Platform teams that hand off raw Kubernetes clusters to developers create hidden risk. Without baked-in policy, observability, and access controls, every team’s cluster becomes a governance exception waiting to fail in production. As AI agents begin interacting with infrastructure directly, the blast radius of an unconstrained cluster grows significantly larger.
In this interview on TFiR, Corey McGalliard, Engineering Manager at Akamai Cloud, walks through how Akamai provisions opinionated, production-ready Kubernetes clusters using a CNCF-native stack, covering GitOps automation, policy enforcement, and full-stack observability.
Guest: Corey McGalliard, Engineering Manager at Akamai Cloud
Show: TFiR
Here is what every platform engineer and infrastructure team needs to know.
Technical Deep Dive
Q: What does the CNCF and open source stack look like inside Akamai Cloud?
Corey McGalliard, Engineering Manager at Akamai Cloud, explains that Akamai’s internal platform stack is built on Kubernetes and uses a combination of Crossplane and Argo CD to provision clusters internally. The observability layer runs OpenTelemetry, Grafana, Loki, and Prometheus as standard components. Kyverno handles policy enforcement across all cluster interactions.
“The stack that we’re working on is obviously built on Kubernetes. Right now we’re using a combination of Crossplane, Argo CD to kind of provision clusters internally.” — Corey McGalliard, Engineering Manager, Akamai Cloud
Q: Why does Akamai treat Kubernetes clusters as cheap and hand them directly to teams?
McGalliard describes a model where clusters are inexpensive enough to assign per team, giving each team full ownership of its build surface. The goal is a faster time to delivery and a shorter path to production. Rather than sharing cluster resources across teams, this approach isolates blast radius and lets teams move independently.
“Clusters are cheap, so we hand them to teams and the teams are able to build on top of that.” — Corey McGalliard, Engineering Manager, Akamai Cloud
Q: What capabilities are built into every cluster before it reaches an engineering team?
McGalliard clarifies that teams do not receive a vanilla cluster. Every cluster arrives with expectations already enforced: defined communication policies, observability tooling already configured, and access controls applied. The platform team’s job is to build these capabilities in at provisioning time so the engineering team can focus entirely on their workload.
“You don’t just get a cluster. We have expectations of what that cluster looks like, who can communicate with it. You get a position to where you have all of these capabilities built into it that we then hand to the engineer.” — Corey McGalliard, Engineering Manager, Akamai Cloud
Q: How does Akamai use Kyverno to enforce policy across Kubernetes clusters?
McGalliard positions Kyverno as the policy enforcement layer that governs what can be applied to a cluster regardless of who or what initiates the action. The explicit scope includes interns, senior engineers, and AI agents. This consistent enforcement model ensures that policy is not a manual review step but a structural constraint at the cluster level.
“It doesn’t matter whether it’s an intern, a senior engineer or an AI agent that’s thinking about interacting with these clusters. How do we make sure that what is applied against the cluster is safe to go out into production.” — Corey McGalliard, Engineering Manager, Akamai Cloud
Q: What observability tools does Akamai standardize on for its Kubernetes platform?
McGalliard describes the observability stack as a standard combination of OpenTelemetry for instrumentation, Prometheus for metrics collection, Grafana for visualization, and Loki for log aggregation. He characterizes this stack as typical and treats it as a baseline capability included in every cluster handed to an engineering team.
“The observability stack, that’s pretty typical. So OpenTelemetry, Grafana, Loki, Prometheus.” — Corey McGalliard, Engineering Manager, Akamai Cloud
Resources & Documentation
- Akamai Cloud, cloud computing platform from Akamai Technologies
- Crossplane, CNCF project for provisioning and managing cloud infrastructure using Kubernetes APIs
- Argo CD, declarative GitOps continuous delivery tool for Kubernetes
- Kyverno, CNCF policy engine designed for Kubernetes
- OpenTelemetry, CNCF observability framework for traces, metrics, and logs
- Prometheus, CNCF open source metrics monitoring and alerting toolkit
- Grafana, open source observability and data visualization platform
- Loki, log aggregation system designed to work with Grafana
***
👇 Click to Read Full Raw Transcript
Swapnil Bhartiya: Since you mentioned CNCF tool. So I would also love to know what does the CNCF or open source stack looks like inside Akamai and Akamai Cloud? So the stack that we’re working on is obviously built on Kubernetes. Right. Right now we’re using a combination of crossplane, Argo CD to kind of provision clusters internally. And the way we approach it is clusters are cheap, so we hand them to teams and the teams are able to build on top of that. But the core of what we’re looking at is you don’t just get a cluster. We have expectations of what that cluster looks like, allow us to get against it, who can communicate with it. You have the ability to focus on the observability aspects of it, just get a vanilla cluster. But you get a position to where you have all of these capabilities built into it that we then hand to the engineer. Right. And so we’re trying to give you a faster time to delivery, like a faster path to production. And that’s kind of, kind of the goal. So that looks like again, Argo, Crossplane. You asked me about the things we’re using Crossplane, the observability stack. That’s pretty typical. So OpenTelemetry, Grafana, Loki, Prometheus. I’m trying to think of some of the. Oh Kyberno as a policy agent like. So again, we need to be very aware of kind of what’s happening in our cluster and Right. Policies so that it doesn’t matter whether it’s an intern, a senior engineer or an AI agent that’s thinking about like interacting with these clusters. How do we make sure that what is applied against the cluster is like safe, safe to go out into production.





