Pulumi

Come see Engin Diri in Austin May 15th at KCD Texas. Stop Wasting GPUs: How We Built a Golden Path for GPU Sharing on Kubernetes.

We were at KubeCon EU 2026 in Amsterdam last week. The big theme: Most organizations have experimented with AI workloads on Kubernetes, but very few run them in production daily. That gap between experimentation and production defined every conversation at KubeCon EU 2026 in Amsterdam. At our booth, we talked to hundreds of engineers over four days. Almost everyone had a proof of concept. Almost nobody had a production story they were happy with. 67% of AI compute now goes to inference, not training. And that's where the operational complexity lives. The CNCF donations tell the story: llm-d for distributed inference (IBM, Red Hat, Google, NVIDIA, and a dozen more backing it), NVIDIA's DRA driver for fractional GPU allocation, KAI Scheduler for GPU-aware placement, and kagenti giving AI agents cryptographic identity via SPIFFE. These aren't speculative. They're the skeleton of a GPU-native Kubernetes stack. 13,350 attendees, and the community is building fast. But GPU multi-tenancy is still unsolved, shadow AI governance is a growing problem, and sovereignty requirements are reshaping infrastructure architecture. The gap between what exists and what production demands is where the interesting work happens. https://lnkd.in/g4kwDTzu

Supply chain attacks on CI pipelines are getting real. If a GitHub Action in your pipeline is compromised… what does it get? For most teams: • Everything in secrets. • Long-lived credentials • Tokens that work for weeks We weren’t comfortable with that. So across 70+ repos, we removed all static GitHub Secrets. Now: • Credentials are short-lived (OIDC) • Nothing is stored • Nothing persists If something runs in CI that shouldn’t, there’s nothing useful to steal. https://lnkd.in/gvVXnDCH

Pulumi IAM just got a lot more powerful. Earlier this year when we launched custom IAM roles, the feedback we got was that while the model was just what was needed, applying it at scale (across hundreds of stacks, environments, and accounts) was still too manual. We've addressed that with three new capabilities: 🏷️ Tag-based access control: Create rules within a custom role that grant permissions based on entity tags — across IaC stacks, ESC environments, and Insights accounts. 👥 Team role assignments: Assign custom roles directly to teams. When someone joins, they inherit the team's roles automatically. 🙋 User role assignments: Assign custom roles directly to individual members. Permissions are additive, so a user on two teams gets the union of both teams’ roles, plus any role assigned directly to them. Available now! Read the full launch post here: https://lnkd.in/gzAK4bk9

We just launched Terraform State Backend support in Pulumi Cloud (public beta). Platform teams can now store and manage Terraform state alongside Pulumi stacks — no code changes required. Your team keeps using the Terraform or OpenTofu CLI while you get encrypted state, update history, state locking, RBAC, audit policies, and unified resource visibility through Pulumi Insights. Migration from S3, Azure Blob, or GCS takes minutes. Read more about how it works and how to get started. https://hubs.ly/Q045PJ7l0

We just launched Terraform State Backend support in Pulumi Cloud (public beta). Platform teams can now store and manage Terraform state alongside Pulumi stacks — no code changes required. Your team keeps using the Terraform or OpenTofu CLI while you get encrypted state, update history, state locking, RBAC, audit policies, and unified resource visibility through Pulumi Insights. Migration from S3, Azure Blob, or GCS takes minutes. Read more about how it works and how to get started. https://hubs.ly/Q045PJ7l0

Pulumi Insights gives you visibility and governance across your entire cloud footprint, but enterprises with strict data residency, private network, or regulatory requirements need that work to run in their own environments. Today, Pulumi Insights supports customer-managed workflow runners for both SaaS and self-hosted Pulumi Cloud. Discovery Scans: Catalog every resource across AWS, Azure, GCP, and more, even inside private VPCs. Policy Evaluations: Enforce compliance with CIS, NIST, PCI DSS, and other frameworks using policy-as-code. Data Residency: All scan execution and credential handling stays entirely within your network. Flexible Hosting: Run on Linux, macOS, Docker, or Kubernetes — wherever your infrastructure lives. Teams already using customer-managed runners for Pulumi Deployments can handle Insights workflows with no additional infrastructure. Read the full announcement: https://hubs.ly/Q045cBxC0

Managing infrastructure on #GoogleCloud often starts simply but becomes more complex as projects and environments grow. This hands-on workshop introduces Infrastructure as Code on Google Cloud using familiar programming languages and established software engineering practices. You will see how infrastructure can be defined, deployed, and managed as code, and how this approach connects application and infrastructure workflows. The session focuses on practical #GCP use cases and shows how teams manage infrastructure consistently across projects and environments. It is designed for engineers who want a clearer, more reliable foundation for working with Google Cloud. Demo code: https://lnkd.in/gVinH-eW #InfrastructureAsCode #DevOps

Every failed deployment starts with an undetected config error. Pulumi ESC fn::validate enforces JSON Schema when you save an environment so invalid values fail immediately, not during deploy or in production. Define your rules once. Catch misconfigurations before they break production. Learn how it works: https://hubs.ly/Q043qsBl0 #DevOps #InfrastructureAsCode #DevSecOps #CloudSecurity