When you deploy Kubernetes "add-ons" like Helm's tillerd or https://github.com/jetstack/cert-manager/, the active containers of those get deployed to the management node, no?

No.

Yeah, none of the rest of the big three are asking you to pay anything for those masters at this point, though. "They're your nodes, you paid for them" seems like a reasonable position to take here.

> "They're your nodes, you paid for them" seems like a reasonable position to take here.

If that were a reasonable position, you'd think AWS RDS and Google Cloud SQL would give you superuser access to your database instances to do things like installing Postgres extensions.

It seems a lot of people are happy to pay for instances they can't even SSH into. :/

Sure, I guess so, it's a value add. Your engineers can't mess anything up if they have no access at all.

You underestimate our engineers :-)

I don't even want to SSH to instances that I control and have provisioned, why would I want to SSH into instances managed by AWS?

Unless the point of your server is to provide SSH (you are using it as a development box, maybe?), having to SSH means that you are lacking in the tooling department.

At work we are guilty of that. We are actively trying to improve on this.

In this case, it's not so much "SSH" as the ability to install files, as root, onto the server. For RDS/Cloud SQL, the inability to do that both restricts you from installing your own extensions; and restricts you from being able to use the Postgres COPY command with local/network-mounted (rather than network-streamed-to-STDIN) CSV files, majorly increasing the overhead of the operation and preventing parallelism.