Odyssey Platform # 05

Another exciting week in the Platform Engineering ecosystem!

Editor's Note
Welcome to another edition of Odyssey Platform Weekly! This week, we’re diving into fresh insights, key events, and powerful stories shaping the future of platform engineering.

🗞️ In this newsletter

🗓️ Events

🔦 Tool Spotlight

  • Kagent is an open‑source, Kubernetes‑native framework that lets you run AI agents straight in your cluster. It automates everything from troubleshooting and configuration to deployments, no YAML or CLI needed!

🔍️ Deep Dive

  • Discover how Workload Identity works using the Kubernetes Service Account and Google Service Account

🎯 Stay Inspired - Case Studies

👀 In Case you missed it

  • Latest news & events in the platform engineering domain

📆 Upcoming Events

🚀 PlatformCon 2025

📅 Jun 23-27, 2025 – Virtual
The platform engineering event of the year is back 🔥
👉 Register here

🔦 Tool Spotlight

Kagent is like having an AI-powered teammate inside your Kubernetes cluster. It gives you a flexible way to run intelligent agents that can troubleshoot issues, manage deployments, and automate tasks using natural language.

With built-in tools for Kubernetes, ArgoCD, Prometheus, Helm, and more, Kagent helps your platform handle everything from canary rollouts to security policy enforcement, without you needing to write custom scripts.

It’s built on open standards like the Model Context Protocol and Microsoft’s AutoGen, so you can plug in your favourite AI assistant and start getting real work done, faster and smarter.

🚀 Demystifying Kubernetes to Google Cloud Authentication: The Workload Identity Magic

Ever wondered how your Kubernetes pods securely access Google Cloud resources without managing service account keys?

In this edition, we explore the elegant dance of Workload Identity!

Kubernetes Service Account <-> Google Service Account

🎬 Act 1: The Pod Awakens

When your pod starts its journey, something special happens: Kubernetes automatically mounts a service account token at /var/run/secrets/kubernetes.io/serviceaccount/token. Think of this as your pod's ID card: it proves which Kubernetes Service Account (KSA) the pod is running as! 🆔

🎪 Act 2: The Application Calls Home

Here's where it gets interesting. Your application code is beautifully simple:

from google.cloud import storage

# No credentials passed in: the client library falls back to Application
# Default Credentials, which inside GKE means asking the metadata server. ✨
client = storage.Client()
bucket = client.bucket('my-bucket')

No API keys. No JSON files. No secrets to rotate. Just pure simplicity! 🎯

🔄 Act 3: The Token Exchange Dance

Behind the scenes, an intricate ballet unfolds:

1. The Discovery 🔍

The Google Cloud SDK, given no explicit credentials, falls back to Application Default Credentials and detects it's running in GKE (smart, right?)

2. The Journey 🚶 

Your KSA token travels to a special address: 169.254.169.254. (Fun fact: this is a link-local address that most cloud providers use for their instance metadata service; on GKE with Workload Identity enabled, the GKE metadata server answers it on each node!)

3. The Validation ✅ 

The metadata server performs three crucial checks:

  • Is this KSA token valid?

  • Which GSA is it linked to?

  • Does the IAM binding exist?

But wait - how do we set up this magical binding? One simple command:

gcloud iam service-accounts add-iam-policy-binding \
myapp-gsa@PROJECT_ID.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[default/myapp-ksa]"
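The three checks above rest on two pieces of configuration: the iam.gke.io/gcp-service-account annotation on the KSA, which tells the metadata server which GSA the pod is linked to, and the roles/iam.workloadIdentityUser binding that the gcloud command above creates. As an added example that is not part of the newsletter, the Python below audits one such link offline: it takes a KSA object (in the shape kubectl get serviceaccount -o json returns) and the GSA's IAM policy (in the shape gcloud iam service-accounts get-iam-policy --format=json returns), rebuilds the member string GKE presents during the exchange, and reports whether the exchange would succeed and who else is allowed to impersonate the GSA. The samples are constructed, PROJECT_ID and the account names are placeholders, and the check functions are this example's own, not part of any Google library.

```python
"""Offline audit of one GKE Workload Identity link: KSA annotation -> GSA -> IAM binding.

Added example, not code from the newsletter. The inputs are constructed samples
in the shape returned by `kubectl get serviceaccount -o json` and
`gcloud iam service-accounts get-iam-policy --format=json`; PROJECT_ID and the
account names are placeholders, not real resources.
"""

# Annotation GKE reads on the KSA to learn which GSA the pod should act as.
ANNOTATION = "iam.gke.io/gcp-service-account"
# Role the GSA must grant to the KSA principal for the token exchange to succeed.
WI_ROLE = "roles/iam.workloadIdentityUser"

# Constructed samples ----------------------------------------------------------
PROJECT_ID = "PROJECT_ID"  # placeholder, as in the newsletter's gcloud command

KSA_OK = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": "myapp-ksa",
        "namespace": "default",
        "annotations": {ANNOTATION: "myapp-gsa@PROJECT_ID.iam.gserviceaccount.com"},
    },
}

# Same KSA, but nobody added the annotation: the pod gets no GSA token at all.
KSA_NO_ANNOTATION = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": "myapp-ksa", "namespace": "default"},
}

# IAM policy on the GSA exactly as the newsletter's gcloud command would leave it.
POLICY_OK = {
    "bindings": [
        {
            "role": WI_ROLE,
            "members": ["serviceAccount:PROJECT_ID.svc.id.goog[default/myapp-ksa]"],
        }
    ],
    "version": 1,
}

# Same policy with a second KSA allowed to impersonate the GSA.
POLICY_WIDE = {
    "bindings": [
        {
            "role": WI_ROLE,
            "members": [
                "serviceAccount:PROJECT_ID.svc.id.goog[default/myapp-ksa]",
                "serviceAccount:PROJECT_ID.svc.id.goog[dev/scratch-ksa]",
            ],
        }
    ],
    "version": 1,
}


def expected_member(project_id, namespace, ksa_name):
    """Build the IAM member string GKE presents for a KSA during the exchange."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def check_link(project_id, ksa, policy):
    """Return (exchange_would_succeed, findings) for one KSA and its GSA's IAM policy."""
    findings = []
    meta = ksa["metadata"]
    namespace = meta.get("namespace", "default")
    name = meta["name"]
    gsa = meta.get("annotations", {}).get(ANNOTATION)

    if not gsa:
        findings.append(f"KSA {namespace}/{name}: missing {ANNOTATION} annotation; "
                        "the metadata server has no GSA to mint a token for")
        return False, findings

    member = expected_member(project_id, namespace, name)
    wi_members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == WI_ROLE:
            wi_members.update(binding.get("members", []))

    ok = member in wi_members
    if not ok:
        findings.append(f"GSA {gsa}: no {WI_ROLE} binding for {member}; "
                        "the token exchange will be refused")

    # Every other member on this role is another workload that can act as the GSA.
    for other in sorted(wi_members - {member}):
        findings.append(f"GSA {gsa}: also impersonable by {other}; confirm that workload needs it")

    return ok, findings


if __name__ == "__main__":
    for label, ksa, policy in [("happy path", KSA_OK, POLICY_OK),
                               ("no annotation", KSA_NO_ANNOTATION, POLICY_OK),
                               ("extra member", KSA_OK, POLICY_WIDE)]:
        ok, findings = check_link(PROJECT_ID, ksa, policy)
        print(f"[{label}] exchange works: {ok}")
        for finding in findings:
            print("  -", finding)
```

The third case is the one worth watching in a real cluster: the happy-path KSA still works, but a second KSA in another namespace has quietly been granted the same GSA. Pointing the script at the real objects (kubectl and gcloud output piped through json.load) turns it into a quick review of who can act as each GSA.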

🎁 Act 4: The Token Transformation

Once validated, the metadata server performs its magic:

  • Generates a short-lived Google Service Account token

  • Returns it to your application

  • This token carries all the GSA's permissions

Think of it as exchanging your company badge for a VIP pass! 🎫

🏁 Act 5: The Grand Finale

Your application now holds the golden ticket:

  • Uses the GSA token for all API calls

  • Google Cloud APIs validate and honor it

  • Operations execute with proper permissions

The result? Seamless, secure access to Google Cloud resources without a single hardcoded credential! 🔐 

💡 Why This Matters

Security Win: No more service account keys lying around

Ops Win: No more key rotation nightmares

Dev Win: Clean, simple code that just works

🎯 Key Takeaway

Workload Identity transforms the complex challenge of cross-platform authentication into an elegant, automated solution. It's like having a universal translator between Kubernetes and Google Cloud - they speak different languages, but Workload Identity makes them best friends! 🤝 

🎯 Stay Inspired - Case Studies

  • Macquarie Bank’s next-generation Cloud Control Plane

    Macquarie shares a 3-part deep dive into how they built their next-generation Cloud Control Plane—an internal developer platform that balances golden paths with governance, enabling scalable cloud self-service.

  • Part 1: The Why 

    Why Macquarie needed a new control plane and how platform engineering became the foundation for scale, control, and speed.

  • Part 2: Workflow Bots & Golden Paths

    A look at how Argo Workflows and bot-driven automation helped create structured and repeatable golden paths for developers.

  • Part 3: Streamlining the Developer Experience

    The final build: How Macquarie aligned tooling, user journeys, and governance guardrails to ship a polished platform experience.

👀 In Case You Missed It…

93% of teams report using GitOps practices, but only 35% have adopted advanced features like continuous reconciliation and auto-rollbacks. The survey shows growing interest, but maturity levels still vary widely.

The Gemini CLI is a new open-source tool built on Google's Gemini 1.5 Pro that brings AI-powered automation to the terminal. Unlike traditional CLI tools, it runs multi-turn conversations, reads local context, and executes shell commands safely within your environment. Designed to simplify DevOps workflows, it supports plugin-based extensibility, offline use, and audit logs—making it a powerful AI copilot for engineers who live in the terminal.

GitLab has rolled out major updates to its CI/CD platform, introducing unified pipeline execution across hybrid and multi-cloud environments. This enhancement allows jobs to run seamlessly across GitLab-hosted and self-managed runners, improving flexibility for regulated industries and distributed teams. The update also includes stronger security posture management, pipeline catalog enhancements, and tighter integration with GitLab Duo, its AI-powered assistant for DevSecOps workflows.

Till next time,