Data residency requirements dictate where data can be stored and processed. For organizations running multi-cloud Kubernetes, this creates complex placement constraints that go far beyond simple region selection.
Why Data Residency Matters
Regulations like GDPR (EU), LGPD (Brazil), PIPL (China), and sector-specific rules (financial, healthcare) require:
- Data at rest: Must be stored within specific geographic boundaries
- Data in transit: May not traverse certain jurisdictions
- Data processing: Computation must happen where the data resides
- Data sovereignty: Government access laws vary by jurisdiction
Violating these requirements carries fines up to 4% of global revenue (GDPR) or criminal penalties (PIPL).
Architecture Patterns
Pattern 1: Regional Clusters
Deploy separate Kubernetes clusters per region:
clusters:
eu-west:
provider: AWS
region: eu-west-1
data_classification: [EU-PII, GDPR]
us-east:
provider: Azure
region: eastus
data_classification: [US-PII, HIPAA]
ap-southeast:
provider: GCP
region: asia-southeast1
data_classification: [APAC-PII, PDPA]Pattern 2: Namespace-Level Isolation
Single cluster with namespace-based data boundaries:
apiVersion: v1
kind: Namespace
metadata:
name: eu-data
labels:
data-residency: eu
compliance: gdpr
annotations:
scheduler.alpha.kubernetes.io/node-selector: topology.kubernetes.io/region=eu-west-1Pattern 3: Policy-as-Code Enforcement
Use OPA/Gatekeeper or Kyverno to enforce residency:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: enforce-data-residency
spec:
rules:
- name: eu-data-stays-in-eu
match:
resources:
kinds: [Pod]
namespaces: ["eu-*"]
validate:
message: "EU data workloads must run on EU nodes"
pattern:
spec:
nodeSelector:
topology.kubernetes.io/region: "eu-*"Multi-Cloud Considerations
Cross-Region Communication
When services in different regions need to communicate:
- Data minimization: Send only necessary fields, strip PII before cross-region calls
- Tokenization: Replace sensitive data with tokens, keep token-to-data mapping in the origin region
- Edge processing: Process and aggregate data locally, send only anonymized results
Database Strategy
- Per-region databases: Each region has its own database instance. Simplest for compliance, hardest for global queries.
- CockroachDB or YugabyteDB: Distributed SQL with row-level geo-partitioning.
- Vitess: MySQL-compatible sharding with region-aware routing.
Service Mesh for Residency
Istio or Linkerd can enforce cross-region traffic policies:
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
name: eu-data-locality
spec:
host: user-service
trafficPolicy:
outlierDetection:
consecutiveErrors: 3
connectionPool:
http:
h2UpgradePolicy: UPGRADE
subsets:
- name: eu
labels:
region: eu
trafficPolicy:
loadBalancer:
localityLbSetting:
enabled: true
failover:
- from: eu-west-1
to: eu-central-1Compliance Monitoring
Continuous verification that data stays where it should:
- Network flow logs: Monitor all cross-region traffic
- Storage audits: Verify data locations match policies
- Certificate pinning: Ensure TLS connections stay within approved regions
- Regular penetration testing: Validate that residency controls hold under adversarial conditions
