Managed Kubernetes vs Self-Managed: Which Should You Pick?

The Core Difference: Who Runs the Control Plane?

Kubernetes splits cleanly into two halves. The control plane is the brain — the API server, scheduler, controller manager, and the etcd database that stores cluster state. The worker nodes are the muscle, where your containers actually run. In both models you deploy with the same kubectl, the same Helm charts, the same YAML. What changes is who keeps the brain alive.

With managed Kubernetes, the provider runs and guarantees the control plane for you: etcd backups, API server availability, version upgrades, and certificate rotation are their problem. You manage workloads and (usually) the worker nodes. With self-managed Kubernetes, you stand up and operate the entire cluster yourself — typically with kubeadm, k3s, Cluster API, or a distribution like Rancher or OpenShift — on VMs or bare metal you control end to end.

So the decision is rarely about Kubernetes itself. It's about how much of the undifferentiated operational heavy lifting you want to own versus hand off.

• Control plane = API server + scheduler + controllers + etcd (the part that's painful to operate)
• Managed = provider runs the control plane; you run workloads
• Self-managed = you run everything, from etcd backups to OS patching

What Self-Managed Really Costs You (Beyond the Bill)

On paper, self-managed looks cheaper: you only pay for the raw compute. There's no per-cluster control plane fee, and open-source Kubernetes is free. For a single non-critical cluster run by an engineer who already knows the ropes, that math can genuinely work.

The hidden cost is operational. A production-grade self-managed cluster means you own etcd backups and disaster recovery, quarterly version upgrades (Kubernetes ships a new minor release roughly every 4 months and supports each for about 14 months, so you cannot skip them), CVE patching on the OS and the control plane, certificate rotation, and high-availability across three control-plane nodes so a single failure doesn't take down your API. None of that ships your product. Realistically, keeping one HA cluster healthy is a meaningful slice of a platform engineer's week — and that salaried time usually dwarfs any infrastructure savings.

The trap is that self-managed feels free until the first 2 a.m. incident: a failed upgrade, an etcd disk filling up, or an expired certificate that locks you out of your own API server.

What You Gain — and Give Up — With Managed Kubernetes

Managed Kubernetes trades a slice of control for a large reduction in toil. The provider absorbs control-plane availability, upgrades, patching, and node lifecycle, and typically backs it with an uptime SLA (often around 99.95%). Your team stops being on call for etcd and starts shipping features. For most teams, that's the entire point.

The trade-off is reduced low-level access. You generally don't SSH into control-plane nodes or hand-tune API server flags, and you're working within the provider's supported versions and upgrade cadence. For 95% of workloads that's a non-issue — but if you need exotic admission controllers, a custom CNI at the control-plane level, or air-gapped on-prem compliance, self-managed gives you that reach.

Watch one line item closely: many clouds bill a separate control-plane fee of roughly \$0.10/hour — about \$73/month per cluster — before you've run a single workload. That adds up fast across dev, staging, and per-team clusters, so it belongs in any honest comparison.

A Simple Decision Framework

Strip away the tribalism and the choice comes down to three questions: Do you have dedicated platform/SRE staff? Is the cluster carrying revenue-critical traffic? And do you have unusual control or compliance requirements that a managed service can't meet?

If you have a real ops team, deep Kubernetes expertise, and a hard requirement for control-plane-level customization or an air-gapped environment, self-managed earns its keep. If your engineers are better spent on product, uptime is business-critical, or you simply don't want to own etcd backups and upgrade nights, managed wins — and it's the right default for the large majority of teams.

• Choose self-managed: dedicated SRE team, deep k8s skills, control-plane customization, or air-gapped/on-prem compliance
• Choose managed: lean team, revenue-critical uptime, no appetite for upgrade nights or etcd babysitting
• Either way, insist on upstream, CNCF-conformant Kubernetes so your manifests stay portable and you keep an exit

The Hybrid Reality: You Don't Have to Choose Forever

This isn't a one-way door. A common, sensible path is to start self-managed on a cheap k3s cluster while you're learning and pre-revenue, then move to managed once uptime starts to matter and the ops burden outgrows the savings. Others run managed in production and a small self-managed cluster for experimentation.

Portability is what keeps that door open. Because conformant Kubernetes is the same Kubernetes everywhere, your Helm charts and YAML travel with you — provided you avoid deep lock-in to proprietary, provider-specific add-ons. Keep your manifests clean and your CNI and ingress choices standard, and switching models (or providers) stays a migration, not a rewrite.

Where NordicVentures Fits

If you've decided the operational toil isn't worth owning, the managed path should still respect your wallet and your freedom to leave. NordicVentures runs production-grade managed Kubernetes on NVMe nodes across Stockholm, Frankfurt, and Ashburn — with a high-availability control plane included free (no \$73/month per-cluster tax), a financially backed 99.95% uptime SLA, horizontal pod and cluster autoscaling, and hands-off version upgrades and CVE patching.

Because it's pure upstream, CNCF-conformant Kubernetes, your existing manifests and Helm charts are portable, migration is free and handled by our engineers, and you keep your exit options. Plans start at \$29/month and you pay for worker nodes, not a control-plane surcharge.

If managed is the right call for your team, explore managed Kubernetes and see the exact specs and pricing before you commit — no hype, no lock-in.