Kubernetes Management with Wayfinder

Fast and secure container deployment for cloud

A unified experience across multiple clouds with secure and automated Kubernetes and developer self-service cloud resources.

Help teams be highly efficient when scaling Kubernetes

Wayfinder reduces your time to market by simplifying Kubernetes management. Create and manage best in class EKS/AKS/GKE clusters, in-cluster services and security policies to enable self service for developers that is secure, consistent and repeatable.

Why Wayfinder?

  • Simplicity

    An abstraction layer over EKS, GKE, and AKS that speeds time to value, minimises cloud-specific learning curves, and makes your existing teams more efficient.

  • Expertise

    Cluster templates that include cluster services and networking, and ensure best practices for security, resilience and workload isolation.

  • Control

    Centralized policy and configuration minimizes management overhead, while reducing risk.

  • Secure

    Automated, dynamic RBAC, based on principles of least privilege, fine-grained control, and time limited to ensure secure user access.

  • Self-service

    Teams can help themselves within guardrails, removing internal dependencies, bottlenecks and handoffs.

  • Self-hosted

    You retain control over all of your infrastructure with no external dependencies.

Appvia has provided a consistently high-quality product and service to the Home Office. They have shown a drive to not just innovate but provide guidance and assistance to the Home Office, promoting agile delivery.

Matt Philpott
Director, Enterprise Technology,
UK Home Office

    Our customers

    Wayfinder Quick Start for Developers

    Wayfinder gives you a safe, secure, scalable and repeatable way to manage your AKS, EKS and GKE Kubernetes clusters. Removing your operational SRE overheads and accelerating project delivery with safe self service management tools.

    Start using Wayfinder today

    Get started with our free plan. 
Unlimited users. Up to 3 clusters and 50 vCPUs

    What you actually get

    Out of the box defaults

    Wayfinder aligns with each cloud provider’s best practice guidelines to create and manage all supporting infrastructure (such as networking, gateways, and security groups) required to use that provider’s managed Kubernetes service. It ensures that the Kubernetes service itself is configured appropriately, supporting both private and public clusters on the supported cloud providers.

    Cluster plans

    Set default values then control and constrain how much, or how little, you want teams to be able to customise their clusters when creating or managing them for their workspaces.

    Default plans are provided for each provider; additional plans can be created with ease and allocated to specific workspaces or available to all, with fine-grained control over how parameters can be changed by end users.

    User access

    Wayfinder mediates access into all of your clusters in a consistent way, orchestrated by the powerful wf access cluster command allowing a user to assume a specific scoped and time-bound role for accessing a namespace or cluster. The command works consistently across all supported cloud providers and integrates with your existing identity provider.

    Flexible assumption policies allow tight control over who can access which roles, with time, network and duration constraints supported.

    Cluster services and add ons

    Wayfinder provides built-in add-ons for clusters, giving easy out-of-the-box ingress controllers, HTTPS certificate management, and DNS support, letting your development teams get going quickly.

    Wayfinder can also deliver your own configured workloads to some or all of your clusters using a simple but powerful templating and targeting system to install and manage industry-standard Helm charts on clusters as soon as they are created. This allows installation of custom logging agents, monitoring stacks and more.


    Aligned with the cloud provider’s own best-practice guidelines for network layout for their managed Kubernetes services, Wayfinder creates and manages networks, subnets and more as needed. It can automatically peer these networks together, allowing access to and from private clusters within your cloud estate.


    Wayfinder enforces short-lived access to users, manages robot access, and enforces environment-specific policy controls across the team's infrastructure.

    Command line, Web UI, or Gitops

    Wayfinder can be controlled and configured from a flexible CLI, an intuitive web user interface, or for a Gitops approach you can configure all Wayfinder features directly by applying Kubernetes custom resources.

    All of these approaches will result in the same outcomes allowing you to use the right approach for your organisation.

    Frequently asked questions

    Why is Wayfinder better than directly using a Kubernetes managed service?

    Managed services (AKS, EKS, or GKE) substantially reduce the overhead of managing Kubernetes. Wayfinder goes further. With a managed service, you still need to design your cluster architecture, deploy cloud provider specific cluster dependencies, configure your cluster services and addons, manage RBAC, and countless other tasks. And there’s always a risk that there’ll be a flaw in your implementation that impacts security or resilience.

    If you’re using any managed services, and you want your team to be able to do more with less, Wayfinder can help. The more time you save means more time can be spent integrating with other cloud services, and improving app deployment capabilities.

    How is Wayfinder different from competitors?

    Most Kubernetes management tools are differentiated on their level of “opinionatedness”. That is, how much they guide you towards a particular way of doing things. Wayfinder doesn’t have strong opinions about the way you work - you can use whatever works for you. Wayfinder does have strong opinions about how cluster, cluster services, cloud accounts, access and permissions are configured so that you get security and resilience out of the box. No one else does this to the same extent.

    This approach is informed by our first hand experience of setting up and running Kubernetes in multiple different organisations. We want to automate as much of what is standard and common across different organisations, while also allowing the freedom to work in different ways.

    Public cloud focus vs Hybrid?

    Most other Kubernetes management tools support hybrid infrastructure - public cloud, private clouds on prem, and edge. While this gives you breadth of coverage, it also keeps the level of integration shallow, at the same time as giving most customers unnecessary functionality and complexity. Wayfinder is cloud native, and focussed on public clouds. This allows us to develop much deeper integrations with other cloud services such as AWS Control Tower, or Azure Active Directory Pod Identity, so you can be truly cloud native from Day 1.

    How does Wayfinder work with AKS, EKS or GKE?

    Wayfinder is another level of abstraction on top of AKS, EKS, and GKE. You can set guardrails in policy and cluster templates so teams can self-serve their own clusters within agreed constraints. Your teams then get instant access to well designed, resilient clusters, with the appropriate cluster services provisioned at the same time - optionally Cert Manager, ExternalDNS and an Ingress controller (NGINX) all deployed and automatically configured with the right level of cloud access for each provider. Networks and assigned network ranges are also configured. Finally, you also get full user access management and automated RBAC, all based on principles of least privilege and time bound. Wayfinder also works the same way, whether it’s for EKS, AKS or GKE, so you don’t need cloud specific knowledge for each managed service you’re using.