Why Sugau's Bare-Metal Kubernetes Checks Five Boxes No Cloud Vendor Can
An infrastructure decision-maker's guide to what you actually get when you own the stack.
There is a pattern in enterprise IT that almost nobody talks about openly. When CTOs evaluate cloud versus on-premises infrastructure, they compare the wrong things. They compare managed node groups against self-managed clusters, shared responsibility policies against their own security teams, and monthly invoices against capital expenditure spreadsheets. What they rarely compare is the actual operational capability set — what the infrastructure can do, at what latency, under whose control.
When you build Kubernetes on bare metal using ZFS and KVM as the foundation, five capabilities emerge that no hyperscaler will ever offer you in the same package, at the same price, under the same roof.
1. Node provisioning in minutes, not a managed console queue
Cloud vendors sell elasticity. What they deliver, beneath the marketing, is a queue. You request a node, a scheduler somewhere allocates capacity from a pool, an image is hydrated, and a VM joins your cluster — a process measured in minutes on a good day, much longer during regional capacity events.
On a Sugau bare-metal deployment, a new Kubernetes node is a ZFS clone of a golden image. The operation is nearly instantaneous at the dataset level. KVM presents that clone as a new virtual machine, cloud-init or Ignition handles the join process, and the node is registered and scheduling workloads within minutes. Crucially, this is the same mechanism used to migrate a node from one physical host to another. A zfs send | zfs receive pipeline, a VM definition handed to the destination hypervisor, and the node reappears. No rehydration, no waiting on a managed API, no dependency on upstream capacity.
For regulated environments, disaster recovery simulation, or hardware replacement under pressure, this is not a marginal improvement. It is an architectural difference in kind.
2. KVM loses roughly five percent of bare metal performance — and that is the full cost
The honest performance case for virtualisation has been settled for years, but the numbers are rarely stated plainly in vendor literature. A KVM-hosted virtual machine running on modern hardware with properly configured VirtIO drivers, CPU pinning, and NUMA-aware memory allocation will exhibit roughly three to five percent overhead compared to a workload running directly on the host kernel. For the vast majority of enterprise Kubernetes workloads — API services, databases, model inference — this delta is operationally invisible.
What this means in practice is that you get the full operational benefit of virtualisation: live migration, snapshot-backed provisioning, hardware fault isolation, the ability to co-locate multiple node types on a single physical server without kernel contention — at a cost that is essentially rounding error against your actual compute budget.
Contrast this with the cloud model, where you have no visibility into the hypervisor, no control over noisy-neighbour effects, and no ability to tune the virtualisation layer for your workload profile. The five percent overhead you pay on a Sugau deployment is known, tunable, and entirely yours to optimise.
3. VM creation, backup, and restoration are fully automated — and the API is open
One of the least discussed costs in cloud infrastructure is operational coupling: the gradual accumulation of procedures, runbooks, and institutional knowledge that only work through a vendor's console, CLI, or managed API. When that API changes, your automation breaks. When the vendor sunsets a service, your operational model breaks with it.
The Sugau stack is built on libvirt and the KVM hypervisor, both of which expose stable, open APIs that have not changed meaningfully in over a decade. Ansible orchestrates the full VM lifecycle — provisioning from golden images, configuration management, snapshot scheduling, backup verification, and restoration testing. Every operation that a cloud vendor wraps in a managed service and charges for as a line item is expressed in version-controlled playbooks that you own, can audit, and can run on any Linux host with KVM support.
When a VM needs to be restored — whether from operator error, hardware failure, or a ransomware event — the process is the same automation path that runs in CI. There is no support ticket, no managed restore workflow with a four-hour SLA, and no data egress charge. The recovery is as fast as your network and storage can move bytes.
4. Continuous data protection is a feature of the storage layer, not a product you buy
Backup is one of the most over-productised problems in enterprise infrastructure. There are dozens of commercial backup platforms, cloud-native snapshot services, and third-party data protection vendors, each adding licensing cost, operational complexity, and another dependency surface. Most of them are, at their core, reimplementations of functionality that ZFS has provided for twenty years.
ZFS snapshots are atomic, instantaneous, and space-efficient. A snapshot of a dataset containing a Kubernetes worker node — its persistent volumes, its OS disk, its application state — takes milliseconds and consumes storage proportional only to the data that changes after the snapshot is created. Snapshots can be scheduled at any frequency, replicated off-site continuously using zfs send, and restored to any point in history without unmounting the live dataset.
On a Sugau deployment, this is not a backup product. It is the storage subsystem doing what storage subsystems should do. The result is continuous data protection across every node, every persistent volume, and every VM in the cluster, with off-site replication included in the base architecture — not sold as an add-on tier.
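Sections 1 and 4 both rest on a zfs send | zfs receive pipeline. As an added example (not Sugau's own tooling), this small planner decides what that pipeline should ship on each run: an incremental stream from the newest snapshot both sides share, a full stream on first replication, and a refusal when the target has drifted. The host name backup.example, the dataset and the snapshot names are constructed for the demonstration.

```python
"""Plan an incremental zfs send | zfs receive between a source host and its
replication target.

Added example, not Sugau's tooling. Given the snapshot names present on each
side, it picks the newest common snapshot as the incremental base (-I), falls
back to a full send on first replication, and refuses to run when the target
holds snapshots the source never made (divergence), which would otherwise make
zfs receive fail or, with -F, silently roll the target back.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Plan:
    base: Optional[str]   # incremental base snapshot; None means a full send
    target: str           # newest source snapshot the plan brings the remote up to
    command: str          # shell pipeline, or "" when the remote is already current


def plan_send(dataset: str, source_snaps: List[str], remote_snaps: List[str],
              remote_host: str = "backup.example",
              remote_dataset: Optional[str] = None) -> Plan:
    """Snapshot lists hold the part after '@', oldest first, as
    'zfs list -H -t snapshot -o name -s creation' reports them."""
    if not source_snaps:
        raise ValueError(f"{dataset}: no snapshots on source; take one before replicating")
    remote_dataset = remote_dataset or dataset
    latest = source_snaps[-1]
    remote_set = set(remote_snaps)
    common = [s for s in source_snaps if s in remote_set]
    if not common:
        # First replication: ship everything up to the newest snapshot. -w sends
        # the raw (still encrypted) stream, so the target never needs the key.
        base, send = None, f"zfs send -w {dataset}@{latest}"
    else:
        base = common[-1]
        # Remote-only snapshots newer than the base were not produced by this
        # pipeline; older remote-only ones are fine (longer retention off-site).
        stray = remote_snaps[remote_snaps.index(base) + 1:]
        if stray:
            raise RuntimeError(f"{remote_dataset} diverged: remote-only snapshots {stray} after {base}")
        if base == latest:
            return Plan(base, latest, "")  # nothing new since the last run
        send = f"zfs send -w -I {dataset}@{base} {dataset}@{latest}"
    recv = f"ssh {remote_host} zfs receive -u {remote_dataset}"
    return Plan(base, latest, f"{send} | {recv}")


if __name__ == "__main__":
    # Constructed snapshot lists: the source has one snapshot the target lacks.
    print(plan_send("tank/k8s/node1", ["auto-1", "auto-2", "auto-3"], ["auto-1", "auto-2"]).command)
```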
5. Encryption at rest with keys held entirely off-site renders stolen hardware silent
Hardware theft is an underweighted threat in most enterprise risk models. It tends to be dismissed as a physical security problem — the domain of locks, CCTV, and data centre access policies. This thinking is reasonable until a drive tray leaves a colocation facility in someone's bag, or a server is seized by a jurisdiction you did not plan for.
ZFS provides native dataset-level encryption with key management that is entirely decoupled from the data it protects. Combined with LUKS at the block device layer where needed, a Sugau deployment can be configured so that no decryption key ever resides on the physical hardware. Keys are held in a remote escrow — an HSM, a key management service, or an air-gapped system under your control — and are fetched at boot over an authenticated channel. If the hardware is physically removed and powered on without access to the key escrow network, every dataset it contains is opaque. There is nothing to read, nothing to recover, and nothing to report to a regulator.
This is not a feature that cloud vendors can offer you, because in the cloud model, the encryption keys ultimately reside in infrastructure that the vendor controls. The Sugau model puts key custody entirely in the operator's hands — geographically, jurisdictionally, and operationally separated from the data it protects.
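As an added check for the property described above (not Sugau's own tooling): an audit over captured zfs get output that flags every encryption root whose key is kept on the host's own disk, and every unencrypted dataset. The pool, dataset and escrow names are constructed; OpenZFS 2.1 and later accept https:// keylocations, which is one way to have the key fetched from a remote escrow at boot.

```python
"""Audit ZFS encryption posture from 'zfs get' output.

Added example, not Sugau's tooling. Input is the tab-separated output of
  zfs get -H -o name,property,value encryption,keylocation,keyformat,encryptionroot -r <pool>
so it can be run offline against captured output. The sample below is constructed.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: (dataset, encryption, keylocation, keyformat, encryptionroot)
_ROWS = [
    ("tank/k8s/node1",    "aes-256-gcm", "https://escrow.example/keys/node1", "raw", "tank/k8s/node1"),
    ("tank/k8s/node1/pv", "aes-256-gcm", "none", "raw", "tank/k8s/node1"),  # inherits node1's key
    ("tank/k8s/node2",    "aes-256-gcm", "file:///etc/zfs/keys/node2.key", "raw", "tank/k8s/node2"),
    ("tank/scratch",      "off", "none", "none", "-"),
]
SAMPLE = "\n".join(
    f"{name}\t{prop}\t{value}"
    for name, enc, loc, fmt, root in _ROWS
    for prop, value in (("encryption", enc), ("keylocation", loc),
                        ("keyformat", fmt), ("encryptionroot", root)))


def parse_zfs_get(text: str) -> Dict[str, Dict[str, str]]:
    """Group 'name<TAB>property<TAB>value' lines into {dataset: {property: value}}."""
    props: Dict[str, Dict[str, str]] = defaultdict(dict)
    for line in text.strip().splitlines():
        name, prop, value = line.split("\t")
        props[name][prop] = value
    return dict(props)


def audit(text: str) -> Dict[str, List[str]]:
    """Return findings per dataset; an empty dict means every root keeps its key off-host."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for name, p in parse_zfs_get(text).items():
        if p.get("encryption", "off") == "off":
            findings[name].append("unencrypted: readable from a removed drive")
            continue
        if p.get("encryptionroot") != name:
            continue  # a child uses its encryption root's key; judge the root only
        loc = p.get("keylocation", "none")
        if loc.startswith("file://"):
            findings[name].append(f"key on local disk ({loc}): stealing the host yields the key")
        elif loc == "prompt":
            findings[name].append("keylocation=prompt: confirm the boot-time loader sources the key from escrow")
    return dict(findings)
```

ZFS native encryption leaves dataset names, sizes and pool metadata in the clear, which is why the text pairs it with LUKS at the block layer where needed.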
The architecture that delivers all five
None of these capabilities are speculative or experimental. They are the direct result of building Kubernetes on a mature hypervisor stack with a mature copy-on-write filesystem as the foundation. ZFS and KVM have been production-grade for over a decade. The innovation in the Sugau approach is not the components — it is their deliberate composition into an architecture where provisioning speed, performance efficiency, operational automation, data protection, and physical security are all first-class properties of the base layer, not afterthought integrations.
Cloud vendors will offer you managed equivalents for some of these capabilities, individually, as paid features with usage pricing and API rate limits. What they cannot offer is ownership: the certainty that your infrastructure model works the same way at two in the morning when a node fails, when hardware is replaced, when a jurisdiction changes its data residency requirements, or when a vendor decides to deprecate a service.
That certainty is what bare metal delivers. And it is exactly what Sugau is built to provide.
Sugau Infrastructure specialises in bare-metal Kubernetes deployments, cloud repatriation, and sovereign AI infrastructure for enterprises that require operational ownership of their compute stack.