# D2DO286: Scaling Kubernetes Across Clouds – Identity, DNS, and Security

- Page: https://stenobird.com/podcast/day-two-devops/d2do286-scaling-kubernetes-across-clouds-identity-dns-and-security
- Text version: https://stenobird.com/podcast/day-two-devops/d2do286-scaling-kubernetes-across-clouds-identity-dns-and-security.md
- Podcast: [Day Two DevOps](https://stenobird.com/podcast/day-two-devops)
- Published: 2025-11-05T21:54:14+00:00
- Episode link: https://packetpushers.net/podcasts/day-two-devops/d2do286-scaling-kubernetes-across-clouds-identity-dns-and-security/
- Audio file: https://feeds.packetpushers.net/link/20975/17203966/D2DO286.mp3
- Processing state: processed
- JSON: https://stenobird.com/v1/public/podcasts/day-two-devops/episodes/d2do286-scaling-kubernetes-across-clouds-identity-dns-and-security
- Duration seconds: 2439

## Resource

Managing Kubernetes across multiple cloud providers introduces significant complexity in workload identity, DNS resolution, and security. This episode explores how to implement granular, short-lived credentials and efficient DNS strategies to maintain a secure, scalable multi-cloud architecture.
## Highlights

- Main idea: Moving from static service account keys to workload identity reduces the blast radius of credential leaks.
- Practical takeaway: Use short-lived, unique tokens for each pod to establish a trust relationship with external cloud providers.
- Failure mode: Storing long-lived service account keys in local storage or 'wallets' creates a massive security vulnerability.
- Technical insight: Kubernetes DNS resolution follows a specific search path, which can be optimized by configuring name servers to prioritize external providers.
- Security takeaway: Implementing mTLS via a service mesh like Istio can automate pod identity verification and secure inter-service communication.

## Topics

Kubernetes, Multi-cloud, Workload Identity, DNS Resolution, Service Mesh, mTLS, Cloud Security, DevOps

## Chapters

- 1:00 — From Bare Metal to Kubernetes: Goutam discusses the transition of Greenplum Database from tarball-based bare metal installations to containerized workloads.
- 3:55 — Running Stateful Workloads in K8s: The challenges and opportunities of deploying databases and stateful services in an inherently ephemeral environment.
- 13:05 — The Danger of Static Credentials: An analysis of the security risks associated with downloading and managing service account keys manually.
- 16:25 — Implementing Workload Identity: How to use service accounts to create trust relationships with cloud providers using granular, revocable permissions.
- 22:25 — DNS Resolution in Kubernetes: Understanding how Kubernetes uses naming conventions to abstract away ephemeral IP addresses.
- 25:25 — Optimizing DNS Search Paths: Deep dive into the DNS lookup flow and how to prevent unnecessary internal search failures.
- 37:40 — Securing Service Communication: Exploring mTLS and the role of service meshes like Istio in managing pod identity and encryption.
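The "DNS search path" highlight and the "Optimizing DNS Search Paths" chapter describe why a pod looking up an external cloud endpoint can generate several failed in-cluster queries before the real one. The following is an added example, not code from the episode or from Kubernetes: it parses a constructed sample of the `/etc/resolv.conf` that kubelet writes into a pod (the default `ndots:5` and the three `cluster.local` search suffixes are real defaults; the namespace `payments` and the hostnames are constructed) and reproduces the glibc-style search-path expansion so you can see the query order, count the wasted cluster-internal lookups, and compare it with a fully qualified name (trailing dot) or a lower `ndots` set through the pod's `dnsConfig.options`.

```python
"""Simulate a pod resolver's search-path expansion (added example, not from the episode).

Assumes the glibc resolver rules: a name with fewer than `ndots` dots is tried with
each search suffix first and as an absolute name last; a name with `ndots` or more
dots is tried absolute first; a name ending in '.' is absolute and tried once.
"""
from typing import Dict, List

# Constructed sample of the resolv.conf kubelet generates for a pod in namespace
# "payments" with the default ClusterFirst policy and default ndots:5.
SAMPLE_RESOLV_CONF = """\
search payments.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.96.0.10
options ndots:5
"""


def parse_resolv_conf(text: str) -> Dict[str, object]:
    """Extract search list, nameservers and ndots from resolv.conf text."""
    search: List[str] = []
    nameservers: List[str] = []
    ndots = 1  # resolver default when no ndots option is present
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "search":
            search = parts[1:]
        elif parts[0] == "nameserver":
            nameservers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return {"search": search, "nameservers": nameservers, "ndots": ndots}


def query_order(name: str, search: List[str], ndots: int) -> List[str]:
    """Return the sequence of absolute names the resolver will send, in order."""
    if name.endswith("."):
        return [name]  # fully qualified: exactly one query, no search expansion
    with_suffix = [f"{name}.{suffix}." for suffix in search]
    absolute = f"{name}."
    if name.count(".") >= ndots:
        return [absolute] + with_suffix
    return with_suffix + [absolute]


def wasted_cluster_lookups(name: str, search: List[str], ndots: int) -> int:
    """Count search-suffix queries sent before the absolute name is tried.

    For an external name these all end in NXDOMAIN from CoreDNS, which is the
    'unnecessary internal search failure' the episode is about.
    """
    order = query_order(name, search, ndots)
    absolute = name if name.endswith(".") else f"{name}."
    return order.index(absolute)


if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    search, ndots = conf["search"], conf["ndots"]
    for candidate in ("api", "storage.example-cloud.test", "storage.example-cloud.test."):
        print(candidate, "->", query_order(candidate, search, ndots))
    # Same external name after setting dnsConfig.options ndots to 2 in the pod spec
    print("ndots:2 ->", query_order("storage.example-cloud.test", search, 2))
```

With the defaults, the short in-cluster name `api` is resolved on the first query, while a two-dot external name pays for three cluster-internal failures before the real lookup; either appending a trailing dot or lowering `ndots` in the pod's `dnsConfig` puts the external query first, which is the optimization the episode discusses.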
## Actions

- request_transcript: `POST https://stenobird.com/v1/public/podcasts/day-two-devops/episodes/d2do286-scaling-kubernetes-across-clouds-identity-dns-and-security/transcription-requests` — Idempotently request low-priority transcript generation for this episode.
- read_markdown: `GET https://stenobird.com/podcast/day-two-devops/d2do286-scaling-kubernetes-across-clouds-identity-dns-and-security.md` — Read the agent-friendly Markdown representation of this episode resource.

A page view does not enqueue transcription. Agents should invoke `request_transcript` explicitly when they need this episode processed.

## Transcript

Full transcripts are not published on public pages unless there is a clear rights basis.