Governance-First VM Management for KubeVirt
Self-service virtual machine lifecycle management with structured approval workflows, role-based access control, and full audit trails across multiple Kubernetes clusters.
KubeVirt runs your VMs.
Who governs them?
KubeVirt solves "running VMs on Kubernetes". Shepherd solves what comes next: who can request a VM, who approves it, how are quotas enforced, and where is the audit trail?
Without Governance
- ⚠️ Anyone can spin up VMs without approval
- ⚠️ No visibility into who did what and when
- ⚠️ Resource sprawl and orphaned instances
- ⚠️ Compliance gaps in regulated environments
- ⚠️ Vendor lock-in with commercial solutions
With Shepherd
- ✅ Structured approval workflows for every VM operation
- ✅ Complete audit trail for every resource change
- ✅ Governed self-service — freedom with guardrails
- ✅ Production-grade RBAC with environment scoping
- ✅ No vendor lock-in — runs on any Kubernetes distribution
How Shepherd Compares
| Capability | OpenShift Virtualization | Shepherd |
|---|---|---|
| Multi-cluster management | Requires RHACM | ✔ Native |
| Approval workflows | ✔ | ✔ Built-in |
| Self-service portal | Operator-driven | ✔ Request → Approve → Deliver |
| Audit trail | OpenShift-integrated | ✔ Platform-native |
| Vendor lock-in | Strong (OpenShift) | None |
Production Governance Capabilities
Every capability balances platform control with user autonomy — structured enough for compliance, flexible enough for daily operations.
Approval Workflows
Structured request and multi-level approval for every VM lifecycle operation — create, modify, start, stop, delete.
Dual-Layer RBAC
Platform-facing RBAC for global capabilities, plus System membership that inherits down to Services and VMs with environment scoping.
Full Audit Trail
Complete operation history for every resource change. Know who did what, when, and why — compliance-ready from day one.
Multi-Cluster
Unified management plane across multiple Kubernetes clusters. No additional components like RHACM required.
VM Console Access
VNC and serial console access with approval-aware entrypoints. Direct browser-based console for managed virtual machines.
Internationalization
Chinese/English UI out of the box, extensible to additional languages. Auth Plugin SDK for LDAP, OIDC, and custom providers.
Engineering Approach
Contract-first API design, declarative schema migrations, and structured decision governance through Architecture Decision Records.
Contract-First API
OpenAPI spec drives code generation, docs, and client SDKs.
PostgreSQL-Only
No Redis, no external MQ. Minimal operational complexity.
ADR Governance
53 Architecture Decision Records with full context and rationale.
CI Gate Enforcement
Lint, test, type-check, build — all enforced. No bypass allowed.
Three Ways to Try Shepherd
From instant demo to full self-hosted deployment — pick the path that fits your needs.
Online Demo
Explore the full platform instantly — no setup required. Pre-seeded with sample data.
Try Demo →
GitHub Codespaces
Full dev environment in the browser. Builds from source, boots the full platform stack with seed data.
Open in Codespaces →
Self-Hosted (VPS)
Docker Compose one-click deploy. Full control on your own infrastructure with TLS and production config.
Deploy Guide →
Built in the Open
Shepherd is Apache 2.0 licensed and developed in the open. We follow community best practices with transparent governance, Architecture Decision Records, and an enforced CI pipeline to ensure code quality.
We welcome all forms of feedback — bug reports, feature suggestions, usage stories, and governance ideas. Your input shapes the project direction.