True Cloud Sovereignty: Enforcing Regional Boundaries in Kubernetes - Seguridad Mania.com - España y América Latina

Sovereign cloud cannot rely on policy documents and network diagrams. It must be enforceable by design. Cloud providers are being asked a harder question: if a region is compromised—or a legal order is issued elsewhere—can you prove that customer data in another jurisdiction is technically unreachable? This session presents a pragmatic architecture implemented with k0rdent, a multi-cluster Kubernetes management platform, where sovereignty is enforced at three levels: • Network isolation: Regions operate default-deny. Connectivity exists only via explicit interconnect. There is no east–west trust. • Data in transit: Each region has its own certificate chain. mTLS is enforced with region-scoped intermediates. Cross-region authentication fails at the TLS layer—even if routing is present. • Data at rest: Control-plane secrets and configuration are encrypted with region-bound keys (HSM-backed via KMS v2). Object storage—S3, Blob, OpenStack Swift—stores encrypted artefacts only. Without the regional key, data cannot be decrypted. We will walk through practical implementation details: certificate lifecycle at scale, sovereign disaster recovery that rebuilds a region without violating residency, and operating across AWS, Azure, OpenStack, and national cloud providers. For cloud providers building EU or national sovereign offerings, this talk focuses on what you must implement—now—to make sovereignty technically defensible, not operationally assumed.