Fly Kubernetes (FKS)
Fly Kubernetes (FKS) is Fly.io's managed Kubernetes service — announced in early-access 2023, moved to closed beta 2024-03-07. The "blessed path" for running Kubernetes workloads backed by Fly.io infrastructure.
Architecture
FKS composes an unusually small stack:
| Kubernetes primitive | FKS implementation |
|---|---|
| API server / control plane | K3s |
| Kubelet / Node | Virtual Kubelet provider (Go, in-house) |
| Container runtime (CRI) | flyd + Firecracker + Fly init |
| CNI / pod networking | internal IPv6 WireGuard mesh |
| Pods | Fly Machines (micro-VMs) |
| Secrets | Fly Secrets ("only not the base64'd kind") |
| Services | Fly Proxy |
| Cluster DNS | CoreDNS (flagged for replacement with a custom internal DNS) |
| Persistent Volumes | Fly Volumes (roadmap at beta) |
Instance of patterns/primitive-mapping-k8s-to-cloud and patterns/virtual-kubelet-provider. Canonical wiki example of concepts/nodeless-kubernetes — "a key thing to notice above is that there's no Node." The burden of host capacity planning moves from the cluster operator to Fly.io.
How a kubectl run works
- `kubectl run --image=<img> kuard` lands at the K3s API server.
- K3s schedules the Pod against the fake "Virtual Kubelet" Node.
- The Virtual-Kubelet provider translates the Pod spec to a Machines API call and creates a Fly Machine in the cluster's region.
- flyd places the Machine on a host and boots it via Firecracker + Fly init (the Docker image → micro-VM transmogrification).
- The Machine joins the org's WireGuard mesh; its IPv6 address is reported back up to the Virtual Kubelet and surfaces as the Pod IP.
`fly machine list --app fks-default-<cluster-id>` exposes the Pod as
a Machine — the wiki's canonical instance of
concepts/micro-vm-as-pod.
Services + DNS
`kubectl expose pod kuard --port=8080` creates a ClusterIP Service with
an IPv6 ClusterIP (e.g. `fdaa:0:48c8:0:1::1a`). Annotations
observed on the Service include
`fly.io/clusterip-allocator: configured` and
`service.fly.io/sync-version: <n>`, indicating a bespoke
Service-to-Fly Proxy reconciliation loop.
Three equivalent access paths from inside the org's 6PN WireGuard network:
- Direct IPv6: `http://[fdaa:0:48c8:0:1::1a]:8080`.
- flycast: `http://<service>.svc.<app>.flycast:8080`.
- CoreDNS (in-cluster): `<service>.<namespace>.svc.cluster.local`.
Pricing
- Free during beta.
- $75 / month / cluster post-beta, plus Fly Machines + Fly Volumes metering at the standard rates.
Beta support matrix
| Supported | Not supported at beta |
|---|---|
| Deployments, ReplicaSets | Multi-container Pods (roadmap: coming months) |
| ClusterIP Services + K8s DNS | StatefulSets |
| Ephemeral + persistent volumes | NetworkPolicies |
| Standard Secrets / ConfigMaps | Horizontal Pod Autoscaling (roadmap: coming weeks) |
| GPU workloads, multi-region clusters | emptyDir volumes (roadmap: coming weeks) |
| `fly ext k8s create` CLI | `kubectl exec`, `kubectl port-forward` (use flyctl) |
Seen in
- sources/2024-03-07-flyio-fly-kubernetes-does-more-now — beta launch post. Source of the architecture table above, pricing, beta gap list, and the explicit conformance concession ("this isn't Kubernetes!" — "we agree!").
Caveats
- Not CNCF conformance-certified; post flags conformance tests as "maybe-later".
- Beta gaps (StatefulSets, NetworkPolicies, multi-container Pods) exclude many real-world charts.
- No public numbers on Pod-create latency, cluster-size ceilings, K3s control-plane HA posture, or cross-region cluster scoping.
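
A preflight check built from the beta support matrix and the beta-gaps caveat above, as an added example (not Fly.io's code or tooling): it walks parsed Kubernetes manifests (JSON here) and reports every object that uses a feature the page lists as not supported at beta. The function names, the handling of initContainers and the sample manifests are assumptions made for this example.

```python
import json

# Kinds the page's beta support matrix lists as "Not supported at beta".
UNSUPPORTED_KINDS = {
    "StatefulSet": "StatefulSets",
    "NetworkPolicy": "NetworkPolicies",
    "HorizontalPodAutoscaler": "Horizontal Pod Autoscaling",
}

def pod_spec(obj):
    """Return the Pod spec of a Pod or of a templated workload, else None."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":  # Pod template is nested one level deeper
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec")

def fks_beta_findings(objects):
    """Return sorted (kind/name, unsupported feature) pairs for the manifests."""
    findings = set()
    for obj in objects:
        if obj.get("kind") == "List":  # e.g. output of `kubectl get -o json`
            findings.update(fks_beta_findings(obj.get("items") or []))
            continue
        name = (obj.get("metadata") or {}).get("name", "?")
        ref = f"{obj.get('kind', '?')}/{name}"
        if obj.get("kind") in UNSUPPORTED_KINDS:
            findings.add((ref, UNSUPPORTED_KINDS[obj["kind"]]))
        ps = pod_spec(obj) or {}
        # Assumption: only spec.containers is counted; the page does not say
        # how initContainers are treated.
        if len(ps.get("containers") or []) > 1:
            findings.add((ref, "Multi-container Pods"))
        if any("emptyDir" in v for v in ps.get("volumes") or []):
            findings.add((ref, "emptyDir volumes"))
    return sorted(findings)

# Constructed sample manifests (not from the page).
SAMPLE = json.loads("""[
 {"kind": "Deployment", "metadata": {"name": "kuard"},
  "spec": {"template": {"spec": {"containers": [{"name": "kuard"}]}}}},
 {"kind": "Deployment", "metadata": {"name": "web"},
  "spec": {"template": {"spec": {
    "containers": [{"name": "app"}, {"name": "log-shipper"}],
    "volumes": [{"name": "scratch", "emptyDir": {}}]}}}},
 {"kind": "NetworkPolicy", "metadata": {"name": "default-deny"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
]""")
```

A NetworkPolicy finding deserves a closer look than the others: the manifest expects traffic restrictions that the matrix says are not supported at beta.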