Back to blog
Architecture
AdvancedForPlatform EngineersArchitectsCloud Security Engineers
7 min

Sovereign by Design: Building a Sovereign Platform on Kubernetes

A practical 2026 architecture for digital sovereignty: treat sovereign cloud as three layers — data, operational, technical — and use Kubernetes, external key custody, and a real exit path to make sovereignty a design property instead of a marketing sticker.

sovereign-clouddigital-sovereigntykubernetesdata-residencykey-managementplatform-engineeringvendor-lock-in
Cover image: Sovereign by Design: Building a Sovereign Platform on Kubernetes
Contents

“Sovereign cloud” is the loudest phrase in European IT right now, and most of it is a sticker. Vendors slap it on a region, a contract clause, or a compliance certificate and call the platform sovereign. But sovereignty is not something you buy at the checkout — it is a property of how you architect. If it is not designed in, no label puts it there.

This is a practical, vendor-neutral architecture for building a genuinely sovereign platform. The core idea: stop treating sovereignty as one thing to procure, and start treating it as three independent layers you design for — with Kubernetes as the portability spine that ties them together.

This builds on a security foundation rather than replacing it. If your platform is not hardened first, sovereignty is moot — start from the secure-by-default GKE reference architecture and layer sovereignty on top.

Sovereignty Is Three Layers, Not One

The single biggest mistake is treating “sovereign” as a binary you either have or lack. It is really three separate questions, and a platform can score high on one while failing another.

The three layers of sovereignty — data residency and access, operational control, and technical portability — and what keeps each one yours.

  • Data sovereignty — Where does the data physically live, and who can legally compel access to it? Residency is only half; the legal reach over the operator is the other half.
  • Operational sovereignty — Who runs the control plane? Who can read, administer, or be compelled to expose the running system?
  • Technical sovereignty — Can you leave? Are your workloads portable, or welded to one provider’s proprietary APIs?

A typical “sovereign cloud” offering covers one of these convincingly and waves at the rest. Real sovereignty means designing for all three — so let’s take them in the order that gives you the most leverage.

The Freedom to Leave: Portability as the Real Test

Technical sovereignty has a brutally simple test: what does it cost you to leave?

If leaving a provider means rewriting your applications and re-architecting around a different set of proprietary services, you are locked in — and lock-in is the exact opposite of sovereignty. If leaving means redeploying the same manifests onto a different conformant cluster, you are sovereign at the technical layer.

Portability as the freedom to leave: proprietary services force a rewrite, while Kubernetes manifests redeploy unchanged across GKE, EKS, AKS or an EU-hosted cluster.

This is where Kubernetes earns its place — not as a container scheduler, but as the portability layer. Standard Kubernetes manifests, OCI images, Helm charts and infrastructure-as-code are conformant across every major platform and on-premises. The workload does not change when the ground underneath it does.

Portability is not free, though. The workload core travels; the edges do not — storage classes, ingress controllers, load-balancer annotations, and cloud identity integration are provider-specific and have to be abstracted or swapped deliberately. Real portability means keeping that core clean and the provider-specific edges thin and replaceable, not pretending nothing changes when you move.

The discipline is to keep your critical path on portable, standards-based components and to treat every proprietary managed service as a deliberate trade. A queue expressed as a Kubernetes workload moves anywhere; a queue that is a provider-specific API is an anchor.

# Portable: the workload is a standard object, not a vendor API.
# The same manifest runs on GKE, EKS, AKS, or an EU-hosted cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingest
spec:
replicas: 3
template:
spec:
containers:
- name: ingest
image: registry.example.eu/ingest:1.8.0 # your registry, your region
envFrom:
- secretRef:
name: ingest-config

Portability does not mean never using a managed service. It means knowing, for each one, exactly what leaving would cost — so “we could move” is a measured exit plan, not a comforting slogan.

Who Holds the Keys: Residency Is Not Custody

Here is the trap that sinks most “our data is in an EU region, so we’re sovereign” claims.

Data residency chooses where the bytes sit. It says nothing about who can read them. A provider operating under a foreign legal regime — the US CLOUD Act is the canonical example — can be compelled to hand over data regardless of which region it lives in. Residency alone does not stop that.

Key custody vs the CLOUD Act: when you hold the keys in an external manager, the provider stores only ciphertext and legal reach yields nothing readable.

The control that actually changes the outcome is key custody. The pattern that truly delivers it is HYOK (hold your own key) — an external key manager such as Google’s External Key Manager (EKM) or AWS XKS, where the provider calls out to your key service to decrypt and never holds the key material itself. Plain BYOK, where you import a key into the provider’s own KMS, is weaker: the provider does hold the key, so it defends against a different and smaller threat. With true external custody:

  • The provider stores your data encrypted, and ciphertext without your key is noise.
  • If they are legally compelled to hand data over, what they can produce is that same worthless ciphertext.
  • Revoke access to the key and new decryptions stop everywhere at once — already-cached data keys age out shortly after — which is effectively crypto-shredding the data.

Residency and key custody are complementary: residency answers “where,” custody answers “who can read it.” Custody is the one that turns a legal request into a non-event.

Keys are the whole game at the identity layer too. The same “no long-lived secret to seize” principle applies to workload credentials — see Kill Your Service Account Keys with Workload Identity Federation.

Operational Sovereignty: Who Can Read and Run It

The quietest layer is operational. Even with portable workloads and customer-held keys, sovereignty leaks if the people operating the plane can silently read or administer your systems from outside your jurisdiction.

Designing for operational sovereignty means:

  • EU-only operations for regulated workloads — support and administration performed within the jurisdiction, not routed globally.
  • Access transparency — every provider-side access to your environment is logged and visible to you, so “trust us” becomes “verify.”
  • Least privilege and just-in-time access — no standing administrative access; elevation is scoped, time-boxed, and audited.
  • Your own audit trail — logs shipped to storage you control, so the record of who did what does not depend on the provider’s goodwill.

None of this is exotic. It is the same access-control discipline you already apply to your own teams, extended to the provider as an untrusted operator.

Sovereignty Without Dogma: A Decision Framework

The failure mode on the other side is treating sovereignty as a purity test and paying a heavy velocity tax to make a marketing brochure with zero real workloads. Sovereignty is a spectrum, and you apply it by classification, not by reflex.

A pragmatic frame:

  1. Classify the workload. Regulated or high-sensitivity data, or a system whose compromise is existential? It earns the full treatment: portable components, external key custody, operational controls. A stateless internal tool with no sensitive data? A convenient managed service is a perfectly rational trade.
  2. Measure the lock-in, don’t assume it. For each proprietary dependency in the critical path, write down the real cost of leaving. Some are cheap to swap; some are anchors. You cannot manage what you have not measured.
  3. Design the exit before you need it. Portability that has never been exercised is a hope, not a capability. Keep the option real: standard manifests, your own registry, keys you hold, infrastructure-as-code that can target a second platform.

Applied this way, sovereignty stops being a religious argument and becomes an engineering trade-off you make consciously, workload by workload.

The Honest Limits

Sovereignty has a cost, and pretending otherwise is how you end up resenting it. Portable, standards-based components sometimes mean giving up the slickest proprietary service. External key custody adds operational complexity and a failure mode of its own — lose the key and the data really is gone. Full operational sovereignty can raise support costs. And no architecture removes the legal reality that if you run on a provider at all, you are trusting something.

The point is not maximal sovereignty everywhere. It is that sovereignty becomes a property you designed on purpose — measured, classified, and exercised — instead of a sticker someone sold you. Build the three layers deliberately, keep the exit real, hold your own keys, and “sovereign” stops being a claim you hope survives scrutiny and becomes one you can actually demonstrate.

Frequently asked questions

What does 'sovereign cloud' actually mean technically?

It is not a single product or certificate. Technically, sovereignty splits into three independent layers. Data sovereignty is about where data physically lives and, more importantly, who can legally compel access to it. Operational sovereignty is about who runs the control plane and who can read or administer the system. Technical sovereignty is about portability — whether you can leave a provider without rewriting your workloads. A 'sovereign cloud' offering usually addresses one of these strongly and the others weakly, which is why you have to design for all three rather than trust a label.

Is data residency enough for sovereignty?

No. Residency decides where the bytes are stored, but not who can read them. A provider subject to a foreign legal regime (for example the US CLOUD Act) can be compelled to hand over data regardless of the region it sits in. The control that actually matters is key custody: if you hold the encryption keys in an external key manager or HSM that the provider cannot export, then what the provider stores and could be compelled to hand over is ciphertext — worthless without your key. Residency plus external key custody together are far stronger than residency alone.

How does Kubernetes help with digital sovereignty?

Kubernetes, together with OCI container images and infrastructure-as-code, is the portability layer. When your workloads are expressed as standard manifests rather than wired into one provider's proprietary services, leaving becomes redeploying the same artifacts on another conformant cluster — GKE, EKS, AKS, or an EU-hosted / on-prem cluster — instead of re-architecting. That freedom to leave is the technical half of sovereignty. It does not solve data or operational sovereignty by itself, but it removes the lock-in that makes those choices impossible to act on.

Does a sovereign platform mean giving up managed cloud services?

Not entirely, but it changes how you choose them. Every proprietary managed service you adopt trades some technical sovereignty for velocity. The pragmatic approach is to classify workloads: for high-sensitivity or regulated data, prefer portable, standards-based components and external key custody; for low-risk workloads, using a convenient managed service is a perfectly reasonable trade. Sovereignty is a spectrum you apply deliberately, not an all-or-nothing purity test.

Where should I start making an existing platform more sovereign?

Start with key custody, because it gives the largest reduction in exposure for the least architectural change: move encryption keys to an external key manager you control so that residency actually means something. Next, inventory your lock-in — list every proprietary service in the critical path and note the cost of leaving it — so 'portability' stops being a slogan and becomes a measured exit plan. Then address operational sovereignty (who can read and administer the plane) and only re-platform workloads where the risk classification justifies the effort.

From the community

Discussion on the Fediverse

Replies from Mastodon and Bluesky — straight from the open web, no tracking.

Loading replies …

ENDE