Rathsted

Foundations - a Kubernetes baseline you can control, explain, and defend

When customers, auditors, or procurement start asking hard questions about how your systems are run, the answers should already be there.

Rathsted Foundations is a validated single-node k3s baseline on supported Linux hosts. It combines Git-based change control, policy enforcement, and verification output so teams have something concrete to review before they scale the model further.

Who controls infrastructure matters. It affects privacy, accountability, and who can answer for changes.

If you cannot show who has access, what changed, and what is running, the case gets weaker quickly. Rathsted Foundations gives teams something concrete to review instead of rebuilding the story during an audit or customer review.

It is the base layer underneath your applications and services, helping you set rules, review changes, and show what was deployed.

The repo, docs, and verification output are public, so teams can evaluate the baseline directly without going through a sales process first.

When It Fits

Not every team needs this. For some teams, the driver is jurisdictional: where workloads run and where data lands. For others it is organizational: who governs the environment, who approves changes, and who holds operational responsibility. Often it is both.

Regulated organizations

You need a system you can explain clearly when auditors, security reviewers, procurement teams, or customers start asking questions.

Customer-owned delivery

You deliver into infrastructure your customer controls and need a cleaner handoff and fewer surprises later.

Jurisdiction-sensitive operations

You need to know where workloads and data land, and whether that fits your contracts, customers, or region.

Teams that need more operational control

You need more control over how systems are managed and who approves changes.

If one of those sounds familiar, Rathsted Foundations is the kind of starting point worth evaluating.

What It Does

  • Baseline rules are active from the start. Policy checks and workload admission rules are in place before new deployments are allowed to run.
  • Changes follow a clear review path. Git-based updates are versioned, repeatable, and easier to trace back to a decision.
  • You can show what was shipped. Signed release records and software inventory help explain what is running and where it came from.
  • You have something better than promises. Reviewers get records they can inspect instead of screenshots and hand-waving.

Why Control Matters

When a customer asks where their workloads run, where their data is stored or processed, who approved the last deployment or policy change, or how you would respond to a breach, can your team answer clearly? These are not hypothetical questions. They come up in security reviews, procurement due diligence, and audit conversations. Rathsted Foundations gives you a system where the answers are part of the running infrastructure, not assembled during a review.

What Rathsted Foundations Does Not Do

  • Not full platform outsourcing. It does not take over operation of your environment or remove every infrastructure decision.
  • Not automatic compliance. It helps you produce controls, records, and verification output. It does not replace auditors, legal review, procurement, or internal governance decisions.
  • Not enough on its own. Adopting it does not make a cloud or hosting provider meet your control, governance, or jurisdiction requirements.
  • Not every layer at once. It does not solve every follow-on need in the stack. Secrets, monitoring, backup, and other adjacent decisions still require deliberate choices for your environment.

Open by Default

  • Full source, no gates. The entire baseline is open source under Apache 2.0 - read every line, fork the repo, and run it without asking permission.
  • Compliance mappings published. A published set of baseline controls is mapped to CIS Kubernetes Benchmark, NIST 800-53, and SOC 2. The mappings live in the public repo.
  • Sample verification output. Output from real validated runs is available on the site and in the repo.
  • Based in Canada. Built for teams that care where operational responsibility sits.