Kubernetes
deployment
Full Name: Kubernetes Container Orchestration
Definition
Kubernetes (often abbreviated as K8s) is an open-source container orchestration platform originally developed by Google and now maintained by the Cloud Native Computing Foundation (CNCF). It automates the deployment, scaling, and management of containerized applications across clusters of machines. In the EUDI Wallet ecosystem, Kubernetes serves as the standard infrastructure platform for running backend services including credential issuance endpoints, verification services, status registries, and trust framework components that must operate with high availability across the European Union.
Core Capabilities for Identity Infrastructure
Kubernetes provides several capabilities that are directly relevant to operating EUDI Wallet infrastructure at scale. Automatic horizontal scaling allows services to dynamically add or remove instances based on demand. During peak periods -- such as when a new credential type is launched or a Member State begins mass issuance -- Kubernetes automatically scales up the issuance services to handle the increased load, then scales back down when demand subsides.
Self-healing ensures that if a container crashes or a node becomes unhealthy, Kubernetes automatically restarts the failed component on a healthy node. For EUDI Wallet services that must maintain high availability (as citizen identity services are considered critical infrastructure), this capability significantly reduces downtime and manual intervention requirements.
Rolling updates enable zero-downtime deployments, allowing operators to update EUDI Wallet services with security patches, feature updates, or configuration changes without interrupting service availability. Kubernetes gradually replaces old instances with new ones, automatically rolling back if the new version fails health checks.
Service discovery and load balancing are built into Kubernetes, automatically distributing incoming requests across healthy instances of each service. This eliminates the need for external load balancing configuration and ensures efficient resource utilization across the cluster.
EUDI Wallet Microservices on Kubernetes
EUDI Wallet backends are typically architected as microservices, with each functional component running as a separate Kubernetes deployment. The credential issuance service handles OpenID4VCI protocol interactions. The presentation verification service processes OpenID4VP requests from relying parties. Status services manage credential validity and revocation lists.
Each microservice is packaged as a container image together with its dependencies, configuration, and runtime environment. Kubernetes manages the lifecycle of these containers through Deployments (ensuring that the desired number of replicas is running), Services (providing stable network endpoints), ConfigMaps and Secrets (managing configuration and sensitive data), and Ingress controllers (routing external traffic to the appropriate services).
The EU reference implementation of the EUDI Wallet provides Kubernetes deployment manifests (YAML configurations) and Helm charts that Member States can use as starting points for their national wallet infrastructure deployments. These templates include recommended resource limits, health check configurations, and security policies tailored to EUDI Wallet operational requirements.
Security and Compliance Considerations
Operating EUDI Wallet infrastructure on Kubernetes requires careful attention to security. Network policies define which services can communicate with each other, implementing the principle of least privilege at the network level. The credential issuance service might need to communicate with the key management service and the database, but should be isolated from the monitoring stack.
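As an added example (not taken from the page or from the EU reference implementation), the following NetworkPolicy manifests express that isolation for the issuance service: a namespace-wide default deny, followed by an egress allow list limited to cluster DNS, the key management service and the database. The namespace, pod labels and port numbers are assumptions chosen for illustration.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: eudi-backend             # assumed namespace for the wallet backend
spec:
  podSelector: {}                     # selects every pod in the namespace
  policyTypes: ["Ingress", "Egress"]  # listing a type with no rules denies that direction
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: credential-issuer-egress
  namespace: eudi-backend
spec:
  podSelector:
    matchLabels:
      app: credential-issuer          # assumed label on the OpenID4VCI issuance pods
  policyTypes: ["Egress"]
  egress:
    # Cluster DNS, so the issuer can resolve the service names it is allowed to reach.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    # Key management service: only its pods, only its API port (assumed values).
    - to:
        - podSelector:
            matchLabels:
              app: key-management
      ports:
        - protocol: TCP
          port: 8200
    # Database: only the issuer's database pods on the PostgreSQL port (assumed label).
    - to:
        - podSelector:
            matchLabels:
              app: issuer-db
      ports:
        - protocol: TCP
          port: 5432
# No rule mentions the monitoring stack, so the default deny keeps the issuer from
# reaching it; a separate ingress policy (not shown) admits traffic from the Ingress controller.
```

NetworkPolicy is enforced only when the cluster's CNI plugin supports it, so verify enforcement on the target cluster rather than assuming the manifest alone isolates the service.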
Kubernetes Secrets management handles sensitive configuration like database credentials, API keys, and cryptographic key material. For EUDI Wallet deployments, external secret management solutions (like HashiCorp Vault or cloud provider KMS services) are typically integrated with Kubernetes to provide hardware-backed secret storage and audit logging.
Service mesh technologies like Istio or Linkerd can be deployed on Kubernetes to provide mTLS between all services automatically, ensuring that inter-service communication is encrypted and authenticated without requiring changes to application code. This is particularly important for EUDI Wallet infrastructure where sensitive identity data flows between services.
Related Terms
Microservices
Architecture pattern orchestrated by Kubernetes
Load Balancer
Traffic distribution integrated with Kubernetes