KubarosAlpha
Back to site

Documentation

Everything you need to install, operate and integrate Kubaros — plus a full REST API reference for your portal and billing.

Overview

Kubaros turns your existing Proxmox VE infrastructure into a managed Kubernetes-as-a-Service platform. You install Kubaros on a VM in your network; it provisions Talos Linux clusters on Proxmox, manages public IP pools, and exposes every action through a REST API so you can wire it into your portal and billing.

Architecture

Kubaros is the control plane: a FastAPI backend (MongoDB) and a React console, fronted by Caddy for automatic HTTPS. It talks to the Proxmox VE API to create VMs and to talosctl to bootstrap Kubernetes. It governs itself locally from a signed license and only phones home to validate that license and report installation telemetry.

API-first by design: everything in the console is a documented REST endpoint, so providers can fully automate provisioning, tenant management and billing.

Reaching Talos

Kubaros supports two ways to reach the internal Talos nodes of a Proxmox site (set per site):

1) Local Appliance mode — Kubaros runs on-site and reaches the Talos node IPs directly over a management network (SDN or an existing bridge).

2) Remote Connector mode — for a centrally-hosted Kubaros, it provisions a tiny WireGuard connector VM on the Proxmox site. The connector holds one public IP (the WireGuard endpoint) and securely tunnels Kubaros into the internal, per-tenant Talos subnets. No manual setup — Kubaros generates the keys and cloud-init.

Tenant isolation: each tenant gets a dedicated VLAN and node subnet, carved from a provider supernet. Cluster pod/service CIDRs default to /16 (10.244.0.0/16 pod, 10.96.0.0/12 service) so Kubernetes never runs out of pod IPs — a /24 pod CIDR is far too small. Sizes are configurable globally and per cluster.

Installation

Install on a fresh Debian/Ubuntu VM (2 vCPU / 4 GB RAM is enough to start). The installer sets up Docker, pulls the Kubaros images and starts the stack behind Caddy.

curl -fsSL https://install.kubaros.io | sudo bash

For a production domain with a real Let's Encrypt certificate, pass your domain and ACME email:

KUBAROS_DOMAIN=console.example.com KUBAROS_ACME_EMAIL=admin@example.com \
  curl -fsSL https://install.kubaros.io | sudo -E bash

Manage Kubaros afterwards with the kubaros CLI:

kubaros status   # show containers
kubaros update   # pull the latest release
kubaros logs     # follow logs
kubaros url      # print the console URL

Prefer Kubernetes? A Helm chart is included (deploy/charts/kubaros) to run the appliance (backend + frontend + MongoDB + Redis) on your own cluster. Images are multi-arch (amd64 + arm64).

helm install kubaros ./deploy/charts/kubaros \
  --namespace kubaros --create-namespace \
  --set baseUrl=https://kubaros.example.com \
  --set ingress.host=kubaros.example.com

First steps

Open the console URL the installer prints and follow the first-run wizard:

  1. 1Create your admin account in the Setup Wizard.
  2. 2Connect Proxmox: paste your PVE API token — Kubaros validates the version, single-server-vs-cluster, SDN and Ceph.
  3. 3Register your public IP pools per Proxmox site.
  4. 4Create your first Talos cluster and download its kubeconfig.
Storage note: when you create your first cluster (and when you provision a Remote Connector), Kubaros automatically downloads the required Talos Linux and Debian cloud images to your Proxmox storage — plan for roughly 3–5 GB of free space on the target storage. The images are fetched once and reused for later clusters.

Authentication

All API calls require a bearer token. Use the admin JWT for interactive use, or create a scoped API token (Settings → API Tokens) for automation and billing integrations.

# 1) Get a JWT
TOKEN=$(curl -s -X POST https://console.example.com/api/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"admin@example.com","password":"••••••"}' \
  | jq -r .access_token)

# 2) Call the API
curl -s https://console.example.com/api/clusters \
  -H "Authorization: Bearer $TOKEN"

Scoped tokens carry only the permissions you grant (e.g. usage:read, clusters:write). List available scopes via GET /api/api-tokens/scopes.

Billing modes

Kubaros supports two billing models, switchable in Settings → Billing & limits:

  1. 1Fixed limits (quota): per-tenant quotas for clusters, nodes and storage are enforced; provisioning is blocked once a quota is reached.
  2. 2Usage-based (pay-as-you-go): tenant limits are advisory only and never block — bill your customers from GET /api/usage/clusters.
Per-tenant quotas are optional: leave any limit empty for unlimited.

Operations

Observability: open any cluster and switch to the Metrics tab for live per-cluster and per-node CPU, memory and pod usage. The same data is available at GET /api/clusters/{id}/metrics for your own dashboards.

etcd backups: the Backups tab takes point-in-time etcd snapshots of the control plane and restores them after a failure. Set an automatic schedule (off / daily / weekly), or trigger a manual snapshot before risky changes. Restores are disruptive and ask for confirmation.

White-label: under Settings → White-label & branding you can set the product name, a logo URL, an accent color and optionally hide the "Powered by Kubaros" line. Branding applies to the appliance console your customers log into; the public Kubaros website is unaffected.

Multiple Proxmox sites: connect as many Proxmox clusters as you like under Proxmox, then pick the default site for new clusters under Settings → Provisioning defaults.

API reference

Base URL: https://<your-console>/api · interactive Swagger UI lives in your Kubaros console at /api/docs · all responses are JSON.

Authentication

Obtain a JWT, inspect the current principal.

POST/api/auth/login
Log in with email + password, returns a JWT access_token.
GET/api/auth/me
Return the authenticated user / token principal.

Setup

First-run bootstrap of a fresh Kubaros install.

GET/api/setup/status
Whether setup is complete and an admin exists.
POST/api/setup/initialize
Create the first admin and Kubaros identity.

Proxmox

Connect Proxmox sites and discover their resources.

GET/api/proxmox/connections
List configured Proxmox connections.
POST/api/proxmox/connections
Add a Proxmox connection (API token, encrypted at rest).
GET/api/proxmox/connections/{id}
Get a single connection.
PATCH/api/proxmox/connections/{id}
Update a connection (name, default node, connection_mode local/remote_connector).
DELETE/api/proxmox/connections/{id}
Remove a connection.
POST/api/proxmox/test
Test connectivity + credentials.
POST/api/proxmox/validate
Read-only readiness check (version, cluster/HA, SDN, Ceph).
GET/api/proxmox/resources
Discover nodes, storage and network bridges.

Public IP pools

Register the public IPs that belong to each Proxmox site.

GET/api/ip-pools
List public IP pools.
POST/api/ip-pools
Create a pool (CIDR or start/end range, gateway, VLAN).
DELETE/api/ip-pools/{id}
Delete a pool.

Public IPs (IPAM)

Book public IPs from a pool and assign them to clusters — providers, or tenants within their max_public_ips quota.

GET/api/public-ips
List booked public IPs (tenant-scoped; filter by ?cluster_id=, ?status=).
GET/api/public-ips/available-pools
Pools with availability counts, for the booking UI.
POST/api/public-ips
Book one or more addresses (auto-allocate count or specific addresses); optionally assign to a cluster.
POST/api/public-ips/{id}/assign
Assign a reserved IP to a cluster's MetalLB pool.
POST/api/public-ips/{id}/unassign
Detach an IP from its cluster (back to reserved).
DELETE/api/public-ips/{id}
Release a booked public IP.

Management networks

The network Talos nodes use and that Kubaros must reach (provider admin).

GET/api/management-networks
List management networks (optionally ?connection_id=).
POST/api/management-networks
Define a management network (mode sdn or bridge).
PATCH/api/management-networks/{id}
Update a network / set it as the default.
DELETE/api/management-networks/{id}
Delete a management network.
POST/api/management-networks/{id}/reachability
Probe reachability from Kubaros to the subnet.

Remote connectors

WireGuard connector VMs that proxy a remotely-hosted Kubaros into a site's internal Talos networks (provider admin).

GET/api/connectors
List all remote connectors with status.
GET/api/connectors/{connection_id}
Connector status for a Proxmox site.
GET/api/connectors/{connection_id}/cloudinit
Rendered connector cloud-init (WireGuard + nftables).
POST/api/connectors/{connection_id}
Provision the connector (books 1 public IP, generates keys) — sets the site to remote_connector.
POST/api/connectors/{connection_id}/test
Test the WireGuard tunnel / handshake.
POST/api/connectors/{connection_id}/sync
Re-sync the routed internal subnets.
DELETE/api/connectors/{connection_id}
Deprovision the connector (site back to local).

Network isolation

Per-tenant VLAN/subnet allocation and global network defaults (provider admin; tenants can read their own networks).

GET/api/network-config
Read network defaults (supernet, VLAN range, pod/service CIDRs).
PUT/api/network-config
Update network defaults.
GET/api/tenant-networks
List tenant networks (tenant-scoped; ?proxmox_connection_id=).
POST/api/tenant-networks
Allocate a dedicated VLAN + node subnet for a tenant on a site.
DELETE/api/tenant-networks/{id}
Release a tenant network (must be unused).

Clusters

Provision, scale and delete Talos Kubernetes clusters.

GET/api/clusters
List clusters (scoped to the caller's tenant).
POST/api/clusters
Create a cluster (control-plane + workers, sizing, placement).
GET/api/clusters/{id}
Cluster detail incl. status and endpoint.
GET/api/clusters/{id}/nodes
List the cluster's nodes.
POST/api/clusters/{id}/scale
Scale worker nodes up or down.
POST/api/clusters/{id}/delete
Delete the cluster (robust, always removable).
GET/api/clusters/{id}/kubeconfig
Download the cluster kubeconfig.
GET/api/clusters/{id}/metrics
Observability: per-cluster + per-node CPU / memory / pod usage.
GET/api/clusters/{id}/backups
List etcd snapshots + the cluster's backup schedule.
POST/api/clusters/{id}/backups
Take an etcd snapshot now (manual).
POST/api/clusters/{id}/backups/{backupId}/restore
Restore etcd from a snapshot (disruptive).
DELETE/api/clusters/{id}/backups/{backupId}
Delete an etcd snapshot.
PUT/api/clusters/{id}/backup-schedule
Set automatic snapshot schedule (off / daily / weekly).
GET/api/bandwidth-tiers
List internet-gateway bandwidth tiers (name + Mbit/s).
POST/api/bandwidth-tiers
Create a bandwidth tier (provider admin).
PATCH/api/bandwidth-tiers/{id}
Edit a bandwidth tier (provider admin).
DELETE/api/bandwidth-tiers/{id}
Delete a bandwidth tier (provider admin).
POST/api/clusters/{id}/gateway
Add/change a cluster's internet gateway — pick a bandwidth tier; NAT + throttling run on the shared per-site edge VM (reuses the Remote Connector VM; one public IP per site).
DELETE/api/clusters/{id}/gateway
Remove the cluster's internet gateway (the cluster network becomes internal / isolated).

Tenants

Your customers, their quotas and user accounts (provider admin).

GET/api/tenants
List tenants with usage stats.
POST/api/tenants
Create a tenant with optional quotas (empty = unlimited).
GET/api/tenants/{id}
Get a tenant.
PATCH/api/tenants/{id}
Update name, status (active/suspended) and quotas.
DELETE/api/tenants/{id}
Delete a tenant (must have no active clusters).
GET/api/tenants/{id}/users
List the tenant's user accounts.
POST/api/tenants/{id}/users
Add a tenant_admin or tenant_member.
DELETE/api/tenants/{id}/users/{userId}
Remove a tenant user.

Projects

Group clusters within a tenant.

GET/api/projects
List projects (tenant-scoped).
POST/api/projects
Create a project.
GET/api/projects/{id}
Get a project.
PATCH/api/projects/{id}
Rename / describe a project.
DELETE/api/projects/{id}
Delete a project.

Usage & billing

The data basis for your billing integration.

GET/api/usage/summary
Totals + the active billing_mode (quota / usage).
GET/api/usage/report
Per-tenant usage report (JSON, or ?format=csv) — pay-as-you-go billing basis. Provider only.
GET/api/usage/clusters
Per-cluster usage with customer/billing references.
GET/api/usage/nodes
Per-node vCPU / memory / disk allocation.

License

Activate the plan bought on kubaros.io.

GET/api/license/status
Current tier, limits and usage.
POST/api/license/activate
Activate a KBRS- key (phones home to the license server).
POST/api/license/deactivate
Revert to the free Community tier.
POST/api/license/refresh
Re-validate the license against the server.

Updates

Self-updater (operator-configured channel).

GET/api/updates/status
Installed + latest version, channel, progress.
POST/api/updates/check
Check GitHub releases for a newer version.
POST/api/updates/apply
Apply the available update (preflight + backup).
GET/api/updates/events
Update log / event stream.

API tokens

Scoped credentials for automation and billing.

GET/api/api-tokens/scopes
List all available permission scopes.
GET/api/api-tokens
List issued tokens (metadata only).
POST/api/api-tokens
Create a scoped token (shown once).
DELETE/api/api-tokens/{id}
Revoke a token.

Jobs, audit & settings

Operational endpoints.

GET/api/jobs
List provisioning jobs.
GET/api/jobs/{id}
Job detail incl. live events.
GET/api/audit-logs
Immutable audit trail of critical actions.
GET/api/settings
Read Kubaros settings + defaults.
PUT/api/settings
Update settings incl. billing_mode, white-label branding (brand_name/brand_logo_url/brand_accent_color/brand_hide_powered_by) and default_proxmox_connection_id.

Branding

Public white-label identity of the appliance (name, logo, accent).

GET/api/branding
Public: brand name, logo URL, accent color, hide-powered-by (read by the login/setup screens). Edited via PUT /api/settings (provider admin).