Cozystack
Turn bare metal servers into a fully managed cloud platform with a single Kubernetes-native REST API.
Cozystack is a free, open-source Platform-as-a-Service framework and CNCF Sandbox project that transforms bare metal servers into a fully functional private or public cloud. Built on Kubernetes, it provides a unified REST API for provisioning managed Kubernetes clusters, virtual machines, databases, object storage, load balancers, and HTTP caching services — all from a single control plane.
At its core, Cozystack acts as a cloud orchestrator: operators define infrastructure through YAML manifests, and the platform’s custom API server translates those high-level PaaS resource types into underlying FluxCD HelmReleases. KubeVirt handles VM lifecycle, Talos Linux provides immutable bare-metal OS images via PXE or ISO boot, Cilium and KubeOVN manage networking, and Linstor with SeaweedFS deliver block and object storage.
Cozystack ships with a comprehensive managed application catalog — PostgreSQL, MariaDB, ClickHouse, MongoDB, Redis, Kafka, RabbitMQ, FoundationDB, and more — each with automated backups, Grafana dashboards, and alerting out of the box. A built-in web dashboard makes deployment accessible without requiring deep CLI expertise, while the REST API enables programmatic provisioning for hosting providers building public cloud offerings.
The project targets infrastructure teams, hosting providers, and enterprises seeking to escape vendor lock-in by building production-grade cloud infrastructure on standard, community-maintained open-source components.
What You Get
- Managed Kubernetes-as-a-Service - Provision isolated tenant Kubernetes clusters (versions 1.30–1.35) with worker nodes running as KubeVirt VMs, each with its own kubeconfig, load balancer support, and persistent volume provisioning.
- Virtual Machine Management - Deploy and manage Linux VMs via KubeVirt using the same Kubernetes API, with configurable instance types, storage classes, VPC networking, and VPN access per tenant.
- Databases-as-a-Service - Spin up production-ready PostgreSQL, MariaDB, ClickHouse, MongoDB, Redis, Kafka, RabbitMQ, FoundationDB, and Qdrant instances with automated backups, Grafana dashboards, and alerting rules pre-configured.
- Object Storage with SeaweedFS - Deploy tiered S3-compatible object storage pools with per-user access credentials, WORM/locking support, and multi-zone topology for data placement across SSD, HDD, and NVMe tiers.
- FluxCD GitOps Package Delivery - All platform components and managed applications are Helm charts delivered and reconciled by FluxCD, enabling GitOps-based upgrades, rollbacks, and variant management (Talos, generic Kubernetes, hosted).
- Multi-Tenant Isolation with Tenant Namespaces - Efficient control plane resource allocation across isolated tenant environments, each with its own secrets, network policies, load balancer IPs, and module configuration.
- Declarative Backup Framework - Application-aware backup CRDs (BackupJob, Plan, BackupClass) with pluggable per-database strategies — CNPG, Altinity, etcd, FoundationDB, Velero — using Restic encryption and S3 artifact storage.
- Web Dashboard for App Deployment - A visual interface for deploying and managing all catalog applications, with StorageClass dropdowns, BackupClass selectors, and secret viewing, reducing dependence on kubectl.
- Bare Metal Bootstrapping via Talos - PXE and ISO-based provisioning of immutable Talos Linux nodes using talos-bootstrap, eliminating OS configuration drift and enabling reproducible cluster builds.
- Built-in Monitoring and Alerting - Pre-configured Grafana dashboards and Prometheus alert rules deployed automatically per service instance, with tenant-level and cluster-level monitoring aggregation.
Common Use Cases
- Building a public cloud offering - A hosting provider deploys Cozystack on their bare metal fleet to offer managed Kubernetes clusters, VMs, and databases to customers via the REST API, with tenant isolation and per-namespace billing hooks.
- Private cloud for enterprise teams - An enterprise IT department replaces expensive cloud subscriptions with Cozystack on owned hardware, giving product teams self-service access to Kubernetes environments and managed databases without cloud vendor dependency.
- Kubernetes distribution for bare metal - A DevOps team uses Cozystack as a standardized bare metal Kubernetes distribution across multiple data centers, leveraging Talos for immutable nodes and FluxCD for consistent cluster configuration.
- Cost-effective development environments - A startup provisions isolated Kubernetes clusters and PostgreSQL instances per developer or feature branch using the Cozystack dashboard, dramatically reducing cloud spending during development and testing cycles.
- Edge computing infrastructure - A manufacturing company runs Cozystack on localized server racks at factory sites, deploying latency-sensitive workloads as VMs or Kubernetes pods without relying on WAN-connected public cloud services.
Under The Hood
Architecture Cozystack implements a layered Kubernetes-native architecture where a custom API server — built on the standard k8s.io/apiserver library — serves as the PaaS abstraction boundary. The server translates high-level resource types (Applications, TenantModules, TenantNamespaces, TenantSecrets) into underlying FluxCD HelmRelease objects, decoupling the user-facing API contract from the GitOps delivery mechanism. The operator subsystem in internal/operator reconciles Package and PackageSource resources, injecting cluster-wide cozystack-values secrets and assembling HelmRelease specs with environment-specific overrides. A separate controller layer handles ApplicationDefinition lifecycle with debounce logic to prevent reconciliation storms. The backup subsystem stands as an independent domain with its own CRD group (backups.cozystack.io) and dedicated per-strategy controllers for each supported database engine, enabling application-aware lifecycle management without cross-domain coupling.
Tech Stack The control plane is written in Go 1.26 using controller-runtime and kubebuilder patterns for all operator and controller components. FluxCD’s Helm Controller serves as the GitOps delivery engine, managing extensive Helm chart packages for both system components and managed applications. The infrastructure layer combines KubeVirt for virtual machine management, Talos Linux for immutable bare-metal OS provisioning, Cilium and KubeOVN for CNI networking, Linstor for block storage, and SeaweedFS for S3-compatible object storage. Kamaji provides lightweight managed Kubernetes control planes. The backup framework integrates Velero and Restic for application-agnostic snapshot strategies. The cozypkg CLI is a multi-platform Cobra-based binary for package management. Ginkgo and Gomega handle integration and unit testing across Go and Helm unittest for chart validation.
Code Quality The codebase demonstrates comprehensive testing discipline with extensive test files covering operator reconcilers, backup controllers, template utilities, and CRD installation logic. Each backup strategy controller (CNPG, Altinity, etcd, FoundationDB, MariaDB, Velero, job-based) has dedicated unit tests, reflecting a strong culture of per-component test coverage. Error handling follows Kubernetes idioms — typed client errors, explicit status condition updates, and structured logging via zap. The OpenSSF Best Practices badge indicates adherence to community security and quality standards. Consistent naming conventions align with Kubernetes and Helm community standards throughout the monorepo, and code generation pipelines (zz_generated.deepcopy.go, CRD generation) ensure schema consistency.
What Makes It Unique Cozystack’s most distinctive technical contribution is its declarative, multi-strategy backup framework embedded directly into the platform as first-class CRDs. Rather than delegating backup concerns to external tools, BackupStrategy, BackupClass, BackupJob, Plan, and RestoreJob resources form a complete, operator-driven backup lifecycle with pluggable drivers per database engine. A second standout design is the custom Kubernetes API extension server that exposes a coherent PaaS API surface while remaining agnostic to the underlying delivery mechanism — operators interact with familiar kubectl-compatible APIs while the system transparently manages FluxCD HelmReleases beneath. The combination of Talos-based immutable bare-metal bootstrapping, KubeVirt VM management, and Kamaji-powered tenant Kubernetes control planes into a single cohesive PaaS framework is also uncommon in the open-source ecosystem.
Self-Hosting
Cozystack is licensed under the Apache License 2.0, one of the most permissive open-source licenses available. This means you can use it freely for any purpose — including commercial deployments and public cloud offerings — modify the source code, and redistribute it without any copyleft obligations. There are no open-core or license-gated features: the full platform, including all managed application packages and operator components, is available under the same terms. Commercial support is available from third-party vendors listed on the official website, but this is entirely optional.
Running Cozystack yourself demands real infrastructure commitment. The platform is designed for bare metal deployments using Talos Linux, requiring servers with IPMI or network boot capability for initial provisioning. You are responsible for all operational concerns: hardware procurement and maintenance, network configuration (BGP for MetalLB, KubeOVN overlay setup), storage backend management (Linstor DRBD replication, SeaweedFS volume pools), certificate rotation, and cluster upgrades. Upgrades follow a structured migration path (v0.41 → v1.0 required a specific migration script), and breaking changes do occur between minor releases. The platform has active development with multiple releases per month, which means staying current requires attention to changelogs and migration guides.
Compared to managed alternatives such as AWS EKS, Google GKE, or DigitalOcean Kubernetes, self-hosting Cozystack means you own all operational responsibility — no managed SLAs, no automated cloud backups of the control plane, and no 24/7 vendor support unless purchased separately. What you gain is complete control over your infrastructure, no per-resource usage fees, and the ability to offer cloud services to your own customers at hardware-cost economics. For teams with strong Kubernetes operational experience and bare metal access, Cozystack delivers genuine private cloud capabilities that would otherwise require expensive commercial platforms.
Related Apps
Netdata
Monitoring · Devops
Real-time per-second metrics, ML-powered anomaly detection, and zero-config observability for any infrastructure.
Netdata
GPL 3.0Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0Docker (Moby)
Devops · Developer Tools
The open-source container engine at the heart of Docker — a modular toolkit of runtime, build, and networking components for assembling container-based systems.