Hello,
What are the thoughts on building a single control plane architecture for shared, dedicated and BYOC (bring your own cluster) models? A push design (control plane pushed upgrades/installs) vs pull-based (agents deployed on data planes pull software updates etc.).
Colt McNealy
06/28/2023, 12:56 PM
One argument I've heard in favor of pull-based is that if you do pull-based, the data plane in BYOC doesn't have to expose any ports to the public internet, which makes it more secure.
Bill Tarr
06/29/2023, 2:51 PM
+1 @Colt McNealy - pull unlocks uni-directional networking with PrivateLink as well.
Mitch
06/29/2023, 3:40 PM
Pull is also MUCH easier for infosec teams to grok and approve
Mitch
06/29/2023, 3:41 PM
and when designing a multi-tenant control plane, easier to manage
Adheip Singh
06/29/2023, 3:51 PM
Agreed! Thanks for the replies.
I wonder if the control plane itself can be detached from the SaaS layers and the control plane itself can be shipped and run on the data planes.
IMHO, to create network/storage/k8s, the CP still needs to push to create the initial infra; post infra setup, agents can pull in configs.
Mitch
06/29/2023, 3:53 PM
Yes. Probably as a secondary step if you plan to have customers in the government space or HIPAA
Adheip Singh
06/29/2023, 3:57 PM
Exactly!
IMHO the service provisioning layer can be abstracted out.
Thanks @Mitch