Nine primitives, one region, one substrate version live at a time. Every workload runs inside a capacity envelope you commit to monthly. The orchestrator reads that envelope before it provisions anything and refuses anything past it. The rest of this page is what sits behind that single rule.
The quota covers four primitives: vCPU, RAM, block storage and object storage. You pay for the amount you commit to, in EUR. Resizing takes 30 days' notice and a co-signed addendum.
The cap is how far above quota the autoscaler may grow before the gate refuses. Three plain choices: +5%, +10% or +20%. A higher cap means more headroom reserved on our side.
When a call would land past the cap: the provisioning call returns HTTP 429, the autoscaler does not grow the pool, the org owner receives an email within 30 seconds, and the audit ledger gets a refusal line.
The policy gate sits between the Prometheus alerts that trigger scaling and OneFlow. It reads the contract on every provisioning call, projects post-scale usage against the envelope, and either calls oneflow.scale() or returns 429. p50 trip-to-settled across prod-eu-a is 52 seconds; p99 is 71. 2,184 events fired in the trailing 30 days; none escalated to us.
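What the gate's decision looks like in code, as an added example that is not virtscale's own gate. It assumes things the page does not specify: a contract shaped as an integer quota per primitive plus a cap percentage, usage and requested deltas keyed by the assumed primitive names below, and an invented audit-ledger line format.

```python
"""Capacity-envelope policy gate (added example, not virtscale's own code).

Assumptions, none of them given by the page: the contract is a quota per
primitive plus a cap percentage; usage and requested deltas are integers keyed
by the primitive names below; the audit-ledger line format is invented.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Tuple

PRIMITIVES = ("vcpu", "ram_gib", "block_gib", "object_gib")  # assumed keys and units
CAP_CHOICES = (5, 10, 20)                                     # the three cap options


@dataclass(frozen=True)
class Contract:
    org: str
    quota: Dict[str, int]   # committed monthly envelope per primitive
    cap_pct: int            # headroom above quota the autoscaler may use

    def __post_init__(self) -> None:
        if self.cap_pct not in CAP_CHOICES:
            raise ValueError(f"cap must be one of {CAP_CHOICES}, got {self.cap_pct}")
        missing = [p for p in PRIMITIVES if p not in self.quota]
        if missing:
            raise ValueError(f"contract has no quota for {missing}")

    def ceiling(self, prim: str) -> Fraction:
        # Hard limit the gate enforces: quota plus cap. Kept exact (no float)
        # so a request landing precisely on the cap is not refused by a
        # rounding artefact such as 100 * 1.1 == 110.00000000000001.
        return Fraction(self.quota[prim] * (100 + self.cap_pct), 100)


@dataclass(frozen=True)
class Decision:
    status: int                                        # 200: call scale(); 429: refuse
    breaches: Tuple[Tuple[str, int, Fraction], ...]    # (primitive, projected, ceiling)
    ledger: str                                        # line for the audit ledger


def evaluate(contract: Contract, usage: Dict[str, int],
             delta: Dict[str, int], request_id: str) -> Decision:
    """Project post-scale usage against the envelope and allow or refuse.

    `usage` is current consumption, `delta` what the provisioning call would
    add (negative = scale-in). Each primitive is checked on its own: the call
    is refused if any primitive it grows would end above quota + cap.
    Scale-in is never refused, even for a primitive already over its ceiling,
    since blocking it could only make the overage worse.
    """
    unknown = set(delta) - set(PRIMITIVES)
    if unknown:
        raise ValueError(f"request names primitives outside the envelope: {sorted(unknown)}")
    breaches = []
    for prim in PRIMITIVES:
        change = delta.get(prim, 0)
        if change <= 0:
            continue
        projected = usage.get(prim, 0) + change
        ceiling = contract.ceiling(prim)
        if projected > ceiling:
            breaches.append((prim, projected, ceiling))
    if not breaches:
        return Decision(200, (), f"allow org={contract.org} req={request_id}")
    # The ledger line names the primitive that is furthest over its ceiling.
    prim, projected, ceiling = max(breaches, key=lambda b: b[1] / b[2])
    ledger = (f"refuse org={contract.org} req={request_id} primitive={prim} "
              f"projected={projected} ceiling={float(ceiling):g}")
    return Decision(429, tuple(breaches), ledger)


if __name__ == "__main__":
    # Constructed sample contract and usage, not real tenant data.
    acme = Contract("acme", {"vcpu": 100, "ram_gib": 400,
                             "block_gib": 2000, "object_gib": 5000}, cap_pct=10)
    now = {"vcpu": 96, "ram_gib": 380, "block_gib": 1500, "object_gib": 4000}
    for rid, delta in (("r-1", {"vcpu": 14, "ram_gib": 56}),   # lands exactly on the cap
                       ("r-2", {"vcpu": 15}),                   # one vCPU too many
                       ("r-3", {"vcpu": -10})):                 # scale-in: always allowed
        print(evaluate(acme, now, delta, rid).ledger)
```

Three choices in this example are worth carrying into any real gate: the ceiling is computed in exact arithmetic so a request that lands exactly on quota + cap is allowed rather than lost to floating-point rounding; scale-in is never refused, because a gate that blocks shrinking can only deepen an overage; and a request naming a primitive the envelope does not cover is an error, not a silent allow.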
Templated KVM domains on warm hosts. Two sizing families: general (1:4 vCPU:GiB) and compute (1:2). NUMA pinning per vCPU is available on opt-in. The boot disk lives on Ceph RBD; the larger sizes add ephemeral local NVMe, which is not replicated and should be treated as scratch.
Opinionated clusters. One CNI (Cilium with BGP), one ingress (HAProxy via gateway-api), one CSI (Ceph). Diverging from the defaults requires an ADR (architecture decision record), not a ticket. The cluster autoscaler reads the same envelope as the VM autoscaler, so node growth is subject to the same quota and cap.
One Ceph cluster behind everything, partitioned into per-org pools. S3-compatible object via RGW, block via RBD, filesystem via CephFS when asked. Three replicas, one per zone across a/b/c, a weekly scrub and a monthly deep scrub. Erasure-coded (EC) pools are available on request.
VIPs are BGP-announced from Cilium directly to our ToR switches. HAProxy 2.8 LTS terminates ingress; changes are pushed through its runtime API, so a reload drops no connections. Each org gets a VRF, and tenant separation is enforced in the eBPF datapath, not by DNS.
L3/L4 DDoS mitigation at the edge is included on every plan, not billed as an add-on. The ACL surface is small and documented; rate limits are per VIP and tunable per org. L7 (application-layer) protection is on the roadmap (ETA Q4 2026); until then, request-level floods are not mitigated at the edge.
There is no managed observability tier sold at a markup. We supply scrape configs for the substrate, a Prometheus per org, and the Alertmanager templates we run for ourselves. Retention and routing are yours to decide.
No shared control planes. A per-org VRF for network, a per-org Ceph user scoped to a private set of pools (the Ceph cluster itself is shared; isolation there is by pool and cephx capability, not by cluster), a per-org Prometheus, and a per-org Kubernetes if you opt in. The blast radius of a noisy neighbour is the noisy neighbour.
Everything the console does, the API does, including the contract endpoints. No private verbs, no internal-only endpoints. Every response carries a signed request-id; quote it back to us when you raise anything with us. SDKs in Go and Python, a Terraform provider, and a CLI (virtscale).
To request capacity, send us the vCPU, RAM and storage you need, the region, and one paragraph on the failure modes you care about. We reply with a quota, a cap and a substrate version. The first reply comes from the on-call engineer who would operate it.