clust

A self-healing container runtime with built-in mTLS mesh. Zero external dependencies.

What it does

No external dependencies.
Consensus, identity, and networking are part of the runtime. Nothing else to install.

One command to deploy.
Placement, networking, and certificates are handled.

Reconciles drift.
Nodes fail. Containers crash. The runtime closes the gap.

Deny by default.
Workloads can't talk to each other or to the internet unless a policy says so. Unauthorized traffic is dropped at the edge. Egress goes through a gateway that enforces per-workload allowlists by identity.

mTLS on every connection.
Every connection between nodes is mutual TLS over HTTP/2. gRPC and HTTP share the path with per-request load balancing. No sidecars. No SDK. No TLS config in your app.

Open standards.
SPIFFE workload identity. X.509 mTLS. Raft consensus. CloudEvents 1.0. OCI containers. OpenMetrics. W3C Trace Context.

Install

curl -sfL https://raw.githubusercontent.com/clustrun/install/main/install.sh | sh

Installs to ~/.clust/bin. Override with INSTALL_DIR.


© 2026 clust.run