What does a dental practice have in common with a data center? At first glance, not much — but if you ask Bogdan Mitrea, Architect at Dentsply Sirona, Kubernetes is bridging that gap.
In a joint talk at KubeCon Europe 2024, Mitrea and Kevin Reeuwijk, Principal Architect at Spectro Cloud, shared how they’ve teamed up to deploy thousands of Kubernetes clusters at the edge — specifically, in dental clinics. The goal? Powering real-time 3D scanning and AI workflows to transform patient care, without burdening dental staff with IT complexity.
“We had all these beautiful tools in the cloud-native ecosystem,” said Mitrea, “and the idea was, can we take them into a dentist’s office — a place with zero IT support, unpredictable networks, and no tolerance for downtime?”
The answer was yes — but it required rethinking how Kubernetes works at the edge.
A scan becomes a 3D model, processed locally at the edge
Dentsply Sirona’s Primescan® intraoral scanner captures detailed digital impressions of a patient’s mouth. This isn’t just a high-tech photo — it’s high-volume 3D data that must be processed immediately and locally.
“You scan the mouth, and the data goes to an edge device — a little fanless box under the desk — that uses GPU acceleration to reconstruct the 3D model in real time,” explained Mitrea. “This happens within seconds, and then the dentist sees the model and works with it on their PC.”
This real-time loop is essential to patient comfort and clinical workflows. But it also means the compute can’t live in the cloud — it must live at the edge. And that’s where the complexity starts.
Unreliable networks, no local IT, strict security needs — edge K8s is not your typical deployment
Running Kubernetes in a dentist’s office is not like running it in a data center. Devices are deployed into unmanaged, often consumer-grade networks. IPs change. Proxies pop up. There’s no SSH access, no on-site IT, and no display on the device itself.
“You have a black box, no screen, no keyboard. It’s expected to just power on and work,” said Mitrea. “And because it holds protected health data, it has to be secure — HIPAA, GDPR — everything.”
Maintaining those clusters was another challenge. If a device failed, a field technician couldn’t just show up to fix it — replacements had to be shipped and re-provisioned remotely.
“Software drifts. Clusters age. But we can’t log in and fix them. Everything has to be self-healing, centrally controlled, and designed for failure.”
The edge environment drove a long list of technical requirements:
Zero-touch onboarding via smartphone app
Remote updates and lifecycle management
Strong encryption at rest and in transit
Trusted boot, full disk encryption, and tamper resistance
Fleet-wide observability and policy enforcement
“There’s no guarantee the device will always be online, or that it will come back to the same network. So our clusters needed to survive that kind of chaos,” said Mitrea.
Spectro Cloud’s Palette platform became the backbone of this architecture. With it, the Dentsply team could define profiles, manage upgrades, monitor fleet health, and ensure consistency across thousands of edge nodes.
Devices enroll with Palette through a mobile app — no manual config required
Kevin Reeuwijk from Spectro Cloud described their mission this way:
“Our job was to make Kubernetes invisible. That’s what edge really means. We wanted to build a solution that the dentist never sees — it just works.”
Each device is preloaded at the factory, shipped to the clinic, plugged in, and then activated via a Dentsply Sirona mobile app. Behind the scenes, the device connects to Palette, which assigns the right cluster profile and orchestrates a full-stack deployment — from the OS up through Kubernetes and application layers.
To make this possible, Dentsply standardized on Kairos, an immutable Linux distribution optimized for edge. It supports trusted boot, secure partitions (A/B updates), and remote management.
“We don’t patch OSes in place,” Mitrea explained. “We flip to a new partition. If it boots cleanly, great. If not, it rolls back.”
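The partition flip and rollback just described, modelled as an added example (not Kairos, Dentsply Sirona or Spectro Cloud code): a device stages a new image in the passive slot, trial-boots it, confirms it only when a health check passes, and otherwise rolls back after a fixed number of failed boots. The slot names, retry limit and health check are assumptions.

```python
"""Illustrative model of an A/B partition update with automatic rollback.
Added example, not project code; slot names, MAX_BOOT_TRIES and the
health check are assumptions."""
from dataclasses import dataclass, field
from typing import Callable

MAX_BOOT_TRIES = 3  # assumed: failed trial boots allowed before rollback


@dataclass
class Slot:
    name: str             # assumed slot label, e.g. "A" or "B"
    version: str
    healthy: bool = True  # constructed: does this image boot cleanly?


def default_health_check(slot: Slot) -> bool:
    """Stand-in for the real check (node rejoined the cluster and checked
    in with the management plane); here it just reads the constructed flag."""
    return slot.healthy


@dataclass
class Device:
    active: Slot
    passive: Slot
    tries_left: int = MAX_BOOT_TRIES
    pending: bool = False  # an update is staged but not yet confirmed
    history: list = field(default_factory=list)

    def stage_update(self, version: str, image_boots: bool) -> None:
        """Write the new image to the passive slot and make it the trial
        slot. The previously active slot is never modified in place."""
        self.passive = Slot(self.passive.name, version, image_boots)
        self.active, self.passive = self.passive, self.active
        self.tries_left = MAX_BOOT_TRIES
        self.pending = True

    def boot(self, health_check: Callable[[Slot], bool] = default_health_check) -> str:
        """One boot attempt; returns the version that ends up running."""
        if not self.pending:
            self.history.append(f"boot {self.active.version}: stable")
            return self.active.version
        if health_check(self.active):
            self.pending = False  # clean boot: the new slot is confirmed
            self.history.append(f"boot {self.active.version}: confirmed")
            return self.active.version
        self.tries_left -= 1
        self.history.append(f"boot {self.active.version}: failed")
        if self.tries_left == 0:  # out of tries: flip back to the old slot
            self.active, self.passive = self.passive, self.active
            self.pending = False
            self.history.append(f"rollback to {self.active.version}")
        return self.active.version
```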
Zero trust, encryption, and centralized response — security built in from day one
With sensitive health data in play, security was non-negotiable. That meant full disk encryption, remote attestation, and zero-trust principles.
“There’s no physical control over these devices once they’re deployed,” said Mitrea. “So we have to assume they could be compromised — and design accordingly.”
That includes:
TPM-based key management
No SSH access ever
Live kernel patching
Policy-based access control
Automated anomaly detection and alerting
Reeuwijk added that the system was designed for rapid incident response: “You can’t prevent every exploit. But you can be ready. We built in the ability to rotate keys, revoke access, and restore trust quickly — without touching the device.”
The team has deployed thousands of devices already — and they’re still learning.
“Managing edge devices is way harder than you think,” said Mitrea. “You’re dealing with unknown networks, weird failures, and no local support. Everything breaks in new and interesting ways.”
Observability was critical — not just to know when something failed, but to catch it before a dentist called support.
“You want alerts that are actionable, not noisy,” said Reeuwijk. “Smart thresholds. Anomaly detection. AI in the loop.”
One of the biggest takeaways? Avoid vendor lock-in.
“Change is the only constant,” Mitrea said. “That’s why we bet on open source, flexibility, and declarative infrastructure.”
Today, Dentsply Sirona’s fleet of edge Kubernetes clusters is running around the world — securely, quietly, and invisibly. For patients, the benefits are tangible: faster, more comfortable dental procedures. For clinics, the tech just works.
“We took all the mess of cloud-native infrastructure,” said Mitrea, “and made it look simple — like magic. That’s the real success here.”
Reeuwijk summed it up with a grin: “It didn’t hurt a bit.”