Kubernetes Podcast from Google – Episode: Platform Engineering, GitOps and AI with Pierre-Gilles Mialon and Glenn Yu
Release Date: July 25, 2025
In this enlightening episode of the Kubernetes Podcast from Google, hosts Abdel Sghiouar and Kaslin Fields engage in a comprehensive discussion with Google Developer Experts Pierre-Gilles Mialon and Glenn Yu. The conversation delves deep into the realms of platform engineering, GitOps, and AI, offering valuable insights for Kubernetes enthusiasts and professionals alike.
1. Exploring GitOps: Principles and Practices
The episode kicks off with an in-depth exploration of GitOps, a methodology centered around using Git as the single source of truth for infrastructure and application deployments.
Pierre-Gilles Mialon explains, “GitOps is a practice that exists for nearly seven or eight years. The tools have changed during this period and now we have a great way to ensure that what is running is really what we want.” [03:26]
Abdel Sghiouar connects GitOps to Kubernetes, noting its reliance on reconciliation: “GitOps just leverages the reconciliation concept in Kubernetes, right?”
Pierre-Gilles elaborates on GitOps’ advantages, emphasizing traceability and consistency. “GitHub ensures you all the git principles so you know that if something changes, someone has committed something. And so you have traceability, you have reversibility because you can roll back.” [04:00]
2. GitOps Tools: KRM vs. Terraform/Pulumi
A significant portion of the discussion contrasts Kubernetes Resource Model (KRM) with traditional infrastructure-as-code tools like Terraform and Pulumi.
Pierre-Gilles advocates for KRM, highlighting its ability to avoid configuration drift and its purely declarative nature: “YAML is not the best thing in the world, but it's purely declarative. So there is no language. This is a description.” [05:45]
He further critiques Terraform’s maintenance overhead: “One of the most issue with Terraform... you have to update your code when the cloud provider changes their API.” [06:28]
In contrast, KRM offers seamless reconciliation aligned with Kubernetes’ principles. “It's a Kubernetes spirit. So even if it doesn't work, your resource cannot be ready for one hour because it took many times to reconcile the dependency of this resource.” [06:59]
3. Kubernetes Resource Orchestrator (Kero)
The conversation transitions to Kero, the Kubernetes Resource Orchestrator, which addresses dependency management within Kubernetes.
Pierre-Gilles praises Kero’s abstraction capabilities: “You can abstract the provider and through YAML and the second one is collection of YAML you need is abstracted too.” [10:49]
He underscores Kero’s role in enforcing security and best practices by restricting developers from creating unauthorized resources: “There is a security issue behind this because you can offer the opportunity to your developers to deploy my database type CRD but ensure that they won't be able to create cloud SQL instances.” [10:49]
Abdel concurs, appreciating Kero’s ability to hide certain security configurations: “That's actually one of the features I like about Kero, which is simplifying or hiding certain security things that I don't want developers to create.” [09:34]
4. Security Challenges in Platform Engineering
Shifting focus to security, the guests discuss the concept of Shift Down Security and the limitations of Shift Left approaches.
Glenn Yu introduces the topic: “Policy as code takes that principle, that infrastructure as code solved for infrastructure. And I was applying it to securing and hardening the resources that you've already deployed.” [11:15]
He emphasizes that security is a collective responsibility: “Security is everybody's responsibility. It's not just developers, but also platform teams, the security teams, they need to do their part to make sure everything's secure.” [14:06]
Pierre-Gilles adds, “One of the issues with Kubernetes is when it was created to ensure that you can run everything. Running everything is not a good idea... the default policy on a Kubernetes server are far too permissive.” [16:12]
5. Policy as Code and Tools like Kyverno
The discussion delves into Policy as Code, with Glenn Yu highlighting tools like Kyverno that enforce policies inside Kubernetes clusters at admission time.
Glenn explains, “You can use policies in your Kubernetes clusters. Let's say you have to have a certain tag, it needs to have a service account or it cannot be in the default namespace...” [12:25]
These policies act as automated guards, ensuring that deployments adhere to predefined standards without constant manual oversight.
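The kind of guardrails Glenn describes (a required tag, an explicit service account, nothing deployed into the default namespace) written as a single Kyverno ClusterPolicy. This is an added example for illustration, not a policy from the episode or from the Kyverno project; the policy name, the `team` label key and the set of matched kinds are assumptions you would adapt to your own platform standards.

```yaml
# Added example (not from the episode): three admission-time guardrails
# in one Kyverno ClusterPolicy. Names and label keys are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-workload-guardrails   # assumed name
spec:
  # Enforce = the API server rejects non-compliant requests.
  # Start with Audit to see violations in PolicyReports before blocking.
  validationFailureAction: Enforce
  # Also scan existing resources, not only new admission requests.
  background: true
  rules:
    # 1. "You have to have a certain tag": every Pod carries a team label,
    #    so ownership of a running workload is always traceable.
    - name: require-team-label
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Every Pod must carry a non-empty 'team' label."
        pattern:
          metadata:
            labels:
              team: "?*"          # any non-empty value

    # 2. "It needs to have a service account": Pods must run under an
    #    explicitly named ServiceAccount, not the namespace's default one.
    - name: require-explicit-service-account
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Pods must set spec.serviceAccountName to something other than 'default'."
        pattern:
          spec:
            serviceAccountName: "!default"

    # 3. "It cannot be in the default namespace": deny workload objects
    #    whose request targets the default namespace.
    - name: disallow-default-namespace
      match:
        any:
          - resources:
              kinds:
                - Pod
                - Deployment
                - StatefulSet
                - DaemonSet
                - Job
                - CronJob
      validate:
        message: "Workloads may not be created in the 'default' namespace."
        deny:
          conditions:
            any:
              - key: "{{ request.namespace }}"
                operator: Equals
                value: default
```

Kyverno automatically generates the equivalent rules for Pod controllers when a rule matches `Pod`, so the first two rules also reject a Deployment whose Pod template violates them. Applying the policy in `Audit` mode first and reviewing the resulting PolicyReports is the usual way to find out what an existing cluster would break before switching to `Enforce`.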
6. Alternative Orchestrators: Nomad
Abdel introduces the topic of HashiCorp Nomad, questioning its relevance in the Kubernetes-dominated landscape.
Pierre-Gilles provides context on Nomad’s niche usage: “It's got a really small market share... some niche industries do use it.” [17:04]
Glenn Yu adds, “Nomad was a good, easier alternative, especially for smaller companies back then. Who didn't have the knowledge to handle or the people to handle the complexity of Kubernetes.” [17:09]
They acknowledge Nomad’s position between Docker Swarm and Kubernetes in terms of complexity and functionality.
7. GitOps Tools Showdown: FluxCD vs. Argo CD
The final major topic compares two leading GitOps tools: FluxCD and Argo CD.
Pierre-Gilles champions FluxCD for its adherence to Kubernetes principles: “It's in the spirit of Kubernetes. It respects everything. The role-based access control of Kubernetes is that we wrote something above it.” [18:32]
Glenn Yu shares his preference, appreciating FluxCD’s command-line interface: “I really like the command line aspect of FluxCD a lot more. Argo CD is a little bit more visual...” [18:45]
Pierre-Gilles emphasizes FluxCD’s seamless integration with CI/CD pipelines: “The idea is that you don't want to lose your time opening a web UI because normally if everything is good, continue to work on your... if it succeeds you have a notification that tell you the development is okay.” [19:11]
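To make the FluxCD points concrete (reconciling from Git, running under Kubernetes RBAC rather than above it, and getting a notification instead of watching a web UI), here is an added example of a Flux GitRepository, Kustomization, notification Provider and Alert. It is not configuration from the episode or from the Flux project; the repository URL, the `platform-apps` and `team-a` names, the `team-a-deployer` ServiceAccount, the Slack provider and its secret, and the `notification.toolkit.fluxcd.io/v1beta3` API version are assumptions that depend on your setup and on the Flux release you run.

```yaml
# Added example (not from the episode): a Flux reconciliation that is
# scoped by Kubernetes RBAC and reports its outcome through an Alert.
# All names, URLs and the Slack secret are assumptions.
---
# Git is the source of truth: Flux polls this branch on an interval.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: platform-apps              # assumed
  namespace: team-a                # assumed tenant namespace
spec:
  interval: 1m
  url: https://git.example.com/platform/apps   # assumed, placeholder URL
  ref:
    branch: main
  secretRef:
    name: platform-apps-git-auth   # assumed Secret holding read-only credentials
---
# The Kustomization applies what is in Git and keeps it that way.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: platform-apps
  namespace: team-a
spec:
  interval: 5m
  path: ./apps/team-a              # assumed path inside the repo
  sourceRef:
    kind: GitRepository
    name: platform-apps
  # Reversibility: a revert in Git removes resources from the cluster too.
  prune: true
  # "Respects RBAC": the apply runs with this ServiceAccount's permissions,
  # so a tenant can only create what the platform team has allowed via
  # Roles/RoleBindings, not whatever the Flux controller itself can.
  serviceAccountName: team-a-deployer   # assumed, bound to a namespaced Role
  targetNamespace: team-a
  # Wait for applied workloads to become ready before reporting success.
  wait: true
  timeout: 3m
---
# Where notifications go; the webhook URL lives in a Secret, not in Git.
apiVersion: notification.toolkit.fluxcd.io/v1beta3   # assumed; check your Flux version
kind: Provider
metadata:
  name: slack-team-a
  namespace: team-a
spec:
  type: slack
  channel: team-a-deploys          # assumed
  secretRef:
    name: slack-webhook            # assumed Secret with key 'address'
---
# "If it succeeds you have a notification": emit events for the
# Kustomization above, including successful reconciliations.
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
  name: platform-apps-status
  namespace: team-a
spec:
  providerRef:
    name: slack-team-a
  eventSeverity: info              # info = success and failure; error = failures only
  eventSources:
    - kind: Kustomization
      name: platform-apps
```

The design point is the `serviceAccountName` on the Kustomization: the reconciler impersonates a namespaced ServiceAccount, so a tenant who can push to the repository still cannot create cluster-scoped or cross-namespace objects unless a RoleBinding grants it. Pairing that with the Alert gives the workflow Pierre-Gilles describes, where a green or red message arrives in chat and the web UI is only needed when something needs investigating.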
8. Conclusion
The episode wraps up with the hosts expressing gratitude to Pierre-Gilles and Glenn for their valuable insights. They highlight the importance of adopting robust GitOps practices, leveraging the right tools, and prioritizing security within platform engineering.
Key Takeaways:
- GitOps offers a declarative, version-controlled approach to infrastructure and application management, ensuring consistency and traceability.
- KRM is favored over tools like Terraform for its seamless reconciliation with Kubernetes and reduced maintenance overhead.
- Kero enhances Kubernetes’ capability by managing dependencies and enforcing security policies through abstraction.
- Shift Down Security advocates for security-by-design within platforms, distributing responsibility across teams rather than solely relying on developers.
- Policy as Code tools like Kyverno are essential for automating and enforcing security standards within Kubernetes environments.
- FluxCD and Argo CD represent two robust GitOps tools, each with its own strengths catering to different use cases and preferences.
This episode provides a wealth of knowledge for those looking to optimize their Kubernetes deployments, implement effective GitOps strategies, and ensure robust security within their platform engineering practices.
