Skip to main content
Akua’s ownership model is split on purpose. Akua operates the control plane, and your workloads run on dedicated worker environments: Akua-managed machines, BYOM machines in your cloud account, manually attached workers, or imported clusters. That keeps the line clear between platform operations and your runtime environment.

What Akua manages

Akua manages the platform control plane. It stores workspace settings, deployment configuration, policy state, and the references needed to operate your clusters and credentials. Today, that managed control plane is the default model. A customer-hosted control plane is a future dedicated-mode option, not the standard deployment model.

What you keep

Your worker environment keeps the parts that matter most to your business:
  • Worker machines and imported clusters: manually attached workers, BYOM-provisioned machines, and clusters you import into Akua continue to run in your infrastructure.
  • Application runtime data: databases, files, queues, user content, and other live application data stay where your workloads run.
  • Cloud accounts: when you use BYOM, your cloud provider account pays for the compute and owns the underlying resources.
  • Secret plaintext: Akua stores workspace-scoped secret references. Plaintext is only accessed through explicit secret access paths and is audited.

BYOM cloud credentials

BYOM is Akua’s bring-your-own-machine path. When you use it for managed provisioning, you connect a workspace-scoped cloud key so Akua can create and manage compute in your account. The credential is not a shared platform secret; it is tied to your workspace, and Akua uses it only for the operations you permit. This model is useful when you want:
  • Billing to stay in your own cloud account.
  • Region or provider choice to stay under your control.
  • A clear boundary between Akua’s management layer and your infrastructure.

What may pass through Akua

Some features need to process specific data outside your worker environment when you enable them. Those features are opt-in, and you can decide whether the tradeoff fits your compliance posture.
  • Log streaming: container output passes through Akua so you can inspect and search logs.
  • Preview domains: HTTP requests and responses pass through the edge delivery path that powers previews.
  • Dashboard access and API proxying: cluster metadata, status, and command responses can pass through Akua to support remote inspection.
  • AI code execution: code you submit and the output it produces are processed to provide the feature.
If you need a strict boundary, keep those features turned off and work directly against your own infrastructure.

Security

See the residency caveats, secret handling, and access model in one place.

Add workers

Connect your own servers to an Akua-managed cluster.

Compute overview

Compare Akua-managed compute with BYOM compute.

Private container registries

Keep image credentials scoped to your workspace.