For teams running 3+ Kubernetes clusters

You don't run three clusters.
Three clusters run you.

Upgrades, policies, on-call, drift — every cluster multiplies the burden. With 5 clusters, you're already burning 45% of platform capacity on duplication, not product.

4.4 engineers on duplication, not product: $506K/year (avg $115K fully loaded · Spot by NetApp, CNCF 2025)

Sound familiar?
  • Debugging why it works in AWS but fails in Azure
  • Friday afternoon reconciling config drift
  • 3 GitOps pipelines doing the same job
  • Paged at 2 AM for cross-cluster networking

Engineer-to-engineer. No slides.

The hidden cost

Where your Kubernetes budget actually goes

Your cloud bill shows compute and networking. The real cost lives in the engineering time everyone accepts as status quo.

What's on your cloud bill
  • Compute instances
  • Storage volumes
  • Network transfer
  • Load balancers
  • Managed services & add-ons

"Config drift between our 5 clusters is the #1 cause of outages. Every damn sprint we fix something that broke because of drift."

r/kubernetes · 200+ upvotes

The fix

One cluster. All your clouds.
One engineering cost.

Same team. Same clouds. Different math.

| Metric | Today (5 clusters) | With emma (1 cluster) |
|---|---|---|
| Upgrades, policies, RBAC, on-call, GitOps | all × 5 | all × 1 |
| FTEs on cluster ops | 4.4 | ~1 |
| FTEs for product work | 3.6 | ~7 |

[Architecture diagram: You (kubectl · Helm · ArgoCD · Terraform) → kubeconfig → Managed by emma: Control Plane (etcd · API Server · Scheduler · Cilium CNI · Upgrades · Monitoring) → Network Fabric (BGP/VXLAN · Cisco Catalyst 8000v) → node pools in AWS, GCP, Azure, +7 providers. Multi-Cloud Autoscaling with spot/preemptible fallback across clouds.]

Managed by emma: control plane, networking, upgrades, monitoring — subscription. Costs less than one engineer.

Technical Deep Dive — For Your Engineers
Architecture your platform team needs to validate. Read inline or download as PDF.
Kubernetes

Upstream 1.29+. No fork. Standard API server, scheduler, etcd. Your existing manifests, Helm charts, and operators work unchanged.

kubectl get nodes → nodes across AWS, GCP, Azure

Networking

Cilium CNI (eBPF) on top of emma's multi-cloud fabric (BGP/VXLAN, Cisco Catalyst 8000v). One network policy layer across all clouds. No VPN stitching.

kubectl get cnp → same policies, all clouds

Storage

Unified emma CSI driver across all clouds. Abstracts EBS, PD, Managed Disks behind one interface. Data stays in-region. No cross-cloud replication unless you configure it.

kubectl get sc → emma-storage (works across AWS, GCP, Azure)

Control Plane

Hosted in Luxembourg (EU). emma manages etcd, API server, scheduler, monitoring. You get kubeconfig with full RBAC. Control plane outage ≠ workload outage.

Hosted in Luxembourg · dedicated per tenant

IaC / Terraform

Official Terraform provider on registry. Cluster and node groups as HCL. CI/CD friendly. emma operates what Terraform creates.

resource "emma_kubernetes" "prod" { ... }

Node Pools

Per-provider node pools in the same cluster. Isolated failure domains. Move workloads between providers with node affinity, not re-architecture.

nodeSelector:
  topology.emma.ms/cloud: aws

# One cluster. Three clouds. Standard Terraform.
resource "emma_kubernetes" "production" {
  name = "prod-multi-cloud"

  worker_nodes = [
    { name = "aws-pool",   data_center = "eu-west-1",    vcpu = 4, ram_gb = 16 },
    { name = "gcp-pool",   data_center = "europe-west1", vcpu = 4, ram_gb = 16 },
    { name = "azure-pool", data_center = "westeurope",   vcpu = 4, ram_gb = 16 },
  ]
}

# terraform apply → 1 cluster, 3 clouds, 3 node pools
# Networking handled by emma. No VPN, no peering.

Hard questions your engineers will ask
Latency? Follows cloud-region topology. No forced traffic routing through a central control plane. Cross-cloud latency = typical inter-region latency.
Networking details? Cilium on eBPF. BGP/VXLAN, Cisco Catalyst 8000v. Direct inter-cloud connectivity. No VPN stitching, no provider peering dependencies.
Blast radius? Node pools isolated per cloud provider. Failure in AWS doesn't cascade to GCP or Azure. Control plane outage doesn't affect running workloads.
Debugging? Standard kubectl exec, logs, port-forward. Works identically regardless of which cloud the pod runs on. Prometheus, Grafana, PagerDuty — same endpoints.
K8s version? 1.29+. Upstream. No fork. If it works on EKS/GKE/AKS, it works on emma.
Migration? Namespace-level. kubectl apply your manifests. Keep old clusters live while validating. Typical PoC: 2–4 weeks.
When NOT a fit? Regulations requiring separate control planes per environment, or sub-5ms inter-node latency requirements. We'll tell you honestly on the first call.

Migration

What changes for your team

The #1 concern: "What do my people need to change?" Here's the honest answer.

✓ What stays the same
  • kubectl, Helm, ArgoCD — same CLI, same charts, same workflows
  • CI/CD pipelines — change one cluster endpoint, everything else stays
  • Namespaces & RBAC — your isolation model carries over
  • Monitoring — Prometheus, Grafana, PagerDuty — same endpoints
  • Manifests — deploy as-is, no refactoring
↻ What changes
  • Cluster endpoint — one kubeconfig instead of N
  • Infra abstraction — emma manages control plane, you manage workloads
  • On-call scope — one cluster to monitor, not five
That's it. Three changes. Everything else stays.

Proof

From 7 clusters to 1.
3.2 FTEs reclaimed.

Series B Fintech · 45 engineers
AWS + Azure · DORA-regulated · EU-based
7 clusters before · 1 cluster after · 3.2 FTEs reclaimed

Where the time came back: upgrade choreography across 7 clusters → 1 upgrade path (1.1 FTE). Cross-cloud policy sync and drift fixes → single policy set (0.9 FTE). Duplicate monitoring and on-call per cluster → unified observability (1.2 FTE). Those 3.2 engineers now work on internal developer platform.
"We thought we needed 2 more hires. Turned out we needed fewer clusters." — Head of Platform · name under NDA
They're built for a world with many clusters. emma is built for a world with one.

Security & Compliance

Your data stays where you put it.

What your security team needs before they'll approve.

Control plane

Hosted in Luxembourg, EU. emma operates the control plane — you retain full RBAC and audit log access.

Data residency

Workloads and data stay in the regions you choose. No cross-border replication unless you configure it. Node pools pinned to specific cloud regions.
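
As an added example (not emma's code or tooling): in a single cluster that spans clouds, a pod with no hard placement constraint can be scheduled onto any node pool it tolerates, so residency depends on every pod in a regulated namespace being pinned. This check reads pod specs in the shape of `kubectl get pods -A -o json` and uses the `topology.emma.ms/cloud` label from the Node Pools section. The namespace names, the `gcp` label value and the per-namespace allowlist are assumptions.

```python
CLOUD_LABEL = "topology.emma.ms/cloud"  # node label shown in the Node Pools section
REQUIRED = "requiredDuringSchedulingIgnoredDuringExecution"

def pinned_clouds(pod_spec):
    """Return the clouds a pod is hard-pinned to, or None if it can land anywhere."""
    selected = (pod_spec.get("nodeSelector") or {}).get(CLOUD_LABEL)
    if selected:
        return {selected}
    affinity = (pod_spec.get("affinity") or {}).get("nodeAffinity") or {}
    clouds = set()
    for term in (affinity.get(REQUIRED) or {}).get("nodeSelectorTerms") or []:
        # Expressions in a term are ANDed, terms are ORed: every term must pin the cloud.
        allowed = [set(e.get("values") or []) for e in term.get("matchExpressions") or []
                   if e.get("key") == CLOUD_LABEL and e.get("operator") == "In"]
        if not allowed:
            return None
        clouds |= set.intersection(*allowed)
    return clouds or None

def residency_violations(pod_list, allowed_by_namespace):
    """List (namespace, pod, reason) for pods that may run outside the allowed clouds."""
    findings = []
    for item in pod_list["items"]:
        ns, name = item["metadata"]["namespace"], item["metadata"]["name"]
        allowed = allowed_by_namespace.get(ns)
        if allowed is None:
            continue  # namespace carries no residency constraint
        clouds = pinned_clouds(item["spec"])
        if clouds is None:
            findings.append((ns, name, "not pinned to a cloud"))
        elif not clouds <= allowed:
            findings.append((ns, name, "may run on " + ", ".join(sorted(clouds - allowed))))
    return findings

def make_pod(ns, name, **spec):
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}

# Constructed sample in the shape of `kubectl get pods -A -o json`.
# "aws" appears on the page; "gcp" as a label value is an assumption.
SAMPLE = {"items": [
    make_pod("payments", "ledger-0", nodeSelector={CLOUD_LABEL: "aws"}),
    make_pod("payments", "report-1"),
    make_pod("payments", "cache-2", affinity={"nodeAffinity": {REQUIRED: {"nodeSelectorTerms": [
        {"matchExpressions": [{"key": CLOUD_LABEL, "operator": "In", "values": ["aws", "gcp"]}]}]}}}),
    make_pod("web", "front-3"),
]}

if __name__ == "__main__":
    print(*residency_violations(SAMPLE, {"payments": {"aws"}}), sep="\n")
```

The same rule can be enforced at admission time instead of audited afterwards; this version only reports.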

Tenant isolation

Your cluster runs across clouds — but it's yours alone. Dedicated control plane, no shared etcd, no other tenants. Network isolation via Cilium eBPF policies.

DORA-compatible · GDPR-aligned · EU jurisdiction · SOC 2 in progress

Technical controls
  • Encryption in transit — TLS 1.3 for all API and inter-node traffic
  • Encryption at rest — per-provider native (EBS encryption, GCP CMEK, Azure SSE)
  • Access model — customer-controlled RBAC. emma engineers: control plane only, no workload access without explicit grant
  • Audit logs — full Kubernetes audit log stream, exportable to your SIEM
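
One way to check the access model against the exported audit stream, as an added example that is not emma's code: it scans Kubernetes audit events (`audit.k8s.io/v1`, one JSON object per line) for operator identities touching workload objects outside provider-managed namespaces. The operator group name, treating `kube-system` as provider scope, and the sample events are assumptions; the page does not say how emma engineers are identified in the log.

```python
import json

# Assumptions (not from the page): provider staff authenticate with this group,
# and kube-system is treated as provider-managed control-plane scope.
OPERATOR_GROUP = "example:provider-operators"
WORKLOAD_RESOURCES = {"pods", "secrets", "configmaps", "persistentvolumeclaims"}

def operator_workload_access(lines, granted_namespaces=frozenset({"kube-system"})):
    """Return audit events where an operator identity touched workload objects."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        # Each request is logged at several stages; count it once, when complete.
        if ev.get("stage") != "ResponseComplete":
            continue
        # `user` is the authenticated caller even when the request impersonates.
        user = ev.get("user") or {}
        if OPERATOR_GROUP not in user.get("groups", []):
            continue
        ref = ev.get("objectRef") or {}
        if (ref.get("resource") not in WORKLOAD_RESOURCES
                or ref.get("namespace") in granted_namespaces):
            continue
        target = "/".join(p for p in (ref["resource"], ref.get("subresource")) if p)
        code = (ev.get("responseStatus") or {}).get("code", 0)
        findings.append({"user": user.get("username"), "namespace": ref.get("namespace"),
                         "action": f"{ev.get('verb')} {target}", "allowed": code < 400})
    return findings

def event(user, groups, verb, resource, ns, code, stage="ResponseComplete", sub=None):
    """Build one constructed audit.k8s.io/v1 Event line (subset of fields)."""
    ref = {"resource": resource, "namespace": ns, **({"subresource": sub} if sub else {})}
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
                       "verb": verb, "user": {"username": user, "groups": groups},
                       "objectRef": ref, "responseStatus": {"code": code}})

OPS, DEVS = [OPERATOR_GROUP, "system:authenticated"], ["system:authenticated"]
SAMPLE_LOG = [  # constructed events, not real log data
    event("op-1@provider.example", OPS, "get", "pods", "kube-system", 200),
    event("op-1@provider.example", OPS, "create", "pods", "payments", 0, "RequestReceived", "exec"),
    event("op-1@provider.example", OPS, "create", "pods", "payments", 101, sub="exec"),
    event("dev@customer.example", DEVS, "get", "secrets", "payments", 200),
    event("op-2@provider.example", OPS, "list", "secrets", "payments", 403),
]

if __name__ == "__main__":
    print(*operator_workload_access(SAMPLE_LOG), sep="\n")
```

Denied attempts are reported with `allowed` set to false, since a 403 from an operator identity against a workload namespace is still worth a SIEM alert.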

$40M invested · 90 engineers · Luxembourg, EU · 7+ cloud providers
Backed by BlackRock · RTP Global · Smartfin · deep.vc · Altair · CircleRock Capital

Questions

What you're thinking right now

What happens to my platform team?
They shift from cluster maintenance to product platform work. Same people, fewer clusters to babysit, more capacity for features.
How long does migration take?
Namespace-level. Move one workload at a time. Keep old clusters running while you validate. Typical PoC: 2–4 weeks.
What's the risk?
Start with one workload. No commitment. No long-term contract. Keep old clusters live. If the math doesn't work — walk away.
How much does it cost?
Subscription per cluster. Typically costs less than one engineer. Free tier to start, no credit card. See pricing →
Do my engineers need to learn new tools?
No. kubectl, Helm, ArgoCD, Prometheus — everything stays. No retraining, no new abstractions. Teams onboard in a day.
Data residency?
Control plane hosted in Luxembourg, EU. Workloads run in whatever regions you choose. Relevant for DORA and GDPR requirements.
When is this NOT a fit?
Two cases: (1) regulations requiring physically separate control planes per environment, and (2) workloads needing sub-5ms inter-node latency — cross-cloud adds hops. We'll tell you on the first call if either applies.

Book a call

One cluster. All your clouds.
Your team ships product.

15 minutes. We'll review your cluster architecture and show where consolidation saves engineering time.

Free tier. No credit card. Start with one workload.
Typical PoC: 2–4 weeks.
Your old clusters stay live until you're ready.
The risk of NOT acting

Every new engineer you hire goes partly to cluster overhead. The problem compounds with each cloud you add.

The benefit of one cluster

Your engineers work on product. One upgrade path. One on-call rotation. One compliance surface.
