Secure Kubernetes Reference Architecture for Enterprise and Artificial Intelligence Workloads
Abstract
The shift to enterprise Kubernetes has transformed the responsibility of platform teams from cluster operators to owners of multi-tenant platform products with security-by-default policies. AI workloads running alongside application services bring high-value assets with distinct security properties to the platform, such as training datasets, model artifacts, and inference endpoints. We present a vendor-neutral reference architecture for Kubernetes-based platforms serving both traditional and AI workloads. Using design science research methodology, we integrate established security frameworks, research on compliance automation, and findings from practitioner literature. Trust boundary segmentation, tenant isolation, control plane hardening, policy-based workload control, and evidence-ready observability form the core components. In particular, the architecture accounts for inference security in artificial intelligence pipelines and model-serving services, including verification of artifact provenance and segmentation of access to training and evaluation datasets. Architecture components are verified against industry security benchmarks and recognized governance frameworks. A progressive roadmap is defined, from baseline security controls to operation in a mature, continuously validated state across multiple teams and environments. The contribution extends Kubernetes security documentation by addressing emerging needs for enterprise governance of artificial intelligence workloads deployed on Kubernetes.