Skip to main content
Version: 1.5


Wayfinder is a management system for Kubernetes infrastructure. It lets DevOps or developers quickly self-serve infrastructure such as clusters, DNS zones, and networks. Security, resilience and workload isolation are baked into the cluster architecture so you can focus on application delivery. We also include tools to estimate and track the costs of your infrastructure.

Wayfinder provides a robust, highly configurable policy-based engine to manage access to Wayfinder and to the clusters it manages, and leverages Kubernetes RBAC for user and robot/service account access.

Wayfinder has an API, a CLI, and a UI that serve three primary areas of responsibility, which can be covered by various job titles:

  • Platform administrator–Responsible for centralized DevOps, site reliability, and security

  • DevOps engineer–Embedded in, or supporting, applications teams. Responsible for building and maintaining infrastructure to enable fast development and release of software

  • Sofware engineer–Responsible for building great applications

Our customers self-host Wayfinder on their public cloud of choice. See Recommended cloud configuration below.


Wayfinder's most powerful features are:

  • Self-serve Kubernetes–provides clusters configured with best practices.
  • Cluster provisioning–provides secure and consistent provisioning of Kubernetes environments for developers.
  • Accounts and account users–we provide a single source for access and control across the estate.
  • Plans and policies–let administrators define the type and shape of resources for developers to consume.
  • Cloud account automation and management–provisions cloud accounts for your developers on demand.

See also Wayfinder architecture below.

Supported public clouds​

  • Amazon Web Services (AWS)
  • Google Cloud Platform (GCP)
  • Microsoft Azure (Azure)

Free version​

The Wayfinder free version does not expire, but limits you to provisioning 3 clusters and 50 vCPUs. You can use the installer to test out Wayfinder's free version now. To chat with one of our specialists, please use this contact form, or send us a message on Slack.

For information on how much it might cost to run the free version, see the FAQ section here.


When you use the Wayfinder free version to provision clusters in your cloud provider, keep in mind that you still incur the costs of those resources in the cloud provider.

Using cloud services with Wayfinder​

If you need to connect some cloud services to Wayfinder, please use this contact form to speak to one of our Solutions Architects.


This section provides a high-level overview of Wayfinder's architecture. Along with the components described below, Wayfinder also uses industry standard tools and frameworks such as OPA and OIDC, and Kubernetes open source projects such as flux, ingress-nginx, external-dns, and cert-manager.

Wayfinder components​

Wayfinder is hosted by the customer, and can run on Kubernetes in AWS, GCP, and Azure public clouds. At a high level, Wayfinder consists of three elements:

  • API server

    The API server sits in front of Kubernetes, and handles API access to Wayfinder functionality, as well as single-sign-on (SSO).

  • Kubernetes

    Wayfinder is deployed into a Kubernetes cluster. We use Kubernetes to deploy and run Wayfinder, and we extend the Kubernetes APIs with Custom Resource Definitions (CRDs). Wayfinder makes use of several open source Kubernetes projects, including controller-runtime, cert-manager, flux, ingress-nginx, external-dns, kaniko, gatekeeper, fluentd, and elgo-oidc.

  • MySQL or Postgres database

    The database stores information about users and workspaces, security events, and audit and cost information.

The following diagram shows the high-level Wayfinder stack.


Once configured, the Wayfinder platform handles:

  • Cloud account management
  • Kubernetes cluster creation
  • Cluster Security and resilience
  • Container builds
  • DNS and HTTPS
  • Cost tracking

Wayfinder automation allows a single admin to support many teams/workspaces. Behind the scenes, the platform:

  • Creates isolated cloud accounts following least privilege best practices
  • Sets up role-based access control (RBAC) for both Wayfinder itself and the Kubernetes clusters created using Wayfinder
  • Turns off insecure options when creating Kubernetes clusters, adds network and pod security policies, and turns on auto-scaling, using Appvia's best practices. This ensures that the public cloud Kubernetes services are configured correctly for enterprise security needs.

Component detail​

The following diagram shows a more detailed view of how Wayfinder components interact with each other and with Kubernetes.

  • Wayfinder is deployed into a Kubernetes cluster. The installation creates Wayfinder's Management Cluster, shown on the left side of this diagram. This cluster uses a MySQL or Postgres database to store data such as Wayfinder users, workspaces, events, etc.

  • The Management Cluster acts as the control plane, and interacts with the Kubernetes (k8s) clusters created by your developers using Wayfinder, shown on the right side of the diagram.

  • Wayfinder is organized around developer workspaces, the cloud infrastructure available to them, and the access policies and permissions they have. So in addition to other components, Wayfinder's Management Cluster has a namespace for each workspace created in Wayfinder, as shown in the bottom centre of the diagram.

lower level architecture

You can use Wayfinder on multiple clouds. For example, you can install Wayfinder/Management Cluster on one public cloud, and have workspace members provision their Kubernetes clusters in a different public cloud.

Regardless of this choice, we recommend the following cloud configuration:

  • Use a dedicated cluster to host Wayfinder because it creates and manages namespaces as workspaces are created.
  • Install Wayfinder into a cluster that is not running other workloads.
  • Install only a single instance of Wayfinder into a cluster.
  • Set up Wayfinder to run using credentials managed entirely by AWS on EKS.

For more information, see the installation prerequisites.

The platform administrator interface​

Using the administrator interface, the Wayfinder administrator:

  • Sets up cloud credentials and cloud account automation so that workspace members can have isolated development environments, following least privilege best practices for security
  • Sets up default cluster plans that comply with enterprise policy, and specifies which cluster parameters are allowed to be changed by workspace members.
  • Makes DNS available to workspace clusters so that they have default domains for their apps
  • Configures cost integrations with the cloud provider, so that estimated and actual cloud running costs can be viewed in the Wayfinder UI

For more information, see Get Started as a Wayfinder Administrator.

The DevOps/developer interface​

With the infrastructure and cluster plans put in place by the Wayfinder administrator, workspace members can easily provision Kubernetes clusters using a self-service model.

Using the developer interface, workspace members:

  • Provisions Kubernetes clusters and namespaces, choosing from the available cloud providers and cluster plans
  • Uses default domains set up by the Wayfinder administrator, or sets up custom domains for their workloads
  • Configures container builds. This lets their existing CI pipeline request Wayfinder to build their software as a container image from their git repository, and make it available in their cluster.
  • Configures robots (service accounts) to run builds or deployments manually or using CI
  • Views actual and projected cloud running costs
  • Manages workspace members and roles, and views audit log of actions taken by workspace members
  • Is able to have direct access to the Kubernetes cluster using the Kubernetes CLI, kubectl, to deploy their apps manually, or have a Wayfinder robot deploy them, to the infrastructure managed by Wayfinder

For more information, see Get Started Using Wayfinder.

Documentation conventions​

These orthographic conventions are used in Wayfinder documentation:

FormatUsed for
BoldUI elements: menu items, tabs, links, buttons
CodeFile names, parameters, commands, or anything else that a user types into a field, file, or CLI
CAPITALSWithin commands or scripts, user-provided values are in all capital letters. For example:
  • wf apply -f PATH-TO-FILE.yaml
  • wf create policy assignment --plan PLAN-NAME

Getting Started​

Contact and community​

You can contact us using:

Also follow us on: