by insomniacity 2080 days ago
I feel like this completely misses the security and compliance reasons - it may in fact be easier to build a Kubernetes platform internally than to do all the work necessary to safely host confidential/HIPAA/mission critical information in the public cloud.

And of course some organisations do both - public cloud for new stuff which can be secure from day 1, and internal platforms for the keys to the kingdom or legacy stuff.

1 comments

Considering how many security controls my FISMA Moderate-classed SaaS inherits from my cloud vendor, I very much doubt it's easier to build any platform internally, if we're only considering regulatory compliance.
There’s paperwork compliance, and then there’s security and risk controls performance validated compliance.

It may be more difficult if "we signed a contract, trust the compliance report" is not an acceptable answer for a particular risk management audit or regulator.

If we're in "we can't rely on the 3PAO's assessment or the JAB's (or DISA's) review of this cloud vendor" territory, then we're probably dealing with workloads far more sensitive than FISMA High or Secret, in which case it absolutely makes sense to DIY.

But most workloads aren't that special.