Validation bootstrap
Product validation with pilot teams and the base YAML definition.
2025
yas_ open platform
The missing layer between Kubernetes and real project evolution.
Kubernetes orchestrates containers. Other tools describe applications. YAS lets you evolve a project's infrastructure declaratively.
It is an open-source, Kubernetes-native application platform designed to deploy and operate APIs, web applications, cron jobs, and databases across multiple isolation and compliance profiles, with a one-click GitOps-driven development experience. It provides a GitOps workflow on Kubernetes, without sacrificing control, portability, or extensibility.
From shared to network isolation and compliance, everything is controlled from a single declarative source.
Open source. Extensible. Built to grow.
project.yaml
project: acme-store
deploymentMode: network-ovn
services:
api:
source: git@github.com:acme/store-api
type: api
env: prod
web:
source: git@github.com:acme/store-web
type: static
env: prod
jobs:
nightly-sync:
type: cronjob
schedule: '0 2 * * *'
databases:
main:
engine: postgres
backups: enabled
pitr: enabled Managed services
Components with resources, high availability, and defined operations
Each service type exposes clear parameters: replicas, HA, backups, and limits. The goal is for teams to choose criticality without reinventing operations.
Web
Frontend / Static
HTTP service with edge caching and atomic deployments.
- Replicas: 2-4 (HA)
- Autoscaling by CPU / RPS
API
Backend
Business services with network policies and resource limits.
- Replicas: 2-6 (HA)
- Defined requests/limits
- Ingress mTLS / auth
Cron / Jobs
Scheduled tasks
Jobs with concurrency control and retries.
- Limited concurrency
- Retries and backoff
- Failure alerts
DB
Managed PostgreSQL
Managed cluster with backups and replication.
- HA: 3 replicas (1 primary + 2 standby)
- Daily backups + PITR
Deployment modes
Four deployment modes: cost, isolation, and security as project properties
YAS standardizes how projects run without forcing a single model. Isolation level is a single choice, not a re-architecture.
Shared Runtime
Multiple projects share cluster base services. Ideal for dev/staging at low cost.
- No dedicated namespace (convention or shared namespace)
- Basic RBAC and limits
- Fast provisioning and deploys
CI/CD shared
CI/CD
Tekton
Projects 2 namespaces
FT namespace
FT-WEB
NGINX
ft-web.example.com
FT-API
replica 1
ft-api.example.com
FT-API
replica 2
ft-api.example.com
DB · FT
CloudNativePG
db-ft.internal.example.com
EC namespace
EC-WEB
NGINX
ec-web.example.com
EC-API
single
ec-api.example.com
EC-CRONJOB
scheduled
DB · EC
CloudNativePG
db-ec.internal.example.com
Network isolation
CI/CD
Tekton
FT namespace
VPC OVN
10.10.0.0/24 · gw 10.10.0.1 FT-WEB
NGINX
ft-web.example.com
10.10.0.10
FT-API
replica 1
ft-api.example.com
10.10.0.20
FT-API
replica 2
ft-api.example.com
10.10.0.21
DB · FT
CloudNativePG
db-ft.internal.example.com
10.10.0.30
EC namespace
VPC · Clients OVN
10.20.10.0/24 · gw 10.20.10.1 EC-WEB
NGINX
ec-web.example.com
10.20.10.10
EC-API
single
ec-api.example.com
10.20.10.20
EC-CRONJOB
scheduled
10.20.10.25
DB · EC
CloudNativePG
db-ec.internal.example.com
10.20.10.30
VPC · Internal OVN
10.20.20.0/24 · gw 10.20.20.1 EC-INT-WEB
NGINX
int.ec.internal.example.com
10.20.20.10
EC-INT-API
int-api.ec.internal.example.com
10.20.20.20
DB · EC-INT
CloudNativePG
db-int.ec.internal.example.com
10.20.20.30
Compliance zone
LOGGING / AUDITS
IAM / SSO
SECRETS / KMS
CI/CD
Tekton
MONITORING
NETWORK RULES
FT namespace
VPC OVN
10.10.0.0/24 - gw 10.10.0.1 Subnet public 10.10.0.0/28
Security Group sg-ft-web
FT-WEB
NGINX
10.10.0.10
Subnet private 10.10.0.16/28
Security Group sg-ft-api
FT-API
replica 1
10.10.0.20
Security Group sg-ft-api
FT-API
replica 2
10.10.0.21
Subnet private 10.10.0.32/28
Security Group sg-ft-db
DB - FT
CloudNativePG
10.10.0.30
EC namespace
VPC - Clients OVN
10.20.10.0/24 - gw 10.20.10.1 Subnet public 10.20.10.0/28
Security Group sg-ec-web
EC-WEB
NGINX
10.20.10.10
Subnet private 10.20.10.16/28
Security Group sg-ec-api
EC-API
single
10.20.10.20
Security Group sg-ec-cron
EC-CRONJOB
scheduled
10.20.10.25
Subnet private 10.20.10.32/28
Security Group sg-ec-db
DB - EC
CloudNativePG
10.20.10.30
VPC - Internal OVN
10.20.20.0/24 - gw 10.20.20.1 Subnet public 10.20.20.0/28
Security Group sg-ec-int-web
EC-INT-WEB
10.20.20.10
Subnet private 10.20.20.16/28
Security Group sg-ec-int-api
EC-INT-API
10.20.20.20
Subnet private 10.20.20.32/28
Security Group sg-ec-int-db
DB - EC-INT
CloudNativePG
10.20.20.30
How it works
A layer on top of Kubernetes, built with cloud-native components
YAS does not replace Kubernetes: it turns it into a projects API. From a single manifest, it creates pipelines, runtime resources, databases, and infrastructure, applying the chosen isolation profile.
Builds and automation
Tekton pipelines run build, test, push, and triggers on code changes.
Reproducible pipelines - Registry integration - GitOps strategies
Declarative infra
Provision dependencies with Crossplane (DNS, buckets, queues, etc.) through a consistent API.
Multi-cloud / on-prem - Reusable compositions - Platform/app separation
Operated PostgreSQL
Managed PostgreSQL with CloudNativePG: backups and PITR built in.
Scheduled backups - PITR (WAL) - Kubernetes-native operations
GitOps-first
Designed for Argo CD/Flux: traceable changes, environment promotion, and clear rollbacks.
Git audit - Controlled promotion - Predictable rollbacks
Network isolation
Kube-OVN mode for per-project segmentation and ingress/egress control.
Default-deny - Per-service allowlists - Serious multi-tenant
Policies and security
Profiles apply limits, RBAC, and policies at each level without rewriting manifests.
Per-project profiles - PSA/OPA/Kyverno - Compliance roadmap
Roadmap
Phased deliveries focused on validation and real adoption
We prioritize early value: product validation and the Project contract first, then integrations and advanced isolation modes.
Current 2026 - Q1
API/CRD Project + status + basic modes
Stable API for Project, states, and shared/namespace modes as the operational base.
2026
Q1
Current
Tekton integration (builds), Argo CD templates
Build pipelines and GitOps templates for continuous delivery.
Kube-OVN isolation mode
Network isolation with default-deny policies and ingress/egress control.
Compliance-ready profile
Hardening, audit evidence, and controls for regulated environments.
yas_ open platform
The missing layer between Kubernetes and real project evolution.
Kubernetes orchestrates containers. Other tools describe applications. YAS lets you evolve a project's infrastructure declaratively.
It is an open-source, Kubernetes-native application platform designed to deploy and operate APIs, web applications, cron jobs, and databases across multiple isolation and compliance profiles, with a one-click GitOps-driven development experience. It provides a GitOps workflow on Kubernetes, without sacrificing control, portability, or extensibility.
From shared to network isolation and compliance, everything is controlled from a single declarative source.
Open source. Extensible. Built to grow.
project.yaml
project: acme-store
deploymentMode: network-ovn
services:
api:
source: git@github.com:acme/store-api
type: api
env: prod
web:
source: git@github.com:acme/store-web
type: static
env: prod
jobs:
nightly-sync:
type: cronjob
schedule: '0 2 * * *'
databases:
main:
engine: postgres
backups: enabled
pitr: enabled Managed services
Components with resources, high availability, and defined operations
Each service type exposes clear parameters: replicas, HA, backups, and limits. The goal is for teams to choose criticality without reinventing operations.
Web
Frontend / Static
HTTP service with edge caching and atomic deployments.
- Replicas: 2-4 (HA)
- Autoscaling by CPU / RPS
API
Backend
Business services with network policies and resource limits.
- Replicas: 2-6 (HA)
- Defined requests/limits
- Ingress mTLS / auth
Cron / Jobs
Scheduled tasks
Jobs with concurrency control and retries.
- Limited concurrency
- Retries and backoff
- Failure alerts
DB
Managed PostgreSQL
Managed cluster with backups and replication.
- HA: 3 replicas (1 primary + 2 standby)
- Daily backups + PITR
Deployment modes
Four deployment modes: cost, isolation, and security as project properties
YAS standardizes how projects run without forcing a single model. Isolation level is a single choice, not a re-architecture.
Shared
Shared Runtime
Multiple projects share cluster base services. Ideal for dev/staging at low cost.
- No dedicated namespace (convention or shared namespace)
- Basic RBAC and limits
- Fast provisioning and deploys
Namespace
Namespace Isolation
Logical isolation per project with quotas, RBAC, and policies. Balanced for multi-team environments.
- Dedicated namespace per project
- ResourceQuotas / LimitRanges
- Policy profiles (OPA/Kyverno/PSA)
Network (OVN)
Network Isolation (Kube-OVN)
Network isolation between projects with default-deny and ingress/egress control.
- Per-project network segmentation
- Default-deny NetworkPolicies + allowlists
- Fit for multi-tenant workloads with sensitive data
Compliance
Compliance-Ready (roadmap)
Profile designed for audit and certification requirements. Built for hardening and traceable evidence.
- Supply-chain (SBOM/provenance) and image control
- Audit logging and retention
- Strict policies and hardening (CIS/PSA)
How it works
A layer on top of Kubernetes, built with cloud-native components
YAS does not replace Kubernetes: it turns it into a projects API. From a single manifest, it creates pipelines, runtime resources, databases, and infrastructure, applying the chosen isolation profile.
Builds and automation
Tekton pipelines run build, test, push, and triggers on code changes.
Reproducible pipelines - Registry integration - GitOps strategies
Declarative infra
Provision dependencies with Crossplane (DNS, buckets, queues, etc.) through a consistent API.
Multi-cloud / on-prem - Reusable compositions - Platform/app separation
Operated PostgreSQL
Managed PostgreSQL with CloudNativePG: backups and PITR built in.
Scheduled backups - PITR (WAL) - Kubernetes-native operations
GitOps-first
Designed for Argo CD/Flux: traceable changes, environment promotion, and clear rollbacks.
Git audit - Controlled promotion - Predictable rollbacks
Network isolation
Kube-OVN mode for per-project segmentation and ingress/egress control.
Default-deny - Per-service allowlists - Serious multi-tenant
Policies and security
Profiles apply limits, RBAC, and policies at each level without rewriting manifests.
Per-project profiles - PSA/OPA/Kyverno - Compliance roadmap
Roadmap
Phased deliveries focused on validation and real adoption
We prioritize early value: product validation and the Project contract first, then integrations and advanced isolation modes.
Current 2026 - Q1
Validation bootstrap
Product validation with pilot teams and the base YAML definition.
API/CRD Project + status + basic modes
Stable API for Project, states, and shared/namespace modes as the operational base.
Q1
Tekton integration (builds), Argo CD templates
Build pipelines and GitOps templates for continuous delivery.
Kube-OVN isolation mode
Network isolation with default-deny policies and ingress/egress control.
Compliance-ready profile
Hardening, audit evidence, and controls for regulated environments.