The Kubiya Control Plane can be self-hosted on your own infrastructure, giving you full control over your agent orchestration platform with VPC-only access, compliance boundaries, and custom integrations.
Run Anywhere : Deploy on local machines, cloud VMs (AWS, GCP, Azure), Kubernetes clusters, or bare metal servers with full access to private resources.
Overview The Control Plane is a FastAPI-based REST API server that orchestrates your entire Kubiya infrastructure.
Key Responsibilities :
Manages agent lifecycle and configuration
Integrates with Temporal for workflow orchestration
Handles teams, projects, environments, and policies
Streams real-time execution events via WebSocket
Routes tasks to appropriate queues and workers
Quick Start
Create Database
createdb kubiya_control_plane
Configure Connection
export DATABASE_URL = 'postgresql://user:pass@localhost:5432/kubiya_control_plane'
URL-encode special characters : ! → %21, @ → %40, # → %23
Start Server
kubiya control-plane start
Automatically installs the latest version from PyPI.
Verify
curl http://localhost:7777/api/health
Visit http://localhost:7777/api/docs for interactive API documentation. Prerequisites System Requirements
Python 3.10+ (NOT 3.8+)PostgreSQL 13+ (required)Redis (optional, recommended)2GB RAM minimum (4GB recommended)
Database Setup Local PostgreSQL
Supabase
AWS RDS
Google Cloud SQL
# macOS brew install postgresql@15 brew services start postgresql@15 # Ubuntu/Debian sudo apt-get install postgresql-15 sudo systemctl start postgresql # Create database createdb kubiya_control_plane
Use your Supabase connection string with proper URL encoding: export DATABASE_URL = 'postgresql://user:[email protected] :5432/kubiya?sslmode=require'
export DATABASE_URL = 'postgresql://user:pass@/kubiya?host=/cloudsql/project:region:instance'
Optional: Redis # macOS brew install redis && brew services start redis # Ubuntu/Debian sudo apt-get install redis-server && sudo systemctl start redis # Docker docker run -d -p 6379:6379 redis:7-alpine
Configuration Package Installation By default, the CLI installs the latest version from PyPI automatically.
PyPI (Default)
Git Repository
Local Source
# Latest version kubiya control-plane start # Specific version kubiya control-plane start --package-version=0.6.0
# Main branch kubiya control-plane start \ --package-source=git+https://github.com/kubiyabot/control-plane-api.git@main # Specific commit kubiya control-plane start \ --package-source=kubiyabot/control-plane-api@abc123
kubiya control-plane start --package-source=/path/to/control-plane-api
Server Options # Default configuration kubiya control-plane start # Custom host/port kubiya control-plane start --host=127.0.0.1 --port=8080 # Production with 4 workers kubiya control-plane start --workers=4 # Development with hot reload kubiya control-plane start --development # With LiteLLM gateway kubiya control-plane start --litellm-gateway-url=http://localhost:4000
Production vs Development
Development Mode (--development):
Hot reloading on code changes
Single worker process
NOT for production Production Mode (--workers=N):
Gunicorn with multiple workers
Better performance and fault tolerance
Recommended: 4 workers
Route LLM requests through your own proxy: kubiya control-plane start \ --litellm-gateway-url=http://localhost:4000 \ --litellm-api-key=your-key
Benefits: centralized management, cost tracking, rate limiting Environment Variables Variable Required Default Description DATABASE_URL✅ - PostgreSQL connection string API_HOST❌ 0.0.0.0Server bind address API_PORT❌ 7777Server port SECRET_KEY⚠️ Auto JWT secret (set for production!) REDIS_URL❌ redis://localhost:6379/0Redis connection TEMPORAL_HOST❌ localhost:7233Temporal server LITELLM_API_KEY❌ - LiteLLM API key LITELLM_GATEWAY_URL❌ - LiteLLM gateway URL SUPABASE_URL❌ - Supabase project URL SUPABASE_SERVICE_KEY❌ - Supabase service key
Use CLI flags --workers and --development for worker count and hot reloading.
Production Security : Never use auto-generated SECRET_KEY in production!export SECRET_KEY = "$( openssl rand -base64 32 )"
Production Deployment Docker Dockerfile
Docker Compose
FROM python:3.11-slim RUN curl -fsSL https://cli.kubiya.ai/install.sh | sh WORKDIR /app ENV API_PORT=7777 HEALTHCHECK CMD curl -f http://localhost:7777/api/health || exit 1 CMD [ "kubiya" , "control-plane" , "start" ]
version : '3.8' services : postgres : image : postgres:15-alpine environment : POSTGRES_DB : kubiya POSTGRES_USER : kubiya POSTGRES_PASSWORD : ${POSTGRES_PASSWORD} volumes : - postgres_data:/var/lib/postgresql/data healthcheck : test : [ "CMD-SHELL" , "pg_isready -U kubiya" ] interval : 10s redis : image : redis:7-alpine command : redis-server --requirepass ${REDIS_PASSWORD} control-plane : build : . depends_on : postgres : condition : service_healthy environment : DATABASE_URL : postgresql://kubiya:${POSTGRES_PASSWORD}@postgres:5432/kubiya REDIS_URL : redis://:${REDIS_PASSWORD}@redis:6379/0 SECRET_KEY : ${SECRET_KEY} ports : - "7777:7777" restart : unless-stopped command : [ "kubiya" , "control-plane" , "start" , "--workers=4" ] volumes : postgres_data :
Kubernetes Deployment
Service
Secrets
apiVersion : apps/v1 kind : Deployment metadata : name : control-plane spec : replicas : 3 selector : matchLabels : app : control-plane template : metadata : labels : app : control-plane spec : containers : - name : control-plane image : your-registry/control-plane:latest ports : - containerPort : 7777 env : - name : DATABASE_URL valueFrom : secretKeyRef : name : control-plane-secrets key : database-url - name : SECRET_KEY valueFrom : secretKeyRef : name : control-plane-secrets key : secret-key resources : requests : memory : "512Mi" cpu : "250m" limits : memory : "2Gi" cpu : "1000m" livenessProbe : httpGet : path : /api/health port : 7777 initialDelaySeconds : 60 readinessProbe : httpGet : path : /api/health port : 7777 initialDelaySeconds : 30
apiVersion : v1 kind : Service metadata : name : control-plane spec : selector : app : control-plane ports : - port : 7777 targetPort : 7777 type : LoadBalancer
apiVersion : v1 kind : Secret metadata : name : control-plane-secrets type : Opaque stringData : database-url : "postgresql://user:pass@postgres:5432/kubiya" secret-key : "your-secret-key-here"
Nginx Reverse Proxy upstream control_plane { server localhost:7777; } server { listen 443 ssl http2; server_name api.your-domain.com; ssl_certificate /etc/ssl/certs/your-domain.crt; ssl_certificate_key /etc/ssl/private/your-domain.key; ssl_protocols TLSv1.2 TLSv1.3; location / { proxy_pass http://control_plane; proxy_http_version 1.1 ; proxy_set_header Upgrade $ http_upgrade ; proxy_set_header Connection "upgrade" ; proxy_set_header Host $ host ; proxy_set_header X-Real-IP $ remote_addr ; proxy_set_header X-Forwarded-For $ proxy_add_x_forwarded_for ; proxy_set_header X-Forwarded-Proto $ scheme ; } }
Database Management Automatic Migrations Migrations run automatically on startup using Alembic:
kubiya control-plane start # [3/4] Running database migrations... # ✓ Database migrations complete
Backup & Restore # Backup pg_dump $DATABASE_URL > backup_ $( date +%Y%m%d_%H%M%S ) .sql # Restore psql $DATABASE_URL < backup_20260105_140000.sql # Automated backups (cron) 0 2 * * * pg_dump $DATABASE_URL | gzip > /backups/cp_ $( date + \% Y \% m \% d ) .sql.gz
Connection Pooling Use PgBouncer for production:
[databases] kubiya = host =localhost port =5432 dbname =kubiya [pgbouncer] listen_port = 6432 pool_mode = transaction max_client_conn = 1000 default_pool_size = 25
Monitoring Health Checks curl http://localhost:7777/api/health # {"status":"ok"}
API Documentation Once running, access:
Swagger UI : http://localhost:7777/api/docsReDoc : http://localhost:7777/api/redocOpenAPI Spec : http://localhost:7777/api/openapi.json
Built-in WebUI # Default (auto-assigned port) kubiya control-plane start # Custom port kubiya control-plane start --webui-port=9999 # Disable kubiya control-plane start --no-webui
The WebUI provides real-time logs, health status, and process info.
Logs tail -f ~/.kubiya/control-plane/logs/server.log cat ~/.kubiya/control-plane/logs/server.log | jq '.message'
docker-compose logs -f control-plane
kubectl logs -f deployment/control-plane kubectl logs -l app=control-plane --all-containers=true
Security Production Checklist Best Practices
Never use auto-generated keys in production: # Generate strong key export SECRET_KEY = "$( openssl rand -base64 32 )" # Use secret managers export SECRET_KEY = "$( aws secretsmanager get-secret-value \ --secret-id kubiya/control-plane/secret-key \ --query SecretString --output text)"
Never pass secrets via CLI flags (visible in process list)
Always use SSL/TLS: export DATABASE_URL = 'postgresql://user:pass@host:5432/db?sslmode=require'
Grant minimal permissions: CREATE USER kubiya_cp WITH PASSWORD 'secure_password' ; GRANT CONNECT ON DATABASE kubiya TO kubiya_cp; GRANT SELECT , INSERT , UPDATE , DELETE ON ALL TABLES IN SCHEMA public TO kubiya_cp;
Bind to localhost for local-only access: kubiya control-plane start --host=127.0.0.1
Always use reverse proxy for external access with:
SSL/TLS termination
Rate limiting
WAF protection
Troubleshooting
Database Connection Failed
Error : migration failed: connection refusedSolutions :
Verify PostgreSQL is running: pg_isready -h localhost -p 5432
Check DATABASE_URL format: echo $DATABASE_URL
Test connection: psql $DATABASE_URL -c "SELECT 1"
Check firewall: nc -zv postgres-host 5432
Error : server did not become healthySolutions :
Find process: lsof -i:7777
Kill process: lsof -ti:7777 | xargs kill
Use different port: --port=8888
Error : could not translate host nameCause : Special characters in password not encodedSolution : Encode special characters:
! → %21, @ → %40, # → %23, $ → %24, % → %25 # Wrong DATABASE_URL = 'postgresql://user:pass!word@host:5432/db' # Correct DATABASE_URL = 'postgresql://user:pass%21word@host:5432/db'
Or use Python: python3 -c "from urllib.parse import quote; print(quote('pass!word'))"
Error : ModuleNotFoundErrorSolutions :
Reinstall: kubiya control-plane start --no-cache
Specific version: kubiya control-plane start --package-version=0.6.0 --no-cache
Use Git: --package-source=git+https://github.com/kubiyabot/control-plane-api.git@main
Warning : Using auto-generated SECRET_KEY (not suitable for production)Solution :export SECRET_KEY = "$( openssl rand -base64 32 )" kubiya control-plane start
Debug Mode export LOG_LEVEL = DEBUG kubiya control-plane start tail -f ~/.kubiya/control-plane/logs/server.log | jq .
Next Steps 
