Platform Mesh

kcp

kcp is a Kubernetes-style API server with the container orchestration removed. It keeps the declarative API control plane (CRDs, RBAC, the watch/list/reconcile model), adds workspaces on top of it, and turns the result into a substrate for managing arbitrary services through the Kubernetes Resource Model (KRM).

Platform Mesh runs on top of kcp. Every Platform Mesh account, organization, provider, and marketplace surface is a kcp workspace; every cross-account interaction goes through an APIExport / APIBinding pair; every authentication and authorization decision passes through kcp's authentication and authorization chain.

Why kcp

What Platform Mesh uses from kcp

| Topic | What it covers |
| --- | --- |
| Workspaces | Workspace, WorkspaceType, LogicalCluster, hierarchical paths, the orgs and account types Platform Mesh defines. |
| API sharing | APIExport, APIBinding, APIResourceSchema, permission claims, identity hash, APIExportEndpointSlice. |
| Identity and authorization | Front proxy, OIDC (AuthenticationConfiguration + WorkspaceAuthenticationConfiguration), AuthorizationConfiguration chain, rebac-authz-webhook wiring. |
| Virtual workspaces | /services/apiexport/... endpoints, reading APIExportEndpointSlice.status, terminating-phase URLs from WorkspaceType.status.virtualWorkspaces. |
| Watch and sync | multicluster-provider, pathaware and apiexport flavors, mcreconcile.Request, manager.GetCluster(). |
| Sharding | Sharded topology in the Platform Mesh local setup and in production. |

kcp-operator deploys kcp itself through its RootShard, Shard, FrontProxy, CacheServer, and Kubeconfig CRs. It is a separate project that sits alongside kcp, not part of the kcp API server.

kcp.io annotations Platform Mesh reads or writes

| Annotation | Set by | Used by |
| --- | --- | --- |
| kcp.io/cluster | kcp, on objects returned through wildcard / virtual-workspace reads | Platform Mesh controllers, to identify the source workspace |
| kcp.io/path | kcp, on LogicalCluster | Platform Mesh controllers, for routing and Workspace.spec.type.path references |
| authorization.kcp.io/required-groups | platform owners, on workspaces | kcp authorizer chain (required-groups stage) |
| authentication.kcp.io/scopes | tooling | kcp front proxy / authentication |
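Two of the annotations above carry security weight for a controller author: a controller that fans out over many workspaces must attribute every object it sees to the workspace named in kcp.io/cluster and fail closed when that annotation is absent, and a platform owner who sets authorization.kcp.io/required-groups should know exactly which group combinations the value admits. The following is an added example, not kcp or Platform Mesh code; it uses only the annotation keys listed in the table, and the `,` = OR / `;` = AND grammar it applies to required-groups is an assumption about kcp's authorizer, not something this page states.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Annotation keys from the table. The keys are kcp's; everything else here
// is example code (not kcp or Platform Mesh code).
const (
	ClusterAnnotation        = "kcp.io/cluster"
	RequiredGroupsAnnotation = "authorization.kcp.io/required-groups"
)

var ErrNoSourceCluster = errors.New("object carries no " + ClusterAnnotation + " annotation")

// SourceCluster returns the logical cluster an object was read from when it
// arrived through a wildcard or virtual-workspace endpoint. A controller must
// not fall back to a default workspace: an object without the annotation is
// rejected so it can never be reconciled into the wrong tenant.
func SourceCluster(annotations map[string]string) (string, error) {
	name := strings.TrimSpace(annotations[ClusterAnnotation])
	if name == "" {
		return "", ErrNoSourceCluster
	}
	return name, nil
}

// RequiredGroupsSatisfied evaluates a required-groups annotation value against
// the groups a user presents. ASSUMED grammar (not stated on this page):
// comma-separated clauses are alternatives, semicolon-separated groups inside
// one clause must all be present, e.g.
//   "platform-admins,tenant-acme;billing" == platform-admins OR (tenant-acme AND billing)
// An empty value imposes no requirement; a malformed clause (empty group name)
// never matches, so a typo cannot accidentally widen access.
func RequiredGroupsSatisfied(annotation string, userGroups []string) bool {
	annotation = strings.TrimSpace(annotation)
	if annotation == "" {
		return true
	}
	have := make(map[string]struct{}, len(userGroups))
	for _, g := range userGroups {
		have[g] = struct{}{}
	}
	for _, clause := range strings.Split(annotation, ",") {
		required := strings.Split(clause, ";")
		ok := true
		for _, g := range required {
			g = strings.TrimSpace(g)
			if g == "" {
				ok = false // malformed clause: deny rather than treat as wildcard
				break
			}
			if _, member := have[g]; !member {
				ok = false
				break
			}
		}
		if ok {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: the metadata.annotations a virtual-workspace read
	// would return on an object (cluster name is made up).
	obj := map[string]string{ClusterAnnotation: "2x7bcfg3l0j9y1p2"}
	cluster, err := SourceCluster(obj)
	fmt.Println("source cluster:", cluster, "err:", err)
	_, err = SourceCluster(map[string]string{})
	fmt.Println("missing annotation ->", err)

	// Constructed sample value a platform owner might set on a workspace.
	expr := "platform-admins,tenant-acme;billing"
	fmt.Println(RequiredGroupsSatisfied(expr, []string{"tenant-acme", "billing"})) // true
	fmt.Println(RequiredGroupsSatisfied(expr, []string{"tenant-acme"}))            // false
	fmt.Println(RequiredGroupsSatisfied(expr, []string{"platform-admins"}))        // true
}
```

Use `SourceCluster` on every object delivered by a wildcard or apiexport virtual-workspace informer before deriving any workspace-scoped client from it; if your setup's required-groups grammar differs from the assumed one, change only the two `strings.Split` separators.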

Repository