Azure Kubernetes Service
Fellowmind Managed Platform for AKS — a secure, multi-tenant Kubernetes platform with networking, identity, security, and day-2 cluster operations built in.
What we deliver
Kubernetes, fully managed by Fellowmind
FMP AKS provides a secure, operable Kubernetes platform that application teams can consume immediately. We handle the cluster baseline, networking, identity, security, and multi-tenant isolation — so your developers focus on shipping applications, not managing infrastructure.
- ✓ Secure AKS baseline with Entra ID, Azure RBAC, and Microsoft Defender
- ✓ Multi-tenant namespace isolation with resource quotas and network policies
- ✓ Workload Identity (OIDC federation) — no secrets in the cluster
- ✓ Istio Gateway API for per-namespace HTTP(S) service publishing
- ✓ Platform-managed Key Vault, ACR, and backup per namespace
- ✓ Automatic upgrades with scheduled maintenance windows
- ✓ All resources deployed into your tenant via Infrastructure as Code
Why FMP for AKS
Platform engineering, not cluster administration
Running Kubernetes in production requires far more than provisioning a cluster. FMP AKS delivers the entire platform engineering baseline — networking, identity, security posture, multi-tenancy, and day-2 operations — as a managed service so your developers can focus on shipping code.
- ✓ Teams get a namespace in minutes, not weeks
- ✓ Great developer experience — deploy with familiar CI/CD, no cluster plumbing required
- ✓ Security and compliance are built in from day one
- ✓ 15 Architecture Decision Records aligned with Azure WAF
- ✓ Consistent across all tenants and environments
Innovation on a solid foundation
The platform your AI solutions need
FMP AKS is the infrastructure backbone for building and running innovative AI solutions. Products like Fellowmind Hive AI run on top of FMP AKS — benefiting from its secure multi-tenant isolation, workload identity, and managed operations without any cluster overhead. Whether you are shipping a production AI service or experimenting with new models, FMP AKS gives your teams a ready-to-use, enterprise-grade platform from day one.
- ✓ Run AI workloads with GPU node pool support and autoscaling
- ✓ Secure model serving with Workload Identity and Key Vault integration
- ✓ Isolate AI teams and services in dedicated namespaces with resource quotas
- ✓ Deploy and iterate rapidly — the platform handles security, networking, and compliance
- ✓ Proven foundation: powering Fellowmind Hive AI in production
For Developers
You shouldn't need to be a Kubernetes infrastructure expert to deploy your app. Here's what FMP AKS handles for you — so you can focus on the code that actually matters to your users.
| Without FMP AKS | With FMP AKS |
|---|---|
| Set up namespace isolation, RBAC, network policies, and resource quotas yourself — and keep them consistent across environments | Your namespace ships with RBAC, network policies, quotas, Key Vault, and Workload Identity — all provisioned consistently via IaC |
| Manage Kubernetes secrets, configure Workload Identity, wire up OIDC federation, and rotate credentials | Per-namespace Key Vault with CSI driver and a managed identity with federated credentials — no long-lived credentials in the cluster |
| Set up Istio, Gateway API CRDs, load balancers, and write Cilium network policies from scratch | Default network policies just work — create a Gateway + HTTPRoute and you're live with an auto-provisioned load balancer |
| Set up cluster monitoring, configure platform alerts, and worry about Kubernetes upgrades breaking your workloads | Container Insights and platform alerts on from day one — automatic upgrades with scheduled maintenance windows handled by the platform team |
| Manage node pools, handle Kubernetes version upgrades, patch OS images, and keep the control plane healthy | Cluster provisioning, node pool scaling, K8s upgrades (stable channel), and OS patching are all managed by the platform — you never touch the cluster |
Onboarding your cluster
From zero to production-ready Kubernetes — a structured, repeatable process.
Running FMP platform
FMP AKS requires an active Fellowmind Managed Platform Azure foundation — governance, identity, and connectivity must be in place before cluster deployment.
Cluster provisioning
We deploy a fully configured AKS cluster into your subscription — networking, identity, security, and monitoring included.
Project & namespace setup
Define your projects and namespaces. We provision Entra ID groups, RBAC bindings, resource quotas, and workload identities.
Team onboarding
Application teams receive namespace access, deployment guides, and Key Vault integration — ready to deploy from day one.
Operate & evolve
Continuous upgrades, security patching, monitoring, and platform evolution — we manage the platform while you ship applications.
Services
Platform services that keep your AKS clusters secure, compliant, and evergreen.
Features
Overview of capabilities delivered by the FMP AKS module — from cluster baseline to multi-tenant consumption model.
Cluster Baseline
Core AKS cluster configuration including upgrade strategy, networking, and security hardening — deployed consistently across all tenants.
| Feature | Description |
|---|---|
| Azure RBAC with Entra ID | Cluster authorization via Azure RBAC integrated with Microsoft Entra ID — no local Kubernetes accounts. |
| Auto-upgrade (stable channel) | AKS clusters automatically upgrade to the latest stable Kubernetes version with scheduled maintenance windows. |
| Node OS patching | Node OS images are kept current via the NodeImage upgrade channel, applied during planned maintenance windows. |
| Azure CNI Overlay with Cilium | Overlay networking with per-node-pool subnet prefixes and Cilium eBPF dataplane for high-performance network policy enforcement. |
| Microsoft Defender for Containers | Defender profile enabled on every cluster for runtime threat detection, image vulnerability scanning, and security posture management. |
| Azure Policy add-on | Azure Policy add-on enabled to enforce organisational guardrails (pod security, image registries, resource limits). |
| Container Insights | Azure Monitor / Container Insights via Log Analytics for cluster and workload observability. |
| KEDA autoscaling | KEDA enabled cluster-wide, allowing workloads to scale based on event-driven metrics (queues, custom metrics, scheduled scaling). |
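Because KEDA is enabled cluster-wide, an application team only needs a `ScaledObject` in its own namespace to use it. The manifest below is an added example written for this page, not FMP code: it scales a Deployment named `orders-api` (assumed) up to five replicas during office hours and back to one outside them, using KEDA's `cron` scaler. The namespace, deployment name, timezone and schedule are assumptions.

```yaml
# Added example, not FMP platform code. Deployment and namespace names are assumed.
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: orders-api-office-hours
  namespace: proj-orders-dev          # assumed namespace name
spec:
  scaleTargetRef:
    name: orders-api                  # assumed Deployment in the same namespace
  minReplicaCount: 1                  # floor outside the schedule window
  maxReplicaCount: 10                 # hard ceiling, also bounded by the namespace ResourceQuota
  cooldownPeriod: 300                 # seconds to wait before scaling back down
  triggers:
  - type: cron
    metadata:
      timezone: Europe/Amsterdam      # assumed; use an IANA timezone name
      start: 0 7 * * 1-5              # 07:00 on weekdays
      end: 0 19 * * 1-5               # 19:00 on weekdays
      desiredReplicas: "5"            # replicas held while inside the window
```

KEDA creates and owns the HorizontalPodAutoscaler for the target, so do not define a separate HPA for the same Deployment; the two controllers would fight over the replica count. Queue-based scalers (for example Azure Service Bus) additionally need a `TriggerAuthentication`, which on this platform would use the namespace's workload identity rather than a connection string.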
Multi-Tenant Consumption Model
Shared clusters with managed namespaces — isolating workloads through projects, resource quotas, network policies, and RBAC.
| Feature | Description |
|---|---|
| Projects and namespaces | Hierarchical project → namespace model with standardised naming conventions and lifecycle management via IaC. |
| Resource quotas | Default CPU/memory request and limit quotas enforced per namespace to prevent resource contention. |
| Network policies | Default ingress and egress network policies per namespace, enforced by Cilium to isolate workload traffic. |
| Cost attribution | Standard labels and Azure tags for ownership and cost attribution at the project and namespace level. |
| Cluster network modes | Configurable isolated or public networking modes — isolated routes all egress through a firewall; public allows direct internet access. |
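The following manifests are an added illustration of the per-namespace baseline described in this table and in the "For Developers" comparison above; they are not the platform's own IaC and the namespace name, label keys, and quota values are assumptions. They show the three pieces that have to go together: a `ResourceQuota`, a `LimitRange` so that pods without explicit requests are not rejected by the quota, and a default-deny `NetworkPolicy` with cluster DNS explicitly re-allowed.

```yaml
# Added example, not FMP platform code. Names, labels and quota values are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: proj-orders-dev               # assumed; FMP applies its own naming convention
  labels:
    project: orders                   # assumed cost-attribution labels
    environment: dev
---
# Caps the total requests and limits of everything in the namespace.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: default-quota
  namespace: proj-orders-dev
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "50"
---
# Once a quota on requests/limits exists, the API server rejects any pod that does
# not declare them. A LimitRange injects defaults so such pods still schedule.
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: proj-orders-dev
spec:
  limits:
  - type: Container
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    default:
      cpu: 500m
      memory: 512Mi
---
# Default deny in both directions; workloads opt traffic back in with their own policies.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: proj-orders-dev
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Default-deny egress also blocks name resolution, so cluster DNS is re-allowed explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: proj-orders-dev
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns           # label carried by the CoreDNS pods on AKS
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Standard `NetworkPolicy` objects are enforced by the Cilium dataplane, so teams do not need Cilium-specific CRDs for ordinary allow rules. A quick check after applying: `kubectl describe quota -n proj-orders-dev` shows current usage against the hard limits, and a pod in the namespace that tries to reach the internet without an explicit egress policy should time out rather than connect.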
Identity & Access
Platform-managed identity, RBAC groups, and workload identity — zero standing access, no long-lived secrets.
| Feature | Description |
|---|---|
| Three-tier RBAC model | Admin, Contributor, and Reader roles at both project and namespace level, mapped to Entra ID groups provisioned automatically. |
| Automatic group provisioning | Entra ID security groups for RBAC are created and maintained by the deployment pipeline — no manual group management. |
| Workload Identity (OIDC federation) | Per-namespace managed identity with federated credentials and Kubernetes service account — no secrets stored in the cluster. |
| Key Vault per namespace | Mandatory Azure Key Vault per namespace with Azure Key Vault Secrets Provider add-on and automatic secret rotation. |
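To make the Workload Identity and Key Vault rows concrete (and the matching "no long-lived credentials" row in the developer comparison), here is an added example of what an application team deploys on top of what the platform provisions. It is not FMP code; the client ID, tenant ID, vault name, secret name, namespace, and image reference are placeholders. The platform side (user-assigned managed identity, federated credential, and the Key Vault itself) is assumed to exist already.

```yaml
# Added example, not FMP platform code. All IDs and names below are placeholders.
# The ServiceAccount is the subject of the federated credential the platform creates:
#   issuer  = the cluster's OIDC issuer URL
#   subject = system:serviceaccount:proj-orders-dev:orders-api
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-api
  namespace: proj-orders-dev
  annotations:
    azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"  # placeholder
---
# Tells the Secrets Store CSI driver which vault objects to mount and which identity to use.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: orders-kv
  namespace: proj-orders-dev
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    clientID: "00000000-0000-0000-0000-000000000000"   # same client id as the ServiceAccount
    keyvaultName: "kv-orders-dev"                       # placeholder vault name
    tenantId: "11111111-1111-1111-1111-111111111111"    # placeholder tenant id
    objects: |
      array:
        - |
          objectName: db-password                       # placeholder secret name
          objectType: secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api
  namespace: proj-orders-dev
spec:
  replicas: 2
  selector:
    matchLabels:
      app: orders-api
  template:
    metadata:
      labels:
        app: orders-api
        azure.workload.identity/use: "true"   # opts the pod in to token projection
    spec:
      serviceAccountName: orders-api
      containers:
      - name: api
        image: "<acr-name>.azurecr.io/orders/api:1.0.0"   # placeholder image reference
        resources:
          requests: {cpu: 100m, memory: 128Mi}
          limits: {cpu: 500m, memory: 512Mi}
        volumeMounts:
        - name: kv-secrets
          mountPath: /mnt/secrets    # each vault object appears as a file here
          readOnly: true
      volumes:
      - name: kv-secrets
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: orders-kv
```

Nothing in these manifests contains a credential: the mutating webhook projects a short-lived service account token into the pod and sets `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_FEDERATED_TOKEN_FILE` and `AZURE_AUTHORITY_HOST`, which the Azure SDKs' default credential chain exchanges for an Entra token. Reading secrets as mounted files rather than syncing them into Kubernetes `Secret` objects keeps them out of etcd and lets the driver's rotation replace the file contents in place.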
Ingress & Service Publishing
Istio-based ingress using the Kubernetes Gateway API for secure, per-namespace HTTP(S) service publishing.
| Feature | Description |
|---|---|
| Istio Gateway API | Per-namespace Gateway and HTTPRoute resources — project teams publish services without cluster-admin privileges. |
| TLS termination | TLS certificates managed per Gateway with Kubernetes Secrets — supports both platform-provided and team-managed certificates. |
| vWAN firewall integration | Internal load balancers with DNAT rules for isolated clusters, solving asymmetric routing through the hub firewall. |
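The "create a Gateway + HTTPRoute and you're live" flow from the developer comparison looks like the manifests below. They are an added example, not FMP code: the hostname, namespace, backend Service, TLS Secret name, and the internal load balancer annotation are assumptions. The annotation relies on Istio's automated gateway deployment copying Gateway annotations onto the Service it generates; on an isolated cluster the platform's DNAT rules would then front that internal address.

```yaml
# Added example, not FMP platform code. Hostname, names and annotation usage are assumed.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: orders-gw
  namespace: proj-orders-dev
  annotations:
    # Assumption: copied by Istio onto the generated Service so AKS provisions an internal LB.
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  gatewayClassName: istio               # class provided by the AKS Istio add-on
  listeners:
  - name: http                          # plain HTTP only exists to redirect to HTTPS
    port: 80
    protocol: HTTP
    hostname: orders.dev.example.com    # placeholder hostname
    allowedRoutes:
      namespaces:
        from: Same                      # only routes from this namespace may attach
  - name: https
    port: 443
    protocol: HTTPS
    hostname: orders.dev.example.com
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: orders-tls                # kubernetes.io/tls Secret in the same namespace
    allowedRoutes:
      namespaces:
        from: Same
---
# Bound to the http listener only: every request becomes a 301 to https.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: orders-https-redirect
  namespace: proj-orders-dev
spec:
  parentRefs:
  - name: orders-gw
    sectionName: http
  hostnames: ["orders.dev.example.com"]
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 301
---
# Bound to the https listener: /api is forwarded to the orders-api Service.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: orders-api
  namespace: proj-orders-dev
spec:
  parentRefs:
  - name: orders-gw
    sectionName: https
  hostnames: ["orders.dev.example.com"]
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /api
    backendRefs:
    - name: orders-api                  # assumed ClusterIP Service in this namespace
      port: 8080
```

`allowedRoutes.namespaces.from: Same` is what keeps one team's Gateway from being hijacked by a route in another namespace, and `kubectl get gateway -n proj-orders-dev` reports the provisioned address once the load balancer exists. One caveat when the namespace carries a default-deny ingress policy: the backend pods still need a `NetworkPolicy` that admits traffic from the gateway pods, otherwise the route attaches but requests are dropped at the dataplane.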
Platform-Managed Azure Resources
Azure resources provisioned and governed by the platform — separation of duties between platform and workload teams.
| Feature | Description |
|---|---|
| Azure Key Vault integration | Per-namespace Key Vault with CSI Secret Store driver, private endpoints (when applicable), and automatic credential injection. |
| Azure Container Registry | Shared ACR for container images and Helm charts, integrated with the cluster for pull access. |
| AKS Backup | Platform-managed backup policies with configurable tiers (operational and vault), failure notifications, and documented restore procedures. |
| Separation of duties | Clear persona-based access model: platform deployment identity, workload identity, CI/CD delivery identity, and human operators. |
Architecture & Reliability
All architectural decisions are documented as ADRs (Architecture Decision Records) with traceability to the Azure Well-Architected Framework (WAF) across reliability, security, cost, operations, and performance.
| Feature | Description |
|---|---|
| Node pool topology | Dedicated system and user node pools with optional availability zone support for high availability. |
| API Server VNet integration | Optional private API server access via VNet integration — no public endpoint exposure for sensitive environments. |
| Managed maintenance windows | Scheduled maintenance windows for control plane and node upgrades to minimise disruption. |
| 15 documented ADRs | Architecture Decision Records covering upgrade strategy, networking, security, cost controls, autoscaling, and operational patterns. |
Responsibilities
Clear separation of duties between the FMP platform team and application teams.
| Area | FMP Platform Team | Application Team |
|---|---|---|
| Cluster provisioning | Deploys AKS cluster, node pools, networking, and add-ons via IaC | — |
| Kubernetes upgrades | Auto-upgrade (stable channel) with scheduled maintenance windows | Test application compatibility before upgrade windows |
| Node OS patching | NodeImage upgrade channel applied during maintenance windows | — |
| Namespace provisioning | Creates namespaces, quotas, network policies, and RBAC bindings | Requests namespaces via service request |
| RBAC & Entra ID groups | Provisions and maintains Entra ID groups and Azure RBAC assignments | Requests group membership changes |
| Workload Identity | Creates managed identity, federated credential, and K8s service account per namespace | Requests role assignments to their workload identity for Azure resources |
| Key Vault | Provisions per-namespace Key Vault with CSI driver integration | Manages secrets and references within their Key Vault |
| Network policies | Deploys default ingress/egress policies per namespace | Applies additional policies within their namespace as needed |
| Ingress (Istio Gateway API) | Deploys Istio add-on, manages Gateway API CRDs and load balancers | Creates Gateway and HTTPRoute resources in their namespace |
| Monitoring | Container Insights, platform alerts, node health monitoring | Application-level logging and custom metrics |
| Security posture | Defender for Containers, Azure Policy, image scanning | Remediates application-level security findings |
| Backup | Configures AKS Backup policies and restore infrastructure | Verifies backups; documents project data for restore requests |
| Application deployment | Provides deployment guides and CI/CD integration patterns | Builds, tests, and deploys applications into assigned namespaces |
| Resource quotas | Sets default CPU/memory quotas per namespace | Requests quota changes when workloads require more resources |
Architecture
Reference architecture for the FMP-managed AKS platform showing cluster topology, networking, identity, and platform-managed Azure resources.