71,11159,11161],{"id":11160},"simplifying-kubernetes-configuration-the-key-approaches","Simplifying Kubernetes Configuration: The Key Approaches",[56,11163,11164],{},"There's no universal answer, but there is a spectrum of proven approaches.",[187,11166,11168],{"id":11167},"helm-templating-with-pitfalls","Helm — Templating with Pitfalls",[56,11170,11171,11173,11174,11177,11178,11180],{},[60,11172,2022],{"href":2021}," is the most widely used package manager for Kubernetes. For a practical example, see how to ",[60,11175,11176],{"href":3634},"deploy PostgreSQL with Helm",". Charts allow you to write parameterizable YAML templates controlled by ",[554,11179,2986],{},". For reusability of deployment definitions, Helm works well.",[56,11182,11183,11184,11187,11188,11191],{},"The problem: Helm templates are Go templates with YAML content. 
As soon as the logic gets more complex — conditionals, loops, nested values — the templates themselves become unreadable. Anyone who has debugged ",[554,11185,11186],{},"{{- if .Values.ingress.enabled }}"," with three levels of indentation and an ",[554,11189,11190],{},"{{- end }}"," somewhere below knows what this means.",[598,11193,11195],{"className":1592,"code":11194,"language":1594,"meta":490,"style":490},"# Example: A typical Helm template fragment\n{{- if .Values.autoscaling.enabled }}\napiVersion: autoscaling\u002Fv2\nkind: HorizontalPodAutoscaler\nmetadata:\n  name: {{ include \"myapp.fullname\" . }}\nspec:\n  minReplicas: {{ .Values.autoscaling.minReplicas }}\n{{- end }}\n",[554,11196,11197,11202,11210,11219,11228,11234,11243,11249,11259],{"__ignoreMap":490},[606,11198,11199],{"class":608,"line":609},[606,11200,11201],{"class":612},"# Example: A typical Helm template fragment\n",[606,11203,11204,11207],{"class":608,"line":491},[606,11205,11206],{"class":629},"{{-",[606,11208,11209],{"class":622}," if .Values.autoscaling.enabled }}\n",[606,11211,11212,11214,11216],{"class":608,"line":499},[606,11213,1602],{"class":1601},[606,11215,1605],{"class":629},[606,11217,11218],{"class":622}," autoscaling\u002Fv2\n",[606,11220,11221,11223,11225],{"class":608,"line":650},[606,11222,1613],{"class":1601},[606,11224,1605],{"class":629},[606,11226,11227],{"class":622}," HorizontalPodAutoscaler\n",[606,11229,11230,11232],{"class":608,"line":672},[606,11231,1790],{"class":1601},[606,11233,1630],{"class":629},[606,11235,11236,11238,11240],{"class":608,"line":688},[606,11237,1797],{"class":1601},[606,11239,1605],{"class":629},[606,11241,11242],{"class":622}," {{ include \"myapp.fullname\" . }}\n",[606,11244,11245,11247],{"class":608,"line":699},[606,11246,1807],{"class":1601},[606,11248,1630],{"class":629},[606,11250,11251,11254,11256],{"class":608,"line":709},[606,11252,11253],{"class":1601},"  minReplicas",[606,11255,1605],{"class":629},[606,11257,11258],{"class":622},
" {{ .Values.autoscaling.minReplicas }}\n",[606,11260,11261,11263],{"class":608,"line":720},[606,11262,11206],{"class":629},[606,11264,11265],{"class":622}," end }}\n",[56,11267,11268],{},"Helm solves the distribution problem, not the readability problem.",[187,11270,11272],{"id":11271},"kustomize-overlays-instead-of-templates","Kustomize — Overlays Instead of Templates",[56,11274,11275,11277],{},[60,11276,1549],{"href":2137}," takes a different approach: no templating, but structured patches. A base configuration is adapted through overlays for different environments (dev, staging, prod). The advantage: the base remains valid YAML, and overlays are surgical modifications.",[56,11279,11280],{},"Kustomize works well for manageable environment variations but hits its limits when configurations become more complex or when the differences between environments are large.",[187,11282,11284],{"id":11283},"crds-and-operators-domain-specific-apis","CRDs and Operators — Domain-Specific APIs",[56,11286,11287],{},"Custom Resource Definitions (CRDs) are the most powerful tool for readable configuration. They allow you to define your own Kubernetes resource types — and thus your own domain-specific API.",[56,11289,11290,11291,11293],{},"An operator that responds to a ",[554,11292,11149],{}," resource can generate all necessary Deployments, Services, PersistentVolumeClaims, and ConfigMaps from it. 
The developer writes:",[598,11295,11297],{"className":1592,"code":11296,"language":1594,"meta":490,"style":490},"apiVersion: postgres-operator.crunchydata.com\u002Fv1beta1\nkind: PostgresCluster\nmetadata:\n  name: my-database\nspec:\n  instances:\n    - replicas: 3\n  backups:\n    pgbackrest:\n      repos:\n        - name: repo1\n          volume:\n            volumeClaimSpec:\n              accessModes: [\"ReadWriteOnce\"]\n              resources:\n                requests:\n                  storage: 10Gi\n",[554,11298,11299,11308,11317,11323,11332,11338,11345,11356,11363,11370,11377,11388,11395,11402,11423,11430,11437],{"__ignoreMap":490},[606,11300,11301,11303,11305],{"class":608,"line":609},[606,11302,1602],{"class":1601},[606,11304,1605],{"class":629},[606,11306,11307],{"class":622}," postgres-operator.crunchydata.com\u002Fv1beta1\n",[606,11309,11310,11312,11314],{"class":608,"line":491},[606,11311,1613],{"class":1601},[606,11313,1605],{"class":629},[606,11315,11316],{"class":622}," PostgresCluster\n",[606,11318,11319,11321],{"class":608,"line":499},[606,11320,1790],{"class":1601},[606,11322,1630],{"class":629},[606,11324,11325,11327,11329],{"class":608,"line":650},[606,11326,1797],{"class":1601},[606,11328,1605],{"class":629},[606,11330,11331],{"class":622}," my-database\n",[606,11333,11334,11336],{"class":608,"line":672},[606,11335,1807],{"class":1601},[606,11337,1630],{"class":629},[606,11339,11340,11343],{"class":608,"line":688},[606,11341,11342],{"class":1601},"  instances",[606,11344,1630],{"class":629},[606,11346,11347,11349,11352,11354],{"class":608,"line":699},[606,11348,5659],{"class":629},[606,11350,11351],{"class":1601}," replicas",[606,11353,1605],{"class":629},[606,11355,1819],{"class":1237},[606,11357,11358,11361],{"class":608,"line":709},[606,11359,11360],{"class":1601},"  backups",[606,11362,1630],{"class":629},[606,11364,11365,11368],{"class":608,"line":720},[606,11366,11367],{"class":1601},"    
pgbackrest",[606,11369,1630],{"class":629},[606,11371,11372,11375],{"class":608,"line":859},[606,11373,11374],{"class":1601},"      repos",[606,11376,1630],{"class":629},[606,11378,11379,11381,11383,11385],{"class":608,"line":875},[606,11380,3203],{"class":629},[606,11382,1871],{"class":1601},[606,11384,1605],{"class":629},[606,11386,11387],{"class":622}," repo1\n",[606,11389,11390,11393],{"class":608,"line":889},[606,11391,11392],{"class":1601},"          volume",[606,11394,1630],{"class":629},[606,11396,11397,11400],{"class":608,"line":898},[606,11398,11399],{"class":1601},"            volumeClaimSpec",[606,11401,1630],{"class":629},[606,11403,11404,11407,11409,11412,11415,11418,11420],{"class":608,"line":912},[606,11405,11406],{"class":1601},"              accessModes",[606,11408,1605],{"class":629},[606,11410,11411],{"class":629}," [",[606,11413,11414],{"class":629},"\"",[606,11416,11417],{"class":622},"ReadWriteOnce",[606,11419,11414],{"class":629},[606,11421,11422],{"class":629},"]\n",[606,11424,11425,11428],{"class":608,"line":917},[606,11426,11427],{"class":1601},"              resources",[606,11429,1630],{"class":629},[606,11431,11432,11435],{"class":608,"line":923},[606,11433,11434],{"class":1601},"                requests",[606,11436,1630],{"class":629},[606,11438,11439,11442,11444],{"class":608,"line":939},[606,11440,11441],{"class":1601},"                  storage",[606,11443,1605],{"class":629},[606,11445,11446],{"class":622}," 10Gi\n",[56,11448,11449],{},"It's not perfectly readable yet, but it describes what is desired — not how it's technically implemented. The operator handles the rest. This pattern is the foundation for real abstractions in Kubernetes.",[71,11451,11453],{"id":11452},"platform-engineering-as-the-answer","Platform Engineering as the Answer",[56,11455,11456,11457,11460],{},"Individual tools solve individual problems. 
",[60,11458,11459],{"href":10914},"Platform Engineering"," as a discipline solves the overarching problem: how do you build an internal developer platform that enables developers to use cloud resources without being Kubernetes experts?",[56,11462,11463],{},"The answer lies in abstraction layers. Platform Engineering teams define the abstractions — which resource types exist, which parameters developers may set, what is configured by default. Development teams work against these abstractions, not against raw Kubernetes YAML.",[56,11465,11466,11467,11470],{},"Tools like Crossplane go particularly far: with Composite Resources, you can define cloud-agnostic abstractions that provision AWS, GCP, or Azure resources under the hood. A developer describes an ",[554,11468,11469],{},"AppDatabase","; the Composite Resource Controller handles provider-specific details.",[187,11472,11474],{"id":11473},"what-makes-a-good-abstraction","What Makes a Good Abstraction",[56,11476,11477],{},"A good abstraction:",[103,11479,11480,11486,11495,11501],{},[106,11481,11482,11485],{},[109,11483,11484],{},"hits the right level"," — neither too low (then it's just a thin layer over YAML) nor too high (then necessary configuration options are missing)",[106,11487,11488,11491,11492],{},[109,11489,11490],{},"has stable defaults"," that fit the most common use case — a principle we explore in depth in our article on ",[60,11493,11494],{"href":8155},"zero-config Kubernetes",[106,11496,11497,11500],{},[109,11498,11499],{},"offers escape hatches"," when standard defaults aren't sufficient",[106,11502,11503,11506],{},[109,11504,11505],{},"is internally consistent"," — the same concepts are expressed the same way",[56,11508,11509],{},"An abstraction is bad when it introduces new complexity that is greater than what it solves. 
Many internal platform projects fail precisely because of this: they hide YAML behind a proprietary DSL that nobody knows and for which there's no tooling support.",[71,11511,11513],{"id":11512},"simplifying-kubernetes-configuration-in-practice-a-realistic-path","Simplifying Kubernetes Configuration in Practice: A Realistic Path",[56,11515,11516],{},"The shift from raw YAML to readable configuration doesn't happen overnight. A sensible path:",[56,11518,11519,11522],{},[109,11520,11521],{},"1. Take inventory:"," Which Kubernetes resources are currently maintained manually? Where do the most errors occur? Which parts are most frequently copied and adapted?",[56,11524,11525,11528],{},[109,11526,11527],{},"2. Identify candidates:"," Resources that repeat often and are always structured the same way (deployments for microservices, similar database setups) are good candidates for abstraction.",[56,11530,11531,11534],{},[109,11532,11533],{},"3. Choose your tool:"," For package reuse: Helm. For environment variations based on stable manifests: Kustomize. For true domain-specific APIs: CRDs with an Operator or Crossplane. For a complete internal platform: Backstage as the frontend, Crossplane or custom Operators as the backend.",[56,11536,11537,11540],{},[109,11538,11539],{},"4. Start small:"," An abstraction for a clearly defined problem (e.g., \"how do we deploy a microservice\") is more valuable than a half-finished platform framework. Iterating is easier when the foundation works.",[56,11542,11543,11546],{},[109,11544,11545],{},"5. Incorporate developer feedback:"," The target audience is developers who work with the platform daily. 
Their feedback about what they understand, what confuses them, and what they're missing is more important than technical elegance.",[56,11548,11549],{},[109,11550,11551],{},"Common pitfalls:",[103,11553,11554,11557,11560],{},[106,11555,11556],{},"Abstractions that internally generate YAML that nobody can debug anymore",[106,11558,11559],{},"Platform teams that don't have the capacity to maintain the platform — creating a new legacy system",[106,11561,11562],{},"Premature generalization: abstractions built for problems that aren't yet understood will be built wrong",[71,11564,11566],{"id":11565},"how-lowcloud-positions-itself-and-concretely-relieves-teams","How lowcloud Positions Itself and Concretely Relieves Teams",[56,11568,11569,11570,11573],{},"Many teams feel the problem before they can name it: Kubernetes is powerful, but its ",[2186,11571,11572],{},"user interface"," (manifests, tool combos, expert knowledge) scales poorly with team size and daily demands. This is exactly where lowcloud positions itself: as a \"digital DevOps\" — a platform-oriented alternative to the classic \"build your own Internal Developer Platform\" strategy.",[56,11575,11576,11577,11579],{},"lowcloud targets teams that want (or need) to use Kubernetes but don't have the time or people to permanently build, operate, and harden a platform. 
As a ",[60,11578,6248],{"href":486},", lowcloud delivers exactly this operational relief.",[56,11581,11582],{},"What this means in practice:",[103,11584,11585,11591,11597,11603],{},[106,11586,11587,11590],{},[109,11588,11589],{},"Less decision and tool chaos:"," Instead of a growing collection of Helm charts, Kustomize overlays, CI scripts, and \"this is how we do it here\" wiki pages, there's a consistent path.",[106,11592,11593,11596],{},[109,11594,11595],{},"Standardization without lock-in:"," The platform delivers standards (security, updates, observability, deployments) — while leaving room for edge cases when they're technically necessary.",[106,11598,11599,11602],{},[109,11600,11601],{},"Speed in the delivery funnel:"," Teams get from \"runs locally\" to \"runs reliably in the cloud\" faster, without every change turning into a Kubernetes debugging workshop.",[106,11604,11605,11608],{},[109,11606,11607],{},"Operations as a product, not a project:"," Platform Engineering often becomes a never-ending project. lowcloud turns it into a product: standards, guardrails, and operational experience are built in and continuously maintained.",[56,11610,11611],{},"This means lowcloud supports exactly the migration described above: first bring order to repetitions, then introduce abstractions — without every team having to invent this platform work themselves and carry it long-term.",[71,11613,2102],{"id":2101},[56,11615,11616,11617,415],{},"Simplifying Kubernetes configuration isn't a one-size-fits-all problem. It's a series of decisions about which complexity to hide, which to keep visible, and how to ensure the result remains maintainable. For the broader architectural perspective on why fewer components lead to more stability, see our guide to ",[60,11618,8234],{"href":8182},[56,11620,11621,11622,11625,11626,11629],{},"The common denominator of successful approaches: they separate ",[2186,11623,11624],{},"what"," from ",[2186,11627,11628],{},"how",". 
Developers describe what they want. Platforms and operators handle the how. This isn't a new idea — it's the fundamental principle of every good abstraction. With Kubernetes, it just takes a bit more effort because the default interface happens to be YAML.",[56,11631,11632,11633,11637],{},"If you want to take this path for your team without starting from scratch: ",[60,11634,11636],{"href":11635},"\u002Fen\u002Fdocs\u002Fgetting-started\u002Fhow-it-works","lowcloud is built on exactly this principle",". The platform provides a managed Kubernetes environment where developers work through structured, readable interfaces — without being confronted with cluster configuration on a daily basis.",[1499,11639,11640],{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: 
var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}",{"title":490,"searchDepth":491,"depth":491,"links":11642},[11643,11646,11647,11652,11655,11656,11657],{"id":11083,"depth":491,"text":11084,"children":11644},[11645],{"id":11093,"depth":499,"text":11094},{"id":11139,"depth":491,"text":11140},{"id":11160,"depth":491,"text":11161,"children":11648},[11649,11650,11651],{"id":11167,"depth":499,"text":11168},{"id":11271,"depth":499,"text":11272},{"id":11283,"depth":499,"text":11284},{"id":11452,"depth":491,"text":11453,"children":11653},[11654],{"id":11473,"depth":499,"text":11474},{"id":11512,"depth":491,"text":11513},{"id":11565,"depth":491,"text":11566},{"id":2101,"depth":491,"text":2102},"2026-03-22","YAML is the real problem, not Kubernetes. 
How Helm, Kustomize, CRDs, and Platform Engineering make cluster configuration readable and maintainable.",{"src":11661},"\u002Fimages\u002Fblog\u002Fsimplify-kubernetes-configuration.jpg",{},{"title":11069,"description":11659},"en\u002F3.blog\u002F35.simplify-kubernetes-configuration","MAG8t9CpXm05c3pOeciG3UvMsksLCKaFxA3g1XsL0B8",{"id":11667,"title":11668,"authors":11669,"badge":10,"body":11672,"date":11901,"description":11902,"extension":510,"image":11903,"lastUpdated":9014,"meta":11905,"navigation":14,"path":9127,"published":14,"seo":11906,"stem":11907,"tags":10,"__hash__":11908},"posts\u002Fen\u002F3.blog\u002F34.missing-devops-roles-smb.md","DevOps in SMBs: Why Missing Roles Become a Real Risk",[11670],{"name":43,"to":44,"avatar":11671},{"src":46},{"type":48,"value":11673,"toc":11890},[11674,11677,11684,11689,11693,11696,11699,11702,11705,11709,11712,11715,11718,11722,11732,11735,11749,11752,11755,11759,11762,11765,11779,11786,11789,11793,11796,11799,11825,11828,11832,11835,11838,11843,11847,11850,11855,11861,11869,11873,11876,11879,11882],[51,11675,11668],{"id":11676},"devops-in-smbs-why-missing-roles-become-a-real-risk",[56,11678,11679,11680,11683],{},"Most SMBs don't have a DevOps engineer. Instead, there's a developer who \"also handles\" the infrastructure — on top of their actual job, squeezed in between tickets and releases. It sounds pragmatic. In practice, it's one of the most common sources of technical debt, outages, and knowledge loss. For a deeper look at why the ",[60,11681,11682],{"href":9348},"full-stack developer title masks this structural overload",", see our dedicated analysis.",[56,11685,11686,11687,415],{},"This article explores why this situation develops, what it actually costs, and which approaches genuinely help. 
It complements our broader look at the ",[60,11688,10169],{"href":7312},[71,11690,11692],{"id":11691},"how-this-situation-develops","How This Situation Develops",[56,11694,11695],{},"The question of why SMBs don't have a dedicated DevOps role rarely has a dramatic answer. It usually just evolves that way.",[56,11697,11698],{},"In the beginning, there are two developers and a small server. One of them sets it up. It works. As the team grows, the same person keeps doing \"the infrastructure stuff\" because they already know it. Nobody seriously questions whether that scales.",[56,11700,11701],{},"On top of that: an experienced DevOps engineer is expensive. Not just in salary, but also in terms of expectations around processes, tools, and working conditions. Many SMBs assume they only need to address this problem once it's big enough to justify the cost. Until then, things are running somehow.",[56,11703,11704],{},"And that's exactly where the problem lies.",[71,11706,11708],{"id":11707},"what-this-actually-means","What This Actually Means",[56,11710,11711],{},"When infrastructure is handled on the side, certain patterns reliably emerge — regardless of how competent the person is. It's rarely about individual skill, but about the conditions: someone who is simultaneously building features, handling support, and managing releases can only operate infrastructure reactively. Things get \"somehow\" working, but they're not built to be stable, traceable, and repeatable.",[56,11713,11714],{},"It usually starts with small frictions: deployments take longer than they should, access rights are unclear, warnings get ignored because there are too many. Over time, this turns into a system that heavily depends on habits and gut feelings. 
And the more services, environments, and customers come in, the faster this setup tips from \"working\" to \"constantly under tension.\"",[56,11716,11717],{},"The following points are typical consequences that appear in almost every SMB as soon as infrastructure doesn't have its own mandate, clear ownership, and dedicated time.",[187,11719,11721],{"id":11720},"deployments-depend-on-one-person","Deployments Depend on One Person",[56,11723,11724,11725,733,11728,11731],{},"When the one developer who knows the deployment gets sick, goes on vacation, or leaves the company, the team faces a problem. It's not just that nobody can deploy. In practice, the ability to quickly ",[2186,11726,11727],{},"diagnose",[2186,11729,11730],{},"decide"," is also missing.",[56,11733,11734],{},"Typical symptoms include:",[103,11736,11737,11740,11743,11746],{},[106,11738,11739],{},"Nobody knows which environment variables are actually active or where they were set.",[106,11741,11742],{},"Cron jobs are running somewhere, undocumented and without ownership.",[106,11744,11745],{},"That one \"special port\" or custom ingress route exists because it was \"the fastest way\" at the time.",[106,11747,11748],{},"The CI\u002FCD pipeline is full of exceptions: a manual step here, a secret token there.",[56,11750,11751],{},"At the latest during an incident, this becomes a business risk: MTTR (Mean Time To Recovery) increases because the system needs to be understood before the problem can be fixed. And even if the outage \"only\" lasts a few hours — it costs focus, trust, and money.",[56,11753,11754],{},"A single point of failure in infrastructure isn't a theoretical risk. It's a matter of when, not if.",[187,11756,11758],{"id":11757},"knowledge-nobody-wrote-down","Knowledge Nobody Wrote Down",[56,11760,11761],{},"Infrastructure run on the side rarely has good documentation. The person who built it carries the knowledge in their head. Why was this approach chosen? 
Where are the secrets actually stored? What happens when this pod crashes? Where is the backup process documented? And most importantly: how would you set up the entire system from scratch if you had to start from zero tomorrow?",[56,11763,11764],{},"What's often missing isn't just nice wikis, but very specific artifacts:",[103,11766,11767,11770,11773,11776],{},[106,11768,11769],{},"Runbooks (\"If X happens, check Y, then do Z\")",[106,11771,11772],{},"Architecture overviews (networking, ingress, data flows, dependencies)",[106,11774,11775],{},"Access and role models (who can do what, where are the credentials)",[106,11777,11778],{},"Decision documents (\"Why did we choose this tool and not that one?\")",[56,11780,11781,11782,11785],{},"When that person leaves, the knowledge leaves with them. What remains are configurations without context and colleagues who have to carefully work their way forward to avoid breaking things. For a systematic approach to making this knowledge durable, see our guide on ",[60,11783,11784],{"href":10601},"documentation strategies that reduce bus factor",". This often ends in a mix of fear of changes and a \"hands-off\" area that nobody wants to touch anymore.",[56,11787,11788],{},"This isn't a criticism of the person involved. It's the natural result of a role that was never given dedicated time.",[187,11790,11792],{"id":11791},"infrastructure-that-somehow-works","Infrastructure That \"Somehow Works\"",[56,11794,11795],{},"The third effect is more subtle, but more expensive. When someone only manages infrastructure on the side, problems get solved but not sustainably fixed. The workaround that worked once stays. The script that should have been refactored stays. 
The monitoring that should be properly set up stays on the to-do list.",[56,11797,11798],{},"This leads to typical \"standstill costs\":",[103,11800,11801,11807,11813,11819],{},[106,11802,11803,11806],{},[109,11804,11805],{},"Security drift:"," Patches, Kubernetes versions, and container base images get updated too late.",[106,11808,11809,11812],{},[109,11810,11811],{},"Lacking observability:"," No clear picture of latencies, error rates, or resource utilization. Alerts are either noisy or missing entirely.",[106,11814,11815,11818],{},[109,11816,11817],{},"Poor capacity planning:"," Oversized nodes \"for safety\" or limits set too tight, causing sporadic OOM kills.",[106,11820,11821,11824],{},[109,11822,11823],{},"Fragile deployments:"," Releases only work when \"everything is exactly as it always is\" because there are no clear standards and checks.",[56,11826,11827],{},"Technical debt in infrastructure is particularly dangerous because it stays invisible for a long time. It usually only surfaces when things are already on fire: during growth, the first real incident, an audit, or when onboarding new team members.",[71,11829,11831],{"id":11830},"why-this-doesnt-get-better-as-infrastructure-grows","Why This Doesn't Get Better as Infrastructure Grows",[56,11833,11834],{},"You might assume the problem solves itself as the company grows. In practice, the opposite happens.",[56,11836,11837],{},"With more services, more deployments, and more complexity, the load on the one person who \"handles the infrastructure\" also grows. At the same time, the pressure to deliver quickly increases — meaning there's even less time for proper infrastructure work.",[56,11839,11840,11842],{},[60,11841,1543],{"href":1542}," doesn't make this easier. The platform is powerful, but it isn't self-service for someone without experience. 
Cluster networking, resource limits, RBAC, storage classes, ingress configuration — these aren't topics you solve \"real quick.\" And when you do solve them \"real quick,\" you see the consequences later.",[71,11844,11846],{"id":11845},"what-makes-devops-work-for-smbs","What Makes DevOps Work for SMBs",[56,11848,11849],{},"There's no simple solution that fits every SMB. But there are approaches that systematically help:",[56,11851,11852,11854],{},[109,11853,10317],{}," is the first step. When configurations live in Git, implicit knowledge is at least partially made explicit. Changes are traceable, rollbacks are possible.",[56,11856,11857,11860],{},[109,11858,11859],{},"Standardized platforms"," reduce complexity. Instead of deciding from scratch how to set something up every time, there's a template that works. This lowers the barrier to entry and the error rate.",[56,11862,11863,11868],{},[109,11864,11865],{},[60,11866,11867],{"href":486},"Managed services"," go a step further. Instead of running infrastructure yourself, you consume it as a service. This doesn't mean losing control — it means someone else is responsible for operations, updates, and incident response, while your team focuses on the application.",[71,11870,11872],{"id":11871},"how-lowcloud-solves-this-problem","How lowcloud Solves This Problem",[56,11874,11875],{},"lowcloud is a Kubernetes DevOps-as-a-Service platform built exactly for this scenario. Not for enterprises with a platform engineering team, but for SMBs and startups that want to run Kubernetes workloads without building in-house infrastructure expertise.",[56,11877,11878],{},"The platform handles cluster management, updates, monitoring, and security hardening. Development teams deploy their applications through standardized workflows — without having to worry about the underlying Kubernetes. 
The operational knowledge no longer lives with a single person but within the platform.",[56,11880,11881],{},"This solves the core problem: the dependency on a single person who happens to know the infrastructure is replaced by a platform designed from the ground up for exactly this situation.",[56,11883,11884,11885,415],{},"If you work at an SMB that's currently in this situation, or you're wondering how to run Kubernetes properly without a dedicated DevOps role — ",[60,11886,11889],{"href":11887,"rel":11888},"https:\u002F\u002Flowcloud.io\u002Fen",[64],"take a look at what lowcloud offers",{"title":490,"searchDepth":491,"depth":491,"links":11891},[11892,11893,11898,11899,11900],{"id":11691,"depth":491,"text":11692},{"id":11707,"depth":491,"text":11708,"children":11894},[11895,11896,11897],{"id":11720,"depth":499,"text":11721},{"id":11757,"depth":499,"text":11758},{"id":11791,"depth":499,"text":11792},{"id":11830,"depth":491,"text":11831},{"id":11845,"depth":491,"text":11846},{"id":11871,"depth":491,"text":11872},"2026-03-21","SMBs without a dedicated DevOps role risk outages, knowledge loss, and technical debt. 
Learn why this happens and what actually helps.",{"src":11904},"\u002Fimages\u002Fblog\u002Fmissing-devops-roles-smb.jpg",{},{"title":11668,"description":11902},"en\u002F3.blog\u002F34.missing-devops-roles-smb","2AkGzp5KSkODHJtYoYTp3TEkyTUB4eHOIL07i5YAu5s",{"id":11910,"title":11911,"authors":11912,"badge":10,"body":11915,"date":12154,"description":12155,"extension":510,"image":12156,"lastUpdated":10,"meta":12158,"navigation":14,"path":8037,"published":14,"seo":12159,"stem":12160,"tags":10,"__hash__":12161},"posts\u002Fen\u002F3.blog\u002F31.devops-tool-sprawl.md","DevOps Tool Sprawl: How It Happens and How to Stop It",[11913],{"name":43,"to":44,"avatar":11914},{"src":46},{"type":48,"value":11916,"toc":12139},[11917,11924,11928,11945,11964,11971,11975,11978,11982,11985,11988,11992,11995,11998,12002,12005,12008,12015,12019,12022,12026,12029,12034,12045,12048,12052,12055,12058,12067,12071,12076,12079,12083,12090,12093,12100,12104,12107,12112,12115,12120,12123,12128,12131,12134,12136],[56,11918,11919,11920,11923],{},"DevOps tool chaos rarely starts with a single bad decision. It's the result of ",[60,11921,11922],{"href":7312},"dozens of pragmatic choices"," that each made sense on their own but together create a system no one fully understands anymore. This article shows how tool sprawl happens in practice, what it really costs, and how targeted standardization makes teams effective again.",[71,11925,11927],{"id":11926},"how-tool-sprawl-starts-in-devops-teams","How Tool Sprawl Starts in DevOps Teams",[56,11929,11930,11931,11936,11937,11940,11941,11944],{},"The pattern is almost always the same: A new project kicks off, the developer who takes it on knows Jenkins well, so ",[60,11932,11935],{"href":11933,"rel":11934},"https:\u002F\u002Fwww.jenkins.io\u002F",[64],"Jenkins"," gets set up. Six months later, another developer joins who prefers ",[60,11938,5308],{"href":5896,"rel":11939},[64],". 
The next project runs on ",[60,11942,5303],{"href":5301,"rel":11943},[64]," because the repo is already hosted there. Two years in, the company has three CI systems, and no one knows which project deploys where anymore.",[56,11946,11947,11948,11951,11952,11957,11958,11963],{},"The same thing happens with monitoring: ",[60,11949,6288],{"href":6286,"rel":11950},[64]," here, ",[60,11953,11956],{"href":11954,"rel":11955},"https:\u002F\u002Fwww.datadoghq.com\u002F",[64],"Datadog"," there, ",[60,11959,11962],{"href":11960,"rel":11961},"https:\u002F\u002Faws.amazon.com\u002Fcloudwatch\u002F",[64],"CloudWatch"," for the AWS services, and somewhere an old Nagios setup that nobody actually touches anymore. Tool sprawl isn't a sign of bad planning — it's the natural result of growth without active consolidation.",[56,11965,11966,11967,11970],{},"The problem isn't choosing a tool. The problem is never deciding ",[2186,11968,11969],{},"against"," the old one once something new comes in.",[71,11972,11974],{"id":11973},"what-tool-chaos-really-costs","What Tool Chaos Really Costs",[56,11976,11977],{},"The obvious cost factor is licensing and maintenance. But that's almost never the real problem. The actual costs come from somewhere else.",[187,11979,11981],{"id":11980},"cognitive-load-as-an-underestimated-factor","Cognitive Load as an Underestimated Factor",[56,11983,11984],{},"Every tool brings its own configuration syntax, its own concepts, its own error patterns. Developers who have to switch daily between Terraform HCL, Helm templates, Jenkins pipeline Groovy syntax, and Prometheus alerting YAML pay a mental price for it. Cognitive load accumulates, even when you don't notice it directly.",[56,11986,11987],{},"It shows up in small things: you write a pipeline and have to look up which syntax this particular system uses. You debug a deployment error and need ten minutes to remember which monitoring tool is responsible for this service. 
Individually it's nothing, but it adds up to hours per week per person.",[187,11989,11991],{"id":11990},"onboarding-the-hidden-cost","Onboarding: The Hidden Cost",[56,11993,11994],{},"Getting new team members up to speed in tool-heavy environments takes longer than it should. Not because of the complexity of individual tools, but because of the sheer number. Someone joining a team with five different CI setups doesn't have to learn one system — they have to learn five. On top of that come the undocumented quirks of each setup that only the person who originally configured it knows about.",[56,11996,11997],{},"This hits small teams especially hard. When someone is unavailable or leaves the company, the knowledge about a specific setup is often gone for good.",[71,11999,12001],{"id":12000},"the-difference-between-useful-diversity-and-actual-chaos","The Difference Between Useful Diversity and Actual Chaos",[56,12003,12004],{},"Not all tool diversity is a problem. Some specialization is justified: a security team with different requirements than the delivery team is allowed to use its own tools. A data engineering setup looks different from a backend deployment pipeline. That's normal.",[56,12006,12007],{},"DevOps tool chaos happens when diversity reflects habits rather than requirements. When the same problem (CI\u002FCD for a standard web app) is solved with three different solutions because there was never a decision about which one should be the standard.",[56,12009,12010,12011,12014],{},"The test is simple: can everyone on the team explain ",[2186,12012,12013],{},"why"," a particular tool was chosen for each use case? If the answer is regularly \"it was just already there,\" that's not a conscious architecture decision — that's organic chaos.",[71,12016,12018],{"id":12017},"devops-standardization-in-practice","DevOps Standardization in Practice",[56,12020,12021],{},"Standardization sounds like bureaucracy but is pragmatism at its core. 
Using the same pipeline template for every new service means no time wasted on setup. Using the same monitoring setup for all services means finding problems faster because you know the dashboards. Standardization is an upfront investment that pays off with every additional service.",[187,12023,12025],{"id":12024},"one-ci-system-for-all-how-to-migrate","One CI System for All: How to Migrate",[56,12027,12028],{},"The first step is choosing one system. It sounds trivial, but in practice this decision is often avoided because it implies that other systems need to be replaced. But that's exactly the point.",[56,12030,12031],{},[109,12032,12033],{},"Criteria for the choice:",[103,12035,12036,12039,12042],{},[106,12037,12038],{},"Which system is used most frequently?",[106,12040,12041],{},"Which offers the best integration with your repository hosting?",[106,12043,12044],{},"Where does the most internal expertise lie?",[56,12046,12047],{},"The migration itself doesn't have to be big-bang. A pragmatic approach: the new system becomes the standard for all new projects. Existing setups get migrated when changes are needed anyway. Within six to twelve months, the tool landscape is consolidated without ever having to launch a major migration project.",[187,12049,12051],{"id":12050},"gitops-git-as-the-single-source-of-truth","GitOps: Git as the Single Source of Truth",[56,12053,12054],{},"GitOps isn't a tool — it's a principle: the desired state of infrastructure and deployments is fully described in Git. What's in Git is deployed. What's not in Git doesn't exist.",[56,12056,12057],{},"It sounds simple, but the consequences are far-reaching. No more manual deployments that need to be documented somewhere. No drift between what's running in monitoring and what the team believes is deployed. 
And a clear audit trail for every change.",[56,12059,7363,12060,2283,12063,12066],{},[60,12061,7524],{"href":5900,"rel":12062},[64],[60,12064,7529],{"href":7527,"rel":12065},[64]," implement this principle at the Kubernetes level. But even without dedicated GitOps tools, the principle helps: pipeline configurations, Helm charts, infrastructure as code — all in Git, with review processes for changes.",[187,12068,12070],{"id":12069},"kubernetes-as-a-standardization-layer","Kubernetes as a Standardization Layer",[56,12072,12073,12075],{},[60,12074,1543],{"href":1542}," isn't just an orchestrator — it's a shared language for deployments. Using Kubernetes as a foundation automatically gives you standardized concepts: Deployments, Services, ConfigMaps, Secrets, Namespaces. Helm charts enable reusable, parameterizable deployment templates.",[56,12077,12078],{},"This significantly reduces tool diversity at the deployment level. Instead of writing a custom deployment script per project, there's a shared Helm chart library used for all standard services. New services follow the same pattern. Setup and debugging effort drops.",[71,12080,12082],{"id":12081},"platform-engineering-as-the-solution-for-devops-tool-chaos","Platform Engineering as the Solution for DevOps Tool Chaos",[56,12084,12085,12086,12089],{},"DevOps standardization can be introduced manually, but it takes time and requires disciplined maintenance. The next step is transitioning to a ",[60,12087,12088],{"href":10914},"platform engineering approach",": instead of letting each team maintain its own setup, a central platform team provides an internal developer platform.",[56,12091,12092],{},"This platform bundles standardized tools, pipelines, and deployment patterns and makes them available as self-service. Developers no longer need to deal with CI configuration or Kubernetes manifests. 
They use the platform and can focus on their actual work.",[56,12094,12095,12096,12099],{},"For smaller teams that can't or don't want to build their own platform team, Platform-as-a-Service (PaaS) and ",[60,12097,12098],{"href":486},"DevOps-as-a-Service (DaaS) solutions"," like lowcloud offer this approach as a managed service. The platform comes with the standards built in: standardized deployment workflows on a Kubernetes basis, integrated monitoring, unified CI\u002FCD integration. Teams don't have to build and maintain their own toolchain. They deploy on a platform that has already solved this for them.",[71,12101,12103],{"id":12102},"structuring-tool-decisions-a-simple-framework","Structuring Tool Decisions: A Simple Framework",[56,12105,12106],{},"Before introducing a new tool, ask three questions:",[56,12108,12109],{},[109,12110,12111],{},"1. Does this tool solve a problem we actually have, or one we anticipate?",[56,12113,12114],{},"Many tools end up in the toolchain because they sounded interesting in a blog post. If there's no concrete problem behind it, the chances are high that the tool won't be actively used after six months — but will still need to be maintained.",[56,12116,12117],{},[109,12118,12119],{},"2. Do we already have a tool that solves this problem?",[56,12121,12122],{},"Sometimes the answer to a problem isn't a new tool but better use of an existing one. If you already have Prometheus, you don't need a second alerting system — you need better alerting rules.",[56,12124,12125],{},[109,12126,12127],{},"3. Who is responsible for operations, updates, and documentation?",[56,12129,12130],{},"A tool without a clear owner is a future problem. If nobody specifically takes responsibility, it will sooner or later become part of the chaos.",[56,12132,12133],{},"These three questions don't prevent good tool decisions. They prevent impulsive ones.",[479,12135],{},[56,12137,12138],{},"Tool chaos in DevOps is solvable — but not with yet another tool. 
It requires a conscious decision for less: fewer systems, more depth, clearer standards. Building on a platform that already brings these standards means skipping the painful consolidation work and focusing on what matters: software that works and can be deployed without everyone needing to know exactly how.",{"title":490,"searchDepth":491,"depth":491,"links":12140},[12141,12142,12146,12147,12152,12153],{"id":11926,"depth":491,"text":11927},{"id":11973,"depth":491,"text":11974,"children":12143},[12144,12145],{"id":11980,"depth":499,"text":11981},{"id":11990,"depth":499,"text":11991},{"id":12000,"depth":491,"text":12001},{"id":12017,"depth":491,"text":12018,"children":12148},[12149,12150,12151],{"id":12024,"depth":499,"text":12025},{"id":12050,"depth":499,"text":12051},{"id":12069,"depth":499,"text":12070},{"id":12081,"depth":491,"text":12082},{"id":12102,"depth":491,"text":12103},"2026-03-20","Tool sprawl costs more than licenses: cognitive load, slow onboarding, lost knowledge. Here is how to bring order to your DevOps setup.",{"src":12157},"\u002Fimages\u002Fblog\u002Fdevops-tool-sprawl.jpg",{},{"title":11911,"description":12155},"en\u002F3.blog\u002F31.devops-tool-sprawl","22IHMhi726lBRWXbUFOdWB7OkDhwkVp2I4j3eEYNm6s",{"id":12163,"title":12164,"authors":12165,"badge":10,"body":12168,"date":12154,"description":12541,"extension":510,"image":12542,"lastUpdated":4932,"meta":12544,"navigation":14,"path":4125,"published":14,"seo":12545,"stem":12546,"tags":10,"__hash__":12547},"posts\u002Fen\u002F3.blog\u002F32.kubernetes-monitoring-logs-metrics.md","Kubernetes Monitoring: Using Logs and Metrics 
Effectively",[12166],{"name":43,"to":44,"avatar":12167},{"src":46},{"type":48,"value":12169,"toc":12528},[12170,12173,12177,12180,12186,12192,12201,12204,12208,12211,12229,12234,12240,12244,12254,12257,12275,12278,12282,12285,12305,12309,12315,12318,12332,12335,12355,12358,12362,12369,12372,12397,12400,12404,12407,12410,12413,12419,12425,12431,12437,12441,12444,12447,12479,12482,12485,12489,12492,12502,12509,12517,12519],[56,12171,12172],{},"A Kubernetes cluster is running, deployments are green, and yet problems arise that nobody catches early enough. The reason is usually not faulty code but missing or poorly configured Kubernetes monitoring. If you don't know what's happening inside your pods, you're flying blind — reacting to outages instead of predicting them. This article shows how logs and metrics work together, where they differ, and what a solid monitoring stack needs to deliver in practice.",[71,12174,12176],{"id":12175},"logs-vs-metrics-two-tools-two-jobs","Logs vs. Metrics: Two Tools, Two Jobs",[56,12178,12179],{},"Logs and metrics are often mentioned in the same breath, but they solve different problems.",[56,12181,12182,12185],{},[109,12183,12184],{},"Metrics"," are numerical time-series data: CPU utilization, memory consumption, request rate, error rate. They're well suited for spotting trends, monitoring thresholds, and detecting anomalies quickly. Metrics are compact and can be aggregated efficiently.",[56,12187,12188,12191],{},[109,12189,12190],{},"Logs",", on the other hand, are event-based text messages. They contain the context that metrics lack: Which user triggered which request? What error occurred on which line? What exactly happened before the application crashed?",[56,12193,12194,12195,12198,12199,415],{},"The simple rule of thumb: Metrics tell you ",[2186,12196,12197],{},"that"," something is wrong. Logs tell you ",[2186,12200,12013],{},[56,12202,12203],{},"If you only have metrics, you see the alert but not the cause. 
If you only have logs, you drown in text and can't find patterns. Both together paint the full picture.",[71,12205,12207],{"id":12206},"the-three-pillars-of-observability","The Three Pillars of Observability",[56,12209,12210],{},"Observability is more than just monitoring. The term describes the ability to understand a system's internal state from its outputs. In practice, this rests on three pillars:",[3976,12212,12213,12218,12223],{},[106,12214,12215,12217],{},[109,12216,12184],{}," — aggregated numbers over time",[106,12219,12220,12222],{},[109,12221,12190],{}," — structured or unstructured event records",[106,12224,12225,12228],{},[109,12226,12227],{},"Traces"," — distributed tracing across multiple services",[56,12230,12231,12233],{},[60,12232,1543],{"href":1542}," monitoring primarily covers the first two pillars. Tracing comes into play once multiple microservices communicate with each other and you need to understand which service in a request chain took how long.",[56,12235,12236,12237,415],{},"For most teams, the pragmatic starting point is: get metrics and logs under control first, add tracing later as microservice complexity grows — or when ",[60,12238,12239],{"href":4193},"AI agent workloads bring their own observability requirements",[71,12241,12243],{"id":12242},"kubernetes-monitoring-with-prometheus","Kubernetes Monitoring with Prometheus",[56,12245,12246,12249,12250,12253],{},[60,12247,6288],{"href":6286,"rel":12248},[64]," is the de facto standard for metrics in Kubernetes environments. 
The principle is simple: Prometheus scrapes HTTP endpoints (",[554,12251,12252],{},"\u002Fmetrics",") at defined intervals and stores the data as time series in its own database.",[56,12255,12256],{},"Two components provide the bulk of Kubernetes metrics:",[103,12258,12259,12267],{},[106,12260,12261,12266],{},[109,12262,12263],{},[554,12264,12265],{},"node_exporter"," — hardware and OS metrics from the node: CPU, RAM, disk I\u002FO, network",[106,12268,12269,12274],{},[109,12270,12271],{},[554,12272,12273],{},"kube-state-metrics"," — Kubernetes-specific metrics: pod status, deployment replicas, job successes, resource requests vs. limits",[56,12276,12277],{},"On top of that come application-specific metrics. If you're running a Go or Java application, you can expose custom metrics using a Prometheus library: request latencies, queue sizes, business metrics.",[187,12279,12281],{"id":12280},"label-cardinality-the-underestimated-performance-problem","Label Cardinality: The Underestimated Performance Problem",[56,12283,12284],{},"Prometheus metrics are qualified by labels. This is powerful but can get expensive. If you use a user ID or session ID as a label, the number of time series explodes. Thousands or millions of distinct label values mean thousands or millions of separate time series — memory consumption and query performance suffer significantly.",[56,12286,12287,12288,557,12291,557,12294,12297,12298,557,12301,12304],{},"The rule: labels should have a manageable, bounded set of possible values. Status code (",[554,12289,12290],{},"200",[554,12292,12293],{},"404",[554,12295,12296],{},"500","), HTTP method (",[554,12299,12300],{},"GET",[554,12302,12303],{},"POST","), service name — these are sensible labels. User IDs or request IDs belong in logs, not in metrics.",[71,12306,12308],{"id":12307},"log-aggregation-in-kubernetes","Log Aggregation in Kubernetes",[56,12310,12311,12314],{},[554,12312,12313],{},"kubectl logs \u003Cpod>"," is fine for development. 
In production, it's a crutch.",[56,12316,12317],{},"Pods can be restarted at any time, and their old logs disappear with them. When a pod crashes and restarts, you lose exactly the logs you'd need for root cause analysis. On top of that, manual log queries don't scale across many pods.",[56,12319,12320,12321,2283,12326,12331],{},"The solution is log aggregation: all logs are collected by a log collector (e.g., ",[60,12322,12325],{"href":12323,"rel":12324},"https:\u002F\u002Ffluentbit.io\u002F",[64],"Fluent Bit",[60,12327,12330],{"href":12328,"rel":12329},"https:\u002F\u002Fwww.fluentd.org\u002F",[64],"Fluentd","), forwarded, and stored centrally.",[56,12333,12334],{},"For central storage, there are two common options:",[103,12336,12337,12349],{},[106,12338,12339,12344,12345,12348],{},[60,12340,12342],{"href":6297,"rel":12341},[64],[109,12343,6299],{}," (by ",[60,12346,6293],{"href":6291,"rel":12347},[64]," Labs): lightweight, indexes only metadata (labels), stores log content compressed. Well integrated with Grafana, significantly cheaper to operate than Elasticsearch.",[106,12350,12351,12354],{},[109,12352,12353],{},"Elasticsearch",": powerful full-text index, more complex queries possible, but more resource-intensive and operationally demanding.",[56,12356,12357],{},"For most Kubernetes teams already using Grafana, Loki is the natural choice. Elasticsearch makes sense when complex full-text search or advanced analytics are needed.",[187,12359,12361],{"id":12360},"log-level-discipline-in-production","Log Level Discipline in Production",[56,12363,12364,12365,12368],{},"A frequent source of problems: applications running in production with log level ",[554,12366,12367],{},"DEBUG",". 
The result is gigabytes of logs per day that nobody reads, but that cost storage and make finding real errors harder.",[56,12370,12371],{},"Clear conventions:",[103,12373,12374,12379,12385,12391],{},[106,12375,12376,12378],{},[109,12377,12367],{}," — development only, or for targeted troubleshooting",[106,12380,12381,12384],{},[109,12382,12383],{},"INFO"," — important events that document normal operations",[106,12386,12387,12390],{},[109,12388,12389],{},"WARN"," — something unexpected happened, operations continue",[106,12392,12393,12396],{},[109,12394,12395],{},"ERROR"," — a failure occurred that needs attention",[56,12398,12399],{},"And: structured logging is always preferable to unstructured logging. Writing logs as JSON makes them efficient to filter and query in Loki or Elasticsearch. Free-text logs are hard for machines to process.",[71,12401,12403],{"id":12402},"alerting-what-actually-deserves-an-alert","Alerting: What Actually Deserves an Alert",[56,12405,12406],{},"An alert that nobody pays attention to anymore is worse than no alert at all. Alert fatigue is a real problem. Teams that receive dozens of notifications daily get used to them and eventually miss the critical one.",[56,12408,12409],{},"Prometheus Alertmanager is the standard tool for receiving, grouping, deduplicating, and routing alerts (Slack, PagerDuty, email, etc.).",[56,12411,12412],{},"Principles for effective alerting:",[56,12414,12415,12418],{},[109,12416,12417],{},"Alert on symptoms, not causes."," An alert on \"high CPU\" is often useless. High CPU isn't a problem as long as the application is responding. Better: alert on response time > 2 seconds or error rate > 1%.",[56,12420,12421,12424],{},[109,12422,12423],{},"Use the four golden signals"," (from the Google SRE book): latency, traffic, errors, saturation. 
These are the signals that actually indicate user-facing problems.",[56,12426,12427,12430],{},[109,12428,12429],{},"Define alerting tiers."," Not every alert needs to wake someone up at 3 AM. Critical alerts go to PagerDuty, warnings go to a Slack channel.",[56,12432,12433,12436],{},[109,12434,12435],{},"Test your alerts."," An alert that has never fired may have never had the chance — or it might be broken.",[71,12438,12440],{"id":12439},"dashboards-with-grafana","Dashboards with Grafana",[56,12442,12443],{},"Grafana is the standard tool for visualizing Prometheus metrics and Loki logs. A good dashboard answers at a glance: Is everything okay?",[56,12445,12446],{},"What belongs on every team dashboard:",[103,12448,12449,12455,12461,12467,12473],{},[106,12450,12451,12454],{},[109,12452,12453],{},"Request rate"," — how many requests is the service handling right now?",[106,12456,12457,12460],{},[109,12458,12459],{},"Error rate"," — how many of those are failing?",[106,12462,12463,12466],{},[109,12464,12465],{},"Latency"," — P50, P95, P99 response times (not just averages)",[106,12468,12469,12472],{},[109,12470,12471],{},"Pod status"," — are all replicas running, are there restarts?",[106,12474,12475,12478],{},[109,12476,12477],{},"Resource utilization"," — CPU and memory vs. defined limits",[56,12480,12481],{},"A common mistake: dashboards that show too much. When 40 graphs are on one screen, nobody sees anything anymore. Less is more — a focused overview dashboard, with links to detail dashboards for specific analysis.",[56,12483,12484],{},"Grafana also offers annotations: when was a new deployment rolled out? These markers on graphs are enormously helpful for correlating performance changes with deployments.",[71,12486,12488],{"id":12487},"kubernetes-monitoring-on-a-devops-as-a-service-platform","Kubernetes Monitoring on a DevOps-as-a-Service Platform",[56,12490,12491],{},"Building and running your own monitoring stack is possible but labor-intensive. 
Prometheus, Alertmanager, Loki, Fluent Bit, Grafana: each component needs to be configured, secured, updated, and scaled. That's operational overhead that doesn't directly contribute to your product.",[56,12493,12494,12495,12498,12499,12501],{},"On a Kubernetes ",[60,12496,12497],{"href":486},"DaaS platform"," like ",[109,12500,299],{},", monitoring infrastructure is part of the platform. This means: metrics for all workloads are collected automatically, logs are aggregated and made searchable, basic alerts are preconfigured. Teams can focus on configuring their own metrics and alerts instead of running the stack themselves.",[56,12503,12504,12505,12508],{},"This is especially relevant for ",[60,12506,12507],{"href":7312},"smaller teams that handle DevOps on the side",". Getting Kubernetes monitoring right takes time — time that can be invested in product development when the platform handles the fundamentals.",[56,12510,12511,12512,415],{},"Teams running Kubernetes workloads on lowcloud get Prometheus and Grafana as integrated services — configurable, but without the initial infrastructure overhead. Learn more at ",[60,12513,12516],{"href":12514,"rel":12515},"http:\u002F\u002Flowcloud.de",[64],"lowcloud.de",[479,12518],{},[56,12520,12521],{},[2186,12522,12523,12524,12527],{},"Monitoring isn't a one-time project you check off a list. It's an ongoing process: sharpening alerts, adjusting dashboards, instrumenting new services. 
Those who ",[60,12525,12526],{"href":2728},"set up monitoring before migrating to Kubernetes"," have a clear advantage when incidents happen — and sleep better at night.",{"title":490,"searchDepth":491,"depth":491,"links":12529},[12530,12531,12532,12535,12538,12539,12540],{"id":12175,"depth":491,"text":12176},{"id":12206,"depth":491,"text":12207},{"id":12242,"depth":491,"text":12243,"children":12533},[12534],{"id":12280,"depth":499,"text":12281},{"id":12307,"depth":491,"text":12308,"children":12536},[12537],{"id":12360,"depth":499,"text":12361},{"id":12402,"depth":491,"text":12403},{"id":12439,"depth":491,"text":12440},{"id":12487,"depth":491,"text":12488},"How logs and metrics work together in Kubernetes, where they differ, and what a solid monitoring stack needs to deliver in practice.",{"src":12543},"\u002Fimages\u002Fblog\u002Fkubernetes-monitoring-logs-metrics.jpg",{},{"title":12164,"description":12541},"en\u002F3.blog\u002F32.kubernetes-monitoring-logs-metrics","jjpvtddq_dR5jSY0qzfWAiaFocnmuIt3aMi4K0DKEJg",{"id":12549,"title":12550,"authors":12551,"badge":10,"body":12554,"date":12811,"description":12812,"extension":510,"image":12813,"lastUpdated":10,"meta":12815,"navigation":14,"path":5059,"published":14,"seo":12816,"stem":12817,"tags":10,"__hash__":12818},"posts\u002Fen\u002F3.blog\u002F29.data-residency-vs-data-sovereignty.md","Data Residency vs. Data Sovereignty: What Really Matters",[12552],{"name":43,"to":44,"avatar":12553},{"src":46},{"type":48,"value":12555,"toc":12799},[12556,12559,12566,12570,12576,12579,12582,12586,12591,12594,12620,12623,12627,12630,12633,12637,12644,12650,12653,12657,12660,12664,12667,12670,12676,12682,12685,12711,12715,12718,12724,12730,12735,12739,12742,12747,12758,12763,12788,12791,12793],[51,12557,12550],{"id":12558},"data-residency-vs-data-sovereignty-what-really-matters",[56,12560,12561,12562,12565],{},"Many teams believe they're on the safe side because their data sits in Frankfurt. 
What they overlook: data residency and data sovereignty are ",[60,12563,12564],{"href":325},"two different things"," — and only one of them actually protects you from unwanted foreign access. Confusing these terms leads to infrastructure decisions built on a false premise.",[71,12567,12569],{"id":12568},"what-is-data-residency","What Is Data Residency?",[56,12571,12572,12575],{},[109,12573,12574],{},"Data residency"," simply describes the physical or geographic location where data is stored. When you select \"Region: eu-central-1 (Frankfurt)\" in your cloud dashboard, you're ensuring your data lives in German data centers — not in the US, not in Asia.",[56,12577,12578],{},"This isn't a trivial detail. Many regulated industries — financial services, healthcare, public administration — have explicit requirements about where data must be physically stored. The GDPR itself doesn't prescribe a specific storage location, but it sets high barriers for transfers to third countries (Art. 44 ff. GDPR). Data residency helps meet these requirements.",[56,12580,12581],{},"The problem: data residency says nothing about who can legally access that data. And that's exactly where its protective effect ends.",[71,12583,12585],{"id":12584},"what-is-data-sovereignty","What Is Data Sovereignty?",[56,12587,12588,12590],{},[109,12589,5060],{}," goes a step further. It describes who has legal and operational control over data — who decides who gets access, who may process it, and most importantly: who must hand it over.",[56,12592,12593],{},"Data sovereignty isn't a technical property of a data center. It's a legal and architectural property of your entire setup. 
It depends on:",[103,12595,12596,12602,12608,12614],{},[106,12597,1701,12598,12601],{},[109,12599,12600],{},"legal framework"," under which your provider operates",[106,12603,1701,12604,12607],{},[109,12605,12606],{},"corporate structure"," of the provider (parent company in which country?)",[106,12609,1701,12610,12613],{},[109,12611,12612],{},"encryption model"," and who holds the cryptographic keys",[106,12615,1701,12616,12619],{},[109,12617,12618],{},"access protocols"," and who can review them",[56,12621,12622],{},"A company can have full data sovereignty without its data being in its own country — and conversely, a company can store data in Germany without having any sovereignty over it whatsoever.",[71,12624,12626],{"id":12625},"why-eu-regions-arent-a-free-pass","Why EU Regions Aren't a Free Pass",[56,12628,12629],{},"This is where many teams take a wrong turn. The assumption goes: \"We use AWS Frankfurt, so we're GDPR-compliant and sovereign.\" Neither is automatically true.",[56,12631,12632],{},"AWS, Google Cloud, and Microsoft Azure are US companies. Their European subsidiaries and data centers are still subject to access by their American parent corporations — and therefore to US law.",[187,12634,12636],{"id":12635},"the-cloud-act-problem-in-practice","The CLOUD Act Problem in Practice",[56,12638,1701,12639,12643],{},[109,12640,12641],{},[60,12642,6823],{"href":6023}," (Clarifying Lawful Overseas Use of Data Act) of 2018 obligates US companies to hand over data on request from American authorities — even when that data is physically stored in Europe. An agency in Washington can theoretically demand access to data sitting in an AWS data center in Frankfurt, because AWS Inc. 
is a US company.",[56,12645,1701,12646,12649],{},[109,12647,12648],{},"Schrems II ruling"," by the ECJ in 2020 drove this point home: the ECJ struck down the Privacy Shield precisely because US intelligence laws (FISA Section 702, Executive Order 12333) permit surveillance that leaves EU data with a level of protection below GDPR standards. Data residency in the EU doesn't protect against access by US authorities when the provider is a US company.",[56,12651,12652],{},"This isn't a theoretical problem. It affects everyone who processes personal data of EU citizens with US hyperscalers, regardless of which region they've selected.",[71,12654,12656],{"id":12655},"implementing-data-sovereignty-technically","Implementing Data Sovereignty Technically",[56,12658,12659],{},"If you're aiming for real data sovereignty, choosing the right region isn't enough. You need an architecture that structurally ensures sovereignty.",[187,12661,12663],{"id":12662},"who-holds-the-keys","Who Holds the Keys?",[56,12665,12666],{},"Encryption is the first building block — but it only protects you if you retain control over the cryptographic keys.",[56,12668,12669],{},"Most hyperscalers offer managed encryption by default: the provider manages the keys, and the provider could hand them over on request. That's better than no encryption, but it's not real sovereignty.",[56,12671,12672,12675],{},[109,12673,12674],{},"Bring Your Own Key (BYOK)"," is a step further: you bring your own key, and the provider uses it for encryption. The problem: the key resides in the provider's infrastructure and can theoretically be compromised or surrendered there.",[56,12677,12678,12681],{},[109,12679,12680],{},"Hold Your Own Key (HYOK)"," is the most rigorous approach: the keys never leave your own infrastructure at any point. Decryption happens only under your control. 
This means the cloud provider has no technical ability to hand over data in plaintext — even if compelled to do so.",[56,12683,12684],{},"Additional technical measures for data sovereignty:",[103,12686,12687,12693,12699,12705],{},[106,12688,12689,12692],{},[109,12690,12691],{},"Access control and IAM",": Strict separation of permissions, no broad admin access for provider support teams",[106,12694,12695,12698],{},[109,12696,12697],{},"Audit logs",": Complete, immutable logging of all access — including by the provider",[106,12700,12701,12704],{},[109,12702,12703],{},"Tenant isolation",": Physical or cryptographic separation of customer data, no shared infrastructure at the database level",[106,12706,12707,12710],{},[109,12708,12709],{},"Network segmentation",": Kubernetes namespaces and network policies that prevent unwanted data flows",[71,12712,12714],{"id":12713},"sovereign-cloud-as-a-solution","Sovereign Cloud as a Solution",[56,12716,12717],{},"The concept of the sovereign cloud addresses exactly this gap between data residency and real sovereignty. A sovereign cloud isn't simply a European region of a US hyperscaler — it's infrastructure operated entirely under European law and without dependency on US corporations.",[56,12719,12720,12721,12723],{},"Initiatives like Gaia-X are working to create a European data space with defined sovereignty standards. The EU's new ",[60,12722,8918],{"href":8917}," now provides formal, verifiable criteria for what qualifies as sovereign. This isn't just about storage location, but about technical and legal certifications: Who operates the infrastructure? Who has access? Which authorities can make which demands?",[56,12725,7863,12726,12729],{},[60,12727,12728],{"href":5076},"Kubernetes workloads and digital sovereignty",", this means concretely: managed Kubernetes on a European provider without a US parent company offers a different starting point than EKS or GKE, even though both have technically similar features. 
The question is which legal system the provider is subject to and what contractual and technical guarantees it can offer.",[56,12731,12732,12734],{},[109,12733,299],{}," is built as a Kubernetes DevOps-as-a-Service platform explicitly for this use case: operated in German data centers, without a US parent corporation, with clear data protection agreements under GDPR. This addresses not just data residency, but also structural sovereignty — which authorities could demand access and what legal levers are available to a provider, or not.",[71,12736,12738],{"id":12737},"a-decision-guide-for-architects","A Decision Guide for Architects",[56,12740,12741],{},"Not every application needs the same level of sovereignty. Here's a pragmatic orientation:",[56,12743,12744],{},[109,12745,12746],{},"Data residency is sufficient when:",[103,12748,12749,12752,12755],{},[106,12750,12751],{},"You process no personal data or only non-critical internal data",[106,12753,12754],{},"Your compliance requirements are limited to the physical storage location",[106,12756,12757],{},"You operate in a sector with no special requirements around access control",[56,12759,12760],{},[109,12761,12762],{},"Data sovereignty is necessary when:",[103,12764,12765,12768,12782,12785],{},[106,12766,12767],{},"You process sensitive personal data of EU citizens (healthcare, finance, government)",[106,12769,12770,12771,557,12776,12781],{},"You process data that falls under ",[60,12772,12775],{"href":12773,"rel":12774},"https:\u002F\u002Fwww.bsi.bund.de\u002FDE\u002FThemen\u002FRegulierte-Wirtschaft\u002FNIS-2-regulierte-Unternehmen\u002Fnis-2-regulierte-unternehmen_node.html",[64],"NIS2",[60,12777,12780],{"href":12778,"rel":12779},"https:\u002F\u002Fwww.bsi.bund.de\u002FDE\u002FThemen\u002FRegulierte-Wirtschaft\u002FKritische-Infrastrukturen\u002Fkritis_node.html",[64],"KRITIS",", or similar regulations",[106,12783,12784],{},"Your threat model includes government access by third-country 
authorities",[106,12786,12787],{},"Your customers or partners explicitly require sovereignty certifications",[56,12789,12790],{},"The decisive question isn't just \"Where does my data live?\" but: \"Who could theoretically compel access to my data — and through which legal pathway?\"",[479,12792],{},[56,12794,12795,12798],{},[109,12796,12797],{},"Running Kubernetes workloads on a sovereignly operated platform"," isn't a technical overhead. The question is which infrastructure you deploy on. lowcloud offers managed Kubernetes on European infrastructure without US dependencies. If you have concrete data sovereignty requirements, it's worth taking a look at the platform and having a direct conversation about your setup.",{"title":490,"searchDepth":491,"depth":491,"links":12800},[12801,12802,12803,12806,12809,12810],{"id":12568,"depth":491,"text":12569},{"id":12584,"depth":491,"text":12585},{"id":12625,"depth":491,"text":12626,"children":12804},[12805],{"id":12635,"depth":499,"text":12636},{"id":12655,"depth":491,"text":12656,"children":12807},[12808],{"id":12662,"depth":499,"text":12663},{"id":12713,"depth":491,"text":12714},{"id":12737,"depth":491,"text":12738},"2026-03-19","Data residency isn",{"src":12814},"\u002Fimages\u002Fblog\u002Fdata-residency-vs-data-sovereignty.jpg",{},{"title":12550,"description":12812},"en\u002F3.blog\u002F29.data-residency-vs-data-sovereignty","kQXMBspNDMkVZc6lEqsSD8qyGmwU4YPqqQor6ZQmb7g",{"id":12820,"title":12821,"authors":12822,"badge":10,"body":12825,"date":12811,"description":13041,"extension":510,"image":13042,"lastUpdated":7615,"meta":13044,"navigation":14,"path":7300,"published":14,"seo":13045,"stem":13046,"tags":10,"__hash__":13047},"posts\u002Fen\u002F3.blog\u002F30.manual-deployment-risks.md","Manual Deployments: An Underestimated Risk for 
SMBs",[12823],{"name":43,"to":44,"avatar":12824},{"src":46},{"type":48,"value":12826,"toc":13027},[12827,12830,12834,12837,12844,12848,12851,12854,12857,12861,12864,12867,12871,12874,12880,12886,12895,12899,12906,12909,12912,12916,12919,12925,12931,12934,12938,12941,12944,12970,12976,12980,12985,12988,12999,13002,13006,13009,13012,13015,13017],[56,12828,12829],{},"Many mid-sized companies haven't fundamentally changed their software delivery in years. Manual deployment works — until it doesn't. And then it usually breaks at the worst possible time.",[71,12831,12833],{"id":12832},"what-goes-wrong-with-manual-deployments","What Goes Wrong with Manual Deployments",[56,12835,12836],{},"A deployment that consists of a list of steps in a Word document or lives in a single developer's head isn't a process. It's a hope.",[56,12838,12839,12840,12843],{},"That sounds harsh, but it reflects the reality of many ",[60,12841,12842],{"href":7312},"mid-sized IT departments",". The typical scenarios: A developer forgets to update a configuration file. Another executes the steps in the wrong order because the instructions haven't been updated since a system migration. Or a new colleague takes over deployment for the first time and discovers that her predecessor's implicit knowledge was never documented.",[187,12845,12847],{"id":12846},"the-human-factor","The Human Factor",[56,12849,12850],{},"The problem isn't that people are careless. It's that manual processes are inherently variable. No human executes the same step exactly the same way twice — especially not under time pressure or after a long day.",[56,12852,12853],{},"Checklists help but don't fundamentally solve the problem. They reduce the error rate; they don't eliminate it. And they only work when consistently maintained and kept up to date — which rarely happens in practice.",[56,12855,12856],{},"On top of that, manual deployments lack any form of automated validation. 
Whether the application actually runs correctly after deployment is often only discovered when users start complaining.",[187,12858,12860],{"id":12859},"no-rollback-no-plan-b","No Rollback, No Plan B",[56,12862,12863],{},"What happens when a manual deployment fails? In automated pipelines, a rollback takes seconds. The previous state is simply restored. With manual processes, a rollback is often just as complex as the deployment itself — sometimes more so.",[56,12865,12866],{},"This leads to a dangerous reflex: errors are patched directly on the live production environment instead of rolling back cleanly. This worsens outages and extends downtime.",[71,12868,12870],{"id":12869},"the-hidden-costs-of-manual-processes","The Hidden Costs of Manual Processes",[56,12872,12873],{},"The obvious costs of a failed deployment — downtime, lost transactions, frustrated customers — are the easy part. The truly expensive consequences build up over time.",[56,12875,12876,12879],{},[109,12877,12878],{},"Technical Debt:"," Because every developer deploys slightly differently, inconsistencies creep into the production environment. Eventually, nobody knows why the production server is running a library version that should have been updated long ago.",[56,12881,12882,12885],{},[109,12883,12884],{},"Security Risks:"," Patches and security updates aren't consistently applied because deployment is cumbersome. This makes manual processes a direct security problem — especially in industries with heightened compliance requirements.",[56,12887,12888,12891,12892,415],{},[109,12889,12890],{},"Slowed Development:"," Teams afraid of deployment deploy less frequently. 
This leads to larger, riskier releases instead of small, manageable changes – a pattern that ",[60,12893,12894],{"href":7292},"deepens the deployment bottleneck",[187,12896,12898],{"id":12897},"the-bus-factor","The Bus Factor",[56,12900,12901,12902,12905],{},"A term that should come up in every serious conversation about deployment processes: the ",[60,12903,12904],{"href":10601},"bus factor",". It describes how many people a company could lose before critical knowledge is irretrievably gone.",[56,12907,12908],{},"With manual deployments, the bus factor is alarmingly often just one. A single developer knows the process in all its details. When that person gets sick, leaves the company, or goes on vacation, the team faces a real problem.",[56,12910,12911],{},"This isn't a hypothetical risk. It's a structural problem that automation directly addresses.",[71,12913,12915],{"id":12914},"what-deployment-automation-actually-means","What Deployment Automation Actually Means",[56,12917,12918],{},"CI\u002FCD — Continuous Integration and Continuous Delivery — sounds like a concept for large tech companies with dedicated DevOps teams. That's no longer true.",[56,12920,12921,12924],{},[109,12922,12923],{},"Continuous Integration"," means, at its core: every code change is automatically built, tested, and validated. Errors are caught before they reach production.",[56,12926,12927,12930],{},[109,12928,12929],{},"Continuous Delivery"," goes a step further: the path from a verified code change to production is automated and reproducible. The deployment itself can be triggered at the push of a button or fully automatically.",[56,12932,12933],{},"The result: deployments become routine operations, not risky interventions. 
The team can release more frequently, more safely, and with greater confidence.",[187,12935,12937],{"id":12936},"cicd-for-mid-sized-companies-where-to-start","CI\u002FCD for Mid-Sized Companies: Where to Start?",[56,12939,12940],{},"The most common mistake when getting started with deployment automation is trying to implement the perfect solution right away. This leads to months of planning phases without tangible results.",[56,12942,12943],{},"A pragmatic approach works better:",[3976,12945,12946,12952,12958,12964],{},[106,12947,12948,12951],{},[109,12949,12950],{},"Document the current deployment process"," — even if it's chaotic. Only what's documented can be automated.",[106,12953,12954,12957],{},[109,12955,12956],{},"Automate a simple build step"," — for example, building a container image on every git push.",[106,12959,12960,12963],{},[109,12961,12962],{},"Add automated tests"," — even simple smoke tests are better than no tests.",[106,12965,12966,12969],{},[109,12967,12968],{},"Automate deployment to a staging environment"," — production comes later.",[56,12971,12972,12973,415],{},"Each of these steps delivers immediate value and builds the team's confidence in automated processes. For a complete roadmap from containerization to GitOps, see our ",[60,12974,12975],{"href":7620},"SMB deployment guide",[71,12977,12979],{"id":12978},"kubernetes-and-devops-as-a-service-as-accelerators","Kubernetes and DevOps-as-a-Service as Accelerators",[56,12981,12982,12984],{},[60,12983,1543],{"href":1542}," has established itself as the de facto standard for container orchestration — including in mid-sized companies. The technology offers exactly what manual deployments cannot: declarative configuration, automatic rollback, health checks, and scaling.",[56,12986,12987],{},"The challenge: Kubernetes itself is complex. 
Setting up, operating, and maintaining the cluster requires expertise that many mid-sized teams don't have in-house.",[56,12989,12990,12991,12994,12995,12998],{},"This is where ",[60,12992,12993],{"href":486},"DaaS platforms"," come in. They abstract away Kubernetes complexity and offer structured deployment workflows without requiring the team to dive deep into cluster management. ",[60,12996,299],{"href":5869,"rel":12997},[64]," is one such platform — built for teams that want the benefits of Kubernetes without building their own platform engineering department.",[56,13000,13001],{},"In practice, this means: deployments are triggered through a defined pipeline, rollbacks are automated, and the application's state is traceable at all times. Developers focus on code, not deployment infrastructure.",[71,13003,13005],{"id":13004},"conclusion-when-is-the-right-time","Conclusion: When Is the Right Time?",[56,13007,13008],{},"The most common answer to when a company should start with deployment automation is: \"When we have more time\" or \"When the current project is finished.\"",[56,13010,13011],{},"That time never comes. Manual processes continuously generate overhead that delays other projects. The right time was yesterday — the second-best time is today.",[56,13013,13014],{},"The entry point doesn't have to be big. An automated build step, a simple test, a reproducible deployment to staging. That's enough to start. What's not enough is continuing as before and hoping the next manual deployment goes smoothly.",[479,13016],{},[56,13018,13019,13022,13023],{},[109,13020,13021],{},"Ready to take deployments out of the risk zone?"," lowcloud offers a Kubernetes-based PaaS platform that makes deployment automation accessible to mid-sized teams — without months of infrastructure setup. 
",[60,13024,13026],{"href":5869,"rel":13025},[64],"Learn more",{"title":490,"searchDepth":491,"depth":491,"links":13028},[13029,13033,13036,13039,13040],{"id":12832,"depth":491,"text":12833,"children":13030},[13031,13032],{"id":12846,"depth":499,"text":12847},{"id":12859,"depth":499,"text":12860},{"id":12869,"depth":491,"text":12870,"children":13034},[13035],{"id":12897,"depth":499,"text":12898},{"id":12914,"depth":491,"text":12915,"children":13037},[13038],{"id":12936,"depth":499,"text":12937},{"id":12978,"depth":491,"text":12979},{"id":13004,"depth":491,"text":13005},"Why manual software deployments cause outages, security gaps, and technical debt in mid-sized companies – and how CI\u002FCD automation solves it.",{"src":13043},"\u002Fimages\u002Fblog\u002Fmanual-deployment-risks.jpg",{},{"title":12821,"description":13041},"en\u002F3.blog\u002F30.manual-deployment-risks","x2k1ZvfwGg2wVoSxTo8eMiKlKGI8RetYbjP1xvl65v4",{"id":13049,"title":13050,"authors":13051,"badge":10,"body":13054,"date":13304,"description":13305,"extension":510,"image":13306,"lastUpdated":9014,"meta":13308,"navigation":14,"path":13309,"published":14,"seo":13310,"stem":13311,"tags":10,"__hash__":13312},"posts\u002Fen\u002F3.blog\u002F27.dora-compliance-devops.md","DORA Compliance for DevOps: What the EU Resilience Act Means",[13052],{"name":43,"to":44,"avatar":13053},{"src":46},{"type":48,"value":13055,"toc":13285},[13056,13060,13063,13067,13076,13079,13091,13095,13098,13118,13121,13125,13128,13132,13138,13142,13145,13149,13152,13156,13159,13163,13166,13170,13173,13177,13180,13183,13197,13200,13204,13207,13210,13214,13217,13220,13224,13236,13242,13245,13249,13256,13259,13262,13266,13269,13272,13275,13277,13282],[51,13057,13059],{"id":13058},"dora-compliance-for-devops-what-the-digital-operational-resilience-act-actually-means","DORA Compliance for DevOps: What the Digital Operational Resilience Act Actually Means",[56,13061,13062],{},"Since January 2025, DORA has been mandatory for all financial 
enterprises in the EU — and by extension, for their cloud infrastructure, deployment processes, and external IT service providers. If you think this is a topic only for compliance departments, think again: DORA imposes concrete technical requirements that directly affect day-to-day DevOps operations. This article breaks down what's behind it, who it applies to, and what needs to change in practice.",[71,13064,13066],{"id":13065},"what-is-dora-and-why-now","What Is DORA and Why Now?",[56,13068,13069,13070,13075],{},"DORA stands for Digital Operational Resilience Act, ",[60,13071,13074],{"href":13072,"rel":13073},"https:\u002F\u002Fwww.bafin.de\u002FDE\u002FAufsicht\u002FDORA\u002FDORA_node.html",[64],"EU Regulation No. 2022\u002F2554",". It was adopted in late 2022, giving companies two years to prepare. Since January 17, 2025, it is binding.",[56,13077,13078],{},"The goal is clear: make the European financial sector more resilient against cyberattacks, IT outages, and operational disruptions. DORA doesn't prescribe specific technologies — instead, it defines requirements for processes, documentation, testing, and contracts. That sounds abstract, but it has very concrete implications for operations.",[56,13080,13081,13082,13086,13087,13090],{},"The regulatory framework complements existing requirements such as the EBA Guidelines on ICT risk and the ",[60,13083,13085],{"href":13084},"\u002Fen\u002Fblog\u002Fnis2-compliance-devops","NIS2 Directive",". For organizations deploying AI systems, the ",[60,13088,13089],{"href":4149},"EU AI Act adds further obligations"," around documentation, logging, and risk classification. However, DORA is significantly more specific and applies directly as a regulation, meaning there is no room for national interpretation.",[71,13092,13094],{"id":13093},"who-does-dora-apply-to","Who Does DORA Apply To?",[56,13096,13097],{},"The scope is broader than many initially assume. 
Clearly affected are:",[103,13099,13100,13103,13106,13109,13112,13115],{},[106,13101,13102],{},"Credit institutions and banks",[106,13104,13105],{},"Insurance companies and reinsurers",[106,13107,13108],{},"Payment service providers and e-money institutions",[106,13110,13111],{},"Investment firms and fund managers",[106,13113,13114],{},"Crypto-asset service providers (under MiCA)",[106,13116,13117],{},"Trading venues and central counterparties",[56,13119,13120],{},"Particularly relevant for cloud providers and ICT service providers: DORA also covers critical ICT third-party service providers. If you operate as a cloud provider, data center, or SaaS vendor delivering essential services to financial enterprises, you may be directly supervised by the European Supervisory Authorities (ESAs). This can also apply to Kubernetes platforms running core business processes.",[71,13122,13124],{"id":13123},"the-five-core-obligations-at-a-glance","The Five Core Obligations at a Glance",[56,13126,13127],{},"DORA structures its requirements into five main areas.",[187,13129,13131],{"id":13130},"ict-risk-management","ICT Risk Management",[56,13133,13134,13135,415],{},"Financial enterprises must build and document a comprehensive ICT risk management framework. This includes identifying critical systems, assessing dependencies (both internal and external), and implementing protection and recovery measures. Crucially, responsibility lies with the management body — at ",[60,13136,13137],{"href":6827},"board level, not just within IT",[187,13139,13141],{"id":13140},"incident-reporting","Incident Reporting",[56,13143,13144],{},"Significant ICT-related incidents must be reported within defined timeframes. The initial notification must be submitted within four hours of classifying the incident, followed by an intermediate report after 72 hours, and a final report after one month. 
What qualifies as \"significant\" is defined by Regulatory Technical Standards (RTS) from the ESAs.",[187,13146,13148],{"id":13147},"resilience-testing","Resilience Testing",[56,13150,13151],{},"All enterprises must conduct regular resilience tests — ranging from basic vulnerability assessments to TLPT (Threat-Led Penetration Testing) for systemically important institutions. TLPT is demanding: it simulates real attacker scenarios against production systems and must be performed by accredited test providers.",[187,13153,13155],{"id":13154},"third-party-risk-management","Third-Party Risk Management",[56,13157,13158],{},"Contracts with ICT third-party service providers must include specific clauses: exit rights, audit and access rights for regulators, minimum standards for security and availability, and clear provisions on data location. If these clauses are missing, contracts must be amended — which is often cumbersome with large cloud providers.",[187,13160,13162],{"id":13161},"information-sharing","Information Sharing",[56,13164,13165],{},"DORA actively promotes the voluntary exchange of threat intelligence between financial enterprises. This is less an operational obligation and more a regulatory framework for collective defense measures.",[71,13167,13169],{"id":13168},"what-dora-concretely-means-for-devops","What DORA Concretely Means for DevOps",[56,13171,13172],{},"This is where it gets practical. DORA compliance for DevOps isn't an abstract concept — it changes how teams set up, document, and test their pipelines.",[187,13174,13176],{"id":13175},"auditable-deployment-pipelines","Auditable Deployment Pipelines",[56,13178,13179],{},"DORA requires traceability. 
In concrete terms: every change to production-relevant systems must be documented, traceable, and demonstrable to supervisory authorities if needed.",[56,13181,13182],{},"For CI\u002FCD pipelines, this means:",[103,13184,13185,13188,13191,13194],{},[106,13186,13187],{},"Complete logs of all deployments including timestamps, the person who triggered them, and the components changed",[106,13189,13190],{},"Mandatory code reviews and approval workflows for production deployments",[106,13192,13193],{},"Clear separation between test and production environments with documented handover processes",[106,13195,13196],{},"Change management following ITIL-like principles — even if the term sometimes causes discomfort in DevOps circles",[56,13198,13199],{},"This isn't rocket science, but it requires teams to deliberately align their toolchain for this purpose — not only when an auditor comes knocking.",[187,13201,13203],{"id":13202},"recovery-objectives-rto-and-rpo-under-regulatory-pressure","Recovery Objectives: RTO and RPO Under Regulatory Pressure",[56,13205,13206],{},"DORA requires defined and tested RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for critical systems. The regulation doesn't prescribe specific values — but they must be documented, regularly tested, and demonstrably met.",[56,13208,13209],{},"For DevOps teams, this means disaster recovery scenarios can no longer exist only in concept papers. They must be regularly rehearsed, preferably in an automated fashion. Those running Kubernetes have structural advantages here: automatic failover, rolling updates, and declarative state management help make recovery processes reproducible.",[71,13211,13213],{"id":13212},"concentration-risk-why-three-hyperscalers-are-a-problem","Concentration Risk: Why Three Hyperscalers Are a Problem",[56,13215,13216],{},"One of the most notable aspects of DORA is its explicit focus on concentration risk. 
Supervisory authorities acknowledge what has long been unspoken in the industry: when virtually the entire European financial infrastructure runs on the same two or three US-based cloud platforms, a systemic risk emerges.",[56,13218,13219],{},"If AWS goes down in a region — or becomes subject to a US government access request — hundreds of financial service providers are simultaneously affected. DORA doesn't demand an immediate move away from the major providers, but it does require companies to actively manage this risk: through diversification, exit scenarios, and an honest assessment of their dependencies.",[71,13221,13223],{"id":13222},"cloud-in-germany-and-europe-dora-compliance-through-location","Cloud in Germany and Europe: DORA Compliance Through Location",[56,13225,13226,13227,733,13231,13235],{},"One area where local and European cloud providers have a structural advantage is third-party risk management. DORA requires audit rights that are difficult to enforce with large hyperscalers in practice. ",[60,13228,5914],{"href":13229,"rel":13230},"https:\u002F\u002Faws.amazon.com\u002Fde\u002F",[64],[60,13232,5924],{"href":13233,"rel":13234},"https:\u002F\u002Fazure.microsoft.com\u002Fde-de",[64]," have standardized contracts — individual negotiations over access rights for regulators are the exception, not the rule.",[56,13237,13238,13239,13241],{},"With European providers operating out of German or European data centers, the situation is different. Contracts can be individually tailored. Audit access can be arranged in a concrete and legally sound manner. And physical control over data and infrastructure lies — unlike offerings under the ",[60,13240,6823],{"href":6023}," — exclusively within the European legal framework.",[56,13243,13244],{},"For companies that need to be DORA-compliant, this isn't a minor detail. 
It's a structural difference in risk assessment.",[71,13246,13248],{"id":13247},"exit-strategies-as-a-mandatory-exercise","Exit Strategies as a Mandatory Exercise",[56,13250,13251,13252,13255],{},"DORA explicitly requires companies to develop and document exit strategies for their ICT service providers. This sounds like administrative overhead, but it's technically challenging: those deeply integrated into ",[60,13253,13254],{"href":333},"proprietary cloud services"," can't simply switch.",[56,13257,13258],{},"This is where container-based infrastructure pays off. Workloads running on standardized Kubernetes manifests are more portable than those built deeply on proprietary managed services from a single provider. This isn't an argument against using managed services per se — but it is an argument for treating portability as a design principle, not an afterthought.",[56,13260,13261],{},"In practical terms: those already using Helm charts, GitOps workflows, and cloud-agnostic storage abstractions today will have fewer problems actually executing a regulatorily required exit plan tomorrow.",[71,13263,13265],{"id":13264},"conclusion-dora-is-not-a-bureaucracy-issue","Conclusion: DORA Is Not a Bureaucracy Issue",[56,13267,13268],{},"DORA forces the financial sector to do something many teams should have done long ago: seriously document, test, and diversify their IT resilience. The regulation doesn't create new effort from nothing — it makes gaps visible.",[56,13270,13271],{},"For DevOps teams, this is an opportunity. Those who make their deployment processes auditable, regularly test their recovery scenarios, and consciously manage their cloud dependencies are building better systems anyway. DORA now provides a regulatory framework for exactly that.",[56,13273,13274],{},"The real work lies in the details: contract clauses, documentation processes, testing frequencies, service provider selection. 
Those who approach this strategically — rather than just ticking off a compliance checklist — come out stronger.",[479,13276],{},[56,13278,13279],{},[109,13280,13281],{},"Kubernetes-native European infrastructure for regulated environments",[56,13283,13284],{},"If you're looking for a cloud platform that structurally supports DORA requirements — with clear audit rights, a German data center, and full Kubernetes portability — the lowcloud platform provides a practical foundation. No lock-in mechanisms, no gray areas in data sovereignty.",{"title":490,"searchDepth":491,"depth":491,"links":13286},[13287,13288,13289,13296,13300,13301,13302,13303],{"id":13065,"depth":491,"text":13066},{"id":13093,"depth":491,"text":13094},{"id":13123,"depth":491,"text":13124,"children":13290},[13291,13292,13293,13294,13295],{"id":13130,"depth":499,"text":13131},{"id":13140,"depth":499,"text":13141},{"id":13147,"depth":499,"text":13148},{"id":13154,"depth":499,"text":13155},{"id":13161,"depth":499,"text":13162},{"id":13168,"depth":491,"text":13169,"children":13297},[13298,13299],{"id":13175,"depth":499,"text":13176},{"id":13202,"depth":499,"text":13203},{"id":13212,"depth":491,"text":13213},{"id":13222,"depth":491,"text":13223},{"id":13247,"depth":491,"text":13248},{"id":13264,"depth":491,"text":13265},"2026-03-18","DORA has been mandatory since January 2025. 
What the EU regulation changes for CI\u002FCD pipelines, cloud strategies, and DevOps teams in the financial sector.",{"src":13307},"\u002Fimages\u002Fblog\u002Fdora-compliance-devops.jpg",{},"\u002Fen\u002Fblog\u002Fdora-compliance-devops",{"title":13050,"description":13305},"en\u002F3.blog\u002F27.dora-compliance-devops","xa3KYxtnhjYuhzThA9ig0yZOqromikXRIIyg8HKO7Js",{"id":13314,"title":13315,"authors":13316,"badge":10,"body":13319,"date":13304,"description":13607,"extension":510,"image":13608,"lastUpdated":3938,"meta":13610,"navigation":14,"path":5335,"published":14,"seo":13611,"stem":13612,"tags":10,"__hash__":13613},"posts\u002Fen\u002F3.blog\u002F28.cloud-tco-hidden-costs.md","Cloud TCO: Hidden Costs AWS, Azure & GCP Don't Show You",[13317],{"name":43,"to":44,"avatar":13318},{"src":46},{"type":48,"value":13320,"toc":13593},[13321,13325,13328,13332,13338,13341,13361,13364,13368,13379,13385,13388,13392,13396,13411,13414,13418,13421,13425,13428,13432,13441,13444,13448,13451,13454,13457,13464,13468,13478,13481,13484,13488,13491,13494,13497,13506,13510,13513,13518,13535,13540,13554,13559,13570,13573,13582,13584,13590],[51,13322,13324],{"id":13323},"cloud-tco-what-the-cloud-really-costs-and-what-companies-systematically-underestimate","Cloud TCO: What the Cloud Really Costs and What Companies Systematically Underestimate",[56,13326,13327],{},"Cloud budgets are regularly exceeded — not because the planning was poor, but because many cost factors are simply missing from the TCO model. The monthly AWS or GCP invoice surprises teams time and again, even though resources were carefully calculated. The problem rarely lies with the compute costs that everyone keeps an eye on. It lies with everything around them.",[71,13329,13331],{"id":13330},"what-tco-means-in-the-cloud","What TCO Means in the Cloud",[56,13333,13334,13337],{},[109,13335,13336],{},"Total Cost of Ownership"," describes the full costs associated with operating an infrastructure over a defined period. 
In traditional IT, this includes hardware, electricity, cooling, rent, and personnel. In the cloud, the picture shifts. Some cost categories disappear, new ones emerge, and many are significantly harder to capture.",[56,13339,13340],{},"A cloud TCO model must cover three layers:",[3976,13342,13343,13349,13355],{},[106,13344,13345,13348],{},[109,13346,13347],{},"Direct infrastructure costs:"," what appears on the cloud invoice",[106,13350,13351,13354],{},[109,13352,13353],{},"Indirect operational costs:"," engineering hours, tools, processes",[106,13356,13357,13360],{},[109,13358,13359],{},"Opportunity costs and lock-in:"," what it costs to stay with a provider — or to switch",[56,13362,13363],{},"Anyone who only considers layer 1 has an incomplete picture. And an incomplete picture leads to flawed decisions.",[71,13365,13367],{"id":13366},"the-obvious-costs-and-why-theyre-only-half-the-story","The Obvious Costs — and Why They're Only Half the Story",[56,13369,13370,13371,13374,13375,13378],{},"Compute, storage, databases, load balancers. These are the line items everyone enters into their cloud budget. Cloud providers make it easy to estimate these costs with their pricing calculators. The problem: the calculators show what a resource ",[2186,13372,13373],{},"costs",", not what ",[2186,13376,13377],{},"operating"," that resource costs.",[56,13380,13381,13382,13384],{},"A single ",[60,13383,1543],{"href":1542}," node on a managed cluster is inexpensive. But what does the cluster cost as a whole — including the control plane, network plugin, logging stack, monitoring, alerting, and the three engineers who configure and maintain it all? This question is asked too rarely. At least not early enough.",[56,13386,13387],{},"Furthermore, cloud costs are variable. Fixed monthly costs are easy to plan for. 
Variably scaled resources — auto-scaling groups, serverless functions, managed databases with usage-based pricing — can produce surprises during traffic spikes that aren't in the budget.",[71,13389,13391],{"id":13390},"hidden-cost-drivers-in-cloud-tco","Hidden Cost Drivers in Cloud TCO",[187,13393,13395],{"id":13394},"egress-costs","Egress Costs",[56,13397,13398,13399,13402,13403,13406,13407,13410],{},"Data transfer ",[2186,13400,13401],{},"into"," the cloud is typically free or cheap. Data transfer ",[2186,13404,13405],{},"out"," of the cloud — to end users, to other cloud regions, or to on-premises systems — is expensive. Depending on the region, AWS charges between $0.08 and $0.09 per GB of outbound traffic. For data-intensive applications, this quickly adds up to four-figure monthly amounts. For a detailed breakdown of ",[60,13408,13409],{"href":7124},"egress fee pricing models"," across AWS, Azure, and GCP, see our dedicated analysis.",[56,13412,13413],{},"If you don't explicitly account for egress costs during architecture design, you're building yourself a silent cost problem. This is especially true for applications with high data volumes, video streaming, backups to other regions, or multi-cloud scenarios where data flows between providers.",[187,13415,13417],{"id":13416},"support-tier-costs","Support Tier Costs",[56,13419,13420],{},"A cloud provider's standard support is usually insufficient for production workloads. Business or enterprise support at AWS costs between 10% of the monthly bill (minimum $100) and significantly more, depending on the SLA. With a monthly infrastructure bill of $20,000, that quickly adds $2,000 or more for support alone — a line item missing from many initial calculations.",[187,13422,13424],{"id":13423},"third-party-licenses-on-cloud-instances","Third-Party Licenses on Cloud Instances",[56,13426,13427],{},"Managed services often don't fully replace third-party software. 
If you're running a commercial database or proprietary monitoring tool on an EC2 instance, you pay the license costs on top. Some licenses scale with the number of vCPUs or RAM, which can lead to significantly higher license costs on cloud instances compared to equivalent on-premises hardware.",[187,13429,13431],{"id":13430},"idle-resources-and-over-provisioning","Idle Resources and Over-Provisioning",[56,13433,13434,13435,13440],{},"Studies from FinOps providers consistently show that 30–40% of cloud resources in production environments are either running ",[60,13436,13439],{"href":13437,"rel":13438},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FIdle_(CPU)",[64],"idle"," or significantly over-provisioned. Development environments that aren't shut down at night. Reservations that weren't adjusted after an architecture change. Load balancers for services that no longer exist.",[56,13442,13443],{},"This isn't a criticism of teams. It's a structural problem. Cloud resources are easy to create and rarely actively decommissioned.",[71,13445,13447],{"id":13446},"operational-costs-what-engineering-hours-really-cost","Operational Costs: What Engineering Hours Really Cost",[56,13449,13450],{},"This is the line item most frequently missing from cloud TCO: the time of your own employees.",[56,13452,13453],{},"A self-managed Kubernetes cluster on bare metal or in the cloud requires maintenance. Updates, security patches, node issues, network debugging, storage configuration. Someone has to do this. For a senior DevOps engineer with an annual salary of €90,000, two hours per week of cluster maintenance already amounts to roughly €4,500 per year. That sounds manageable. 
But it's rarely just two hours, and it's rarely just one person.",[56,13455,13456],{},"Add to that: incident response (who answers alerts at night?), onboarding new team members to the infrastructure, documentation, security reviews, and the regular work of addressing technical debt.",[56,13458,13459,13460,11683],{},"Operational costs belong in every TCO model — as their own line item, with a realistic hourly rate and an honest assessment of the effort involved. For strategies on how ",[60,13461,13463],{"href":13462},"\u002Fen\u002Fblog\u002Freduce-it-costs-automation","IT automation reduces these costs",[71,13465,13467],{"id":13466},"lock-in-and-migration-costs-as-part-of-tco","Lock-in and Migration Costs as Part of TCO",[56,13469,13470,13471,13474,13475,415],{},"Cloud providers create incentives to invest deeply in their ecosystem: managed services, proprietary APIs, specific network architectures. This isn't inherently bad — managed services often save real operational costs. But they increase migration costs when a ",[60,13472,13473],{"href":333},"switch becomes necessary"," — a process the ",[60,13476,13477],{"href":6637},"EU Data Act now regulates",[56,13479,13480],{},"What does it cost to migrate an application built on AWS DynamoDB to another provider? What does it cost to rewrite an architecture based on Azure Functions to GCP Cloud Run? The answer is: more than expected, and usually more than the cost savings that triggered the switch.",[56,13482,13483],{},"Lock-in isn't an argument against cloud offerings. But it belongs transparently in the TCO calculation — as an implicit commitment to a provider over the coming years.",[71,13485,13487],{"id":13486},"managed-services-vs-self-hosted-which-is-cheaper","Managed Services vs. 
Self-Hosted: Which Is Cheaper?",[56,13489,13490],{},"The answer depends on the situation, but the trend surprises many teams.",[56,13492,13493],{},"A managed Kubernetes service (EKS, GKE, AKS) costs between $70 and $150 per month for the control plane, depending on the provider. Self-hosted on your own infrastructure or on bare-metal nodes looks cheaper at first glance. On second look, often not: the operational costs for etcd backups, API server updates, CNI configuration, and node issues quickly add up to more than the saved management fee.",[56,13495,13496],{},"The same applies to databases: a self-managed PostgreSQL on a VM is cheap in infrastructure but expensive to operate. Automated backups, high availability, point-in-time recovery, monitoring — someone has to configure and oversee all of that.",[56,13498,7445,13499,13501,13502,13505],{},[60,13500,5264],{"href":486}," platform like lowcloud takes a different approach: it fully abstracts away Kubernetes complexity, offers managed workloads without cluster management overhead, and makes operational costs predictable. When you compare the actual TCO — including engineering hours — you'll often find that a platform is cheaper than expected. 
Our ",[60,13503,13504],{"href":5345},"managed services ROI analysis"," provides a concrete cost model showing how managed services can reduce total costs by approximately 60%.",[71,13507,13509],{"id":13508},"what-a-realistic-cloud-tco-model-looks-like","What a Realistic Cloud TCO Model Looks Like",[56,13511,13512],{},"A robust TCO model needs at least these categories:",[56,13514,13515],{},[109,13516,13517],{},"Infrastructure Costs (Direct)",[103,13519,13520,13523,13526,13529,13532],{},[106,13521,13522],{},"Compute (reserved instances, on-demand, spot)",[106,13524,13525],{},"Storage (block, object, file)",[106,13527,13528],{},"Network (ingress, egress, inter-region)",[106,13530,13531],{},"Managed services (databases, queues, CDN, DNS)",[106,13533,13534],{},"Support tier",[56,13536,13537],{},[109,13538,13539],{},"Operational Costs (Indirect)",[103,13541,13542,13545,13548,13551],{},[106,13543,13544],{},"Engineering hours for operations and maintenance (estimate realistically)",[106,13546,13547],{},"Monitoring and observability tools",[106,13549,13550],{},"Security tools and compliance audits",[106,13552,13553],{},"Incident response capacity",[56,13555,13556],{},[109,13557,13558],{},"Strategic Costs",[103,13560,13561,13564,13567],{},[106,13562,13563],{},"Lock-in assessment: how high would migration costs be?",[106,13565,13566],{},"Scaling scenarios: what does 3× traffic cost?",[106,13568,13569],{},"License costs at scale",[56,13571,13572],{},"The FinOps approach helps keep these models current. FinOps doesn't mean cutting cloud costs at any price — it means consciously steering cloud spending, clearly assigning responsibilities, and treating cost transparency as a shared team goal.",[56,13574,13575,13576,13581],{},"Tools like AWS Cost Explorer, Google Cloud Billing, ",[60,13577,13580],{"href":13578,"rel":13579},"https:\u002F\u002Fgithub.com\u002Fkubecost",[64],"Kubecost"," (for Kubernetes), or Cloudability help capture cost data. 
But the real work is organizational: teams need to take ownership of their infrastructure costs.",[479,13583],{},[56,13585,13586,13589],{},[109,13587,13588],{},"Cloud costs are manageable — but only when you see them in full."," Anyone who takes TCO seriously doesn't just calculate the infrastructure bill but includes operational costs, license fees, egress charges, and lock-in risks. The result isn't a pessimistic view of the cloud — it's a realistic one that enables better decisions.",[56,13591,13592],{},"If you want to know how the TCO of a lowcloud DaaS environment compares to a self-managed Kubernetes cluster, take a look at our platform. We help make actual operational costs transparent — with no hidden line items.",{"title":490,"searchDepth":491,"depth":491,"links":13594},[13595,13596,13597,13603,13604,13605,13606],{"id":13330,"depth":491,"text":13331},{"id":13366,"depth":491,"text":13367},{"id":13390,"depth":491,"text":13391,"children":13598},[13599,13600,13601,13602],{"id":13394,"depth":499,"text":13395},{"id":13416,"depth":499,"text":13417},{"id":13423,"depth":499,"text":13424},{"id":13430,"depth":499,"text":13431},{"id":13446,"depth":491,"text":13447},{"id":13466,"depth":491,"text":13467},{"id":13486,"depth":491,"text":13487},{"id":13508,"depth":491,"text":13509},"Egress fees, support tiers, idle resources, engineering hours — the cost factors missing from every cloud pricing calculator. 
A complete TCO breakdown.",{"src":13609},"\u002Fimages\u002Fblog\u002Fcloud-tco-hidden-costs.jpg",{},{"title":13315,"description":13607},"en\u002F3.blog\u002F28.cloud-tco-hidden-costs","mqFgqfVCKLTlhK7FerNX8qp3rKGS3GgeE2d7IWoTfiY",{"id":13615,"title":13616,"authors":13617,"badge":10,"body":13620,"date":13848,"description":13849,"extension":510,"image":13850,"lastUpdated":12811,"meta":13852,"navigation":14,"path":13462,"published":14,"seo":13853,"stem":13854,"tags":10,"__hash__":13855},"posts\u002Fen\u002F3.blog\u002F24.reduce-it-costs-automation.md","Cut IT Costs with Automation: The Biggest Lever",[13618],{"name":43,"to":44,"avatar":13619},{"src":46},{"type":48,"value":13621,"toc":13834},[13622,13625,13629,13636,13639,13642,13646,13650,13653,13656,13660,13666,13672,13675,13684,13690,13693,13696,13698,13701,13704,13708,13713,13716,13721,13725,13728,13734,13737,13741,13744,13747,13773,13776,13779,13783,13786,13795,13801,13807,13813,13823,13826,13828],[56,13623,13624],{},"When companies want to cut IT costs, they usually think about cheaper cloud plans or headcount reduction first. Both miss the point. The biggest lever is automating manual operational tasks — and most teams have barely touched it.",[71,13626,13628],{"id":13627},"why-manual-it-is-so-expensive","Why Manual IT Is So Expensive",[56,13630,13631,13632,13635],{},"Look at how an ",[60,13633,13634],{"href":7312},"average ops team spends its time",": triggering deployments, adjusting configurations, renewing certificates, creating user accounts, maintaining monitoring rules, applying patches. None of these tasks are complex, but they all eat time. And time in IT is expensive.",[56,13637,13638],{},"The real problem isn't that these tasks need to be done. It's that they're done manually, over and over again. Each time with the risk of an error. Each time with the opportunity cost of someone not contributing to actual problem-solving.",[56,13640,13641],{},"On top of that: manual processes don't scale. 
A team managing ten services today can't simply manage a hundred services tomorrow with the same processes. More services mean more manual work — which means more headcount or more overtime. Both cost money.",[71,13643,13645],{"id":13644},"cutting-it-costs-through-automation-the-four-levers","Cutting IT Costs Through Automation: The Four Levers",[187,13647,13649],{"id":13648},"less-operational-overhead","Less Operational Overhead",[56,13651,13652],{},"The most obvious lever: tasks that take hours today take seconds after automation. An automated deployment process runs without anyone babysitting it. Automated onboarding creates user accounts without generating a ticket. An automated backup process runs overnight without supervision.",[56,13654,13655],{},"This doesn't necessarily mean positions get cut. In most teams, it means existing staff can finally do the work they were hired for: solving problems, improving architecture, enabling new features.",[187,13657,13659],{"id":13658},"fewer-incidents-from-fewer-manual-errors","Fewer Incidents from Fewer Manual Errors",[56,13661,13662,13663,415],{},"A major, often underestimated cost driver: incidents caused by human error. Miscopied configurations, forgotten rollbacks, overlooked dependencies during updates. These mistakes don't happen because of incompetence — they happen because ",[60,13664,13665],{"href":7300},"manual processes are inherently error-prone",[56,13667,13668,13671],{},[109,13669,13670],{},"Automated deployments"," via GitOps pipelines eliminate this source of failure. When a configuration change can only reach production through a versioned pull request, there's no \"manual step\" that can be forgotten or executed incorrectly. 
The change is traceable, testable, and instantly revertable if something goes wrong.",[56,13673,13674],{},"The cost of a single serious incident — downtime, customer communication, follow-up work — often exceeds months of investment in automation.",[187,13676,13678,13679,5903],{"id":13677},"more-efficient-resource-usage-finops","More Efficient Resource Usage (",[60,13680,13683],{"href":13681,"rel":13682},"https:\u002F\u002Fwww.finops.org\u002Fintroduction\u002Fwhat-is-finops\u002F",[64],"FinOps",[56,13685,13686,13687,415],{},"Cutting IT costs through automation also means: no more blanket over-provisioning of cloud resources. Without automation, teams size infrastructure for worst-case scenarios because nobody manually scales at 3 AM. The result: instances running at under 20% load 80% of the time — a problem we quantify in our ",[60,13688,13689],{"href":5335},"cloud TCO analysis",[56,13691,13692],{},"Automatic scaling changes this fundamentally. Kubernetes' Horizontal Pod Autoscaler (HPA) scales workloads up and down based on actual load. The Vertical Pod Autoscaler (VPA) automatically adjusts resource requests to match real consumption. For non-production environments, automatic shutdown schedulers can shut down clusters at night or on weekends.",[56,13694,13695],{},"These aren't theoretical savings. Teams regularly report 20–40% reduced cloud costs from consistent autoscaling and automated resource rightsizing alone.",[187,13697,9575],{"id":9574},[56,13699,13700],{},"A less directly visible but very real cost factor: slow deployment cycles. When a feature release needs two weeks of lead time because of manual coordination, approvals, and deployment steps, that costs money. Developers wait, customers wait, feedback loops stretch out.",[56,13702,13703],{},"Automated CI\u002FCD pipelines compress this process. Code goes into the branch, tests run automatically, on success it's deployed to staging, release happens with a click or fully automatically. 
What used to take days now takes hours.",[71,13705,13707],{"id":13706},"kubernetes-as-an-automation-platform","Kubernetes as an Automation Platform",[56,13709,13710,13712],{},[60,13711,1543],{"href":1542}," didn't become the standard for container infrastructure by accident. It comes with a complete automation layer designed for exactly the problems described above.",[56,13714,13715],{},"Operators automate complex stateful workloads: databases, message queues, monitoring stacks that previously required manual knowledge and regular intervention. Admission controllers and tools like OPA\u002FGatekeeper automatically enforce policies without someone having to review every deployment request. Self-healing through readiness and liveness probes ensures faulty pods are automatically restarted before a user even notices an error.",[56,13717,9305,13718,13720],{},[109,13719,299],{}," build on these Kubernetes primitives and make them team-ready — without every team having to build the mechanisms themselves.",[71,13722,13724],{"id":13723},"developer-self-service-relieving-ops-teams","Developer Self-Service: Relieving Ops Teams",[56,13726,13727],{},"An underestimated cost factor: the ticket overhead between development and operations. Every time a developer needs a new environment, wants to change a DNS entry, or needs a new database, a ticket lands with the ops team. The ops team prioritizes, processes, communicates back. Hours or days are lost.",[56,13729,13730,13733],{},[60,13731,13732],{"href":10914},"Developer self-service platforms"," solve this problem structurally. Developers get the ability to request and manage standard resources themselves — within defined boundaries that the ops team has set up in advance. 
The ops team works once on the guardrails instead of a hundred times on individual tickets.",[56,13735,13736],{},"The result: developers move faster, ops teams can focus on more complex tasks, and the entire system scales without additional headcount.",[71,13738,13740],{"id":13739},"measuring-automation-calculating-roi-concretely","Measuring Automation: Calculating ROI Concretely",[56,13742,13743],{},"Many teams shy away from investing in automation because the ROI seems hard to grasp. But the math is usually straightforward.",[56,13745,13746],{},"A practical framework:",[3976,13748,13749,13755,13761,13767],{},[106,13750,13751,13754],{},[109,13752,13753],{},"Time tracking:"," How many hours per week does the team spend on a specific manual task?",[106,13756,13757,13760],{},[109,13758,13759],{},"Cost rate:"," What's the average hourly rate (internal or with overhead)?",[106,13762,13763,13766],{},[109,13764,13765],{},"Implementation effort:"," How long does automating this task take as a one-time investment?",[106,13768,13769,13772],{},[109,13770,13771],{},"Break-even:"," When does the investment pay for itself?",[56,13774,13775],{},"Example: A team spends 4 hours per week on manual deployment steps. At an internal cost rate of €80\u002Fh, that's €320 per week or nearly €17,000 per year. An automation effort costing two weeks of development time pays for itself in less than a month.",[56,13777,13778],{},"Add to that the harder-to-measure but very real factors: reduced incident costs, better developer satisfaction, lower error rates.",[71,13780,13782],{"id":13781},"where-to-start-practical-priorities","Where to Start: Practical Priorities",[56,13784,13785],{},"Not everything can be automated at once — and it doesn't need to be. The sensible order:",[56,13787,13788,13794],{},[109,13789,13790,13791,1605],{},"1. ",[60,13792,13793],{"href":7292},"Deployment processes"," The biggest lever for most teams. 
CI\u002FCD pipelines can be introduced incrementally and pay off immediately.",[56,13796,13797,13800],{},[109,13798,13799],{},"2. Infrastructure provisioning:"," Terraform or Pulumi for reproducible infrastructure. No more manual clicks in the cloud console.",[56,13802,13803,13806],{},[109,13804,13805],{},"3. Scaling:"," Set up HPA and VPA in Kubernetes. Clear FinOps effect, low initial effort.",[56,13808,13809,13812],{},[109,13810,13811],{},"4. Monitoring and alerting:"," Automated alerts based on defined SLOs instead of manual dashboard monitoring.",[56,13814,13815,13818,13819,13822],{},[109,13816,13817],{},"5. Self-service:"," Developer portals and ",[60,13820,13821],{"href":486},"automated onboarding"," once the fundamentals are stable.",[56,13824,13825],{},"The most important principle: automation isn't a project with a beginning and an end. It's a continuous practice. Teams that regularly identify and automate a manual task build a significant advantage over months — in costs, reliability, and speed.",[479,13827],{},[56,13829,13830,13831,13833],{},"If you're looking for a platform that brings these automation mechanisms out-of-the-box — from Kubernetes-native autoscaling to GitOps deployments to developer self-service — ",[109,13832,299],{}," is built for that. 
The platform handles the infrastructure layer so your team can focus on what actually creates value.",{"title":490,"searchDepth":491,"depth":491,"links":13835},[13836,13837,13844,13845,13846,13847],{"id":13627,"depth":491,"text":13628},{"id":13644,"depth":491,"text":13645,"children":13838},[13839,13840,13841,13843],{"id":13648,"depth":499,"text":13649},{"id":13658,"depth":499,"text":13659},{"id":13677,"depth":499,"text":13842},"More Efficient Resource Usage (FinOps)",{"id":9574,"depth":499,"text":9575},{"id":13706,"depth":491,"text":13707},{"id":13723,"depth":491,"text":13724},{"id":13739,"depth":491,"text":13740},{"id":13781,"depth":491,"text":13782},"2026-03-17","Manual IT processes cost more than they should. Learn how automation from CI\u002FCD to Kubernetes cuts operational costs and frees your team for real work.",{"src":13851},"\u002Fimages\u002Fblog\u002Freduce-it-costs-automation.jpg",{},{"title":13616,"description":13849},"en\u002F3.blog\u002F24.reduce-it-costs-automation","jPKmnCkB00lOUBkwgYi-JoUwkQLY0UovZ2NmzOK1SeQ",{"id":13857,"title":13858,"authors":13859,"badge":10,"body":13862,"date":13848,"description":14280,"extension":510,"image":14281,"lastUpdated":1520,"meta":14283,"navigation":14,"path":14284,"published":14,"seo":14285,"stem":14286,"tags":10,"__hash__":14287},"posts\u002Fen\u002F3.blog\u002F26.self-hosted-eu-alternatives.md","Self-Hosted EU Alternatives: Host LibreOffice & More",[13860],{"name":43,"to":44,"avatar":13861},{"src":46},{"type":48,"value":13863,"toc":14267},[13864,13868,13871,13875,13883,13892,13899,13902,13906,13909,13913,13922,13930,13938,13941,13945,13953,13956,13973,13980,13984,13987,14033,14036,14040,14043,14046,14068,14071,14075,14078,14081,14112,14115,14118,14122,14220,14224,14227,14233,14239,14248,14251,14255,14258,14261],[51,13865,13867],{"id":13866},"self-hosted-eu-alternatives-how-to-easily-host-libreoffice-co-with-lowcloud","Self-Hosted EU Alternatives: How to Easily Host LibreOffice & Co. 
with lowcloud",[56,13869,13870],{},"If you want to break free from Microsoft 365 or Google Workspace, you're in a good position today. The open-source productivity stack has matured. The real challenge is no longer the software itself — it's the operations. This article covers which EU-compliant self-hosted alternatives exist and how to run them productively without infrastructure overhead.",[71,13872,13874],{"id":13873},"why-self-hosted-eu-alternatives-make-sense-again","Why Self-Hosted EU Alternatives Make Sense Again",[56,13876,13877,13878,13882],{},"After the ",[60,13879,12648],{"href":13880,"rel":13881},"https:\u002F\u002Fwww.bfdi.bund.de\u002FDE\u002FFachthemen\u002FInhalte\u002FEuropa-Internationales\u002FAuswirkungen-Schrems-II-Urteil.html",[64]," by the CJEU in 2020, there was a brief moment of panic — then most companies just carried on as before. That was understandable, because alternatives were still clunkier back then. That has changed.",[56,13884,13885,13886,13891],{},"US cloud services fall under the ",[109,13887,13888],{},[60,13889,13890],{"href":6023},"Cloud Act",", which fundamentally grants US authorities access to stored data — even when servers are located in Europe. This is no longer a theoretical risk but a concrete compliance problem for companies handling personal data or sensitive business information.",[56,13893,13894,13895,13898],{},"On top of that, the political uncertainty around transatlantic data agreements persists. Investing in ",[60,13896,13897],{"href":325},"sovereign IT infrastructure"," now is a strategic decision, not a reactive one.",[56,13900,13901],{},"Self-hosting doesn't necessarily mean running your own server room. It means retaining control over your data and software. 
What infrastructure it runs on is a separate question.",[71,13903,13905],{"id":13904},"key-self-hosted-eu-alternatives-at-a-glance","Key Self-Hosted EU Alternatives at a Glance",[56,13907,13908],{},"The market for open-source productivity software has matured significantly in recent years. For most use cases, there are robust alternatives ready for production use.",[187,13910,13912],{"id":13911},"libreoffice-the-classic-reimagined","LibreOffice — The Classic, Reimagined",[56,13914,13915,13916,13921],{},"Most people know ",[60,13917,13920],{"href":13918,"rel":13919},"https:\u002F\u002Fwww.libreoffice.org\u002F",[64],"LibreOffice"," as a desktop application. What many don't realize: there are server-based variants that enable collaborative work directly in the browser.",[56,13923,13924,13929],{},[60,13925,13928],{"href":13926,"rel":13927},"https:\u002F\u002Fwww.collaboraonline.com\u002F",[64],"Collabora Online"," is the commercially supported, enterprise-grade version of LibreOffice as a web editor. It integrates directly with Nextcloud and offers real-time collaboration on documents, spreadsheets, and presentations — functionally comparable to Google Docs, but on your own infrastructure.",[56,13931,13932,13937],{},[60,13933,13936],{"href":13934,"rel":13935},"https:\u002F\u002Fwww.onlyoffice.com\u002F",[64],"ONLYOFFICE"," is another server-based office solution with a similar feature set. ONLYOFFICE sometimes offers better compatibility with Microsoft Office formats, which can matter for mixed teams.",[56,13939,13940],{},"Both solutions run as container applications and integrate well with existing platforms.",[187,13942,13944],{"id":13943},"nextcloud-more-than-just-file-storage","Nextcloud — More Than Just File Storage",[56,13946,13947,13952],{},[60,13948,13951],{"href":13949,"rel":13950},"https:\u002F\u002Fnextcloud.com\u002F",[64],"Nextcloud"," is the backbone of many self-hosted setups. 
The platform started as a Dropbox alternative but has evolved into a full collaboration platform.",[56,13954,13955],{},"Key features for enterprise use:",[103,13957,13958,13961,13964,13967,13970],{},[106,13959,13960],{},"File sync and sharing with access controls",[106,13962,13963],{},"Integration with Collabora Online or ONLYOFFICE for browser-based document editing",[106,13965,13966],{},"Calendar, contacts, and tasks (CalDAV\u002FCardDAV compatible)",[106,13968,13969],{},"Video calls via Nextcloud Talk",[106,13971,13972],{},"User management with LDAP\u002FAD integration",[56,13974,13975,13976,13979],{},"Nextcloud runs as a PHP application, requires a database (MySQL\u002FPostgreSQL), and needs object storage for production environments — self-hosted options like SeaweedFS or Garage work well here (see the ",[60,13977,13978],{"href":1525},"comparison of MinIO alternatives","). Running it on Kubernetes is possible but requires configuration effort, especially around persistent storage and session handling.",[187,13981,13983],{"id":13982},"more-tools-jitsi-mailcow-gitea","More Tools: Jitsi, Mailcow, Gitea",[56,13985,13986],{},"A complete self-hosted stack goes beyond office tools:",[103,13988,13989,13999,14016],{},[106,13990,13991,13998],{},[60,13992,13995],{"href":13993,"rel":13994},"https:\u002F\u002Fjitsi.org\u002F",[64],[109,13996,13997],{},"Jitsi Meet"," for video conferencing — open source, no account required, GDPR-compliant when self-hosted",[106,14000,14001,2283,14008,14015],{},[60,14002,14005],{"href":14003,"rel":14004},"https:\u002F\u002Fmailcow.email\u002F",[64],[109,14006,14007],{},"Mailcow",[60,14009,14012],{"href":14010,"rel":14011},"https:\u002F\u002Fstalw.art\u002F",[64],[109,14013,14014],{},"Stalwart"," as a full email server solution with web 
interface",[106,14017,14018,2283,14025,14032],{},[60,14019,14022],{"href":14020,"rel":14021},"https:\u002F\u002Fabout.gitea.com\u002F",[64],[109,14023,14024],{},"Gitea",[60,14026,14029],{"href":14027,"rel":14028},"https:\u002F\u002Fforgejo.org\u002F",[64],[109,14030,14031],{},"Forgejo"," as self-hosted alternatives to GitHub. Ideal for teams that don't want their code on US services",[56,14034,14035],{},"Each of these solutions runs containerized and can be deployed in modern Kubernetes environments.",[71,14037,14039],{"id":14038},"the-real-problem-with-self-hosting","The Real Problem with Self-Hosting",[56,14041,14042],{},"The software isn't the problem. Operations is.",[56,14044,14045],{},"Running Nextcloud or Collabora yourself requires:",[103,14047,14048,14053,14056,14059,14062,14065],{},[106,14049,7445,14050,14052],{},[60,14051,1543],{"href":1542}," or Docker environment with sufficient resources",[106,14054,14055],{},"Persistent storage that survives restarts",[106,14057,14058],{},"TLS certificates with automatic renewal",[106,14060,14061],{},"Regular backups that actually work",[106,14063,14064],{},"Update processes that don't cause downtime",[106,14066,14067],{},"Monitoring and alerting",[56,14069,14070],{},"This is manageable if someone on the team knows these topics and has time. In many small and medium-sized businesses, neither is consistently guaranteed. And that's exactly where the dilemma arises: self-hosting sounds like control but quickly becomes a maintenance burden.",[71,14072,14074],{"id":14073},"running-self-hosted-eu-alternatives-with-lowcloud","Running Self-Hosted EU Alternatives with lowcloud",[56,14076,14077],{},"lowcloud is a Kubernetes DaaS platform that runs on EU infrastructure and simplifies the operation of open-source applications. 
Instead of setting up and maintaining your own Kubernetes environment, you use a managed platform that handles the infrastructure layer.",[56,14079,14080],{},"For the self-hosted scenario, this means:",[103,14082,14083,14088,14094,14100,14106],{},[106,14084,14085,14087],{},[109,14086,2755],{}," of Nextcloud, Collabora Online, or ONLYOFFICE via standardized Helm charts or container images",[106,14089,14090,14093],{},[109,14091,14092],{},"Persistent storage"," through the platform, without needing to configure your own storage classes",[106,14095,14096,14099],{},[109,14097,14098],{},"TLS and ingress"," provided by the platform",[106,14101,14102,14105],{},[109,14103,14104],{},"Backups"," included as part of the platform",[106,14107,14108,14111],{},[109,14109,14110],{},"EU data center"," — data never leaves Europe",[56,14113,14114],{},"The difference from a VPS where you configure everything yourself: you get a platform layer that abstracts Kubernetes complexity while preserving full container flexibility.",[56,14116,14117],{},"For teams that want to run open-source applications in production without building in-house Kubernetes expertise, this is a pragmatic path.",[71,14119,14121],{"id":14120},"self-hosting-on-your-own-infrastructure-vs-lowcloud-vs-us-saas","Self-Hosting on Your Own Infrastructure vs. lowcloud vs. 
US SaaS",[1305,14123,14124,14146],{},[1308,14125,14126],{},[1311,14127,14128,14132,14137,14141],{},[1314,14129,14130],{},[109,14131,1318],{},[1314,14133,14134],{},[109,14135,14136],{},"Own Infrastructure",[1314,14138,14139],{},[109,14140,299],{},[1314,14142,14143],{},[109,14144,14145],{},"US SaaS",[1335,14147,14148,14160,14170,14183,14194,14208],{},[1311,14149,14150,14152,14154,14157],{},[1340,14151,5060],{},[1340,14153,4380],{},[1340,14155,14156],{},"Full (EU)",[1340,14158,14159],{},"Limited (Cloud Act)",[1311,14161,14162,14164,14166,14168],{},[1340,14163,1423],{},[1340,14165,1442],{},[1340,14167,1426],{},[1340,14169,6124],{},[1311,14171,14172,14175,14178,14180],{},[1340,14173,14174],{},"GDPR compliance",[1340,14176,14177],{},"Achievable",[1340,14179,14177],{},[1340,14181,14182],{},"Difficult",[1311,14184,14185,14187,14190,14192],{},[1340,14186,9973],{},[1340,14188,14189],{},"Maximum",[1340,14191,1442],{},[1340,14193,1426],{},[1311,14195,14196,14199,14202,14205],{},[1340,14197,14198],{},"Cost",[1340,14200,14201],{},"Variable \u002F high",[1340,14203,14204],{},"Predictable",[1340,14206,14207],{},"Per user, scales steeply",[1311,14209,14210,14213,14215,14217],{},[1340,14211,14212],{},"Onboarding effort",[1340,14214,1442],{},[1340,14216,1426],{},[1340,14218,14219],{},"Very low",[71,14221,14223],{"id":14222},"compliance-benefits-what-changes-legally","Compliance Benefits: What Changes Legally",[56,14225,14226],{},"Running open-source tools on EU infrastructure gives you clear advantages over US SaaS providers:",[56,14228,14229,14232],{},[109,14230,14231],{},"No third-country transfer."," Data stored on servers in Germany or the EU, operated by an EU company, is not subject to third-country data transfers under GDPR. 
Standard contractual clauses or adequacy decisions — which can be invalidated at any time — are not a concern.",[56,14234,14235,14238],{},[109,14236,14237],{},"Clear data processing agreements."," With an EU platform provider, a data processing agreement under Art. 28 GDPR can be concluded straightforwardly, without legal uncertainties.",[56,14240,14241,14244,14245,14247],{},[109,14242,14243],{},"No Cloud Act risk."," US authorities cannot compel the handover of data on EU infrastructure from EU providers — at least not through the US Cloud Act. The EU's ",[60,14246,8918],{"href":8917}," now provides a formal standard for verifying these protections.",[56,14249,14250],{},"This doesn't mean that self-hosting is automatically GDPR-compliant. Technical and organizational measures (TOMs) still need to be implemented and documented. But the structural compliance risks that come with US services are eliminated.",[71,14252,14254],{"id":14253},"lowcloud-as-the-foundation-for-your-eu-stack","lowcloud as the Foundation for Your EU Stack",[56,14256,14257],{},"Self-hosting with open-source software is no longer a workaround. LibreOffice-based web editors, Nextcloud, and the surrounding tools are production-ready. 
The question is no longer whether, but how to run them.",[56,14259,14260],{},"If you don't want to maintain infrastructure yourself but also don't want to move to a US hyperscaler, lowcloud offers a third path: a Kubernetes DaaS platform on EU infrastructure that simplifies running open-source applications without giving up control over your data and software.",[56,14262,14263,14264,415],{},"If you're planning to get started or want to put an existing self-hosted environment on a more stable foundation, take a look at ",[60,14265,299],{"href":5869,"rel":14266},[64],{"title":490,"searchDepth":491,"depth":491,"links":14268},[14269,14270,14275,14276,14277,14278,14279],{"id":13873,"depth":491,"text":13874},{"id":13904,"depth":491,"text":13905,"children":14271},[14272,14273,14274],{"id":13911,"depth":499,"text":13912},{"id":13943,"depth":499,"text":13944},{"id":13982,"depth":499,"text":13983},{"id":14038,"depth":491,"text":14039},{"id":14073,"depth":491,"text":14074},{"id":14120,"depth":491,"text":14121},{"id":14222,"depth":491,"text":14223},{"id":14253,"depth":491,"text":14254},"Run Nextcloud, Collabora, and other open-source tools on EU infrastructure without the ops overhead. 
A practical guide to sovereign self-hosting.",{"src":14282},"\u002Fimages\u002Fblog\u002Fself-hosted-eu-alternatives.jpg",{},"\u002Fen\u002Fblog\u002Fself-hosted-eu-alternatives",{"title":13858,"description":14280},"en\u002F3.blog\u002F26.self-hosted-eu-alternatives","Rs8LnWqhMBOcv6iQ4iDv1aGK3sk5FSSXF2K_gjo-Lyc",{"id":14289,"title":14290,"authors":14291,"badge":10,"body":14294,"date":14932,"description":14933,"extension":510,"image":14934,"lastUpdated":3942,"meta":14936,"navigation":14,"path":3634,"published":14,"seo":14937,"stem":14938,"tags":10,"__hash__":14939},"posts\u002Fen\u002F3.blog\u002F21.postgresql-helm-chart-kubernetes.md","PostgreSQL Helm Chart: How to Deploy Postgres on Kubernetes",[14292],{"name":13,"to":523,"avatar":14293},{"src":8},{"type":48,"value":14295,"toc":14916},[14296,14302,14306,14319,14322,14326,14330,14333,14352,14356,14359,14449,14459,14463,14466,14472,14535,14538,14591,14594,14625,14628,14632,14635,14645,14648,14651,14655,14659,14662,14669,14689,14693,14696,14760,14763,14767,14770,14773,14791,14842,14849,14869,14876,14880,14883,14896,14899,14901,14904,14907,14913],[56,14297,14298,14299,14301],{},"Running PostgreSQL on ",[60,14300,1543],{"href":1542}," has become standard practice for many teams. Helm has established itself as the go-to tool for making these deployments reproducible. What's often underestimated: stateful workloads like databases are far less forgiving of configuration mistakes than stateless services — and those who have blindly relied on Bitnami charts have faced an unexpected decision since 2025.",[71,14303,14305],{"id":14304},"what-helm-actually-does-here","What Helm actually does here",[56,14307,14308,14311,14312,14315,14316,14318],{},[60,14309,14310],{"href":2021},"Helm is a package manager for Kubernetes",". A ",[109,14313,14314],{},"Helm Chart"," bundles all the Kubernetes manifests you need for a deployment. 
That includes Deployments, Services, ConfigMaps, Secrets, and PersistentVolumeClaims — all wrapped into a versioned, configurable package. Instead of manually maintaining dozens of YAML files, you define your deviations from the defaults in a ",[554,14317,2986],{}," and let the chart handle the rest.",[56,14320,14321],{},"For PostgreSQL, this means the chart takes care of StatefulSets, Headless Services for peer communication, Persistent Volume integration, and optional replication configurations. You don't need to reinvent the wheel — but you should understand what's happening under the hood.",[71,14323,14325],{"id":14324},"postgresql-helm-chart-deployment-the-direct-path","PostgreSQL Helm Chart deployment — the direct path",[187,14327,14329],{"id":14328},"prerequisites","Prerequisites",[56,14331,14332],{},"Before you deploy, make sure you have the following in place:",[103,14334,14335,14338,14343,14349],{},[106,14336,14337],{},"Helm 3.x installed",[106,14339,14340,14342],{},[554,14341,1570],{}," access to your cluster",[106,14344,7445,14345,14348],{},[109,14346,14347],{},"StorageClass"," configured that can dynamically provision Persistent Volumes",[106,14350,14351],{},"A Kubernetes version compatible with the chosen chart",[187,14353,14355],{"id":14354},"installing-the-chart","Installing the chart",[56,14357,14358],{},"Using a community-compatible chart (more on choosing one in the next section), the basic command looks like this:",[598,14360,14362],{"className":600,"code":14361,"language":602,"meta":490,"style":490},"helm repo add \u003Crepo-name> \u003Crepo-url>\nhelm repo update\n\nhelm install my-postgres \u003Crepo-name>\u002Fpostgresql \\\n  --namespace databases \\\n  --create-namespace \\\n  -f 
values.yaml\n",[554,14363,14364,14393,14401,14405,14427,14436,14442],{"__ignoreMap":490},[606,14365,14366,14368,14370,14372,14374,14377,14380,14383,14385,14388,14391],{"class":608,"line":609},[606,14367,3459],{"class":618},[606,14369,3651],{"class":622},[606,14371,3654],{"class":622},[606,14373,1241],{"class":629},[606,14375,14376],{"class":622},"repo-nam",[606,14378,14379],{"class":668},"e",[606,14381,14382],{"class":629},">",[606,14384,1241],{"class":629},[606,14386,14387],{"class":622},"repo-ur",[606,14389,14390],{"class":668},"l",[606,14392,1250],{"class":629},[606,14394,14395,14397,14399],{"class":608,"line":491},[606,14396,3459],{"class":618},[606,14398,3651],{"class":622},[606,14400,3669],{"class":622},[606,14402,14403],{"class":608,"line":499},[606,14404,647],{"emptyLinePlaceholder":14},[606,14406,14407,14409,14411,14414,14416,14418,14420,14422,14425],{"class":608,"line":650},[606,14408,3459],{"class":618},[606,14410,1987],{"class":622},[606,14412,14413],{"class":622}," my-postgres",[606,14415,1241],{"class":629},[606,14417,14376],{"class":622},[606,14419,14379],{"class":668},[606,14421,14382],{"class":629},[606,14423,14424],{"class":622},"\u002Fpostgresql",[606,14426,669],{"class":668},[606,14428,14429,14431,14434],{"class":608,"line":672},[606,14430,3865],{"class":622},[606,14432,14433],{"class":622}," databases",[606,14435,669],{"class":668},[606,14437,14438,14440],{"class":608,"line":688},[606,14439,3875],{"class":622},[606,14441,669],{"class":668},[606,14443,14444,14446],{"class":608,"line":699},[606,14445,3892],{"class":622},[606,14447,14448],{"class":622}," values.yaml\n",[56,14450,14451,14452,14455,14456,14458],{},"Rather than passing every parameter as ",[554,14453,14454],{},"--set"," flags, use a proper ",[554,14457,2986],{},". 
This keeps the deployment traceable, version-controlled, and reproducible.",[187,14460,14462],{"id":14461},"key-configuration-parameters","Key configuration parameters",[56,14464,14465],{},"Three areas are most critical in practice:",[56,14467,14468,14469,14471],{},"Passwords don't belong directly in your ",[554,14470,2986],{},". Instead, create Kubernetes Secrets upfront and reference them in the chart:",[598,14473,14475],{"className":1592,"code":14474,"language":1594,"meta":490,"style":490},"auth:\n  existingSecret: 'my-postgres-secret'\n  secretKeys:\n    adminPasswordKey: 'postgres-password'\n    userPasswordKey: 'user-password'\n",[554,14476,14477,14484,14500,14507,14521],{"__ignoreMap":490},[606,14478,14479,14482],{"class":608,"line":609},[606,14480,14481],{"class":1601},"auth",[606,14483,1630],{"class":629},[606,14485,14486,14489,14491,14494,14497],{"class":608,"line":491},[606,14487,14488],{"class":1601},"  existingSecret",[606,14490,1605],{"class":629},[606,14492,14493],{"class":629}," '",[606,14495,14496],{"class":622},"my-postgres-secret",[606,14498,14499],{"class":629},"'\n",[606,14501,14502,14505],{"class":608,"line":499},[606,14503,14504],{"class":1601},"  secretKeys",[606,14506,1630],{"class":629},[606,14508,14509,14512,14514,14516,14519],{"class":608,"line":650},[606,14510,14511],{"class":1601},"    adminPasswordKey",[606,14513,1605],{"class":629},[606,14515,14493],{"class":629},[606,14517,14518],{"class":622},"postgres-password",[606,14520,14499],{"class":629},[606,14522,14523,14526,14528,14530,14533],{"class":608,"line":672},[606,14524,14525],{"class":1601},"    userPasswordKey",[606,14527,1605],{"class":629},[606,14529,14493],{"class":629},[606,14531,14532],{"class":622},"user-password",[606,14534,14499],{"class":629},[56,14536,14537],{},"The default persistence configuration works for testing but isn't suitable for production. 
Define size and StorageClass explicitly:",[598,14539,14541],{"className":1592,"code":14540,"language":1594,"meta":490,"style":490},"primary:\n  persistence:\n    enabled: true\n    size: 50Gi\n    storageClass: 'fast-ssd'\n",[554,14542,14543,14550,14557,14567,14577],{"__ignoreMap":490},[606,14544,14545,14548],{"class":608,"line":609},[606,14546,14547],{"class":1601},"primary",[606,14549,1630],{"class":629},[606,14551,14552,14555],{"class":608,"line":491},[606,14553,14554],{"class":1601},"  persistence",[606,14556,1630],{"class":629},[606,14558,14559,14562,14564],{"class":608,"line":499},[606,14560,14561],{"class":1601},"    enabled",[606,14563,1605],{"class":629},[606,14565,14566],{"class":1908}," true\n",[606,14568,14569,14572,14574],{"class":608,"line":650},[606,14570,14571],{"class":1601},"    size",[606,14573,1605],{"class":629},[606,14575,14576],{"class":622}," 50Gi\n",[606,14578,14579,14582,14584,14586,14589],{"class":608,"line":672},[606,14580,14581],{"class":1601},"    storageClass",[606,14583,1605],{"class":629},[606,14585,14493],{"class":629},[606,14587,14588],{"class":622},"fast-ssd",[606,14590,14499],{"class":629},[56,14592,14593],{},"If you need high availability, a read replica setup is worth considering:",[598,14595,14597],{"className":1592,"code":14596,"language":1594,"meta":490,"style":490},"architecture: replication\nreadReplicas:\n  replicaCount: 2\n",[554,14598,14599,14609,14616],{"__ignoreMap":490},[606,14600,14601,14604,14606],{"class":608,"line":609},[606,14602,14603],{"class":1601},"architecture",[606,14605,1605],{"class":629},[606,14607,14608],{"class":622}," replication\n",[606,14610,14611,14614],{"class":608,"line":491},[606,14612,14613],{"class":1601},"readReplicas",[606,14615,1630],{"class":629},[606,14617,14618,14621,14623],{"class":608,"line":499},[606,14619,14620],{"class":1601},"  replicaCount",[606,14622,1605],{"class":629},[606,14624,3004],{"class":1237},[56,14626,14627],{},"Without explicit replication configuration, you're 
deploying a single instance. That works — but it's not production-grade.",[71,14629,14631],{"id":14630},"the-bitnami-problem-and-what-it-means-for-your-setup","The Bitnami problem and what it means for your setup",[56,14633,14634],{},"For years, Bitnami delivered the de facto standard for Helm Charts. Their charts were easy to use, well-documented, and backed by a broad community. That has changed.",[56,14636,14637,14638,14640,14641,14644],{},"Since VMware acquired Bitnami, the repository model has been gradually restructured — a concrete example of ",[60,14639,4986],{"href":333},". As of August 2025, direct access to the public Bitnami repository is restricted for commercial users. If you're running ",[554,14642,14643],{},"helm repo update"," in your CI\u002FCD pipeline without adjustments, you risk deployment failures — not because of a cluster issue, but because the chart repository is no longer accessible as expected.",[56,14646,14647],{},"For existing setups, this means: check which of your Helm Charts come from Bitnami. 
Determine whether you're affected — and if so, when your currently cached chart was last successfully pulled.",[56,14649,14650],{},"No reason to panic, but it does require concrete action.",[71,14652,14654],{"id":14653},"alternatives-to-the-bitnami-postgresql-helm-chart","Alternatives to the Bitnami PostgreSQL Helm Chart",[187,14656,14658],{"id":14657},"open-source-alternatives-at-a-glance","Open-source alternatives at a glance",[56,14660,14661],{},"There are fully functional alternatives that are actively maintained:",[56,14663,14664,14665,415],{},"For a hands-on walkthrough of deploying PostgreSQL with the Cloudpirates Helm Chart on lowcloud, check out our ",[60,14666,14668],{"href":14667},"\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-postgresql","step-by-step guide",[103,14670,14671,14677,14683],{},[106,14672,14673,14676],{},[109,14674,14675],{},"Cloudpirates Open Source Helm Charts",": lowcloud provides its own open-source charts as a direct response to the Bitnami situation. The charts are designed with practical defaults and are actively maintained.",[106,14678,14679,14682],{},[109,14680,14681],{},"Zalando Postgres Operator",": An operator approach controlled via CRDs. 
More powerful than a simple chart, but also more complex to set up.",[106,14684,14685,14688],{},[109,14686,14687],{},"CloudNativePG Operator",": The CNCF-maintained Postgres operator with a strong focus on Kubernetes-native features like streaming replication, point-in-time recovery, and automatic failover.",[187,14690,14692],{"id":14691},"criteria-for-choosing-the-right-chart","Criteria for choosing the right chart",[56,14694,14695],{},"The choice depends on your requirements:",[1305,14697,14698,14710],{},[1308,14699,14700],{},[1311,14701,14702,14704,14707],{},[1314,14703,1318],{},[1314,14705,14706],{},"Simple Chart",[1314,14708,14709],{},"Operator Approach",[1335,14711,14712,14721,14729,14739,14750],{},[1311,14713,14714,14717,14719],{},[1340,14715,14716],{},"Barrier to entry",[1340,14718,1426],{},[1340,14720,1429],{},[1311,14722,14723,14725,14727],{},[1340,14724,9973],{},[1340,14726,1399],{},[1340,14728,1442],{},[1311,14730,14731,14734,14737],{},[1340,14732,14733],{},"Automatic failover",[1340,14735,14736],{},"Manually configured",[1340,14738,1404],{},[1311,14740,14741,14744,14747],{},[1340,14742,14743],{},"Replication management",[1340,14745,14746],{},"Static",[1340,14748,14749],{},"Dynamic",[1311,14751,14752,14754,14757],{},[1340,14753,2665],{},[1340,14755,14756],{},"Good for small setups",[1340,14758,14759],{},"Recommended for critical DBs",[56,14761,14762],{},"For teams running PostgreSQL in production with high-availability requirements, an operator is the more robust choice in the medium term. For smaller services or development environments, a well-configured chart is sufficient.",[71,14764,14766],{"id":14765},"dont-forget-persistence-backups-and-monitoring","Don't forget persistence, backups, and monitoring",[56,14768,14769],{},"Once the deployment is running, the real operational work begins.",[56,14771,14772],{},"Make sure your PersistentVolumeClaim is bound to a StorageClass that actually delivers fast I\u002FO. 
Slow disks are a common PostgreSQL performance killer that only shows up under load.",[56,14774,14775,14776,14779,14780,14783,14784,1829,14787,14790],{},"For backups, ",[554,14777,14778],{},"pg_dump"," remains a valid solution for smaller databases. In Kubernetes-native setups, consider ",[109,14781,14782],{},"Velero"," for snapshot-based backups of the Persistent Volume on ",[60,14785,14786],{"href":1467},"S3-compatible object storage",[109,14788,14789],{},"Barman"," for WAL archiving and point-in-time recovery.",[598,14792,14794],{"className":600,"code":14793,"language":602,"meta":490,"style":490},"# Simple pg_dump from a running pod\nkubectl exec -it my-postgres-0 -n databases -- \\\n  pg_dump -U postgres mydb > backup.sql\n",[554,14795,14796,14801,14823],{"__ignoreMap":490},[606,14797,14798],{"class":608,"line":609},[606,14799,14800],{"class":612},"# Simple pg_dump from a running pod\n",[606,14802,14803,14805,14807,14810,14813,14816,14818,14821],{"class":608,"line":491},[606,14804,1570],{"class":618},[606,14806,1187],{"class":622},[606,14808,14809],{"class":622}," -it",[606,14811,14812],{"class":622}," my-postgres-0",[606,14814,14815],{"class":622}," -n",[606,14817,14433],{"class":622},[606,14819,14820],{"class":622}," --",[606,14822,669],{"class":668},[606,14824,14825,14828,14831,14834,14837,14839],{"class":608,"line":499},[606,14826,14827],{"class":622},"  pg_dump",[606,14829,14830],{"class":622}," -U",[606,14832,14833],{"class":622}," postgres",[606,14835,14836],{"class":622}," mydb",[606,14838,1017],{"class":629},[606,14840,14841],{"class":622}," backup.sql\n",[56,14843,14844,14845,14848],{},"For monitoring, ",[109,14846,14847],{},"postgres_exporter"," is the standard way to export PostgreSQL metrics to Prometheus. 
Key metrics to watch:",[103,14850,14851,14857,14863],{},[106,14852,14853,14856],{},[554,14854,14855],{},"pg_stat_activity"," — active connections and running queries",[106,14858,14859,14862],{},[554,14860,14861],{},"pg_replication_lag"," — replication delay for read replicas",[106,14864,14865,14868],{},[554,14866,14867],{},"pg_database_size_bytes"," — database growth over time",[56,14870,14871,14872,14875],{},"A ready-made Grafana dashboard is available for import — search for Dashboard ID ",[554,14873,14874],{},"9628"," in the Grafana repository.",[71,14877,14879],{"id":14878},"when-a-managed-approach-is-the-better-choice","When a managed approach is the better choice",[56,14881,14882],{},"Running PostgreSQL on Kubernetes is solvable, but it takes time. Someone has to update the charts, monitor backups, test failover scenarios, and ensure storage classes still work correctly after cluster upgrades.",[56,14884,14885,14886,12498,14889,14891,14892,14895],{},"For teams that want to focus on their application rather than database infrastructure, a ",[60,14887,14888],{"href":486},"DevOps as a Service platform",[109,14890,299],{}," is a pragmatic alternative. PostgreSQL is provided as a managed service — built on the same ",[60,14893,14894],{"href":5076},"sovereign Kubernetes infrastructure",", but without the operational overhead. You don't need to maintain your own Helm Charts, set up manual backup configurations, or build a monitoring setup from scratch.",[56,14897,14898],{},"This isn't a replacement for every use case. If you need specific PostgreSQL configurations, custom extensions, or full control over every parameter, self-hosting is the better path. For everything else, it's worth asking: is this really a differentiating advantage for your team, or just necessary overhead?",[71,14900,2102],{"id":2101},[56,14902,14903],{},"Deploying PostgreSQL with Helm on Kubernetes works. The steps are manageable, the configuration options well-documented. 
What has changed: choosing the right chart is no longer a given. If you've been relying on Bitnami, you should review your CI\u002FCD pipeline and evaluate an alternative — whether that's a community chart, an operator, or a managed service depends on your own requirements.",[56,14905,14906],{},"The infrastructure decisions you make today directly impact maintainability twelve months from now.",[56,14908,14909,14910,415],{},"To deploy PostgreSQL on lowcloud in minutes, follow our ",[60,14911,14912],{"href":14667},"PostgreSQL guide in the documentation",[1499,14914,14915],{},"html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: 
var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sfNiH, html code.shiki .sfNiH{--shiki-light:#FF5370;--shiki-default:#FF9CAC;--shiki-dark:#FF9CAC}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}",{"title":490,"searchDepth":491,"depth":491,"links":14917},[14918,14919,14924,14925,14929,14930,14931],{"id":14304,"depth":491,"text":14305},{"id":14324,"depth":491,"text":14325,"children":14920},[14921,14922,14923],{"id":14328,"depth":499,"text":14329},{"id":14354,"depth":499,"text":14355},{"id":14461,"depth":499,"text":14462},{"id":14630,"depth":491,"text":14631},{"id":14653,"depth":491,"text":14654,"children":14926},[14927,14928],{"id":14657,"depth":499,"text":14658},{"id":14691,"depth":499,"text":14692},{"id":14765,"depth":491,"text":14766},{"id":14878,"depth":491,"text":14879},{"id":2101,"depth":491,"text":2102},"2026-03-16","Learn how to deploy PostgreSQL with Helm on Kubernetes, why Bitnami charts have become problematic, and what alternatives are 
available.",{"src":14935},"\u002Fimages\u002Fblog\u002Fpostgresql-helm-chart-kubernetes.jpg",{},{"title":14290,"description":14933},"en\u002F3.blog\u002F21.postgresql-helm-chart-kubernetes","ks0GplQqWS4R2ZkDrLtFdo1GAquLLqwBjrO_Yv_lLnY",{"id":14941,"title":14942,"authors":14943,"badge":10,"body":14946,"date":14932,"description":15224,"extension":510,"image":15225,"lastUpdated":9014,"meta":15227,"navigation":14,"path":13084,"published":14,"seo":15228,"stem":15229,"tags":10,"__hash__":15230},"posts\u002Fen\u002F3.blog\u002F25.nis2-compliance-devops.md","NIS2 Compliance for DevOps Teams: What You Need to Do",[14944],{"name":43,"to":44,"avatar":14945},{"src":46},{"type":48,"value":14947,"toc":15211},[14948,14951,14955,14972,14975,14978,14992,14995,14999,15002,15005,15009,15012,15018,15023,15029,15035,15041,15047,15051,15062,15065,15069,15072,15075,15107,15110,15114,15117,15120,15157,15161,15164,15170,15177,15181,15184,15187,15190,15193,15195,15198],[56,14949,14950],{},"NIS2 isn't some abstract regulation being cooked up in Brussels that might become relevant someday. It's binding law with concrete technical requirements, hard deadlines, and personal liability for executives. Organizations still running legacy infrastructure will find that retrofitting often costs more than migrating to a compliance-ready cloud environment — and those who miss the window will pay for it in more ways than one.",[71,14952,14954],{"id":14953},"what-is-nis2-and-who-is-affected","What Is NIS2 and Who Is Affected?",[56,14956,14957,14961,14962,14965,14966,14971],{},[60,14958,12775],{"href":14959,"rel":14960},"https:\u002F\u002Fwww.bsi.bund.de\u002FDE\u002FThemen\u002FRegulierte-Wirtschaft\u002FNIS-2-regulierte-Unternehmen\u002FNIS-2-Starterpaket\u002Fnis-2-start_node.html",[64]," stands for the second version of the EU Directive on Network and Information Security (",[2186,14963,14964],{},"Network and Information Security Directive","). 
It replaces the original NIS Directive from 2016 and significantly tightens cybersecurity requirements for businesses and public institutions. In Germany, it was transposed into national law through the NIS2 Implementation Act (",[60,14967,14970],{"href":14968,"rel":14969},"https:\u002F\u002Fwww.recht.bund.de\u002Fbgbl\u002F1\u002F2025\u002F301\u002FVO.html",[64],"NIS2UmsuCG",").",[56,14973,14974],{},"The most important change from NIS1: the scope of affected organizations has expanded dramatically. While the first version mainly targeted critical infrastructure operators, NIS2 now covers many mid-sized companies across a wide range of sectors — including digital infrastructure, IT service providers, hosting companies, healthcare, energy, transport, and financial services.",[56,14976,14977],{},"The directive distinguishes between two categories:",[103,14979,14980,14986],{},[106,14981,14982,14985],{},[109,14983,14984],{},"Essential entities",": Organizations in particularly critical sectors with more than 250 employees or more than €50M in annual revenue.",[106,14987,14988,14991],{},[109,14989,14990],{},"Important entities",": Organizations in other relevant sectors with more than 50 employees or more than €10M in annual revenue.",[56,14993,14994],{},"Essential entities face stricter oversight obligations and higher fines. But important entities are also subject to concrete security requirements that must be implemented both technically and organizationally.",[187,14996,14998],{"id":14997},"important-vs-essential-entities","Important vs. Essential Entities",[56,15000,15001],{},"The difference primarily lies in the intensity of supervision and potential sanctions. For essential entities, authorities can proactively audit without an incident being reported. 
For important entities, controls are primarily reactive — but the technical implementation requirements are comparable in both cases.",[56,15003,15004],{},"For DevOps teams, the categorization matters less than the question: what actually needs to be implemented technically?",[71,15006,15008],{"id":15007},"what-nis2-compliance-demands-from-devops-teams-technically","What NIS2 Compliance Demands from DevOps Teams Technically",[56,15010,15011],{},"The directive names specific categories of measures that must be implemented. For DevOps teams, this means in practice:",[56,15013,15014,15017],{},[109,15015,15016],{},"Patch management and vulnerability handling:"," Systems must be patched promptly. This sounds trivial but is a real problem in many environments — especially when production systems can't be updated automatically and patch cycles require manual coordination.",[56,15019,15020,15022],{},[109,15021,451],{}," NIS2 requires that security-relevant events are logged and monitorable. This means: centralized log management, traceable audit trails, and the ability to produce complete log data in case of an incident. Many existing environments lack a centralized SIEM or have insufficiently structured logs.",[56,15024,15025,15028],{},[109,15026,15027],{},"Incident response:"," There must be a defined process for handling security incidents, including reporting obligations. Significant incidents must be reported to the competent authority (in Germany, the BSI) within 24 hours, with a full report following within 72 hours.",[56,15030,15031,15034],{},[109,15032,15033],{},"Access controls and network segmentation:"," Principle of least privilege, separation of network segments, multi-factor authentication for privileged access. Organizations still working with shared admin passwords or flat networks have structural catching up to do.",[56,15036,15037,15040],{},[109,15038,15039],{},"Encryption and data protection:"," Data must be encrypted in transit and at rest. 
This sounds obvious but is frequently not consistently implemented in legacy infrastructures.",[56,15042,15043,15046],{},[109,15044,15045],{},"Business continuity:"," Backup concepts, disaster recovery plans, and their regular testing are mandatory. Not a paper concept that was never tested, but demonstrably functioning recovery processes.",[187,15048,15050],{"id":15049},"documentation-and-accountability-requirements","Documentation and Accountability Requirements",[56,15052,15053,15054,15057,15058,15061],{},"What many underestimate: NIS2 doesn't just require that these measures ",[2186,15055,15056],{},"exist"," — it requires that they're ",[2186,15059,15060],{},"demonstrable",". Authorities can request documentation, and in case of an incident, they'll verify whether the organization fulfilled its duty of care.",[56,15063,15064],{},"This means: configuration management, change logs, patch records, and access reports must not only exist but be retrievable and structured. In Kubernetes-based environments, this can be automated far more easily than in heterogeneous on-prem landscapes.",[71,15066,15068],{"id":15067},"the-problem-with-existing-data-centers","The Problem with Existing Data Centers",[56,15070,15071],{},"On-prem infrastructure isn't inherently NIS2-incompatible. 
But many existing data centers were built at a time when compliance requirements of this kind weren't a priority — and the architectural decisions from back then make retrofitting expensive today.",[56,15073,15074],{},"Specific weaknesses that DevOps teams regularly encounter in legacy environments:",[103,15076,15077,15083,15089,15095,15101],{},[106,15078,15079,15082],{},[109,15080,15081],{},"No centralized identity and access management."," User accounts are spread across different systems without unified policy enforcement.",[106,15084,15085,15088],{},[109,15086,15087],{},"Manual patch management."," Many systems can't be updated automatically because dependencies are unclear or changes could have production-critical impacts.",[106,15090,15091,15094],{},[109,15092,15093],{},"Incomplete or unstructured logs."," Logs exist but not centrally, not in a uniform format, and not with sufficient retention periods.",[106,15096,15097,15100],{},[109,15098,15099],{},"Flat networks."," Internal systems communicate without segmentation, making lateral movement by attackers easier.",[106,15102,15103,15106],{},[109,15104,15105],{},"No systematic vulnerability scanning."," Without continuous scanning, you don't know which CVEs are active in your environment.",[56,15108,15109],{},"Retrofitting these points is possible, but the effort is substantial. Every tool must be evaluated, integrated, operated, and documented. And unlike cloud platforms that already include many of these capabilities, the integration must be built manually.",[71,15111,15113],{"id":15112},"why-cloud-infrastructure-makes-nis2-compliance-easier","Why Cloud Infrastructure Makes NIS2 Compliance Easier",[56,15115,15116],{},"Modern cloud platforms — especially those built on Kubernetes — address many NIS2 requirements structurally. 
This doesn't mean a cloud migration automatically creates compliance, but the starting point is significantly better.",[56,15118,15119],{},"What Kubernetes platforms typically already provide:",[103,15121,15122,15128,15133,15139,15145,15151],{},[106,15123,15124,15127],{},[109,15125,15126],{},"RBAC (Role-Based Access Control)"," as a native concept, with the ability to manage permissions granularly and traceably.",[106,15129,15130,15132],{},[109,15131,12697],{}," for API calls and configuration changes — machine-readable, centralized, timestamped.",[106,15134,15135,15138],{},[109,15136,15137],{},"Automated patch management"," through rolling updates of node images and container base images, without manual coordination.",[106,15140,15141,15144],{},[109,15142,15143],{},"Network policies"," for segmentation at the pod level, enforcing the principle of minimal communication.",[106,15146,15147,15150],{},[109,15148,15149],{},"Secrets management"," with integration options for external vault systems.",[106,15152,15153,15156],{},[109,15154,15155],{},"Encryption"," in service-to-service communication via mTLS (e.g., through a service mesh).",[187,15158,15160],{"id":15159},"sovereignty-as-a-technical-requirement","Sovereignty as a Technical Requirement",[56,15162,15163],{},"One point that German companies in particular should keep in mind under NIS2: the question of where logs, data, and configurations are stored isn't just a GDPR question — it's also NIS2-relevant.",[56,15165,15166,15167,15169],{},"US hyperscalers are subject to the ",[60,15168,6823],{"href":6023},", which under certain circumstances grants US authorities access to data regardless of where that data is physically stored. 
For organizations processing NIS2-regulated data, this can represent a real legal risk.",[56,15171,15172,15173,15176],{},"European cloud infrastructure operated exclusively in Germany or the EU, combined with certifications like BSI C5 or ISO 27001, has a ",[60,15174,15175],{"href":8917},"structural sovereignty advantage"," here.",[71,15178,15180],{"id":15179},"nis2-compliance-for-devops-first-concrete-steps","NIS2 Compliance for DevOps: First Concrete Steps",[56,15182,15183],{},"If you're unsure whether and to what extent NIS2 applies to your organization, start with a structured applicability assessment. The BSI provides guidance for this. Many industry associations and law firms also offer compact checklists.",[56,15185,15186],{},"After the applicability assessment comes the gap analysis: which of the required measures are already implemented? Where is documentation missing? Where are there technical gaps?",[56,15188,15189],{},"This analysis produces a prioritized roadmap. It makes sense to start with the items that carry the highest risk and require the least implementation effort — for example, introducing MFA for privileged access or centralizing logs.",[56,15191,15192],{},"For teams already considering a migration to a cloud platform, NIS2 can be the trigger to plan that step concretely. A platform that structurally includes compliance requirements significantly reduces ongoing effort because less needs to be manually configured, maintained, and documented.",[479,15194],{},[56,15196,15197],{},"lowcloud operates a Kubernetes DaaS platform hosted in Germany, designed for GDPR-compliant, sovereign cloud infrastructure.",[56,15199,15200,15201,15203,15204,15207,15208,15210],{},"NIS2 isn't a topic that resolves itself by waiting — and it requires ",[60,15202,6828],{"href":6827},", not just technical fixes. For financial sector organizations, ",[60,15205,15206],{"href":13309},"DORA imposes additional requirements"," on top of NIS2. 
The ",[60,15209,13089],{"href":4149}," for anyone deploying AI workloads. The requirements are defined, deadlines are running, and the question isn't whether but how quickly and with what infrastructure implementation succeeds. Existing data centers can be retrofitted, but anyone making a platform decision now should treat compliance as an architectural requirement — not a retrofit project.",{"title":490,"searchDepth":491,"depth":491,"links":15212},[15213,15216,15219,15220,15223],{"id":14953,"depth":491,"text":14954,"children":15214},[15215],{"id":14997,"depth":499,"text":14998},{"id":15007,"depth":491,"text":15008,"children":15217},[15218],{"id":15049,"depth":499,"text":15050},{"id":15067,"depth":491,"text":15068},{"id":15112,"depth":491,"text":15113,"children":15221},[15222],{"id":15159,"depth":499,"text":15160},{"id":15179,"depth":491,"text":15180},"NIS2 sets concrete technical requirements for DevOps teams. Learn what the directive demands and why legacy data centers are under pressure.",{"src":15226},"\u002Fimages\u002Fblog\u002Fnis2-compliance-devops.jpg",{},{"title":14942,"description":15224},"en\u002F3.blog\u002F25.nis2-compliance-devops","ZR__zlT6TcXdOZ_Pl1i__iy7Ft0S6n6mQfLKVLitJtY",{"id":15232,"title":15233,"authors":15234,"badge":10,"body":15237,"date":15468,"description":15469,"extension":510,"image":15470,"lastUpdated":9014,"meta":15472,"navigation":14,"path":6023,"published":14,"seo":15473,"stem":15474,"tags":10,"__hash__":15475},"posts\u002Fen\u002F3.blog\u002F23.cloud-act-vs-gdpr.md","Cloud Act vs. 
GDPR: The Risk for EU Businesses",[15235],{"name":43,"to":44,"avatar":15236},{"src":46},{"type":48,"value":15238,"toc":15456},[15239,15254,15256,15260,15270,15273,15276,15278,15282,15285,15293,15297,15300,15303,15307,15310,15313,15315,15319,15322,15325,15328,15331,15345,15347,15351,15354,15357,15363,15369,15372,15374,15378,15381,15388,15391,15405,15407,15411,15418,15421,15438,15441,15443,15447,15453],[56,15240,15241,15242,557,15245,1829,15249,15253],{},"Any European company running applications on ",[60,15243,5914],{"href":5912,"rel":15244},[64],[60,15246,15248],{"href":5922,"rel":15247},[64],"Microsoft Azure",[60,15250,15252],{"href":5917,"rel":15251},[64],"Google Cloud"," today is operating under two legal systems — and they contradict each other. The US Cloud Act compels American providers to hand over data to US authorities. The GDPR prohibits exactly that. Ignoring this conflict means accepting real legal risk. This article explains why standard compliance measures aren't enough and which technical decisions actually make a difference.",[479,15255],{},[71,15257,15259],{"id":15258},"what-the-cloud-act-actually-requires","What the Cloud Act actually requires",[56,15261,15262,15263,15266,15267,415],{},"The Clarifying Lawful Overseas Use of Data Act, or Cloud Act, was passed in the United States in 2018. The law allows US authorities to request data stored by American companies, regardless of where that data physically resides. A server in Frankfurt, Amsterdam, or Dublin ",[60,15264,15265],{"href":325},"offers no protection"," against such access — because ",[60,15268,15269],{"href":5059},"data residency is not data sovereignty",[56,15271,15272],{},"This is not a theoretical threat. US law enforcement agencies like the FBI can use court orders to request data directly from providers like Microsoft or Amazon — without going through international mutual legal assistance treaties. 
The Cloud Act has accelerated and formalized this process.",[56,15274,15275],{},"US companies have little room to maneuver. They can challenge orders when there is a clear conflict with the law of the country where the data is stored, but that is a lengthy legal process, and the default outcome is compliance with the US authority's request.",[479,15277],{},[71,15279,15281],{"id":15280},"what-the-gdpr-says-about-this","What the GDPR says about this",[56,15283,15284],{},"The General Data Protection Regulation, in Articles 44 ff., governs the conditions under which personal data may be transferred to third countries. A third country must offer an adequate level of protection, or a valid mechanism must be in place to substitute for that level of protection.",[56,15286,15287,15288,15292],{},"For the United States, this was the Privacy Shield for years. Then came ",[60,15289,15291],{"href":13880,"rel":15290},[64],"Schrems"," II.",[187,15294,15296],{"id":15295},"schrems-ii-and-the-end-of-the-privacy-shield","Schrems II and the end of the Privacy Shield",[56,15298,15299],{},"In July 2020, the European Court of Justice invalidated the Privacy Shield. The reasoning was unambiguous: US surveillance laws, including Section 702 FISA and Executive Order 12333, enable mass surveillance against which EU citizens have no effective legal recourse. This eliminated the legal basis for data transfers to the United States.",[56,15301,15302],{},"Standard Contractual Clauses (SCCs) can still be used since then, but only if it is verified on a case-by-case basis that the recipient can actually comply with the agreed-upon safeguards. For US providers subject to the Cloud Act, that is precisely what is called into question.",[187,15304,15306],{"id":15305},"the-trans-atlantic-data-privacy-framework-better-but-not-bulletproof","The Trans-Atlantic Data Privacy Framework. 
Better, but not bulletproof",[56,15308,15309],{},"In 2023, the Trans-Atlantic Data Privacy Framework (TADPF) came into force — the new agreement between the EU and the United States. It brings improvements: an ombudsman mechanism is intended to give EU citizens legal recourse against US surveillance, and certain data access practices have been restricted.",[56,15311,15312],{},"Whether this is sufficient remains disputed among legal experts. Max Schrems and noyb have already announced plans to challenge the agreement. \"Schrems III\" is considered likely. Anyone building their infrastructure on the TADPF is building on a foundation that could crumble again.",[479,15314],{},[71,15316,15318],{"id":15317},"cloud-act-vs-gdpr-the-conflict-in-practice","Cloud Act vs. GDPR. The conflict in practice",[56,15320,15321],{},"The core problem can be reduced to a single sentence: A US cloud provider cannot defy the Cloud Act without breaking the law, and it cannot fully comply with the GDPR as long as the Cloud Act applies.",[56,15323,15324],{},"If a US authority makes a lawful request for data that an EU company has stored with AWS, AWS has no legally safe option. Handing over the data potentially violates the GDPR. Refusing violates US law. The provider is caught in the middle — and in practice, home-country law usually wins.",[56,15326,15327],{},"For the EU company, this means: data can flow to US authorities without the company being notified, without its involvement, and without a European court having been involved. That constitutes a GDPR violation — regardless of whether the provider has a data center in Germany.",[56,15329,15330],{},"The potential consequences are concrete:",[103,15332,15333,15336,15339,15342],{},[106,15334,15335],{},"Fines under Art. 
83 GDPR of up to 4% of annual global turnover",[106,15337,15338],{},"Orders to cease data processing issued by data protection authorities",[106,15340,15341],{},"Civil claims from affected individuals",[106,15343,15344],{},"Reputational damage, particularly in regulated industries such as healthcare, law, or financial services",[479,15346],{},[71,15348,15350],{"id":15349},"what-encryption-can-and-cannot-do","What encryption can and cannot do",[56,15352,15353],{},"Technically proficient teams often reach for client-side encryption as a solution. The idea: if data is stored encrypted with a US provider and the keys remain exclusively with the European company, the provider can only hand over unreadable ciphertext in response to authority requests.",[56,15355,15356],{},"That is not a bad approach, but it has limits.",[56,15358,15359,15362],{},[109,15360,15361],{},"What encryption protects",": File contents, database contents, messages — provided key management is properly implemented and the keys never leave the company's own systems.",[56,15364,15365,15368],{},[109,15366,15367],{},"What encryption does not protect",": Metadata. Who communicated with whom and when, which IP addresses were involved, what file sizes were transferred, which services were used. All of this can be of interest to authorities and often remains unencrypted. Access logs, usage statistics, configuration data — likewise frequently stored in plaintext.",[56,15370,15371],{},"Furthermore, encryption only shifts the problem technically. Legally, the assessment remains possible that using a provider subject to the Cloud Act itself constitutes a risk decision — regardless of whether the provider could deliver readable data in an actual case.",[479,15373],{},[71,15375,15377],{"id":15376},"why-european-cloud-providers-stand-on-different-legal-ground","Why European cloud providers stand on different legal ground",[56,15379,15380],{},"The Cloud Act applies to US persons and US companies. 
A European cloud provider with no US subsidiary and no US parent company is simply not subject to this law. This is not a marketing argument. It is a legal reality.",[56,15382,15383,15384,15387],{},"A company like lowcloud, which operates as a European provider exclusively on European infrastructure and has no structural ties to US legal entities, can legitimately say: we cannot receive Cloud Act requests because the law does not apply to us. For a practical look at which ",[60,15385,15386],{"href":14284},"self-hosted EU alternatives"," are production-ready today, see our guide.",[56,15389,15390],{},"This does not, of course, exclude the possibility that European authorities may request data under European law — but then the GDPR's protective mechanisms apply, there are legal recourse guarantees, and the process is transparent and contestable for the affected company.",[56,15392,15393,15394,15396,15397,15400,15401,15404],{},"For companies working in regulated sectors — healthcare, public administration, legal services, financial services — this distinction is not optional. It is a compliance requirement. The EU's new ",[60,15395,8918],{"href":8917}," now provides a formal, verifiable standard for these requirements, ",[60,15398,15399],{"href":13084},"NIS2 adds concrete technical obligations"," that DevOps teams must implement, and the ",[60,15402,15403],{"href":4149},"EU AI Act introduces deployer obligations"," for anyone running AI workloads.",[479,15406],{},[71,15408,15410],{"id":15409},"what-this-means-for-your-infrastructure-decisions","What this means for your infrastructure decisions",[56,15412,15413,15414,15417],{},"The legal situation cannot be resolved through contract design alone — and the structural risk is compounded by ",[60,15415,15416],{"href":333},"cloud vendor lock-in"," that makes switching providers difficult even when the legal case is clear. 
Of course, Data Processing Agreements (DPAs), Standard Contractual Clauses, and Transfer Impact Assessments are sensible and necessary. But they are not enough when the infrastructure itself is structurally vulnerable to Cloud Act access.",[56,15419,15420],{},"A few concrete questions that teams should ask when making infrastructure decisions:",[103,15422,15423,15426,15429,15432,15435],{},[106,15424,15425],{},"Is the provider or its parent company a US entity?",[106,15427,15428],{},"Does the provider have offices or employees in the United States?",[106,15430,15431],{},"Is the infrastructure located exclusively in the EU?",[106,15433,15434],{},"Where are encryption keys managed?",[106,15436,15437],{},"Who has technical access to metadata and logs?",[56,15439,15440],{},"If any of these questions reveals a connection to the United States, the Cloud Act risk is real and should be evaluated legally — not just once, but continuously, as the legal landscape continues to evolve.",[479,15442],{},[71,15444,15446],{"id":15445},"kubernetes-on-european-infrastructure-without-cloud-act-risk","Kubernetes on European infrastructure. Without Cloud Act risk",[56,15448,5261,15449,15452],{},[60,15450,15451],{"href":5076},"Kubernetes DaaS platform"," operated exclusively in Europe and fully subject to European law. No US parent company, no Cloud Act exposure, no structural dependencies on US hyperscalers.",[56,15454,15455],{},"For teams that want to run their applications cloud-natively without being caught between two legal systems, this is not a complicated decision. 
The platform handles Kubernetes operations, takes care of scaling, monitoring, and updates — and does so on infrastructure that is clean from a data protection perspective.",{"title":490,"searchDepth":491,"depth":491,"links":15457},[15458,15459,15463,15464,15465,15466,15467],{"id":15258,"depth":491,"text":15259},{"id":15280,"depth":491,"text":15281,"children":15460},[15461,15462],{"id":15295,"depth":499,"text":15296},{"id":15305,"depth":499,"text":15306},{"id":15317,"depth":491,"text":15318},{"id":15349,"depth":491,"text":15350},{"id":15376,"depth":491,"text":15377},{"id":15409,"depth":491,"text":15410},{"id":15445,"depth":491,"text":15446},"2026-03-15","US cloud services force European companies into a legal conflict. Why compliance measures fall short and what infrastructure decisions actually help.",{"src":15471},"\u002Fimages\u002Fblog\u002Fcloud-act-vs-gdpr.jpg",{},{"title":15233,"description":15469},"en\u002F3.blog\u002F23.cloud-act-vs-gdpr","qdOydAUhCueExVV6mgWNFfwVDVuYnWzPncmFZXM_nnA",{"id":15477,"title":15478,"authors":15479,"badge":10,"body":15482,"date":15743,"description":15744,"extension":510,"image":15745,"lastUpdated":9014,"meta":15747,"navigation":14,"path":10914,"published":14,"seo":15748,"stem":15749,"tags":10,"__hash__":15750},"posts\u002Fen\u002F3.blog\u002F22.platform-engineering-vs-devops.md","Platform Engineering vs. DevOps – What",[15480],{"name":43,"to":44,"avatar":15481},{"src":46},{"type":48,"value":15483,"toc":15731},[15484,15487,15491,15498,15505,15508,15512,15515,15533,15536,15540,15547,15550,15553,15557,15566,15569,15573,15576,15663,15666,15670,15675,15682,15685,15693,15697,15700,15703,15717,15720,15722,15725,15728],[56,15485,15486],{},"DevOps is a household term in almost every company today, but what it actually means often remains unclear. Platform Engineering is showing up more and more, adding to the confusion. 
This article clarifies what both approaches mean, where they overlap, and why the distinction matters in practice for development and infrastructure teams.",[71,15488,15490],{"id":15489},"what-is-devops-really","What Is DevOps, Really?",[56,15492,15493,15494,15497],{},"DevOps is not a role and not a tool. It's a culture — a way for development and operations teams to work together. For a detailed comparison of building your own DevOps practice versus outsourcing it, see our article on ",[60,15495,15496],{"href":5984},"DevOps vs. DevOps as a Service",". The core principle: break down the traditional silos between Dev and Ops so that software can be delivered faster and more reliably.",[56,15499,15500,15501,15504],{},"In practice, DevOps usually means CI\u002FCD pipelines, automated testing, Infrastructure as Code, and shared responsibility for operations. A team that lives DevOps builds and runs its own software: \"you build it, you run it.\" For a deeper look at how ",[60,15502,15503],{"href":11063},"collaborative DevOps bridges Dev and Ops",", see our dedicated article.",[56,15506,15507],{},"This works well for teams that operate autonomously. But DevOps has a weakness that only becomes visible as complexity grows.",[187,15509,15511],{"id":15510},"the-problem-with-devops-in-large-teams","The Problem with DevOps in Large Teams",[56,15513,15514],{},"When every development team has to set up its own infrastructure, configure Kubernetes clusters, implement monitoring, and maintain deployment pipelines, a problem emerges: cognitive load.",[56,15516,15517,15518,15521,15522,15525,15526,15529,15530,15532],{},"Developers spend a growing share of their time solving infrastructure problems instead of building features — a cost problem that can be ",[60,15519,15520],{"href":13462},"reduced through targeted IT automation",". These are among the most common ",[60,15523,15524],{"href":7312},"DevOps problems in SMBs",". 
This is also the core tension explored in ",[60,15527,15528],{"href":9348},"what full-stack development really demands today"," — where one title absorbs an entire team's worth of responsibility. At the same time, each department ends up with slightly different solutions for the same problems — different CI\u002FCD setups, different Helm chart structures, inconsistent logging — a pattern known as ",[60,15531,8038],{"href":8037},". This increases onboarding time, raises the risk of errors, and makes platform-wide changes expensive.",[56,15534,15535],{},"DevOps scales well up to a certain team size and complexity. Beyond that, you need a layer on top.",[71,15537,15539],{"id":15538},"what-is-platform-engineering","What Is Platform Engineering?",[56,15541,15542,15543,15546],{},"Platform Engineering builds on DevOps principles but goes a step further. The goal is to build an ",[109,15544,15545],{},"Internal Developer Platform (IDP)"," — an internal product that gives development teams self-service access to infrastructure, deployments, and operational tools.",[56,15548,15549],{},"The difference from traditional infrastructure operations: the platform is treated like a product, with real users (the development teams), feedback loops, and a clear API. Developers can provision environments, deploy applications, and view logs without opening an Ops ticket.",[56,15551,15552],{},"A central concept here is Golden Paths: pre-built, recommended workflows for common tasks like deploying a new application. 
Anyone using a Golden Path automatically gets best practices baked in — correct RBAC configuration, integrated monitoring, standardized pipeline structure.",[187,15554,15556],{"id":15555},"the-platform-team-as-a-product-team","The Platform Team as a Product Team",[56,15558,15559,15560,15565],{},"Conceptually, Platform Engineering comes from the book ",[60,15561,15564],{"href":15562,"rel":15563},"https:\u002F\u002Fteamtopologies.com\u002F",[64],"Team Topologies"," by Matthew Skelton and Manuel Pais. It describes \"Platform Teams\" as a distinct team type whose job is to reduce the cognitive demands on other teams.",[56,15567,15568],{},"The development teams — so-called stream-aligned teams — are the platform's customers. The Platform Team builds tooling, abstractions, and documentation so that stream-aligned teams can work quickly and independently. The platform isn't a bottleneck — it's an enabler.",[71,15570,15572],{"id":15571},"platform-engineering-vs-devops-the-concrete-differences","Platform Engineering vs. DevOps: The Concrete Differences",[56,15574,15575],{},"Both approaches pursue the same goal: delivering software faster and more reliably. 
But they go about it differently.",[1305,15577,15578,15596],{},[1308,15579,15580],{},[1311,15581,15582,15587,15592],{},[1314,15583,15584],{},[109,15585,15586],{},"Dimension",[1314,15588,15589],{},[109,15590,15591],{},"DevOps",[1314,15593,15594],{},[109,15595,11459],{},[1335,15597,15598,15609,15620,15630,15641,15652],{},[1311,15599,15600,15603,15606],{},[1340,15601,15602],{},"Approach",[1340,15604,15605],{},"Culture & practices",[1340,15607,15608],{},"Product & tooling",[1311,15610,15611,15614,15617],{},[1340,15612,15613],{},"Target audience",[1340,15615,15616],{},"Individual Dev\u002FOps teams",[1340,15618,15619],{},"All development teams in the organization",[1311,15621,15622,15624,15627],{},[1340,15623,7422],{},[1340,15625,15626],{},"Good for small to mid-sized teams",[1340,15628,15629],{},"Designed for large organizations",[1311,15631,15632,15635,15638],{},[1340,15633,15634],{},"Infrastructure ownership",[1340,15636,15637],{},"Each team handles its own",[1340,15639,15640],{},"Centralized in the Platform Team",[1311,15642,15643,15646,15649],{},[1340,15644,15645],{},"Self-service",[1340,15647,15648],{},"Limited, often manual",[1340,15650,15651],{},"Core principle, automated",[1311,15653,15654,15657,15660],{},[1340,15655,15656],{},"Outcome",[1340,15658,15659],{},"CI\u002FCD pipeline, faster releases",[1340,15661,15662],{},"Internal Developer Platform, Golden Paths",[56,15664,15665],{},"Important: Platform Engineering does not replace DevOps. DevOps principles are a prerequisite for Platform Engineering. If you don't yet have a functioning CI\u002FCD culture, you shouldn't invest directly in platform products.",[71,15667,15669],{"id":15668},"kubernetes-as-the-foundation-for-platform-engineering","Kubernetes as the Foundation for Platform Engineering",[56,15671,15672,15674],{},[60,15673,1543],{"href":1542}," is the de facto operating system for cloud-native Platform Engineering. 
The platform abstraction layer typically sits on top of Kubernetes: developers deploy an application without directly touching Helm charts or RBAC configurations.",[56,15676,15677,15678,15681],{},"The Platform Team defines how Kubernetes is used — what abstraction sits above raw API access, how namespaces are structured, which admission controllers are active. Development teams see none of this; they interact through the platform API or a portal. For a deep dive into how these abstraction layers ",[60,15679,15680],{"href":2108},"simplify Kubernetes configuration"," in practice, see our dedicated article.",[56,15683,15684],{},"This isn't a luxury — it's a necessity. As clusters multiply and more teams come on board, uncontrolled Kubernetes usage becomes a source of inconsistency and security gaps.",[56,15686,15687,12498,15689,15692],{},[60,15688,5819],{"href":486},[60,15690,299],{"href":5869,"rel":15691},[64]," solve exactly this problem: they provide a ready-made abstraction layer over Kubernetes so that teams don't have to start from scratch.",[71,15694,15696],{"id":15695},"when-does-platform-engineering-make-sense","When Does Platform Engineering Make Sense?",[56,15698,15699],{},"An honest answer: not from the start. 
For a team of five developers, a dedicated Internal Developer Platform is overengineering.",[56,15701,15702],{},"Rules of thumb:",[103,15704,15705,15708,15711,15714],{},[106,15706,15707],{},"With 3–5 development teams deploying independently, coordination overhead becomes noticeable.",[106,15709,15710],{},"When infrastructure setup takes more than an hour and is regularly done manually, self-service makes sense.",[106,15712,15713],{},"When onboarding new developers keeps getting harder because there are too many different setups.",[106,15715,15716],{},"When security and compliance requirements demand consistent configurations.",[56,15718,15719],{},"Small teams can still benefit from Platform Engineering principles — not through a full-blown IDP, but through standardized deployment templates, a shared CI\u002FCD structure, and clear responsibilities.",[71,15721,2102],{"id":2101},[56,15723,15724],{},"DevOps and Platform Engineering are not competitors. DevOps lays the cultural foundation: Dev and Ops work together, feedback loops are short, deployments are automated. Platform Engineering takes that foundation and adds a product layer that frees development teams from infrastructure complexity.",[56,15726,15727],{},"The decisive moment comes when DevOps alone no longer scales — when coordination overhead between teams grows, cognitive load gets too high, and inconsistencies between environments become the norm. That's when Platform Engineering is the logical next step.",[56,15729,15730],{},"If you want to take that step, you don't have to build everything yourself. 
A Kubernetes-native DaaS like lowcloud gives teams a solid platform foundation right away — without spending years building your own Internal Developer Platform.",{"title":490,"searchDepth":491,"depth":491,"links":15732},[15733,15736,15739,15740,15741,15742],{"id":15489,"depth":491,"text":15490,"children":15734},[15735],{"id":15510,"depth":499,"text":15511},{"id":15538,"depth":491,"text":15539,"children":15737},[15738],{"id":15555,"depth":499,"text":15556},{"id":15571,"depth":491,"text":15572},{"id":15668,"depth":491,"text":15669},{"id":15695,"depth":491,"text":15696},{"id":2101,"depth":491,"text":2102},"2026-03-14","DevOps and Platform Engineering compared: key differences, overlap, and when it makes sense to invest in an Internal Developer Platform.",{"src":15746},"\u002Fimages\u002Fblog\u002Fplatform-engineering-vs-devops.jpg",{},{"title":15478,"description":15744},"en\u002F3.blog\u002F22.platform-engineering-vs-devops","YSvJ3u1FvAdBGkK9RWrjJ8_-B5IlGYQkzOP-t_Phlhg",{"id":15752,"title":15753,"authors":15754,"badge":10,"body":15757,"date":15988,"description":15989,"extension":510,"image":15990,"lastUpdated":7615,"meta":15992,"navigation":14,"path":7312,"published":14,"seo":15993,"stem":15994,"tags":10,"__hash__":15995},"posts\u002Fen\u002F3.blog\u002F20.devops-problems-smb.md","The 7 Biggest DevOps Problems in SMBs – And How to Fix Them",[15755],{"name":43,"to":44,"avatar":15756},{"src":46},{"type":48,"value":15758,"toc":15976},[15759,15763,15766,15770,15773,15776,15779,15783,15798,15801,15807,15811,15814,15821,15827,15836,15840,15843,15846,15853,15858,15862,15865,15868,15871,15876,15880,15883,15886,15889,15894,15898,15901,15907,15910,15915,15919,15922,15925,15928,15937,15941,15944,15950,15956,15960,15963,15966,15973],[51,15760,15762],{"id":15761},"the-7-biggest-devops-problems-in-smbs-and-how-to-fix-them","The 7 Biggest DevOps Problems in SMBs and How to Fix Them",[56,15764,15765],{},"DevOps promises faster releases, more stable systems, and less manual work. 
In practice, things often look different for small and medium-sized businesses: resources are tight, the team is small, and the infrastructure has grown organically over the years. If you know these seven problems, you can address them head-on — instead of stumbling over the same issues again and again.",[71,15767,15769],{"id":15768},"why-devops-in-smbs-is-different-from-enterprise","Why DevOps in SMBs Is Different from Enterprise",[56,15771,15772],{},"When large companies adopt DevOps, they typically have a dedicated platform team, their own tooling strategy, and a budget that allows for experimentation. SMBs operate under different conditions: one developer manages the infrastructure on the side, deployments follow a manual step described in a wiki article that only one person truly understands.",[56,15774,15775],{},"That's not failure — it's a structural reality. The methods that work in enterprise settings can't simply be scaled down. Ignoring this leads to buying tools nobody uses and introducing processes that create more overhead than they eliminate.",[56,15777,15778],{},"The good news: most of the problems that cause DevOps to fail in SMBs are well-known and solvable — if you call them by name.",[71,15780,15782],{"id":15781},"problem-1-no-dedicated-devops-role","Problem 1 – No Dedicated DevOps Role",[56,15784,15785,15786,15789,15790,15793,15794,15797],{},"Many SMBs don't have a ",[60,15787,15788],{"href":5984},"DevOps engineer",". Instead, there's a developer who \"also handles infrastructure\" — on top of their actual responsibilities. It sounds pragmatic, but it reliably leads to problems — a pattern we analyze in depth in our article on ",[60,15791,15792],{"href":9127},"missing DevOps roles in SMBs",". For a broader look at what ",[60,15795,15796],{"href":9348},"full-stack responsibility actually demands today",", and why the title has become a semantic minefield, see our dedicated post.",[56,15799,15800],{},"When that person is sick, deployments stop. 
When they leave the company, implicit knowledge walks out the door. And as long as the infrastructure \"somehow works,\" nobody will invest the time to set it up properly.",[56,15802,15803,15806],{},[109,15804,15805],{},"What helps:"," Clarity, not headcount. Even without a dedicated position, you can define who is responsible for CI\u002FCD, monitoring, and deployments — and give that person dedicated time for it, not tasks on top. A platform that abstracts much of this work can make the difference between \"works somehow\" and \"works reliably.\"",[71,15808,15810],{"id":15809},"problem-2-manual-deployments-as-the-permanent-state","Problem 2 – Manual Deployments as the Permanent State",[56,15812,15813],{},"\"We know we need CI\u002FCD. We just never get around to it.\" This sentence comes up in many SMB conversations about DevOps.",[56,15815,15816,15817,15820],{},"The problem isn't a lack of knowledge — it's a lack of entry point. A full CI\u002FCD pipeline sounds like a project that takes weeks. So ",[60,15818,15819],{"href":7292},"manual deployment stays"," — with all its consequences: copy-paste errors, long deployment windows, no rollback strategy.",[56,15822,1701,15823,15826],{},[60,15824,15825],{"href":7300},"risks of manual deployments"," are well documented: the less frequently you deploy, the larger the batches become, and the higher the risk per release. Small, frequent deployments are more stable than large, infrequent ones. That's not an opinion — it's one of the core findings from \"Accelerate.\"",[56,15828,15829,15831,15832,15835],{},[109,15830,15805],{}," Not the perfect pipeline, but a working one. A simple trigger that automatically builds and tests on every push to the main branch is better than nothing. Our guide to ",[60,15833,15834],{"href":7620},"software deployment for SMBs"," walks through the steps. You can expand from there.",[71,15837,15839],{"id":15838},"problem-3-monitoring-when-users-complain-well-know","Problem 3 – Monitoring? 
When Users Complain, We'll Know",[56,15841,15842],{},"Missing observability is the silent problem. Systems run — until they don't. And then the team finds out through a user, a Slack message, or a phone call.",[56,15844,15845],{},"This isn't a technical problem — it's a prioritization problem. Monitoring doesn't feel productive while everything is running. It only pays off when things break — and by then it's too late to set it up.",[56,15847,15848,15849,15852],{},"Good monitoring in an SMB context doesn't have to be complex: an application performance monitoring tool, an alert on elevated error rates, a dashboard with the most important metrics. Our guide to ",[60,15850,15851],{"href":4125},"Kubernetes monitoring with logs and metrics"," covers what a practical setup looks like. If you don't know whether your system is healthy right now, you can't do DevOps — you can only react.",[56,15854,15855,15857],{},[109,15856,15805],{}," Start with three metrics: error rate, latency, availability. Set up alerts for them. Expand from there. Working on a platform that provides observability out of the box saves significant time.",[71,15859,15861],{"id":15860},"problem-4-works-on-my-machine-inconsistent-environments","Problem 4 – \"Works on My Machine\" – Inconsistent Environments",[56,15863,15864],{},"The classic. A bug appears in production but can't be reproduced locally. This costs hours, sometimes days.",[56,15866,15867],{},"The cause is usually a drift between the development environment and production: different configurations, different dependencies, different OS versions. In teams without clear agreements on development environments, this drift grows with every person who joins.",[56,15869,15870],{},"Containers solve a large part of the problem — when used consistently. Infrastructure as Code ensures that staging and production are truly identical. 
That's not gold-plating — it's a prerequisite for reliable deployments.",[56,15872,15873,15875],{},[109,15874,15805],{}," Containerize the application, use IaC for infrastructure, and establish a clear dev environment setup that can onboard new team members in minutes.",[71,15877,15879],{"id":15878},"problem-5-security-gaps-in-the-pipeline","Problem 5 – Security Gaps in the Pipeline",[56,15881,15882],{},"DevSecOps is often not even a term in SMBs, let alone a practice. Yet the typical security issues in DevOps pipelines are well known: secrets in Git repositories, missing vulnerability scans for container images, no RBAC strategy for the Kubernetes cluster.",[56,15884,15885],{},"These are not theoretical risks. Exposed secrets in public repositories are found and exploited within minutes. An unscanned container image with known CVEs is an open gateway.",[56,15887,15888],{},"SMBs often underestimate their own risk. \"We're too small to be interesting\" — that's simply not true. Automated attacks scan the entire internet, not just well-known targets.",[56,15890,15891,15893],{},[109,15892,15805],{}," Secrets management from the start (no secret belongs in an environment variable in the repository), automatic image scans in the CI pipeline, minimal RBAC configuration in the cluster. This can be introduced step by step.",[71,15895,15897],{"id":15896},"problem-6-tool-chaos-and-lack-of-standardization","Problem 6 – Tool Chaos and Lack of Standardization",[56,15899,15900],{},"With every new project comes a new tool: a different CI system, a different monitoring solution, a different deployment tool. After two years, there are five different setups that nobody fully understands.",[56,15902,15903,15906],{},[60,15904,15905],{"href":8037},"Tool sprawl"," is a real productivity problem. Every tool has its own configuration syntax, its own quirks, its own failure scenarios. 
If you have to operate all of them, you can't be truly good at any of them.",[56,15908,15909],{},"Standardization feels restrictive but creates reliability. When the team uses the same pipeline template, the same monitoring setup, and the same deployment pattern for every new service, the cognitive overhead drops significantly.",[56,15911,15912,15914],{},[109,15913,15805],{}," Fewer tools, used well. One CI platform for everything is better than three different ones. One observability solution with standard configurations beats ad-hoc setups per project.",[71,15916,15918],{"id":15917},"problem-7-knowledge-silos-and-missing-documentation","Problem 7 – Knowledge Silos and Missing Documentation",[56,15920,15921],{},"The bus factor is the most honest measure of team resilience: how many people would have to leave the company before a critical system becomes unmaintainable? In many SMBs, the answer is: one.",[56,15923,15924],{},"The knowledge of how deployments work, how the cluster is built, which configuration lives where — it's all in the heads of the people who built the system. Documentation is created after the fact, if at all.",[56,15926,15927],{},"That's not a character flaw — it's a symptom of time pressure. Yet it's one of the most expensive problems in operations: slow onboarding, dependency on individuals, costly outages when the wrong person is on vacation.",[56,15929,15930,15932,15933,15936],{},[109,15931,15805],{}," Infrastructure that documents itself — through IaC, through readable pipeline configurations, through runbooks that are kept short and up to date. For a deeper look at why documentation fails and how to fix it, see our guide on ",[60,15934,15935],{"href":10601},"reducing bus factor through documentation",". 
Not an encyclopedia, but a reliable foundation.",[71,15938,15940],{"id":15939},"the-common-denominator-missing-platform-abstraction","The Common Denominator: Missing Platform Abstraction",[56,15942,15943],{},"When you lay these seven problems side by side, a pattern emerges: it's not that SMB teams are worse than enterprise teams. It's that they have to solve the same tasks with a fraction of the capacity.",[56,15945,15946,15947,15949],{},"The structural answer is platform abstraction: a layer that automates and standardizes routine tasks — deployment, monitoring, secrets management, scaling — to a degree that lets the development team focus on the product, not the infrastructure. This concept is formalized as a ",[60,15948,11459],{"href":10914}," approach, where a dedicated team builds an Internal Developer Platform for self-service access.",[56,15951,15952,15953,15955],{},"That's exactly the approach behind lowcloud: a ",[60,15954,487],{"href":486}," that provides this abstraction for SMBs — without enterprise complexity, without lock-in to proprietary tools. If you don't want to build a platform team but simply want to deploy, this is a solid foundation.",[71,15957,15959],{"id":15958},"conclusion-and-next-steps","Conclusion and Next Steps",[56,15961,15962],{},"These seven problems won't be solved overnight. But they can be prioritized.",[56,15964,15965],{},"If you want to start today, ask yourself one question: which of these problems is currently costing us the most time or creating the biggest risk? That's your entry point.",[56,15967,15968,15969,15972],{},"For most teams, it's problem 2 or 3 — missing automation or missing monitoring. Both can be tackled with manageable effort, provided the infrastructure supports it — and as our ",[60,15970,15971],{"href":13462},"IT cost reduction analysis"," shows, the ROI is often faster than expected.",[56,15974,15975],{},"DevOps in SMBs isn't a state you reach at some point. 
It's a continuous process that favors small, reliable improvements over big leaps. The upside: you don't have to solve all seven problems at once.",{"title":490,"searchDepth":491,"depth":491,"links":15977},[15978,15979,15980,15981,15982,15983,15984,15985,15986,15987],{"id":15768,"depth":491,"text":15769},{"id":15781,"depth":491,"text":15782},{"id":15809,"depth":491,"text":15810},{"id":15838,"depth":491,"text":15839},{"id":15860,"depth":491,"text":15861},{"id":15878,"depth":491,"text":15879},{"id":15896,"depth":491,"text":15897},{"id":15917,"depth":491,"text":15918},{"id":15939,"depth":491,"text":15940},{"id":15958,"depth":491,"text":15959},"2026-03-13","DevOps in SMBs often fails for the same reasons: missing roles, manual deployments, no monitoring. Here is how to tackle the 7 most common pitfalls.",{"src":15991},"\u002Fimages\u002Fblog\u002Fdevops-problems-smb.jpg",{},{"title":15753,"description":15989},"en\u002F3.blog\u002F20.devops-problems-smb","2IW04RWHzqYkgvcMCQtIxjBhq_ykW-Z5LhaXHAHGDpM",{"id":15997,"title":15998,"authors":15999,"badge":10,"body":16002,"date":16383,"description":16384,"extension":510,"image":16385,"lastUpdated":3938,"meta":16387,"navigation":14,"path":5984,"published":14,"seo":16388,"stem":16389,"tags":10,"__hash__":16390},"posts\u002Fen\u002F3.blog\u002F19.devops-vs-devops-as-a-service.md","DevOps vs. DevOps as a Service – Which One Fits Your Team?",[16000],{"name":43,"to":44,"avatar":16001},{"src":46},{"type":48,"value":16003,"toc":16370},[16004,16008,16011,16015,16018,16021,16050,16053,16057,16064,16082,16085,16089,16190,16194,16201,16204,16218,16224,16228,16235,16238,16252,16255,16259,16262,16265,16282,16285,16299,16302,16306,16311,16314,16317,16321,16324,16327,16330,16338,16342,16345,16348,16350,16357,16360,16363],[51,16005,16007],{"id":16006},"devops-vs-devops-as-a-service-whats-the-difference-and-which-one-fits-your-team","DevOps vs. 
DevOps as a Service – What's the Difference and Which One Fits Your Team?",[56,16009,16010],{},"DevOps is more than a buzzword – it's a way of working that brings development and operations together. But there's a significant difference between building your own DevOps practice and using DevOps as a Service. This article explains what's behind both models, how they differ, and when each one makes sense for your team.",[71,16012,16014],{"id":16013},"what-is-devops","What Is DevOps?",[56,16016,16017],{},"DevOps is a combination of cultural principles, practices, and tools aimed at improving collaboration between development (Dev) and operations (Ops). The goal: shorter development cycles, more frequent releases, and higher software quality.",[56,16019,16020],{},"In practice, that means:",[103,16022,16023,16029,16035,16041],{},[106,16024,16025,16028],{},[109,16026,16027],{},"CI\u002FCD pipelines"," that automatically build, test, and deploy code",[106,16030,16031,16034],{},[109,16032,16033],{},"Infrastructure as Code (IaC)"," to manage infrastructure in a reproducible, version-controlled way",[106,16036,16037,16040],{},[109,16038,16039],{},"Monitoring and observability"," to quickly detect and resolve issues",[106,16042,16043,16046,16047],{},[109,16044,16045],{},"Collaboration"," where developers take ownership of running their own services — an approach explored in depth in our article on ",[60,16048,16049],{"href":11063},"collaborative DevOps teams",[56,16051,16052],{},"Building such a practice isn't a one-time project. It's a continuous process that requires knowledge, time, and dedicated resources. 
For small teams or companies without specialized ops staff, this quickly becomes a challenge.",[71,16054,16056],{"id":16055},"what-is-devops-as-a-service","What Is DevOps as a Service?",[56,16058,16059,16063],{},[109,16060,16061],{},[60,16062,4894],{"href":486}," refers to an operating model where DevOps capabilities – tooling, pipelines, infrastructure, and operational processes – are provided by an external vendor or platform.",[56,16065,16066,16067,16071,16072,557,16075,557,16078,16081],{},"Instead of building and maintaining your own toolchain internally (",[60,16068,25],{"href":16069,"rel":16070},"https:\u002F\u002Fgithub.com\u002F",[64]," Actions, ",[60,16073,5902],{"href":5900,"rel":16074},[64],[60,16076,6288],{"href":6286,"rel":16077},[64],[60,16079,6293],{"href":6291,"rel":16080},[64],", Vault, ...), the development team uses a ready-made, managed environment. The provider handles operations, updates, security patches, and often scaling as well.",[56,16083,16084],{},"This isn't outsourcing in the traditional sense. The development team retains control over its applications and pipelines. What gets offloaded is the complexity underneath: the infrastructure everything runs on.",[71,16086,16088],{"id":16087},"head-to-head-devops-vs-devops-as-a-service","Head-to-Head: DevOps vs. 
DevOps as a Service",[1305,16090,16091,16108],{},[1308,16092,16093],{},[1311,16094,16095,16099,16104],{},[1314,16096,16097],{},[109,16098,1318],{},[1314,16100,16101],{},[109,16102,16103],{},"DevOps (Build Your Own)",[1314,16105,16106],{},[109,16107,4894],{},[1335,16109,16110,16120,16128,16139,16149,16158,16168,16179],{},[1311,16111,16112,16115,16117],{},[1340,16113,16114],{},"Control",[1340,16116,4380],{},[1340,16118,16119],{},"Limited (depends on provider)",[1311,16121,16122,16124,16126],{},[1340,16123,6101],{},[1340,16125,1442],{},[1340,16127,1426],{},[1311,16129,16130,16133,16136],{},[1340,16131,16132],{},"Ongoing operations",[1340,16134,16135],{},"Your team",[1340,16137,16138],{},"The provider",[1311,16140,16141,16143,16146],{},[1340,16142,14198],{},[1340,16144,16145],{},"Personnel-intensive",[1340,16147,16148],{},"Service fee, more predictable",[1311,16150,16151,16153,16155],{},[1340,16152,6160],{},[1340,16154,6166],{},[1340,16156,16157],{},"Often automated",[1311,16159,16160,16162,16165],{},[1340,16161,6132],{},[1340,16163,16164],{},"None",[1340,16166,16167],{},"Possible",[1311,16169,16170,16173,16176],{},[1340,16171,16172],{},"Compliance",[1340,16174,16175],{},"Your responsibility",[1340,16177,16178],{},"Often pre-configured by provider",[1311,16180,16181,16184,16187],{},[1340,16182,16183],{},"Onboarding speed",[1340,16185,16186],{},"Weeks to months",[1340,16188,16189],{},"Days to weeks",[187,16191,16193],{"id":16192},"when-does-building-your-own-make-sense","When Does Building Your Own Make Sense?",[56,16195,16196,16197,16200],{},"If you have a large, specialized team that's deeply experienced with ",[60,16198,1543],{"href":2164,"rel":16199},[64],", CI\u002FCD, and infrastructure topics, building your own setup makes sense. 
You get maximum flexibility: you choose every component yourself, integrate it according to your requirements, and stay independent from any provider.",[56,16202,16203],{},"This pays off especially when:",[103,16205,16206,16209,16212,16215],{},[106,16207,16208],{},"Your infrastructure requirements are very specific or unusual",[106,16210,16211],{},"You need full control over the tool stack for regulatory reasons",[106,16213,16214],{},"You want to strategically build internal know-how",[106,16216,16217],{},"You already have a strong ops team that can fill the gaps",[56,16219,16220,16221,16223],{},"The cost is real, though: someone has to build the pipelines, upgrade Kubernetes clusters, maintain monitoring dashboards, and get paged at night when something goes down. That ties up developer time that could otherwise go into the product – a cost differential our ",[60,16222,13504],{"href":5345}," quantifies at roughly 60%.",[187,16225,16227],{"id":16226},"when-does-devops-as-a-service-make-more-sense","When Does DevOps as a Service Make More Sense?",[56,16229,16230,16231,16234],{},"For most teams – especially startups, scale-ups, and SMBs facing ",[60,16232,16233],{"href":7312},"common DevOps challenges"," – DevOps as a Service is the more pragmatic choice. 
Not because building your own is inherently worse, but because the cost-benefit ratio in many situations clearly favors a platform solution.",[56,16236,16237],{},"Typical scenarios:",[103,16239,16240,16243,16246,16249],{},[106,16241,16242],{},"The team is small and has no dedicated ops staff",[106,16244,16245],{},"Time-to-market is critical and you can't afford weeks of infrastructure configuration",[106,16247,16248],{},"The application landscape is container-based and maps well onto a PaaS platform",[106,16250,16251],{},"Compliance requirements (e.g., GDPR, industry-specific standards) should come pre-configured by the provider",[56,16253,16254],{},"The key question isn't \"control or convenience\" – it's: which complexity do you want to carry yourself?",[71,16256,16258],{"id":16257},"what-devops-as-a-service-means-in-practice","What DevOps as a Service Means in Practice",[56,16260,16261],{},"A common misconception: DevOps as a Service doesn't mean you don't need to understand DevOps. It means you don't have to build and manage the operational layer yourself.",[56,16263,16264],{},"What a good DevOps-as-a-Service offering typically handles:",[103,16266,16267,16270,16273,16276,16279],{},[106,16268,16269],{},"Provisioning and operating Kubernetes clusters",[106,16271,16272],{},"Pre-configured CI\u002FCD pipelines you can use and customize",[106,16274,16275],{},"Centralized logging, monitoring, and alerting",[106,16277,16278],{},"Automated security updates and patch management",[106,16280,16281],{},"Network and storage configuration",[56,16283,16284],{},"What stays with the development team:",[103,16286,16287,16290,16293,16296],{},[106,16288,16289],{},"Application code and business logic",[106,16291,16292],{},"Deployment configuration (e.g., Helm charts, Kubernetes manifests)",[106,16294,16295],{},"Decisions about scaling behavior and resource limits",[106,16297,16298],{},"Testing strategy and quality assurance",[56,16300,16301],{},"That's a sensible division of 
labor. The provider takes care of operational stability; you take care of your product.",[71,16303,16305],{"id":16304},"kubernetes-and-devops-as-a-service-a-natural-fit","Kubernetes and DevOps as a Service – A Natural Fit",[56,16307,16308,16310],{},[60,16309,1543],{"href":1542}," has established itself as the standard for container-based workloads. At the same time, Kubernetes is complex: cluster management, networking, storage, RBAC, ingress controllers, secrets management – each of these topics is a discipline in its own right.",[56,16312,16313],{},"This is exactly where Kubernetes DaaS platforms bridge the gap. They provide Kubernetes as a production-ready environment, complemented by DevOps tooling, so development teams can get started right away.",[56,16315,16316],{},"Platforms like lowcloud take this a step further: they combine the DevOps-as-a-Service model with sovereign infrastructure – meaning operations in German or European data centers under European law. This is particularly relevant for companies that don't want to treat GDPR compliance or specific data protection requirements as an afterthought.",[71,16318,16320],{"id":16319},"devops-as-a-service-vs-devops-as-a-service-platform-whats-the-difference","DevOps as a Service vs. DevOps-as-a-Service Platform – What's the Difference?",[56,16322,16323],{},"DevOps as a Service primarily describes an operating and responsibility model: an external provider takes over (fully or partially) the setup and operation of your DevOps capabilities – tooling, platform operations, updates, security patches, monitoring setup, incident handling, etc. 
The key point: it's about people and processes (who does what, with which SLAs), not necessarily a specific product.",[56,16325,16326],{},"A DevOps-as-a-Service platform, on the other hand, is the technical implementation of this model: a platform bundles the typical building blocks (e.g., Kubernetes, CI\u002FCD, registry, secrets, observability, policies) and makes them available as a standardized, repeatable self-service experience. It reduces complexity through automation, guardrails, and opinionated defaults.",[56,16328,16329],{},"In practice, this means:",[103,16331,16332,16335],{},[106,16333,16334],{},"DevOps as a Service can also be \"traditional\": a service provider runs your toolchain and infrastructure, with a lot happening through tickets and manual work.",[106,16336,16337],{},"A DevOps-as-a-Service platform is more productized: fewer tickets, more self-service – with clearly defined responsibilities.",[71,16339,16341],{"id":16340},"where-does-lowcloud-fit-in","Where Does lowcloud Fit In?",[56,16343,16344],{},"lowcloud isn't simply \"a service provider that does DevOps\" – it's a DevOps-as-a-Service platform built on Kubernetes that delivers DevOps capabilities as a product, including the automation and standards that would otherwise consume significant internal engineering effort.",[56,16346,16347],{},"Importantly, lowcloud combines this platform approach with a sovereign setup. By focusing on operations in German\u002FEuropean environments (and depending on the setup, also in your own infrastructure\u002Fprovider account), you get the benefits of DevOps as a Service without giving up control entirely.",[71,16349,2102],{"id":2101},[56,16351,16352,16353,16356],{},"DevOps and DevOps as a Service aren't competing concepts. They're two different paths to the same goal: delivering software faster, more reliably, and more sustainably. 
As organizations scale, the distinction between ",[60,16354,16355],{"href":10914},"DevOps and Platform Engineering"," becomes equally important.",[56,16358,16359],{},"Building your own makes sense if you have the resources, knowledge, and strategic motivation to control your DevOps infrastructure yourself. DevOps as a Service is the better choice if you want to ship fast without overwhelming your team with infrastructure concerns.",[56,16361,16362],{},"For many teams, the decision is less about conviction and more about pragmatism. The time a small team spends on Kubernetes cluster management is time taken away from other priorities. A platform that absorbs that complexity isn't a compromise – it's a deliberate choice to focus.",[56,16364,16365,16366,16369],{},"If you want to learn more about how a Kubernetes DaaS platform can take the load off your team, take a look at what lowcloud offers. For a direct comparison of ",[60,16367,16368],{"href":6202},"lowcloud vs. external DevOps providers",", see our detailed breakdown. No sales pitch – just an honest answer to which problems we solve, and which ones we don't.",{"title":490,"searchDepth":491,"depth":491,"links":16371},[16372,16373,16374,16378,16379,16380,16381,16382],{"id":16013,"depth":491,"text":16014},{"id":16055,"depth":491,"text":16056},{"id":16087,"depth":491,"text":16088,"children":16375},[16376,16377],{"id":16192,"depth":499,"text":16193},{"id":16226,"depth":499,"text":16227},{"id":16257,"depth":491,"text":16258},{"id":16304,"depth":491,"text":16305},{"id":16319,"depth":491,"text":16320},{"id":16340,"depth":491,"text":16341},{"id":2101,"depth":491,"text":2102},"2026-03-12","Build your own DevOps practice or use it as a service? 
A practical comparison of both models to help you decide what works best for your team.",{"src":16386},"\u002Fimages\u002Fblog\u002Fdevops-vs-devops-as-a-service.jpg",{},{"title":15998,"description":16384},"en\u002F3.blog\u002F19.devops-vs-devops-as-a-service","EVu4Duo5Q5VeS4QesNwTZbvNVBuJh_H5EoVxNJXX918",{"id":16392,"title":16393,"authors":16394,"badge":10,"body":16397,"date":16861,"description":16862,"extension":510,"image":16863,"lastUpdated":7912,"meta":16865,"navigation":14,"path":7727,"published":14,"seo":16866,"stem":16867,"tags":10,"__hash__":16868},"posts\u002Fen\u002F3.blog\u002F18.sovereign-cloud-saas-data-control.md","Sovereign Cloud: Can SaaS Really Maintain Control Over Your Data?",[16395],{"name":43,"to":44,"avatar":16396},{"src":46},{"type":48,"value":16398,"toc":16844},[16399,16402,16405,16407,16411,16420,16440,16443,16445,16449,16452,16459,16466,16469,16473,16476,16501,16504,16506,16510,16513,16516,16530,16533,16547,16552,16556,16559,16561,16565,16571,16575,16582,16585,16588,16592,16597,16603,16606,16626,16630,16633,16640,16643,16669,16676,16682,16684,16688,16691,16705,16708,16711,16713,16717,16720,16725,16756,16761,16788,16793,16814,16816,16820,16823,16829,16835,16841],[56,16400,16401],{},"The question sounds simple, but the answer isn't. SaaS services have become indispensable in daily work, and at the same time, pressure on companies to prove control over their data is growing. Data protection authorities, compliance requirements, and not least internal IT security strategies demand a clear answer to the question: who's actually in charge here?",[56,16403,16404],{},"The honest answer: it depends. Not every SaaS is the same, not every provider carries the same risks, and not every use case requires the maximum level of control. 
This article shows how to recognize how sovereign a SaaS provider really is, and when you're better off with self-hosting or a sovereign PaaS or DaaS solution.",[479,16406],{},[71,16408,16410],{"id":16409},"what-does-data-sovereignty-in-the-cloud-actually-mean","What Does Data Sovereignty in the Cloud Actually Mean?",[56,16412,16413,16415,16416,16419],{},[109,16414,5060],{}," is not a uniformly defined term — and that's exactly what makes it so susceptible to marketing abuse. In a technical and legal context, ",[60,16417,16418],{"href":8917},"three dimensions"," can be distinguished:",[103,16421,16422,16428,16434],{},[106,16423,16424,16427],{},[109,16425,16426],{},"Legal immunity:"," Which law applies? Can the provider or an authority access your data without your knowledge or consent?",[106,16429,16430,16433],{},[109,16431,16432],{},"Data control:"," Do you have actual control over where and how your data is stored and processed?",[106,16435,16436,16439],{},[109,16437,16438],{},"Operational control:"," Can you take over, migrate, or shut down a service in an emergency without being stuck in a dependency you can't escape?",[56,16441,16442],{},"Many discussions about sovereign cloud focus on only one dimension. That's not enough. If you only look at the data center in Frankfurt but don't check whether the provider has a US parent company or runs on AWS, you haven't really solved the problem.",[479,16444],{},[71,16446,16448],{"id":16447},"eu-vs-usa-why-the-providers-location-matters","EU vs. USA: Why the Provider's Location Matters",[56,16450,16451],{},"The legal basis is decisive. Two regulatory frameworks shape the debate particularly strongly:",[56,16453,16454,16455,16458],{},"GDPR stipulates that personal data of EU citizens must meet certain protection standards — including when transferred to third countries. 
Transfers to the USA have been legally precarious since the ",[60,16456,12648],{"href":13880,"rel":16457},[64]," by the ECJ (2020), because American authorities can demand access to data from US companies under the CLOUD Act — regardless of where that data physically resides.",[56,16460,16461,16462,16465],{},"This means: ",[60,16463,16464],{"href":325},"a data center in Germany alone"," says nothing about whether your data is protected from access by US authorities. What matters is the corporate structure of the provider, not the server location.",[56,16467,16468],{},"European SaaS providers without a US entity, US investors, or dependencies offer a structurally different starting point. This doesn't automatically mean superior security, but less regulatory risk.",[187,16470,16472],{"id":16471},"what-an-eu-provider-alone-doesnt-guarantee","What an EU Provider Alone Doesn't Guarantee",[56,16474,16475],{},"Even a purely European SaaS provider can have problematic dependencies:",[103,16477,16478,16481,16495,16498],{},[106,16479,16480],{},"Sub-processors based in the USA (e.g., for analytics, support tools, monitoring)",[106,16482,16483,16484,557,16487,1829,16490,16494],{},"Hosting on infrastructure from ",[60,16485,5914],{"href":5912,"rel":16486},[64],[60,16488,5924],{"href":5922,"rel":16489},[64],[60,16491,16493],{"href":5917,"rel":16492},[64],"Google"," — hyperscalers with US headquarters",[106,16496,16497],{},"Missing or weak certifications (ISO 27001, BSI C5, SOC 2)",[106,16499,16500],{},"Data processing agreements (DPA) that use standard contractual clauses without adequate technical measures",[56,16502,16503],{},"A thorough review of data processing records and the sub-processor list is therefore not bureaucratic overhead — it's the actual substance check.",[479,16505],{},[71,16507,16509],{"id":16508},"self-hosting-and-open-source-when-is-it-the-right-choice","Self-Hosting and Open Source: When Is It the Right Choice?",[56,16511,16512],{},"Self-hosting is often 
touted as the ultimate \"sovereign\" solution. And it's true: if you run an application on your own infrastructure, you have maximum control. At the same time, that means: maximum responsibility.",[56,16514,16515],{},"In favor of self-hosting:",[103,16517,16518,16521,16524,16527],{},[106,16519,16520],{},"Highly sensitive data (healthcare, finance, critical infrastructure)",[106,16522,16523],{},"Strict regulatory requirements that don't allow third-party providers",[106,16525,16526],{},"Internal DevOps capacity and security know-how available",[106,16528,16529],{},"Lower long-term costs with large data volumes",[56,16531,16532],{},"Against self-hosting in practice:",[103,16534,16535,16538,16541,16544],{},[106,16536,16537],{},"Significant operational effort (updates, security patches, monitoring, high availability)",[106,16539,16540],{},"Security competence must be built and maintained internally",[106,16542,16543],{},"Slow provisioning of new features",[106,16545,16546],{},"TCO (Total Cost of Ownership) underestimated — especially for small teams",[56,16548,16549,16550,415],{},"Open source only solves the sovereignty problem halfway: you have access to the code and no dependency on the provider, but someone has to handle operations. If you don't have a team for operations, you're trading independence for operational risk. For a practical overview of production-ready open-source tools and how to run them without the ops burden, see our guide to ",[60,16551,15386],{"href":14284},[187,16553,16555],{"id":16554},"tco-and-operational-reality-of-self-hosting","TCO and Operational Reality of Self-Hosting",[56,16557,16558],{},"An honest comparison must include all costs: infrastructure, personnel, licenses for supplementary tools, audit effort, downtime, and the time developers spend on operational tasks instead of product development. 
For most mid-sized companies, this effort exceeds the benefit — unless the protection requirement makes it absolutely necessary.",[479,16560],{},[71,16562,16564],{"id":16563},"paas-and-daas-platforms-control-without-full-operations","PaaS and DaaS Platforms: Control Without Full Operations",[56,16566,16567,16568,16570],{},"Between complete SaaS trust and running your own data center, there are two pragmatic middle grounds: PaaS and DaaS on controlled, European infrastructure. A third model increasingly used in regulated industries is ",[60,16569,9767],{"href":413},", where the vendor deploys into your own cloud account rather than hosting your data themselves.",[187,16572,16574],{"id":16573},"paas-your-own-deployments-less-operational-overhead","PaaS: Your Own Deployments, Less Operational Overhead",[56,16576,16577,16578,16581],{},"With Platform-as-a-Service, you run your applications without having to maintain the platform yourself. The provider takes care of infrastructure, scaling, and operations. You retain control over deployments, configuration, and workloads. ",[2186,16579,16580],{},"Important:"," Many PaaS offerings technically or legally fall under US influence (e.g., through hyperscaler infrastructure or US parent companies). For sovereignty, you therefore explicitly need European hosting, European contracts, and a transparent sub-processor list.",[56,16583,16584],{},"At the same time, a structural risk remains: if your applications are deeply coupled to the platform mechanics, you're bound to the PaaS provider as a user. 
Switching is rarely simple, because it is not just a tool that disappears, but the entire operating environment.",[56,16586,16587],{},"Without a clearly documented exit strategy (portability, migration path, data export, time window after contract end), that's not really sovereign — just a more controlled dependency model.",[187,16589,16591],{"id":16590},"devops-as-a-service-platform-comfort-without-losing-control","DevOps-as-a-Service: Platform Comfort Without Losing Control",[56,16593,16594,16596],{},[109,16595,5264],{}," (like lowcloud) aims to significantly reduce your operational burden without forcing you completely into proprietary platform mechanics. You deploy your own applications and work with familiar standards (e.g., containers, Kubernetes, GitOps), while platform operations, security basics, updates, and scaling are managed by the provider.",[56,16598,16599,16602],{},[109,16600,16601],{},"Why this can be more sovereign than classic PaaS\u002FSaaS:"," Lock-in often doesn't arise from \"cloud\" itself, but from tightly coupled toolchains and proprietary managed services (buildpacks, CI\u002FCD, observability, add-ons, APIs). 
A DevOps-as-a-Service approach is particularly strong when it relies on open interfaces, portable artifacts, and clear exit paths.",[56,16604,16605],{},"This gives you:",[103,16607,16608,16614,16620],{},[106,16609,16610,16613],{},[109,16611,16612],{},"Less lock-in"," through standardized deployments and portable workloads",[106,16615,16616,16619],{},[109,16617,16618],{},"Legal clarity"," through European infrastructure and contracts",[106,16621,16622,16625],{},[109,16623,16624],{},"Operational relief"," without full self-hosting",[187,16627,16629],{"id":16628},"why-daas-platforms-are-often-even-stronger-than-paas","Why DaaS Platforms Are Often Even Stronger Than PaaS",[56,16631,16632],{},"DaaS platforms operate at an even higher level than classic PaaS because not only is \"a platform provided,\" but ongoing operations are also organized as a service.",[56,16634,16635,16636,16639],{},"This is especially advantageous when you want sovereignty ",[2186,16637,16638],{},"and"," speed but can't or don't want to build your own team for 24\u002F7 operations, security hardening, and platform maintenance.",[56,16641,16642],{},"Typical advantages over PaaS:",[103,16644,16645,16651,16657,16663],{},[106,16646,16647,16650],{},[109,16648,16649],{},"Fewer platform specifics in daily work:"," When build, deploy, and operations are based on standards, you depend less on proprietary workflow details.",[106,16652,16653,16656],{},[109,16654,16655],{},"Better operational reality:"," Patching, hardening, backups, monitoring, and incident handling aren't \"your problem\" — they're contractually defined services.",[106,16658,16659,16662],{},[109,16660,16661],{},"Sovereignty is verifiable:"," Transparent processes, clear responsibilities, and documented exit paths make compliance and audits easier.",[106,16664,16665,16668],{},[109,16666,16667],{},"Faster to a productive environment:"," You use a proven operating environment without having to build it yourself 
first.",[56,16670,16671,16672,16675],{},"In short: DevOps-as-a-Service and DaaS platforms are often the most pragmatic way to scale ",[2186,16673,16674],{},"in a controlled manner"," without trading sovereignty for team burnout or risk.",[56,16677,16678,16679,415],{},"lowcloud offers this middle ground for teams that don't want to choose between comfort and control. If you want to know how that feels in practice, you'll find an entry point at ",[60,16680,12516],{"href":12514,"rel":16681},[64],[479,16683],{},[71,16685,16687],{"id":16686},"exit-strategy-sensible-pragmatism-or-false-compromise","Exit Strategy: Sensible Pragmatism or False Compromise?",[56,16689,16690],{},"An exit strategy is no substitute for sovereignty, but it's better than no consideration at all. Anyone introducing a SaaS provider should clarify in advance:",[103,16692,16693,16696,16699,16702],{},[106,16694,16695],{},"In what format can data be exported? (CSV, JSON, open protocols, or proprietary formats?)",[106,16697,16698],{},"Is there a documented migration API?",[106,16700,16701],{},"How long is data accessible after contract termination?",[106,16703,16704],{},"What dependencies arise through integrations with other systems?",[56,16706,16707],{},"Vendor lock-in rarely results from a single big decision — it creeps in through a hundred small integrations, proprietary workflows, and the sheer effort of migration. Keeping this in mind can at least ensure that switching remains possible.",[56,16709,16710],{},"An exit strategy makes sense for applications with low to medium protection requirements where the operational costs of a more sovereign model exceed the benefit. 
It's not a substitute for a well-thought-out data strategy, but a reasonable pragmatism.",[479,16712],{},[71,16714,16716],{"id":16715},"sovereignty-criteria-for-saas-selection","Sovereignty Criteria for SaaS Selection",[56,16718,16719],{},"Here's a practical checklist for evaluation:",[56,16721,16722],{},[109,16723,16724],{},"Legal:",[103,16726,16729,16738,16744,16750],{"className":16727},[16728],"contains-task-list",[106,16730,16733,16737],{"className":16731},[16732],"task-list-item",[16734,16735],"input",{"disabled":14,"type":16736},"checkbox","  No US company or US parent company",[106,16739,16741,16743],{"className":16740},[16732],[16734,16742],{"disabled":14,"type":16736},"  No sub-processors with CLOUD Act risk",[106,16745,16747,16749],{"className":16746},[16732],[16734,16748],{"disabled":14,"type":16736},"  Valid data processing agreement (DPA) per Art. 28 GDPR",[106,16751,16753,16755],{"className":16752},[16732],[16734,16754],{"disabled":14,"type":16736},"  Data processing records available on request",[56,16757,16758],{},[109,16759,16760],{},"Technical:",[103,16762,16764,16770,16776,16782],{"className":16763},[16728],[106,16765,16767,16769],{"className":16766},[16732],[16734,16768],{"disabled":14,"type":16736},"  Data center in the EU (preferably Germany\u002FAustria)",[106,16771,16773,16775],{"className":16772},[16732],[16734,16774],{"disabled":14,"type":16736},"  Certifications: ISO 27001, BSI C5, or equivalent",[106,16777,16779,16781],{"className":16778},[16732],[16734,16780],{"disabled":14,"type":16736},"  Encryption at rest and in transit documented",[106,16783,16785,16787],{"className":16784},[16732],[16734,16786],{"disabled":14,"type":16736},"  Access controls and audit logs available",[56,16789,16790],{},[109,16791,16792],{},"Operational:",[103,16794,16796,16802,16808],{"className":16795},[16728],[106,16797,16799,16801],{"className":16798},[16732],[16734,16800],{"disabled":14,"type":16736},"  Data export in open, machine-readable 
formats",[106,16803,16805,16807],{"className":16804},[16732],[16734,16806],{"disabled":14,"type":16736},"  Clear SLAs and incident response processes",[106,16809,16811,16813],{"className":16810},[16732],[16734,16812],{"disabled":14,"type":16736},"  No forced dependency through proprietary APIs",[479,16815],{},[71,16817,16819],{"id":16818},"conclusion-no-one-size-fits-all-but-a-clear-tiered-model","Conclusion: No One-Size-Fits-All, but a Clear Tiered Model",[56,16821,16822],{},"Sovereign cloud is not an all-or-nothing question. What applies to a hospital with patient data doesn't have to apply to a startup with internal project management data. A pragmatic tiered model based on protection requirements:",[56,16824,16825,16828],{},[109,16826,16827],{},"Low protection requirement"," (e.g., marketing tools, internal wikis): European SaaS providers with a clean DPA and exit strategy are sufficient.",[56,16830,16831,16834],{},[109,16832,16833],{},"Medium protection requirement"," (e.g., customer data, business processes): European provider without US dependencies, strong certifications, or sovereign PaaS.",[56,16836,16837,16840],{},[109,16838,16839],{},"High protection requirement"," (e.g., healthcare data, critical infrastructure): Self-hosting on own or dedicated infrastructure, open-source stack, full control.",[56,16842,16843],{},"The question isn't whether SaaS can be sovereign. Some providers and models come very close. 
The question is whether that's sufficient for your specific use case and protection requirement — and whether you can prove it when someone asks.",{"title":490,"searchDepth":491,"depth":491,"links":16845},[16846,16847,16850,16853,16858,16859,16860],{"id":16409,"depth":491,"text":16410},{"id":16447,"depth":491,"text":16448,"children":16848},[16849],{"id":16471,"depth":499,"text":16472},{"id":16508,"depth":491,"text":16509,"children":16851},[16852],{"id":16554,"depth":499,"text":16555},{"id":16563,"depth":491,"text":16564,"children":16854},[16855,16856,16857],{"id":16573,"depth":499,"text":16574},{"id":16590,"depth":499,"text":16591},{"id":16628,"depth":499,"text":16629},{"id":16686,"depth":491,"text":16687},{"id":16715,"depth":491,"text":16716},{"id":16818,"depth":491,"text":16819},"2026-03-11","SaaS services are indispensable in daily work, yet pressure is growing to prove control over data. This article shows how to assess how sovereign a SaaS provider really is.",{"src":16864},"\u002Fimages\u002Fblog\u002Fsovereign-cloud-saas-data-control.jpg",{},{"title":16393,"description":16862},"en\u002F3.blog\u002F18.sovereign-cloud-saas-data-control","CQHGckDvDtbYo7x__uv9XNxBltEtsUb_MkGF9wyU66w",{"id":16870,"title":16871,"authors":16872,"badge":10,"body":16875,"date":17270,"description":17271,"extension":510,"image":17272,"lastUpdated":3942,"meta":17274,"navigation":14,"path":8329,"published":14,"seo":17275,"stem":17276,"tags":10,"__hash__":17277},"posts\u002Fen\u002F3.blog\u002F17.paas-vs-daas.md","PaaS vs. 
DaaS: What",[16873],{"name":43,"to":44,"avatar":16874},{"src":46},{"type":48,"value":16876,"toc":17253},[16877,16880,16884,16889,16892,16896,16915,16918,16932,16935,16939,16942,16945,16949,16956,16959,16996,16999,17003,17006,17009,17013,17016,17019,17051,17055,17058,17065,17068,17079,17082,17086,17089,17097,17100,17105,17108,17112,17120,17124,17127,17219,17222,17226,17229,17235,17242,17245,17247,17250],[56,16878,16879],{},"PaaS (Platform-as-a-Service) and DaaS (DevOps-as-a-Service) often come up in the same conversation but mean fundamentally different things. One takes infrastructure off your plate, the other handles DevOps processes. Knowing the difference leads to better architecture decisions and prevents wasting budget on services that solve the wrong problem.",[71,16881,16883],{"id":16882},"what-is-paas","What Is PaaS?",[56,16885,16886,16888],{},[60,16887,10011],{"href":80}," means a provider gives you a complete runtime environment for your applications. You write code, you push code, and the platform takes care of the rest.",[56,16890,16891],{},"In practice, that means: no server provisioning, no operating system configuration, no managing runtime versions. The provider handles infrastructure, networking, storage, load balancing, and automatic scaling. You work at an abstraction level where deployment and operations are virtually invisible.",[187,16893,16895],{"id":16894},"typical-paas-providers","Typical PaaS Providers",[56,16897,16898,16899,557,16902,1842,16905,16910,16911,16914],{},"The best-known representatives are ",[60,16900,65],{"href":62,"rel":16901},[64],[60,16903,367],{"href":8271,"rel":16904},[64],[60,16906,16909],{"href":16907,"rel":16908},"https:\u002F\u002Fazure.microsoft.com\u002Fen-us\u002Fproducts\u002Fapp-service",[64],"Azure App Service."," Beyond these, there are ",[60,16912,16913],{"href":514},"countless others",". 
They all follow the same basic principle: you define your application, everything else runs automatically.",[56,16916,16917],{},"The typical PaaS workflow looks like this:",[3976,16919,16920,16923,16926,16929],{},[106,16921,16922],{},"Push code to a repository",[106,16924,16925],{},"The platform detects the framework, builds a container or runtime environment",[106,16927,16928],{},"The app is deployed and immediately accessible",[106,16930,16931],{},"Scaling happens rule-based or manually via a slider",[56,16933,16934],{},"This works well for standardized workloads. Node.js apps, Python services, containerized microservices — as long as you stay within the framework the provider prescribes, the developer experience is genuinely pleasant.",[187,16936,16938],{"id":16937},"when-paas-is-the-right-choice","When PaaS Is the Right Choice",[56,16940,16941],{},"PaaS makes sense when your team is small, wants to iterate quickly, and doesn't have a dedicated ops role. For early-stage products, internal tools, or standardized web applications, PaaS is often the fastest and most cost-effective option.",[56,16943,16944],{},"The limits show when you have individual requirements: special network configurations, complex multi-service architectures, compliance requirements, or simply more control over your deployment environment. That's when the \"opinionated\" approach of most PaaS providers quickly hits its boundaries.",[71,16946,16948],{"id":16947},"what-is-daas","What Is DaaS?",[56,16950,16951,16955],{},[109,16952,16953],{},[60,16954,4894],{"href":486}," operates on a different level. It's not about where your application runs, but how it's built, tested, and deployed. 
DaaS providers take over the automation of your development and operations processes.",[56,16957,16958],{},"In practice, this includes:",[103,16960,16961,16967,16972,16978,16984,16990],{},[106,16962,16963,16966],{},[109,16964,16965],{},"CI\u002FCD Pipelines",": Automatic build, test, and deployment workflows",[106,16968,16969,16971],{},[109,16970,10317],{},": Managing your infrastructure through versioned code (Terraform, Ansible, Helm)",[106,16973,16974,16977],{},[109,16975,16976],{},"Monitoring and Alerting",": Setting up and running observability stacks",[106,16979,16980,16983],{},[109,16981,16982],{},"Container Orchestration",": Setting up, operating, and updating Kubernetes clusters",[106,16985,16986,16989],{},[109,16987,16988],{},"Server Updating & Patching",": OS updates, security patches, maintenance windows, and rollouts without downtime (where possible)",[106,16991,16992,16995],{},[109,16993,16994],{},"Security Scanning",": Automatic inspection of images and dependencies",[56,16997,16998],{},"DaaS is therefore not a replacement for a deployment platform, but a wrapper around your existing processes. You bring the code, DaaS brings the pipeline.",[187,17000,17002],{"id":17001},"what-daas-actually-delivers","What DaaS Actually Delivers",[56,17004,17005],{},"A DaaS provider typically sets up a GitLab or GitHub infrastructure with ready-made pipelines, connects it to a Kubernetes cluster, provides monitoring dashboards, and takes over the ongoing operation of these tools. As a team, you no longer have to build and maintain the pipeline yourself — you just use it.",[56,17007,17008],{},"That sounds appealing, but there's a catch: the dependency on the provider is real. 
If you don't understand what's happening in your pipeline, you're lost when troubleshooting.",[71,17010,17012],{"id":17011},"daas-platform-when-devops-as-a-service-gets-productized","DaaS Platform: When DevOps-as-a-Service Gets Productized",[56,17014,17015],{},"DaaS often doesn't just mean \"a service provider who sets up Jenkins for you,\" but rather a DaaS platform: a standardized product that offers recurring DevOps tasks as self-service (or as a heavily guided process).",[56,17017,17018],{},"Typical building blocks of a DaaS platform:",[103,17020,17021,17027,17033,17039,17045],{},[106,17022,17023,17026],{},[109,17024,17025],{},"Golden Paths"," for build, test, release (predefined pipeline templates)",[106,17028,17029,17032],{},[109,17030,17031],{},"Standardized Environments"," (dev\u002Fstaging\u002Fprod), including policies and secrets handling",[106,17034,17035,17038],{},[109,17036,17037],{},"Observability Out of the Box"," (logs, metrics, traces, alerts)",[106,17040,17041,17044],{},[109,17042,17043],{},"Security & Compliance"," as default (scanning, SBOM, signatures, role models)",[106,17046,17047,17050],{},[109,17048,17049],{},"Automated Platform Operations"," (updates, backups, drift detection, patch management)",[71,17052,17054],{"id":17053},"dependency-lock-in-often-lower-with-daas-than-with-paas","Dependency (Lock-in): Often Lower with DaaS Than with PaaS",[56,17056,17057],{},"An important difference is what happens when you switch providers.",[56,17059,17060,17061,17064],{},"With a PaaS, the hosting model is often tightly coupled to proprietary building blocks (buildpacks, add-ons, routing\u002Fconfig models, platform APIs). 
When you leave, you don't just lose \"convenience\" — you often lose a large part of your app's ",[2186,17062,17063],{},"operational capability"," and have to completely rebuild deployment, scaling, logging, secrets, etc.",[56,17066,17067],{},"With a DaaS platform, the dependency is often lower because it typically relies on tools and automation that you could operate yourself if needed:",[103,17069,17070,17073,17076],{},[106,17071,17072],{},"You can continue using the CI\u002FCD pipelines, IaC repos, and deploy scripts.",[106,17074,17075],{},"You can fall back to \"manual\" mode (more effort, but functionally possible) until you've found a new platform\u002Fpartner.",[106,17077,17078],{},"The transition is then more of an operational pain (time\u002Fknow-how), not necessarily a complete architecture restart.",[56,17080,17081],{},"This doesn't mean DaaS is automatically lock-in-free (templates, policies, proprietary pipeline DSLs can still create lock-in), but you generally have a clearer exit path than with a strongly opinionated PaaS. 
This exit path is an important building block for companies with a digital sovereignty strategy.",[71,17083,17085],{"id":17084},"combining-paas-daas-platform-for-apps-platform-for-delivery","Combining PaaS + DaaS: Platform for Apps, Platform for Delivery",[56,17087,17088],{},"In practice, you almost always need both:",[103,17090,17091,17094],{},[106,17092,17093],{},"A PaaS layer that simplifies deployments, routing, scaling, and runtime standards.",[106,17095,17096],{},"A DaaS layer that standardizes the delivery process (CI\u002FCD, policies, security, observability).",[56,17098,17099],{},"When you combine PaaS and DaaS well, you get an end-to-end chain:",[56,17101,17102,415],{},[109,17103,17104],{},"Git Push → Build\u002FTest → Policy\u002FSecurity Checks → Deploy → Observability\u002FAlerting → Rollback\u002FScaling",[56,17106,17107],{},"Kubernetes is often the connecting element: it can be the runtime foundation (for the PaaS) and simultaneously the target of your pipelines (for the DaaS).",[187,17109,17111],{"id":17110},"when-daas-makes-sense","When DaaS Makes Sense",[56,17113,17114,17115,17117,17118,415],{},"DaaS is a good fit for teams that have strong development output but don't want to or can't employ their own DevOps specialists. Mid-sized companies that want to use Kubernetes without building a full ",[60,17116,11459],{"href":10914}," team are classic DaaS customers. A detailed comparison of building your own DevOps practice versus using it as a service can be found in our article ",[60,17119,15496],{"href":5984},[71,17121,17123],{"id":17122},"paas-vs-daas-the-direct-comparison","PaaS vs. 
DaaS — the Direct Comparison",[56,17125,17126],{},"The fundamental difference lies in the abstraction level:",[1305,17128,17129,17139],{},[1308,17130,17131],{},[1311,17132,17133,17135,17137],{},[1314,17134],{},[1314,17136,8320],{},[1314,17138,9461],{},[1335,17140,17141,17154,17167,17180,17193,17206],{},[1311,17142,17143,17148,17151],{},[1340,17144,17145],{},[109,17146,17147],{},"What is provided?",[1340,17149,17150],{},"Runtime environment for applications",[1340,17152,17153],{},"DevOps processes and automation",[1311,17155,17156,17161,17164],{},[1340,17157,17158],{},[109,17159,17160],{},"Primary goal",[1340,17162,17163],{},"Deploy applications quickly",[1340,17165,17166],{},"Automate development and operations processes",[1311,17168,17169,17174,17177],{},[1340,17170,17171],{},[109,17172,17173],{},"Primary users",[1340,17175,17176],{},"Developers",[1340,17178,17179],{},"Developers, DevOps teams, engineering management",[1311,17181,17182,17187,17190],{},[1340,17183,17184],{},[109,17185,17186],{},"Provider responsibility",[1340,17188,17189],{},"Infrastructure, runtime, scaling",[1340,17191,17192],{},"CI\u002FCD, IaC, monitoring, cluster operations",[1311,17194,17195,17200,17203],{},[1340,17196,17197],{},[109,17198,17199],{},"Team responsibility",[1340,17201,17202],{},"Application code",[1340,17204,17205],{},"Code + deployment configuration",[1311,17207,17208,17213,17216],{},[1340,17209,17210],{},[109,17211,17212],{},"Typical examples",[1340,17214,17215],{},"Heroku, Google App Engine",[1340,17217,17218],{},"Managed GitLab CI, CircleCI, AWS CodePipeline, lowcloud",[56,17220,17221],{},"An important observation: the boundaries are increasingly blurring. Modern PaaS providers integrate CI\u002FCD features, and some DaaS offerings include a hosting substrate. 
When evaluating an offering, it's worth asking precisely: where does the provider's responsibility end, and where does mine begin?",[71,17223,17225],{"id":17224},"what-if-you-need-both","What If You Need Both?",[56,17227,17228],{},"The reality in many engineering teams looks like this: you don't want to manage raw infrastructure, nor do you want to lock yourself into a rigid PaaS model. You want a platform that hosts applications and brings the automation along with it.",[56,17230,17231,17232,17234],{},"This is exactly where Kubernetes-based DaaS platforms come into play. ",[60,17233,1543],{"href":1542}," itself is neither PaaS nor DaaS. It's the foundation on which both can be built. A well-configured K8s platform gives you the deployment abstraction of a PaaS without taking away your DevOps control.",[56,17236,17237,17238,17241],{},"lowcloud is such a platform. It runs on Kubernetes with ",[60,17239,17240],{"href":8155},"zero-configuration defaults",", gives you ready-made deployment workflows, and simultaneously leaves you the freedom to design pipelines, configurations, and processes yourself. No lock-in to proprietary abstractions, no black box. You know what's running, and you can customize it.",[56,17243,17244],{},"That's the difference between a service you use and a platform you understand and control.",[71,17246,2102],{"id":2101},[56,17248,17249],{},"PaaS and DaaS are not alternatives to each other. They solve different problems. PaaS takes infrastructure management off your hands. DaaS takes the building and operation of DevOps processes off your hands. Both models have their place, and many teams benefit from elements of both.",[56,17251,17252],{},"If you take Kubernetes as your foundation and build a platform on top that combines both, you don't even have to make that choice anymore. 
lowcloud does exactly that — as a sovereign, Kubernetes-native platform that serves developers and DevOps teams equally.",{"title":490,"searchDepth":491,"depth":491,"links":17254},[17255,17259,17262,17263,17264,17267,17268,17269],{"id":16882,"depth":491,"text":16883,"children":17256},[17257,17258],{"id":16894,"depth":499,"text":16895},{"id":16937,"depth":499,"text":16938},{"id":16947,"depth":491,"text":16948,"children":17260},[17261],{"id":17001,"depth":499,"text":17002},{"id":17011,"depth":491,"text":17012},{"id":17053,"depth":491,"text":17054},{"id":17084,"depth":491,"text":17085,"children":17265},[17266],{"id":17110,"depth":499,"text":17111},{"id":17122,"depth":491,"text":17123},{"id":17224,"depth":491,"text":17225},{"id":2101,"depth":491,"text":2102},"2026-03-10","PaaS and DaaS often come up in the same conversation but mean fundamentally different things. One takes infrastructure off your plate, the other handles DevOps processes. Knowing the difference leads to better architecture decisions.",{"src":17273},"\u002Fimages\u002Fblog\u002Fpaas-vs-daas.jpg",{},{"title":16871,"description":17271},"en\u002F3.blog\u002F17.paas-vs-daas","PuZa9214SCGpojSJ5Ee8BSDBwufZUIQlxh0MIOeyYNA",{"id":17279,"title":17280,"authors":17281,"badge":10,"body":17284,"date":17573,"description":17288,"extension":510,"image":17574,"lastUpdated":6920,"meta":17576,"navigation":14,"path":6827,"published":14,"seo":17577,"stem":17578,"tags":10,"__hash__":17579},"posts\u002Fen\u002F3.blog\u002F16.cloud-sovereignty-governance.md","Cloud Sovereignty Governance: Why This Topic Belongs in the Boardroom, Not the Server 
Room",[17282],{"name":43,"to":44,"avatar":17283},{"src":46},{"type":48,"value":17285,"toc":17562},[17286,17289,17293,17300,17303,17322,17332,17335,17340,17344,17347,17362,17365,17368,17372,17379,17393,17399,17403,17406,17409,17413,17416,17421,17424,17429,17432,17437,17440,17445,17448,17453,17456,17460,17463,17466,17469,17472,17475,17479,17482,17485,17517,17521,17524,17527,17532,17535,17540,17543,17548,17551,17554,17556,17559],[56,17287,17288],{},"If you are still delegating cloud sovereignty to your IT lead in 2026, you have not understood the regulatory risk. NIS2, DORA, and growing geopolitical uncertainties make a demonstrable sovereign cloud policy mandatory. The responsibility lies not in the server room, but in the boardroom.",[71,17290,17292],{"id":17291},"what-cloud-sovereignty-really-means-in-2026","What Cloud Sovereignty Really Means in 2026",[56,17294,17295,17296,17299],{},"The misconception runs through many organizations: you host GDPR-compliantly, the data sits somewhere in Frankfurt, so you are sovereign. ",[60,17297,17298],{"href":5059},"That is not true"," — data residency and data sovereignty are fundamentally different concepts.",[56,17301,17302],{},"Cloud sovereignty is more than data localization. It describes who actually has control over data, infrastructure, and access — and who does not. 
Three dimensions are critical:",[103,17304,17305,17311,17317],{},[106,17306,17307,17310],{},[109,17308,17309],{},"Data sovereignty:"," Who defines, classifies, and controls data usage (including key\u002Frights management and data flows)?",[106,17312,17313,17316],{},[109,17314,17315],{},"Operational sovereignty:"," Who operates the platform day-to-day, and who can technically enforce changes, admin access, or support access?",[106,17318,17319,17321],{},[109,17320,16426],{}," To what extent is the provider (corporate structure\u002Flegal jurisdiction) protected from extraterritorial access rights, or can exclude such access?",[56,17323,17324,17325,17328,17329,415],{},"A detailed breakdown of these three concepts can be found in our ",[60,17326,17327],{"href":8917},"Cloud Sovereignty Framework article",". What sovereignty means technically, we described in our ",[60,17330,17331],{"href":333},"cloud vendor lock-in analysis",[56,17333,17334],{},"A hyperscaler with a German data center can organizationally support data sovereignty and operational sovereignty, but legal immunity depends significantly on the provider's corporate structure and legal jurisdiction. And that is where it gets complicated.",[56,17336,1701,17337,17339],{},[60,17338,6823],{"href":6023}," (Clarifying Lawful Overseas Use of Data Act) allows US authorities to access data from US companies, regardless of where the data is physically stored. A data center in Munich does not protect you from a CLOUD Act request if the operator has a US parent company. This is not theory — it is current US federal law.",[71,17341,17343],{"id":17342},"why-many-companies-are-repositioning-this-topic","Why Many Companies Are Repositioning This Topic",[56,17345,17346],{},"Cloud sovereignty is no longer viewed as an IT project in many organizations, but as part of risk management — comparable to fire safety or compliance management. 
This is a paradigm shift, and it has concrete reasons.",[56,17348,17349,17350,17353,17354,17357,17358,17361],{},"The first reason is regulatory pressure. ",[60,17351,12775],{"href":14959,"rel":17352},[64]," has been transposed into German law since October 2024. ",[60,17355,17356],{"href":13309},"DORA"," has been in effect since January 2025 for the financial sector. The ",[60,17359,17360],{"href":6925},"Data Governance Act adds further obligations"," around data sharing and intermediation. All these regulatory frameworks require not statements of intent, but demonstrable measures including documented cloud governance.",[56,17363,17364],{},"The second reason is geopolitical. Recent years have shown that dependencies on non-European cloud infrastructures are a strategic risk. What sounded like an abstract scenario has materialized in concrete supply chain problems and political tensions.",[56,17366,17367],{},"The third reason is economic. Companies operating in the public sector or in sensitive B2B areas lose contracts if they cannot demonstrate a credible cloud sovereignty strategy. This is not a future scenario — it is happening today in procurement processes.",[71,17369,17371],{"id":17370},"nis2-and-dora-what-is-concretely-required-of-you","NIS2 and DORA: What Is Concretely Required of You",[56,17373,17374,17375,17378],{},"NIS2 targets companies in critical and important sectors: energy, transport, healthcare, digital infrastructure, financial services, and more. For a detailed breakdown of what ",[60,17376,17377],{"href":13084},"NIS2 demands from DevOps teams"," technically, see our compliance guide. 
The requirements are specific:",[103,17380,17381,17384,17387,17390],{},[106,17382,17383],{},"Risk analysis and documentation of IT security measures",[106,17385,17386],{},"Demonstrable security policies for the use of cloud services",[106,17388,17389],{},"Reporting obligations for security incidents",[106,17391,17392],{},"Management liability — board members and managing directors can be held personally responsible",[56,17394,17395,17398],{},[60,17396,17397],{"href":13309},"DORA goes even further for financial institutions",". The Digital Operational Resilience Act requires comprehensive ICT risk management that explicitly covers cloud dependencies. Third-party contracts must contain exit strategies, critical service providers must be audited, and all of this must be documented and auditable.",[187,17400,17402],{"id":17401},"what-is-missing-in-an-audit-when-no-policy-exists","What Is Missing in an Audit When No Policy Exists",[56,17404,17405],{},"Imagine a NIS2 audit. The auditor asks for your cloud governance documentation. You show your AWS contract. The auditor asks for the documented risk analysis regarding third-country access. You do not have one. They ask about the exit strategy. Also missing.",[56,17407,17408],{},"This is not a niche scenario. This is the reality in many mid-sized companies that use cloud services productively but have never developed a formal sovereign cloud policy. The consequences range from fines to personal liability of the management.",[71,17410,17412],{"id":17411},"what-a-sovereign-cloud-policy-must-contain","What a Sovereign Cloud Policy Must Contain",[56,17414,17415],{},"A sovereign cloud policy is not a 50-page rulebook. It is a clear, living document that answers five core questions:",[56,17417,17418],{},[109,17419,17420],{},"1. Data Categorization and Localization Rules",[56,17422,17423],{},"Which data may reside in which cloud environments? 
Personal data, IP-sensitive data, and regulatory-relevant data require different treatment.",[56,17425,17426],{},[109,17427,17428],{},"2. Provider Qualification",[56,17430,17431],{},"By what criteria do you select cloud providers? Provider's legal jurisdiction, certifications (BSI C5, ISO 27001, SOC 2), sub-processors. This must be defined and regularly reviewed.",[56,17433,17434],{},[109,17435,17436],{},"3. Access Control and Monitoring",[56,17438,17439],{},"Who has access to production data? How is access logged? Are there technical measures against unauthorized third-country access (e.g., end-to-end encryption with self-managed keys)?",[56,17441,17442],{},[109,17443,17444],{},"4. Exit Strategy",[56,17446,17447],{},"How do you migrate data and workloads if a provider fails or no longer meets your requirements? What timelines, formats, and costs are realistic?",[56,17449,17450],{},[109,17451,17452],{},"5. Responsibilities and Review Cycle",[56,17454,17455],{},"Who is internally responsible for the policy? When is it reviewed? Which changes in the regulatory environment trigger a revision?",[71,17457,17459],{"id":17458},"why-this-is-not-a-one-person-decision","Why This Is Not a One-Person Decision",[56,17461,17462],{},"The CTO can be responsible for the technical implementation. But a sovereign cloud policy has dimensions that go beyond IT.",[56,17464,17465],{},"The CFO must understand the economic dependencies: What does a forced provider switch cost? What does a compliance violation cost? What does a data breach cost that resulted from missing sovereignty measures?",[56,17467,17468],{},"The Head of Legal \u002F General Counsel must know the contract architecture: Which clauses in provider contracts are non-negotiable for DORA-compliant companies? Which third-country clauses are currently being silently accepted?",[56,17470,17471],{},"And the CEO or the board bears the ultimate responsibility. 
Under NIS2, explicitly and personally.",[56,17473,17474],{},"This is the real reason why cloud sovereignty is becoming a C-level issue: not because the topic is complex, but because liability is moving upward.",[71,17476,17478],{"id":17477},"european-alternatives-what-matters-in-provider-comparisons","European Alternatives: What Matters in Provider Comparisons",[56,17480,17481],{},"The market for sovereign cloud solutions has developed significantly over the past two years. There are more options than in 2023, but also more ambiguity about what \"sovereign\" actually means for a provider.",[56,17483,17484],{},"Pay attention to the following criteria:",[103,17486,17487,17493,17499,17505,17511],{},[106,17488,17489,17492],{},[109,17490,17491],{},"Legal jurisdiction:"," Is the provider a European company without a US parent company?",[106,17494,17495,17498],{},[109,17496,17497],{},"Operations:"," Are the data centers operated by the provider themselves or rented from a hyperscaler?",[106,17500,17501,17504],{},[109,17502,17503],{},"Certifications:"," BSI C5 Type 2 is the relevant standard for the German market. ISO 27001 alone is not sufficient.",[106,17506,17507,17510],{},[109,17508,17509],{},"Key management:"," Who controls the encryption keys? Do you have the option to use BYOK (Bring Your Own Key)?",[106,17512,17513,17516],{},[109,17514,17515],{},"Contractual safeguards:"," Are there explicit clauses that exclude or make third-country access subject to documentation requirements?",[71,17518,17520],{"id":17519},"first-steps-how-to-start-today","First Steps: How to Start Today",[56,17522,17523],{},"You do not need to start with a complete policy document. But you need to start.",[56,17525,17526],{},"A pragmatic approach in three phases:",[56,17528,17529],{},[109,17530,17531],{},"Phase 1: Inventory (2–4 weeks)",[56,17533,17534],{},"Map all cloud services in use. Note for each service: provider, legal jurisdiction, data class, contractual basis. 
This sounds trivial but is not documented in most companies.",[56,17536,17537],{},[109,17538,17539],{},"Phase 2: Risk Assessment (2–3 weeks)",[56,17541,17542],{},"Identify the three to five most critical dependencies. Where would a forced switch hurt the most? Which services process the most sensitive data?",[56,17544,17545],{},[109,17546,17547],{},"Phase 3: Policy Draft (4–6 weeks)",[56,17549,17550],{},"Write a first version of the sovereign cloud policy. Get legal feedback. Approve the document at management level. Schedule the first review date.",[56,17552,17553],{},"This is not a large project. It is a manageable process that must be actively initiated — preferably before the first NIS2 audit is on the calendar.",[479,17555],{},[56,17557,17558],{},"Cloud sovereignty is a leadership task, not an infrastructure question. The companies that understand this in 2026 will face audits with confidence and score points in procurement processes. The others will learn the hard way.",[56,17560,17561],{},"If you want to run sovereign Kubernetes workloads on a European DaaS platform (DevOps as a Service) that is designed from the ground up for data control and compliance, take a look at lowcloud. 
No dependency on US hyperscalers, no CLOUD Act risk, no hidden third-country transfers — a platform that technically implements your sovereign cloud policy, not undermines it.",{"title":490,"searchDepth":491,"depth":491,"links":17563},[17564,17565,17566,17569,17570,17571,17572],{"id":17291,"depth":491,"text":17292},{"id":17342,"depth":491,"text":17343},{"id":17370,"depth":491,"text":17371,"children":17567},[17568],{"id":17401,"depth":499,"text":17402},{"id":17411,"depth":491,"text":17412},{"id":17458,"depth":491,"text":17459},{"id":17477,"depth":491,"text":17478},{"id":17519,"depth":491,"text":17520},"2026-03-09",{"src":17575},"\u002Fimages\u002Fblog\u002Fcloud-souveraenitaet-governance.jpg",{},{"title":17280,"description":17288},"en\u002F3.blog\u002F16.cloud-sovereignty-governance","Y-DokpUHBQneEEgD8aHs-OALQe1BYMpxaGEbegYhiko",{"id":17581,"title":17582,"authors":17583,"badge":10,"body":17586,"date":17919,"description":17590,"extension":510,"image":17920,"lastUpdated":3938,"meta":17922,"navigation":14,"path":486,"published":14,"seo":17923,"stem":17924,"tags":10,"__hash__":17925},"posts\u002Fen\u002F3.blog\u002F15.devops-as-a-service.md","What Is DevOps as a Service and When Does It Actually Make Sense?",[17584],{"name":43,"to":44,"avatar":17585},{"src":46},{"type":48,"value":17587,"toc":17903},[17588,17591,17595,17598,17601,17610,17614,17617,17620,17624,17631,17636,17640,17643,17646,17649,17652,17679,17682,17686,17689,17704,17715,17718,17722,17729,17732,17735,17739,17742,17745,17765,17771,17775,17778,17787,17793,17799,17805,17809,17812,17818,17824,17830,17836,17841,17845,17848,17854,17860,17866,17872,17876,17879,17882,17885,17896,17898],[56,17589,17590],{},"DevOps as a Service sounds like yet another buzzword. But behind it lies a concrete model that can take real work off development teams, when applied correctly. 
This article explains what DaaS means, what a provider actually delivers, and where the limits of the model lie.",[71,17592,17594],{"id":17593},"what-devops-as-a-service-means","What DevOps as a Service Means",[56,17596,17597],{},"DevOps as a Service (DaaS for short) is a service model in which companies outsource their DevOps processes, tools, and infrastructure to an external provider. The provider takes over the setup and operation of CI\u002FCD pipelines, infrastructure automation, container orchestration, and monitoring. Everything that would otherwise require a dedicated internal team.",[56,17599,17600],{},"This is not a new idea, but the term has gained clarity in recent years. The reason: the complexity of modern software delivery has increased significantly. Managing Kubernetes clusters, setting up GitOps workflows, running observability stacks — all of this requires time and expertise that many teams simply don't have.",[56,17602,17603,17604,17606,17607,17609],{},"DevOps as a Service is not a replacement for DevOps culture, but a way to create the technical prerequisites for it faster and with less internal effort. For how ",[60,17605,16049],{"href":11063}," build shared ownership in practice, see our guide. For organizations that have outgrown basic DevOps, ",[60,17608,11459],{"href":10914}," takes these foundations further by building an Internal Developer Platform.",[187,17611,17613],{"id":17612},"how-it-differs-from-classic-devops","How It Differs from Classic DevOps",[56,17615,17616],{},"Classic DevOps is a way of working: development and operations collaborate, processes are automated, feedback loops get shorter. It's a matter of team organization and company culture. Not a product you can buy.",[56,17618,17619],{},"DaaS picks up exactly there: the external provider delivers the tools, platforms, and automations needed for modern DevOps processes. 
The internal team doesn't have to build and maintain them themselves.",[187,17621,17623],{"id":17622},"how-it-differs-from-paas","How It Differs from PaaS",[56,17625,17626,17630],{},[109,17627,17628],{},[60,17629,10011],{"href":80}," (PaaS) provides a runtime environment. The provider takes care of servers, operating systems, and often middleware as well. The developer deploys their application, and the provider handles the rest.",[56,17632,17633,17634,415],{},"DaaS goes a step further. It covers not just the platform, but also the processes around it: pipeline design, deployment strategies, incident management, infrastructure automation. When a PaaS provider integrates these workflows, it approaches a DaaS model. A detailed comparison of DaaS vs. PaaS can be found in our article ",[60,17635,9927],{"href":8329},[71,17637,17639],{"id":17638},"what-a-daas-provider-actually-delivers","What a DaaS Provider Actually Delivers",[56,17641,17642],{},"The offering varies by provider, but most cover four core technical areas.",[187,17644,16965],{"id":17645},"cicd-pipelines",[56,17647,17648],{},"Continuous Integration and Continuous Delivery are the heart of modern software delivery. CI\u002FCD pipelines automatically build the code, run tests, and deploy to the target environment — without manual intervention.",[56,17650,17651],{},"A DaaS provider sets up and operates these pipelines. 
This typically includes:",[103,17653,17654,17670,17673,17676],{},[106,17655,17656,17657,557,17660,557,17665,5903],{},"Integration with the existing Git repository (",[60,17658,25],{"href":16069,"rel":17659},[64],[60,17661,17664],{"href":17662,"rel":17663},"https:\u002F\u002Fabout.gitlab.com\u002F",[64],"GitLab",[60,17666,17669],{"href":17667,"rel":17668},"https:\u002F\u002Fbitbucket.org\u002Fproduct\u002Fde",[64],"Bitbucket",[106,17671,17672],{},"Automatic build and test stages",[106,17674,17675],{},"Deployment to staging and production based on defined rules",[106,17677,17678],{},"Rollback mechanisms for failed deployments",[56,17680,17681],{},"Tools like GitLab CI, GitHub Actions, or Tekton are commonly used. The provider handles configuration, maintenance, and updates, while the team defines what gets deployed and when.",[187,17683,17685],{"id":17684},"infrastructure-automation","Infrastructure Automation",[56,17687,17688],{},"Manual server configuration is a relic. With Infrastructure as Code (IaC), the entire infrastructure is described as code, versioned, and provisioned automatically.",[56,17690,17691,17692,17695,17696,2283,17701,17703],{},"DaaS providers use tools like ",[60,17693,10354],{"href":10350,"rel":17694},[64]," for cloud infrastructure and ",[60,17697,17700],{"href":17698,"rel":17699},"https:\u002F\u002Fdocs.ansible.com\u002F",[64],"Ansible",[60,17702,2022],{"href":3634}," for configuration. This means:",[103,17705,17706,17709,17712],{},[106,17707,17708],{},"New environments can be set up in minutes instead of days",[106,17710,17711],{},"Infrastructure changes are traceable and reversible",[106,17713,17714],{},"No \"snowflake\" problem. 
Every environment is reproducibly identical",[56,17716,17717],{},"For teams that have been managing infrastructure manually or with unversioned scripts, this is a noticeable quality improvement.",[187,17719,17721],{"id":17720},"containers-and-kubernetes","Containers and Kubernetes",[56,17723,17724,17725,17728],{},"Containers are today's standard for packaging applications. They run the same everywhere: on the developer's laptop, in staging, in production. ",[60,17726,1543],{"href":2164,"rel":17727},[64]," orchestrates these containers: it manages deployments, automatically scales pods up and down, and ensures high availability.",[56,17730,17731],{},"However, Kubernetes does not run itself. Cluster upgrades, network configuration, secrets management, RBAC — operating a production-ready cluster demands constant attention.",[56,17733,17734],{},"A DaaS provider takes over exactly that: it operates the Kubernetes cluster, keeps it up to date, and gives the development team a clean interface to deploy applications. The team deploys, the provider ensures the platform runs.",[187,17736,17738],{"id":17737},"monitoring-and-observability","Monitoring and Observability",[56,17740,17741],{},"Anyone running applications needs to know what's happening inside them. Monitoring captures metrics like CPU usage, response times, and error rates. 
Observability goes further: logs, traces, and metrics together provide a complete picture of why a system behaves the way it does.",[56,17743,17744],{},"DaaS providers typically set up a complete observability stack:",[103,17746,17747,17753,17759,17762],{},[106,17748,17749,17752],{},[60,17750,6288],{"href":6286,"rel":17751},[64]," for metrics",[106,17754,17755,17758],{},[60,17756,6293],{"href":6291,"rel":17757},[64]," for dashboards and visualization",[106,17760,17761],{},"Loki or Elasticsearch for log aggregation",[106,17763,17764],{},"Alerting rules that notify the team of anomalies",[56,17766,17767,17768,17770],{},"For a deeper look at how these components work together, see our guide on ",[60,17769,15851],{"href":4125},". The advantage: the team doesn't have to build, configure, and maintain this stack themselves. They get dashboards and alerts that work right away.",[71,17772,17774],{"id":17773},"who-devops-as-a-service-is-right-for","Who DevOps as a Service Is Right For",[56,17776,17777],{},"DaaS is not a model for everyone. It pays off especially when one or more of the following apply:",[56,17779,17780,17783,17784,17786],{},[109,17781,17782],{},"No dedicated ops team available."," When developers also handle infrastructure on the side, both suffer — a pattern we explore in detail in our article on ",[60,17785,15792],{"href":9127},". DaaS gives the development team the tools without anyone needing to become a full-time ops engineer.",[56,17788,17789,17792],{},[109,17790,17791],{},"Rapid growth."," Startups and scale-ups often need to quickly set up new environments, deploy new services, and scale infrastructure alongside. An external provider can deliver this faster than an internal team could be built.",[56,17794,17795,17798],{},[109,17796,17797],{},"Focus on the product, not infrastructure."," For many teams, infrastructure is not a core differentiator. They want to build great software, not debug Kubernetes clusters. 
DaaS enables exactly that.",[56,17800,17801,17804],{},[109,17802,17803],{},"Limited budget for specialized staff."," Senior DevOps engineers are expensive and scarce. A DaaS provider bundles this know-how and makes it accessible to teams that couldn't or wouldn't afford it internally.",[71,17806,17808],{"id":17807},"what-devops-as-a-service-costs-build-vs-buy","What DevOps as a Service Costs: Build vs. Buy",[56,17810,17811],{},"The honest answer to the question \"What does DaaS cost?\" is: it depends. But the meaningful comparison is not price alone, but build vs. buy.",[56,17813,17814,17817],{},[109,17815,17816],{},"Building your own DevOps team"," means: recruiting (3–6 months if it goes well), onboarding, tooling decisions, license costs, ongoing maintenance, and internal knowledge silos. It often takes months before the first production system runs stably.",[56,17819,17820,17823],{},[109,17821,17822],{},"Buying DaaS"," means: the provider has already built it. The team can become productive in weeks, not months. In return, you pay a monthly fee — and give up some control.",[56,17825,17826,17827,17829],{},"The break-even depends on team size, requirements, and internal capacity. For many teams under 20 people, DaaS pays off quickly; our ",[60,17828,13504],{"href":5345}," shows concrete numbers. For larger organizations with the necessary know-how, the calculation looks different.",[56,17831,17832,17833,17835],{},"One factor that's often underestimated: the opportunity cost. The time a senior developer invests in infrastructure is missing from the product. That's rarely directly measurable, but real — our ",[60,17834,13689],{"href":5335}," breaks down exactly how these hidden costs add up.",[56,17837,17838,17839,415],{},"A detailed comparison of build vs. 
buy can be found in our article ",[60,17840,15496],{"href":5984},[71,17842,17844],{"id":17843},"what-to-look-for-when-choosing-a-provider","What to Look for When Choosing a Provider",[56,17846,17847],{},"Not all DaaS providers are the same. A few points deserve special attention:",[56,17849,17850,17853],{},[109,17851,17852],{},"Data sovereignty and GDPR."," Where does your data reside? On which servers, in which data center, in which country? For many companies in the DACH region, this is not an abstract compliance question but a concrete requirement. Providers that build on AWS, Azure, or GCP in the US automatically raise questions about data transfers to third countries.",[56,17855,17856,17859],{},[109,17857,17858],{},"Vendor lock-in."," How proprietary are the tools and abstractions used? A provider that uses standard Kubernetes manifests and open tools is easier to switch away from than one that uses a proprietary deployment system. This is not a disqualifier, but something to decide consciously.",[56,17861,17862,17865],{},[109,17863,17864],{},"SLAs and support."," What happens when something doesn't work? How quickly does the provider respond? SLAs are paper — what often matters more is how the provider handles incidents in practice.",[56,17867,17868,17871],{},[109,17869,17870],{},"Transparency about the tools used."," A good DaaS provider explains which tools it uses and why. Black-box solutions where the team has no insight create dependencies that become painful in a crisis.",[71,17873,17875],{"id":17874},"how-lowcloud-implements-devops-as-a-service","How lowcloud Implements DevOps as a Service",[56,17877,17878],{},"lowcloud is a DaaS platform operated on sovereign infrastructure in Germany. This means: data resides on servers that fall under German and European law. 
No data transfers to the US, no dependency on US hyperscalers.",[56,17880,17881],{},"Technically, lowcloud runs on standard Kubernetes with integrated CI\u002FCD workflows, automated infrastructure provisioning, and a pre-installed monitoring stack. Development teams can deploy their applications directly from their Git repository without worrying about cluster operations.",[56,17883,17884],{},"That is the core promise of DevOps as a Service, implemented on a platform that also takes compliance requirements seriously. For teams that need both — fast DevOps workflows and GDPR-compliant infrastructure — this is a combination that's otherwise hard to build yourself.",[56,17886,17887,17888,17891,17892,17895],{},"If you want to see what this could look like for your team, you'll find an easy entry point at ",[60,17889,17890],{"href":741},"lowcloud.io"," — no lengthy onboarding process required. For a detailed comparison of ",[60,17893,17894],{"href":6202},"lowcloud vs. external DaaS providers",", including cost models and compliance criteria, see our dedicated analysis.",[479,17897],{},[56,17899,17900],{},[2186,17901,17902],{},"DevOps as a Service is no silver bullet, but for many teams it's the most pragmatic way to establish modern software delivery processes without building a dedicated ops team. 
The key question is not whether, but which provider fits your own requirements — both technically and from a regulatory perspective.",{"title":490,"searchDepth":491,"depth":491,"links":17904},[17905,17909,17915,17916,17917,17918],{"id":17593,"depth":491,"text":17594,"children":17906},[17907,17908],{"id":17612,"depth":499,"text":17613},{"id":17622,"depth":499,"text":17623},{"id":17638,"depth":491,"text":17639,"children":17910},[17911,17912,17913,17914],{"id":17645,"depth":499,"text":16965},{"id":17684,"depth":499,"text":17685},{"id":17720,"depth":499,"text":17721},{"id":17737,"depth":499,"text":17738},{"id":17773,"depth":491,"text":17774},{"id":17807,"depth":491,"text":17808},{"id":17843,"depth":491,"text":17844},{"id":17874,"depth":491,"text":17875},"2026-03-06",{"src":17921},"\u002Fimages\u002Fblog\u002Fdevops-as-a-service.jpg",{},{"title":17582,"description":17590},"en\u002F3.blog\u002F15.devops-as-a-service","MfA9d5VY3vrm0q0WpY5vMqTbPW1_hpUOhNg3kiIPaHA",{"id":17927,"title":17928,"authors":17929,"badge":10,"body":17932,"date":18145,"description":18146,"extension":510,"image":18147,"lastUpdated":4932,"meta":18149,"navigation":14,"path":5076,"published":14,"seo":18150,"stem":18151,"tags":10,"__hash__":18152},"posts\u002Fen\u002F3.blog\u002F14.kubernetes-digital-sovereignty.md","Digital Sovereignty with Kubernetes: When Is Open Source Truly Sovereign?",[17930],{"name":43,"to":44,"avatar":17931},{"src":46},{"type":48,"value":17933,"toc":18132},[17934,17939,17942,17946,17949,17969,17972,17982,17986,17995,17998,18002,18005,18008,18012,18015,18018,18022,18025,18028,18031,18035,18038,18044,18054,18064,18068,18074,18077,18081,18084,18115,18118,18121,18123],[56,17935,17936,17938],{},[60,17937,1543],{"href":1542}," was created by Google. Yet European companies and government agencies use it as the foundation for their sovereign cloud strategy. 
This is not a contradiction, if you understand which dimension of sovereignty really matters.",[56,17940,17941],{},"The debate often revolves around the wrong question. The relevant question is not \"Was the code written in the EU?\" but rather: \"Who controls access to my data and systems at runtime?\" This article explains the difference, why it matters in practice, and what Kubernetes has to do with it.",[71,17943,17945],{"id":17944},"what-digital-sovereignty-actually-means","What digital sovereignty actually means",[56,17947,17948],{},"The term is widely used but rarely clearly defined. In the context of cloud infrastructure, three dimensions can be distinguished:",[103,17950,17951,17959,17964],{},[106,17952,17953,17955,17956,11683],{},[109,17954,17309],{}," Control over where data resides, who can access it, and how it is processed. For a detailed breakdown of why ",[60,17957,17958],{"href":5059},"data residency differs from data sovereignty",[106,17960,17961,17963],{},[109,17962,17315],{}," Control over platform operations (admin access, updates, incident handling, key management).",[106,17965,17966,17968],{},[109,17967,16426],{}," Protection through applicable law and jurisdiction (e.g., EU\u002FGerman law, protection against extraterritorial access claims).",[56,17970,17971],{},"These three dimensions are related but not identical. A tool can be strong in dimension three while simultaneously failing in dimension one or two, depending on how it is deployed.",[56,17973,17974,17975,17979,17980,415],{},"In a previous blog post, we described the ",[60,17976,8918],{"href":17977,"rel":17978},"https:\u002F\u002Fcommission.europa.eu\u002Fdocument\u002Fdownload\u002F09579818-64a6-4dd5-9577-446ab6219113_en",[64],", where data sovereignty, operational sovereignty, legal immunity, and how sovereignty is defined and measured play a central role. 
You can find it in our ",[60,17981,17327],{"href":8917},[71,17983,17985],{"id":17984},"kubernetes-and-its-roots-at-google","Kubernetes and its roots at Google",[56,17987,17988,17989,17994],{},"Google released Kubernetes as an open-source project in 2014, based on internal systems like Borg. In 2016, the project was handed over to the Cloud Native Computing Foundation (",[60,17990,17993],{"href":17991,"rel":17992},"https:\u002F\u002Fwww.cncf.io\u002F",[64],"CNCF","), which is part of the Linux Foundation. Today, Kubernetes is one of the most active open-source projects worldwide, with maintainers from dozens of companies and organizations.",[56,17996,17997],{},"The code is licensed under the Apache 2.0 license, one of the most permissive open-source licenses available. This means any organization can use, modify, distribute, and commercially deploy Kubernetes without paying license fees or being required to contribute source code back.",[187,17999,18001],{"id":18000},"the-cncf-as-a-governance-model","The CNCF as a governance model",[56,18003,18004],{},"What many don't know: Google no longer has formal veto power over the direction of Kubernetes. CNCF governance regulates how decisions are made. The Kubernetes Steering Committee and the Technical Oversight Committee are composed of members from various companies. No single corporation determines the roadmap.",[56,18006,18007],{},"This is a relevant characteristic for sovereignty questions because it means the continuity and development of the project are not tied to the fate of a single company.",[71,18009,18011],{"id":18010},"open-source-as-a-sovereignty-factor-but-not-the-sole-deciding-one","Open source as a sovereignty factor, but not the sole deciding one",[56,18013,18014],{},"Open-source code offers real advantages for digital sovereignty: The code is auditable. Security vulnerabilities can be found and reported by the community. There is no vendor lock-in at the license level. 
Anyone who wants to can fork.",[56,18016,18017],{},"Yet open source is not a free pass. The decisive question is not where the code comes from, but where it runs.",[187,18019,18021],{"id":18020},"the-crucial-distinction-where-does-the-code-run","The crucial distinction: Where does the code run?",[56,18023,18024],{},"A Kubernetes cluster running on AWS, GCP, or Azure in a US region is subject to US law, even if Kubernetes itself is open source. The CLOUD Act of 2018 obliges US companies, under certain circumstances, to grant authorities access to data, regardless of where that data is physically stored.",[56,18026,18027],{},"This means: Running Kubernetes on a US hyperscaler may leave a gap in data sovereignty, not because of Kubernetes, but because of the operating model.",[56,18029,18030],{},"Turn it around: Kubernetes, operated on your own hardware or in an EU data center by a European provider, with no contractual relationship to a US company, is a substantially different starting point.",[71,18032,18034],{"id":18033},"digital-sovereignty-with-kubernetes-in-practice","Digital sovereignty with Kubernetes in practice",[56,18036,18037],{},"What does this mean for architecture decisions? Some guidelines that make the difference in practice:",[56,18039,18040,18043],{},[109,18041,18042],{},"Location of operations:"," Kubernetes clusters should run in data centers that are exclusively subject to EU law. ISO 27001 certification and no parent company in the US are sensible minimum requirements.",[56,18045,18046,18049,18050,18053],{},[109,18047,18048],{},"Managed vs. self-managed:"," Running Kubernetes yourself gives maximum control but carries the operational burden — ",[60,18051,18052],{"href":2728},"migrating to Kubernetes"," for the first time adds significant preparation overhead on top of that. 
Managed Kubernetes offerings from European providers can be a good balance, provided the operators meet the requirements mentioned above.",[56,18055,18056,18059,18060,18063],{},[109,18057,18058],{},"Supply chain:"," Which container images, ",[60,18061,18062],{"href":3634},"Helm charts",", and operator deployments are being used? Here too: open source is more auditable than proprietary software, but it is no automatic guarantee of security.",[187,18065,18067],{"id":18066},"the-cloud-act-and-its-implications","The CLOUD Act and its implications",[56,18069,18070,18071,18073],{},"The Clarifying Lawful Overseas Use of Data Act (",[60,18072,6823],{"href":6023},", 2018) allows US authorities to demand that US companies hand over data stored outside the United States. This directly affects AWS, Microsoft, Google, and other hyperscalers.",[56,18075,18076],{},"For European organizations processing sensitive data, such as health data, government data, or data subject to NIS2 or GDPR, this is a real risk. It has nothing to do with whether Kubernetes is open source or not. 
It is about who holds the operating contract.",[71,18078,18080],{"id":18079},"when-is-kubernetes-truly-sovereign","When is Kubernetes truly sovereign?",[56,18082,18083],{},"A pragmatic checklist for teams that want to clarify this question for their organization:",[103,18085,18086,18092,18098,18104,18109],{},[106,18087,18088,18091],{},[109,18089,18090],{},"Operator:"," Is the operator a company headquartered exclusively in the EU, with no US parent company?",[106,18093,18094,18097],{},[109,18095,18096],{},"Data center:"," Is the infrastructure located in an EU data center that is exclusively subject to EU law?",[106,18099,18100,18103],{},[109,18101,18102],{},"Contractual situation:"," Are there no contractual relationships that could enable US authorities to access data?",[106,18105,18106,18108],{},[109,18107,8913],{}," Are only open-source components used whose code is publicly accessible?",[106,18110,18111,18114],{},[109,18112,18113],{},"Portability:"," Is the architecture designed so that switching operators is possible without data loss?",[56,18116,18117],{},"If you can answer yes to all five points, you are running Kubernetes sovereignly, regardless of the fact that the code originally came from Google.",[56,18119,18120],{},"The origin of the code is a question of history. Control over operations is a question of the present.",[479,18122],{},[56,18124,18125,18126,18131],{},"If you want to run Kubernetes in a sovereign environment without the effort of fully self-managed operations, ",[60,18127,18129],{"href":5869,"rel":18128},[64],[109,18130,299],{}," is the right choice: a Kubernetes-based PaaS, operated exclusively in German data centers under EU law. 
No US hyperscaler, no dependencies that undermine operational sovereignty.",{"title":490,"searchDepth":491,"depth":491,"links":18133},[18134,18135,18138,18141,18144],{"id":17944,"depth":491,"text":17945},{"id":17984,"depth":491,"text":17985,"children":18136},[18137],{"id":18000,"depth":499,"text":18001},{"id":18010,"depth":491,"text":18011,"children":18139},[18140],{"id":18020,"depth":499,"text":18021},{"id":18033,"depth":491,"text":18034,"children":18142},[18143],{"id":18066,"depth":499,"text":18067},{"id":18079,"depth":491,"text":18080},"2026-03-05","Kubernetes was created by Google. Yet European companies and government agencies use it as the foundation for their sovereign cloud strategy. This is not a contradiction, if you understand which dimension of sovereignty really matters.",{"src":18148},"\u002Fimages\u002Fblog\u002Fkubernetes-digital-sovereignty.jpg",{},{"title":17928,"description":18146},"en\u002F3.blog\u002F14.kubernetes-digital-sovereignty","YU9ajM6LW-M48AXLrUFv7_QVjMmpUDrrrkHFKp8EMMc",{"id":18154,"title":18155,"authors":18156,"badge":10,"body":18159,"date":18390,"description":18391,"extension":510,"image":18392,"lastUpdated":3942,"meta":18394,"navigation":14,"path":333,"published":14,"seo":18395,"stem":18396,"tags":10,"__hash__":18397},"posts\u002Fen\u002F3.blog\u002F13.cloud-vendor-lock-in.md","Avoiding Cloud Vendor Lock-in: What Real Sovereignty Means Technically",[18157],{"name":43,"to":44,"avatar":18158},{"src":46},{"type":48,"value":18160,"toc":18373},[18161,18164,18168,18171,18175,18178,18181,18185,18202,18216,18220,18223,18226,18229,18232,18236,18239,18245,18249,18255,18258,18262,18265,18268,18271,18274,18278,18281,18285,18288,18295,18298,18312,18315,18319,18322,18325,18328,18331,18335,18338,18341,18344,18347,18350,18357,18361,18364,18367,18370],[56,18162,18163],{},"Vendor lock-in is the unspoken business model of many cloud platforms. Once you're deeply enough integrated, you don't switch anymore. 
Not because the tool is particularly good, but because switching is too expensive, too complex, and too risky. This article shows why that's not a law of nature, what avoiding cloud vendor lock-in actually looks like, and how lowcloud architecturally breaks this pattern.",[71,18165,18167],{"id":18166},"what-vendor-lock-in-really-means","What Vendor Lock-in Really Means",[56,18169,18170],{},"Most developers think of price increases first when they hear vendor lock-in. The provider doubles their rates, and you're stuck because migration would be too costly. That's real, but it's only the surface.",[187,18172,18174],{"id":18173},"more-than-price-increases-structural-dependency","More Than Price Increases: Structural Dependency",[56,18176,18177],{},"Real lock-in goes deeper. It happens when the infrastructure your services run on doesn't belong to you. When your data sits on servers you have no direct access to. When your deployments are controlled through proprietary APIs that no other provider understands.",[56,18179,18180],{},"In this state, you're not a customer. You're a hostage.",[187,18182,18184],{"id":18183},"why-migration-with-traditional-paas-is-so-expensive","Why Migration With Traditional PaaS Is So Expensive",[56,18186,18187,18188,557,18191,1829,18194,18197,18198,18201],{},"With platforms like ",[60,18189,65],{"href":62,"rel":18190},[64],[60,18192,190],{"href":195,"rel":18193},[64],[60,18195,219],{"href":8275,"rel":18196},[64],", your infrastructure runs on the provider's server accounts. You see a clean abstraction layer: push to Git, app runs. That's convenient. But when you want to switch because of prices, features, or a company shutting down, you start from scratch. A ",[60,18199,18200],{"href":514},"comparison of modern Heroku alternatives"," shows how widely this switching cost can vary.",[56,18203,18204,18205,18208,18209,18212,18213,18215],{},"Re-provision. Migrate data. Update DNS. Reconfigure all dependent services. 
That takes days to weeks and costs significantly during ongoing operations — migration costs, including substantial ",[60,18206,18207],{"href":7124},"cloud egress fees",", that are often missing from ",[60,18210,18211],{"href":5335},"cloud TCO calculations",". The ",[60,18214,6945],{"href":6637}," now requires providers to actively reduce these barriers. The providers know this. And that's exactly why the model is so widespread.",[71,18217,18219],{"id":18218},"how-traditional-paas-platforms-structurally-lock-you-in","How Traditional PaaS Platforms Structurally Lock You In",[56,18221,18222],{},"The fundamental problem is architectural: the provider holds the infrastructure. You pay for usage, but you own nothing.",[56,18224,18225],{},"With Heroku, for example, your dynos run on Salesforce servers. You can configure what runs on those dynos, but you can't access the underlying server, address it directly, or transfer it to another environment. Your databases? Also with the provider. Your add-ons, environment variables, build pipelines? All proprietary.",[56,18227,18228],{},"The same structure is found in most modern PaaS offerings. The deployment experience is excellent. The exit experience is not.",[56,18230,18231],{},"This is not an oversight. It's the model.",[71,18233,18235],{"id":18234},"cloud-sovereignty-what-it-concretely-means-technically","Cloud Sovereignty: What It Concretely Means Technically",[56,18237,18238],{},"Cloud sovereignty is a term widely used in the industry and rarely precisely defined. Usually it means: data storage in a specific country or with a specific provider. That's relevant, but not sufficient.",[56,18240,18241,18244],{},[60,18242,18243],{"href":325},"Real sovereignty"," means: you can switch your provider without jeopardizing your operations. You can shut down your provider without losing your applications. 
You have direct access to the infrastructure your services run on at all times.",[187,18246,18248],{"id":18247},"your-infrastructure-your-account-the-byoc-approach","Your Infrastructure, Your Account. The BYOC Approach",[56,18250,18251,18252,18254],{},"BYOC stands for ",[60,18253,9767],{"href":413},", or more specifically: Bring Your Own Account. The principle is simple: instead of a PaaS provider renting infrastructure for you and selling you access to it, you connect your own cloud account to the tool. The tool orchestrates your infrastructure on your account. It doesn't own it.",[56,18256,18257],{},"The difference is fundamental. You're not a tenant. You're an owner.",[187,18259,18261],{"id":18260},"the-what-happens-if-test-as-an-architecture-criterion","The \"What Happens If\" Test as an Architecture Criterion",[56,18263,18264],{},"A simple test for any cloud platform: what happens if the provider ceases to exist tomorrow?",[56,18266,18267],{},"With traditional PaaS models, the answer is uncomfortable: your services go down. You must migrate immediately. Under time pressure, without preparation.",[56,18269,18270],{},"With a BYOC model, the answer is different: the infrastructure keeps running because it belongs to you. You lose the orchestration tool, but you don't lose your operations.",[56,18272,18273],{},"This test is not an academic thought experiment. Startups die. Providers pivot. Prices rise. Those who align their architecture with this test sleep better.",[71,18275,18277],{"id":18276},"how-lowcloud-architecturally-eliminates-vendor-lock-in","How lowcloud Architecturally Eliminates Vendor Lock-in",[56,18279,18280],{},"lowcloud is built on this principle. Not as a marketing promise, but as a fundamental technical decision that shapes the entire product design.",[187,18282,18284],{"id":18283},"orchestration-instead-of-hosting-what-the-difference-is","Orchestration Instead of Hosting. 
What the Difference Is",[56,18286,18287],{},"lowcloud doesn't rent infrastructure for you. lowcloud orchestrates infrastructure on your account.",[56,18289,18290,18291,18294],{},"Specifically: you connect your ",[60,18292,18293],{"href":5426},"Hetzner account to lowcloud",", for example. lowcloud provisions servers there, configures Docker containers, sets up networks and databases. All on your account, with your credentials, in your infrastructure. lowcloud is the tool, not the owner.",[56,18296,18297],{},"This means:",[103,18299,18300,18303,18306,18309],{},[106,18301,18302],{},"The servers are in your Hetzner account. You can access them directly at any time.",[106,18304,18305],{},"The Docker containers and their configuration belong to you.",[106,18307,18308],{},"Your databases run on servers in your account.",[106,18310,18311],{},"You have full SSH access and direct control at all times.",[56,18313,18314],{},"This architecture is not a feature. It's an attitude: we want you to use the tool because it makes your daily work easier, not because you can't continue without us.",[187,18316,18318],{"id":18317},"when-you-shut-down-lowcloud-what-happens-and-what-doesnt","When You Shut Down lowcloud: What Happens and What Doesn't",[56,18320,18321],{},"This is the concrete test: you cancel your lowcloud account. What happens?",[56,18323,18324],{},"Your Docker containers keep running. Your databases are reachable. Your servers in your Hetzner account continue to exist. You lose the dashboard, automated deployments, monitoring, and the simple management interface, but you don't lose your applications.",[56,18326,18327],{},"You can access your servers directly via SSH and continue working manually. You can connect another tool. You can transfer the infrastructure to another management layer.",[56,18329,18330],{},"The transition requires effort. 
But it's possible, calculable, and can be planned under normal conditions, not as an emergency measure under pressure.",[71,18332,18334],{"id":18333},"what-this-means-for-devops-teams-in-practice","What This Means for DevOps Teams in Practice",[56,18336,18337],{},"For developers and DevOps teams, this approach concretely changes several things:",[56,18339,18340],{},"Full transparency over infrastructure. Anyone who can directly access the Hetzner account sees exactly what's running. No black box, no hidden network configurations, no \"the platform manages that for you.\"",[56,18342,18343],{},"Emergency scenarios are plannable. A runbook for the case that lowcloud fails or is unreachable can be written. The infrastructure is known. The manual steps can be documented. With traditional PaaS models, this is often simply not possible.",[56,18345,18346],{},"Compliance becomes easier. Many industries have requirements about where data resides and who has access to it. When the infrastructure runs on your own account, these questions are easier to answer. You can prove that only you and nobody else has access to your production data.",[56,18348,18349],{},"No negotiation risk with price increases. When a provider doubles their prices, the reaction with BYOC is different. You can switch the orchestration tool without migrating the infrastructure. This fundamentally changes the negotiation position.",[56,18351,18352,18353,18356],{},"Less risk during growth. Those who grow don't want to discover at the wrong moment that their infrastructure is chained to a single provider. Making the ",[60,18354,18355],{"href":5118},"right architectural decisions"," early costs little. 
Correcting them later costs a lot.",[71,18358,18360],{"id":18359},"conclusion-simplicity-and-independence-are-not-mutually-exclusive","Conclusion: Simplicity and Independence Are Not Mutually Exclusive",[56,18362,18363],{},"The most common objection to BYOC approaches is: \"That's more complicated.\" That's true for traditional self-hosting setups. For lowcloud, it's not.",[56,18365,18366],{},"The goal is for you to use a platform that gives you the simplicity of a modern PaaS. Deployments with a few clicks, automatic scaling, easy database connectivity, without giving up your independence. These two things are not contradictory when the product is built on this principle from the start.",[56,18368,18369],{},"Avoiding cloud vendor lock-in doesn't mean sacrificing convenience. It means getting convenience and control together.",[56,18371,18372],{},"lowcloud is built for teams that want to understand and control their infrastructure while still not having time to manage everything manually. If you want to know what this concretely looks like for your setup, you can try lowcloud directly and connect your own Hetzner or Kyberio account.",{"title":490,"searchDepth":491,"depth":491,"links":18374},[18375,18379,18380,18384,18388,18389],{"id":18166,"depth":491,"text":18167,"children":18376},[18377,18378],{"id":18173,"depth":499,"text":18174},{"id":18183,"depth":499,"text":18184},{"id":18218,"depth":491,"text":18219},{"id":18234,"depth":491,"text":18235,"children":18381},[18382,18383],{"id":18247,"depth":499,"text":18248},{"id":18260,"depth":499,"text":18261},{"id":18276,"depth":491,"text":18277,"children":18385},[18386,18387],{"id":18283,"depth":499,"text":18284},{"id":18317,"depth":499,"text":18318},{"id":18333,"depth":491,"text":18334},{"id":18359,"depth":491,"text":18360},"2026-03-04","Vendor lock-in is the unspoken business model of many cloud platforms. 
This article shows what avoiding cloud vendor lock-in actually looks like and how lowcloud architecturally breaks this pattern.",{"src":18393},"\u002Fimages\u002Fblog\u002Fcloud-vendor-lock-in.jpg",{},{"title":18155,"description":18391},"en\u002F3.blog\u002F13.cloud-vendor-lock-in","Iy4hiiKPRVH8XAoSzQo2cOZnZotxNjUgX5jT0FifnVE",{"id":18399,"title":18400,"authors":18401,"badge":10,"body":18404,"date":18820,"description":18821,"extension":510,"image":18822,"lastUpdated":6920,"meta":18824,"navigation":14,"path":8917,"published":14,"seo":18825,"stem":18826,"tags":10,"__hash__":18827},"posts\u002Fen\u002F3.blog\u002F12.cloud-sovereignty-framework.md","Cloud Sovereignty Framework: How the EU Is Finally Making Cloud Sovereignty Measurable",[18402],{"name":43,"to":44,"avatar":18403},{"src":46},{"type":48,"value":18405,"toc":18802},[18406,18413,18417,18423,18430,18441,18450,18454,18457,18461,18468,18472,18475,18479,18482,18486,18489,18496,18507,18510,18514,18517,18537,18541,18561,18564,18568,18575,18580,18585,18635,18639,18671,18676,18706,18710,18713,18716,18719,18723,18726,18732,18738,18744,18750,18756,18760,18763,18766,18770,18777,18780,18783,18787,18790,18793,18795],[56,18407,18408,18409,18412],{},"Cloud sovereignty is a term that has appeared in tenders, strategy papers, and press releases for years. Often without a clear definition. The EU has now changed that. With the new ",[60,18410,8918],{"href":17977,"rel":18411},[64],", there is for the first time a structured, verifiable framework for what a cloud service must deliver to qualify as sovereign. 
This has concrete consequences for providers, operators, and everyone selecting cloud infrastructure for regulated use cases.",[71,18414,18416],{"id":18415},"what-was-missing-and-why-the-framework-is-coming-now","What Was Missing and Why the Framework Is Coming Now",[56,18418,18419,18420,18422],{},"Anyone who searched for a sovereign cloud in recent years faced a problem: every provider called itself sovereign, none had to prove it. European subsidiaries of American hyperscalers marketed their data centers in Frankfurt or Dublin as \"EU-sovereign,\" even though the parent company is based in the US and falls under the scope of the ",[60,18421,6823],{"href":325}," of 2018.",[56,18424,18425,18426,18429],{},"The US CLOUD Act requires American companies to grant US authorities access to stored data upon request, even when that data is physically located in Europe. This is not a theoretical risk but a structural problem that is not solved by a European subsidiary. For a full breakdown of how the ",[60,18427,18428],{"href":6023},"Cloud Act conflicts with GDPR"," in practice, see our dedicated analysis.",[56,18431,18432,18433,557,18435,18437,18438,18440],{},"At the same time, regulatory pressure has increased. ",[60,18434,12775],{"href":13084},[60,18436,17356],{"href":13309},", the ",[60,18439,6963],{"href":6925},", the Cyber Resilience Act, and for public authorities, GDPR-compliant processing of data with elevated protection requirements. In this environment, the lack of clear, verifiable criteria increasingly became an obstacle for procurement decisions.",[56,18442,18443,18444,18449],{},"The new EU framework addresses exactly this. 
It builds on the ",[60,18445,18448],{"href":18446,"rel":18447},"https:\u002F\u002Fec.europa.eu\u002Fnewsroom\u002Fcipr\u002Fitems\u002F713799\u002Fen",[64],"EUCS"," (EU Cybersecurity Certification Scheme for Cloud Services), developed by ENISA, and defines cloud sovereignty as an independent concept with concrete technical, organizational, and legal requirements.",[71,18451,18453],{"id":18452},"the-three-dimensions-of-cloud-sovereignty-according-to-the-eu","The Three Dimensions of Cloud Sovereignty According to the EU",[56,18455,18456],{},"The framework distinguishes three dimensions that are considered independently but must all be met together to achieve the highest sovereignty level.",[187,18458,18460],{"id":18459},"data-sovereignty","Data Sovereignty",[56,18462,18463,18464,18467],{},"Data sovereignty means that processed and stored data remains exclusively in the EU and is only physically accessible by EU-based entities. This sounds like a given, but it is not — and it's critical to understand why ",[60,18465,18466],{"href":5059},"data residency alone does not equal sovereignty",". Replication to backup data centers outside the EU, automatic log forwarding to the parent company's central monitoring systems, or support access by non-European personnel. All of this can break data sovereignty without being immediately visible.",[187,18469,18471],{"id":18470},"operational-sovereignty","Operational Sovereignty",[56,18473,18474],{},"Operational sovereignty goes further: who operates the infrastructure, who has privileged access, and where are the subcontractors based? The framework requires that operations, administration, and support are carried out exclusively by EU-based and EU-controlled entities. 
A US corporation running its European operations through a subsidiary has a structural problem here, as corporate directives, support processes, and security response teams are often not fully decoupled.",[187,18476,18478],{"id":18477},"legal-immunity","Legal Immunity",[56,18480,18481],{},"This is the toughest requirement: the cloud provider must not be subject to any non-European jurisdiction that could allow authorities to access customer data. This includes US, British, or other third-country laws with extraterritorial scope. Only European-controlled companies without a US parent company or US stock exchange listing can structurally meet this requirement.",[71,18483,18485],{"id":18484},"the-eucs-and-the-sovereign-seal-what-is-the-difference","The EUCS and the Sovereign SEAL. What Is the Difference?",[56,18487,18488],{},"The EUCS provides three trust levels: Basic, Substantial, and High. These levels cover classic cybersecurity requirements: availability, integrity, encryption, incident response. A provider at the High level is technically well-secured, but that says nothing about sovereignty.",[56,18490,18491,18492,18495],{},"The Sovereign Level, informally referred to as ",[109,18493,18494],{},"SEAL",", is an additional label that goes beyond the EUCS High level. It combines all three sovereignty dimensions and requires the provider to:",[103,18497,18498,18501,18504],{},[106,18499,18500],{},"have its headquarters and control in the EU",[106,18502,18503],{},"have no corporate dependencies outside the EU that could enable legal access",[106,18505,18506],{},"have implemented technical controls that prevent data access even in the case of a third-country authority request, through encryption with keys managed exclusively on the EU side",[56,18508,18509],{},"The SEAL label is therefore not a self-declaration but a certification verifiable by accredited bodies. 
For public authorities and regulated industries, this will increasingly become a prerequisite in tenders.",[71,18511,18513],{"id":18512},"eucs-levels-and-seal-levels-at-a-glance","EUCS Levels and SEAL Levels at a Glance",[56,18515,18516],{},"To clearly separate the concepts, a two-tier picture helps:",[103,18518,18519,18528],{},[106,18520,18521,18523,18524,18527],{},[109,18522,18448],{}," describes ",[2186,18525,18526],{},"cybersecurity trust levels"," for cloud services (Basic → Substantial → High).",[106,18529,18530,18523,18533,18536],{},[109,18531,18532],{},"SEAL \u002F Sovereign Level",[2186,18534,18535],{},"sovereignty requirements"," (data sovereignty, operational sovereignty, legal immunity), typically in addition to a high EUCS level.",[187,18538,18540],{"id":18539},"eucs-levels","EUCS Levels",[103,18542,18543,18549,18555],{},[106,18544,18545,18548],{},[109,18546,18547],{},"EUCS Basic:"," Entry level with fundamental security requirements. Focus on baseline controls and minimum measures. Suitable for workloads with low protection needs where a standard security level is sufficient.",[106,18550,18551,18554],{},[109,18552,18553],{},"EUCS Substantial:"," Mid-level with significantly higher requirements for technical controls, organizational processes, and their implementation. Fits typical enterprise workloads with medium risk where security must be reliably and repeatably operated.",[106,18556,18557,18560],{},[109,18558,18559],{},"EUCS High:"," Highest EUCS level for highly critical or heavily regulated scenarios. 
Particularly stringent controls, robust operational processes, and auditability and evidence management are the focus here.",[56,18562,18563],{},"Important: A service can meet EUCS High and still not be \"sovereign\" if, for example, non-European corporate or legal dependencies exist.",[187,18565,18567],{"id":18566},"_3-seal-sovereign-level-in-detail","3) SEAL \u002F Sovereign Level (In Detail)",[56,18569,18570,18571,18574],{},"The SEAL (",[2186,18572,18573],{},"Sovereignty Effectiveness Assurance Level",") addresses exactly this gap and supplements EUCS (particularly EUCS High) with sovereignty criteria. In the framework, a cloud service is not assessed \"once overall\" but along 8 sovereignty objectives (Sovereignty Objectives, often referred to as SOV-1 through SOV-8). For each of these objectives, a SEAL level (typically 0 to 4) is assigned, expressing the maturity or effectiveness of the measures.",[18576,18577,18579],"h4",{"id":18578},"the-8-seal-assessment-areas-sovereignty-objectives","The 8 SEAL Assessment Areas (Sovereignty Objectives)",[56,18581,18582],{},[2186,18583,18584],{},"(Each area is assessed separately with a SEAL level.)",[103,18586,18587,18593,18599,18605,18611,18617,18623,18629],{},[106,18588,18589,18592],{},[109,18590,18591],{},"SOV-1 Strategic Sovereignty:"," Control over governance, ownership, strategic direction, \"who decides.\"",[106,18594,18595,18598],{},[109,18596,18597],{},"SOV-2 Legal Sovereignty:"," Exposure to non-EU law and ability to prevent third-country access.",[106,18600,18601,18604],{},[109,18602,18603],{},"SOV-3 Operational Sovereignty:"," Operational and support capability within the EU, including emergency and escalation capability.",[106,18606,18607,18610],{},[109,18608,18609],{},"SOV-4 Data\u002FControl Sovereignty:"," Demonstrable control over data location, data flows, and processing (including side channels such as telemetry).",[106,18612,18613,18616],{},[109,18614,18615],{},"SOV-5 Supply Chain Sovereignty:"," 
Transparency and manageability of critical supply chain and sub-processor dependencies.",[106,18618,18619,18622],{},[109,18620,18621],{},"SOV-6 Technological Sovereignty:"," Avoidance of critical technical lock-ins, traceability, and replaceability of central components.",[106,18624,18625,18628],{},[109,18626,18627],{},"SOV-7 Security and Compliance Sovereignty:"," Security controls, evidence, audits, and EU-compliant implementation in practice.",[106,18630,18631,18634],{},[109,18632,18633],{},"SOV-8 Environmental\u002FSustainability Aspects:"," Energy efficiency, controlled footprint, and measurable sustainability requirements.",[18576,18636,18638],{"id":18637},"what-the-seal-levels-practically-express-04","What the SEAL Levels Practically Express (0–4)",[103,18640,18641,18647,18653,18659,18665],{},[106,18642,18643,18646],{},[109,18644,18645],{},"SEAL-0:"," No relevant sovereignty demonstrable.",[106,18648,18649,18652],{},[109,18650,18651],{},"SEAL-1:"," Basic fulfillment (EU law\u002Frules formally addressed), but strong non-EU dependencies.",[106,18654,18655,18658],{},[109,18656,18657],{},"SEAL-2:"," Material sovereignty measures in place, but still relevant external dependencies.",[106,18660,18661,18664],{},[109,18662,18663],{},"SEAL-3:"," High degree of EU control and operational independence, external influences strongly limited.",[106,18666,18667,18670],{},[109,18668,18669],{},"SEAL-4:"," Very high to complete digital sovereignty in this target area, with minimal critical non-EU dependencies.",[56,18672,18673],{},[109,18674,18675],{},"Typical core elements found across many SOV objectives include:",[103,18677,18678,18684,18690,18696],{},[106,18679,18680,18683],{},[109,18681,18682],{},"Data Sovereignty:"," Data processing and storage in the EU. 
No hidden data outflows via telemetry, support tools, or subsystems.",[106,18685,18686,18689],{},[109,18687,18688],{},"Operational Sovereignty:"," Operations, administration, and support by EU-based, EU-controlled entities. Subcontractor rules are strict and must be fully transparent.",[106,18691,18692,18695],{},[109,18693,18694],{},"Legal Immunity:"," Minimization or exclusion of third-country legal access (e.g., extraterritorial access laws). This is why pure \"EU region\" offerings from US hyperscalers structurally hit their limits.",[106,18697,18698,18701,18702,18705],{},[109,18699,18700],{},"Key Sovereignty (Practical Lever):"," Encryption is not enough. What matters is that ",[109,18703,18704],{},"key management"," is implemented so that third parties cannot force access because the keys are controlled on the EU side.",[71,18707,18709],{"id":18708},"what-this-means-for-hyperscalers","What This Means for Hyperscalers",[56,18711,18712],{},"AWS, Microsoft Azure, and Google Cloud all have European data centers, European subsidiaries, and have announced or already launched dedicated \"Sovereign Cloud\" offerings. Nevertheless, they structurally cannot achieve the Sovereign Level because the parent company in each case is based in the US, is subject to US securities law, and thus to the CLOUD Act.",[56,18714,18715],{},"Individual attempts to work around this, for example through joint ventures with European partners such as the project between Thales and Google or T-Systems and Microsoft, are technically demanding and organizationally complex. They reduce the risk but do not fully resolve the structural problem. The framework sets the bar so that genuine decoupling is necessary, not just contractual safeguards.",[56,18717,18718],{},"This is not hidden protectionism but a factual consequence of the stated requirements. 
Anyone who must demonstrate legal immunity from the CLOUD Act can only do so when no US corporation stands in the background.",[71,18720,18722],{"id":18721},"technical-requirements-in-detail","Technical Requirements in Detail",[56,18724,18725],{},"Anyone pursuing certification must demonstrate concrete technical measures. The most important ones:",[56,18727,18728,18731],{},[109,18729,18730],{},"Encryption:"," Data must be encrypted both at rest and in transit. This is standard – but the decisive factor is who controls the keys.",[56,18733,18734,18737],{},[109,18735,18736],{},"Key Management:"," Cryptographic keys may only be managed by EU-based entities. An external key management service from the provider, accessible only to the customer (Bring Your Own Key \u002F Hold Your Own Key), can meet this requirement – if it is itself operated in a sovereign manner.",[56,18739,18740,18743],{},[109,18741,18742],{},"Access Controls:"," Privileged access to production systems must be fully logged, restricted to EU personnel, and secured by technical measures against unscheduled access. Break-glass processes must be documented and auditable.",[56,18745,18746,18749],{},[109,18747,18748],{},"Subcontractors:"," Every subcontractor that could potentially have access to customer data must meet the same requirements as the main provider. No silent sub-processors from third countries.",[56,18751,18752,18755],{},[109,18753,18754],{},"Logging and Auditing:"," Complete, tamper-proof logs of all data access – not only at the application level but down to the infrastructure level.",[71,18757,18759],{"id":18758},"what-cloud-sovereignty-is-not-the-distinction-from-gdpr","What Cloud Sovereignty Is Not. The Distinction from GDPR",[56,18761,18762],{},"A common misconception: GDPR compliance is not the same as cloud sovereignty. The GDPR regulates how personal data may be processed. 
It says nothing about whether a provider is exposed to non-European legal access.",[56,18764,18765],{},"A service can be fully GDPR-compliant, with a data processing agreement, data protection impact assessment, and standard contractual clauses, and still be structurally vulnerable to a US authority demanding access to data based on the CLOUD Act. The framework makes this distinction explicit. Sovereignty is a separate dimension that goes beyond data protection law.",[71,18767,18769],{"id":18768},"relevance-for-kubernetes-paas-platforms","Relevance for Kubernetes PaaS Platforms",[56,18771,18772,18773,18776],{},"For operators and users of ",[60,18774,18775],{"href":5076},"Kubernetes-based PaaS platforms",", the framework has direct consequences. A platform operated on non-sovereign infrastructure inherits its weaknesses – no matter how well the application layer itself is secured. Sovereign by design means that the infrastructure layer on which the platform runs already meets the framework's requirements.",[56,18778,18779],{},"This is the approach lowcloud takes: a fully European-controlled platform running on infrastructure that is structurally suitable for the Sovereign Level. For development teams, this means they can work cloud-native, with familiar Kubernetes workflows and without making sovereignty compromises.",[56,18781,18782],{},"The EU Cloud Sovereignty Framework now also gives this approach a formal framework. Instead of \"we are hosted in Germany,\" there will be verifiable criteria in the future against which providers must be measured.",[71,18784,18786],{"id":18785},"outlook-what-comes-next","Outlook: What Comes Next",[56,18788,18789],{},"The framework was initially published as an orientation framework. The final adoption of the EUCS by EU member states is still pending. There have been political tensions in the past, particularly around the question of whether the Sovereign Level effectively excludes US hyperscalers. 
It does, and this is politically controversial.",[56,18791,18792],{},"Nevertheless: the direction is clear. Public authorities and companies in regulated industries will increasingly ask for certified sovereign cloud services in tenders. Those who invest in sovereign infrastructure now are prepared for these requirements – those who wait will have to migrate under time pressure later.",[479,18794],{},[56,18796,18797,18798,18801],{},"If you want to know what a Kubernetes PaaS platform on sovereign infrastructure looks like in practice and what it means for your stack, check out how ",[60,18799,299],{"href":5869,"rel":18800},[64]," implements it. Without vendor lock-in, without compromises on sovereignty.",{"title":490,"searchDepth":491,"depth":491,"links":18803},[18804,18805,18810,18811,18815,18816,18817,18818,18819],{"id":18415,"depth":491,"text":18416},{"id":18452,"depth":491,"text":18453,"children":18806},[18807,18808,18809],{"id":18459,"depth":499,"text":18460},{"id":18470,"depth":499,"text":18471},{"id":18477,"depth":499,"text":18478},{"id":18484,"depth":491,"text":18485},{"id":18512,"depth":491,"text":18513,"children":18812},[18813,18814],{"id":18539,"depth":499,"text":18540},{"id":18566,"depth":499,"text":18567},{"id":18708,"depth":491,"text":18709},{"id":18721,"depth":491,"text":18722},{"id":18758,"depth":491,"text":18759},{"id":18768,"depth":491,"text":18769},{"id":18785,"depth":491,"text":18786},"2026-03-03","The new Cloud Sovereignty Framework provides the first structured, verifiable framework for what a cloud service must deliver to qualify as 
sovereign.",{"src":18823},"\u002Fimages\u002Fblog\u002Fcloud-sovereignty-framework.jpg",{},{"title":18400,"description":18821},"en\u002F3.blog\u002F12.cloud-sovereignty-framework","bnlhW6fKGJIwt24Xw__vNdy9Dk2rVOatMBl-OTlCnKs",{"id":18829,"title":18830,"authors":18831,"badge":10,"body":18834,"date":19114,"description":19115,"extension":510,"image":19116,"lastUpdated":3938,"meta":19118,"navigation":14,"path":19119,"published":14,"seo":19120,"stem":19121,"tags":10,"__hash__":19122},"posts\u002Fen\u002F3.blog\u002F10.digital-sovereignty-lowcloud-vs-vercel-b2b.md","The Vercel Alternative for the German Mittelstand: Sovereign Hosting on Hetzner with lowcloud",[18832],{"name":43,"to":44,"avatar":18833},{"src":46},{"type":48,"value":18835,"toc":19107},[18836,18842,18845,18848,18853,18880,18896,18902,18905,18908,18913,18934,18937,18943,18946,18949,18955,18961,18968,19081,19087,19090,19104],[187,18837,18839],{"id":18838},"digital-sovereignty-in-the-mittelstand-the-non-negotiable-principles-gdpr-data-control",[109,18840,18841],{},"Digital Sovereignty in the Mittelstand: The Non-Negotiable Principles (GDPR & Data Control)",[56,18843,18844],{},"For the German Mittelstand (mid-sized companies), one thing is fixed in every technology decision: control and stability are non-negotiable.",[56,18846,18847],{},"The value of the company lies in its expertise and its data. 
Speed is important, but never at the expense of legal certainty or availability.",[56,18849,18850],{},[109,18851,18852],{},"The top priorities that modern cloud solutions must meet:",[103,18854,18855,18863,18874],{},[106,18856,18857,18862],{},[109,18858,18859,18861],{},[60,18860,18460],{"href":325}," and Control:"," The ownership of all critical data must lie with the company at all times (no access by foreign authorities).",[106,18864,18865,18873],{},[109,18866,18867,18868,1605],{},"Legal Certainty and ",[60,18869,18872],{"href":18870,"rel":18871},"https:\u002F\u002Fwww.bmjv.de\u002FDE\u002Fthemen\u002Fdigitales\u002Fdigitale_kommunikation\u002Fdsgvo\u002Fdsgvo.html",[64],"GDPR"," Compliance with strict German and European data protection regulations is a liability issue.",[106,18875,18876,18879],{},[109,18877,18878],{},"Stability and Reliability:"," IT systems must run without downtime, as they are directly linked to production or core business.",[56,18881,18882,18883,557,18885,1829,18890,18895],{},"This risk profile explains why many mid-sized companies traditionally rely on their own infrastructure or on German cloud providers like ",[60,18884,5136],{"href":5426},[60,18886,18889],{"href":18887,"rel":18888},"https:\u002F\u002Fwww.kyberio.com\u002F",[64],"Kyberio",[60,18891,18894],{"href":18892,"rel":18893},"https:\u002F\u002Fwww.plusserver.com\u002F",[64],"Plusserver",", and why a solution for GDPR-compliant hosting is needed.",[187,18897,18899],{"id":18898},"vercel-vs-lowcloud-where-speed-meets-gdpr-boundaries-and-sovereignty",[109,18900,18901],{},"Vercel vs. lowcloud: Where Speed Meets GDPR Boundaries and Sovereignty",[56,18903,18904],{},"In the global developer community, Vercel is known for its unbeatable Developer Experience (DX) and lightning-fast frontend deployment. 
However, while startups and global tech giants use Vercel intensively, acceptance in the German Mittelstand is negligible.",[56,18906,18907],{},"The reason is simple: the strategic risks outweigh the operational benefits.",[56,18909,18910],{},[109,18911,18912],{},"The problem Vercel creates for the Mittelstand:",[103,18914,18915,18924],{},[106,18916,18917,18920,18921,415],{},[109,18918,18919],{},"Loss of Data Sovereignty:"," Vercel operates a proprietary, global Edge network. Control over the exact location of data (data residency) is not guaranteed, making compliance with strict German data protection guidelines ",[109,18922,18923],{},"complicated to impossible",[106,18925,18926,18929,18930,18933],{},[109,18927,18928],{},"No Backend Control:"," Vercel is primarily a Frontend Cloud. It forces companies to host the critical parts of the full stack—especially ",[109,18931,18932],{},"persistent"," databases and complex backends—separately with other, often equally non-sovereign providers.",[56,18935,18936],{},"For the Mittelstand, which depends on stability, security, and legal certainty, speed is not an argument when it comes at the expense of these fundamental control mechanisms.",[187,18938,18940],{"id":18939},"the-dilemma-why-german-companies-seek-a-vercel-alternative-on-sovereign-infrastructure",[109,18941,18942],{},"The Dilemma: Why German Companies Seek a Vercel Alternative on Sovereign Infrastructure",[56,18944,18945],{},"Vercel has set the bar extremely high for the Developer Experience (DX). The simplicity of connecting a repository and starting a deployment via push is unbeatable. 
The optimization for modern frontends like Next.js and static content at the Edge delivers maximum speed.",[56,18947,18948],{},"However, this admirable simplicity abruptly ends where the responsibility of the Mittelstand begins: with control over their own full stack.",[56,18950,18951,18952,415],{},"The strategic gap that opens up here is clear: IT needs the Vercel simplicity, but must necessarily be able to apply it to its own, sovereign infrastructure (Hetzner, Mittwald, and many others). Since Vercel does not offer this control, the question for the Mittelstand is not whether simplicity is needed, but how to get it onto their sovereign infrastructure. This is precisely where lowcloud comes in. That's why many technical decision-makers are actively looking for a ",[109,18953,18954],{},"Vercel alternative that meets German requirements",[187,18956,18958],{"id":18957},"the-vercel-developer-experience-dx-on-hetzner-this-is-where-lowcloud-steps-in",[109,18959,18960],{},"The Vercel Developer Experience (DX) on Hetzner: This is Where lowcloud Steps In",[56,18962,18963,18964,18967],{},"lowcloud is the answer for the Mittelstand. It is a Zero-Config automation solution for the infrastructure you already own, control, and trust. 
lowcloud is the tool that enables developers in the Mittelstand to ",[109,18965,18966],{},"easily deploy on Hetzner"," without taking strategic risks.",[1305,18969,18970,18993],{},[1308,18971,18972],{},[1311,18973,18974,18978,18983,18988],{},[1314,18975,18976],{},[109,18977,1318],{},[1314,18979,18980],{},[109,18981,18982],{},"Vercel (PaaS)",[1314,18984,18985],{},[109,18986,18987],{},"lowcloud (BYOC-PaaS)",[1314,18989,18990],{},[109,18991,18992],{},"The Difference for the Mittelstand",[1335,18994,18995,19021,19043,19062],{},[1311,18996,18997,19002,19008,19018],{},[1340,18998,18999],{},[109,19000,19001],{},"Control & Sovereignty",[1340,19003,19004,19005,415],{},"Proprietary network, ",[60,19006,19007],{"href":333},"Vendor Lock-in",[1340,19009,19010,19013,19014,19017],{},[109,19011,19012],{},"Full control"," through deployment in ",[109,19015,19016],{},"your own cloud tenant"," (BYOC).",[1340,19019,19020],{},"Avoidance of Vendor Lock-in and protection of data sovereignty.",[1311,19022,19023,19028,19034,19040],{},[1340,19024,19025],{},[109,19026,19027],{},"Full-Stack Integration",[1340,19029,19030,19031,415],{},"Backend and DB must be hosted ",[109,19032,19033],{},"externally",[1340,19035,19036,19039],{},[109,19037,19038],{},"Frontend, backend, and database"," are automated in one process.",[1340,19041,19042],{},"Elimination of complexity and fragmented infrastructure.",[1311,19044,19045,19050,19053,19059],{},[1340,19046,19047],{},[109,19048,19049],{},"Data Residency (GDPR)",[1340,19051,19052],{},"Globally distributed (Risk).",[1340,19054,19055,19058],{},[109,19056,19057],{},"100% German hosters"," (Hetzner, Mittwald, and others) are integrated.",[1340,19060,19061],{},"Guaranteed legal certainty.",[1311,19063,19064,19069,19072,19078],{},[1340,19065,19066],{},[109,19067,19068],{},"Cost Structure",[1340,19070,19071],{},"High, unpredictable usage costs upon scaling.",[1340,19073,19074,19077],{},[109,19075,19076],{},"Transparent IaaS costs"," of your chosen 
hoster.",[1340,19079,19080],{},"Massive cost and time savings.",[187,19082,19084],{"id":19083},"lowcloud-the-zero-config-automation-to-easily-deploy-on-hetzner",[109,19085,19086],{},"lowcloud: The Zero-Config Automation to Easily Deploy on Hetzner",[56,19088,19089],{},"lowcloud solves the problem for the Mittelstand by uniting the fear of losing control with the demand for speed and efficiency:",[103,19091,19092,19098],{},[106,19093,19094,19097],{},[109,19095,19096],{},"Sovereignty with One Click:"," Through the BYOC approach, you connect lowcloud with your existing cloud account (e.g., Hetzner). The application is deployed where you have full legal and data sovereignty.",[106,19099,19100,19103],{},[109,19101,19102],{},"Full-Stack Stability:"," lowcloud automates the provisioning of the entire stack, managing patching and updates. This ensures higher availability and relieves your IT teams.",[56,19105,19106],{},"lowcloud is the tool that allows developers in the Mittelstand to be fast without taking strategic risks. You save time and money by focusing on innovation while the infrastructure runs reliably, sovereignly, and automatically.",{"title":490,"searchDepth":491,"depth":491,"links":19108},[19109,19110,19111,19112,19113],{"id":18838,"depth":499,"text":18841},{"id":18898,"depth":499,"text":18901},{"id":18939,"depth":499,"text":18942},{"id":18957,"depth":499,"text":18960},{"id":19083,"depth":499,"text":19086},"2026-02-27","Looking for Vercel's Developer Experience but need GDPR security and control? 
lowcloud enables easy deployment on Hetzner and guarantees 100% digital sovereignty.",{"src":19117},"\u002Fimages\u002Fblog\u002Fdigital-sovereignty-lowcloud-vs-vercel-b2b.jpg",{},"\u002Fen\u002Fblog\u002Fdigital-sovereignty-lowcloud-vs-vercel-b2b",{"title":18830,"description":19115},"en\u002F3.blog\u002F10.digital-sovereignty-lowcloud-vs-vercel-b2b","W4_djbOXF94S86ByJIlDiMUseB19JHhFhJWBf5Gi8YM",{"id":19124,"title":19125,"authors":19126,"badge":10,"body":19129,"date":19464,"description":19465,"extension":510,"image":19466,"lastUpdated":7615,"meta":19468,"navigation":14,"path":7292,"published":14,"seo":19469,"stem":19470,"tags":19471,"__hash__":19472},"posts\u002Fen\u002F3.blog\u002F9.deployment-bottleneck.md","Deployment as a Bottleneck: When AI Codes Faster Than You Can Deploy",[19127],{"name":43,"to":44,"avatar":19128},{"src":46},{"type":48,"value":19130,"toc":19444},[19131,19134,19138,19142,19151,19154,19157,19161,19167,19170,19174,19178,19185,19192,19196,19199,19202,19205,19209,19214,19217,19221,19229,19255,19258,19262,19266,19269,19275,19279,19282,19310,19313,19317,19324,19327,19331,19334,19340,19346,19352,19358,19361,19365,19368,19371,19397,19403,19406,19420,19423,19426,19429,19433,19436,19439],[56,19132,19133],{},"AI tools like GitHub Copilot, Cursor, and Claude have fundamentally changed how developers write code. Features that once took days are now built in mere hours. Yet, while code production has surged to an entirely new level, a critical part of the software delivery process is lagging behind: deployment. 
If your team is blazing fast at coding but still painfully slow to ship, you haven't eliminated the bottleneck—you've just shifted it further down the pipeline.",[71,19135,19137],{"id":19136},"the-new-bottleneck-in-software-development","The New Bottleneck in Software Development",[187,19139,19141],{"id":19140},"what-has-changed-because-of-ai","What has changed because of AI?",[56,19143,19144,19145,19150],{},"AI-assisted development tools are no longer science fiction. According to a ",[60,19146,19149],{"href":19147,"rel":19148},"https:\u002F\u002Fgithub.blog\u002Fnews-insights\u002Fresearch\u002Fresearch-quantifying-github-copilots-impact-on-developer-productivity-and-happiness\u002F",[64],"2023 study"," by GitHub, developers using Copilot are up to 55% faster at completing coding tasks. In practice, this means producing more code, shipping more features, and opening more pull requests in far less time.",[56,19152,19153],{},"At first glance, this sounds like a massive win. However, as code velocity spikes, unprecedented pressure hits your downstream processes. Tests must execute faster. Code review processes have to scale.",[56,19155,19156],{},"And most importantly: Deployments must be incredibly fast, highly reliable, and easily reproducible.",[187,19158,19160],{"id":19159},"why-deployment-hasnt-kept-pace","Why deployment hasn't kept pace",[56,19162,19163,19164,19166],{},"Deployment infrastructures rarely scale organically alongside development speed. Many teams still rely on pipelines built years ago—designed for an era when deploying once a week was considered the gold standard. 
Manual approvals, fragile handwritten bash scripts, and non-existent rollback mechanisms — classic symptoms of the ",[60,19165,10169],{"href":7312}," — were somewhat tolerable back when the flow of new code was slow and manageable.",[56,19168,19169],{},"In a world where AI multiplies code production by an order of magnitude, these exact weaknesses turn into critical bottlenecks.",[71,19171,19173],{"id":19172},"what-turns-deployment-into-a-bottleneck","What Turns Deployment Into a Bottleneck?",[187,19175,19177],{"id":19176},"manual-steps-and-lack-of-automation","Manual steps and lack of automation",[56,19179,19180,19181,19184],{},"The most common culprit behind sluggish deployments is ",[60,19182,19183],{"href":7300},"manual intervention",". A developer creates a pull request, waits for a code review, waits for staging approval, and finally waits for the Ops team to kick off the production deployment. Every single hand-off burns time. Add them all up, and you're looking at hours or even days of waiting to ship code that took mere minutes to write.",[56,19186,19187,19188,19191],{},"Automation is the absolute key here — and the ",[60,19189,19190],{"href":13462},"biggest lever for cutting IT costs",". A comprehensive CI\u002FCD pipeline, running from the initial commit all the way to deployment, reduces manual touchpoints to an absolute minimum. It actively ensures that deployments remain consistent and reproducible.",[187,19193,19195],{"id":19194},"environment-conflicts-and-configuration-chaos","Environment conflicts and configuration chaos",[56,19197,19198],{},"\"It works on my machine\" is an industry-wide punchline. 
But \"It works on staging, but not in production\" is a terrifying, daily reality for many.",[56,19200,19201],{},"Different environment variables, mismatched dependency versions, and unversioned configurations all lead to deployment failures that are incredibly frustrating to track down and debug.",[56,19203,19204],{},"Tools like Docker and Kubernetes were built to tackle this directly through containerization and declarative infrastructure. However, they inevitably introduce their own steep learning curves and massive operational complexity.",[187,19206,19208],{"id":19207},"the-kubernetes-complexity-trap","The Kubernetes complexity trap",[56,19210,19211,19213],{},[60,19212,1543],{"href":1542}," is the undisputed de-facto standard for container orchestration. At the same time, it is easily one of the most complex platforms in the modern software stack. Running your own bare-metal Kubernetes cluster means wrestling with endless YAML manifests, Ingress controllers, complex RBAC rules, Storage Classes, network policies, and a sprawling ecosystem of operators.",[56,19215,19216],{},"For many development teams, this extreme complexity is a massive hurdle. Every hour spent maintaining infrastructure is an hour stolen from actual product development. 
Here, the deployment bottleneck isn't caused by a lack of proper tooling—it's caused by the overwhelming operational weight of the platform itself.",[71,19218,19220],{"id":19219},"dora-metrics-where-your-bottleneck-becomes-measurable","DORA Metrics: Where Your Bottleneck Becomes Measurable",[56,19222,19223,19224,19228],{},"The DevOps Research and Assessment (",[60,19225,17356],{"href":19226,"rel":19227},"https:\u002F\u002Fdora.dev\u002F",[64],") program has defined four highly critical metrics to objectively measure the performance of any software delivery process:",[103,19230,19231,19237,19243,19249],{},[106,19232,19233,19236],{},[109,19234,19235],{},"Deployment Frequency:"," How often do you successfully deploy to production?",[106,19238,19239,19242],{},[109,19240,19241],{},"Lead Time for Changes:"," How long does it actually take from committing code to running it in production?",[106,19244,19245,19248],{},[109,19246,19247],{},"Change Failure Rate:"," How often do your deployments directly cause service degradation or failures?",[106,19250,19251,19254],{},[109,19252,19253],{},"Mean Time to Restore (MTTR):"," How fast can you recover when a deployment inevitably breaks something?",[56,19256,19257],{},"According to DORA, elite development teams deploy multiple times a day. They maintain a lead time of less than one hour, and they recover from incidents just as fast. If your team falls significantly behind these benchmarks, the signal is clear: your deployment process is the anchor dragging down your overall velocity.",[71,19259,19261],{"id":19260},"strategies-to-unblock-your-deployments","Strategies to Unblock Your Deployments",[187,19263,19265],{"id":19264},"adopt-gitops-workflows","Adopt GitOps workflows",[56,19267,19268],{},"GitOps is a modern approach where Git serves as the single source of truth for your entire infrastructure and application state. 
Every single change, whether it's raw code or configuration tweaking, is tracked via pull requests and automatically synced into the target environment via an automated pipeline.",[56,19270,19271,19272,415],{},"Tools like Argo CD or Flux implement this exact principle brilliantly for Kubernetes environments. The result is fully automated, highly auditable deployments. Manual interventions are practically eliminated, and rolling back is as simple as running a ",[554,19273,19274],{},"git revert",[187,19276,19278],{"id":19277},"modernize-your-cicd-pipelines","Modernize your CI\u002FCD pipelines",[56,19280,19281],{},"A truly modern CI\u002FCD pipeline goes far beyond simply building and pushing a Docker image. It must heavily integrate:",[103,19283,19284,19290,19295,19304],{},[106,19285,19286,19289],{},[109,19287,19288],{},"Automated Testing"," (Unit, Integration, End-to-End)",[106,19291,19292,19294],{},[109,19293,16994],{}," (Container images, specific dependencies)",[106,19296,19297,19300,19301,19303],{},[109,19298,19299],{},"Canary Deployments or Blue-Green Deployments"," for highly controlled, low-risk rollouts — see our ",[60,19302,12975],{"href":7620}," for practical rollout strategies",[106,19305,19306,19309],{},[109,19307,19308],{},"Automated Rollbacks"," triggered by failing health checks",[56,19311,19312],{},"Upgrading your pipeline to this standard doesn't just clear up the deployment frequency bottleneck. It radically drops your change failure rate.",[187,19314,19316],{"id":19315},"leverage-paas-platforms-to-abstract-complexity","Leverage PaaS platforms to abstract complexity",[56,19318,19319,19320,19323],{},"Not every engineering team has the bandwidth or dedicated headcount to operate and optimize a full-blown Kubernetes infrastructure from scratch. This is exactly where ",[60,19321,19322],{"href":80},"Platform-as-a-Service solutions (PaaS)"," shine. 
They abstract the daunting complexity of Kubernetes away, giving development teams a straightforward, self-serve interface to handle deployments effortlessly.",[56,19325,19326],{},"Instead of meticulously maintaining YAML files and manually tinkering with Kubernetes resources, teams can deploy code straight out of their Git repository. Automated pipelines, pre-configured staging environments, and fully integrated monitoring are available out-of-the-box.",[71,19328,19330],{"id":19329},"how-a-modern-paas-liberates-your-deployments","How a Modern PaaS Liberates Your Deployments",[56,19332,19333],{},"A modern, cloud-native Kubernetes PaaS platform like lowcloud aggressively attacks the deployment bottleneck from multiple angles at once:",[56,19335,19336,19339],{},[109,19337,19338],{},"Self-Service Deployments:"," Developers gain the exact tools to deploy their own applications completely independently. Waiting for a dedicated Ops engineer is entirely removed from the workflow.",[56,19341,19342,19345],{},[109,19343,19344],{},"Automated Pipelines:"," A simple Git push automatically translates into a full deployment. The build, test, and rollout phases happen automatically. Achieving lead times of under an hour becomes a realistic standard for the entire team.",[56,19347,19348,19351],{},[109,19349,19350],{},"Kubernetes Without the Headache:"," The entire underlying Kubernetes infrastructure is fully managed by the platform. The team directs 100% of their focus purely on their application. Cluster upgrades, detailed node configurations, and obscure network policies are securely handled in the background.",[56,19353,19354,19357],{},[109,19355,19356],{},"Integrated Observability and Automated Rollbacks:"," If a rollout goes sideways, an automatic rollback is triggered instantly. 
Detailed metrics and system logs are natively available within the platform, removing the strict need to stitch together an external observability stack.",[56,19359,19360],{},"The results are obvious: Workflows that used to be dragged down by multi-hour processes are now executing flawlessly several times a day. You get higher security, vastly better reliability, and practically zero manual heavy lifting.",[71,19362,19364],{"id":19363},"whats-next-ai-in-the-deployment-process","What's Next: AI in the Deployment Process?",[56,19366,19367],{},"If AI has drastically accelerated how we write code, the next logical question to ask is: Will AI take control of the deployment process too?",[56,19369,19370],{},"The answer is yes. The very first concrete approaches are already proving their massive value in production:",[103,19372,19373,19379,19385,19391],{},[106,19374,19375,19378],{},[109,19376,19377],{},"Automated Test Generation:"," AI doesn't just generate the application code; it writes the accompanying test suites. This drastically improves pipeline quality right out of the gate.",[106,19380,19381,19384],{},[109,19382,19383],{},"Intelligent Rollbacks:"," AI models detecting microscopic anomalies in system metrics can automatically trigger a clean rollback before a single user ever realizes there's a bug.",[106,19386,19387,19390],{},[109,19388,19389],{},"Predictive Scaling:"," AI-driven auto-scalers analyze complex traffic patterns and proactively scale up infrastructure ahead of spikes, rather than reacting only after the system starts choking.",[106,19392,19393,19396],{},[109,19394,19395],{},"AI-Assisted Incident Diagnostics:"," Specialized tools read through massive piles of logs and metrics to instantly suggest highly accurate fixes during outages.",[56,19398,19399,19402],{},[109,19400,19401],{},"However, the golden rule remains:"," AI acts as a phenomenal amplifier. 
It does not replace the fundamental need for a rock-solid deployment platform.",[56,19404,19405],{},"Even the most brilliant AI requires an extremely stable, highly reproducible foundation to operate on:",[103,19407,19408,19411,19414,19417],{},[106,19409,19410],{},"It demands standardized, predictable deployments, not fragile, hand-cranked pipelines.",[106,19412,19413],{},"It heavily requires clean, strict isolation between Dev, Staging, and Production environments.",[106,19415,19416],{},"It needs absolute guardrails enforced through strict policies, pristine secrets handling, and deep audit logs.",[106,19418,19419],{},"It fundamentally relies on flawless observability (Logs, Metrics, Traces) to make any intelligent decisions.",[56,19421,19422],{},"This is precisely where lowcloud enters the equation. It delivers exactly this highly stable, sovereign foundation for Kubernetes deployments. The self-service focus, robust CI\u002FCD principles, and clean monitoring capabilities make executing complex—or even AI-driven—rollouts an incredibly safe, reliable reality.",[56,19424,19425],{},"The future of software delivery is undoubtedly automated. But it's also going to be highly intelligent.",[56,19427,19428],{},"That specifically demands a platform totally capable of absorbing extreme complexity while guaranteeing iron-clad security. Only with those foundations will AI provide not just faster code, but also profoundly safer, highly controlled deployments.",[71,19430,19432],{"id":19431},"the-bottom-line","The Bottom Line",[56,19434,19435],{},"Nobody debates that AI has dramatically sped up the creation of code. But if you want to harness the full, explosive power of that acceleration, you need to modernize your deployment process. Legacy, manual deployment workflows are officially the most glaring bottleneck in the modern software delivery cycle.",[56,19437,19438],{},"The phenomenal news is that you don't need to rebuild the wheel. 
The tools and battle-tested best practices to smash this bottleneck are already available. Modern CI\u002FCD pipelines, GitOps workflows, and intelligent Kubernetes PaaS approaches allow teams of any size to ship code incredibly fast and perfectly safely. It all works today, without forcing you to carry the crushing operational overhead of running a bare-metal Kubernetes cluster.",[56,19440,19441,19443],{},[109,19442,299],{}," hands you exactly this leverage. Zero operational pain, entirely self-serve, and blazing fast. Your code should reach your users exactly as fast as AI helps you write it. Learn more about lowcloud and securely roll out your first robust deployment today.",{"title":490,"searchDepth":491,"depth":491,"links":19445},[19446,19450,19455,19456,19461,19462,19463],{"id":19136,"depth":491,"text":19137,"children":19447},[19448,19449],{"id":19140,"depth":499,"text":19141},{"id":19159,"depth":499,"text":19160},{"id":19172,"depth":491,"text":19173,"children":19451},[19452,19453,19454],{"id":19176,"depth":499,"text":19177},{"id":19194,"depth":499,"text":19195},{"id":19207,"depth":499,"text":19208},{"id":19219,"depth":491,"text":19220},{"id":19260,"depth":491,"text":19261,"children":19457},[19458,19459,19460],{"id":19264,"depth":499,"text":19265},{"id":19277,"depth":499,"text":19278},{"id":19315,"depth":499,"text":19316},{"id":19329,"depth":491,"text":19330},{"id":19363,"depth":491,"text":19364},{"id":19431,"depth":491,"text":19432},"2026-02-26","AI is fundamentally changing software development. But if you code in real-time and take weeks to deploy, you just shifted the problem. 
Why deployment is the real bottleneck – and how to solve it.",{"src":19467},"\u002Fimages\u002Fblog\u002Fthe_deployment_bottleneck.jpeg",{},{"title":19125,"description":19465},"en\u002F3.blog\u002F9.deployment-bottleneck","Cloud, DevOps, CI\u002FCD, Deployment","jTiDEKS7_sLZ0byCYUUF_usP7YWPvJCfNkgZaf3LLm0",{"id":19474,"title":19475,"authors":19476,"badge":10,"body":19479,"date":20101,"description":20102,"extension":510,"image":20103,"lastUpdated":1520,"meta":20105,"navigation":14,"path":1467,"published":14,"seo":20106,"stem":20107,"tags":20108,"__hash__":20109},"posts\u002Fen\u002F3.blog\u002F8.s3-compatible-object-storage.md","Best S3-Compatible Object Storage Providers (2026 Comparison)",[19477],{"name":13,"to":523,"avatar":19478},{"src":8},{"type":48,"value":19480,"toc":20086},[19481,19488,19511,19515,19528,19533,19536,19540,19543,19547,19552,19563,19577,19580,19584,19598,19602,19611,19618,19622,19633,19636,19641,19648,19652,19663,19666,19671,19678,19682,19696,19699,19704,19715,19719,19736,19741,19756,19763,19767,19777,19780,19784,19790,19799,19808,19813,19822,19826,20022,20026,20031,20045,20049,20063,20070,20074,20077,20080],[56,19482,19483,19484,19487],{},"The S3 API from Amazon Web Services is the de-facto standard for object storage. SDKs, CLI tools, and applications rely heavily on this interface. This remains true even if you don't use AWS directly. At the same time, there are now a whole range of ",[109,19485,19486],{},"S3-compatible object storage solutions"," that work without AWS dependency. We'll break down the available options, how they differ, and when each setup actually makes sense in production.",[56,19489,19490,19493,19494,19496,19497,19499,19500,19503,19504,2283,19507,19510],{},[109,19491,19492],{},"Quick comparison:"," For GDPR-compliant self-hosted setups, ",[109,19495,1328],{}," (Apache 2.0, high I\u002FO) or ",[109,19498,1333],{}," (Rust, lightweight) are the strongest MinIO alternatives today. 
For managed storage in Europe, ",[109,19501,19502],{},"Hetzner Object Storage"," is the simplest GDPR-compliant option. For zero-egress-cost cloud storage, ",[109,19505,19506],{},"Cloudflare R2",[109,19508,19509],{},"Wasabi"," lead for non-EU workloads.",[71,19512,19514],{"id":19513},"what-does-s3-compatibility-mean","What does S3 compatibility mean?",[56,19516,19517,19518,557,19521,557,19524,19527],{},"Amazon S3 (Simple Storage Service) provides an HTTP REST API that has become an industry standard. Tools like ",[554,19519,19520],{},"aws cli",[554,19522,19523],{},"rclone",[554,19525,19526],{},"s3cmd",", and most applications with object storage integration expect exactly this interface.",[56,19529,19530,19532],{},[109,19531,1368],{}," means: A storage system implements the same API and works as a drop-in replacement for AWS S3. Existing tools, clients, and workflows can continue to be used without disruption. You only need to update the endpoint URL and credentials.",[56,19534,19535],{},"This makes switching between local development environments, on-premise clusters, and cloud providers simple, because the same mechanisms apply everywhere.",[71,19537,19539],{"id":19538},"self-hosted-s3-compatible-solutions","Self-hosted S3-compatible solutions",[56,19541,19542],{},"Self-hosted solutions are particularly suitable when compliance requirements or cost control play a role. These are the projects worth taking a closer look at right now:",[187,19544,19546],{"id":19545},"minio","MinIO",[56,19548,19549,19551],{},[109,19550,19546],{}," is the most well-known S3-compatible self-hosted object storage. Written in Go, it is performant and relatively easy to operate.",[56,19553,19554,19555,19558,19559,19562],{},"MinIO has, however, changed its licensing strategy. The Community Edition is under the ",[109,19556,19557],{},"AGPL-3.0 license",", which raises legal questions for commercial use cases. 
In addition, MinIO has shifted to a ",[109,19560,19561],{},"source-only distribution",". Pre-compiled binaries are no longer provided for the open-source version. Production use therefore requires either self-compiling or a commercial license.",[19564,19565,19568],"callout",{"color":19566,"icon":19567},"warning","i-lucide-triangle-alert",[56,19569,19570,19573,19574,415],{},[109,19571,19572],{},"The MinIO Community Edition is no longer maintained."," The GitHub repository was archived in February 2026 and is now read-only. The AGPL-3.0 license remains, but there is no active development, no security patches, and no pre-built binaries for the open-source version. Anyone using MinIO commercially without a paid license is also taking on legal risk. If you're evaluating storage options today, consider ",[60,19575,19576],{"href":1525},"SeaweedFS or Garage as license-friendly, actively maintained alternatives",[56,19578,19579],{},"For existing users, little changes in the short term. However, anyone starting a new evaluation should know the alternatives.",[56,19581,19582],{},[109,19583,202],{},[103,19585,19586,19589,19592,19595],{},[106,19587,19588],{},"Very high S3 API compatibility",[106,19590,19591],{},"Simple installation and operation",[106,19593,19594],{},"Good performance even with large files",[106,19596,19597],{},"Active community and extensive documentation",[187,19599,19601],{"id":19600},"ceph-radosgw","Ceph \u002F RadosGW",[56,19603,19604,19607,19608,415],{},[109,19605,19606],{},"Ceph"," is a distributed storage system that combines object, block, and file storage in one system. The S3-compatible interface is provided by the ",[109,19609,19610],{},"RADOS Gateway (RadosGW)",[56,19612,19613,19614,19617],{},"Ceph is suitable for ",[109,19615,19616],{},"very large amounts of data",", high fault tolerance, and multi-protocol environments. Operation, however, requires solid knowledge and appropriate hardware resources. 
For smaller teams or simpler setups, Ceph is often oversized.",[56,19619,19620],{},[109,19621,202],{},[103,19623,19624,19627,19630],{},[106,19625,19626],{},"Extremely scalable (petabyte range)",[106,19628,19629],{},"Highly available through distributed architecture",[106,19631,19632],{},"Supports S3, Swift, and native Ceph protocol",[187,19634,1333],{"id":19635},"garage",[56,19637,19638,19640],{},[109,19639,1333],{}," is a lightweight, distributed object storage with an S3-compatible API, written in Rust. Garage was developed for scenarios where solutions like Ceph are too complex or resource-hungry.",[56,19642,19643,19644,19647],{},"Garage is optimized for ",[109,19645,19646],{},"geographically distributed setups"," and is well suited for edge deployments or small, decentralized infrastructures. The license is AGPL-3.0, the operation is significantly simpler than with Ceph.",[56,19649,19650],{},[109,19651,202],{},[103,19653,19654,19657,19660],{},[106,19655,19656],{},"Very resource-efficient",[106,19658,19659],{},"Designed for distributed and edge setups",[106,19661,19662],{},"Simple configuration",[187,19664,1328],{"id":19665},"seaweedfs",[56,19667,19668,19670],{},[109,19669,1328],{}," is a distributed object storage with an S3-compatible interface. Originally built for the efficient storage of large amounts of small files, SeaweedFS is now a fully-fledged S3-compatible solution.",[56,19672,19673,19674,19677],{},"Its strength lies in ",[109,19675,19676],{},"high read and write speeds",", particularly when handling many small objects. 
This is an area where Ceph traditionally shows weaknesses.",[56,19679,19680],{},[109,19681,202],{},[103,19683,19684,19687,19690,19693],{},[106,19685,19686],{},"Very high I\u002FO performance, especially with small objects",[106,19688,19689],{},"Erasure coding and replication",[106,19691,19692],{},"Cloud tiering and FUSE mount",[106,19694,19695],{},"Business-friendly Apache 2.0 license",[187,19697,1323],{"id":19698},"rustfs",[56,19700,19701,19703],{},[109,19702,1323],{}," is a newer open-source project that positions itself as an alternative to MinIO written in Rust. Rust brings memory safety without a garbage collector, which translates into low resource consumption and less attack surface for memory errors.",[56,19705,19706,19707,19710,19711,19714],{},"RustFS advertises ",[109,19708,19709],{},"100% S3 API compatibility",", Kubernetes support, and enterprise features such as WORM compliance, active replication, and cross-cloud redundancy. The solution is released under the ",[109,19712,19713],{},"Apache 2.0 license",". 
This bypasses the typical licensing concerns that exist with MinIO (AGPL-3.0) and Garage (AGPL-3.0) in commercial environments.",[56,19716,19717],{},[109,19718,202],{},[103,19720,19721,19724,19727,19730,19733],{},[106,19722,19723],{},"Apache 2.0 license, no AGPL risk",[106,19725,19726],{},"Written in Rust, memory safety without GC",[106,19728,19729],{},"Enterprise features: WORM, cross-cloud replication, versioning",[106,19731,19732],{},"Kubernetes-native architecture, multi-cloud capable",[106,19734,19735],{},"Compact binary (\u003C 100 MB), suitable for edge",[56,19737,19738],{},[109,19739,19740],{},"Limitations:",[103,19742,19743,19750,19753],{},[106,19744,19745,19746,19749],{},"Currently still in ",[109,19747,19748],{},"Alpha stage",", no stable production release",[106,19751,19752],{},"Small community, hardly any independent benchmarks or production experience reports",[106,19754,19755],{},"Long-term stability and maintenance not yet assessable",[56,19757,19758,19759,19762],{},"For productive use today, RustFS is still too early. As a ",[109,19760,19761],{},"MinIO alternative with an Apache license",", however, it is worth keeping an eye on the project.",[71,19764,19766],{"id":19765},"kubernetes-native-approaches","Kubernetes-native approaches",[56,19768,19769,19772,19773],{},[109,19770,19771],{},"Rook"," is a Kubernetes operator that integrates Ceph as a storage backend into the cluster. Deployment, scaling, and recovery run via Kubernetes-native mechanisms. ",[60,19774,19776],{"href":19775},"\u002Fen\u002Fdocs","Deploy Rook on Kubernetes",[56,19778,19779],{},"Rook significantly reduces the complexity of Ceph and makes operations more accessible for Kubernetes-experienced teams. 
The result: an S3-compatible object storage that runs entirely in the cluster, without external infrastructure dependencies.",[71,19781,19783],{"id":19782},"managed-s3-compatible-cloud-providers","Managed S3-compatible Cloud Providers",[56,19785,19786,19787,415],{},"If you don't want to operate your own object storage, you can fall back on ",[109,19788,19789],{},"managed S3-compatible cloud services",[56,19791,19792,19794,19795,19798],{},[109,19793,19506],{}," differs from AWS S3 primarily in that ",[109,19796,19797],{},"no egress costs"," apply. This is relevant for applications with high data output, such as media delivery or publicly accessible files.",[56,19800,19801,19804,19805,19807],{},[109,19802,19803],{},"Backblaze B2"," is an affordable S3-compatible object storage with a transparent pricing model. B2 is often used for backups and natively supported by ",[554,19806,19523],{}," and many backup tools.",[56,19809,19810,19812],{},[109,19811,19509],{}," is a US-based managed object storage provider focused on performance and cost. There are no egress fees and no API request charges — with one condition: free egress applies only when monthly data transfer does not exceed the amount of data stored (1:1 ratio). For typical backup and archiving workloads this is rarely an issue; for high-volume delivery use cases it's worth checking. Note: Wasabi operates under US jurisdiction and is therefore not suitable for strict GDPR compliance without additional contractual measures.",[56,19814,19815,19817,19818,19821],{},[109,19816,19502],{}," runs in three data centers — Falkenstein, Nuremberg (DE) and Helsinki (FI) — and is therefore ",[109,19819,19820],{},"GDPR-compliant"," without additional effort. 
A practical and affordable option for European companies with data sovereignty requirements.",[71,19823,19825],{"id":19824},"comparison-by-criteria","Comparison by Criteria",[1305,19827,19828,19860],{},[1308,19829,19830],{},[1311,19831,19832,19837,19842,19846,19851,19855],{},[1314,19833,19834],{},[109,19835,19836],{},"Solution",[1314,19838,19839],{},[109,19840,19841],{},"Type",[1314,19843,19844],{},[109,19845,1342],{},[1314,19847,19848],{},[109,19849,19850],{},"Operational Effort",[1314,19852,19853],{},[109,19854,18872],{},[1314,19856,19857],{},[109,19858,19859],{},"Best Use Case",[1335,19861,19862,19879,19895,19910,19925,19941,19958,19976,19991,20006],{},[1311,19863,19864,19866,19868,19871,19873,19876],{},[1340,19865,19546],{},[1340,19867,7760],{},[1340,19869,19870],{},"AGPL-3.0 \u002F Commercial",[1340,19872,1445],{},[1340,19874,19875],{},"✅ (On-Prem)",[1340,19877,19878],{},"Allrounder, Dev to Enterprise",[1311,19880,19881,19883,19885,19888,19890,19892],{},[1340,19882,19601],{},[1340,19884,7760],{},[1340,19886,19887],{},"LGPL-2.1 \u002F LGPL-3.0",[1340,19889,1442],{},[1340,19891,19875],{},[1340,19893,19894],{},"Enterprise, large data volumes",[1311,19896,19897,19899,19901,19903,19905,19907],{},[1340,19898,1333],{},[1340,19900,7760],{},[1340,19902,1350],{},[1340,19904,1426],{},[1340,19906,19875],{},[1340,19908,19909],{},"Edge, small distributed setups",[1311,19911,19912,19914,19916,19918,19920,19922],{},[1340,19913,1328],{},[1340,19915,7760],{},[1340,19917,1345],{},[1340,19919,1445],{},[1340,19921,19875],{},[1340,19923,19924],{},"Many small objects, high I\u002FO",[1311,19926,19927,19929,19931,19933,19936,19938],{},[1340,19928,1323],{},[1340,19930,7760],{},[1340,19932,1345],{},[1340,19934,19935],{},"Unclear (Alpha)",[1340,19937,19875],{},[1340,19939,19940],{},"MinIO alternative (still Alpha!)",[1311,19942,19943,19946,19949,19951,19953,19955],{},[1340,19944,19945],{},"Rook + 
Ceph",[1340,19947,19948],{},"Kubernetes-native",[1340,19950,1345],{},[1340,19952,1445],{},[1340,19954,19875],{},[1340,19956,19957],{},"Kubernetes cluster with storage needs",[1311,19959,19960,19962,19965,19968,19970,19973],{},[1340,19961,19506],{},[1340,19963,19964],{},"Managed Cloud",[1340,19966,19967],{},"Proprietary",[1340,19969,16164],{},[1340,19971,19972],{},"⚠️ US Provider",[1340,19974,19975],{},"Public Assets, no egress",[1311,19977,19978,19980,19982,19984,19986,19988],{},[1340,19979,19803],{},[1340,19981,19964],{},[1340,19983,19967],{},[1340,19985,16164],{},[1340,19987,19972],{},[1340,19989,19990],{},"Backup, Archiving",[1311,19992,19993,19995,19997,19999,20001,20003],{},[1340,19994,19509],{},[1340,19996,19964],{},[1340,19998,19967],{},[1340,20000,16164],{},[1340,20002,19972],{},[1340,20004,20005],{},"High-throughput, predictable costs",[1311,20007,20008,20010,20012,20014,20016,20019],{},[1340,20009,19502],{},[1340,20011,19964],{},[1340,20013,19967],{},[1340,20015,16164],{},[1340,20017,20018],{},"✅ EU (DE\u002FFI)",[1340,20020,20021],{},"GDPR-compliant cloud projects",[71,20023,20025],{"id":20024},"when-self-hosted-when-managed","When Self-hosted, when Managed?",[56,20027,20028],{},[109,20029,20030],{},"Self-hosted:",[103,20032,20033,20036,20039,20042],{},[106,20034,20035],{},"Full control over data required",[106,20037,20038],{},"Compliance requirements (BSI, GDPR, NIS2) mandate On-Premise",[106,20040,20041],{},"Existing Kubernetes infrastructure that can be used",[106,20043,20044],{},"Cloud costs exceed operational effort",[56,20046,20047],{},[109,20048,6403],{},[103,20050,20051,20054,20057,20060],{},[106,20052,20053],{},"No Ops team for storage operation available",[106,20055,20056],{},"Scalability without upfront investment required",[106,20058,20059],{},"Time-to-Market is a priority",[106,20061,20062],{},"Non-critical or public data",[56,20064,20065,20066,20069],{},"For European companies with data protection requirements, an 
",[109,20067,20068],{},"EU-based managed provider"," or a self-hosted solution on their own infrastructure is usually an option.",[71,20071,20073],{"id":20072},"whats-next","What's Next?",[56,20075,20076],{},"If you're evaluating S3-compatible storage today, the licensing changes at MinIO are hard to ignore. The good news is that there are solid alternatives. Ceph serves the heavy enterprise workloads, SeaweedFS excels at handling high I\u002FO for small files, and lightweight tools like Garage fill edge-deployment niches. RustFS is definitely the project to keep on your radar for the future.",[56,20078,20079],{},"For Kubernetes environments, Rook + Ceph offers a natively integrated solution. If you want to skip the operational overhead entirely, European managed providers like Hetzner Object Storage are an easy path to check the GDPR compliance box without the headache.",[56,20081,20082,20083,20085],{},"On ",[109,20084,299],{},", Kubernetes workloads run on truly sovereign infrastructure. 
You also have the ability to integrate S3-compatible object storage directly into the platform, completely independent of US hyperscalers.",{"title":490,"searchDepth":491,"depth":491,"links":20087},[20088,20089,20096,20097,20098,20099,20100],{"id":19513,"depth":491,"text":19514},{"id":19538,"depth":491,"text":19539,"children":20090},[20091,20092,20093,20094,20095],{"id":19545,"depth":499,"text":19546},{"id":19600,"depth":499,"text":19601},{"id":19635,"depth":499,"text":1333},{"id":19665,"depth":499,"text":1328},{"id":19698,"depth":499,"text":1323},{"id":19765,"depth":491,"text":19766},{"id":19782,"depth":491,"text":19783},{"id":19824,"depth":491,"text":19825},{"id":20024,"depth":491,"text":20025},{"id":20072,"depth":491,"text":20073},"2026-02-25","Compare the best S3-compatible object storage solutions in 2026: MinIO, Cloudflare R2, Hetzner, Backblaze B2, Wasabi, Garage, Ceph and more — with a comparison table and decision guide for GDPR-compliant and Kubernetes environments.",{"src":20104},"\u002Fimages\u002Fblog\u002Fs3_overview_object_storage.jpeg",{},{"title":19475,"description":20102},"en\u002F3.blog\u002F8.s3-compatible-object-storage","Cloud, Object Storage, Infrastructure","gm1lIbPVJ7N-iA_jgOKIVRqiPWDxDhjTnmn5bAPfeQ0",{"id":20111,"title":20112,"authors":20113,"badge":10,"body":20116,"date":20264,"description":20265,"extension":510,"image":20266,"lastUpdated":12811,"meta":20268,"navigation":14,"path":325,"published":14,"seo":20269,"stem":20270,"tags":10,"__hash__":20271},"posts\u002Fen\u002F3.blog\u002F7.cloud-illusion-digital-sovereignty.md","The Cloud Illusion: Why a Server Location in Germany Doesn’t Guarantee Digital Sovereignty",[20114],{"name":43,"to":44,"avatar":20115},{"src":46},{"type":48,"value":20117,"toc":20258},[20118,20123,20128,20132,20151,20161,20170,20191,20195,20198,20201,20209,20212,20220,20223,20227,20230,20236,20242,20248,20252,20255],[56,20119,20120,20121,415],{},"Many mid-market companies in Germany feel they’ve got it covered. 
The cloud strategy checklist looks complete: data sits in a Frankfurt data center, the provider is ISO-certified, and the contract promises “Hosted in Germany.” But as we explain in detail, ",[60,20122,15269],{"href":5059},[56,20124,20125,20126,415],{},"Yet behind that facade, digital sovereignty often crumbles where it matters most: in legal immunity against extraterritorial access and in technological freedom from ",[60,20127,4986],{"href":333},[71,20129,20131],{"id":20130},"_1-location-vs-access-control-the-cloud-act-dilemma","1. Location vs. Access Control: The Cloud Act Dilemma",[56,20133,20134,20135,20140,20141,20145,20146,20150],{},"A common misconception is that the physical presence of hardware protects data from foreign access. Companies relying on US hyperscalers are subject to the ",[60,20136,20139],{"href":20137,"rel":20138},"https:\u002F\u002Fwww.justice.gov\u002Fcriminal\u002Fcloud-act-resources",[64],"US Cloud Act"," – even when their data resides in Germany. The law requires US companies to hand over data on request, which frequently conflicts with the ",[60,20142,18872],{"href":20143,"rel":20144},"https:\u002F\u002Fwww.bmi.bund.de\u002FSharedDocs\u002Ffaqs\u002FDE\u002Fthemen\u002Fit-digitalpolitik\u002Fdatenschutz\u002Fdatenschutzgrundvo-liste.html",[64],". Since the ",[60,20147,20149],{"href":13880,"rel":20148},[64],"Schrems II"," ruling, it has been clear: a server location in the EU or Germany alone does not meet the high bar for data protection compliance.",[20152,20153,20154],"blockquote",{},[56,20155,20156,20157,20160],{},"For a detailed analysis of this legal conflict, read our article on ",[60,20158,20159],{"href":6023},"Cloud Act vs. 
GDPR"," and the real risks for EU businesses.",[56,20162,20163,20166,20167,20169],{},[109,20164,20165],{},"Real data sovereignty"," means — and ",[60,20168,15386],{"href":14284}," can deliver exactly this:",[103,20171,20172,20177,20186],{},[106,20173,20174,20176],{},[109,20175,16426],{}," No access by third-country authorities.",[106,20178,20179,20182,20183,415],{},[109,20180,20181],{},"Compliance:"," Full alignment with ",[60,20184,20185],{"href":8917},"European standards",[106,20187,20188,20190],{},[109,20189,16438],{}," Full ownership of your tech stack and data.",[71,20192,20194],{"id":20193},"_2-the-overlooked-champions-why-local-cloud-providers-are-often-underestimated","2. The Overlooked Champions: Why Local Cloud Providers Are Often Underestimated",[56,20196,20197],{},"Germany has a strong ecosystem of local infrastructure providers. These sovereign cloud solutions excel in performance, legal certainty, and personal support. But in practice, IT teams face a major hurdle: developer experience (DX).",[56,20199,20200],{},"While US hyperscalers have spent years setting the standard for managed services and one-click deployments, many local providers have lagged behind on usability. DevOps teams are often forced to choose between:",[103,20202,20203],{},[106,20204,20205,20208],{},[109,20206,20207],{},"Speed and convenience:"," Use US tools and accept the risk of legal dependency.",[56,20210,20211],{},"or",[103,20213,20214],{},[106,20215,20216,20219],{},[109,20217,20218],{},"Security and compliance:"," Use local providers, which often means manual configuration, ticket-based processes, and a steep learning curve.",[56,20221,20222],{},"This “DX gap” means developers often push – sometimes unconsciously – toward hyperscalers to keep their workflows fast.",[71,20224,20226],{"id":20225},"_3-the-solution-maximum-sovereignty-without-compromising-usability","3. 
The Solution: Maximum Sovereignty Without Compromising Usability",[56,20228,20229],{},"Data protection and modern software development don't have to be mutually exclusive. At lowcloud, we solve this dilemma. We don’t run our own hardware, but add a highly automated abstraction layer on top of sovereign German infrastructure providers. That connects local hardware with global software standards.",[56,20231,20232,20235],{},[109,20233,20234],{},"Automated deployment:","\nNo more manual provisioning or ticket queues. With lowcloud, you provision sovereign resources automatically with a click or via API – as fast as DevOps teams expect from hyperscalers.",[56,20237,20238,20241],{},[109,20239,20240],{},"Automated management:","\nWe reduce your operational complexity. From scaling to lifecycle management, lowcloud automates the entire management layer so you can focus on your application instead of infrastructure.",[56,20243,20244,20247],{},[109,20245,20246],{},"No vendor lock-in:","\nYou stay fully independent: infrastructure lives directly in your provider account, not ours. With our abstraction layer, you can switch between local providers without rebuilding your toolchain.",[71,20249,20251],{"id":20250},"conclusion-time-for-a-future-proof-cloud-strategy","Conclusion: Time for a Future-Proof Cloud Strategy",[56,20253,20254],{},"Real sovereignty is strategic, not just marketing. 
Companies that choose cloud infrastructure without US ties protect themselves against legal risk and technological dependency.",[56,20256,20257],{},"Our BYOC approach gives you full data ownership – and lets you deploy as fast as with hyperscalers.",{"title":490,"searchDepth":491,"depth":491,"links":20259},[20260,20261,20262,20263],{"id":20130,"depth":491,"text":20131},{"id":20193,"depth":491,"text":20194},{"id":20225,"depth":491,"text":20226},{"id":20250,"depth":491,"text":20251},"2026-02-24","A German data center alone isn’t enough: How the US Cloud Act, Schrems II, and vendor lock-in undermine real data sovereignty – and how lowcloud closes the developer experience gap.",{"src":20267},"\u002Fimages\u002Fblog\u002Fcloud_illusion_vs_real_sovereignty.jpeg",{},{"title":20112,"description":20265},"en\u002F3.blog\u002F7.cloud-illusion-digital-sovereignty","Nz6U4J9dSlpMuPhxDckLmxBVt0DH3d17jepb-Bs0DYE",{"id":20273,"title":20274,"authors":20275,"badge":10,"body":20278,"date":21171,"description":21172,"extension":510,"image":21173,"lastUpdated":1520,"meta":21175,"navigation":14,"path":1542,"published":14,"seo":21176,"stem":21177,"tags":10,"__hash__":21178},"posts\u002Fen\u002F3.blog\u002F6.what-is-kubernetes.md","What Is Kubernetes? 
A Practical Guide to Container Orchestration",[20276],{"name":13,"to":523,"avatar":20277},{"src":8},{"type":48,"value":20279,"toc":21146},[20280,20286,20290,20300,20307,20311,20320,20367,20374,20378,20385,20389,20394,20420,20424,20429,20449,20453,20460,20463,20467,20470,20474,20480,20487,20491,20502,20522,20526,20531,20550,20554,20557,20561,20572,20576,20582,20591,20594,20601,20619,20622,20626,20632,20693,20703,20852,20859,20863,20870,20875,20892,20897,20914,20917,20921,20931,20936,20955,20960,20982,20987,21004,21007,21011,21014,21019,21022,21027,21030,21035,21038,21043,21054,21059,21062,21066,21074,21085,21088,21113,21120,21122,21124,21129,21140,21143],[56,20281,20282,20283,20285],{},"Containers have fundamentally changed how we build and ship software. But once you go from a handful of containers to dozens or hundreds, managing them by hand quickly becomes unsustainable. That's where ",[109,20284,1543],{}," comes in — a platform that automates the management of containerized applications at scale. So what exactly is Kubernetes, how does it work, and when does it actually make sense to use it?",[71,20287,20289],{"id":20288},"the-origins-of-kubernetes","The Origins of Kubernetes",[56,20291,20292,20293,733,20296,20299],{},"Kubernetes was originally developed at Google, drawing on more than 15 years of experience running internal systems like ",[109,20294,20295],{},"Borg",[109,20297,20298],{},"Omega",", which orchestrate millions of containers across Google's data centers. It was open-sourced in 2014 and donated to the Cloud Native Computing Foundation (CNCF) in 2015. Today, Kubernetes has become the de facto standard for container orchestration and is actively maintained by a large community of developers, companies, and cloud providers.",[56,20301,20302,20303,20306],{},"The name \"Kubernetes\" comes from Greek and means \"helmsman\" or \"pilot\" — a fitting metaphor for a platform that steers containers through complex infrastructure. 
The project is commonly abbreviated as ",[109,20304,20305],{},"K8s"," (K, followed by eight letters, followed by s).",[71,20308,20310],{"id":20309},"the-problem-kubernetes-solves","The Problem Kubernetes Solves",[56,20312,20313,20314,20319],{},"Before container orchestration became widespread, deploying applications was often tedious and error-prone. Docker made containers popular, but ",[109,20315,20316,20318],{},[60,20317,2156],{"href":2179}," alone"," falls short once applications need to run across multiple servers. Development and DevOps teams then face challenges such as:",[103,20321,20322,20328,20334,20340,20345,20350,20355],{},[106,20323,20324,20327],{},[109,20325,20326],{},"Distributing containers"," across multiple servers (nodes)",[106,20329,20330,20333],{},[109,20331,20332],{},"Load balancing"," between container instances",[106,20335,20336,20339],{},[109,20337,20338],{},"Automatically restarting"," failed containers",[106,20341,20342,20344],{},[109,20343,7422],{}," under increased load",[106,20346,20347,20349],{},[109,20348,9743],{}," with zero downtime",[106,20351,20352,20354],{},[109,20353,9737],{}," and network configuration",[106,20356,20357,20360,20361,2283,20364,5903],{},[109,20358,20359],{},"Storage management"," for persistent data (e.g., ",[60,20362,20363],{"href":3634},"deploying PostgreSQL with Helm charts",[60,20365,20366],{"href":1525},"self-hosted object storage like SeaweedFS and Garage",[56,20368,20369,20370,20373],{},"Handling all of this manually is not only time-consuming but also error-prone. Kubernetes automates these processes through a ",[109,20371,20372],{},"declarative API"," that lets developers describe the desired state of their application while Kubernetes takes care of the rest.",[71,20375,20377],{"id":20376},"how-does-kubernetes-work-the-core-architecture","How Does Kubernetes Work? 
The Core Architecture",[56,20379,20380,20381,20384],{},"Kubernetes organizes resources into ",[109,20382,20383],{},"clusters"," made up of multiple servers, either physical or virtual. A cluster consists of two main components:",[187,20386,20388],{"id":20387},"control-plane-the-brain-of-the-cluster","Control Plane: The Brain of the Cluster",[56,20390,1701,20391,20393],{},[109,20392,5501],{}," is the management layer of Kubernetes and makes all scheduling and orchestration decisions for the cluster. It includes several components:",[103,20395,20396,20402,20408,20414],{},[106,20397,20398,20401],{},[109,20399,20400],{},"API Server",": The central communication hub through which all requests are routed",[106,20403,20404,20407],{},[109,20405,20406],{},"Scheduler",": Decides which node a new Pod should be placed on",[106,20409,20410,20413],{},[109,20411,20412],{},"Controller Manager",": Monitors the cluster state and reconciles it with the desired state",[106,20415,20416,20419],{},[109,20417,20418],{},"etcd",": A distributed key-value store that holds the entire cluster state",[187,20421,20423],{"id":20422},"worker-nodes-where-the-work-happens","Worker Nodes: Where the Work Happens",[56,20425,20426,20428],{},[109,20427,5507],{}," are the servers that actually run your containers. Each node runs the following components:",[103,20430,20431,20437,20443],{},[106,20432,20433,20436],{},[109,20434,20435],{},"Kubelet",": An agent that communicates with the Control Plane and manages containers on the node",[106,20438,20439,20442],{},[109,20440,20441],{},"Container Runtime",": The software that runs containers (e.g., containerd or CRI-O)",[106,20444,20445,20448],{},[109,20446,20447],{},"Kube-proxy",": Manages network rules and enables communication between Pods",[187,20450,20452],{"id":20451},"the-desired-state-model","The Desired State Model",[56,20454,20455,20456,20459],{},"At the heart of Kubernetes is the ",[109,20457,20458],{},"desired state model",". 
Rather than issuing imperative commands (\"start three containers on server A\"), you describe the state you want (\"I want three instances of my application running\"). Kubernetes continuously monitors the actual state and automatically reconciles it with the desired state.",[56,20461,20462],{},"For example, if a container crashes, Kubernetes detects the discrepancy and automatically starts a new container to restore the desired state — without any manual intervention.",[71,20464,20466],{"id":20465},"key-kubernetes-concepts","Key Kubernetes Concepts",[56,20468,20469],{},"To work with Kubernetes effectively, you need to understand a few core concepts:",[187,20471,20473],{"id":20472},"pods-the-smallest-unit","Pods — The Smallest Unit",[56,20475,7445,20476,20479],{},[109,20477,20478],{},"Pod"," is the smallest deployable unit in Kubernetes. A Pod contains one or more containers that share networking and storage. In most cases, a Pod runs a single container, but there are scenarios (e.g., the sidecar pattern) where multiple containers need to work closely together.",[56,20481,20482,20483,20486],{},"Pods are ",[109,20484,20485],{},"ephemeral",", meaning they can be deleted and recreated at any time. Kubernetes does not guarantee that a Pod will be rescheduled on the same node or retain the same IP address.",[187,20488,20490],{"id":20489},"services-stable-network-endpoints","Services — Stable Network Endpoints",[56,20492,20493,20494,20497,20498,20501],{},"Since Pods are short-lived, you need a stable way to reach them. ",[109,20495,20496],{},"Services"," provide a consistent IP address and DNS name, automatically routing traffic to the appropriate Pods. 
Services act as ",[109,20499,20500],{},"load balancers"," and come in several types:",[103,20503,20504,20510,20516],{},[106,20505,20506,20509],{},[109,20507,20508],{},"ClusterIP",": Internal access within the cluster",[106,20511,20512,20515],{},[109,20513,20514],{},"NodePort",": External access via a port on each node",[106,20517,20518,20521],{},[109,20519,20520],{},"LoadBalancer",": Integration with cloud load balancers",[187,20523,20525],{"id":20524},"deployments-declarative-management","Deployments — Declarative Management",[56,20527,7445,20528,20530],{},[109,20529,2755],{}," defines how many replicas of an application should run and which container image to use. Deployments enable:",[103,20532,20533,20539,20544],{},[106,20534,20535,20538],{},[109,20536,20537],{},"Declarative updates",": Changing the desired state in a YAML file",[106,20540,20541,20543],{},[109,20542,9743],{},": Gradually replacing old Pods with new ones",[106,20545,20546,20549],{},[109,20547,20548],{},"Rollbacks",": Reverting to a previous version if something goes wrong",[71,20551,20553],{"id":20552},"what-can-kubernetes-do-core-features","What Can Kubernetes Do? Core Features",[56,20555,20556],{},"Kubernetes provides a wide range of features that simplify the management of containerized applications:",[187,20558,20560],{"id":20559},"self-healing-and-high-availability","Self-Healing and High Availability",[56,20562,20563,20564,20567,20568,20571],{},"Kubernetes continuously monitors the health of all Pods. If a Pod fails, a new one is automatically started. If a Pod stops responding to ",[109,20565,20566],{},"health checks"," (liveness and readiness probes), it is either restarted or removed from load balancing. 
This ensures high ",[109,20569,20570],{},"availability"," without manual intervention.",[187,20573,20575],{"id":20574},"automatic-scaling","Automatic Scaling",[56,20577,1701,20578,20581],{},[109,20579,20580],{},"Horizontal Pod Autoscaler"," allows Kubernetes to automatically adjust the number of Pod replicas based on CPU usage, memory consumption, or custom metrics. As load increases, new Pods are added; as it decreases, they are removed.",[56,20583,1701,20584,20587,20588,20590],{},[109,20585,20586],{},"Vertical Pod Autoscaler"," adjusts the resource requests of individual Pods, while the ",[109,20589,5556],{}," adds new nodes to the cluster when needed.",[187,20592,20593],{"id":4262},"Rolling Updates and Rollbacks",[56,20595,20596,20597,20600],{},"Deployments support ",[109,20598,20599],{},"rolling updates",", where new versions are gradually rolled out while old versions continue to serve traffic. If issues arise, changes can be reverted with a single command:",[598,20602,20604],{"className":600,"code":20603,"language":602,"meta":490,"style":490},"kubectl rollout undo deployment\u002Fmy-app\n",[554,20605,20606],{"__ignoreMap":490},[606,20607,20608,20610,20613,20616],{"class":608,"line":609},[606,20609,1570],{"class":618},[606,20611,20612],{"class":622}," rollout",[606,20614,20615],{"class":622}," undo",[606,20617,20618],{"class":622}," deployment\u002Fmy-app\n",[56,20620,20621],{},"This strategy minimizes downtime and reduces the risk of faulty deployments.",[71,20623,20625],{"id":20624},"kubectl-and-yaml-kubernetes-in-practice","kubectl and YAML: Kubernetes in Practice",[56,20627,20628,20629,20631],{},"Interaction with Kubernetes primarily happens through ",[109,20630,1570],{},", the command-line tool for Kubernetes. 
It lets developers create, inspect, modify, and delete resources:",[598,20633,20635],{"className":600,"code":20634,"language":602,"meta":490,"style":490},"# List Pods\nkubectl get pods\n\n# View Pod logs\nkubectl logs my-pod\n\n# Port-forward for local debugging\nkubectl port-forward my-pod 8080:80\n",[554,20636,20637,20642,20652,20656,20661,20671,20675,20680],{"__ignoreMap":490},[606,20638,20639],{"class":608,"line":609},[606,20640,20641],{"class":612},"# List Pods\n",[606,20643,20644,20646,20649],{"class":608,"line":491},[606,20645,1570],{"class":618},[606,20647,20648],{"class":622}," get",[606,20650,20651],{"class":622}," pods\n",[606,20653,20654],{"class":608,"line":499},[606,20655,647],{"emptyLinePlaceholder":14},[606,20657,20658],{"class":608,"line":650},[606,20659,20660],{"class":612},"# View Pod logs\n",[606,20662,20663,20665,20668],{"class":608,"line":672},[606,20664,1570],{"class":618},[606,20666,20667],{"class":622}," logs",[606,20669,20670],{"class":622}," my-pod\n",[606,20672,20673],{"class":608,"line":688},[606,20674,647],{"emptyLinePlaceholder":14},[606,20676,20677],{"class":608,"line":699},[606,20678,20679],{"class":612},"# Port-forward for local debugging\n",[606,20681,20682,20684,20687,20690],{"class":608,"line":709},[606,20683,1570],{"class":618},[606,20685,20686],{"class":622}," port-forward",[606,20688,20689],{"class":622}," my-pod",[606,20691,20692],{"class":622}," 8080:80\n",[56,20694,20695,20696,20699,20700,20702],{},"Kubernetes resources are typically defined in ",[109,20697,20698],{},"YAML files"," that describe the desired state — though as complexity grows, tools like Helm, Kustomize, and CRDs can ",[60,20701,15680],{"href":2108}," significantly. 
Here's a simple example of a Deployment:",[598,20704,20706],{"className":1592,"code":20705,"language":1594,"meta":490,"style":490},"apiVersion: apps\u002Fv1\nkind: Deployment\nmetadata:\n  name: my-app\nspec:\n  replicas: 3\n  selector:\n    matchLabels:\n      app: my-app\n  template:\n    metadata:\n      labels:\n        app: my-app\n    spec:\n      containers:\n        - name: my-app\n          image: my-app:1.0\n          ports:\n            - containerPort: 8080\n",[554,20707,20708,20716,20724,20730,20738,20744,20752,20758,20764,20772,20778,20785,20792,20801,20807,20813,20823,20832,20839],{"__ignoreMap":490},[606,20709,20710,20712,20714],{"class":608,"line":609},[606,20711,1602],{"class":1601},[606,20713,1605],{"class":629},[606,20715,1776],{"class":622},[606,20717,20718,20720,20722],{"class":608,"line":491},[606,20719,1613],{"class":1601},[606,20721,1605],{"class":629},[606,20723,1785],{"class":622},[606,20725,20726,20728],{"class":608,"line":499},[606,20727,1790],{"class":1601},[606,20729,1630],{"class":629},[606,20731,20732,20734,20736],{"class":608,"line":650},[606,20733,1797],{"class":1601},[606,20735,1605],{"class":629},[606,20737,1802],{"class":622},[606,20739,20740,20742],{"class":608,"line":672},[606,20741,1807],{"class":1601},[606,20743,1630],{"class":629},[606,20745,20746,20748,20750],{"class":608,"line":688},[606,20747,1814],{"class":1601},[606,20749,1605],{"class":629},[606,20751,1819],{"class":1237},[606,20753,20754,20756],{"class":608,"line":699},[606,20755,3155],{"class":1601},[606,20757,1630],{"class":629},[606,20759,20760,20762],{"class":608,"line":709},[606,20761,3162],{"class":1601},[606,20763,1630],{"class":629},[606,20765,20766,20768,20770],{"class":608,"line":720},[606,20767,5633],{"class":1601},[606,20769,1605],{"class":629},[606,20771,1802],{"class":622},[606,20773,20774,20776],{"class":608,"line":859},[606,20775,3182],{"class":1601},[606,20777,1630],{"class":629},[606,20779,20780,20783],{"class":608,"line":875},[606,20781,20782],{"cl
ass":1601},"    metadata",[606,20784,1630],{"class":629},[606,20786,20787,20790],{"class":608,"line":889},[606,20788,20789],{"class":1601},"      labels",[606,20791,1630],{"class":629},[606,20793,20794,20797,20799],{"class":608,"line":898},[606,20795,20796],{"class":1601},"        app",[606,20798,1605],{"class":629},[606,20800,1802],{"class":622},[606,20802,20803,20805],{"class":608,"line":912},[606,20804,3189],{"class":1601},[606,20806,1630],{"class":629},[606,20808,20809,20811],{"class":608,"line":917},[606,20810,3196],{"class":1601},[606,20812,1630],{"class":629},[606,20814,20815,20817,20819,20821],{"class":608,"line":923},[606,20816,3203],{"class":629},[606,20818,1871],{"class":1601},[606,20820,1605],{"class":629},[606,20822,1802],{"class":622},[606,20824,20825,20827,20829],{"class":608,"line":939},[606,20826,3219],{"class":1601},[606,20828,1605],{"class":629},[606,20830,20831],{"class":622}," my-app:1.0\n",[606,20833,20834,20837],{"class":608,"line":953},[606,20835,20836],{"class":1601},"          ports",[606,20838,1630],{"class":629},[606,20840,20841,20844,20847,20849],{"class":608,"line":1116},[606,20842,20843],{"class":629},"            -",[606,20845,20846],{"class":1601}," containerPort",[606,20848,1605],{"class":629},[606,20850,20851],{"class":1237}," 8080\n",[56,20853,20854,20855,20858],{},"Running ",[554,20856,20857],{},"kubectl apply -f deployment.yaml"," applies this configuration to the cluster.",[71,20860,20862],{"id":20861},"when-is-kubernetes-worth-it","When Is Kubernetes Worth It?",[56,20864,20865,20866,20869],{},"Despite its benefits, Kubernetes isn't the right choice for every project. 
The platform comes with significant ",[109,20867,20868],{},"complexity"," and requires both a learning investment and operational expertise.",[56,20871,20872],{},[109,20873,20874],{},"Kubernetes is a good fit when:",[103,20876,20877,20880,20883,20886,20889],{},[106,20878,20879],{},"You need to orchestrate multiple container-based services",[106,20881,20882],{},"High availability and automatic scaling are important",[106,20884,20885],{},"You're pursuing a multi-cloud or hybrid cloud strategy",[106,20887,20888],{},"Your team already has container experience",[106,20890,20891],{},"You need a standardized platform for diverse workloads",[56,20893,20894],{},[109,20895,20896],{},"Kubernetes is overkill when:",[103,20898,20899,20902,20905,20911],{},[106,20900,20901],{},"You're running a single, simple application",[106,20903,20904],{},"Your team lacks the resources to build Kubernetes expertise",[106,20906,20907,20910],{},[60,20908,20909],{"href":4315},"Docker Compose or simpler orchestration"," tools are sufficient",[106,20912,20913],{},"You prefer a serverless architecture",[56,20915,20916],{},"An honest assessment of your requirements and resources is essential. 
Not every project needs the full feature set of Kubernetes.",[71,20918,20920],{"id":20919},"kubernetes-distributions-and-managed-services","Kubernetes Distributions and Managed Services",[56,20922,20923,20924,733,20927,20930],{},"Kubernetes is an open-source project, but there are numerous ",[109,20925,20926],{},"distributions",[109,20928,20929],{},"managed services"," that simplify getting started and day-to-day operations:",[56,20932,20933],{},[109,20934,20935],{},"For local development:",[103,20937,20938,20944,20949],{},[106,20939,20940,20943],{},[109,20941,20942],{},"Minikube",": Lightweight Kubernetes for developers",[106,20945,20946,20948],{},[109,20947,1613],{}," (Kubernetes in Docker): Fast local clusters",[106,20950,20951,20954],{},[109,20952,20953],{},"K3s",": Lightweight distribution for edge, IoT, and resource-constrained clusters",[56,20956,20957],{},[109,20958,20959],{},"Managed Kubernetes in the cloud:",[103,20961,20962,20967,20972,20977],{},[106,20963,20964],{},[109,20965,20966],{},"Google Kubernetes Engine (GKE)",[106,20968,20969],{},[109,20970,20971],{},"Amazon Elastic Kubernetes Service (EKS)",[106,20973,20974],{},[109,20975,20976],{},"Azure Kubernetes Service (AKS)",[106,20978,20979],{},[109,20980,20981],{},"DigitalOcean Kubernetes",[56,20983,20984],{},[109,20985,20986],{},"Enterprise distributions:",[103,20988,20989,20994,20999],{},[106,20990,20991],{},[109,20992,20993],{},"Red Hat OpenShift",[106,20995,20996],{},[109,20997,20998],{},"Rancher",[106,21000,21001],{},[109,21002,21003],{},"VMware Tanzu",[56,21005,21006],{},"Managed services handle Control Plane management and significantly reduce operational overhead, allowing teams to focus on their applications rather than maintaining clusters.",[71,21008,21010],{"id":21009},"getting-started-with-your-first-kubernetes-cluster","Getting Started with Your First Kubernetes Cluster",[56,21012,21013],{},"Getting into Kubernetes doesn't have to be overwhelming. 
A pragmatic approach might look like this:",[56,21015,21016],{},[109,21017,21018],{},"Step 1: Experiment locally",[56,21020,21021],{},"Install Minikube or kind and try out simple Deployments. Get familiar with Pods, Services, and Deployments in a safe local environment.",[56,21023,21024],{},[109,21025,21026],{},"Step 2: Work through tutorials",[56,21028,21029],{},"The official Kubernetes documentation offers excellent tutorials. Work through them and build simple applications to reinforce your understanding.",[56,21031,21032],{},[109,21033,21034],{},"Step 3: Use a managed service",[56,21036,21037],{},"For production workloads, a managed Kubernetes service is recommended. The setup complexity is much lower, letting you focus on deploying your applications.",[56,21039,21040],{},[109,21041,21042],{},"Step 4: Set up monitoring and logging",[56,21044,21045,21046,21049,21050,21053],{},"Implement ",[60,21047,21048],{"href":4125},"monitoring with Prometheus and Grafana"," and centralized logging (e.g., Loki stack or EFK with Fluent Bit) from the start. Observability is critical in distributed systems — and especially so when ",[60,21051,21052],{"href":4193},"running AI agent workloads on Kubernetes",", where the Reason-Act loop and tool calls add new tracing requirements.",[56,21055,21056],{},[109,21057,21058],{},"Step 5: Adopt GitOps and CI\u002FCD",[56,21060,21061],{},"Automate deployments with GitOps tools like ArgoCD or Flux, and integrate Kubernetes into your CI\u002FCD pipeline.",[71,21063,21065],{"id":21064},"kubernetes-as-a-foundation-for-paas-platforms","Kubernetes as a Foundation for PaaS Platforms",[56,21067,21068,21069,21073],{},"Kubernetes is capable but complex. Many organizations want the benefits of container orchestration without having to deal with the operational overhead of running Kubernetes themselves. 
This is exactly where modern ",[109,21070,21071],{},[60,21072,81],{"href":8329}," solutions come in.",[56,21075,21076,21077,21080,21081,21084],{},"These platforms build on top of Kubernetes and provide an abstraction layer that gives developers a ",[109,21078,21079],{},"Heroku-like deployment experience"," — push your code with ",[554,21082,21083],{},"git push"," and it's live in production — while leveraging Kubernetes' reliability and scalability under the hood. Teams get self-service access to resources without needing to write YAML files or understand cluster internals.",[56,21086,21087],{},"Kubernetes-based PaaS solutions combine the best of both worlds:",[103,21089,21090,21096,21102,21107],{},[106,21091,1701,21092,21095],{},[109,21093,21094],{},"standardization and portability"," of Kubernetes",[106,21097,1701,21098,21101],{},[109,21099,21100],{},"developer experience"," of a streamlined deployment platform",[106,21103,21104,21106],{},[109,21105,10081],{}," through operation on your own infrastructure",[106,21108,21109,21112],{},[109,21110,21111],{},"Cost efficiency"," through multi-tenancy and optimized resource utilization",[56,21114,21115,21116,21119],{},"For teams that want Kubernetes benefits without Kubernetes complexity, a PaaS platform is often the most pragmatic path. For teams that want to skip YAML entirely, ",[60,21117,21118],{"href":8155},"zero-config Kubernetes platforms"," offer sensible defaults out of the box. You get automatic scaling, self-healing, and declarative management — without needing to build a dedicated Kubernetes operations team.",[479,21121],{},[71,21123,2102],{"id":2101},[56,21125,21126,21128],{},[109,21127,1543],{}," has shaped how modern cloud-native applications are operated and has become an industry standard. The platform offers a comprehensive set of features for orchestration, scaling, and self-healing. 
At the same time, its complexity should not be underestimated — Kubernetes is a sophisticated tool that requires careful planning and expertise.",[56,21130,21131,21132,21135,21136,21139],{},"For teams running complex, distributed applications with the resources to support it, Kubernetes is an excellent choice. Our ",[60,21133,21134],{"href":2728},"step-by-step Kubernetes migration guide"," provides a structured approach for teams ready to make the transition. For smaller projects or teams without dedicated DevOps capacity, simpler alternatives or abstracted ",[60,21137,21138],{"href":80},"PaaS platforms"," may be the better option.",[56,21141,21142],{},"The question isn't \"Do I need Kubernetes?\" but rather \"Do I need the benefits of container orchestration, and if so, at what level of abstraction?\" The answer determines whether you work with Kubernetes directly or use a platform that pairs Kubernetes capabilities with developer-friendly workflows.",[1499,21144,21145],{},"html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: 
var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sbssI, html code.shiki 
.sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}",{"title":490,"searchDepth":491,"depth":491,"links":21147},[21148,21149,21150,21155,21160,21165,21166,21167,21168,21169,21170],{"id":20288,"depth":491,"text":20289},{"id":20309,"depth":491,"text":20310},{"id":20376,"depth":491,"text":20377,"children":21151},[21152,21153,21154],{"id":20387,"depth":499,"text":20388},{"id":20422,"depth":499,"text":20423},{"id":20451,"depth":499,"text":20452},{"id":20465,"depth":491,"text":20466,"children":21156},[21157,21158,21159],{"id":20472,"depth":499,"text":20473},{"id":20489,"depth":499,"text":20490},{"id":20524,"depth":499,"text":20525},{"id":20552,"depth":491,"text":20553,"children":21161},[21162,21163,21164],{"id":20559,"depth":499,"text":20560},{"id":20574,"depth":499,"text":20575},{"id":4262,"depth":499,"text":20593},{"id":20624,"depth":491,"text":20625},{"id":20861,"depth":491,"text":20862},{"id":20919,"depth":491,"text":20920},{"id":21009,"depth":491,"text":21010},{"id":21064,"depth":491,"text":21065},{"id":2101,"depth":491,"text":2102},"2026-02-23","What is Kubernetes and how does container orchestration work? 
Learn about K8s architecture, Pods, Services, auto-scaling, and when Kubernetes is the right fit for your project.",{"src":21174},"\u002Fimages\u002Fblog\u002Fwhat_is_kubernetes.jpeg",{},{"title":20274,"description":21172},"en\u002F3.blog\u002F6.what-is-kubernetes","imLLQzT3wbW3a1CNp_k0hYxBHdq1nekZDMm8O7kEjqU",{"id":21180,"title":21181,"authors":21182,"badge":10,"body":21188,"date":22580,"description":22581,"extension":510,"image":22582,"lastUpdated":15743,"meta":22584,"navigation":14,"path":22585,"published":14,"seo":22586,"stem":22587,"tags":10,"__hash__":22588},"posts\u002Fen\u002F3.blog\u002F5.self-host-docmost-with-docker-and-traefik.md","Self-Host Docmost with Docker Compose and Traefik: Complete Guide",[21183],{"name":21184,"to":21185,"avatar":21186},"Florian Karbus","\u002Fabout\u002Ffloriankarbus",{"src":21187},"\u002Fimages\u002Fblog\u002Fauthors\u002Fflorian.png",{"type":48,"value":21189,"toc":22561},[21190,21194,21201,21205,21208,21240,21244,21249,21255,21261,21267,21271,21274,21309,21312,21316,21319,21345,21348,21354,21357,21361,21364,21386,21390,21393,21409,21413,21416,21436,21442,21631,21637,21778,21781,21813,21816,21834,21838,21841,21852,21855,21874,21880,22311,22324,22328,22331,22350,22354,22357,22371,22374,22388,22391,22395,22401,22412,22416,22420,22423,22453,22457,22477,22481,22484,22495,22500,22505,22527,22530,22536,22545,22547,22558],[51,21191,21193],{"id":21192},"self-host-docmost-your-private-documentation-platform","Self-Host Docmost: Your Private Documentation Platform",[56,21195,21196,21197,21200],{},"Cloud-based documentation tools like Notion or Confluence store your sensitive data on third-party servers, often outside the EU. The solution? Self-hosting ",[109,21198,21199],{},"Docmost"," – an open-source platform that gives you full control. 
In this guide, we'll set up Docmost with Docker Compose and Traefik.",[71,21202,21204],{"id":21203},"what-is-docmost","What is Docmost?",[56,21206,21207],{},"Docmost is a modern, open-source documentation and wiki platform. Think of it as a self-hosted alternative to Notion or Confluence. It offers:",[103,21209,21210,21216,21222,21228,21234],{},[106,21211,21212,21215],{},[109,21213,21214],{},"Real-time collaboration",": Multiple users can edit documents simultaneously",[106,21217,21218,21221],{},[109,21219,21220],{},"Nested pages",": Organize your documentation in a hierarchical structure",[106,21223,21224,21227],{},[109,21225,21226],{},"Rich text editor",": A powerful WYSIWYG editor with markdown support",[106,21229,21230,21233],{},[109,21231,21232],{},"Workspaces",": Separate spaces for different teams or projects",[106,21235,21236,21239],{},[109,21237,21238],{},"Full-text search",": Find any document instantly",[187,21241,21243],{"id":21242},"why-self-host-docmost","Why Self-Host Docmost?",[56,21245,21246,21248],{},[109,21247,18460],{},": Your documentation contains sensitive business information. Self-hosting ensures this data never leaves your infrastructure.",[56,21250,21251,21254],{},[109,21252,21253],{},"GDPR Compliance",": By hosting in Germany or the EU, you maintain full compliance with data protection regulations.",[56,21256,21257,21260],{},[109,21258,21259],{},"No Vendor Lock-in",": You own your data and can migrate or back it up whenever you want.",[56,21262,21263,21266],{},[109,21264,21265],{},"Cost Savings",": No per-user pricing. 
Host unlimited users on your own server.",[71,21268,21270],{"id":21269},"technical-requirements","Technical Requirements",[56,21272,21273],{},"Before we start, make sure you have:",[103,21275,21276,21283,21300,21306],{},[106,21277,21278,21279,21282],{},"A server or VPS with at least ",[109,21280,21281],{},"2 GB RAM"," (4 GB recommended)",[106,21284,21285,733,21289,21293,21294,5903],{},[109,21286,21287],{},[60,21288,2156],{"href":2179},[109,21290,21291],{},[60,21292,2625],{"href":2333}," installed (",[60,21295,21299],{"href":21296,":target":21297,"rel":21298},"https:\u002F\u002Fdocs.docker.com\u002Fengine\u002Finstall\u002F","\\_blank",[64],"official installation guide",[106,21301,7445,21302,21305],{},[109,21303,21304],{},"domain name"," pointing to your server",[106,21307,21308],{},"Basic knowledge of the command line",[56,21310,21311],{},"For this tutorial, we'll use a Hetzner Cloud server, but any VPS provider works.",[71,21313,21315],{"id":21314},"understanding-the-architecture","Understanding the Architecture",[56,21317,21318],{},"Our setup consists of four main components:",[3976,21320,21321,21326,21333,21339],{},[106,21322,21323,21325],{},[109,21324,21199],{},": The main application",[106,21327,21328,21332],{},[109,21329,21330],{},[60,21331,3635],{"href":3634},": Database for storing all documentation data",[106,21334,21335,21338],{},[109,21336,21337],{},"Redis",": Cache and session storage for better performance",[106,21340,21341,21344],{},[109,21342,21343],{},"Traefik",": Reverse proxy handling SSL certificates and routing",[56,21346,21347],{},"Here's how they work together:",[598,21349,21352],{"className":21350,"code":21351,"language":1696},[1694],"Internet → Traefik (SSL) → Docmost → PostgreSQL\u002FRedis\n",[554,21353,21351],{"__ignoreMap":490},[56,21355,21356],{},"Traefik automatically obtains Let's Encrypt SSL certificates, so your documentation is always served over HTTPS.",[71,21358,21360],{"id":21359},"step-1-prepare-your-server","Step 1: Prepare 
Your Server",[56,21362,21363],{},"First, connect to your server via SSH and create a directory for Docmost:",[598,21365,21367],{"className":600,"code":21366,"language":602,"meta":490,"style":490},"mkdir -p ~\u002Fdocmost\ncd ~\u002Fdocmost\n",[554,21368,21369,21378],{"__ignoreMap":490},[606,21370,21371,21373,21375],{"class":608,"line":609},[606,21372,619],{"class":618},[606,21374,623],{"class":622},[606,21376,21377],{"class":622}," ~\u002Fdocmost\n",[606,21379,21380,21384],{"class":608,"line":491},[606,21381,21383],{"class":21382},"s2Zo4","cd",[606,21385,21377],{"class":622},[71,21387,21389],{"id":21388},"step-2-create-the-docker-network","Step 2: Create the Docker Network",[56,21391,21392],{},"Traefik needs a shared network to communicate with Docmost:",[598,21394,21396],{"className":600,"code":21395,"language":602,"meta":490,"style":490},"docker network create web\n",[554,21397,21398],{"__ignoreMap":490},[606,21399,21400,21402,21404,21406],{"class":608,"line":609},[606,21401,653],{"class":618},[606,21403,794],{"class":622},[606,21405,797],{"class":622},[606,21407,21408],{"class":622}," web\n",[71,21410,21412],{"id":21411},"step-3-set-up-traefik","Step 3: Set Up Traefik",[56,21414,21415],{},"Create a directory for Traefik and its configuration:",[598,21417,21419],{"className":600,"code":21418,"language":602,"meta":490,"style":490},"mkdir -p ~\u002Ftraefik\ncd ~\u002Ftraefik\n",[554,21420,21421,21430],{"__ignoreMap":490},[606,21422,21423,21425,21427],{"class":608,"line":609},[606,21424,619],{"class":618},[606,21426,623],{"class":622},[606,21428,21429],{"class":622}," ~\u002Ftraefik\n",[606,21431,21432,21434],{"class":608,"line":491},[606,21433,21383],{"class":21382},[606,21435,21429],{"class":622},[56,21437,21438,21439,1605],{},"Create the Traefik configuration file ",[554,21440,21441],{},"traefik.yml",[598,21443,21445],{"className":1592,"code":21444,"language":1594,"meta":490,"style":490},"entryPoints:\n  web:\n    address: ':80'\n    http:\n      redirections:\n  
      entryPoint:\n          to: websecure\n          scheme: https\n  websecure:\n    address: ':443'\n\ncertificatesResolvers:\n  letsencrypt:\n    acme:\n      email: your-email@example.com\n      storage: \u002Fletsencrypt\u002Facme.json\n      httpChallenge:\n        entryPoint: web\n\nproviders:\n  docker:\n    exposedByDefault: false\n    network: web\n",[554,21446,21447,21454,21461,21475,21481,21488,21495,21505,21515,21522,21535,21539,21546,21553,21560,21570,21580,21587,21595,21599,21606,21613,21622],{"__ignoreMap":490},[606,21448,21449,21452],{"class":608,"line":609},[606,21450,21451],{"class":1601},"entryPoints",[606,21453,1630],{"class":629},[606,21455,21456,21459],{"class":608,"line":491},[606,21457,21458],{"class":1601},"  web",[606,21460,1630],{"class":629},[606,21462,21463,21466,21468,21470,21473],{"class":608,"line":499},[606,21464,21465],{"class":1601},"    address",[606,21467,1605],{"class":629},[606,21469,14493],{"class":629},[606,21471,21472],{"class":622},":80",[606,21474,14499],{"class":629},[606,21476,21477,21479],{"class":608,"line":650},[606,21478,3365],{"class":1601},[606,21480,1630],{"class":629},[606,21482,21483,21486],{"class":608,"line":672},[606,21484,21485],{"class":1601},"      redirections",[606,21487,1630],{"class":629},[606,21489,21490,21493],{"class":608,"line":688},[606,21491,21492],{"class":1601},"        entryPoint",[606,21494,1630],{"class":629},[606,21496,21497,21500,21502],{"class":608,"line":699},[606,21498,21499],{"class":1601},"          to",[606,21501,1605],{"class":629},[606,21503,21504],{"class":622}," websecure\n",[606,21506,21507,21510,21512],{"class":608,"line":709},[606,21508,21509],{"class":1601},"          scheme",[606,21511,1605],{"class":629},[606,21513,21514],{"class":622}," https\n",[606,21516,21517,21520],{"class":608,"line":720},[606,21518,21519],{"class":1601},"  
websecure",[606,21521,1630],{"class":629},[606,21523,21524,21526,21528,21530,21533],{"class":608,"line":859},[606,21525,21465],{"class":1601},[606,21527,1605],{"class":629},[606,21529,14493],{"class":629},[606,21531,21532],{"class":622},":443",[606,21534,14499],{"class":629},[606,21536,21537],{"class":608,"line":875},[606,21538,647],{"emptyLinePlaceholder":14},[606,21540,21541,21544],{"class":608,"line":889},[606,21542,21543],{"class":1601},"certificatesResolvers",[606,21545,1630],{"class":629},[606,21547,21548,21551],{"class":608,"line":898},[606,21549,21550],{"class":1601},"  letsencrypt",[606,21552,1630],{"class":629},[606,21554,21555,21558],{"class":608,"line":912},[606,21556,21557],{"class":1601},"    acme",[606,21559,1630],{"class":629},[606,21561,21562,21565,21567],{"class":608,"line":917},[606,21563,21564],{"class":1601},"      email",[606,21566,1605],{"class":629},[606,21568,21569],{"class":622}," your-email@example.com\n",[606,21571,21572,21575,21577],{"class":608,"line":923},[606,21573,21574],{"class":1601},"      storage",[606,21576,1605],{"class":629},[606,21578,21579],{"class":622}," \u002Fletsencrypt\u002Facme.json\n",[606,21581,21582,21585],{"class":608,"line":939},[606,21583,21584],{"class":1601},"      httpChallenge",[606,21586,1630],{"class":629},[606,21588,21589,21591,21593],{"class":608,"line":953},[606,21590,21492],{"class":1601},[606,21592,1605],{"class":629},[606,21594,21408],{"class":622},[606,21596,21597],{"class":608,"line":1116},[606,21598,647],{"emptyLinePlaceholder":14},[606,21600,21601,21604],{"class":608,"line":1136},[606,21602,21603],{"class":1601},"providers",[606,21605,1630],{"class":629},[606,21607,21608,21611],{"class":608,"line":1146},[606,21609,21610],{"class":1601},"  docker",[606,21612,1630],{"class":629},[606,21614,21615,21618,21620],{"class":608,"line":1155},[606,21616,21617],{"class":1601},"    
exposedByDefault",[606,21619,1605],{"class":629},[606,21621,1909],{"class":1908},[606,21623,21624,21627,21629],{"class":608,"line":1165},[606,21625,21626],{"class":1601},"    network",[606,21628,1605],{"class":629},[606,21630,21408],{"class":622},[56,21632,21633,21634,1605],{},"Create the Traefik ",[554,21635,21636],{},"docker-compose.yml",[598,21638,21640],{"className":1592,"code":21639,"language":1594,"meta":490,"style":490},"services:\n  traefik:\n    image: traefik:v3.6\n    container_name: traefik\n    restart: always\n    ports:\n      - '80:80'\n      - '443:443'\n    volumes:\n      - .\u002Ftraefik.yml:\u002Fetc\u002Ftraefik\u002Ftraefik.yml:ro\n      - .\u002Fletsencrypt:\u002Fletsencrypt\n      - \u002Fvar\u002Frun\u002Fdocker.sock:\u002Fvar\u002Frun\u002Fdocker.sock:ro\n    networks:\n      - web\n\nnetworks:\n  web:\n    external: true\n",[554,21641,21642,21648,21655,21664,21674,21684,21690,21701,21712,21718,21725,21732,21739,21746,21752,21756,21763,21769],{"__ignoreMap":490},[606,21643,21644,21646],{"class":608,"line":609},[606,21645,2352],{"class":1601},[606,21647,1630],{"class":629},[606,21649,21650,21653],{"class":608,"line":491},[606,21651,21652],{"class":1601},"  traefik",[606,21654,1630],{"class":629},[606,21656,21657,21659,21661],{"class":608,"line":499},[606,21658,2366],{"class":1601},[606,21660,1605],{"class":629},[606,21662,21663],{"class":622}," traefik:v3.6\n",[606,21665,21666,21669,21671],{"class":608,"line":650},[606,21667,21668],{"class":1601},"    container_name",[606,21670,1605],{"class":629},[606,21672,21673],{"class":622}," traefik\n",[606,21675,21676,21679,21681],{"class":608,"line":672},[606,21677,21678],{"class":1601},"    restart",[606,21680,1605],{"class":629},[606,21682,21683],{"class":622}," 
always\n",[606,21685,21686,21688],{"class":608,"line":688},[606,21687,2376],{"class":1601},[606,21689,1630],{"class":629},[606,21691,21692,21694,21696,21699],{"class":608,"line":699},[606,21693,1888],{"class":629},[606,21695,14493],{"class":629},[606,21697,21698],{"class":622},"80:80",[606,21700,14499],{"class":629},[606,21702,21703,21705,21707,21710],{"class":608,"line":709},[606,21704,1888],{"class":629},[606,21706,14493],{"class":629},[606,21708,21709],{"class":622},"443:443",[606,21711,14499],{"class":629},[606,21713,21714,21716],{"class":608,"line":720},[606,21715,2447],{"class":1601},[606,21717,1630],{"class":629},[606,21719,21720,21722],{"class":608,"line":859},[606,21721,1888],{"class":629},[606,21723,21724],{"class":622}," .\u002Ftraefik.yml:\u002Fetc\u002Ftraefik\u002Ftraefik.yml:ro\n",[606,21726,21727,21729],{"class":608,"line":875},[606,21728,1888],{"class":629},[606,21730,21731],{"class":622}," .\u002Fletsencrypt:\u002Fletsencrypt\n",[606,21733,21734,21736],{"class":608,"line":889},[606,21735,1888],{"class":629},[606,21737,21738],{"class":622}," \u002Fvar\u002Frun\u002Fdocker.sock:\u002Fvar\u002Frun\u002Fdocker.sock:ro\n",[606,21740,21741,21744],{"class":608,"line":898},[606,21742,21743],{"class":1601},"    networks",[606,21745,1630],{"class":629},[606,21747,21748,21750],{"class":608,"line":912},[606,21749,1888],{"class":629},[606,21751,21408],{"class":622},[606,21753,21754],{"class":608,"line":917},[606,21755,647],{"emptyLinePlaceholder":14},[606,21757,21758,21761],{"class":608,"line":923},[606,21759,21760],{"class":1601},"networks",[606,21762,1630],{"class":629},[606,21764,21765,21767],{"class":608,"line":939},[606,21766,21458],{"class":1601},[606,21768,1630],{"class":629},[606,21770,21771,21774,21776],{"class":608,"line":953},[606,21772,21773],{"class":1601},"    external",[606,21775,1605],{"class":629},[606,21777,14566],{"class":1908},[56,21779,21780],{},"Create the Let's Encrypt storage 
file:",[598,21782,21784],{"className":600,"code":21783,"language":602,"meta":490,"style":490},"mkdir -p letsencrypt\ntouch letsencrypt\u002Facme.json\nchmod 600 letsencrypt\u002Facme.json\n",[554,21785,21786,21795,21803],{"__ignoreMap":490},[606,21787,21788,21790,21792],{"class":608,"line":609},[606,21789,619],{"class":618},[606,21791,623],{"class":622},[606,21793,21794],{"class":622}," letsencrypt\n",[606,21796,21797,21800],{"class":608,"line":491},[606,21798,21799],{"class":618},"touch",[606,21801,21802],{"class":622}," letsencrypt\u002Facme.json\n",[606,21804,21805,21808,21811],{"class":608,"line":499},[606,21806,21807],{"class":618},"chmod",[606,21809,21810],{"class":1237}," 600",[606,21812,21802],{"class":622},[56,21814,21815],{},"Start Traefik:",[598,21817,21819],{"className":600,"code":21818,"language":602,"meta":490,"style":490},"docker compose up -d\n",[554,21820,21821],{"__ignoreMap":490},[606,21822,21823,21825,21828,21831],{"class":608,"line":609},[606,21824,653],{"class":618},[606,21826,21827],{"class":622}," compose",[606,21829,21830],{"class":622}," up",[606,21832,21833],{"class":622}," -d\n",[71,21835,21837],{"id":21836},"step-4-set-up-docmost","Step 4: Set Up Docmost",[56,21839,21840],{},"Navigate back to the Docmost directory:",[598,21842,21844],{"className":600,"code":21843,"language":602,"meta":490,"style":490},"cd ~\u002Fdocmost\n",[554,21845,21846],{"__ignoreMap":490},[606,21847,21848,21850],{"class":608,"line":609},[606,21849,21383],{"class":21382},[606,21851,21377],{"class":622},[56,21853,21854],{},"Generate a secure secret key for your application:",[598,21856,21858],{"className":600,"code":21857,"language":602,"meta":490,"style":490},"openssl rand -hex 32\n",[554,21859,21860],{"__ignoreMap":490},[606,21861,21862,21865,21868,21871],{"class":608,"line":609},[606,21863,21864],{"class":618},"openssl",[606,21866,21867],{"class":622}," rand",[606,21869,21870],{"class":622}," -hex",[606,21872,21873],{"class":1237}," 
32\n",[56,21875,21876,21877,21879],{},"Create the ",[554,21878,21636],{}," for Docmost:",[598,21881,21883],{"className":1592,"code":21882,"language":1594,"meta":490,"style":490},"services:\n  docmost:\n    image: docmost\u002Fdocmost:latest\n    depends_on:\n      - db\n      - redis\n    environment:\n      APP_URL: 'https:\u002F\u002Fdocs.your-domain.de'\n      APP_SECRET: 'REPLACE_WITH_LONG_SECRET'\n      DATABASE_URL: 'postgresql:\u002F\u002Fdocmost:STRONG_DB_PASSWORD@db:5432\u002Fdocmost?schema=public'\n      REDIS_URL: 'redis:\u002F\u002Fredis:6379'\n    restart: unless-stopped\n    volumes:\n      - docmost:\u002Fapp\u002Fdata\u002Fstorage\n    networks:\n      - web\n      - internal\n    labels:\n      - 'traefik.enable=true'\n      - 'traefik.http.routers.docmost.rule=Host(`docs.your-domain.de`)'\n      - 'traefik.http.routers.docmost.entrypoints=websecure'\n      - 'traefik.http.routers.docmost.tls.certresolver=letsencrypt'\n      - 'traefik.http.services.docmost.loadbalancer.server.port=3000'\n\n  db:\n    image: postgres:16-alpine\n    environment:\n      POSTGRES_DB: docmost\n      POSTGRES_USER: docmost\n      POSTGRES_PASSWORD: STRONG_DB_PASSWORD\n    restart: unless-stopped\n    volumes:\n      - db_data:\u002Fvar\u002Flib\u002Fpostgresql\u002Fdata\n    networks:\n      - internal\n\n  redis:\n    image: redis:7.2-alpine\n    restart: unless-stopped\n    volumes:\n      - redis_data:\u002Fdata\n    networks:\n      - internal\n\nvolumes:\n  docmost:\n  db_data:\n  redis_data:\n\nnetworks:\n  web:\n    external: true\n  
internal:\n",[554,21884,21885,21891,21898,21907,21913,21919,21926,21932,21946,21960,21973,21987,21996,22002,22009,22015,22021,22028,22035,22046,22057,22068,22079,22090,22094,22100,22109,22115,22125,22134,22143,22151,22157,22165,22172,22179,22184,22192,22202,22211,22218,22226,22233,22240,22245,22252,22259,22267,22275,22280,22287,22294,22303],{"__ignoreMap":490},[606,21886,21887,21889],{"class":608,"line":609},[606,21888,2352],{"class":1601},[606,21890,1630],{"class":629},[606,21892,21893,21896],{"class":608,"line":491},[606,21894,21895],{"class":1601},"  docmost",[606,21897,1630],{"class":629},[606,21899,21900,21902,21904],{"class":608,"line":499},[606,21901,2366],{"class":1601},[606,21903,1605],{"class":629},[606,21905,21906],{"class":622}," docmost\u002Fdocmost:latest\n",[606,21908,21909,21911],{"class":608,"line":650},[606,21910,2413],{"class":1601},[606,21912,1630],{"class":629},[606,21914,21915,21917],{"class":608,"line":672},[606,21916,1888],{"class":629},[606,21918,2422],{"class":622},[606,21920,21921,21923],{"class":608,"line":688},[606,21922,1888],{"class":629},[606,21924,21925],{"class":622}," redis\n",[606,21927,21928,21930],{"class":608,"line":699},[606,21929,2396],{"class":1601},[606,21931,1630],{"class":629},[606,21933,21934,21937,21939,21941,21944],{"class":608,"line":709},[606,21935,21936],{"class":1601},"      APP_URL",[606,21938,1605],{"class":629},[606,21940,14493],{"class":629},[606,21942,21943],{"class":622},"https:\u002F\u002Fdocs.your-domain.de",[606,21945,14499],{"class":629},[606,21947,21948,21951,21953,21955,21958],{"class":608,"line":720},[606,21949,21950],{"class":1601},"      
APP_SECRET",[606,21952,1605],{"class":629},[606,21954,14493],{"class":629},[606,21956,21957],{"class":622},"REPLACE_WITH_LONG_SECRET",[606,21959,14499],{"class":629},[606,21961,21962,21964,21966,21968,21971],{"class":608,"line":859},[606,21963,2403],{"class":1601},[606,21965,1605],{"class":629},[606,21967,14493],{"class":629},[606,21969,21970],{"class":622},"postgresql:\u002F\u002Fdocmost:STRONG_DB_PASSWORD@db:5432\u002Fdocmost?schema=public",[606,21972,14499],{"class":629},[606,21974,21975,21978,21980,21982,21985],{"class":608,"line":875},[606,21976,21977],{"class":1601},"      REDIS_URL",[606,21979,1605],{"class":629},[606,21981,14493],{"class":629},[606,21983,21984],{"class":622},"redis:\u002F\u002Fredis:6379",[606,21986,14499],{"class":629},[606,21988,21989,21991,21993],{"class":608,"line":889},[606,21990,21678],{"class":1601},[606,21992,1605],{"class":629},[606,21994,21995],{"class":622}," unless-stopped\n",[606,21997,21998,22000],{"class":608,"line":898},[606,21999,2447],{"class":1601},[606,22001,1630],{"class":629},[606,22003,22004,22006],{"class":608,"line":912},[606,22005,1888],{"class":629},[606,22007,22008],{"class":622}," docmost:\u002Fapp\u002Fdata\u002Fstorage\n",[606,22010,22011,22013],{"class":608,"line":917},[606,22012,21743],{"class":1601},[606,22014,1630],{"class":629},[606,22016,22017,22019],{"class":608,"line":923},[606,22018,1888],{"class":629},[606,22020,21408],{"class":622},[606,22022,22023,22025],{"class":608,"line":939},[606,22024,1888],{"class":629},[606,22026,22027],{"class":622}," internal\n",[606,22029,22030,22033],{"class":608,"line":953},[606,22031,22032],{"class":1601},"    
labels",[606,22034,1630],{"class":629},[606,22036,22037,22039,22041,22044],{"class":608,"line":1116},[606,22038,1888],{"class":629},[606,22040,14493],{"class":629},[606,22042,22043],{"class":622},"traefik.enable=true",[606,22045,14499],{"class":629},[606,22047,22048,22050,22052,22055],{"class":608,"line":1136},[606,22049,1888],{"class":629},[606,22051,14493],{"class":629},[606,22053,22054],{"class":622},"traefik.http.routers.docmost.rule=Host(`docs.your-domain.de`)",[606,22056,14499],{"class":629},[606,22058,22059,22061,22063,22066],{"class":608,"line":1146},[606,22060,1888],{"class":629},[606,22062,14493],{"class":629},[606,22064,22065],{"class":622},"traefik.http.routers.docmost.entrypoints=websecure",[606,22067,14499],{"class":629},[606,22069,22070,22072,22074,22077],{"class":608,"line":1155},[606,22071,1888],{"class":629},[606,22073,14493],{"class":629},[606,22075,22076],{"class":622},"traefik.http.routers.docmost.tls.certresolver=letsencrypt",[606,22078,14499],{"class":629},[606,22080,22081,22083,22085,22088],{"class":608,"line":1165},[606,22082,1888],{"class":629},[606,22084,14493],{"class":629},[606,22086,22087],{"class":622},"traefik.http.services.docmost.loadbalancer.server.port=3000",[606,22089,14499],{"class":629},[606,22091,22092],{"class":608,"line":1171},[606,22093,647],{"emptyLinePlaceholder":14},[606,22095,22096,22098],{"class":608,"line":1176},[606,22097,2431],{"class":1601},[606,22099,1630],{"class":629},[606,22101,22102,22104,22106],{"class":608,"line":1182},[606,22103,2366],{"class":1601},[606,22105,1605],{"class":629},[606,22107,22108],{"class":622}," postgres:16-alpine\n",[606,22110,22111,22113],{"class":608,"line":1200},[606,22112,2396],{"class":1601},[606,22114,1630],{"class":629},[606,22116,22117,22120,22122],{"class":608,"line":1205},[606,22118,22119],{"class":1601},"      POSTGRES_DB",[606,22121,1605],{"class":629},[606,22123,22124],{"class":622}," 
docmost\n",[606,22126,22127,22130,22132],{"class":608,"line":1211},[606,22128,22129],{"class":1601},"      POSTGRES_USER",[606,22131,1605],{"class":629},[606,22133,22124],{"class":622},[606,22135,22136,22138,22140],{"class":608,"line":1253},[606,22137,2467],{"class":1601},[606,22139,1605],{"class":629},[606,22141,22142],{"class":622}," STRONG_DB_PASSWORD\n",[606,22144,22145,22147,22149],{"class":608,"line":1258},[606,22146,21678],{"class":1601},[606,22148,1605],{"class":629},[606,22150,21995],{"class":622},[606,22152,22153,22155],{"class":608,"line":1264},[606,22154,2447],{"class":1601},[606,22156,1630],{"class":629},[606,22158,22160,22162],{"class":608,"line":22159},33,[606,22161,1888],{"class":629},[606,22163,22164],{"class":622}," db_data:\u002Fvar\u002Flib\u002Fpostgresql\u002Fdata\n",[606,22166,22168,22170],{"class":608,"line":22167},34,[606,22169,21743],{"class":1601},[606,22171,1630],{"class":629},[606,22173,22175,22177],{"class":608,"line":22174},35,[606,22176,1888],{"class":629},[606,22178,22027],{"class":622},[606,22180,22182],{"class":608,"line":22181},36,[606,22183,647],{"emptyLinePlaceholder":14},[606,22185,22187,22190],{"class":608,"line":22186},37,[606,22188,22189],{"class":1601},"  redis",[606,22191,1630],{"class":629},[606,22193,22195,22197,22199],{"class":608,"line":22194},38,[606,22196,2366],{"class":1601},[606,22198,1605],{"class":629},[606,22200,22201],{"class":622}," redis:7.2-alpine\n",[606,22203,22205,22207,22209],{"class":608,"line":22204},39,[606,22206,21678],{"class":1601},[606,22208,1605],{"class":629},[606,22210,21995],{"class":622},[606,22212,22214,22216],{"class":608,"line":22213},40,[606,22215,2447],{"class":1601},[606,22217,1630],{"class":629},[606,22219,22221,22223],{"class":608,"line":22220},41,[606,22222,1888],{"class":629},[606,22224,22225],{"class":622}," 
redis_data:\u002Fdata\n",[606,22227,22229,22231],{"class":608,"line":22228},42,[606,22230,21743],{"class":1601},[606,22232,1630],{"class":629},[606,22234,22236,22238],{"class":608,"line":22235},43,[606,22237,1888],{"class":629},[606,22239,22027],{"class":622},[606,22241,22243],{"class":608,"line":22242},44,[606,22244,647],{"emptyLinePlaceholder":14},[606,22246,22248,22250],{"class":608,"line":22247},45,[606,22249,2481],{"class":1601},[606,22251,1630],{"class":629},[606,22253,22255,22257],{"class":608,"line":22254},46,[606,22256,21895],{"class":1601},[606,22258,1630],{"class":629},[606,22260,22262,22265],{"class":608,"line":22261},47,[606,22263,22264],{"class":1601},"  db_data",[606,22266,1630],{"class":629},[606,22268,22270,22273],{"class":608,"line":22269},48,[606,22271,22272],{"class":1601},"  redis_data",[606,22274,1630],{"class":629},[606,22276,22278],{"class":608,"line":22277},49,[606,22279,647],{"emptyLinePlaceholder":14},[606,22281,22283,22285],{"class":608,"line":22282},50,[606,22284,21760],{"class":1601},[606,22286,1630],{"class":629},[606,22288,22290,22292],{"class":608,"line":22289},51,[606,22291,21458],{"class":1601},[606,22293,1630],{"class":629},[606,22295,22297,22299,22301],{"class":608,"line":22296},52,[606,22298,21773],{"class":1601},[606,22300,1605],{"class":629},[606,22302,14566],{"class":1908},[606,22304,22306,22309],{"class":608,"line":22305},53,[606,22307,22308],{"class":1601},"  internal",[606,22310,1630],{"class":629},[56,22312,22313,22314,22316,22317,1842,22320,22323],{},"Replace ",[554,22315,21957],{}," with the secret key you generated using ",[554,22318,22319],{},"openssl rand -hex 32",[554,22321,22322],{},"STRONG_DB_PASSWORD"," with a secure database password (you can generate one the same way).",[71,22325,22327],{"id":22326},"step-5-configure-dns","Step 5: Configure DNS",[56,22329,22330],{},"Before starting Docmost, make sure your DNS is configured:",[3976,22332,22333,22336,22347],{},[106,22334,22335],{},"Log into your domain 
registrar",[106,22337,22338,22339,22342,22343,22346],{},"Create an ",[109,22340,22341],{},"A record"," pointing ",[554,22344,22345],{},"docs.your-domain.de"," to your server's IP address",[106,22348,22349],{},"Wait for DNS propagation (usually a few minutes)",[71,22351,22353],{"id":22352},"step-6-launch-docmost","Step 6: Launch Docmost",[56,22355,22356],{},"Start all services:",[598,22358,22359],{"className":600,"code":21818,"language":602,"meta":490,"style":490},[554,22360,22361],{"__ignoreMap":490},[606,22362,22363,22365,22367,22369],{"class":608,"line":609},[606,22364,653],{"class":618},[606,22366,21827],{"class":622},[606,22368,21830],{"class":622},[606,22370,21833],{"class":622},[56,22372,22373],{},"Check if everything is running:",[598,22375,22377],{"className":600,"code":22376,"language":602,"meta":490,"style":490},"docker compose ps\n",[554,22378,22379],{"__ignoreMap":490},[606,22380,22381,22383,22385],{"class":608,"line":609},[606,22382,653],{"class":618},[606,22384,21827],{"class":622},[606,22386,22387],{"class":622}," ps\n",[56,22389,22390],{},"You should see all three containers (docmost, db, redis) in a \"running\" state.",[71,22392,22394],{"id":22393},"step-7-initial-setup","Step 7: Initial Setup",[56,22396,22397,22398,22400],{},"Open ",[554,22399,21943],{}," in your browser. 
You'll be greeted by the Docmost setup wizard:",[3976,22402,22403,22406,22409],{},[106,22404,22405],{},"Create your admin account",[106,22407,22408],{},"Set up your first workspace",[106,22410,22411],{},"Start documenting!",[71,22413,22415],{"id":22414},"maintenance","Maintenance",[187,22417,22419],{"id":22418},"updating-docmost","Updating Docmost",[56,22421,22422],{},"To update to the latest version:",[598,22424,22426],{"className":600,"code":22425,"language":602,"meta":490,"style":490},"cd ~\u002Fdocmost\ndocker compose pull\ndocker compose up -d\n",[554,22427,22428,22434,22443],{"__ignoreMap":490},[606,22429,22430,22432],{"class":608,"line":609},[606,22431,21383],{"class":21382},[606,22433,21377],{"class":622},[606,22435,22436,22438,22440],{"class":608,"line":491},[606,22437,653],{"class":618},[606,22439,21827],{"class":622},[606,22441,22442],{"class":622}," pull\n",[606,22444,22445,22447,22449,22451],{"class":608,"line":499},[606,22446,653],{"class":618},[606,22448,21827],{"class":622},[606,22450,21830],{"class":622},[606,22452,21833],{"class":622},[71,22454,22456],{"id":22455},"security-best-practices","Security Best Practices",[3976,22458,22459,22465,22471],{},[106,22460,22461,22464],{},[109,22462,22463],{},"Use strong passwords",": Generate random passwords for the database and APP_SECRET",[106,22466,22467,22470],{},[109,22468,22469],{},"Enable firewall",": Only expose ports 80 and 443",[106,22472,22473,22476],{},[109,22474,22475],{},"Regular updates",": Keep Docker images up to date",[71,22478,22480],{"id":22479},"the-easier-way-deploy-with-lowcloud","The Easier Way: Deploy with lowcloud",[56,22482,22483],{},"While this tutorial gives you full control, setting up Docmost manually requires:",[103,22485,22486,22489,22492],{},[106,22487,22488],{},"Server provisioning and SSH configuration",[106,22490,22491],{},"Docker installation and management",[106,22493,22494],{},"Traefik configuration for SSL",[56,22496,22497],{},[109,22498,22499],{},"What if all of this 
could be automated?",[56,22501,2493,22502,22504],{},[109,22503,299],{},", you can deploy Docmost – or any application with a Docker Compose file – with just a few clicks:",[3976,22506,22507,22513,22521],{},[106,22508,22509,22512],{},[109,22510,22511],{},"Connect your Hetzner account"," – link your infrastructure with an API token",[106,22514,22515,22518,22519],{},[109,22516,22517],{},"Configure your compose service"," – paste your ",[554,22520,21636],{},[106,22522,22523,22526],{},[109,22524,22525],{},"Hit deploy"," – lowcloud handles the rest",[56,22528,22529],{},"lowcloud automatically provisions your VM, sets up the reverse proxy with SSL, and keeps everything updated. Whether it's Docmost, n8n, or your own custom stack – if it runs with Docker Compose, lowcloud can deploy it. Your data stays on your own server in Germany, fully GDPR-compliant.",[56,22531,22532,22535],{},[109,22533,22534],{},"The result",": All the benefits of self-hosting without the DevOps overhead.",[56,22537,22538,22539,22544],{},"Ready to simplify your deployment workflow? ",[60,22540,22543],{"href":22541,":target":21297,"rel":22542},"https:\u002F\u002Fapp.lowcloud.de",[64],"Get started with lowcloud"," and deploy Docmost in under 10 minutes.",[479,22546],{},[56,22548,22549],{},[2186,22550,22551,22552,22557],{},"For more information about Docmost, visit the ",[60,22553,22556],{"href":22554,":target":21297,"rel":22555},"https:\u002F\u002Fdocmost.com\u002Fdocs",[64],"official documentation",". Questions about deployment? 
The lowcloud team is happy to help.",[1499,22559,22560],{},"",{"title":490,"searchDepth":491,"depth":491,"links":22562},[22563,22566,22567,22568,22569,22570,22571,22572,22573,22574,22575,22578,22579],{"id":21203,"depth":491,"text":21204,"children":22564},[22565],{"id":21242,"depth":499,"text":21243},{"id":21269,"depth":491,"text":21270},{"id":21314,"depth":491,"text":21315},{"id":21359,"depth":491,"text":21360},{"id":21388,"depth":491,"text":21389},{"id":21411,"depth":491,"text":21412},{"id":21836,"depth":491,"text":21837},{"id":22326,"depth":491,"text":22327},{"id":22352,"depth":491,"text":22353},{"id":22393,"depth":491,"text":22394},{"id":22414,"depth":491,"text":22415,"children":22576},[22577],{"id":22418,"depth":499,"text":22419},{"id":22455,"depth":491,"text":22456},{"id":22479,"depth":491,"text":22480},"2026-01-14","Learn how to self-host Docmost on your own server using Docker Compose and Traefik as a reverse proxy. 
A step-by-step tutorial for GDPR-compliant documentation.",{"src":22583},"\u002Fimages\u002Fblog\u002Fself_host_docmost_with_docker_and_traefik.jpeg",{},"\u002Fen\u002Fblog\u002Fself-host-docmost-with-docker-and-traefik",{"title":21181,"description":22581},"en\u002F3.blog\u002F5.self-host-docmost-with-docker-and-traefik","-Sl-lY1wQpnLxT4ZlwNDXZeLvj95EOvutTqgX_IvXu0",{"id":22590,"title":22591,"authors":22592,"badge":10,"body":22595,"date":23789,"description":23790,"extension":510,"image":23791,"lastUpdated":3942,"meta":23793,"navigation":14,"path":2333,"published":14,"seo":23794,"stem":23795,"tags":23796,"__hash__":23797},"posts\u002Fen\u002F3.blog\u002F4.docker-compose-for-beginners.md","Docker Compose Tutorial: Managing Multi-Container Apps Made Easy",[22593],{"name":13,"to":523,"avatar":22594},{"src":8},{"type":48,"value":22596,"toc":23773},[22597,22601,22608,22611,22620,22626,22630,22637,22643,22648,22656,22660,22663,22667,22680,22684,22691,22695,22698,22701,22887,22896,22900,22903,22908,22921,22927,22932,22943,22946,22951,22965,22968,22973,22985,22988,22993,23009,23012,23016,23026,23036,23062,23067,23084,23088,23091,23100,23106,23122,23128,23132,23135,23378,23381,23491,23495,23500,23514,23517,23532,23538,23542,23587,23591,23594,23691,23695,23698,23703,23729,23732,23737,23763,23765,23770],[51,22598,22600],{"id":22599},"docker-compose-tutorial-for-beginners","Docker Compose Tutorial for Beginners",[56,22602,22603,22604,22607],{},"In our ",[60,22605,22606],{"href":2179},"last article",", we looked at how Docker works under the hood. We learned what images are, how the daemon operates, and how to start a single container.",[56,22609,22610],{},"But let's be honest: Modern web applications are rarely solo acts.",[56,22612,22613,22614,22616,22617,22619],{},"A typical app often consists of a frontend, a backend service, a database like ",[60,22615,3635],{"href":3634},", and maybe a caching layer like Redis. 
If you try to juggle all of this with individual ",[554,22618,2160],{}," commands in the terminal, you'll quickly lose track. You'd have to manually create networks, manage IP addresses, and pay attention to startup order.",[56,22621,22622,22623,22625],{},"This is exactly where ",[109,22624,2625],{}," comes into play.",[71,22627,22629],{"id":22628},"what-is-docker-compose","What is Docker Compose?",[56,22631,22632,22633,22636],{},"Docker Compose is a tool for multi-container applications. If the ",[554,22634,22635],{},"Dockerfile"," is the recipe for a single component (like a cake), then Docker Compose is the menu for the entire 3-course meal.",[56,22638,22639,22640,22642],{},"With a single file, the ",[554,22641,21636],{},", you describe your complete infrastructure. The genius part: You can spin up your entire environment with a single command.",[56,22644,22645],{},[109,22646,22647],{},"Why is this especially important for selfhosting?",[56,22649,22650,22651,22655],{},"If you want to host your own services on a VPS, you need a solution that manages multiple containers simultaneously. Without Docker Compose, things get messy fast. With Docker Compose, you have everything under control. Whether you're running Nextcloud, GitLab, ",[60,22652,22654],{"href":22653},"\u002Fen\u002Fblog\u002Fself-hosted-n8n-on-hetzner","n8n",", or a WordPress instance.",[71,22657,22659],{"id":22658},"the-anatomy-of-docker-composeyml","The Anatomy of docker-compose.yml",[56,22661,22662],{},"Docker Compose uses YAML. This is a format that's readable for both humans and machines. Let's look at the most important building blocks.",[187,22664,22666],{"id":22665},"services-the-individual-containers","Services: The Individual Containers",[56,22668,22669,22670,22672,22673,2283,22676,22679],{},"Under ",[554,22671,2352],{}," you define the containers that should run. 
Each service gets a name (like ",[554,22674,22675],{},"web",[554,22677,22678],{},"db","), which you can later use for internal communication.",[187,22681,22683],{"id":22682},"networks-simple-networking","Networks: Simple Networking",[56,22685,22686,22687,22690],{},"Container networking used to be complicated. With Docker Compose, it's almost magical. Services in the same network can reach each other via their service name. You don't have to hardcode IP addresses anymore. Your backend simply calls ",[554,22688,22689],{},"db:5432",", and Docker routes it to the database container.",[187,22692,22694],{"id":22693},"volumes-persistent-data","Volumes: Persistent Data",[56,22696,22697],{},"Containers are ephemeral. When you delete a database container, the data is gone. Unless you use volumes. In the Compose file, you define where data should be persistently stored on your host system.",[56,22699,22700],{},"Here's a practical example for a setup with a web app and database:",[598,22702,22704],{"className":1592,"code":22703,"language":1594,"meta":490,"style":490},"version: '3.8'\n\nservices:\n  webapp:\n    build: .\u002Fapp\n    ports:\n      - '8080:80'\n    depends_on:\n      - database\n    environment:\n      - DB_HOST=database\n      - DB_USER=${DB_USER}\n      - DB_PASS=${DB_PASSWORD}\n    restart: unless-stopped\n\n  database:\n    image: postgres:15-alpine\n    volumes:\n      - db_data:\u002Fvar\u002Flib\u002Fpostgresql\u002Fdata\n    environment:\n      - POSTGRES_USER=${DB_USER}\n      - POSTGRES_PASSWORD=${DB_PASSWORD}\n    restart: unless-stopped\n\nvolumes:\n  
db_data:\n",[554,22705,22706,22719,22723,22729,22736,22746,22752,22763,22769,22776,22782,22789,22796,22803,22811,22815,22822,22831,22837,22843,22849,22856,22863,22871,22875,22881],{"__ignoreMap":490},[606,22707,22708,22710,22712,22714,22717],{"class":608,"line":609},[606,22709,2955],{"class":1601},[606,22711,1605],{"class":629},[606,22713,14493],{"class":629},[606,22715,22716],{"class":622},"3.8",[606,22718,14499],{"class":629},[606,22720,22721],{"class":608,"line":491},[606,22722,647],{"emptyLinePlaceholder":14},[606,22724,22725,22727],{"class":608,"line":499},[606,22726,2352],{"class":1601},[606,22728,1630],{"class":629},[606,22730,22731,22734],{"class":608,"line":650},[606,22732,22733],{"class":1601},"  webapp",[606,22735,1630],{"class":629},[606,22737,22738,22741,22743],{"class":608,"line":672},[606,22739,22740],{"class":1601},"    build",[606,22742,1605],{"class":629},[606,22744,22745],{"class":622}," .\u002Fapp\n",[606,22747,22748,22750],{"class":608,"line":688},[606,22749,2376],{"class":1601},[606,22751,1630],{"class":629},[606,22753,22754,22756,22758,22761],{"class":608,"line":699},[606,22755,1888],{"class":629},[606,22757,14493],{"class":629},[606,22759,22760],{"class":622},"8080:80",[606,22762,14499],{"class":629},[606,22764,22765,22767],{"class":608,"line":709},[606,22766,2413],{"class":1601},[606,22768,1630],{"class":629},[606,22770,22771,22773],{"class":608,"line":720},[606,22772,1888],{"class":629},[606,22774,22775],{"class":622}," database\n",[606,22777,22778,22780],{"class":608,"line":859},[606,22779,2396],{"class":1601},[606,22781,1630],{"class":629},[606,22783,22784,22786],{"class":608,"line":875},[606,22785,1888],{"class":629},[606,22787,22788],{"class":622}," DB_HOST=database\n",[606,22790,22791,22793],{"class":608,"line":889},[606,22792,1888],{"class":629},[606,22794,22795],{"class":622}," DB_USER=${DB_USER}\n",[606,22797,22798,22800],{"class":608,"line":898},[606,22799,1888],{"class":629},[606,22801,22802],{"class":622}," 
DB_PASS=${DB_PASSWORD}\n",[606,22804,22805,22807,22809],{"class":608,"line":912},[606,22806,21678],{"class":1601},[606,22808,1605],{"class":629},[606,22810,21995],{"class":622},[606,22812,22813],{"class":608,"line":917},[606,22814,647],{"emptyLinePlaceholder":14},[606,22816,22817,22820],{"class":608,"line":923},[606,22818,22819],{"class":1601},"  database",[606,22821,1630],{"class":629},[606,22823,22824,22826,22828],{"class":608,"line":939},[606,22825,2366],{"class":1601},[606,22827,1605],{"class":629},[606,22829,22830],{"class":622}," postgres:15-alpine\n",[606,22832,22833,22835],{"class":608,"line":953},[606,22834,2447],{"class":1601},[606,22836,1630],{"class":629},[606,22838,22839,22841],{"class":608,"line":1116},[606,22840,1888],{"class":629},[606,22842,22164],{"class":622},[606,22844,22845,22847],{"class":608,"line":1136},[606,22846,2396],{"class":1601},[606,22848,1630],{"class":629},[606,22850,22851,22853],{"class":608,"line":1146},[606,22852,1888],{"class":629},[606,22854,22855],{"class":622}," POSTGRES_USER=${DB_USER}\n",[606,22857,22858,22860],{"class":608,"line":1155},[606,22859,1888],{"class":629},[606,22861,22862],{"class":622}," POSTGRES_PASSWORD=${DB_PASSWORD}\n",[606,22864,22865,22867,22869],{"class":608,"line":1165},[606,22866,21678],{"class":1601},[606,22868,1605],{"class":629},[606,22870,21995],{"class":622},[606,22872,22873],{"class":608,"line":1171},[606,22874,647],{"emptyLinePlaceholder":14},[606,22876,22877,22879],{"class":608,"line":1176},[606,22878,2481],{"class":1601},[606,22880,1630],{"class":629},[606,22882,22883,22885],{"class":608,"line":1182},[606,22884,22264],{"class":1601},[606,22886,1630],{"class":629},[56,22888,22889],{},[2186,22890,22891,22892,22895],{},"Note: The variables like ",[554,22893,22894],{},"${DB_USER}"," are environment variables. 
More on that in a moment.",[71,22897,22899],{"id":22898},"essential-docker-compose-commands","Essential Docker Compose Commands",[56,22901,22902],{},"Docker Compose makes your workflow extremely efficient. Instead of long shell scripts, you only need a handful of commands:",[56,22904,22905],{},[109,22906,22907],{},"Start containers:",[598,22909,22911],{"className":600,"code":22910,"language":602,"meta":490,"style":490},"docker-compose up -d\n",[554,22912,22913],{"__ignoreMap":490},[606,22914,22915,22917,22919],{"class":608,"line":609},[606,22916,4226],{"class":618},[606,22918,21830],{"class":622},[606,22920,21833],{"class":622},[56,22922,22923,22924,22926],{},"This command reads your configuration, pulls the necessary images, creates networks, and starts all containers in the background (",[554,22925,2252],{}," for detached).",[56,22928,22929],{},[109,22930,22931],{},"Check status:",[598,22933,22935],{"className":600,"code":22934,"language":602,"meta":490,"style":490},"docker-compose ps\n",[554,22936,22937],{"__ignoreMap":490},[606,22938,22939,22941],{"class":608,"line":609},[606,22940,4226],{"class":618},[606,22942,22387],{"class":622},[56,22944,22945],{},"Shows you immediately which services are running, which ports are occupied, and if a container has crashed.",[56,22947,22948],{},[109,22949,22950],{},"View logs:",[598,22952,22954],{"className":600,"code":22953,"language":602,"meta":490,"style":490},"docker-compose logs -f\n",[554,22955,22956],{"__ignoreMap":490},[606,22957,22958,22960,22962],{"class":608,"line":609},[606,22959,4226],{"class":618},[606,22961,20667],{"class":622},[606,22963,22964],{"class":622}," -f\n",[56,22966,22967],{},"Essential for debugging. 
This lets you see the log outputs of all services bundled in one stream.",[56,22969,22970],{},[109,22971,22972],{},"Stop containers:",[598,22974,22976],{"className":600,"code":22975,"language":602,"meta":490,"style":490},"docker-compose down\n",[554,22977,22978],{"__ignoreMap":490},[606,22979,22980,22982],{"class":608,"line":609},[606,22981,4226],{"class":618},[606,22983,22984],{"class":622}," down\n",[56,22986,22987],{},"Stops the containers and cleans up the networks. Clean and tidy.",[56,22989,22990],{},[109,22991,22992],{},"Rebuild containers:",[598,22994,22996],{"className":600,"code":22995,"language":602,"meta":490,"style":490},"docker-compose up -d --build\n",[554,22997,22998],{"__ignoreMap":490},[606,22999,23000,23002,23004,23006],{"class":608,"line":609},[606,23001,4226],{"class":618},[606,23003,21830],{"class":622},[606,23005,659],{"class":622},[606,23007,23008],{"class":622}," --build\n",[56,23010,23011],{},"If you've made changes to your code, this command rebuilds the images and starts the containers.",[71,23013,23015],{"id":23014},"environment-variables-and-security","Environment Variables and Security",[56,23017,23018,23019,23022,23023,23025],{},"In the code example above, we used ",[554,23020,23021],{},"${DB_PASSWORD}",". Hardcoded passwords in a ",[554,23024,11],{}," file are a security risk – especially if you push the code to GitHub.",[56,23027,23028,23029,23032,23033,23035],{},"Docker Compose supports ",[554,23030,23031],{},".env"," files automatically. 
Create a file named ",[554,23034,23031],{}," in the same folder and add the variables:",[598,23037,23039],{"className":600,"code":23038,"language":602,"meta":490,"style":490},"DB_USER=admin\nDB_PASSWORD=supersecret\n",[554,23040,23041,23052],{"__ignoreMap":490},[606,23042,23043,23046,23049],{"class":608,"line":609},[606,23044,23045],{"class":668},"DB_USER",[606,23047,23048],{"class":629},"=",[606,23050,23051],{"class":622},"admin\n",[606,23053,23054,23057,23059],{"class":608,"line":491},[606,23055,23056],{"class":668},"DB_PASSWORD",[606,23058,23048],{"class":629},[606,23060,23061],{"class":622},"supersecret\n",[56,23063,23064],{},[109,23065,23066],{},"Important for security:",[103,23068,23069,23078,23081],{},[106,23070,23071,23072,23074,23075],{},"Add ",[554,23073,23031],{}," to your ",[554,23076,23077],{},".gitignore",[106,23079,23080],{},"Use different passwords on your production server than locally",[106,23082,23083],{},"Never use default passwords like \"admin123\"",[71,23085,23087],{"id":23086},"docker-compose-for-selfhosting-on-your-vps","Docker Compose for Selfhosting on Your VPS",[56,23089,23090],{},"Why is Docker Compose perfect for selfhosting?",[56,23092,23093,23096,23097,23099],{},[109,23094,23095],{},"1. Easy Setup on a VPS","\nYou log in via SSH to your server, upload your ",[554,23098,21636],{},", and start your complete infrastructure with one command.",[56,23101,23102,23105],{},[109,23103,23104],{},"2. Reproducible Environments","\nYour local development looks exactly like your production server. No more \"but it works on my machine!\" problems.",[56,23107,23108,23111,23112,23114,23115,733,23118,23121],{},[109,23109,23110],{},"3. Simple Updates","\nNew version of your app? Change the image tag in the ",[554,23113,21636],{},", run ",[554,23116,23117],{},"docker-compose pull",[554,23119,23120],{},"docker-compose up -d"," – done.",[56,23123,23124,23127],{},[109,23125,23126],{},"4. 
Resource Efficiency","\nOn a VPS with 4GB RAM, you can easily host 5-10 smaller services simultaneously, thanks to the lean container architecture.",[71,23129,23131],{"id":23130},"practical-example-wordpress-with-mysql","Practical Example: WordPress with MySQL",[56,23133,23134],{},"Here's a complete example of how you can selfhost WordPress:",[598,23136,23138],{"className":1592,"code":23137,"language":1594,"meta":490,"style":490},"version: '3.8'\n\nservices:\n  wordpress:\n    image: wordpress:latest\n    ports:\n      - '80:80'\n    environment:\n      WORDPRESS_DB_HOST: db\n      WORDPRESS_DB_USER: ${DB_USER}\n      WORDPRESS_DB_PASSWORD: ${DB_PASSWORD}\n      WORDPRESS_DB_NAME: wordpress\n    volumes:\n      - wordpress_data:\u002Fvar\u002Fwww\u002Fhtml\n    depends_on:\n      - db\n    restart: unless-stopped\n\n  db:\n    image: mysql:8.0\n    environment:\n      MYSQL_DATABASE: wordpress\n      MYSQL_USER: ${DB_USER}\n      MYSQL_PASSWORD: ${DB_PASSWORD}\n      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}\n    volumes:\n      - db_data:\u002Fvar\u002Flib\u002Fmysql\n    restart: unless-stopped\n\nvolumes:\n  wordpress_data:\n  db_data:\n",[554,23139,23140,23152,23156,23162,23169,23178,23184,23194,23200,23209,23219,23229,23239,23245,23252,23258,23264,23272,23276,23282,23291,23297,23306,23315,23324,23334,23340,23347,23355,23359,23365,23372],{"__ignoreMap":490},[606,23141,23142,23144,23146,23148,23150],{"class":608,"line":609},[606,23143,2955],{"class":1601},[606,23145,1605],{"class":629},[606,23147,14493],{"class":629},[606,23149,22716],{"class":622},[606,23151,14499],{"class":629},[606,23153,23154],{"class":608,"line":491},[606,23155,647],{"emptyLinePlaceholder":14},[606,23157,23158,23160],{"class":608,"line":499},[606,23159,2352],{"class":1601},[606,23161,1630],{"class":629},[606,23163,23164,23167],{"class":608,"line":650},[606,23165,23166],{"class":1601},"  
wordpress",[606,23168,1630],{"class":629},[606,23170,23171,23173,23175],{"class":608,"line":672},[606,23172,2366],{"class":1601},[606,23174,1605],{"class":629},[606,23176,23177],{"class":622}," wordpress:latest\n",[606,23179,23180,23182],{"class":608,"line":688},[606,23181,2376],{"class":1601},[606,23183,1630],{"class":629},[606,23185,23186,23188,23190,23192],{"class":608,"line":699},[606,23187,1888],{"class":629},[606,23189,14493],{"class":629},[606,23191,21698],{"class":622},[606,23193,14499],{"class":629},[606,23195,23196,23198],{"class":608,"line":709},[606,23197,2396],{"class":1601},[606,23199,1630],{"class":629},[606,23201,23202,23205,23207],{"class":608,"line":720},[606,23203,23204],{"class":1601},"      WORDPRESS_DB_HOST",[606,23206,1605],{"class":629},[606,23208,2422],{"class":622},[606,23210,23211,23214,23216],{"class":608,"line":859},[606,23212,23213],{"class":1601},"      WORDPRESS_DB_USER",[606,23215,1605],{"class":629},[606,23217,23218],{"class":622}," ${DB_USER}\n",[606,23220,23221,23224,23226],{"class":608,"line":875},[606,23222,23223],{"class":1601},"      WORDPRESS_DB_PASSWORD",[606,23225,1605],{"class":629},[606,23227,23228],{"class":622}," ${DB_PASSWORD}\n",[606,23230,23231,23234,23236],{"class":608,"line":889},[606,23232,23233],{"class":1601},"      WORDPRESS_DB_NAME",[606,23235,1605],{"class":629},[606,23237,23238],{"class":622}," wordpress\n",[606,23240,23241,23243],{"class":608,"line":898},[606,23242,2447],{"class":1601},[606,23244,1630],{"class":629},[606,23246,23247,23249],{"class":608,"line":912},[606,23248,1888],{"class":629},[606,23250,23251],{"class":622}," 
wordpress_data:\u002Fvar\u002Fwww\u002Fhtml\n",[606,23253,23254,23256],{"class":608,"line":917},[606,23255,2413],{"class":1601},[606,23257,1630],{"class":629},[606,23259,23260,23262],{"class":608,"line":923},[606,23261,1888],{"class":629},[606,23263,2422],{"class":622},[606,23265,23266,23268,23270],{"class":608,"line":939},[606,23267,21678],{"class":1601},[606,23269,1605],{"class":629},[606,23271,21995],{"class":622},[606,23273,23274],{"class":608,"line":953},[606,23275,647],{"emptyLinePlaceholder":14},[606,23277,23278,23280],{"class":608,"line":1116},[606,23279,2431],{"class":1601},[606,23281,1630],{"class":629},[606,23283,23284,23286,23288],{"class":608,"line":1136},[606,23285,2366],{"class":1601},[606,23287,1605],{"class":629},[606,23289,23290],{"class":622}," mysql:8.0\n",[606,23292,23293,23295],{"class":608,"line":1146},[606,23294,2396],{"class":1601},[606,23296,1630],{"class":629},[606,23298,23299,23302,23304],{"class":608,"line":1155},[606,23300,23301],{"class":1601},"      MYSQL_DATABASE",[606,23303,1605],{"class":629},[606,23305,23238],{"class":622},[606,23307,23308,23311,23313],{"class":608,"line":1165},[606,23309,23310],{"class":1601},"      MYSQL_USER",[606,23312,1605],{"class":629},[606,23314,23218],{"class":622},[606,23316,23317,23320,23322],{"class":608,"line":1171},[606,23318,23319],{"class":1601},"      MYSQL_PASSWORD",[606,23321,1605],{"class":629},[606,23323,23228],{"class":622},[606,23325,23326,23329,23331],{"class":608,"line":1176},[606,23327,23328],{"class":1601},"      MYSQL_ROOT_PASSWORD",[606,23330,1605],{"class":629},[606,23332,23333],{"class":622}," ${DB_ROOT_PASSWORD}\n",[606,23335,23336,23338],{"class":608,"line":1182},[606,23337,2447],{"class":1601},[606,23339,1630],{"class":629},[606,23341,23342,23344],{"class":608,"line":1200},[606,23343,1888],{"class":629},[606,23345,23346],{"class":622}," 
db_data:\u002Fvar\u002Flib\u002Fmysql\n",[606,23348,23349,23351,23353],{"class":608,"line":1205},[606,23350,21678],{"class":1601},[606,23352,1605],{"class":629},[606,23354,21995],{"class":622},[606,23356,23357],{"class":608,"line":1211},[606,23358,647],{"emptyLinePlaceholder":14},[606,23360,23361,23363],{"class":608,"line":1253},[606,23362,2481],{"class":1601},[606,23364,1630],{"class":629},[606,23366,23367,23370],{"class":608,"line":1258},[606,23368,23369],{"class":1601},"  wordpress_data",[606,23371,1630],{"class":629},[606,23373,23374,23376],{"class":608,"line":1264},[606,23375,22264],{"class":1601},[606,23377,1630],{"class":629},[56,23379,23380],{},"Here's how to start it on your server:",[598,23382,23384],{"className":600,"code":23383,"language":602,"meta":490,"style":490},"# Upload Docker Compose file\nscp docker-compose.yml root@your-server.com:\u002Fopt\u002Fwordpress\u002F\n\n# On the server\nssh root@your-server.com\ncd \u002Fopt\u002Fwordpress\necho \"DB_USER=wpuser\" > .env\necho \"DB_PASSWORD=secure-password\" >> .env\necho \"DB_ROOT_PASSWORD=even-more-secure-password\" >> .env\n\n# Start\ndocker-compose up -d\n",[554,23385,23386,23391,23402,23406,23411,23419,23426,23443,23459,23474,23478,23483],{"__ignoreMap":490},[606,23387,23388],{"class":608,"line":609},[606,23389,23390],{"class":612},"# Upload Docker Compose file\n",[606,23392,23393,23396,23399],{"class":608,"line":491},[606,23394,23395],{"class":618},"scp",[606,23397,23398],{"class":622}," docker-compose.yml",[606,23400,23401],{"class":622}," root@your-server.com:\u002Fopt\u002Fwordpress\u002F\n",[606,23403,23404],{"class":608,"line":499},[606,23405,647],{"emptyLinePlaceholder":14},[606,23407,23408],{"class":608,"line":650},[606,23409,23410],{"class":612},"# On the server\n",[606,23412,23413,23416],{"class":608,"line":672},[606,23414,23415],{"class":618},"ssh",[606,23417,23418],{"class":622}," 
root@your-server.com\n",[606,23420,23421,23423],{"class":608,"line":688},[606,23422,21383],{"class":21382},[606,23424,23425],{"class":622}," \u002Fopt\u002Fwordpress\n",[606,23427,23428,23431,23433,23436,23438,23440],{"class":608,"line":699},[606,23429,23430],{"class":21382},"echo",[606,23432,2385],{"class":629},[606,23434,23435],{"class":622},"DB_USER=wpuser",[606,23437,11414],{"class":629},[606,23439,1017],{"class":629},[606,23441,23442],{"class":622}," .env\n",[606,23444,23445,23447,23449,23452,23454,23457],{"class":608,"line":709},[606,23446,23430],{"class":21382},[606,23448,2385],{"class":629},[606,23450,23451],{"class":622},"DB_PASSWORD=secure-password",[606,23453,11414],{"class":629},[606,23455,23456],{"class":629}," >>",[606,23458,23442],{"class":622},[606,23460,23461,23463,23465,23468,23470,23472],{"class":608,"line":720},[606,23462,23430],{"class":21382},[606,23464,2385],{"class":629},[606,23466,23467],{"class":622},"DB_ROOT_PASSWORD=even-more-secure-password",[606,23469,11414],{"class":629},[606,23471,23456],{"class":629},[606,23473,23442],{"class":622},[606,23475,23476],{"class":608,"line":859},[606,23477,647],{"emptyLinePlaceholder":14},[606,23479,23480],{"class":608,"line":875},[606,23481,23482],{"class":612},"# Start\n",[606,23484,23485,23487,23489],{"class":608,"line":889},[606,23486,4226],{"class":618},[606,23488,21830],{"class":622},[606,23490,21833],{"class":622},[71,23492,23494],{"id":23493},"common-problems-and-solutions","Common Problems and Solutions",[56,23496,23497],{},[109,23498,23499],{},"Problem: Container won't start",[598,23501,23503],{"className":600,"code":23502,"language":602,"meta":490,"style":490},"docker-compose logs service-name\n",[554,23504,23505],{"__ignoreMap":490},[606,23506,23507,23509,23511],{"class":608,"line":609},[606,23508,4226],{"class":618},[606,23510,20667],{"class":622},[606,23512,23513],{"class":622}," service-name\n",[56,23515,23516],{},"Check the logs. 
Usually an environment variable is missing or a volume path doesn't exist.",[56,23518,23519,23522,23523,11110,23525,23528,23529],{},[109,23520,23521],{},"Problem: Port already in use","\nChange the port on the left side of the colon in ",[554,23524,21636],{},[554,23526,23527],{},"\"8080:80\""," instead of ",[554,23530,23531],{},"\"80:80\"",[56,23533,23534,23537],{},[109,23535,23536],{},"Problem: Container can't access other services","\nCheck if all services are in the same network and if the service names are spelled correctly.",[71,23539,23541],{"id":23540},"best-practices-for-docker-compose","Best Practices for Docker Compose",[3976,23543,23544,23553,23566,23575,23581],{},[106,23545,23546,23552],{},[109,23547,23548,23549],{},"Always use ",[554,23550,23551],{},"restart: unless-stopped","\nThis makes your containers start automatically after a server reboot",[106,23554,23555,23558,23559,23561,23562,23565],{},[109,23556,23557],{},"Separate development and production","\nUse separate Compose files: ",[554,23560,21636],{}," for development, ",[554,23563,23564],{},"docker-compose.prod.yml"," for production",[106,23567,23568,23571,23572,23574],{},[109,23569,23570],{},"Manage secrets securely","\nUse ",[554,23573,23031],{}," files for local development and Docker Secrets or environment variables for production",[106,23576,23577,23580],{},[109,23578,23579],{},"Use healthchecks","\nSo Docker automatically checks if your services are actually running",[106,23582,23583,23586],{},[109,23584,23585],{},"Limit resources","\nEspecially important on smaller VPS – prevents one container from consuming all resources",[71,23588,23590],{"id":23589},"from-local-to-production-the-deployment-workflow","From Local to Production: The Deployment Workflow",[56,23592,23593],{},"Here's what a typical workflow looks like:",[3976,23595,23596,23629,23667],{},[106,23597,23598,23601],{},[109,23599,23600],{},"Develop 
locally",[598,23602,23604],{"className":600,"code":23603,"language":602,"meta":490,"style":490},"docker-compose up -d\n# Make code changes, test\ndocker-compose restart webapp\n",[554,23605,23606,23614,23619],{"__ignoreMap":490},[606,23607,23608,23610,23612],{"class":608,"line":609},[606,23609,4226],{"class":618},[606,23611,21830],{"class":622},[606,23613,21833],{"class":622},[606,23615,23616],{"class":608,"line":491},[606,23617,23618],{"class":612},"# Make code changes, test\n",[606,23620,23621,23623,23626],{"class":608,"line":499},[606,23622,4226],{"class":618},[606,23624,23625],{"class":622}," restart",[606,23627,23628],{"class":622}," webapp\n",[106,23630,23631,23634],{},[109,23632,23633],{},"Deploy to server",[598,23635,23637],{"className":600,"code":23636,"language":602,"meta":490,"style":490},"# Push code to server (Git, rsync, scp)\nssh user@server\ndocker-compose pull\ndocker-compose up -d --build\n",[554,23638,23639,23644,23651,23657],{"__ignoreMap":490},[606,23640,23641],{"class":608,"line":609},[606,23642,23643],{"class":612},"# Push code to server (Git, rsync, scp)\n",[606,23645,23646,23648],{"class":608,"line":491},[606,23647,23415],{"class":618},[606,23649,23650],{"class":622}," user@server\n",[606,23652,23653,23655],{"class":608,"line":499},[606,23654,4226],{"class":618},[606,23656,22442],{"class":622},[606,23658,23659,23661,23663,23665],{"class":608,"line":650},[606,23660,4226],{"class":618},[606,23662,21830],{"class":622},[606,23664,659],{"class":622},[606,23666,23008],{"class":622},[106,23668,23669,23672],{},[109,23670,23671],{},"Monitor",[598,23673,23675],{"className":600,"code":23674,"language":602,"meta":490,"style":490},"docker-compose logs -f\ndocker-compose 
ps\n",[554,23676,23677,23685],{"__ignoreMap":490},[606,23678,23679,23681,23683],{"class":608,"line":609},[606,23680,4226],{"class":618},[606,23682,20667],{"class":622},[606,23684,22964],{"class":622},[606,23686,23687,23689],{"class":608,"line":491},[606,23688,4226],{"class":618},[606,23690,22387],{"class":622},[71,23692,23694],{"id":23693},"conclusion-docker-compose-for-selfhosting","Conclusion: Docker Compose for Selfhosting",[56,23696,23697],{},"Docker Compose transforms the chaos of individual containers into a well-organized system. It's the tool that takes you from \"playing around with Docker\" to \"running real production environments.\"",[56,23699,23700],{},[109,23701,23702],{},"The key advantages:",[103,23704,23705,23711,23717,23723],{},[106,23706,23707,23710],{},[109,23708,23709],{},"Everything in one place:"," The entire configuration is in one file",[106,23712,23713,23716],{},[109,23714,23715],{},"Isolated environments:"," You can run multiple projects in parallel on one server",[106,23718,23719,23722],{},[109,23720,23721],{},"Easy networking:"," Containers communicate via DNS names",[106,23724,23725,23728],{},[109,23726,23727],{},"Perfect for selfhosting:"," Ideal for VPS hosting on the provider of your choice",[56,23730,23731],{},"Whether you want to host a blog, a cloud storage solution, or a monitoring system, Docker Compose makes it simple, maintainable, and reproducible.",[56,23733,23734],{},[109,23735,23736],{},"Next steps:",[103,23738,23739,23742,23745,23748],{},[106,23740,23741],{},"Get yourself an affordable VPS",[106,23743,23744],{},"Install Docker and Docker Compose",[106,23746,23747],{},"Start with a simple hobby project",[106,23749,23750,23751,23754,23755,23758,23759,23762],{},"Gradually expand your infrastructure — ",[60,23752,23753],{"href":2523},"explore what Docker Swarm offers"," when you outgrow Compose, or understand the ",[60,23756,23757],{"href":4315},"differences between Kubernetes and Docker Swarm",", or see 
",[60,23760,23761],{"href":2850},"Docker, Compose, Swarm, and Kubernetes compared"," side by side",[479,23764],{},[56,23766,23767],{},[2186,23768,23769],{},"Want to learn more about deployment strategies and selfhosting? Check out our hosting solutions at lowcloud.io – optimized for Docker and modern container workflows.",[1499,23771,23772],{},"html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: 
var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}",{"title":490,"searchDepth":491,"depth":491,"links":23774},[23775,23776,23781,23782,23783,23784,23785,23786,23787,23788],{"id":22628,"depth":491,"text":22629},{"id":22658,"depth":491,"text":22659,"children":23777},[23778,23779,23780],{"id":22665,"depth":499,"text":22666},{"id":22682,"depth":499,"text":22683},{"id":22693,"depth":499,"text":22694},{"id":22898,"depth":491,"text":22899},{"id":23014,"depth":491,"text":23015},{"id":23086,"depth":491,"text":23087},{"id":23130,"depth":491,"text":23131},{"id":23493,"depth":491,"text":23494},{"id":23540,"depth":491,"text":23541},{"id":23589,"depth":491,"text":23590},{"id":23693,"depth":491,"text":23694},"2025-12-16","Learn Docker Compose from scratch - This tutorial explains how to manage multi-container applications with a single YAML file and why Docker Compose is essential for selfhosting.",{"src":23792},"\u002Fimages\u002Fblog\u002Fdocker_compose_multi_container_applications.jpeg",{},{"title":22591,"description":23790},"en\u002F3.blog\u002F4.docker-compose-for-beginners","Economy, Information 
Technology","I3QNR9cpxjhiTio06y8apBhS-rtTDcl99G2hxjtTjEs",{"id":23799,"title":23800,"authors":23801,"badge":10,"body":23804,"date":24675,"description":24676,"extension":510,"image":24677,"lastUpdated":6920,"meta":24679,"navigation":14,"path":22653,"published":14,"seo":24680,"stem":24681,"tags":24682,"__hash__":24683},"posts\u002Fen\u002F3.blog\u002F3.self-hosted-n8n-on-hetzner.md","Self-Host n8n on Hetzner: Complete Docker Setup Guide",[23802],{"name":13,"to":523,"avatar":23803},{"src":8},{"type":48,"value":23805,"toc":24654},[23806,23810,23813,23819,23823,23826,23830,23836,23842,23848,23851,23859,23863,23866,23872,23878,23884,23890,23894,23900,23904,23915,23919,23927,24064,24070,24076,24080,24083,24087,24093,24099,24105,24111,24114,24139,24143,24146,24150,24153,24173,24177,24183,24470,24474,24480,24486,24489,24493,24496,24509,24516,24520,24526,24532,24537,24598,24604,24623,24627,24630,24633,24639,24641,24651],[51,23807,23809],{"id":23808},"automation-made-easy-self-hosting-n8n","Automation made easy: Self-hosting n8n",[56,23811,23812],{},"Every day, companies juggle dozens of different tools. From CRM to Slack to Google Sheets. The problem: These applications rarely talk to each other. The result? Manual work, lost time, and unnecessary errors.",[56,23814,23815,23816,23818],{},"The solution is workflow automation. This article shows how to automate processes with ",[109,23817,22654],{}," in just a few steps. And best of all, the self-hosted version of n8n can be operated for free, with only server costs incurred.",[71,23820,23822],{"id":23821},"what-is-n8n-and-why-should-you-self-host-it","What is n8n and why should you self-host it?",[56,23824,23825],{},"n8n is a node-based workflow automation platform that allows you to connect various services and APIs. 
Unlike cloud-based alternatives like Zapier, self-hosting n8n offers complete control over data and workflows.",[187,23827,23829],{"id":23828},"how-n8n-works-simply","How n8n works simply:",[56,23831,23832,23835],{},[109,23833,23834],{},"Nodes"," are the building blocks. Every service, be it Slack, Gmail, a CRM system, or a simple HTTP request, is represented as a node.",[56,23837,23838,23841],{},[109,23839,23840],{},"Workflows"," are created by visually connecting these nodes via drag-and-drop. No code is required, but JavaScript or Python can be used if needed.",[56,23843,23844,23847],{},[109,23845,23846],{},"Triggers"," start workflows automatically. This can be a new email, a webhook call, or a time-based trigger like \"Every Monday at 9 AM\".",[56,23849,23850],{},"The big advantage of self-hosting n8n: Sensitive business data never leaves your own infrastructure. The solution is GDPR-compliant and can be adapted to specific requirements.",[56,23852,23853,23854],{},"Here is a simple example of a workflow:\n",[23855,23856],"img",{"alt":23857,"src":23858},"n8n Workflow Example","\u002Fimages\u002Fblog\u002Fn8n-workflow-example.png",[71,23860,23862],{"id":23861},"practical-use-cases-for-n8n","Practical Use Cases for n8n",[56,23864,23865],{},"Here are some concrete examples of how n8n can simplify your daily work:",[56,23867,23868,23871],{},[109,23869,23870],{},"Automate Lead Management",": A new contact fills out a web form. 
n8n receives the data via webhook, checks the email address for validity, and automatically creates a new entry in the CRM – including a notification to the sales team via Slack.",[56,23873,23874,23877],{},[109,23875,23876],{},"Improve Internal Communication",": As soon as a new entry appears in the Airtable project database, n8n automatically sends a formatted message to the relevant Slack channel with all relevant details.",[56,23879,23880,23883],{},[109,23881,23882],{},"Accelerate Content Workflows",": After publishing a new blog article in WordPress, n8n automatically posts an engaging link to LinkedIn and Twitter accounts – with individually adapted text for each platform.",[56,23885,23886,23889],{},[109,23887,23888],{},"Synchronize Data",": Keep customer master data synchronized between the shop system and accounting software, even if both systems do not offer native integration.",[71,23891,23893],{"id":23892},"self-hosting-n8n-with-docker-the-technical-foundation","Self-hosting n8n with Docker: The Technical Foundation",[56,23895,23896,23897,415],{},"If n8n is to be installed on your own server, Docker is the recommended method. Docker ensures that n8n runs in an isolated environment and brings all dependencies with it. A small tutorial on Docker fundamentals is available in our ",[60,23898,23899],{"href":2179},"Docker basics guide",[187,23901,23903],{"id":23902},"basic-requirements","Basic Requirements:",[103,23905,23906,23909,23912],{},[106,23907,23908],{},"A server or VPS (recommended: at least 2 GB RAM)",[106,23910,23911],{},"Installed Docker Engine",[106,23913,23914],{},"A domain for access via HTTPS",[187,23916,23918],{"id":23917},"a-minimal-docker-setup","A Minimal Docker Setup",[56,23920,2493,23921,23923,23924,23926],{},[60,23922,2625],{"href":2333},", n8n can be started with just a few lines of configuration. 
A simple ",[554,23925,21636],{}," looks like this:",[598,23928,23930],{"className":1592,"code":23929,"language":1594,"meta":490,"style":490},"version: '3.8'\nservices:\n  n8n:\n    image: n8nio\u002Fn8n\n    container_name: n8n\n    restart: always\n    ports:\n      - '5678:5678'\n    environment:\n      - N8N_HOST=your-domain.de\n      - N8N_PORT=5678\n      - N8N_PROTOCOL=https\n      - WEBHOOK_URL=https:\u002F\u002Fyour-domain.de\u002F\n    volumes:\n      - n8n_data:\u002Fhome\u002Fnode\u002F.n8n\n\nvolumes:\n  n8n_data:\n",[554,23931,23932,23944,23950,23957,23966,23975,23983,23989,24000,24006,24013,24020,24027,24034,24040,24047,24051,24057],{"__ignoreMap":490},[606,23933,23934,23936,23938,23940,23942],{"class":608,"line":609},[606,23935,2955],{"class":1601},[606,23937,1605],{"class":629},[606,23939,14493],{"class":629},[606,23941,22716],{"class":622},[606,23943,14499],{"class":629},[606,23945,23946,23948],{"class":608,"line":491},[606,23947,2352],{"class":1601},[606,23949,1630],{"class":629},[606,23951,23952,23955],{"class":608,"line":499},[606,23953,23954],{"class":1601},"  n8n",[606,23956,1630],{"class":629},[606,23958,23959,23961,23963],{"class":608,"line":650},[606,23960,2366],{"class":1601},[606,23962,1605],{"class":629},[606,23964,23965],{"class":622}," n8nio\u002Fn8n\n",[606,23967,23968,23970,23972],{"class":608,"line":672},[606,23969,21668],{"class":1601},[606,23971,1605],{"class":629},[606,23973,23974],{"class":622}," 
n8n\n",[606,23976,23977,23979,23981],{"class":608,"line":688},[606,23978,21678],{"class":1601},[606,23980,1605],{"class":629},[606,23982,21683],{"class":622},[606,23984,23985,23987],{"class":608,"line":699},[606,23986,2376],{"class":1601},[606,23988,1630],{"class":629},[606,23990,23991,23993,23995,23998],{"class":608,"line":709},[606,23992,1888],{"class":629},[606,23994,14493],{"class":629},[606,23996,23997],{"class":622},"5678:5678",[606,23999,14499],{"class":629},[606,24001,24002,24004],{"class":608,"line":720},[606,24003,2396],{"class":1601},[606,24005,1630],{"class":629},[606,24007,24008,24010],{"class":608,"line":859},[606,24009,1888],{"class":629},[606,24011,24012],{"class":622}," N8N_HOST=your-domain.de\n",[606,24014,24015,24017],{"class":608,"line":875},[606,24016,1888],{"class":629},[606,24018,24019],{"class":622}," N8N_PORT=5678\n",[606,24021,24022,24024],{"class":608,"line":889},[606,24023,1888],{"class":629},[606,24025,24026],{"class":622}," N8N_PROTOCOL=https\n",[606,24028,24029,24031],{"class":608,"line":898},[606,24030,1888],{"class":629},[606,24032,24033],{"class":622}," WEBHOOK_URL=https:\u002F\u002Fyour-domain.de\u002F\n",[606,24035,24036,24038],{"class":608,"line":912},[606,24037,2447],{"class":1601},[606,24039,1630],{"class":629},[606,24041,24042,24044],{"class":608,"line":917},[606,24043,1888],{"class":629},[606,24045,24046],{"class":622}," n8n_data:\u002Fhome\u002Fnode\u002F.n8n\n",[606,24048,24049],{"class":608,"line":923},[606,24050,647],{"emptyLinePlaceholder":14},[606,24052,24053,24055],{"class":608,"line":939},[606,24054,2481],{"class":1601},[606,24056,1630],{"class":629},[606,24058,24059,24062],{"class":608,"line":953},[606,24060,24061],{"class":1601},"  n8n_data",[606,24063,1630],{"class":629},[56,24065,24066,24067,24069],{},"With the command ",[554,24068,23120],{},", the n8n instance is started. 
The data is stored persistently in a Docker Volume and is not lost even after restarts.",[56,24071,24072,24075],{},[109,24073,24074],{},"Important",": For production use, a reverse proxy like Caddy or Nginx is additionally required to handle SSL certificates.",[71,24077,24079],{"id":24078},"setting-up-n8n-on-hetzner-vps-german-server-meets-workflow-automation","Setting up n8n on Hetzner VPS: German Server meets Workflow Automation",[56,24081,24082],{},"For self-hosting n8n, a reliable server provider is important. Hetzner offers an excellent combination of performance, price, and data protection.",[187,24084,24086],{"id":24085},"why-hetzner-is-ideal-for-n8n","Why Hetzner is ideal for n8n:",[56,24088,24089,24092],{},[109,24090,24091],{},"Data Centers in Germany",": Data remains in Germany and is thus subject to strict GDPR guidelines. This is ideal for companies with high compliance requirements.",[56,24094,24095,24098],{},[109,24096,24097],{},"Docker-Ready Images",": Hetzner offers pre-configured cloud servers with Docker already installed. This saves manual installation and allows you to start deployment directly.",[56,24100,24101,24104],{},[109,24102,24103],{},"Fair Pricing",": Cloud servers (Cloud VPS) start at just a few Euros per month. You only pay for the time actually used. 
This is perfect for testing and for small to medium-sized projects.",[56,24106,24107,24110],{},[109,24108,24109],{},"Scalable",": If automation requirements grow, the Hetzner server can be easily scaled up without having to start completely from scratch.",[56,24112,24113],{},"A typical configuration for n8n on Hetzner:",[103,24115,24116,24122,24128,24134],{},[106,24117,24118,24121],{},[109,24119,24120],{},"Server Type",": CX23 (2 vCPU, 4 GB RAM, 40 GB SSD)",[106,24123,24124,24127],{},[109,24125,24126],{},"Location",": Nuremberg or Falkenstein (Germany)",[106,24129,24130,24133],{},[109,24131,24132],{},"Image",": Docker CE App",[106,24135,24136,24138],{},[109,24137,14198],{},": From approx. €3.49 per month",[71,24140,24142],{"id":24141},"practical-example-n8n-with-caddy-as-reverse-proxy","Practical Example: n8n with Caddy as Reverse Proxy",[56,24144,24145],{},"Manually setting up n8n requires a few technical steps. Here is a complete example that anyone can replicate. With automatic SSL certificates through Caddy.",[187,24147,24149],{"id":24148},"step-1-prepare-server","Step 1: Prepare Server",[56,24151,24152],{},"After logging into the Hetzner server, first create the necessary directories:",[598,24154,24156],{"className":600,"code":24155,"language":602,"meta":490,"style":490},"mkdir -p ~\u002Fn8n-setup\ncd ~\u002Fn8n-setup\n\n",[554,24157,24158,24167],{"__ignoreMap":490},[606,24159,24160,24162,24164],{"class":608,"line":609},[606,24161,619],{"class":618},[606,24163,623],{"class":622},[606,24165,24166],{"class":622}," ~\u002Fn8n-setup\n",[606,24168,24169,24171],{"class":608,"line":491},[606,24170,21383],{"class":21382},[606,24172,24166],{"class":622},[187,24174,24176],{"id":24175},"step-2-create-docker-compose-file","Step 2: Create Docker Compose File",[56,24178,24179,24180,24182],{},"A complete ",[554,24181,21636],{}," with n8n and Caddy as Reverse Proxy:",[598,24184,24186],{"className":1592,"code":24185,"language":1594,"meta":490,"style":490},"version: 
'3.8'\n\nservices:\n  caddy:\n    image: caddy:2-alpine\n    container_name: caddy\n    restart: always\n    ports:\n      - '80:80'\n      - '443:443'\n    volumes:\n      - .\u002FCaddyfile:\u002Fetc\u002Fcaddy\u002FCaddyfile\n      - caddy_data:\u002Fdata\n      - caddy_config:\u002Fconfig\n    networks:\n      - n8n-network\n\n  n8n:\n    image: n8nio\u002Fn8n\n    container_name: n8n\n    restart: always\n    environment:\n      - N8N_HOST=automation.your-domain.de\n      - N8N_PORT=5678\n      - N8N_PROTOCOL=https\n      - NODE_ENV=production\n      - WEBHOOK_URL=https:\u002F\u002Fautomation.your-domain.de\u002F\n      - GENERIC_TIMEZONE=Europe\u002FBerlin\n    volumes:\n      - n8n_data:\u002Fhome\u002Fnode\u002F.n8n\n    networks:\n      - n8n-network\n\nvolumes:\n  n8n_data:\n  caddy_data:\n  caddy_config:\n\nnetworks:\n  n8n-network:\n    driver: bridge\n",[554,24187,24188,24200,24204,24210,24217,24226,24235,24243,24249,24259,24269,24275,24282,24289,24296,24302,24309,24313,24319,24327,24335,24343,24349,24356,24362,24368,24375,24382,24389,24395,24401,24407,24413,24417,24423,24429,24436,24443,24447,24453,24460],{"__ignoreMap":490},[606,24189,24190,24192,24194,24196,24198],{"class":608,"line":609},[606,24191,2955],{"class":1601},[606,24193,1605],{"class":629},[606,24195,14493],{"class":629},[606,24197,22716],{"class":622},[606,24199,14499],{"class":629},[606,24201,24202],{"class":608,"line":491},[606,24203,647],{"emptyLinePlaceholder":14},[606,24205,24206,24208],{"class":608,"line":499},[606,24207,2352],{"class":1601},[606,24209,1630],{"class":629},[606,24211,24212,24215],{"class":608,"line":650},[606,24213,24214],{"class":1601},"  caddy",[606,24216,1630],{"class":629},[606,24218,24219,24221,24223],{"class":608,"line":672},[606,24220,2366],{"class":1601},[606,24222,1605],{"class":629},[606,24224,24225],{"class":622}," 
caddy:2-alpine\n",[606,24227,24228,24230,24232],{"class":608,"line":688},[606,24229,21668],{"class":1601},[606,24231,1605],{"class":629},[606,24233,24234],{"class":622}," caddy\n",[606,24236,24237,24239,24241],{"class":608,"line":699},[606,24238,21678],{"class":1601},[606,24240,1605],{"class":629},[606,24242,21683],{"class":622},[606,24244,24245,24247],{"class":608,"line":709},[606,24246,2376],{"class":1601},[606,24248,1630],{"class":629},[606,24250,24251,24253,24255,24257],{"class":608,"line":720},[606,24252,1888],{"class":629},[606,24254,14493],{"class":629},[606,24256,21698],{"class":622},[606,24258,14499],{"class":629},[606,24260,24261,24263,24265,24267],{"class":608,"line":859},[606,24262,1888],{"class":629},[606,24264,14493],{"class":629},[606,24266,21709],{"class":622},[606,24268,14499],{"class":629},[606,24270,24271,24273],{"class":608,"line":875},[606,24272,2447],{"class":1601},[606,24274,1630],{"class":629},[606,24276,24277,24279],{"class":608,"line":889},[606,24278,1888],{"class":629},[606,24280,24281],{"class":622}," .\u002FCaddyfile:\u002Fetc\u002Fcaddy\u002FCaddyfile\n",[606,24283,24284,24286],{"class":608,"line":898},[606,24285,1888],{"class":629},[606,24287,24288],{"class":622}," caddy_data:\u002Fdata\n",[606,24290,24291,24293],{"class":608,"line":912},[606,24292,1888],{"class":629},[606,24294,24295],{"class":622}," caddy_config:\u002Fconfig\n",[606,24297,24298,24300],{"class":608,"line":917},[606,24299,21743],{"class":1601},[606,24301,1630],{"class":629},[606,24303,24304,24306],{"class":608,"line":923},[606,24305,1888],{"class":629},[606,24307,24308],{"class":622}," 
n8n-network\n",[606,24310,24311],{"class":608,"line":939},[606,24312,647],{"emptyLinePlaceholder":14},[606,24314,24315,24317],{"class":608,"line":953},[606,24316,23954],{"class":1601},[606,24318,1630],{"class":629},[606,24320,24321,24323,24325],{"class":608,"line":1116},[606,24322,2366],{"class":1601},[606,24324,1605],{"class":629},[606,24326,23965],{"class":622},[606,24328,24329,24331,24333],{"class":608,"line":1136},[606,24330,21668],{"class":1601},[606,24332,1605],{"class":629},[606,24334,23974],{"class":622},[606,24336,24337,24339,24341],{"class":608,"line":1146},[606,24338,21678],{"class":1601},[606,24340,1605],{"class":629},[606,24342,21683],{"class":622},[606,24344,24345,24347],{"class":608,"line":1155},[606,24346,2396],{"class":1601},[606,24348,1630],{"class":629},[606,24350,24351,24353],{"class":608,"line":1165},[606,24352,1888],{"class":629},[606,24354,24355],{"class":622}," N8N_HOST=automation.your-domain.de\n",[606,24357,24358,24360],{"class":608,"line":1171},[606,24359,1888],{"class":629},[606,24361,24019],{"class":622},[606,24363,24364,24366],{"class":608,"line":1176},[606,24365,1888],{"class":629},[606,24367,24026],{"class":622},[606,24369,24370,24372],{"class":608,"line":1182},[606,24371,1888],{"class":629},[606,24373,24374],{"class":622}," NODE_ENV=production\n",[606,24376,24377,24379],{"class":608,"line":1200},[606,24378,1888],{"class":629},[606,24380,24381],{"class":622}," WEBHOOK_URL=https:\u002F\u002Fautomation.your-domain.de\u002F\n",[606,24383,24384,24386],{"class":608,"line":1205},[606,24385,1888],{"class":629},[606,24387,24388],{"class":622}," 
GENERIC_TIMEZONE=Europe\u002FBerlin\n",[606,24390,24391,24393],{"class":608,"line":1211},[606,24392,2447],{"class":1601},[606,24394,1630],{"class":629},[606,24396,24397,24399],{"class":608,"line":1253},[606,24398,1888],{"class":629},[606,24400,24046],{"class":622},[606,24402,24403,24405],{"class":608,"line":1258},[606,24404,21743],{"class":1601},[606,24406,1630],{"class":629},[606,24408,24409,24411],{"class":608,"line":1264},[606,24410,1888],{"class":629},[606,24412,24308],{"class":622},[606,24414,24415],{"class":608,"line":22159},[606,24416,647],{"emptyLinePlaceholder":14},[606,24418,24419,24421],{"class":608,"line":22167},[606,24420,2481],{"class":1601},[606,24422,1630],{"class":629},[606,24424,24425,24427],{"class":608,"line":22174},[606,24426,24061],{"class":1601},[606,24428,1630],{"class":629},[606,24430,24431,24434],{"class":608,"line":22181},[606,24432,24433],{"class":1601},"  caddy_data",[606,24435,1630],{"class":629},[606,24437,24438,24441],{"class":608,"line":22186},[606,24439,24440],{"class":1601},"  caddy_config",[606,24442,1630],{"class":629},[606,24444,24445],{"class":608,"line":22194},[606,24446,647],{"emptyLinePlaceholder":14},[606,24448,24449,24451],{"class":608,"line":22204},[606,24450,21760],{"class":1601},[606,24452,1630],{"class":629},[606,24454,24455,24458],{"class":608,"line":22213},[606,24456,24457],{"class":1601},"  n8n-network",[606,24459,1630],{"class":629},[606,24461,24462,24465,24467],{"class":608,"line":22220},[606,24463,24464],{"class":1601},"    driver",[606,24466,1605],{"class":629},[606,24468,24469],{"class":622}," bridge\n",[187,24471,24473],{"id":24472},"step-3-create-caddyfile","Step 3: Create Caddyfile",[56,24475,24476,24477,1605],{},"In the same directory, create a file named ",[554,24478,24479],{},"Caddyfile",[598,24481,24484],{"className":24482,"code":24483,"language":1696},[1694],"automation.your-domain.de {\n    reverse_proxy n8n:5678\n}\n\n",[554,24485,24483],{"__ignoreMap":490},[56,24487,24488],{},"Caddy automatically 
takes care of SSL certificates from Let's Encrypt. No manual configuration is necessary.",[187,24490,24492],{"id":24491},"step-4-start-and-test","Step 4: Start and Test",[56,24494,24495],{},"Start the entire setup with a simple command:",[598,24497,24499],{"className":600,"code":24498,"language":602,"meta":490,"style":490},"docker-compose up -d\n\n",[554,24500,24501],{"__ignoreMap":490},[606,24502,24503,24505,24507],{"class":608,"line":609},[606,24504,4226],{"class":618},[606,24506,21830],{"class":622},[606,24508,21833],{"class":622},[56,24510,24511,24512,24515],{},"After about 30 seconds, n8n is accessible at ",[554,24513,24514],{},"https:\u002F\u002Fautomation.your-domain.de",". An admin account is created upon the first visit.",[187,24517,24519],{"id":24518},"important-notes-for-production-operation","Important Notes for Production Operation",[56,24521,24522,24525],{},[109,24523,24524],{},"DNS Configuration",": The domain must point to the server's IP address. An A-record with the server IP value is sufficient.",[56,24527,24528,24531],{},[109,24529,24530],{},"Firewall",": Ports 80 and 443 must be open. 
In Hetzner Cloud, this can be done via the firewall settings.",[56,24533,24534,24536],{},[109,24535,14104],{},": Regular backups of the n8n_data volume secure all workflows:",[598,24538,24540],{"className":600,"code":24539,"language":602,"meta":490,"style":490},"docker run --rm -v n8n-setup_n8n_data:\u002Fdata -v $(pwd):\u002Fbackup alpine tar czf \u002Fbackup\u002Fn8n-backup-$(date +%Y%m%d).tar.gz \u002Fdata\n\n",[554,24541,24542],{"__ignoreMap":490},[606,24543,24544,24546,24548,24551,24554,24557,24559,24562,24565,24567,24570,24573,24576,24579,24582,24585,24588,24591,24593,24596],{"class":608,"line":609},[606,24545,653],{"class":618},[606,24547,656],{"class":622},[606,24549,24550],{"class":622}," --rm",[606,24552,24553],{"class":622}," -v",[606,24555,24556],{"class":622}," n8n-setup_n8n_data:\u002Fdata",[606,24558,24553],{"class":622},[606,24560,24561],{"class":629}," $(",[606,24563,24564],{"class":21382},"pwd",[606,24566,5903],{"class":629},[606,24568,24569],{"class":622},":\u002Fbackup",[606,24571,24572],{"class":622}," alpine",[606,24574,24575],{"class":622}," tar",[606,24577,24578],{"class":622}," czf",[606,24580,24581],{"class":622}," \u002Fbackup\u002Fn8n-backup-",[606,24583,24584],{"class":629},"$(",[606,24586,24587],{"class":618},"date",[606,24589,24590],{"class":622}," +%Y%m%d",[606,24592,5903],{"class":629},[606,24594,24595],{"class":622},".tar.gz",[606,24597,726],{"class":622},[56,24599,24600,24603],{},[109,24601,24602],{},"Updates",": n8n can be updated with just a few commands:",[598,24605,24607],{"className":600,"code":24606,"language":602,"meta":490,"style":490},"docker-compose pull\ndocker-compose up 
-d\n\n",[554,24608,24609,24615],{"__ignoreMap":490},[606,24610,24611,24613],{"class":608,"line":609},[606,24612,4226],{"class":618},[606,24614,22442],{"class":622},[606,24616,24617,24619,24621],{"class":608,"line":491},[606,24618,4226],{"class":618},[606,24620,21830],{"class":622},[606,24622,21833],{"class":622},[71,24624,24626],{"id":24625},"conclusion-workflow-automation-without-compromises","Conclusion: Workflow Automation without Compromises",[56,24628,24629],{},"Installing n8n on your own server offers maximum flexibility and data control. With over 400 integrations, practically any service can be integrated into automations. The difference to cloud solutions: You don't pay per workflow execution, but only for the server resources.",[56,24631,24632],{},"Combined with the reliability of Hetzner servers and the simplicity of the LowCloud template, nothing stands in the way of your automation strategy.",[56,24634,24635,24638],{},[109,24636,24637],{},"Ready for your first automation?"," Start now with the n8n template in LowCloud and experience how easy professional workflow automation can be.",[479,24640],{},[56,24642,24643],{},[2186,24644,24645,24646,24650],{},"Further information on n8n can be found in the ",[60,24647,22556],{"href":24648,"rel":24649},"https:\u002F\u002Fdocs.n8n.io\u002F",[64],". 
If you have questions about deployment or DevOps-as-a-Service solutions, the lowcloud team is happy to help.",[1499,24652,24653],{},"html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .s2Zo4, html code.shiki 
.s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}",{"title":490,"searchDepth":491,"depth":491,"links":24655},[24656,24659,24660,24664,24667,24674],{"id":23821,"depth":491,"text":23822,"children":24657},[24658],{"id":23828,"depth":499,"text":23829},{"id":23861,"depth":491,"text":23862},{"id":23892,"depth":491,"text":23893,"children":24661},[24662,24663],{"id":23902,"depth":499,"text":23903},{"id":23917,"depth":499,"text":23918},{"id":24078,"depth":491,"text":24079,"children":24665},[24666],{"id":24085,"depth":499,"text":24086},{"id":24141,"depth":491,"text":24142,"children":24668},[24669,24670,24671,24672,24673],{"id":24148,"depth":499,"text":24149},{"id":24175,"depth":499,"text":24176},{"id":24472,"depth":499,"text":24473},{"id":24491,"depth":499,"text":24492},{"id":24518,"depth":499,"text":24519},{"id":24625,"depth":491,"text":24626},"2025-12-09","Step-by-step: deploy n8n with Docker on a Hetzner VPS. Covers reverse proxy, SSL, backups, and data sovereignty — no managed cloud needed.",{"src":24678},"\u002Fimages\u002Fblog\u002Fn8n_workflow_blog_title.jpeg",{},{"title":23800,"description":24676},"en\u002F3.blog\u002F3.self-hosted-n8n-on-hetzner","Hetzner, n8n, Docker","yuWRSvYkz2cRYmy5mdO4wLy-FawhrlhEq4L9pbt3RUM",{"id":24685,"title":24686,"authors":24687,"badge":10,"body":24690,"date":25273,"description":25274,"extension":510,"image":25275,"lastUpdated":3942,"meta":25277,"navigation":14,"path":2179,"published":14,"seo":25278,"stem":25279,"tags":23796,"__hash__":25280},"posts\u002Fen\u002F3.blog\u002F2.how-docker-works.md","Docker Fundamentals -  Understanding Container 
Virtualization",[24688],{"name":13,"to":523,"avatar":24689},{"src":8},{"type":48,"value":24691,"toc":25252},[24692,24696,24699,24701,24705,24722,24729,24734,24769,24771,24775,24785,24789,24795,24838,24842,24849,24901,24903,24907,24913,24917,24920,24990,25004,25008,25014,25050,25052,25056,25062,25066,25075,25081,25101,25105,25114,25132,25146,25148,25152,25166,25169,25173,25176,25200,25202,25206,25224,25242],[71,24693,24695],{"id":24694},"docker-fundamentals-understanding-container-virtualization","🐳 Docker Fundamentals: Understanding Container Virtualization",[56,24697,24698],{},"Start with Docker: This guide explains to technical readers how containers work, how they differ from VMs, and why they are the modern standard for achieving consistency and efficiency in DevOps.",[479,24700],{},[187,24702,24704],{"id":24703},"introduction-the-evolution-of-application-isolation","Introduction: The Evolution of Application Isolation",[56,24706,24707,24708,24711,24712,24715,24716,24719,24720,415],{},"Modern software development demands speed, consistency, and efficient resource utilization. The shift from monolithic applications to ",[109,24709,24710],{},"Microservices"," and the adoption of ",[109,24713,24714],{},"Continuous Integration and Continuous Delivery (CI\u002FCD)"," pipelines have made traditional deployment methods obsolete. 
This evolution has driven the widespread adoption of ",[109,24717,24718],{},"containerization",", championed by ",[109,24721,2156],{},[56,24723,24724,24725,24728],{},"This technical deep dive is tailored for DevOps engineers, IT architects, and technically savvy readers who need to grasp the foundational concepts of Docker and the compelling reasons why it has superseded ",[109,24726,24727],{},"Virtual Machines (VMs)"," in many core application deployment scenarios.",[56,24730,24731],{},[109,24732,24733],{},"Key Takeaways from This Article:",[103,24735,24736,24743,24756,24766],{},[106,24737,24738,24739,24742],{},"A clear understanding of the ",[109,24740,24741],{},"architectural differences"," between Docker containers and VMs.",[106,24744,24745,24746,733,24749,24752,24753,415],{},"How Docker radically improves ",[109,24747,24748],{},"resource efficiency",[109,24750,24751],{},"deployment speed"," (Time-to-Market) in modern ",[109,24754,24755],{},"DevOps workflows",[106,24757,24758,24759,733,24762,24765],{},"The crucial role of Linux Kernel features like ",[109,24760,24761],{},"Namespaces",[109,24763,24764],{},"cgroups"," in enabling container isolation.",[106,24767,24768],{},"Contextual use cases where containers excel and where VMs remain essential.",[479,24770],{},[71,24772,24774],{"id":24773},"_1-architectural-deep-dive-containers-vs-virtual-machines","1. Architectural Deep Dive: Containers vs. Virtual Machines",[56,24776,24777,24778,24781,24782,415],{},"While both Docker and VMs aim to isolate applications and ensure ",[109,24779,24780],{},"portability",", they achieve this through fundamentally different levels of abstraction. 
Understanding this difference is paramount for designing an optimal ",[109,24783,24784],{},"DevOps strategy",[187,24786,24788],{"id":24787},"_11-virtual-machines-vms-hardware-level-isolation","1.1 Virtual Machines (VMs): Hardware-Level Isolation",[56,24790,7445,24791,24794],{},[109,24792,24793],{},"Virtual Machine"," (VM) virtualizes the complete hardware stack.",[103,24796,24797,24811,24821],{},[106,24798,24799,24802,24803,24806,24807,24810],{},[109,24800,24801],{},"Architecture:"," VMs require a ",[109,24804,24805],{},"Hypervisor"," (Type 1 or Type 2) to emulate virtual hardware. On top of this virtual hardware, a ",[109,24808,24809],{},"full Guest Operating System (Guest OS)",", including its own kernel and user space, must be installed and booted.",[106,24812,24813,24816,24817,24820],{},[109,24814,24815],{},"Isolation:"," Isolation is strong because each VM possesses its ",[109,24818,24819],{},"own, dedicated kernel",". This provides the highest level of separation for workloads that require strict security boundaries or the ability to run different operating systems on a single host.",[106,24822,24823,24826,24827,24830,24831,24834,24835,415],{},[109,24824,24825],{},"Resources:"," VMs are ",[109,24828,24829],{},"resource-heavy",". 
The necessity of running a full Guest OS introduces significant ",[109,24832,24833],{},"overhead"," in terms of dedicated CPU, RAM, and most notably, the image size, which is typically measured in ",[109,24836,24837],{},"gigabytes (GBs)",[187,24839,24841],{"id":24840},"_12-docker-containers-operating-system-level-virtualization","1.2 Docker Containers: Operating System-Level Virtualization",[56,24843,24844,24845,24848],{},"Docker leverages ",[109,24846,24847],{},"Operating System (OS) virtualization",", primarily using features built into the Linux kernel.",[103,24850,24851,24867,24885],{},[106,24852,24853,24855,24856,24859,24860,24863,24864,415],{},[109,24854,24801],{}," Containers ",[109,24857,24858],{},"share the host operating system's kernel",". They only package the application and its required dependencies (libraries, binaries, configuration files) into an isolated ",[109,24861,24862],{},"User Space",". This self-contained, lightweight package is known as a ",[109,24865,24866],{},"Docker Image",[106,24868,24869,24871,24872,733,24874,24877,24878,24881,24882,415],{},[109,24870,24815],{}," Isolation is achieved using kernel features like ",[109,24873,24761],{},[109,24875,24876],{},"Control Groups (cgroups)"," (detailed below). While robust for application isolation, it is not as strong as the dedicated kernel isolation of a VM. Containers isolate ",[2186,24879,24880],{},"processes"," rather than entire ",[2186,24883,24884],{},"systems",[106,24886,24887,24889,24890,24893,24894,24897,24898,415],{},[109,24888,24825],{}," Containers are ",[109,24891,24892],{},"extremely lightweight",". Since they do not carry the overhead of a Guest OS, they can start in ",[109,24895,24896],{},"milliseconds"," and consume only the resources strictly necessary for the application process. Image sizes are reduced to ",[109,24899,24900],{},"megabytes (MBs)",[479,24902],{},[71,24904,24906],{"id":24905},"_2-performance-and-efficiency-the-cicd-accelerator","2. 
Performance and Efficiency: The CI\u002FCD Accelerator",[56,24908,24909,24910,24912],{},"In modern ",[109,24911,5264],{}," environments, the key metric is agility—the ability to build, test, and deploy rapidly. This is where Docker's design provides a competitive edge.",[187,24914,24916],{"id":24915},"_21-the-speed-advantage-startup-time-and-density","2.1 The Speed Advantage: Startup Time and Density",[56,24918,24919],{},"Docker's lightweight architecture translates directly into superior performance metrics:",[1305,24921,24922,24936],{},[1308,24923,24924],{},[1311,24925,24926,24930,24933],{},[1314,24927,24929],{"align":24928},"left","Feature",[1314,24931,24932],{"align":24928},"Docker Container",[1314,24934,24935],{"align":24928},"Virtual Machine (VM)",[1335,24937,24938,24951,24964,24977],{},[1311,24939,24940,24945,24948],{},[1340,24941,24942],{"align":24928},[109,24943,24944],{},"Startup Time",[1340,24946,24947],{"align":24928},"Milliseconds (Process Start)",[1340,24949,24950],{"align":24928},"Minutes (Full OS Boot)",[1311,24952,24953,24958,24961],{},[1340,24954,24955],{"align":24928},[109,24956,24957],{},"Resource Overhead",[1340,24959,24960],{"align":24928},"Minimal; shared Host Kernel",[1340,24962,24963],{"align":24928},"High; dedicated Guest OS",[1311,24965,24966,24971,24974],{},[1340,24967,24968],{"align":24928},[109,24969,24970],{},"Image Size",[1340,24972,24973],{"align":24928},"MBs (Application + Dependencies)",[1340,24975,24976],{"align":24928},"GBs (Application + Full OS)",[1311,24978,24979,24984,24987],{},[1340,24980,24981],{"align":24928},[109,24982,24983],{},"Host Density",[1340,24985,24986],{"align":24928},"Very High (many containers per host)",[1340,24988,24989],{"align":24928},"Lower (fewer VMs per host)",[56,24991,24992,24993,24996,24997,25000,25001,415],{},"This rapid startup time is critical for ",[109,24994,24995],{},"Continuous Integration (CI)",", where testing and building hundreds of images need to happen quickly to shorten feedback loops. 
The resulting high density allows businesses to run ",[109,24998,24999],{},"more workloads on the same hardware",", leading to significant cost savings and better ",[109,25002,25003],{},"resource utilization",[187,25005,25007],{"id":25006},"_22-portability-and-consistency-solving-the-works-on-my-machine-problem","2.2 Portability and Consistency: Solving the \"Works on My Machine\" Problem",[56,25009,25010,25011,25013],{},"Docker addresses the long-standing challenge of environmental inconsistencies. A ",[109,25012,24866],{}," acts as a reliable, executable package that includes everything needed to run the software.",[103,25015,25016,25030],{},[106,25017,25018,25021,25022,25025,25026,25029],{},[109,25019,25020],{},"Development to Production:"," The container running on a developer's local machine is ",[109,25023,25024],{},"functionally identical"," to the container deployed in staging or production. This ",[109,25027,25028],{},"environmental consistency"," eliminates configuration drift and bugs caused by differing OS versions, libraries, or dependencies.",[106,25031,25032,25035,25036,25040,25041,2283,25043,25045,25046,25049],{},[109,25033,25034],{},"Scalability:"," When paired with ",[109,25037,25038],{},[60,25039,16982],{"href":1542}," systems (like ",[60,25042,1543],{"href":1542},[60,25044,2628],{"href":2523},"), Docker enables efficient, automated ",[109,25047,25048],{},"scaling"," of microservices. The lightweight nature of containers is the prerequisite for rapidly creating and distributing instances across a cluster to meet fluctuating demand.",[479,25051],{},[71,25053,25055],{"id":25054},"_3-the-technical-underpinnings-namespaces-and-control-groups","3. The Technical Underpinnings: Namespaces and Control Groups",[56,25057,25058,25059,415],{},"The core magic of Docker lies in its intelligent utilization of powerful, pre-existing features within the Linux Kernel. 
Understanding these mechanisms is key for ",[109,25060,25061],{},"technically savvy readers",[187,25063,25065],{"id":25064},"_31-namespaces-the-key-to-isolation","3.1 Namespaces: The Key to Isolation",[56,25067,25068,25070,25071,25074],{},[109,25069,24761],{}," are the primary technology providing ",[109,25072,25073],{},"isolation"," in a containerized environment. They wrap a set of system resources and present them to a process as if they are solely dedicated to that process.",[56,25076,25077,25078,1605],{},"Namespaces partition the kernel, making global resources (like process IDs, network interfaces, and file systems) ",[109,25079,25080],{},"container-specific",[103,25082,25083,25089,25095],{},[106,25084,25085,25088],{},[109,25086,25087],{},"PID Namespace:"," Containers have their own process tree, starting with PID 1. Processes inside the container cannot see or interact with processes outside their namespace.",[106,25090,25091,25094],{},[109,25092,25093],{},"NET Namespace:"," Each container can have its own isolated network stack (interfaces, routing tables, firewalls).",[106,25096,25097,25100],{},[109,25098,25099],{},"Mount Namespace:"," Each container has its own view of the filesystem, ensuring changes are isolated and the root filesystem is distinct.",[187,25102,25104],{"id":25103},"_32-control-groups-cgroups-resource-governance","3.2 Control Groups (cgroups): Resource Governance",[56,25106,25107,25109,25110,25113],{},[109,25108,24876],{}," are the mechanism that governs and ",[109,25111,25112],{},"limits resource usage"," for a process or a group of processes.",[103,25115,25116,25122],{},[106,25117,25118,25121],{},[109,25119,25120],{},"Resource Management:"," Cgroups allow the Docker engine to allocate and restrict the resources (CPU, RAM, block I\u002FO) that a container can consume.",[106,25123,25124,25127,25128,25131],{},[109,25125,25126],{},"System Stability:"," This is vital for ",[109,25129,25130],{},"system stability",". 
It prevents a misbehaving or poorly coded application in one container from monopolizing the host's resources, thus safeguarding the performance of all other containers and the host OS itself.",[20152,25133,25134],{},[56,25135,25136],{},[2186,25137,25138,25139,25142,25143,415],{},"For a detailed look at the internal mechanics, including the ",[109,25140,25141],{},"Docker Daemon"," and the interactions between the Docker Client and Engine, we recommend consulting resources that provide a technical deep dive into ",[109,25144,25145],{},"how Docker actually works",[479,25147],{},[71,25149,25151],{"id":25150},"_4-lowlcoud-perspective-consistency-in-a-european-context","4. lowcloud Perspective: Consistency in a European Context",[56,25153,25154,25155,25157,25158,25161,25162,25165],{},"For a ",[109,25156,5264],{}," platform like lowcloud, which emphasizes ",[109,25159,25160],{},"data sovereignty"," and operating within a ",[109,25163,25164],{},"European framework",", containerization is a core component.",[56,25167,25168],{},"The reliability and consistency guaranteed by Docker Images are essential for providing a trustworthy service: if the deployment package is perfectly repeatable and standardized, it simplifies compliance and operational integrity. 
Furthermore, running containerized workloads efficiently means better resource allocation within a sovereign cloud infrastructure.",[187,25170,25172],{"id":25171},"when-to-stick-with-vms","When to Stick with VMs",[56,25174,25175],{},"Despite the clear benefits of Docker for application deployment, VMs retain their value in specific areas:",[3976,25177,25178,25188,25194],{},[106,25179,25180,25183,25184,25187],{},[109,25181,25182],{},"Strong Security Boundary:"," For highly sensitive, regulated workloads (e.g., handling critical personal data) that require the ",[109,25185,25186],{},"strongest possible isolation",", the dedicated kernel of a VM remains a superior choice.",[106,25189,25190,25193],{},[109,25191,25192],{},"OS Heterogeneity:"," If you need to run an application designed for a specific OS (e.g., Windows) on a host machine running a different OS (e.g., Linux), a VM is necessary to run the entire Guest OS.",[106,25195,25196,25199],{},[109,25197,25198],{},"Infrastructure Level:"," VMs are better suited for running entire infrastructure services, such as dedicated database servers, complex networking appliances, or foundational infrastructure that requires kernel-level access and stability.",[479,25201],{},[71,25203,25205],{"id":25204},"conclusion-agility-built-on-isolation","Conclusion: Agility Built on Isolation",[56,25207,25208,25209,25212,25213,25216,25217,25220,25221,415],{},"Docker has fundamentally changed the deployment landscape. By utilizing ",[109,25210,25211],{},"OS-level virtualization"," and powerful Linux Kernel features, ",[109,25214,25215],{},"DevOps engineers"," can package applications into ",[109,25218,25219],{},"instant, lightweight, and reproducible containers",". 
This foundational technology underpins the flexibility and scaling power of ",[109,25222,25223],{},"Microservices architectures",[56,25225,25226,25227,25230,25231,733,25233,25235,25236,25239,25240,415],{},"Mastering these ",[109,25228,25229],{},"Docker Fundamentals","—from the concept of Images and Containers to the underlying power of ",[109,25232,24761],{},[109,25234,24764],{},"—is not merely a ",[109,25237,25238],{},"best practice","; it is a necessity for modern software delivery. If you want to manage multi-container applications, check out our guide on ",[60,25241,2625],{"href":2333},[56,25243,25244,25245,25247,25248,25251],{},"If your team is seeking a streamlined path to leverage the efficiency of containers within a sovereign ",[109,25246,5264],{}," framework, particularly one prioritizing ",[109,25249,25250],{},"European data sovereignty",", embracing platform solutions that are built around these container principles will be the next logical step in scaling your development and operations maturity.",{"title":490,"searchDepth":491,"depth":491,"links":25253},[25254,25257,25261,25265,25269,25272],{"id":24694,"depth":491,"text":24695,"children":25255},[25256],{"id":24703,"depth":499,"text":24704},{"id":24773,"depth":491,"text":24774,"children":25258},[25259,25260],{"id":24787,"depth":499,"text":24788},{"id":24840,"depth":499,"text":24841},{"id":24905,"depth":491,"text":24906,"children":25262},[25263,25264],{"id":24915,"depth":499,"text":24916},{"id":25006,"depth":499,"text":25007},{"id":25054,"depth":491,"text":25055,"children":25266},[25267,25268],{"id":25064,"depth":499,"text":25065},{"id":25103,"depth":499,"text":25104},{"id":25150,"depth":491,"text":25151,"children":25270},[25271],{"id":25171,"depth":499,"text":25172},{"id":25204,"depth":491,"text":25205},"2025-12-02","Start with Docker - This guide explains to technical readers how containers work, how they differ from VMs, and why they are the modern 
standard.",{"src":25276},"\u002Fimages\u002Fblog\u002Fhow_docker_works_easy.jpeg",{},{"title":24686,"description":25274},"en\u002F3.blog\u002F2.how-docker-works","ZWjg2A6ZUrJU8EeEliS92WqLy3qnIOrUve0jVGsJSPA",{"id":25282,"title":25283,"authors":25284,"badge":10,"body":25287,"date":25547,"description":25548,"extension":510,"image":25549,"lastUpdated":10,"meta":25551,"navigation":14,"path":25552,"published":14,"seo":25553,"stem":25554,"tags":23796,"__hash__":25555},"posts\u002Fen\u002F3.blog\u002F1.build-with-loveable.md","Build and Deploy a Modern Website in 5 Minutes",[25285],{"name":13,"to":523,"avatar":25286},{"src":8},{"type":48,"value":25288,"toc":25539},[25289,25293,25304,25306,25309,25312,25314,25318,25321,25362,25364,25368,25383,25386,25392,25398,25401,25433,25439,25445,25448,25451,25454,25460,25463,25469,25472,25479,25482,25485,25491,25494,25497,25517,25523,25526,25528,25530,25533,25536],[18576,25290,25292],{"id":25291},"table-of-contents","Table of Contents",[103,25294,25295,25298,25301],{},[106,25296,25297],{},"Step 1: The Idea (Lovable)",[106,25299,25300],{},"Step 2: The Export (GitHub)",[106,25302,25303],{},"Step 3: The Deployment (lowcloud + Hetzner)",[479,25305],{},[56,25307,25308],{},"In this tutorial, you'll learn step by step how to easily create a website with Lovable and deploy it cost-effectively on German servers using lowcloud. By the end, you'll have your own website with a live URL and automatic SSL.",[56,25310,25311],{},"In the past, creating your own website was complicated. You needed a designer, a developer, a server admin, and a clunky CMS. 
Today, there's a new, elegant approach that combines the best of all worlds: AI-powered generation, full code control, and automated deployment on high-performance infrastructure.",[479,25313],{},[187,25315,25317],{"id":25316},"prerequisites-what-you-need","Prerequisites: What You Need",[56,25319,25320],{},"Don't worry, the list is short and you probably already have most of it:",[103,25322,25323,25333,25342,25350],{},[106,25324,25325,25332],{},[109,25326,25327,1605],{},[60,25328,25331],{"href":25329,"rel":25330},"https:\u002F\u002Flovable.dev\u002F",[64],"Lovable"," An AI builder that translates your ideas into code.",[106,25334,25335,25341],{},[109,25336,25337,1605],{},[60,25338,25],{"href":25339,"rel":25340},"https:\u002F\u002Fgithub.com",[64]," Your \"Single Source of Truth\" that owns your code.",[106,25343,25344,25349],{},[109,25345,25346,1605],{},[60,25347,299],{"href":5869,"rel":25348},[64]," A cloud deployment platform that connects Git repositories with cloud servers and automates deployments.",[106,25351,25352,25358,25359],{},[109,25353,25354,1605],{},[60,25355,5136],{"href":25356,"rel":25357},"https:\u002F\u002Fhetzner.cloud\u002F?ref=mitWXWhQuA0g",[64]," A German cloud hosting provider that offers powerful and cost-effective server infrastructure. If you create an account through our link, you'll receive €20 in starting credit ",[60,25360,5136],{"href":25356,"rel":25361},[64],[479,25363],{},[187,25365,25367],{"id":25366},"from-ai-design-to-live-server-in-10-minutes","From AI Design to Live Server in 10 Minutes",[56,25369,25370,25371,25374,25375,25378,25379,25382],{},"The process is divided into three logical phases that seamlessly work together: ",[109,25372,25373],{},"Create"," (with Lovable), ",[109,25376,25377],{},"Export"," (to Git), and ",[109,25380,25381],{},"Deploy"," (with lowcloud). 
This separation makes sense because each phase has its strengths: Lovable for rapid idea implementation, Git for full code control, and lowcloud for automated, sovereign hosting. This way, you combine the speed of AI tools with the freedom of open source and control over your infrastructure.",[187,25384,25297],{"id":25385},"step-1-the-idea-lovable",[56,25387,2493,25388,25391],{},[60,25389,25331],{"href":25329,"rel":25390},[64],", you can quickly turn your website idea into code. How Lovable works is simple: You open the platform and enter either a description of your idea or a URL in the chat input field. Lovable processes your input and automatically creates the corresponding code. You don't need to know a programming language or make complex settings, as the AI handles the technical implementation for you. After creation, you can see the result directly in your browser and make adjustments via chat if needed.",[56,25393,25394],{},[23855,25395],{"alt":25396,"src":25397},"Lovable AI Website Builder - Homepage with chat input and \"Build something Lovable\" headline","\u002Fimages\u002Fblog\u002Flovable.jpeg",[56,25399,25400],{},"There are two ways to create a website:",[3976,25402,25403,25419],{},[106,25404,25405,25408,25409,25412,25413],{},[109,25406,25407],{},"Generate an idea:"," You describe your website idea in natural language. Lovable can help create various types of projects: landing pages, SaaS applications, dashboards, e-commerce sites, or interactive web apps. You can describe design style, colors, layout, functionality, and even specific features. The AI generates a complete, functional project with clean code from this.",[25410,25411],"br",{},"Example prompt:",[598,25414,25417],{"className":25415,"code":25416,"language":1696,"meta":490},[1694],"Create a modern landing page for a SaaS app that automates email marketing.\nThe design should be dark with blue accent colors. 
The page should have the following sections:\n- Hero section with headline and CTA button\n- Features section with 3 main features\n- Pricing table with 3 plans\n- Customer testimonials\n- Footer with links and newsletter signup\n- The page should be responsive and use modern animations.\n",[554,25418,25416],{"__ignoreMap":490},[106,25420,25421,25424,25425,25412,25427],{},[109,25422,25423],{},"Copy existing:"," You can enter a URL of a website whose design you like. Lovable analyzes the page, extracts the design and structure, and creates a clean codebase from it. This is particularly useful if you have a specific design as inspiration or want to use an existing page as a starting point. You don't get copied code, but rather a clean, modern implementation with the same visual elements.",[25410,25426],{},[598,25428,25431],{"className":25429,"code":25430,"language":1696,"meta":490},[1694],"Copy the design from this URL:\nhttps:\u002F\u002Fexample.com\u002Flanding-page\n\nI want to:\n- Adopt the hero design\n- Keep the color palette\n- Adjust the navigation\n",[554,25432,25430],{"__ignoreMap":490},[56,25434,25435,25436,415],{},"The result isn't a \"website builder\" where you're trapped. The result is ",[109,25437,25438],{},"your own source code",[56,25440,25441],{},[23855,25442],{"alt":25443,"src":25444},"Lovable AI Website Builder - Example of a copied Apple page with live preview","\u002Fimages\u002Fblog\u002Flovable-apple-page.png",[56,25446,25447],{},"This example shows a copied Apple page. Small errors can be corrected via prompt, but the overall result is already impressive. The live preview shows the generated page in the Lovable editor. On the left, you can see AI suggestions for further improvements; on the right, the page preview. This way, you can work iteratively on the project and refine it step by step.",[187,25449,25300],{"id":25450},"step-2-the-export-github",[56,25452,25453],{},"This is the crucial step. 
Once you're satisfied with your design in Lovable, you export the project. The export process is simple. You connect your GitHub account with Lovable and choose which repository the code should be pushed to.",[56,25455,25456],{},[23855,25457],{"alt":25458,"src":25459},"Lovable GitHub Integration - Connect GitHub Dialog","\u002Fimages\u002Fblog\u002Fsync-github-1.png",[56,25461,25462],{},"In the first step, you open the GitHub dialog and click \"Connect GitHub\" to connect your account.",[56,25464,25465],{},[23855,25466],{"alt":25467,"src":25468},"Lovable GitHub Integration - Select organization and connect project","\u002Fimages\u002Fblog\u002Fsync-github-2.png",[56,25470,25471],{},"In the second step, you select your GitHub organization and connect the project. Lovable then automatically synchronizes the code in both directions.",[56,25473,25474,25475,25478],{},"Lovable automatically creates a clean project structure with all necessary files. Lovable 'pushes' all the code directly into a ",[109,25476,25477],{},"Git repository"," of your choice. The code is structured as a complete, functional project with build configuration and all source files. You can immediately clone the repository, continue developing locally, or deploy directly.",[56,25480,25481],{},"From this moment on, the code is 100% yours. It's no longer trapped in the Lovable platform. It's now a standard Next.js or React project that any developer understands and can continue working on. You have full control: You can modify the code, extend it, import it into other tools, or share it with your team. No vendor lock-in, no restrictions.",[187,25483,25303],{"id":25484},"step-3-the-deployment-lowcloud-hetzner",[56,25486,25487,25488,10916],{},"Now that your code is on GitHub, it should go live. This is where ",[60,25489,299],{"href":22541,"rel":25490},[64],[56,25492,25493],{},"lowcloud is a cloud deployment platform optimized specifically for hosting providers like Hetzner. 
The platform connects your Git repository with cloud servers and automates the entire deployment process. You don't need to manually configure servers or set up CI\u002FCD pipelines yourself, as lowcloud handles all of that for you. The platform automatically detects your framework (e.g., Next.js, React, or others), builds the application, and deploys it on a server at Hetzner. Additionally, lowcloud takes care of SSL certificates, domain management, and automatic updates.",[56,25495,25496],{},"The process is simple:",[3976,25498,25499,25505,25511],{},[106,25500,25501,25504],{},[109,25502,25503],{},"Connect Git:"," You link your GitHub account and select the repository exported from Lovable.",[106,25506,25507,25510],{},[109,25508,25509],{},"Connect Hetzner:"," You link your Hetzner account with lowcloud. lowcloud then acts on your behalf to create and manage servers (VMs).",[106,25512,25513,25516],{},[109,25514,25515],{},"Deploy:"," lowcloud deploys directly to your Hetzner account.",[56,25518,25519],{},[23855,25520],{"alt":25521,"src":25522},"lowcloud Deployment Flow - Setup Your Application with 5-step process","\u002Fimages\u002Fblog\u002Flowcloud-flow.png",[56,25524,25525],{},"lowcloud guides you through a short, structured process. In the first step, you select the repository, i.e., the GitHub repository exported from Lovable. In the second step, you configure the build configuration. lowcloud automatically detects your framework and suggests the appropriate build settings. In the third step, you select the infrastructure. Here you choose Hetzner Cloud and the server location, for example Falkenstein in Germany. In the fourth step, you establish the connection. Here, the connection between lowcloud and Hetzner is established using an API token. In the final step, you see a summary of all configurations again. With a click on \"Complete Setup\", the deployment starts. From now on, your website is deployed directly under a live URL.
You can, of course, also link your own domain with lowcloud afterward.",[479,25527],{},[187,25529,2102],{"id":2101},[56,25531,25532],{},"In just a few minutes, you've created a fully functional website that has gone from idea to going live.",[56,25534,25535],{},"With Lovable, you create in minutes what otherwise takes days or weeks, while the AI handles the technical implementation. Through the export to Git, all the code is 100% yours and you have full access at any time, can modify it, extend it, or share it with your team, without restrictions or vendor lock-in. Your website runs on German servers at Hetzner, is GDPR-compliant, and subject to European data protection regulations. No data transfer to third countries, no legal risks, no dependencies on US hyperscalers. Every Git push is automatically deployed with a click, so you never have to worry about manual server updates or deployment processes again. With Hetzner, you also have transparent pricing and full control over your server costs, without hidden fees or surprise bills.",[56,25537,25538],{},"This is the \"red thread\" for modern, efficient web development!",{"title":490,"searchDepth":491,"depth":491,"links":25540},[25541,25542,25543,25544,25545,25546],{"id":25316,"depth":499,"text":25317},{"id":25366,"depth":499,"text":25367},{"id":25385,"depth":499,"text":25297},{"id":25450,"depth":499,"text":25300},{"id":25484,"depth":499,"text":25303},{"id":2101,"depth":499,"text":2102},"2025-11-05","Learn how to create a modern website with Lovable and deploy it cost-effectively on German servers with lowcloud",{"src":25550},"\u002Fimages\u002Fblog\u002Fdeploy_lovable_app_on_lowcloud.png",{},"\u002Fen\u002Fblog\u002Fbuild-with-loveable",{"title":25283,"description":25548},"en\u002F3.blog\u002F1.build-with-loveable","yv1j1W--Wbu32ylsPY41a-DOqs7DWbI1z1ex3ZGhYu4",1776469309299]