Building a cloud native platform from the ground up with Kairos, k0rdent, and bindy

A pioneering financial institution's cloud native transformation gains momentum as RBC Capital Markets leverages Kairos, k0rdent, and bindy to build a scalable, Kubernetes-based platform from the ground up, augmenting its existing FluxCD deployment foundation with a robust, GitOps-driven infrastructure management system. By integrating these tools, the institution aims to streamline its cloud operations and improve application delivery. The result is a highly automated, cloud-agnostic platform.

RBC Capital Markets has built a cloud-native platform that manages over 50 Kubernetes clusters across on-premises VMware and multiple clouds using three open-source projects: Kairos, k0rdent, and bindy. The platform is designed to meet the compliance requirements of a regulated financial institution while eliminating manual operations at the node, cluster, and DNS layers.

The problem: Three gaps in a growing platform

RBC Capital Markets had already adopted FluxCD for GitOps-based deployment. But as the fleet grew past 50 clusters, three operational gaps became critical:

  • Node configuration drift: VM-based nodes patched and mutated over time became impossible to reason about.
  • Cluster provisioning: Spinning up new clusters for trading desks or risk teams was a multi-day manual exercise with no single source of truth.
  • DNS integration: Every new service or ingress endpoint required a manual ticket to the network team, creating a bottleneck and an audit trail outside the GitOps workflow.

The team decided to solve each gap from the ground up, using cloud-native projects where they existed and building their own where they did not.

Kairos: Immutable OS for reproducible nodes

Kairos, a CNCF Sandbox project, provides a Linux distribution designed to be immutable, declaratively configured, and reproducible. Every node in the fleet boots from an OCI image built from a RHEL-derived base, baked with approved security configuration, and published to an internal registry.

The cloud-config model defines node behavior — SSH keys, network configuration, SSSD authentication against Active Directory, Kubernetes agent registration — as versioned YAML that flows through FluxCD like any other platform component.

A CI/CD pipeline treats Kairos images exactly like application container images: every change triggers a GitHub Actions pipeline that builds the image, runs integration tests against a live VM, and publishes a new OCI tag only on a clean pass. Nightly builds catch upstream regressions in base packages or the Kairos framework itself before they reach production.

For VM provisioning, the team uses VirtRigaud, a Kubernetes operator that provides declarative VM management across multiple hypervisors (vSphere, Libvirt/KVM, and Proxmox) through a unified CRD API. Kairos-built OCI images are registered as VMImage CRDs, and VMs are expressed as VirtualMachine CRDs referencing that image. FluxCD reconciles these manifests like any other platform resource. Provisioning a new Kairos node on vSphere is a pull request, reviewed, merged, and reconciled automatically.

k0rdent: Cluster lifecycle management as code

k0rdent, built on Cluster API (CAPI), provides a Kubernetes-native control plane for managing Kubernetes clusters. Combined with k0smotron for in-cluster control planes, the entire cluster topology is expressed declaratively, and FluxCD reconciles that state continuously.

The team chose k0s, a CNCF Sandbox project, as the Kubernetes distribution for workload clusters. k0s is a fully self-contained, single-binary distribution with no host OS dependencies beyond the kernel. That property matters when nodes run an immutable OS: k0s installs cleanly into a Kairos image without requiring package managers or systemd unit file manipulation at runtime.

The architecture uses a hub-and-spoke model:

  • A management cluster runs k0rdent, k0smotron, and the CAPI controllers.
  • Workload clusters run k0s, provisioned and decommissioned through CRD manifests stored in Git.
  • MetalLB handles load balancing on bare-metal segments; Traefik provides ingress with consistent configuration across all spoke clusters.

Day-two operations are transformed: cluster upgrades are a pull request, cluster templates standardize configurations for common use cases (trading desk, risk compute, tooling), and compliance posture is consistent by default because every cluster is expressed as code.

bindy: Kubernetes-native DNS operations

DNS was the gap where no existing project fully covered the requirements. At RBC Capital Markets, DNS infrastructure runs on Infoblox, an enterprise DDI platform. Previously, every DNS record request went through a ticketing workflow routed to the network team, processed on a timescale of hours or days.

bindy, built by Erick Bourgeois, is a Kubernetes operator written in Rust using kube-rs that manages DNS zones and records as first-class Kubernetes resources. The core design philosophy: make DNS a GitOps citizen with the same reconciliation guarantees applied to everything else on the platform.

Key design elements:

  • Zones and records are CRDs. A DNSZone or ARecord manifest in Git is the source of truth, reconciled continuously by bindy's controllers.
  • RFC 2136 dynamic updates allow bindy to push record changes to the DNS backend without manual intervention or ticket queues.
  • bindcar, a sidecar REST API, provides an RNDC interface for zone lifecycle operations (creation, deletion, reload) alongside dynamic updates.
  • A multi-controller architecture with strict write boundaries prevents split-brain scenarios.

The impact: DNS records for new services are created automatically as part of the same GitOps workflow that deploys the service itself. Provisioning time drops from hours to seconds, and the audit trail is Git history, not a ticket system.
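As an added example (not code from bindy, bindcar, Infoblox or RBC's platform), the pure-Python block below builds the RFC 2136 UPDATE message that such a push consists of, signs it with a TSIG key (RFC 8945, HMAC-SHA256) and verifies it the way an authoritative server does before applying the change. The zone, record name, key name and secret are constructed for the example. The defender's point it shows: RFC 2136 itself carries no authentication, so the server-side TSIG check (key identity, time window, constant-time MAC comparison) is what restricts who may write to a zone, the protocol-layer counterpart of the write boundaries described above.

```python
"""RFC 2136 DNS UPDATE: build, TSIG-sign (RFC 8945) and verify a message. Stdlib only.
Zone, record, key name and secret used with these functions are constructed for the example."""
import hashlib
import hmac
import struct
import time

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
TSIG_ALG = "hmac-sha256"  # canonical (lowercase) algorithm name


def encode_name(name):
    """Uncompressed wire form: length-prefixed labels ending with the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(buf, pos):
    """Decode a wire name; follows compression pointers but returns the position just after the first one."""
    labels, end = [], None
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            end = pos + 2 if end is None else end
            pos = struct.unpack("!H", buf[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), (pos if end is None else end)
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length


def header_counts(msg):
    """(opcode, ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT) from the 12-byte header."""
    return ((msg[2] >> 3) & 0xF,) + struct.unpack("!HHHH", msg[4:12])


def build_update(zone, name, ipv4, ttl=300, msg_id=0x1234):
    """Unsigned UPDATE adding one A record: zone section (type SOA), no prerequisites, one update RR."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr


def _tsig_variables(keyname, time_signed, fudge):
    """TSIG fields covered by the MAC: key name, class ANY, TTL 0, algorithm, time, fudge, error 0, other-len 0."""
    return (encode_name(keyname.lower()) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(TSIG_ALG)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, 0, 0))


def tsig_sign(msg, keyname, secret, time_signed=None, fudge=300):
    """Client side: MAC over unsigned message + TSIG variables, append TSIG RR, bump ADCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + _tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    msg_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(TSIG_ALG) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))  # original ID, error 0, other-len 0
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    adcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", adcount) + msg[12:] + tsig_rr


def tsig_verify(signed, keyname, secret, now=None):
    """Server side: find the trailing TSIG RR, check key name, algorithm and time window, then
    recompute the MAC over the message without that RR. False means: do not apply the update."""
    _, zocount, prcount, upcount, adcount = header_counts(signed)
    if adcount == 0:
        return False  # unsigned update: reject
    pos = 12
    for _ in range(zocount):
        pos = read_name(signed, pos)[1] + 4  # name + type + class
    tsig_start = pos
    for _ in range(prcount + upcount + adcount):  # walk every RR; the last one is the TSIG
        tsig_start = pos
        pos = read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    owner, p = read_name(signed, tsig_start)
    rtype = struct.unpack("!H", signed[p:p + 2])[0]
    alg, p = read_name(signed, p + 10)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    if rtype != TYPE_TSIG or owner.lower() != keyname.rstrip(".").lower() or alg.lower() != TSIG_ALG:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False  # replayed or stale
    unsigned = signed[:10] + struct.pack("!H", adcount - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + _tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)
```

A client would send the output of `tsig_sign` to the authoritative server over TCP port 53; on a GitOps platform the key secret belongs in a Kubernetes Secret that only the DNS controller's service account can read, so that the server's `tsig_verify`-style check and the cluster's RBAC together define who can write which zone.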

How the three fit together

The stack is coherent because each layer builds on the same foundational principle: everything is code, reconciled continuously, with no manual state.

  • Git is the source of truth.
  • FluxCD is the reconciliation engine.
  • Kairos ensures every node boots from a known, auditable image.
  • k0rdent ensures every cluster is expressed and managed declaratively.
  • bindy ensures every DNS record is a versioned artifact.

Drift — at the node, cluster, or network level — is structurally prevented rather than operationally managed.

Challenges and lessons learned

  • Immutable OS adoption requires patience with enterprise integration. SSSD, NetworkManager, and corporate CA trust chains all need explicit attention when baking immutable images.
  • CRD-based cluster management shifts responsibility left. When cluster provisioning is a pull request, platform teams need to invest in review processes and template governance up front.
  • Building operators in Rust is the right long-term call, though the ecosystem is still maturing. kube-rs is excellent, but patterns for multi-controller architectures with reflector/store caching require deliberate design decisions.

Looking ahead

The platform continues to evolve. Active development areas include SPIRE/SPIFFE integration for workload identity across all 50+ clusters, an internal self-service API layer called Foundry built in Rust, and Kairos-based spot computing using k0smotron and Kata Containers to absorb donated physical server capacity dynamically.

Bottom line

RBC Capital Markets has demonstrated that a regulated financial institution can build a fully GitOps-native Kubernetes platform using open-source projects. The combination of Kairos for immutable nodes, k0rdent for declarative cluster lifecycle, and bindy for DNS-as-code eliminates manual operations and provides the audit trail that compliance requires. The key insight: treat every layer — OS, cluster, DNS — as code reconciled through a single GitOps pipeline.
