A Shared Kernel Is a Shared Trust Domain

Containers isolate processes, not trust boundaries. When your platform runs untrusted code, the architectural question is where you place the kernel boundary, and what that costs in memory, latency, and operational complexity.

February 2, 2026 · 18 min

Inside GKE Workload Identity: How Kubernetes Identities Become GCP Service Accounts

GKE Behind the Scenes: Understanding the Interaction Between Kubernetes and GCP Service Accounts Through The Metadata Server.

August 1, 2024 · 9 min