From 2cd739e8b292939e71c69d0117c4b37094dd3c25 Mon Sep 17 00:00:00 2001
From: Philipp Matthes <p.matthes@sap.com>
Date: Tue, 25 Nov 2025 10:46:46 +0100
Subject: [PATCH 1/3] Implement multicluster support

---
 Tiltfile                                      |  14 +-
 api/v1alpha1/datasource_types.go              |   3 +
 api/v1alpha1/decision_types.go                |   3 +
 api/v1alpha1/descheduling_types.go            |   3 +
 api/v1alpha1/knowledge_types.go               |   3 +
 api/v1alpha1/kpi_types.go                     |   3 +
 api/v1alpha1/pipeline_types.go                |   3 +
 api/v1alpha1/reservation_types.go             |   3 +
 api/v1alpha1/step_types.go                    |   3 +
 cmd/main.go                                   |  89 +++--
 docs/guides/multicluster/cortex-home-crb.yaml |  12 +
 docs/guides/multicluster/cortex-home.yaml     |  23 ++
 .../multicluster/cortex-remote-crb.yaml       |  18 +
 docs/guides/multicluster/cortex-remote.yaml   |  27 ++
 docs/guides/multicluster/readme.md            | 104 ++++++
 .../cortex-ironcore/templates/pipelines.yaml  |   1 -
 .../datasources/openstack/controller.go       |   5 +-
 .../datasources/prometheus/controller.go      |   5 +-
 internal/knowledge/extractor/controller.go    |   5 +-
 internal/knowledge/extractor/trigger.go       |  20 +-
 internal/knowledge/kpis/controller.go         |  33 +-
 .../reservations/controller/controller.go     |   5 +-
 .../decisions/cinder/pipeline_controller.go   |  53 +--
 .../decisions/explanation/controller.go       |   5 +-
 .../decisions/machines/pipeline_controller.go |  53 +--
 .../decisions/manila/pipeline_controller.go   |  53 +--
 .../decisions/nova/pipeline_controller.go     |  53 +--
 .../nova/pipeline_controller_test.go          |  27 --
 .../scheduling/descheduling/nova/cleanup.go   |   5 +-
 .../scheduling/descheduling/nova/executor.go  |   5 +-
 .../descheduling/nova/executor_test.go        |  15 -
 .../descheduling/nova/pipeline_controller.go  |  35 +-
 .../nova/pipeline_controller_test.go          |  32 --
 pkg/conf/conf.go                              |  16 +
 pkg/multicluster/builder.go                   |  49 +++
 pkg/multicluster/builder_test.go              |  61 ++++
 pkg/multicluster/client.go                    | 310 ++++++++++++++++++
 pkg/multicluster/client_test.go               |  99 ++++++
 38 files changed, 985 insertions(+), 271 deletions(-)
 create mode 100644 docs/guides/multicluster/cortex-home-crb.yaml
 create mode 100644 docs/guides/multicluster/cortex-home.yaml
 create mode 100644 docs/guides/multicluster/cortex-remote-crb.yaml
 create mode 100644 docs/guides/multicluster/cortex-remote.yaml
 create mode 100644 docs/guides/multicluster/readme.md
 create mode 100644 pkg/multicluster/builder.go
 create mode 100644 pkg/multicluster/builder_test.go
 create mode 100644 pkg/multicluster/client.go
 create mode 100644 pkg/multicluster/client_test.go

diff --git a/Tiltfile b/Tiltfile
index 1ec900932..965581e7f 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -17,7 +17,11 @@ if not os.getenv('TILT_VALUES_PATH'):
     fail("TILT_VALUES_PATH is not set.")
 if not os.path.exists(os.getenv('TILT_VALUES_PATH')):
     fail("TILT_VALUES_PATH "+ os.getenv('TILT_VALUES_PATH') + " does not exist.")
-tilt_values = os.getenv('TILT_VALUES_PATH')
+tilt_values = [os.getenv('TILT_VALUES_PATH')]
+
+tilt_overrides = os.getenv('TILT_OVERRIDES_PATH')
+if tilt_overrides and os.path.exists(tilt_overrides):
+    tilt_values.append(tilt_overrides)
 
 load('ext://helm_resource', 'helm_resource', 'helm_repo')
 helm_repo(
@@ -106,7 +110,7 @@ k8s_yaml(helm('./helm/bundles/cortex-crds', name='cortex-crds', set=[
 
 if 'nova' in ACTIVE_DEPLOYMENTS:
     print("Activating Cortex Nova bundle")
-    k8s_yaml(helm('./helm/bundles/cortex-nova', name='cortex-nova', values=[tilt_values]))
+    k8s_yaml(helm('./helm/bundles/cortex-nova', name='cortex-nova', values=tilt_values))
     k8s_resource('cortex-nova-postgresql', labels=['Cortex-Nova'], port_forwards=[
         port_forward(8000, 5432),
     ])
@@ -125,7 +129,7 @@ if 'nova' in ACTIVE_DEPLOYMENTS:
 
 if 'manila' in ACTIVE_DEPLOYMENTS:
     print("Activating Cortex Manila bundle")
-    k8s_yaml(helm('./helm/bundles/cortex-manila', name='cortex-manila', values=[tilt_values]))
+    k8s_yaml(helm('./helm/bundles/cortex-manila', name='cortex-manila', values=tilt_values))
     k8s_resource('cortex-manila-postgresql', labels=['Cortex-Manila'], port_forwards=[
         port_forward(8002, 5432),
     ])
@@ -142,7 +146,7 @@ if 'manila' in ACTIVE_DEPLOYMENTS:
     )
 
 if 'cinder' in ACTIVE_DEPLOYMENTS:
-    k8s_yaml(helm('./helm/bundles/cortex-cinder', name='cortex-cinder', values=[tilt_values]))
+    k8s_yaml(helm('./helm/bundles/cortex-cinder', name='cortex-cinder', values=tilt_values))
     k8s_resource('cortex-cinder-postgresql', labels=['Cortex-Cinder'], port_forwards=[
         port_forward(8004, 5432),
     ])
@@ -160,7 +164,7 @@ if 'cinder' in ACTIVE_DEPLOYMENTS:
 
 if 'ironcore' in ACTIVE_DEPLOYMENTS:
     print("Activating Cortex IronCore bundle")
-    k8s_yaml(helm('./helm/bundles/cortex-ironcore', name='cortex-ironcore', values=[tilt_values]))
+    k8s_yaml(helm('./helm/bundles/cortex-ironcore', name='cortex-ironcore', values=tilt_values))
     k8s_resource('cortex-ironcore-controller-manager', labels=['Cortex-IronCore'])
     # Deploy resources in machines/samples
     k8s_yaml('samples/ironcore/machinepool.yaml')
diff --git a/api/v1alpha1/datasource_types.go b/api/v1alpha1/datasource_types.go
index c994a2424..9ab0e3aa9 100644
--- a/api/v1alpha1/datasource_types.go
+++ b/api/v1alpha1/datasource_types.go
@@ -293,6 +293,9 @@ type DatasourceList struct {
 	Items           []Datasource `json:"items"`
 }
 
+func (*Datasource) URI() string     { return "datasources.cortex.cloud/v1alpha1" }
+func (*DatasourceList) URI() string { return "datasources.cortex.cloud/v1alpha1" }
+
 func init() {
 	SchemeBuilder.Register(&Datasource{}, &DatasourceList{})
 }
diff --git a/api/v1alpha1/decision_types.go b/api/v1alpha1/decision_types.go
index ea71c60ff..0e4399ed1 100644
--- a/api/v1alpha1/decision_types.go
+++ b/api/v1alpha1/decision_types.go
@@ -155,6 +155,9 @@ type DecisionList struct {
 	Items           []Decision `json:"items"`
 }
 
+func (*Decision) URI() string     { return "decisions.cortex.cloud/v1alpha1" }
+func (*DecisionList) URI() string { return "decisions.cortex.cloud/v1alpha1" }
+
 func init() {
 	SchemeBuilder.Register(&Decision{}, &DecisionList{})
 }
diff --git a/api/v1alpha1/descheduling_types.go b/api/v1alpha1/descheduling_types.go
index 060a7c56d..a4b05bd76 100644
--- a/api/v1alpha1/descheduling_types.go
+++ b/api/v1alpha1/descheduling_types.go
@@ -102,6 +102,9 @@ type DeschedulingList struct {
 	Items           []Descheduling `json:"items"`
 }
 
+func (*Descheduling) URI() string     { return "deschedulings.cortex.cloud/v1alpha1" }
+func (*DeschedulingList) URI() string { return "deschedulings.cortex.cloud/v1alpha1" }
+
 func init() {
 	SchemeBuilder.Register(&Descheduling{}, &DeschedulingList{})
 }
diff --git a/api/v1alpha1/knowledge_types.go b/api/v1alpha1/knowledge_types.go
index cba0d026c..7e90ff7a9 100644
--- a/api/v1alpha1/knowledge_types.go
+++ b/api/v1alpha1/knowledge_types.go
@@ -174,6 +174,9 @@ type KnowledgeList struct {
 	Items           []Knowledge `json:"items"`
 }
 
+func (*Knowledge) URI() string     { return "knowledges.cortex.cloud/v1alpha1" }
+func (*KnowledgeList) URI() string { return "knowledges.cortex.cloud/v1alpha1" }
+
 func init() {
 	SchemeBuilder.Register(&Knowledge{}, &KnowledgeList{})
 }
diff --git a/api/v1alpha1/kpi_types.go b/api/v1alpha1/kpi_types.go
index 59dee1b74..93ccd5f18 100644
--- a/api/v1alpha1/kpi_types.go
+++ b/api/v1alpha1/kpi_types.go
@@ -97,6 +97,9 @@ type KPIList struct {
 	Items           []KPI `json:"items"`
 }
 
+func (*KPI) URI() string     { return "kpis.cortex.cloud/v1alpha1" }
+func (*KPIList) URI() string { return "kpis.cortex.cloud/v1alpha1" }
+
 func init() {
 	SchemeBuilder.Register(&KPI{}, &KPIList{})
 }
diff --git a/api/v1alpha1/pipeline_types.go b/api/v1alpha1/pipeline_types.go
index 20495b150..a54b68ca7 100644
--- a/api/v1alpha1/pipeline_types.go
+++ b/api/v1alpha1/pipeline_types.go
@@ -98,6 +98,9 @@ type PipelineList struct {
 	Items           []Pipeline `json:"items"`
 }
 
+func (*Pipeline) URI() string     { return "pipelines.cortex.cloud/v1alpha1" }
+func (*PipelineList) URI() string { return "pipelines.cortex.cloud/v1alpha1" }
+
 func init() {
 	SchemeBuilder.Register(&Pipeline{}, &PipelineList{})
 }
diff --git a/api/v1alpha1/reservation_types.go b/api/v1alpha1/reservation_types.go
index 03386d932..56fdafea0 100644
--- a/api/v1alpha1/reservation_types.go
+++ b/api/v1alpha1/reservation_types.go
@@ -97,6 +97,9 @@ type ReservationList struct {
 	Items           []Reservation `json:"items"`
 }
 
+func (*Reservation) URI() string     { return "reservations.cortex.cloud/v1alpha1" }
+func (*ReservationList) URI() string { return "reservations.cortex.cloud/v1alpha1" }
+
 func init() {
 	SchemeBuilder.Register(&Reservation{}, &ReservationList{})
 }
diff --git a/api/v1alpha1/step_types.go b/api/v1alpha1/step_types.go
index d4866fc31..012034e28 100644
--- a/api/v1alpha1/step_types.go
+++ b/api/v1alpha1/step_types.go
@@ -129,6 +129,9 @@ type StepList struct {
 	Items           []Step `json:"items"`
 }
 
+func (*Step) URI() string     { return "steps.cortex.cloud/v1alpha1" }
+func (*StepList) URI() string { return "steps.cortex.cloud/v1alpha1" }
+
 func init() {
 	SchemeBuilder.Register(&Step{}, &StepList{})
 }
diff --git a/cmd/main.go b/cmd/main.go
index 42ac2742a..64d6cf6ca 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -22,6 +22,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/cluster"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics"
@@ -54,6 +55,7 @@ import (
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
 	"github.com/cobaltcore-dev/cortex/pkg/db"
 	"github.com/cobaltcore-dev/cortex/pkg/monitoring"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	"github.com/sapcc/go-bits/httpext"
 	"github.com/sapcc/go-bits/must"
 	corev1 "k8s.io/api/core/v1"
@@ -243,6 +245,33 @@ func main() {
 		os.Exit(1)
 	}
 
+	homeCluster, err := cluster.New(restConfig, func(o *cluster.Options) { o.Scheme = scheme })
+	if err != nil {
+		setupLog.Error(err, "unable to create home cluster")
+		os.Exit(1)
+	}
+	if err := mgr.Add(homeCluster); err != nil {
+		setupLog.Error(err, "unable to add home cluster")
+		os.Exit(1)
+	}
+	multiclusterClient := &multicluster.Client{
+		HomeCluster:    homeCluster,
+		HomeRestConfig: restConfig,
+		HomeScheme:     scheme,
+	}
+	for _, override := range config.APIServerOverrides {
+		cluster, err := multiclusterClient.AddRemote(override.Resource, override.Host, override.CACert)
+		if err != nil {
+			setupLog.Error(err, "unable to create cluster for apiserver override", "apiserver", override.Host)
+			os.Exit(1)
+		}
+		// Also tell the manager about this cluster so that controllers can use it.
+		if err := mgr.Add(cluster); err != nil {
+			setupLog.Error(err, "unable to add cluster for apiserver override", "apiserver", override.Host)
+			os.Exit(1)
+		}
+	}
+
 	// Our custom monitoring registry can add prometheus labels to all metrics.
 	// This is useful to distinguish metrics from different deployments.
 	metrics.Registry = monitoring.WrapRegistry(metrics.Registry, config.Monitoring)
@@ -265,14 +294,14 @@ func main() {
 			Conf:    config,
 		}
 		// Inferred through the base controller.
-		decisionController.Client = mgr.GetClient()
+		decisionController.Client = multiclusterClient
 		decisionController.OperatorName = config.Operator
-		if err := (decisionController).SetupWithManager(mgr); err != nil {
+		if err := (decisionController).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "DecisionReconciler")
 			os.Exit(1)
 		}
 		novashims.NewAPI(config, decisionController).Init(mux)
-		go decisionsnova.CleanupNovaDecisionsRegularly(ctx, mgr.GetClient(), config)
+		go decisionsnova.CleanupNovaDecisionsRegularly(ctx, multiclusterClient, config)
 	}
 	if slices.Contains(config.EnabledControllers, "nova-deschedulings-pipeline-controller") {
 		// Deschedulings controller
@@ -284,18 +313,18 @@ func main() {
 			CycleDetector: deschedulingnova.NewCycleDetector(),
 		}
 		// Inferred through the base controller.
-		deschedulingsController.Client = mgr.GetClient()
+		deschedulingsController.Client = multiclusterClient
 		deschedulingsController.OperatorName = config.Operator
-		if err := (deschedulingsController).SetupWithManager(mgr); err != nil {
+		if err := (deschedulingsController).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "DeschedulingsReconciler")
 			os.Exit(1)
 		}
 		go deschedulingsController.CreateDeschedulingsPeriodically(ctx)
 		// Deschedulings cleanup on startup
 		if err := (&deschedulingnova.Cleanup{
-			Client: mgr.GetClient(),
+			Client: multiclusterClient,
 			Scheme: mgr.GetScheme(),
-		}).SetupWithManager(mgr); err != nil {
+		}).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "Cleanup")
 			os.Exit(1)
 		}
@@ -306,14 +335,14 @@ func main() {
 			Conf:    config,
 		}
 		// Inferred through the base controller.
-		controller.Client = mgr.GetClient()
+		controller.Client = multiclusterClient
 		controller.OperatorName = config.Operator
-		if err := (controller).SetupWithManager(mgr); err != nil {
+		if err := (controller).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "DecisionReconciler")
 			os.Exit(1)
 		}
 		manilashims.NewAPI(config, controller).Init(mux)
-		go decisionsmanila.CleanupManilaDecisionsRegularly(ctx, mgr.GetClient(), config)
+		go decisionsmanila.CleanupManilaDecisionsRegularly(ctx, multiclusterClient, config)
 	}
 	if slices.Contains(config.EnabledControllers, "cinder-decisions-pipeline-controller") {
 		controller := &decisionscinder.DecisionPipelineController{
@@ -321,14 +350,14 @@ func main() {
 			Conf:    config,
 		}
 		// Inferred through the base controller.
-		controller.Client = mgr.GetClient()
+		controller.Client = multiclusterClient
 		controller.OperatorName = config.Operator
-		if err := (controller).SetupWithManager(mgr); err != nil {
+		if err := (controller).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "DecisionReconciler")
 			os.Exit(1)
 		}
 		cindershims.NewAPI(config, controller).Init(mux)
-		go decisionscinder.CleanupCinderDecisionsRegularly(ctx, mgr.GetClient(), config)
+		go decisionscinder.CleanupCinderDecisionsRegularly(ctx, multiclusterClient, config)
 	}
 	if slices.Contains(config.EnabledControllers, "ironcore-decisions-pipeline-controller") {
 		controller := &decisionsmachines.DecisionPipelineController{
@@ -336,9 +365,9 @@ func main() {
 			Conf:    config,
 		}
 		// Inferred through the base controller.
-		controller.Client = mgr.GetClient()
+		controller.Client = multiclusterClient
 		controller.OperatorName = config.Operator
-		if err := (controller).SetupWithManager(mgr); err != nil {
+		if err := (controller).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "DecisionReconciler")
 			os.Exit(1)
 		}
@@ -347,23 +376,23 @@ func main() {
 		// Setup a controller which will reconcile the history and explanation for
 		// decision resources.
 		explanationController := &explanation.Controller{
-			Client:       mgr.GetClient(),
+			Client:       multiclusterClient,
 			OperatorName: config.Operator,
 		}
-		if err := explanationController.SetupWithManager(mgr); err != nil {
+		if err := explanationController.SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ExplanationController")
 			os.Exit(1)
 		}
 	}
 	if slices.Contains(config.EnabledControllers, "reservations-controller") {
-		monitor := reservationscontroller.NewControllerMonitor(mgr.GetClient())
+		monitor := reservationscontroller.NewControllerMonitor(multiclusterClient)
 		metrics.Registry.MustRegister(&monitor)
 		if err := (&reservationscontroller.ReservationReconciler{
-			Client:           mgr.GetClient(),
+			Client:           multiclusterClient,
 			Scheme:           mgr.GetScheme(),
 			Conf:             config,
 			HypervisorClient: reservationscontroller.NewHypervisorClient(),
-		}).SetupWithManager(mgr); err != nil {
+		}).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "Reservation")
 			os.Exit(1)
 		}
@@ -372,20 +401,20 @@ func main() {
 		monitor := datasources.NewMonitor()
 		metrics.Registry.MustRegister(&monitor)
 		if err := (&openstack.OpenStackDatasourceReconciler{
-			Client:  mgr.GetClient(),
+			Client:  multiclusterClient,
 			Scheme:  mgr.GetScheme(),
 			Monitor: monitor,
 			Conf:    config,
-		}).SetupWithManager(mgr); err != nil {
+		}).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "OpenStackDatasourceReconciler")
 			os.Exit(1)
 		}
 		if err := (&prometheus.PrometheusDatasourceReconciler{
-			Client:  mgr.GetClient(),
+			Client:  multiclusterClient,
 			Scheme:  mgr.GetScheme(),
 			Monitor: monitor,
 			Conf:    config,
-		}).SetupWithManager(mgr); err != nil {
+		}).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "PrometheusDatasourceReconciler")
 			os.Exit(1)
 		}
@@ -394,29 +423,29 @@ func main() {
 		monitor := extractor.NewMonitor()
 		metrics.Registry.MustRegister(&monitor)
 		if err := (&extractor.KnowledgeReconciler{
-			Client:  mgr.GetClient(),
+			Client:  multiclusterClient,
 			Scheme:  mgr.GetScheme(),
 			Monitor: monitor,
 			Conf:    config,
-		}).SetupWithManager(mgr); err != nil {
+		}).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "KnowledgeReconciler")
 			os.Exit(1)
 		}
 		if err := (&extractor.TriggerReconciler{
-			Client: mgr.GetClient(),
+			Client: multiclusterClient,
 			Scheme: mgr.GetScheme(),
 			Conf:   config,
-		}).SetupWithManager(mgr); err != nil {
+		}).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "TriggerReconciler")
 			os.Exit(1)
 		}
 	}
 	if slices.Contains(config.EnabledControllers, "kpis-controller") {
 		if err := (&kpis.Controller{
-			Client:              mgr.GetClient(),
+			Client:              multiclusterClient,
 			SupportedKPIsByImpl: kpis.SupportedKPIsByImpl,
 			OperatorName:        config.Operator,
-		}).SetupWithManager(mgr); err != nil {
+		}).SetupWithManager(mgr, multiclusterClient); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "KPIController")
 			os.Exit(1)
 		}
diff --git a/docs/guides/multicluster/cortex-home-crb.yaml b/docs/guides/multicluster/cortex-home-crb.yaml
new file mode 100644
index 000000000..1854084f2
--- /dev/null
+++ b/docs/guides/multicluster/cortex-home-crb.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: grant-cortex-remote-oidc-access
+subjects:
+- kind: User
+  apiGroup: rbac.authorization.k8s.io
+  name: system:anonymous
+roleRef:
+  kind: ClusterRole
+  name: system:service-account-issuer-discovery
+  apiGroup: rbac.authorization.k8s.io
diff --git a/docs/guides/multicluster/cortex-home.yaml b/docs/guides/multicluster/cortex-home.yaml
new file mode 100644
index 000000000..c1e093807
--- /dev/null
+++ b/docs/guides/multicluster/cortex-home.yaml
@@ -0,0 +1,23 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: cortex-home
+nodes:
+  - role: worker
+  - role: control-plane
+    extraPortMappings:
+    - containerPort: 6443
+      hostPort: 8443
+    kubeadmConfigPatches:
+      - |
+        kind: ClusterConfiguration
+        apiServer:
+          extraArgs:
+            service-account-issuer: "https://host.docker.internal:8443"
+            service-account-jwks-uri: "https://host.docker.internal:8443/openid/v1/jwks"
+          certSANs:
+            - api-proxy
+            - api-proxy.default.svc
+            - api-proxy.default.svc.cluster.local
+            - localhost
+            - 127.0.0.1
+            - host.docker.internal
diff --git a/docs/guides/multicluster/cortex-remote-crb.yaml b/docs/guides/multicluster/cortex-remote-crb.yaml
new file mode 100644
index 000000000..47ea9aa81
--- /dev/null
+++ b/docs/guides/multicluster/cortex-remote-crb.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: grant-cortex-cluster-admin
+subjects:
+- kind: User
+  apiGroup: rbac.authorization.k8s.io
+  name: "https://host.docker.internal:8443#system:serviceaccount:default:cortex-nova-knowledge-controller-manager"
+- kind: User
+  apiGroup: rbac.authorization.k8s.io
+  name: "https://host.docker.internal:8443#system:serviceaccount:default:cortex-nova-scheduling-controller-manager"
+- kind: User
+  apiGroup: rbac.authorization.k8s.io
+  name: "https://host.docker.internal:8443#system:serviceaccount:default:cortex-nova-reservations-controller-manager"
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/docs/guides/multicluster/cortex-remote.yaml b/docs/guides/multicluster/cortex-remote.yaml
new file mode 100644
index 000000000..675a14063
--- /dev/null
+++ b/docs/guides/multicluster/cortex-remote.yaml
@@ -0,0 +1,27 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: cortex-remote
+nodes:
+  - role: control-plane
+    extraPortMappings:
+    - containerPort: 6443
+      hostPort: 8444
+    extraMounts:
+      - hostPath: /tmp/root-ca-home.pem
+        containerPath: /etc/ca-certificates/root-ca.pem
+    kubeadmConfigPatches:
+      - |
+        kind: ClusterConfiguration
+        apiServer:
+          extraArgs:
+            oidc-client-id: "https://host.docker.internal:8443" # = audience
+            oidc-issuer-url: "https://host.docker.internal:8443"
+            oidc-username-claim: sub
+            oidc-ca-file: /etc/ca-certificates/root-ca.pem
+          certSANs:
+            - api-proxy
+            - api-proxy.default.svc
+            - api-proxy.default.svc.cluster.local
+            - localhost
+            - 127.0.0.1
+            - host.docker.internal
\ No newline at end of file
diff --git a/docs/guides/multicluster/readme.md b/docs/guides/multicluster/readme.md
new file mode 100644
index 000000000..fa0fd3c83
--- /dev/null
+++ b/docs/guides/multicluster/readme.md
@@ -0,0 +1,104 @@
+# Cortex Multi-Cluster Testing
+
+Cortex provides support for multi-cluster deployments, where a "home" cluster hosts the cortex pods and one or more "remote" clusters are used to persist CRDs. A typical use case for this would be to offload the etcd storage for Cortex CRDs to a remote cluster, reducing the resource usage on the home cluster.
+
+This guide will walk you through setting up a multi-cluster Cortex deployment using [kind](https://kind.sigs.k8s.io/). We will create two kind clusters: `cortex-home` and `cortex-remote`. The `cortex-home` cluster will host the Cortex control plane, while the `cortex-remote` cluster will be used to store CRDs.
+
+To store its CRDs in the `cortex-remote` cluster, the `cortex-home` cluster needs to be able to authenticate to the `cortex-remote` cluster's API server. We will achieve this by configuring the `cortex-remote` cluster to trust the service account tokens issued by the `cortex-home` cluster. In this way, no external OIDC provider is needed, because the `cortex-home` cluster's own OIDC issuer for service accounts acts as the identity provider.
+
+Here is a diagram illustrating the authentication flow:
+
+```mermaid
+sequenceDiagram
+    participant Home as cortex-home
+    participant Remote as cortex-remote
+    Home->>Home: Service Account Token Issued
+    Home->>Remote: API Request with Token
+    Remote->>Remote: Token Verified Against Home's OIDC Issuer
+    Remote->>Home: API Response
+```
+
+## Home Cluster Setup
+
+First we set up the `cortex-home` cluster. The provided kind configuration file `cortex-home.yaml` sets up the cluster with the necessary port mappings to allow communication between the two clusters. `cortex-home` will expose its API server on port `8443`, which `cortex-remote` will use to verify service account tokens through `https://host.docker.internal:8443`.
+
+```bash
+kind create cluster --config docs/guides/multicluster/cortex-home.yaml
+```
+
+Next, we need to expose the OIDC issuer endpoint of the `cortex-home` cluster's API server to the `cortex-remote` cluster. We do this by creating a `ClusterRoleBinding` that grants the `system:service-account-issuer-discovery` role to the `kube-system` service account in the `cortex-home` cluster.
+
+```bash
+kubectl --context kind-cortex-home apply -f docs/guides/multicluster/cortex-home-crb.yaml
+```
+
+To talk back to the `cortex-home` cluster's OIDC endpoint, the `cortex-remote` cluster needs to trust the root CA certificate used by the `cortex-home` cluster's API server. We can extract this certificate from the `extension-apiserver-authentication` config map in the `kube-system` namespace, and save it to a temporary file for later use.
+
+```bash
+kubectl --context kind-cortex-home --namespace kube-system \
+  get configmap extension-apiserver-authentication \
+  -o jsonpath="{.data['client-ca-file']}" > /tmp/root-ca-home.pem
+```
+
+## Remote Cluster Setup
+
+With all the prerequisites in place, we can now set up the `cortex-remote` cluster. We create the cluster using the provided kind configuration file `cortex-remote.yaml`. This configuration will tell the `cortex-remote` cluster to trust the `cortex-home` cluster's API server as OIDC issuer for service account token verification. Also, the `cortex-remote` cluster will trust the root CA certificate we extracted earlier. The `cortex-remote` apiserver will be accessible at `https://host.docker.internal:8444`.
+
+```bash
+kind create cluster --config docs/guides/multicluster/cortex-remote.yaml
+```
+
+Next, we need to create a `ClusterRoleBinding` in the `cortex-remote` cluster that grants service accounts coming from the `cortex-home` cluster access to the appropriate resources. We do this by applying the provided `cortex-remote-crb.yaml` file.
+
+```bash
+kubectl --context kind-cortex-remote apply -f docs/guides/multicluster/cortex-remote-crb.yaml
+```
+
+## Deploying Cortex
+
+Before we launch cortex make sure that the CRDs are installed in the `cortex-remote` cluster.
+
+```bash
+kubectl config use-context kind-cortex-remote
+helm install helm/bundles/cortex-crds --generate-name
+```
+
+Also, we need to extract the root CA certificate used by the `cortex-remote` cluster's API server, so that we can configure the cortex pods in the `cortex-home` cluster to trust it.
+
+```bash
+kubectl --context kind-cortex-remote --namespace kube-system \
+  get configmap extension-apiserver-authentication \
+  -o jsonpath="{.data['client-ca-file']}" > /tmp/root-ca-remote.pem
+```
+
+Now we can deploy cortex to the `cortex-home` cluster, configuring it to use the `cortex-remote` cluster for CRD storage. We create a temporary Helm values override file that specifies the API server URL and root CA certificate for the `cortex-remote` cluster. In this example, we are configuring the `decisions.cortex.cloud/v1alpha1` resource to be stored in the `cortex-remote` cluster.
+
+```bash
+export TILT_OVERRIDES_PATH=/tmp/cortex-values.yaml
+tee $TILT_OVERRIDES_PATH <<EOF
+global:
+  conf:
+    apiServerOverrides:
+    - resource: decisions.cortex.cloud/v1alpha1
+      host: https://host.docker.internal:8444
+      caCert: |
+$(cat /tmp/root-ca-remote.pem | sed 's/^/        /')
+EOF
+```
+
+Now we can start Cortex using Tilt, which will pick up the Helm values override file we just created.
+
+```bash
+kubectl config use-context kind-cortex-home
+tilt up
+```
+
+## Outcome
+
+With Cortex running in the `cortex-home` cluster and configured to use the `cortex-remote` cluster for CRD storage, we can verify that everything is working as expected with the following command:
+
+```bash
+kubectl --context kind-cortex-remote get decisions
+```
+
+This command should return the list of `Decision` resources stored in the `cortex-remote` cluster, confirming that Cortex is successfully using the remote cluster for CRD persistence.
diff --git a/helm/bundles/cortex-ironcore/templates/pipelines.yaml b/helm/bundles/cortex-ironcore/templates/pipelines.yaml
index 6b087bfbf..4a1cdea43 100644
--- a/helm/bundles/cortex-ironcore/templates/pipelines.yaml
+++ b/helm/bundles/cortex-ironcore/templates/pipelines.yaml
@@ -8,7 +8,6 @@ spec:
   description: |
     This pipeline is used to schedule ironcore machines onto machinepools.
   type: filter-weigher
-  createDecisions: true
   steps:
     - ref: {name: machinepools-noop}
       mandatory: false
diff --git a/internal/knowledge/datasources/openstack/controller.go b/internal/knowledge/datasources/openstack/controller.go
index c6af39bcd..ea4238b4b 100644
--- a/internal/knowledge/datasources/openstack/controller.go
+++ b/internal/knowledge/datasources/openstack/controller.go
@@ -20,6 +20,7 @@ import (
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
 	"github.com/cobaltcore-dev/cortex/pkg/db"
 	"github.com/cobaltcore-dev/cortex/pkg/keystone"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	"github.com/cobaltcore-dev/cortex/pkg/sso"
 	"github.com/sapcc/go-bits/jobloop"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -252,8 +253,8 @@ func (r *OpenStackDatasourceReconciler) Reconcile(ctx context.Context, req ctrl.
 	return ctrl.Result{RequeueAfter: time.Until(nextTime)}, nil
 }
 
-func (r *OpenStackDatasourceReconciler) SetupWithManager(mgr manager.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
+func (r *OpenStackDatasourceReconciler) SetupWithManager(mgr manager.Manager, mcl *multicluster.Client) error {
+	return multicluster.BuildController(mcl, mgr).
 		Named("cortex-openstack-datasource").
 		For(
 			&v1alpha1.Datasource{},
diff --git a/internal/knowledge/datasources/prometheus/controller.go b/internal/knowledge/datasources/prometheus/controller.go
index 4bca46ad7..a7d4ca3ce 100644
--- a/internal/knowledge/datasources/prometheus/controller.go
+++ b/internal/knowledge/datasources/prometheus/controller.go
@@ -13,6 +13,7 @@ import (
 	"github.com/cobaltcore-dev/cortex/internal/knowledge/datasources"
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
 	"github.com/cobaltcore-dev/cortex/pkg/db"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	"github.com/cobaltcore-dev/cortex/pkg/sso"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -188,8 +189,8 @@ func (r *PrometheusDatasourceReconciler) Reconcile(ctx context.Context, req ctrl
 	return ctrl.Result{RequeueAfter: time.Until(nextSync)}, nil
 }
 
-func (r *PrometheusDatasourceReconciler) SetupWithManager(mgr manager.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
+func (r *PrometheusDatasourceReconciler) SetupWithManager(mgr manager.Manager, mcl *multicluster.Client) error {
+	return multicluster.BuildController(mcl, mgr).
 		Named("cortex-prometheus-datasource").
 		For(
 			&v1alpha1.Datasource{},
diff --git a/internal/knowledge/extractor/controller.go b/internal/knowledge/extractor/controller.go
index d973ff38c..21990da6b 100644
--- a/internal/knowledge/extractor/controller.go
+++ b/internal/knowledge/extractor/controller.go
@@ -17,6 +17,7 @@ import (
 	"github.com/cobaltcore-dev/cortex/internal/knowledge/extractor/plugins/vmware"
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
 	"github.com/cobaltcore-dev/cortex/pkg/db"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -243,8 +244,8 @@ func (r *KnowledgeReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 	return ctrl.Result{}, nil
 }
 
-func (r *KnowledgeReconciler) SetupWithManager(mgr manager.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
+func (r *KnowledgeReconciler) SetupWithManager(mgr manager.Manager, mcl *multicluster.Client) error {
+	return multicluster.BuildController(mcl, mgr).
 		Named("cortex-knowledge").
 		For(
 			&v1alpha1.Knowledge{},
diff --git a/internal/knowledge/extractor/trigger.go b/internal/knowledge/extractor/trigger.go
index b08523efd..a9603bcae 100644
--- a/internal/knowledge/extractor/trigger.go
+++ b/internal/knowledge/extractor/trigger.go
@@ -9,11 +9,11 @@ import (
 
 	"github.com/cobaltcore-dev/cortex/api/v1alpha1"
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -246,26 +246,26 @@ func (r *TriggerReconciler) mapKnowledgeToKnowledge(ctx context.Context, obj cli
 }
 
 // SetupWithManager sets up the controller with the Manager
-func (r *TriggerReconciler) SetupWithManager(mgr manager.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("cortex-knowledge-trigger").
+func (r *TriggerReconciler) SetupWithManager(mgr manager.Manager, mcl *multicluster.Client) error {
+	return multicluster.BuildController(mcl, mgr).
 		// Watch datasource changes and map them to trigger reconciliation
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Datasource{},
 			handler.EnqueueRequestsFromMapFunc(r.mapDatasourceToKnowledge),
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				ds := obj.(*v1alpha1.Datasource)
 				return ds.Spec.Operator == r.Conf.Operator
-			})),
+			}),
 		).
 		// Watch knowledge changes and map them to trigger reconciliation
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Knowledge{},
 			handler.EnqueueRequestsFromMapFunc(r.mapKnowledgeToKnowledge),
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				k := obj.(*v1alpha1.Knowledge)
 				return k.Spec.Operator == r.Conf.Operator
-			})),
+			}),
 		).
+		Named("cortex-knowledge-trigger").
 		Complete(r)
 }
diff --git a/internal/knowledge/kpis/controller.go b/internal/knowledge/kpis/controller.go
index dc87d2342..9d7101ee7 100644
--- a/internal/knowledge/kpis/controller.go
+++ b/internal/knowledge/kpis/controller.go
@@ -16,6 +16,7 @@ import (
 	"github.com/cobaltcore-dev/cortex/internal/knowledge/kpis/plugins/vmware"
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
 	"github.com/cobaltcore-dev/cortex/pkg/db"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -438,46 +439,46 @@ func (c *Controller) handleKnowledgeDeleted(
 	c.handleKnowledgeChange(ctx, kn, queue)
 }
 
-func (c *Controller) SetupWithManager(mgr manager.Manager) error {
+func (c *Controller) SetupWithManager(mgr manager.Manager, mcl *multicluster.Client) error {
 	if err := mgr.Add(manager.RunnableFunc(c.InitAllKPIs)); err != nil {
 		return err
 	}
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("cortex-kpis").
-		For(
-			&v1alpha1.KPI{},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
-				// Only react to datasources matching the operator.
-				ds := obj.(*v1alpha1.KPI)
-				return ds.Spec.Operator == c.OperatorName
-			})),
-		).
+	return multicluster.BuildController(mcl, mgr).
 		// Watch datasource changes so that we can reconfigure kpis as needed.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Datasource{},
 			handler.Funcs{
 				CreateFunc: c.handleDatasourceCreated,
 				UpdateFunc: c.handleDatasourceUpdated,
 				DeleteFunc: c.handleDatasourceDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				// Only react to datasources matching the operator.
 				ds := obj.(*v1alpha1.Datasource)
 				return ds.Spec.Operator == c.OperatorName
-			})),
+			}),
 		).
 		// Watch knowledge changes so that we can reconfigure kpis as needed.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Knowledge{},
 			handler.Funcs{
 				CreateFunc: c.handleKnowledgeCreated,
 				UpdateFunc: c.handleKnowledgeUpdated,
 				DeleteFunc: c.handleKnowledgeDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				// Only react to knowledges matching the operator.
 				kn := obj.(*v1alpha1.Knowledge)
 				return kn.Spec.Operator == c.OperatorName
+			}),
+		).
+		Named("cortex-kpis").
+		For(
+			&v1alpha1.KPI{},
+			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+				// Only react to datasources matching the operator.
+				ds := obj.(*v1alpha1.KPI)
+				return ds.Spec.Operator == c.OperatorName
 			})),
 		).
 		Complete(c)
diff --git a/internal/reservations/controller/controller.go b/internal/reservations/controller/controller.go
index f61e942f8..68dcd4756 100644
--- a/internal/reservations/controller/controller.go
+++ b/internal/reservations/controller/controller.go
@@ -24,6 +24,7 @@ import (
 	schedulerdelegationapi "github.com/cobaltcore-dev/cortex/api/delegation/nova"
 	"github.com/cobaltcore-dev/cortex/api/v1alpha1"
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 )
 
 // ReservationReconciler reconciles a Reservation object
@@ -180,13 +181,13 @@ func (r *ReservationReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 }
 
 // SetupWithManager sets up the controller with the Manager.
-func (r *ReservationReconciler) SetupWithManager(mgr ctrl.Manager) error {
+func (r *ReservationReconciler) SetupWithManager(mgr ctrl.Manager, mcl *multicluster.Client) error {
 	if err := mgr.Add(manager.RunnableFunc(func(ctx context.Context) error {
 		return r.Init(ctx, mgr.GetClient(), r.Conf)
 	})); err != nil {
 		return err
 	}
-	return ctrl.NewControllerManagedBy(mgr).
+	return multicluster.BuildController(mcl, mgr).
 		For(&v1alpha1.Reservation{}).
 		Named("reservation").
 		WithOptions(controller.Options{
diff --git a/internal/scheduling/decisions/cinder/pipeline_controller.go b/internal/scheduling/decisions/cinder/pipeline_controller.go
index f0d66ed1e..70b155f0e 100644
--- a/internal/scheduling/decisions/cinder/pipeline_controller.go
+++ b/internal/scheduling/decisions/cinder/pipeline_controller.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/cobaltcore-dev/cortex/internal/scheduling/lib"
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -128,55 +129,39 @@ func (c *DecisionPipelineController) InitPipeline(
 	return lib.NewPipeline(ctx, c.Client, name, supportedSteps, steps, c.Monitor)
 }
 
-func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager) error {
+func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager, mcl *multicluster.Client) error {
 	c.Initializer = c
 	if err := mgr.Add(manager.RunnableFunc(c.InitAllPipelines)); err != nil {
 		return err
 	}
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("cortex-cinder-decisions").
-		For(
-			&v1alpha1.Decision{},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
-				decision := obj.(*v1alpha1.Decision)
-				if decision.Spec.Operator != c.Conf.Operator {
-					return false
-				}
-				// Ignore already decided schedulings.
-				if decision.Status.Result != nil {
-					return false
-				}
-				// Only handle cinder decisions.
-				return decision.Spec.Type == v1alpha1.DecisionTypeCinderVolume
-			})),
-		).
+	return multicluster.BuildController(mcl, mgr).
 		// Watch pipeline changes so that we can reconfigure pipelines as needed.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Pipeline{},
 			handler.Funcs{
 				CreateFunc: c.HandlePipelineCreated,
 				UpdateFunc: c.HandlePipelineUpdated,
 				DeleteFunc: c.HandlePipelineDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				pipeline := obj.(*v1alpha1.Pipeline)
 				// Only react to pipelines matching the operator.
 				if pipeline.Spec.Operator != c.Conf.Operator {
 					return false
 				}
 				return pipeline.Spec.Type == v1alpha1.PipelineTypeFilterWeigher
-			})),
+			}),
 		).
 		// Watch step changes so that we can turn on/off pipelines depending on
 		// unready steps.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Step{},
 			handler.Funcs{
 				CreateFunc: c.HandleStepCreated,
 				UpdateFunc: c.HandleStepUpdated,
 				DeleteFunc: c.HandleStepDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				step := obj.(*v1alpha1.Step)
 				// Only react to steps matching the operator.
 				if step.Spec.Operator != c.Conf.Operator {
@@ -188,21 +173,37 @@ func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager) error
 					v1alpha1.StepTypeWeigher,
 				}
 				return slices.Contains(supportedTypes, step.Spec.Type)
-			})),
+			}),
 		).
 		// Watch knowledge changes so that we can reconfigure pipelines as needed.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Knowledge{},
 			handler.Funcs{
 				CreateFunc: c.HandleKnowledgeCreated,
 				UpdateFunc: c.HandleKnowledgeUpdated,
 				DeleteFunc: c.HandleKnowledgeDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				knowledge := obj.(*v1alpha1.Knowledge)
 				// Only react to knowledge matching the operator.
 				return knowledge.Spec.Operator == c.Conf.Operator
+			}),
+		).
+		For(
+			&v1alpha1.Decision{},
+			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+				decision := obj.(*v1alpha1.Decision)
+				if decision.Spec.Operator != c.Conf.Operator {
+					return false
+				}
+				// Ignore already decided schedulings.
+				if decision.Status.Result != nil {
+					return false
+				}
+				// Only handle cinder decisions.
+				return decision.Spec.Type == v1alpha1.DecisionTypeCinderVolume
 			})),
 		).
+		Named("cortex-cinder-decisions").
 		Complete(c)
 }
diff --git a/internal/scheduling/decisions/explanation/controller.go b/internal/scheduling/decisions/explanation/controller.go
index aca1cb692..816399fc8 100644
--- a/internal/scheduling/decisions/explanation/controller.go
+++ b/internal/scheduling/decisions/explanation/controller.go
@@ -8,6 +8,7 @@ import (
 	"sort"
 
 	"github.com/cobaltcore-dev/cortex/api/v1alpha1"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	corev1 "k8s.io/api/core/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -182,7 +183,7 @@ func (c *Controller) StartupCallback(ctx context.Context) error {
 }
 
 // This function sets up the controller with the provided manager.
-func (c *Controller) SetupWithManager(mgr manager.Manager) error {
+func (c *Controller) SetupWithManager(mgr manager.Manager, mcl *multicluster.Client) error {
 	// Index the decisions by ResourceID for efficient lookup.
 	if !c.SkipIndexFields {
 		if err := mgr.GetFieldIndexer().IndexField(
@@ -200,7 +201,7 @@ func (c *Controller) SetupWithManager(mgr manager.Manager) error {
 	if err := mgr.Add(manager.RunnableFunc(c.StartupCallback)); err != nil {
 		return err
 	}
-	return ctrl.NewControllerManagedBy(mgr).
+	return multicluster.BuildController(mcl, mgr).
 		Named("explanation-controller").
 		For(
 			&v1alpha1.Decision{},
diff --git a/internal/scheduling/decisions/machines/pipeline_controller.go b/internal/scheduling/decisions/machines/pipeline_controller.go
index 599063f0b..da4adee97 100644
--- a/internal/scheduling/decisions/machines/pipeline_controller.go
+++ b/internal/scheduling/decisions/machines/pipeline_controller.go
@@ -15,6 +15,7 @@ import (
 	ironcorev1alpha1 "github.com/cobaltcore-dev/cortex/api/delegation/ironcore/v1alpha1"
 	"github.com/cobaltcore-dev/cortex/api/v1alpha1"
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 
 	"github.com/cobaltcore-dev/cortex/internal/scheduling/lib"
 	corev1 "k8s.io/api/core/v1"
@@ -209,33 +210,17 @@ func (c *DecisionPipelineController) handleMachine() handler.EventHandler {
 	}
 }
 
-func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager) error {
+func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager, mcl *multicluster.Client) error {
 	c.Initializer = c
 	if err := mgr.Add(manager.RunnableFunc(c.InitAllPipelines)); err != nil {
 		return err
 	}
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("cortex-machine-scheduler").
-		For(
-			&v1alpha1.Decision{},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
-				decision := obj.(*v1alpha1.Decision)
-				if decision.Spec.Operator != c.Conf.Operator {
-					return false
-				}
-				// Ignore already decided schedulings.
-				if decision.Status.Result != nil {
-					return false
-				}
-				// Only handle ironcore machine decisions.
-				return decision.Spec.Type == v1alpha1.DecisionTypeIroncoreMachine
-			})),
-		).
-		Watches(
+	return multicluster.BuildController(mcl, mgr).
+		WatchesMulticluster(
 			&ironcorev1alpha1.Machine{},
 			c.handleMachine(),
 			// Only schedule machines that have the custom scheduler set.
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				machine := obj.(*ironcorev1alpha1.Machine)
 				if machine.Spec.MachinePoolRef != nil {
 					// Skip machines that already have a machine pool assigned.
@@ -246,35 +231,35 @@ func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager) error
 				// We subscribe to all machines without a scheduler set for now.
 				// Otherwise when deployed the machine scheduler won't do anything.
 				return machine.Spec.Scheduler == ""
-			})),
+			}),
 		).
 		// Watch pipeline changes so that we can reconfigure pipelines as needed.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Pipeline{},
 			handler.Funcs{
 				CreateFunc: c.HandlePipelineCreated,
 				UpdateFunc: c.HandlePipelineUpdated,
 				DeleteFunc: c.HandlePipelineDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				pipeline := obj.(*v1alpha1.Pipeline)
 				// Only react to pipelines matching the operator.
 				if pipeline.Spec.Operator != c.Conf.Operator {
 					return false
 				}
 				return pipeline.Spec.Type == v1alpha1.PipelineTypeFilterWeigher
-			})),
+			}),
 		).
 		// Watch step changes so that we can turn on/off pipelines depending on
 		// unready steps.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Step{},
 			handler.Funcs{
 				CreateFunc: c.HandleStepCreated,
 				UpdateFunc: c.HandleStepUpdated,
 				DeleteFunc: c.HandleStepDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				step := obj.(*v1alpha1.Step)
 				// Only react to steps matching the operator.
 				if step.Spec.Operator != c.Conf.Operator {
@@ -286,6 +271,22 @@ func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager) error
 					v1alpha1.StepTypeWeigher,
 				}
 				return slices.Contains(supportedTypes, step.Spec.Type)
+			}),
+		).
+		Named("cortex-machine-scheduler").
+		For(
+			&v1alpha1.Decision{},
+			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+				decision := obj.(*v1alpha1.Decision)
+				if decision.Spec.Operator != c.Conf.Operator {
+					return false
+				}
+				// Ignore already decided schedulings.
+				if decision.Status.Result != nil {
+					return false
+				}
+				// Only handle ironcore machine decisions.
+				return decision.Spec.Type == v1alpha1.DecisionTypeIroncoreMachine
 			})),
 		).
 		Complete(c)
diff --git a/internal/scheduling/decisions/manila/pipeline_controller.go b/internal/scheduling/decisions/manila/pipeline_controller.go
index b1628e12a..7541cf1c0 100644
--- a/internal/scheduling/decisions/manila/pipeline_controller.go
+++ b/internal/scheduling/decisions/manila/pipeline_controller.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/cobaltcore-dev/cortex/internal/scheduling/lib"
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -128,55 +129,39 @@ func (c *DecisionPipelineController) InitPipeline(
 	return lib.NewPipeline(ctx, c.Client, name, supportedSteps, steps, c.Monitor)
 }
 
-func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager) error {
+func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager, mcl *multicluster.Client) error {
 	c.Initializer = c
 	if err := mgr.Add(manager.RunnableFunc(c.InitAllPipelines)); err != nil {
 		return err
 	}
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("cortex-manila-decisions").
-		For(
-			&v1alpha1.Decision{},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
-				decision := obj.(*v1alpha1.Decision)
-				if decision.Spec.Operator != c.Conf.Operator {
-					return false
-				}
-				// Ignore already decided schedulings.
-				if decision.Status.Result != nil {
-					return false
-				}
-				// Only handle manila decisions.
-				return decision.Spec.Type == v1alpha1.DecisionTypeManilaShare
-			})),
-		).
+	return multicluster.BuildController(mcl, mgr).
 		// Watch pipeline changes so that we can reconfigure pipelines as needed.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Pipeline{},
 			handler.Funcs{
 				CreateFunc: c.HandlePipelineCreated,
 				UpdateFunc: c.HandlePipelineUpdated,
 				DeleteFunc: c.HandlePipelineDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				pipeline := obj.(*v1alpha1.Pipeline)
 				// Only react to pipelines matching the operator.
 				if pipeline.Spec.Operator != c.Conf.Operator {
 					return false
 				}
 				return pipeline.Spec.Type == v1alpha1.PipelineTypeFilterWeigher
-			})),
+			}),
 		).
 		// Watch step changes so that we can turn on/off pipelines depending on
 		// unready steps.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Step{},
 			handler.Funcs{
 				CreateFunc: c.HandleStepCreated,
 				UpdateFunc: c.HandleStepUpdated,
 				DeleteFunc: c.HandleStepDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				step := obj.(*v1alpha1.Step)
 				// Only react to steps matching the operator.
 				if step.Spec.Operator != c.Conf.Operator {
@@ -188,20 +173,36 @@ func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager) error
 					v1alpha1.StepTypeWeigher,
 				}
 				return slices.Contains(supportedTypes, step.Spec.Type)
-			})),
+			}),
 		).
 		// Watch knowledge changes so that we can reconfigure pipelines as needed.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Knowledge{},
 			handler.Funcs{
 				CreateFunc: c.HandleKnowledgeCreated,
 				UpdateFunc: c.HandleKnowledgeUpdated,
 				DeleteFunc: c.HandleKnowledgeDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				knowledge := obj.(*v1alpha1.Knowledge)
 				// Only react to knowledge matching the operator.
 				return knowledge.Spec.Operator == c.Conf.Operator
+			}),
+		).
+		Named("cortex-manila-decisions").
+		For(
+			&v1alpha1.Decision{},
+			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+				decision := obj.(*v1alpha1.Decision)
+				if decision.Spec.Operator != c.Conf.Operator {
+					return false
+				}
+				// Ignore already decided schedulings.
+				if decision.Status.Result != nil {
+					return false
+				}
+				// Only handle manila decisions.
+				return decision.Spec.Type == v1alpha1.DecisionTypeManilaShare
 			})),
 		).
 		Complete(c)
diff --git a/internal/scheduling/decisions/nova/pipeline_controller.go b/internal/scheduling/decisions/nova/pipeline_controller.go
index b71b3256c..59aefb97a 100644
--- a/internal/scheduling/decisions/nova/pipeline_controller.go
+++ b/internal/scheduling/decisions/nova/pipeline_controller.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/cobaltcore-dev/cortex/internal/scheduling/lib"
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -128,55 +129,39 @@ func (c *DecisionPipelineController) InitPipeline(
 	return lib.NewPipeline(ctx, c.Client, name, supportedSteps, steps, c.Monitor)
 }
 
-func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager) error {
+func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager, mcl *multicluster.Client) error {
 	c.Initializer = c
 	if err := mgr.Add(manager.RunnableFunc(c.InitAllPipelines)); err != nil {
 		return err
 	}
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("cortex-nova-decisions").
-		For(
-			&v1alpha1.Decision{},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
-				decision := obj.(*v1alpha1.Decision)
-				if decision.Spec.Operator != c.Conf.Operator {
-					return false
-				}
-				// Ignore already decided schedulings.
-				if decision.Status.Result != nil {
-					return false
-				}
-				// Only handle nova decisions.
-				return decision.Spec.Type == v1alpha1.DecisionTypeNovaServer
-			})),
-		).
+	return multicluster.BuildController(mcl, mgr).
 		// Watch pipeline changes so that we can reconfigure pipelines as needed.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Pipeline{},
 			handler.Funcs{
 				CreateFunc: c.HandlePipelineCreated,
 				UpdateFunc: c.HandlePipelineUpdated,
 				DeleteFunc: c.HandlePipelineDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				pipeline := obj.(*v1alpha1.Pipeline)
 				// Only react to pipelines matching the operator.
 				if pipeline.Spec.Operator != c.Conf.Operator {
 					return false
 				}
 				return pipeline.Spec.Type == v1alpha1.PipelineTypeFilterWeigher
-			})),
+			}),
 		).
 		// Watch step changes so that we can turn on/off pipelines depending on
 		// unready steps.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Step{},
 			handler.Funcs{
 				CreateFunc: c.HandleStepCreated,
 				UpdateFunc: c.HandleStepUpdated,
 				DeleteFunc: c.HandleStepDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				step := obj.(*v1alpha1.Step)
 				// Only react to steps matching the operator.
 				if step.Spec.Operator != c.Conf.Operator {
@@ -188,20 +173,36 @@ func (c *DecisionPipelineController) SetupWithManager(mgr manager.Manager) error
 					v1alpha1.StepTypeWeigher,
 				}
 				return slices.Contains(supportedTypes, step.Spec.Type)
-			})),
+			}),
 		).
 		// Watch knowledge changes so that we can reconfigure pipelines as needed.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Knowledge{},
 			handler.Funcs{
 				CreateFunc: c.HandleKnowledgeCreated,
 				UpdateFunc: c.HandleKnowledgeUpdated,
 				DeleteFunc: c.HandleKnowledgeDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				knowledge := obj.(*v1alpha1.Knowledge)
 				// Only react to knowledge matching the operator.
 				return knowledge.Spec.Operator == c.Conf.Operator
+			}),
+		).
+		Named("cortex-nova-decisions").
+		For(
+			&v1alpha1.Decision{},
+			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+				decision := obj.(*v1alpha1.Decision)
+				if decision.Spec.Operator != c.Conf.Operator {
+					return false
+				}
+				// Ignore already decided schedulings.
+				if decision.Status.Result != nil {
+					return false
+				}
+				// Only handle nova decisions.
+				return decision.Spec.Type == v1alpha1.DecisionTypeNovaServer
 			})),
 		).
 		Complete(c)
diff --git a/internal/scheduling/decisions/nova/pipeline_controller_test.go b/internal/scheduling/decisions/nova/pipeline_controller_test.go
index 69900a16d..abaea5ec1 100644
--- a/internal/scheduling/decisions/nova/pipeline_controller_test.go
+++ b/internal/scheduling/decisions/nova/pipeline_controller_test.go
@@ -754,30 +754,3 @@ func TestDecisionPipelineController_ProcessNewDecisionFromAPI(t *testing.T) {
 		})
 	}
 }
-
-func TestDecisionPipelineController_SetupWithManager(t *testing.T) {
-	scheme := runtime.NewScheme()
-	if err := v1alpha1.AddToScheme(scheme); err != nil {
-		t.Fatalf("Failed to add v1alpha1 scheme: %v", err)
-	}
-
-	controller := &DecisionPipelineController{
-		Conf: conf.Config{
-			Operator: "test-operator",
-		},
-	}
-
-	// This test verifies that SetupWithManager method exists and has the correct signature
-	// We can't easily test the actual setup without a real manager, so we just verify the panic
-	// is handled gracefully when called with nil
-	defer func() {
-		if r := recover(); r == nil {
-			t.Error("Expected panic when calling SetupWithManager with nil manager")
-		}
-	}()
-
-	err := controller.SetupWithManager(nil)
-	if err != nil {
-		t.Errorf("Unexpected error from SetupWithManager: %v", err)
-	}
-}
diff --git a/internal/scheduling/descheduling/nova/cleanup.go b/internal/scheduling/descheduling/nova/cleanup.go
index c395ea489..0ba9ddaf3 100644
--- a/internal/scheduling/descheduling/nova/cleanup.go
+++ b/internal/scheduling/descheduling/nova/cleanup.go
@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/cobaltcore-dev/cortex/api/v1alpha1"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -90,11 +91,11 @@ func (r *Cleanup) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result,
 	return ctrl.Result{}, nil
 }
 
-func (r *Cleanup) SetupWithManager(mgr ctrl.Manager) error {
+func (r *Cleanup) SetupWithManager(mgr ctrl.Manager, mcl *multicluster.Client) error {
 	if err := mgr.Add(&CleanupOnStartup{r}); err != nil {
 		return err
 	}
-	return ctrl.NewControllerManagedBy(mgr).
+	return multicluster.BuildController(mcl, mgr).
 		For(&v1alpha1.Descheduling{}).
 		Named("descheduler-cleanup").
 		WithOptions(controller.Options{
diff --git a/internal/scheduling/descheduling/nova/executor.go b/internal/scheduling/descheduling/nova/executor.go
index 6db281e2e..476e1f8b1 100644
--- a/internal/scheduling/descheduling/nova/executor.go
+++ b/internal/scheduling/descheduling/nova/executor.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/cobaltcore-dev/cortex/api/v1alpha1"
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 
 	"github.com/sapcc/go-bits/jobloop"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -235,8 +236,8 @@ func (e *Executor) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result
 	return ctrl.Result{}, nil
 }
 
-func (s *Executor) SetupWithManager(mgr manager.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
+func (s *Executor) SetupWithManager(mgr manager.Manager, mcl *multicluster.Client) error {
+	return multicluster.BuildController(mcl, mgr).
 		Named("cortex-descheduler").
 		For(
 			&v1alpha1.Descheduling{},
diff --git a/internal/scheduling/descheduling/nova/executor_test.go b/internal/scheduling/descheduling/nova/executor_test.go
index bae05af3c..ea54a390f 100644
--- a/internal/scheduling/descheduling/nova/executor_test.go
+++ b/internal/scheduling/descheduling/nova/executor_test.go
@@ -427,18 +427,3 @@ func TestExecutor_ReconcileNotFound(t *testing.T) {
 		t.Error("expected no requeue for not found resource")
 	}
 }
-
-func TestExecutor_SetupWithManager(t *testing.T) {
-	// This test verifies that SetupWithManager can be called without errors
-	// We can't easily test the full controller setup without a real manager
-	executor := &Executor{}
-
-	// This would typically be tested in integration tests with a real manager
-	// For unit tests, we just verify the method exists and can be called
-	// Test that SetupWithManager method exists by calling it with a nil manager
-	// This will return an error, but confirms the method exists
-	err := executor.SetupWithManager(nil)
-	if err == nil {
-		t.Error("SetupWithManager should return an error when called with nil manager")
-	}
-}
diff --git a/internal/scheduling/descheduling/nova/pipeline_controller.go b/internal/scheduling/descheduling/nova/pipeline_controller.go
index 403eda6eb..385525bad 100644
--- a/internal/scheduling/descheduling/nova/pipeline_controller.go
+++ b/internal/scheduling/descheduling/nova/pipeline_controller.go
@@ -13,6 +13,7 @@ import (
 
 	"github.com/cobaltcore-dev/cortex/internal/scheduling/lib"
 	"github.com/cobaltcore-dev/cortex/pkg/conf"
+	"github.com/cobaltcore-dev/cortex/pkg/multicluster"
 	"github.com/sapcc/go-bits/jobloop"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -78,7 +79,7 @@ func (c *DeschedulingsPipelineController) Reconcile(ctx context.Context, req ctr
 	return ctrl.Result{}, nil
 }
 
-func (c *DeschedulingsPipelineController) SetupWithManager(mgr ctrl.Manager) error {
+func (c *DeschedulingsPipelineController) SetupWithManager(mgr ctrl.Manager, mcl *multicluster.Client) error {
 	c.Initializer = c
 	if err := mgr.Add(manager.RunnableFunc(func(ctx context.Context) error {
 		// Initialize the cycle detector.
@@ -89,41 +90,34 @@ func (c *DeschedulingsPipelineController) SetupWithManager(mgr ctrl.Manager) err
 	if err := mgr.Add(manager.RunnableFunc(c.InitAllPipelines)); err != nil {
 		return err
 	}
-	return ctrl.NewControllerManagedBy(mgr).
-		Named("cortex-nova-deschedulings").
-		For(
-			&v1alpha1.Descheduling{},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
-				return false // This controller does not reconcile Descheduling resources directly.
-			})),
-		).
+	return multicluster.BuildController(mcl, mgr).
 		// Watch pipeline changes so that we can reconfigure pipelines as needed.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Pipeline{},
 			handler.Funcs{
 				CreateFunc: c.HandlePipelineCreated,
 				UpdateFunc: c.HandlePipelineUpdated,
 				DeleteFunc: c.HandlePipelineDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				pipeline := obj.(*v1alpha1.Pipeline)
 				// Only react to pipelines matching the operator.
 				if pipeline.Spec.Operator != c.Conf.Operator {
 					return false
 				}
 				return pipeline.Spec.Type == v1alpha1.PipelineTypeDescheduler
-			})),
+			}),
 		).
 		// Watch step changes so that we can turn on/off pipelines depending on
 		// unready steps.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Step{},
 			handler.Funcs{
 				CreateFunc: c.HandleStepCreated,
 				UpdateFunc: c.HandleStepUpdated,
 				DeleteFunc: c.HandleStepDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				step := obj.(*v1alpha1.Step)
 				// Only react to steps matching the operator.
 				if step.Spec.Operator != c.Conf.Operator {
@@ -134,20 +128,27 @@ func (c *DeschedulingsPipelineController) SetupWithManager(mgr ctrl.Manager) err
 					v1alpha1.StepTypeDescheduler,
 				}
 				return slices.Contains(supportedTypes, step.Spec.Type)
-			})),
+			}),
 		).
 		// Watch knowledge changes so that we can reconfigure pipelines as needed.
-		Watches(
+		WatchesMulticluster(
 			&v1alpha1.Knowledge{},
 			handler.Funcs{
 				CreateFunc: c.HandleKnowledgeCreated,
 				UpdateFunc: c.HandleKnowledgeUpdated,
 				DeleteFunc: c.HandleKnowledgeDeleted,
 			},
-			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+			predicate.NewPredicateFuncs(func(obj client.Object) bool {
 				knowledge := obj.(*v1alpha1.Knowledge)
 				// Only react to knowledge matching the operator.
 				return knowledge.Spec.Operator == c.Conf.Operator
+			}),
+		).
+		Named("cortex-nova-deschedulings").
+		For(
+			&v1alpha1.Descheduling{},
+			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+				return false // This controller does not reconcile Descheduling resources directly.
 			})),
 		).
 		Complete(c)
diff --git a/internal/scheduling/descheduling/nova/pipeline_controller_test.go b/internal/scheduling/descheduling/nova/pipeline_controller_test.go
index 42fc19158..89d8f4268 100644
--- a/internal/scheduling/descheduling/nova/pipeline_controller_test.go
+++ b/internal/scheduling/descheduling/nova/pipeline_controller_test.go
@@ -150,35 +150,3 @@ func TestDeschedulingsPipelineController_Reconcile(t *testing.T) {
 		t.Error("expected no requeue")
 	}
 }
-
-func TestDeschedulingsPipelineController_SetupWithManager(t *testing.T) {
-	scheme := runtime.NewScheme()
-	err := v1alpha1.AddToScheme(scheme)
-	if err != nil {
-		t.Fatalf("Failed to add v1alpha1 scheme: %v", err)
-	}
-
-	client := fake.NewClientBuilder().WithScheme(scheme).Build()
-
-	controller := &DeschedulingsPipelineController{
-		BasePipelineController: lib.BasePipelineController[*Pipeline]{
-			Client: client,
-		},
-		Conf: conf.Config{
-			Operator: "test-operator",
-		},
-	}
-
-	// Test that SetupWithManager method exists by calling it with nil manager
-	// This will panic with nil pointer dereference, so we recover and verify
-	defer func() {
-		if r := recover(); r == nil {
-			t.Error("SetupWithManager should panic when called with nil manager")
-		}
-	}()
-
-	err = controller.SetupWithManager(nil)
-	if err != nil {
-		t.Errorf("unexpected error: %v", err)
-	}
-}
diff --git a/pkg/conf/conf.go b/pkg/conf/conf.go
index a7bcb3664..be607bfd0 100644
--- a/pkg/conf/conf.go
+++ b/pkg/conf/conf.go
@@ -29,6 +29,19 @@ type DBConfig struct {
 	Password string `json:"password"`
 }
 
+// Config which maps a kubernetes resource URI to a remote kubernetes apiserver.
+// This override config can be used to manage CRDs in a different kubernetes cluster.
+// It is assumed that the remote apiserver accepts the serviceaccount tokens
+// issued by the local cluster.
+type APIServerOverrideConfig struct {
+	// The resource URI, e.g. "steps.cortex.cloud/v1alpha1"
+	Resource string `json:"resource"`
+	// The remote kubernetes apiserver url, e.g. "https://my-apiserver:6443"
+	Host string `json:"host"`
+	// The root CA certificate to verify the remote apiserver.
+	CACert string `json:"caCert,omitempty"`
+}
+
 // Configuration for the monitoring module.
 type MonitoringConfig struct {
 	// The labels to add to all metrics.
@@ -89,6 +102,9 @@ type Config struct {
 
 	// Monitoring configuration
 	Monitoring MonitoringConfig `json:"monitoring"`
+
+	// Apiserver overrides.
+	APIServerOverrides []APIServerOverrideConfig `json:"apiServerOverrides,omitempty"`
 }
 
 // Create a new configuration from the default config json file.
diff --git a/pkg/multicluster/builder.go b/pkg/multicluster/builder.go
new file mode 100644
index 000000000..f0ec0df4c
--- /dev/null
+++ b/pkg/multicluster/builder.go
@@ -0,0 +1,49 @@
+// Copyright 2025 SAP SE
+// SPDX-License-Identifier: Apache-2.0
+
+package multicluster
+
+import (
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+// Build a multicluster controller using the multicluster client.
+// Use this builder to watch resources across multiple clusters.
+func BuildController(c *Client, mgr manager.Manager) MulticlusterBuilder {
+	return MulticlusterBuilder{
+		Builder:            ctrl.NewControllerManagedBy(mgr),
+		multiclusterClient: c,
+	}
+}
+
+// Builder which provides special methods to watch resources across multiple clusters.
+type MulticlusterBuilder struct {
+	// Wrapped builder provided by controller-runtime.
+	*builder.Builder
+	// The multicluster client to use for watching resources.
+	multiclusterClient *Client
+}
+
+// Watch resources across multiple clusters.
+//
+// If the object implements Resource, we pick the right cluster based on the
+// resource URI. If your builder needs this method, pass it to the builder
+// as the first call and then proceed with other builder methods.
+func (b MulticlusterBuilder) WatchesMulticluster(object client.Object, eventHandler handler.TypedEventHandler[client.Object, reconcile.Request], predicates ...predicate.Predicate) MulticlusterBuilder {
+	resource, ok := object.(Resource)
+	if !ok {
+		b.Builder = b.Watches(object, eventHandler, builder.WithPredicates(predicates...))
+		return b
+	}
+	cl := b.multiclusterClient.ClusterForResource(resource.URI())
+	clusterCache := cl.GetCache()
+	b.Builder = b.WatchesRawSource(source.Kind(clusterCache, object, eventHandler, predicates...))
+	return b
+}
diff --git a/pkg/multicluster/builder_test.go b/pkg/multicluster/builder_test.go
new file mode 100644
index 000000000..ac008adb5
--- /dev/null
+++ b/pkg/multicluster/builder_test.go
@@ -0,0 +1,61 @@
+// Copyright 2025 SAP SE
+// SPDX-License-Identifier: Apache-2.0
+
+package multicluster
+
+import (
+	"testing"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type mockResource struct {
+	client.Object
+	uri string
+}
+
+func (m *mockResource) URI() string {
+	return m.uri
+}
+
+type mockNonResource struct {
+	client.Object
+}
+
+func TestBuilder_ResourceInterface(t *testing.T) {
+	// Test that our mock resource implements the Resource interface
+	var _ Resource = &mockResource{}
+
+	resource := &mockResource{uri: "test-uri"}
+	if resource.URI() != "test-uri" {
+		t.Errorf("Expected URI 'test-uri', got '%s'", resource.URI())
+	}
+}
+
+func TestResource_TypeAssertion(t *testing.T) {
+	tests := []struct {
+		name       string
+		object     client.Object
+		isResource bool
+	}{
+		{
+			name:       "resource object",
+			object:     &mockResource{uri: "test-uri"},
+			isResource: true,
+		},
+		{
+			name:       "non-resource object",
+			object:     &mockNonResource{},
+			isResource: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, ok := tt.object.(Resource)
+			if ok != tt.isResource {
+				t.Errorf("Expected isResource=%v, got %v", tt.isResource, ok)
+			}
+		})
+	}
+}
diff --git a/pkg/multicluster/client.go b/pkg/multicluster/client.go
new file mode 100644
index 000000000..be6e9873f
--- /dev/null
+++ b/pkg/multicluster/client.go
@@ -0,0 +1,310 @@
+// Copyright 2025 SAP SE
+// SPDX-License-Identifier: Apache-2.0
+
+package multicluster
+
+import (
+	"context"
+	"sync"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/cluster"
+)
+
+type Resource interface{ URI() string }
+
+type Client struct {
+	// The cluster in which cortex is deployed.
+	HomeCluster cluster.Cluster
+	// The REST config for the home cluster in which cortex is deployed.
+	HomeRestConfig *rest.Config
+	// The scheme for the home cluster in which cortex is deployed.
+	// This scheme should include all types used in the remote clusters.
+	HomeScheme *runtime.Scheme
+
+	// Remote clusters to use by resource URI.
+	// The clusters provided are expected to accept the home cluster's
+	// service account tokens and know about the resources being managed.
+	remoteClusters map[string]cluster.Cluster
+	// Mutex to protect access to remoteClusters.
+	remoteClustersMu sync.RWMutex
+}
+
+// Add a remote cluster which uses the same REST config as the home cluster,
+// but a different host, for the given resource URI.
+//
+// This can be used when the remote cluster accepts the home cluster's service
+// account tokens. See the kubernetes documentation on structured auth to
+// learn more about jwt-based authentication across clusters.
+func (c *Client) AddRemote(uri, host, caCert string) (cluster.Cluster, error) {
+	homeRestConfig := *c.HomeRestConfig
+	restConfigCopy := homeRestConfig
+	restConfigCopy.Host = host
+	// This must be the CA data for the remote apiserver.
+	restConfigCopy.CAData = []byte(caCert)
+	cl, err := cluster.New(&restConfigCopy, func(o *cluster.Options) {
+		o.Scheme = c.HomeScheme
+	})
+	if err != nil {
+		return nil, err
+	}
+	c.remoteClustersMu.Lock()
+	defer c.remoteClustersMu.Unlock()
+	if c.remoteClusters == nil {
+		c.remoteClusters = make(map[string]cluster.Cluster)
+	}
+	c.remoteClusters[uri] = cl
+	return cl, nil
+}
+
+// Get the cluster for the given resource URI.
+//
+// If this URI does not have a remote cluster configured, the home cluster
+// is returned.
+func (c *Client) ClusterForResource(uri string) cluster.Cluster {
+	c.remoteClustersMu.RLock()
+	defer c.remoteClustersMu.RUnlock()
+	cl, ok := c.remoteClusters[uri]
+	if ok {
+		return cl
+	}
+	return c.HomeCluster
+}
+
+// Get the client for the given resource URI.
+//
+// If this URI does not have a remote cluster configured, the home cluster's
+// client is returned.
+func (c *Client) ClientForResource(uri string) client.Client {
+	return c.ClusterForResource(uri).GetClient()
+}
+
+// Pick the right cluster based on the resource URI and perform a Get operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *Client) Get(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.HomeCluster.GetClient().Get(ctx, key, obj, opts...)
+	}
+	cl := c.ClusterForResource(resource.URI())
+	return cl.GetClient().Get(ctx, key, obj, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform a List operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *Client) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
+	resource, ok := list.(Resource)
+	if !ok {
+		return c.HomeCluster.GetClient().List(ctx, list, opts...)
+	}
+	cl := c.ClusterForResource(resource.URI())
+	return cl.GetClient().List(ctx, list, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform an Apply operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *Client) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...client.ApplyOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.HomeCluster.GetClient().Apply(ctx, obj, opts...)
+	}
+	cl := c.ClusterForResource(resource.URI())
+	return cl.GetClient().Apply(ctx, obj, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform a Create operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *Client) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.HomeCluster.GetClient().Create(ctx, obj, opts...)
+	}
+	cl := c.ClusterForResource(resource.URI())
+	return cl.GetClient().Create(ctx, obj, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform a Create operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *Client) Delete(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.HomeCluster.GetClient().Delete(ctx, obj, opts...)
+	}
+	cl := c.ClusterForResource(resource.URI())
+	return cl.GetClient().Delete(ctx, obj, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform an Update operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *Client) Update(ctx context.Context, obj client.Object, opts ...client.UpdateOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.HomeCluster.GetClient().Update(ctx, obj, opts...)
+	}
+	cl := c.ClusterForResource(resource.URI())
+	return cl.GetClient().Update(ctx, obj, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform a Patch operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *Client) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.HomeCluster.GetClient().Patch(ctx, obj, patch, opts...)
+	}
+	cl := c.ClusterForResource(resource.URI())
+	return cl.GetClient().Patch(ctx, obj, patch, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform a DeleteAllOf operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *Client) DeleteAllOf(ctx context.Context, obj client.Object, opts ...client.DeleteAllOfOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.HomeCluster.GetClient().DeleteAllOf(ctx, obj, opts...)
+	}
+	cl := c.ClusterForResource(resource.URI())
+	return cl.GetClient().DeleteAllOf(ctx, obj, opts...)
+}
+
+// Return the scheme of the home cluster.
+func (c *Client) Scheme() *runtime.Scheme {
+	return c.HomeCluster.GetClient().Scheme()
+}
+
+// Return the RESTMapper of the home cluster.
+func (c *Client) RESTMapper() meta.RESTMapper {
+	return c.HomeCluster.GetClient().RESTMapper()
+}
+
+// Return the GroupVersionKind for the given object using the home cluster's RESTMapper.
+func (c *Client) GroupVersionKindFor(obj runtime.Object) (schema.GroupVersionKind, error) {
+	return c.HomeCluster.GetClient().GroupVersionKindFor(obj)
+}
+
+// Return true if the GroupVersionKind of the object is namespaced using the home cluster's RESTMapper.
+func (c *Client) IsObjectNamespaced(obj runtime.Object) (bool, error) {
+	return c.HomeCluster.GetClient().IsObjectNamespaced(obj)
+}
+
+// Provide a wrapper around the status subresource client which picks the right cluster
+// based on the resource URI.
+func (c *Client) Status() client.StatusWriter { return &statusClient{multiclusterClient: c} }
+
+// Wrapper around the status subresource client which picks the right cluster
+// based on the resource URI.
+type statusClient struct{ multiclusterClient *Client }
+
+// Pick the right cluster based on the resource URI and perform a Create operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *statusClient) Create(ctx context.Context, obj, subResource client.Object, opts ...client.SubResourceCreateOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.multiclusterClient.HomeCluster.GetClient().Status().Create(ctx, obj, subResource, opts...)
+	}
+	cl := c.multiclusterClient.ClusterForResource(resource.URI())
+	return cl.GetClient().Status().Create(ctx, obj, subResource, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform an Update operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *statusClient) Update(ctx context.Context, obj client.Object, opts ...client.SubResourceUpdateOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.multiclusterClient.HomeCluster.GetClient().Status().Update(ctx, obj, opts...)
+	}
+	cl := c.multiclusterClient.ClusterForResource(resource.URI())
+	return cl.GetClient().Status().Update(ctx, obj, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform a Patch operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *statusClient) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.SubResourcePatchOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.multiclusterClient.HomeCluster.GetClient().Status().Patch(ctx, obj, patch, opts...)
+	}
+	cl := c.multiclusterClient.ClusterForResource(resource.URI())
+	return cl.GetClient().Status().Patch(ctx, obj, patch, opts...)
+}
+
+// Provide a wrapper around the given subresource client which picks the right cluster
+// based on the resource URI.
+func (c *Client) SubResource(subResource string) client.SubResourceClient {
+	return &subResourceClient{
+		multiclusterClient: c,
+		subResource:        subResource,
+	}
+}
+
+// Wrapper around a subresource client which picks the right cluster
+// based on the resource URI.
+type subResourceClient struct {
+	// The parent multicluster client.
+	multiclusterClient *Client
+	// The name of the subresource.
+	subResource string
+}
+
+// Pick the right cluster based on the resource URI and perform a Get operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *subResourceClient) Get(ctx context.Context, obj, subResource client.Object, opts ...client.SubResourceGetOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.multiclusterClient.HomeCluster.GetClient().SubResource(c.subResource).Get(ctx, obj, subResource, opts...)
+	}
+	cl := c.multiclusterClient.ClusterForResource(resource.URI())
+	return cl.GetClient().SubResource(c.subResource).Get(ctx, obj, subResource, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform a Create operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *subResourceClient) Create(ctx context.Context, obj, subResource client.Object, opts ...client.SubResourceCreateOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.multiclusterClient.HomeCluster.GetClient().SubResource(c.subResource).Create(ctx, obj, subResource, opts...)
+	}
+	cl := c.multiclusterClient.ClusterForResource(resource.URI())
+	return cl.GetClient().SubResource(c.subResource).Create(ctx, obj, subResource, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform an Update operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *subResourceClient) Update(ctx context.Context, obj client.Object, opts ...client.SubResourceUpdateOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.multiclusterClient.HomeCluster.GetClient().SubResource(c.subResource).Update(ctx, obj, opts...)
+	}
+	cl := c.multiclusterClient.ClusterForResource(resource.URI())
+	return cl.GetClient().SubResource(c.subResource).Update(ctx, obj, opts...)
+}
+
+// Pick the right cluster based on the resource URI and perform a Patch operation.
+// If the object does not implement Resource or no custom cluster is configured,
+// the home cluster is used.
+func (c *subResourceClient) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.SubResourcePatchOption) error {
+	resource, ok := obj.(Resource)
+	if !ok {
+		return c.multiclusterClient.HomeCluster.GetClient().SubResource(c.subResource).Patch(ctx, obj, patch, opts...)
+	}
+	cl := c.multiclusterClient.ClusterForResource(resource.URI())
+	return cl.GetClient().SubResource(c.subResource).Patch(ctx, obj, patch, opts...)
+}
diff --git a/pkg/multicluster/client_test.go b/pkg/multicluster/client_test.go
new file mode 100644
index 000000000..632c17424
--- /dev/null
+++ b/pkg/multicluster/client_test.go
@@ -0,0 +1,99 @@
+// Copyright 2025 SAP SE
+// SPDX-License-Identifier: Apache-2.0
+
+package multicluster
+
+import (
+	"testing"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type testResource struct {
+	client.Object
+	uri string
+}
+
+func (t *testResource) URI() string {
+	return t.uri
+}
+
+type testNonResource struct {
+	client.Object
+}
+
+func TestResource_Interface(t *testing.T) {
+	// Test that our test resource implements the Resource interface
+	var _ Resource = &testResource{}
+
+	resource := &testResource{uri: "test-uri"}
+	if resource.URI() != "test-uri" {
+		t.Errorf("Expected URI 'test-uri', got '%s'", resource.URI())
+	}
+}
+
+func TestClient_ResourceTypeDetection(t *testing.T) {
+	tests := []struct {
+		name        string
+		object      client.Object
+		isResource  bool
+		expectedURI string
+	}{
+		{
+			name:        "resource with URI",
+			object:      &testResource{uri: "test-uri"},
+			isResource:  true,
+			expectedURI: "test-uri",
+		},
+		{
+			name:        "resource with empty URI",
+			object:      &testResource{uri: ""},
+			isResource:  true,
+			expectedURI: "",
+		},
+		{
+			name:        "non-resource object",
+			object:      &testNonResource{},
+			isResource:  false,
+			expectedURI: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			resource, ok := tt.object.(Resource)
+			if ok != tt.isResource {
+				t.Errorf("Expected isResource=%v, got %v", tt.isResource, ok)
+			}
+
+			if ok {
+				uri := resource.URI()
+				if uri != tt.expectedURI {
+					t.Errorf("Expected URI '%s', got '%s'", tt.expectedURI, uri)
+				}
+			}
+		})
+	}
+}
+
+func TestClient_ClusterForResource_NilSafety(t *testing.T) {
+	// Test that ClusterForResource handles nil home cluster gracefully
+	client := &Client{}
+
+	cluster := client.ClusterForResource("any-uri")
+	if cluster != nil {
+		t.Error("Expected nil cluster when home cluster is nil")
+	}
+}
+
+func TestClient_ClusterForResource_EmptyRemoteClusters(t *testing.T) {
+	// Test behavior with nil remote clusters map
+	client := &Client{
+		remoteClusters: nil,
+	}
+
+	cluster := client.ClusterForResource("any-uri")
+	if cluster != nil {
+		t.Error("Expected nil cluster when both home and remote clusters are nil")
+	}
+}

From be272188a1db7f62f25007517932f0cb35c66f84 Mon Sep 17 00:00:00 2001
From: Philipp <27271818+PhilippMatthes@users.noreply.github.com>
Date: Tue, 25 Nov 2025 14:56:09 +0100
Subject: [PATCH 2/3] Revert change in pipelines.yaml

---
 helm/bundles/cortex-ironcore/templates/pipelines.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/helm/bundles/cortex-ironcore/templates/pipelines.yaml b/helm/bundles/cortex-ironcore/templates/pipelines.yaml
index 4a1cdea43..6b087bfbf 100644
--- a/helm/bundles/cortex-ironcore/templates/pipelines.yaml
+++ b/helm/bundles/cortex-ironcore/templates/pipelines.yaml
@@ -8,6 +8,7 @@ spec:
   description: |
     This pipeline is used to schedule ironcore machines onto machinepools.
   type: filter-weigher
+  createDecisions: true
   steps:
     - ref: {name: machinepools-noop}
       mandatory: false

From 6febba469b1b7de532cbfd2a52a846b96cb9b6f9 Mon Sep 17 00:00:00 2001
From: Philipp Matthes <p.matthes@sap.com>
Date: Tue, 25 Nov 2025 15:55:15 +0100
Subject: [PATCH 3/3] Add ironcore serviceaccount to guide crb

---
 docs/guides/multicluster/cortex-remote-crb.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/guides/multicluster/cortex-remote-crb.yaml b/docs/guides/multicluster/cortex-remote-crb.yaml
index 47ea9aa81..9928720d7 100644
--- a/docs/guides/multicluster/cortex-remote-crb.yaml
+++ b/docs/guides/multicluster/cortex-remote-crb.yaml
@@ -12,6 +12,9 @@ subjects:
 - kind: User
   apiGroup: rbac.authorization.k8s.io
   name: "https://host.docker.internal:8443#system:serviceaccount:default:cortex-nova-reservations-controller-manager"
+- kind: User
+  apiGroup: rbac.authorization.k8s.io
+  name: "https://host.docker.internal:8443#system:serviceaccount:default:cortex-ironcore-controller-manager"
 roleRef:
   kind: ClusterRole
   name: cluster-admin