
Kubernetes Consulting Services for US & EU Engineering Teams

Senior platform engineers who run EKS, GKE, AKS, and bare-metal clusters in production for a living — not a slide deck. We design cluster topology, build internal developer platforms, write the GitOps pipeline, harden clusters to the CIS Kubernetes Benchmark, cut cloud bills by 30–45% with FinOps, and stand on-call with your team through the first three releases. Dedicated platform teams from 12,000 EUR/month. Migration and upgrade sprints from 35,000 EUR fixed.

Kubernetes is not the product — the paved road your engineers walk every day is. Most teams arrive with the same three problems: a cluster that grew organically and nobody fully owns, a cloud bill that doubled when traffic only grew 30%, and a deploy process that still requires a senior engineer holding the keyboard. We fix all three. Week 1 is an architecture and FinOps audit with a written ADR. Week 2 onwards we ship: GitOps with Argo CD, Karpenter or Autopilot for compute, Cilium for network and observability, Kyverno for policy, External Secrets for credentials, and Backstage for self-service. Your engineers stop writing YAML and start shipping features.

What we deliver in a Kubernetes engagement

Cluster architecture & topology

EKS, GKE, AKS, or on-prem (kubeadm, Talos, Rancher RKE2). Multi-AZ control plane, node-group strategy, namespace tenancy model, and multi-cluster lifecycle management with Cluster API when scale demands it. Written ADRs against your SLOs.

GitOps & CI/CD pipeline

Argo CD or Flux with App-of-Apps, Helm + Kustomize per environment, signed images via Cosign and Sigstore, Renovate for upstream bumps, progressive delivery with Argo Rollouts or Flagger (canary, blue/green, traffic-shifted).

Security & policy baseline

Pod Security Standards restricted, Kyverno or OPA Gatekeeper admission, Cilium network policies default-deny, IRSA/Workload Identity, Falco runtime detection, External Secrets via Vault or AWS/GCP secret manager, CIS Benchmark v1.9 evidence pack.

FinOps & cost optimisation

Kubecost or OpenCost for chargeback, Karpenter or Autopilot for elastic compute, spot/preemptible adoption with PDBs, VPA-driven right-sizing, HPA with KEDA custom metrics. Typical first-quarter saving 30–45% on six-figure cluster bills.

Observability stack

OpenTelemetry collectors, Prometheus + Thanos or Grafana Mimir for long-term metrics, Loki or Elastic for logs, Tempo or Jaeger for traces, Grafana for dashboards, Alertmanager wired to PagerDuty/Opsgenie/Slack. SLO-driven alerts, not CPU spikes.

Internal developer platform

Backstage developer portal, Crossplane or Terraform-controller for self-service infra claims, golden-path templates per workload type, paved-road docs in Backstage TechDocs. Service onboarding drops from two weeks to one PR.

Kubernetes stack we run in production

EKS, GKE Autopilot, AKS, Talos / RKE2, Argo CD, Flux, Argo Rollouts, Flagger, Terraform, Pulumi, Crossplane, Karpenter, KEDA, Cilium, Istio, Linkerd, Kyverno, OPA Gatekeeper, Falco, Tetragon, External Secrets, HashiCorp Vault, Cosign / Sigstore, OpenTelemetry, Prometheus / Thanos, Grafana, Loki, Backstage, Kubecost / OpenCost

How a Kubernetes engagement runs

  1. Audit (week 1): cluster topology review, kube-bench and kubescape scans, Kubecost install, IaC inventory, on-call interviews. We deliver a written ADR pack with the top 10 risks and the top 10 cost wins ranked by impact.

  2. Baseline (weeks 2–4): GitOps pipeline live, Pod Security Standards restricted enforced, Kyverno policies merged, External Secrets cut over from plaintext, Karpenter or Autopilot rolled out behind a feature flag.

  3. Platform (weeks 5–12): IDP build: Backstage portal, golden-path templates, Crossplane claims for the five most-requested infra primitives, OpenTelemetry pipeline, SLO-based alerting. Co-built with your platform team, not over the wall.

  4. Handover: 90-day post-go-live support window. Weekly platform review, on-call rotation alongside your team, runbooks in Backstage TechDocs, monthly FinOps report with savings tracked against baseline.

Engagement models

Audit + ADR

Two-week fixed-scope audit. Cluster topology, security baseline, FinOps, GitOps maturity, observability gaps. Written ADR pack with prioritised remediation roadmap. From 18,000 EUR fixed.

Migration sprint

8–12 week fixed-scope sprint: lift-and-shift from VMs/ECS/App Service to EKS/GKE/AKS, or a v1.24-to-v1.31 upgrade across a fleet (stepped one minor version at a time, as the Kubernetes version-skew policy requires, with removed APIs migrated ahead of each step). Written SOW, milestone invoicing, 90-day post-cutover support. From 35,000 EUR fixed.

Dedicated platform team

2 senior platform engineers + tech lead, embedded with your team, CET workday with US East-Coast overlap. Runs the platform, builds the IDP, stands on-call. From 12,000 EUR/month per dedicated team.

Three-month minimum on retainers, month-to-month thereafter with 30 days notice. NDA, DPA, and IP assignment signed before kickoff.

Why US & EU teams pick YuSMP for Kubernetes

GDPR-aligned · ISO 27001 ready · SOC 2 Type II in progress · GDPR Schrems II + SCC + EU data residency

Operators, not architects-on-paper

Every senior on the engagement has been on-call for production Kubernetes for 5+ years — CKA/CKS certified, contributors to upstream CNCF projects, and the people who debug etcd at 3am, not the people who draw boxes on slides.

Cloud-neutral & honest

We run EKS, GKE, AKS, and on-prem in production and have no commercial preference. The ADR you get in week 1 is scored against your workload — not against whichever cloud rebated us last quarter.

Compliance-fluent

CIS Kubernetes Benchmark v1.9, SOC 2 Type II evidence packs, ISO 27001 Annex A controls, HIPAA technical safeguards, EU data residency with Schrems II and SCC clauses written into the DPA — we have shipped all of them.

For regulated workloads (fintech, healthtech, govtech) we stand up clusters with EU-only data plane, customer-managed encryption keys (KMS BYOK), and an auditable Kyverno policy bundle ready for the next ISO or SOC 2 audit.

Frequently asked questions

EKS, GKE, or AKS — which managed Kubernetes should we pick?

It is rarely about the control plane (all three are conformant and stable) and almost always about what surrounds it. Pick EKS if your data plane already lives in AWS — VPC CNI, IRSA for IAM, ALB Ingress, Karpenter for autoscaling, and EBS CSI are first-class and integrate with the rest of the AWS estate. Pick GKE if you need the most opinionated experience: Autopilot removes node management entirely, Workload Identity is the cleanest service-account-to-IAM binding on the market, and the upgrade cadence is the most aggressive. Pick AKS if you are an enterprise on Entra ID and Azure Policy — the IAM and compliance story is the smoothest. For greenfield without an existing cloud bias we usually recommend GKE Autopilot. We do the eval as week one of every engagement and write up an ADR with concrete trade-offs scored against your workload.

How do you set up GitOps and CI/CD for a new cluster?

We default to Argo CD for app delivery and Flux for cluster bootstrap, both with the App-of-Apps pattern. Cluster infrastructure (VPC, node groups, IAM, KMS keys, IRSA roles) is Terraform or Pulumi, stored in a separate repo with OPA/Conftest policy gates in CI. Application manifests live in Helm charts wrapped by Kustomize overlays per environment. Image promotion goes through a signed registry: images are signed with Cosign (Sigstore) in CI and verified at admission, and a Renovate bot opens PRs against the GitOps repo to bump the tag or digest. A PR merged to main triggers the Argo sync. Rollback is a git revert. We never let humans kubectl apply in production.
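The App-of-Apps layout described above, written out as an added example rather than the firm's own repository: a root Application that syncs a directory of child Applications, one child Application for a service, and the AppProject that bounds what those children may deploy. The repository URL, paths, project and namespace names are placeholders. The automated `prune` and `selfHeal` settings are what make "rollback is a git revert" and "no kubectl apply in production" hold in practice, since any object edited or created by hand is reverted on the next reconcile.

```yaml
# Added example of the App-of-Apps layout, not the page's own repository.
# Repo URL, paths, project and namespace names are placeholders.

# Root app: Argo CD syncs a directory of Application manifests. Onboarding a
# service is a PR that adds one file under apps/prod/.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: root
  namespace: argocd
  finalizers: [resources-finalizer.argocd.argoproj.io]   # cascade delete children
spec:
  project: platform
  source:
    repoURL: https://github.com/example-org/gitops.git   # placeholder
    targetRevision: main
    path: apps/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true       # objects removed from git are removed from the cluster
      selfHeal: true    # hand edits with kubectl are reverted on the next reconcile
---
# One child app (apps/prod/checkout-api.yaml): Kustomize overlay for this
# environment wrapping the service's Helm chart; Renovate bumps the image here.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: checkout-api
  namespace: argocd
spec:
  project: platform
  source:
    repoURL: https://github.com/example-org/gitops.git   # placeholder
    targetRevision: main
    path: services/checkout-api/overlays/prod             # placeholder path
  destination:
    server: https://kubernetes.default.svc
    namespace: shop
  syncPolicy:
    automated: { prune: true, selfHeal: true }
    syncOptions: [CreateNamespace=true]
---
# AppProject: children may only pull from the GitOps repo, deploy into the
# listed namespaces, and create no cluster-scoped object except the Namespace
# that CreateNamespace=true needs.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: platform
  namespace: argocd
spec:
  sourceRepos: [https://github.com/example-org/gitops.git]   # placeholder
  destinations:
    - { server: https://kubernetes.default.svc, namespace: argocd }
    - { server: https://kubernetes.default.svc, namespace: shop }
  clusterResourceWhitelist:
    - { group: "", kind: Namespace }
```

Rendering Helm from inside a Kustomize overlay requires the Argo CD repo server to run kustomize with `--enable-helm`, which is set in the `argocd-cm` ConfigMap; that is a deployment-time assumption of this example rather than something the page states.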

What does a Kubernetes security baseline look like in 2026?

Six controls, non-negotiable. (1) Pod Security Standards set to restricted, with Kyverno or OPA Gatekeeper enforcing the finer-grained rules the built-in admission controller does not cover. (2) Network policies default-deny for ingress and egress with Cilium or Calico, with DNS and every required flow explicitly allowed per namespace. (3) IRSA on EKS, Workload Identity on GKE, or Entra Workload ID on AKS; never long-lived static credentials in secrets. (4) Image signing via Cosign with a Kyverno verifyImages admission policy, so an unsigned or tampered image never reaches a node. (5) Runtime detection via Falco or Tetragon shipping to your SIEM. (6) Secrets via External Secrets Operator backed by AWS/GCP/Azure secret manager or HashiCorp Vault; no plaintext secrets in git, ever. We harden against CIS Kubernetes Benchmark v1.9 and provide the audit evidence pack for SOC 2 and ISO 27001.
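The same baseline, and the security bullet in the deliverables list above, as manifests. This is an added illustration, not the firm's policy bundle or code from the page: five of the six controls are shown, and runtime detection (Falco or Tetragon) is left out because it is a daemon configuration rather than a manifest. The namespace, registry, CI identity, AWS account and role, and secret-store names are placeholders. The DNS allow rule matters: a default-deny egress policy without it stops every pod in the namespace from resolving names, which is the most common way a default-deny rollout takes a service down.

```yaml
# Added example, not the page's own policy bundle. Namespace, registry, CI
# identity, AWS account/role and secret-store names are placeholders.
# (1) Pod Security Standards restricted, enforced by the built-in admission
#     controller via namespace labels; add audit/warn labels first to dry-run.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
# (2) Default-deny ingress and egress for every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Default-deny egress also blocks DNS; allow it explicitly or nothing resolves.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
---
# (3) IRSA: AWS credentials come from the projected service-account token
#     exchanged for this role; no static access keys in any Secret.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/payments-api   # placeholder
---
# (4) Kyverno verifyImages: reject any pod whose image lacks a keyless Cosign
#     signature from the expected CI identity, and rewrite tags to digests.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: cosign-keyless
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences: ["ghcr.io/example-org/*"]   # placeholder registry
          required: true
          mutateDigest: true
          attestors:
            - entries:
                - keyless:
                    issuer: https://token.actions.githubusercontent.com
                    subject: https://github.com/example-org/*   # placeholder CI identity
                    rekor:
                      url: https://rekor.sigstore.dev
---
# (6) External Secrets: the operator materialises the Secret from the secret
#     manager; only this reference is committed to git.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments
spec:
  secretStoreRef: { kind: ClusterSecretStore, name: aws-secrets-manager }   # placeholder
  target: { name: payments-db, creationPolicy: Owner }
  data:
    - secretKey: password
      remoteRef:
        key: prod/payments/db   # placeholder path in the secret manager
        property: password
```

Two checks before enforcing: run the namespace with `pod-security.kubernetes.io/audit: restricted` and the Kyverno policy in `Audit` mode for a few days and read the API server audit log and Kyverno PolicyReports, so that existing workloads that would be rejected are found before enforcement rather than at the next rollout.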

Our cluster bills are out of control — can you do FinOps?

Yes, and Kubernetes FinOps is most of where we save money on EKS and GKE clients. Standard play: install Kubecost or OpenCost for namespace-level chargeback, switch overprovisioned static node groups to Karpenter or GKE Autopilot, move stateless workloads to spot/preemptible with PodDisruptionBudgets and topology spread constraints, right-size requests and limits using Vertical Pod Autoscaler recommendations, and add HPA with custom metrics from KEDA rather than CPU-only. Typical first-quarter saving on a 100k EUR/month EKS bill is 30 to 45 percent without touching reliability targets. We share the savings model with finance in a monthly written report.
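The spot play described above, and in the FinOps bullet earlier, as an added example (not client configuration): a Karpenter NodePool that prefers spot and falls back to on-demand, a stateless Deployment that opts into that pool and is spread across zones with requests taken from VPA recommendations, the PodDisruptionBudget that bounds how much voluntary disruption (consolidation, node drain) may take at once, and a KEDA ScaledObject driven by request rate rather than CPU. The namespace, image, Prometheus address and EC2NodeClass name are placeholders.

```yaml
# Added example, not client configuration. EC2NodeClass, namespace, image and
# Prometheus address are placeholders.
# Karpenter NodePool for stateless work: spot preferred, on-demand fallback when
# spot is unavailable; tainted so only workloads that opt in land here.
apiVersion: karpenter.sh/v1
kind: NodePool
metadata:
  name: stateless
spec:
  template:
    spec:
      nodeClassRef:
        group: karpenter.k8s.aws
        kind: EC2NodeClass
        name: default            # placeholder, assumed to exist
      taints:
        - { key: workload-class, value: stateless, effect: NoSchedule }
      requirements:
        - { key: karpenter.sh/capacity-type, operator: In, values: [spot, on-demand] }
        - { key: karpenter.k8s.aws/instance-category, operator: In, values: [c, m, r] }
        - { key: kubernetes.io/arch, operator: In, values: [amd64, arm64] }
      expireAfter: 720h          # recycle nodes monthly so fresh AMIs roll in
  disruption:
    consolidationPolicy: WhenEmptyOrUnderutilized
    consolidateAfter: 1m         # bin-pack idle capacity away quickly
  limits:
    cpu: "500"                   # hard cap on what this pool may grow to
---
# Stateless Deployment: tolerates the spot pool, spreads across zones, passes
# PSS restricted, and carries requests from VPA. No replicas field: KEDA owns it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: checkout-api
  namespace: shop
spec:
  selector:
    matchLabels: { app: checkout-api }
  template:
    metadata:
      labels: { app: checkout-api }
    spec:
      tolerations:
        - { key: workload-class, operator: Equal, value: stateless, effect: NoSchedule }
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels: { app: checkout-api }
      containers:
        - name: api
          image: ghcr.io/example-org/checkout-api:1.4.2   # placeholder
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            seccompProfile: { type: RuntimeDefault }
            capabilities: { drop: [ALL] }
          resources:
            requests: { cpu: 250m, memory: 256Mi }   # taken from VPA recommendation
            limits: { memory: 256Mi }                # memory capped, CPU left burstable
---
# PDB: consolidation or a node drain may never take the service below two
# ready replicas at a time.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: checkout-api
  namespace: shop
spec:
  minAvailable: 2
  selector:
    matchLabels: { app: checkout-api }
---
# KEDA: scale on request rate from Prometheus, not on CPU.
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: checkout-api
  namespace: shop
spec:
  scaleTargetRef:
    name: checkout-api
  minReplicaCount: 3             # floor above the PDB so a drain can proceed
  maxReplicaCount: 30
  triggers:
    - type: prometheus
      metadata:
        serverAddress: http://prometheus.monitoring.svc:9090   # placeholder
        query: 'sum(rate(http_requests_total{app="checkout-api"}[2m]))'
        threshold: "100"         # target requests/s per replica
```

Two caveats the manifests encode: the PDB floor (2) must sit below the autoscaler minimum (3), or a drain can block forever once the service is at minimum; and a spot reclaim gives roughly two minutes of notice, so the zone spread is what keeps the service up when one zone's spot capacity disappears at once.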

Can you build us an internal developer platform on top of Kubernetes?

Yes — this is most engagements that go past six months. A typical IDP stack: Backstage for the developer portal, Crossplane or Terraform-controller for self-service infrastructure claims, Argo CD for delivery, Argo Workflows for batch and ML, Tekton or GitHub Actions runners for CI, Istio or Linkerd for service mesh, Cilium Hubble for observability, OpenTelemetry collectors shipping to your APM. We do not invent abstractions — we glue best-of-breed CNCF projects into a paved road and document it in Backstage. Onboarding a new service drops from two weeks of YAML to a Backstage template + one PR.

What does pricing look like for a Kubernetes consulting engagement?

Two engagement shapes. Dedicated platform team (2 senior SRE/platform engineers + tech lead) from 12,000 EUR/month per dedicated team, three-month minimum then month-to-month with 30 days notice. Fixed-scope migration sprint (lift-and-shift from VMs/ECS/App Service to EKS/GKE/AKS, or v1.24-to-v1.31 upgrade across a fleet) from 35,000 EUR fixed for an 8-week engagement with a written SOW, milestone-based invoicing, and a 90-day post-cutover support window included. We do not bill for travel inside EU, and US on-site is billed at cost with no markup.

Need senior Kubernetes operators on-call next week, not next quarter?

Book a discovery call