
content(what-is): expand the IaC for Kubernetes explainer#19148

Merged
CamSoper merged 4 commits into master from aleventer/iac-for-k8s-rewrite on May 19, 2026

Conversation

@alexleventer
Contributor

Summary

Rewrites content/what-is/infrastructure-as-code-for-kubernetes.md from a short overview into a deeper reference covering both layers of Kubernetes-as-code: the cluster lifecycle and the workload lifecycle.

What changed

  • Opening definition — quotable one-paragraph definition followed by a short lead-in framing Kubernetes as already declarative inside the cluster, with IaC supplying the engineering discipline around it.
  • Why Kubernetes needs IaC — three concrete drivers (scale, drift, day-2 changes).
  • Two-layer table — cluster lifecycle vs. workload lifecycle, with typical change cadence and a note on when teams split them across repos.
  • Managed objects list — cluster shape, networking, identity, workloads, configuration, exposure, storage, CRDs.
  • IaC vs. GitOps comparison table — explicit recommendation that the two are complementary, with Pulumi + ArgoCD as the common production combination.
  • Kubernetes IaC toolchain table — 8 categories with representative tools.
  • Eight best practices — including no-naked-pods, IRSA/Workload Identity, secrets-at-runtime, environment isolation, policy enforcement.
  • Pulumi-Kubernetes section — unified programs, adoption helpers (ConfigFile, ConfigGroup, Chart), Crosswalk for managed Kubernetes, strong typing, CrossGuard, ESC, automation API.
  • FAQ — ten doubt-removers covering Pulumi vs. Helm, Pulumi vs. ArgoCD, importing manifests, secrets handling, testing, naked pods, multi-cluster, compliance, migration.
  • Learn-more cross-links — IaC, DevOps, platform engineering, infrastructure testing, configuration management, Kubernetes secrets.

Test plan

  • `make serve`; visit `/what-is/infrastructure-as-code-for-kubernetes/` and confirm both tables and headings render correctly
  • Spot-check cross-links to `/docs/iac/clouds/kubernetes/`, `/docs/insights/policy/`, `/product/esc/`, the other what-is pages
  • CI lint + pinned review

🤖 Generated with Claude Code

Rewrites content/what-is/infrastructure-as-code-for-kubernetes.md
from a short overview into a deeper reference covering both halves
of Kubernetes-as-code: the cluster lifecycle and the workload
lifecycle.

New structure:
- Bold quotable definition + question-driven TOC.
- Why Kubernetes needs IaC (scale, drift, day-2 changes).
- Two-layer table: cluster lifecycle vs workload lifecycle, with
  typical change cadence.
- What Kubernetes objects are managed as IaC (cluster shape,
  networking, identity, workloads, configuration, exposure,
  storage, CRDs).
- IaC vs GitOps comparison table (Pulumi + ArgoCD as the common
  production combination).
- Kubernetes IaC toolchain table covering 8 categories.
- Eight concrete best practices.
- Pulumi-Kubernetes section: unified programs, ConfigFile/Group/
  Chart adoption helpers, Crosswalk, strong typing, CrossGuard,
  ESC, automation API.
- Ten FAQ entries.
- Cross-links to IaC, DevOps, platform engineering, infrastructure
  testing, configuration management, Kubernetes secrets.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@pulumi-bot
Collaborator

pulumi-bot commented May 18, 2026

alexleventer marked this pull request as ready for review on May 19, 2026 03:31
github-actions Bot added the labels review:triaging (Claude Triage is currently classifying the PR), domain:docs (PR touches technical docs) and review:in-progress (Claude review is currently running), and removed the label review:triaging (Claude Triage is currently classifying the PR), on May 19, 2026
@github-actions
Contributor

github-actions Bot commented May 19, 2026

Pre-merge Review — Last updated 2026-05-19T19:00:00Z

Summary: This PR rewrites content/what-is/infrastructure-as-code-for-kubernetes.md from a short overview into a full what-is explainer, paralleling sibling pages like what-is-infrastructure-as-code.md and what-is-configuration-management.md (bold lead, question-driven TOC, comparison tables, FAQ, related-reading list). All 5 CrossGuard references replaced with "Pulumi policy as code" at @CamSoper's request (8cf29eb). Only L176 (HITRUST bundling) remains open by the author's choice.

Review confidence:

  • mechanics: HIGH
  • facts: HIGH (All contradicted claims resolved; L176 (HITRUST bundling) remains unverified in ⚠️ for author citation.)
Investigation log
  • Cross-sibling reads: not run (not in a templated section)
  • External claim verification: 24 of 43 claims verified (8 unverifiable, 4 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 1 inline, 31 Pass 1, 0 Pass 2, 11 Pass 3 (verified 3, contradicted 3, unverifiable 5).
  • Cited-claim spot-checks: not run (no cited claims)
  • Frontmatter sweep: ran on body + meta_desc
  • Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
  • Code execution: not run (no static/programs/ change)
  • Code-examples checks: not run (no fenced code blocks in content files)
  • Editorial-balance pass: not run (not under content/blog/)
  • 🚨 Outstanding: 0
  • ⚠️ Low-confidence: 1
  • 💡 Pre-existing: 0
  • ✅ Resolved: 11

🔍 Verification trail

43 claims extracted · 24 verified · 8 unverifiable · 4 contradicted
  • L122 in content/what-is/infrastructure-as-code-for-kubernetes.md "* Codify policy. No naked pods, no privileged containers, no :latest tags in production, mandatory resource requests and limits, mandatory liveness/readi…" → ➖ not-a-claim (evidence: :latest is a Docker image tag, not a recency claim)
  • L34 in content/what-is/infrastructure-as-code-for-kubernetes.md "Kubernetes is itself already declarative. Every object you create is described as a desired state that the control plane reconciles. The job of [infrastructure…" → ➖ not-a-claim (evidence: The claim is about an internal hyperlink /what-is/what-is-infrastructure-as-code/ embedded in prose text. The linked page exists at content/what-is/what-is-infrastructure-as-code.md and is a valid IaC explainer page. This is a URL refe…; source: repo:content/what-is/what-is-infrastructure-as-code.md)
  • L49 in content/what-is/infrastructure-as-code-for-kubernetes.md "Kubernetes is the densest, most fast-changing layer of most cloud-native stacks. A single production cluster can hold thousands of objects across hundreds of n…" → ➖ not-a-claim (framing: The claim is the PR author's own editorial positioning of Kubernetes complexity — a rhetorical setup for why IaC is needed — not a third-party-attributed asser…; evidence: The text is a positioning/editorial statement in Pulumi's own documentation describing Kubernetes complexity to motivate IaC adoption. It makes general characterizations ("densest, most fast-changing layer," "thousands of objects across hu…; source: WebSearch ran query "Kubernetes production cluster thousands of objects hundreds of namespaces IaC"; results confirm large-scale Kubernetes clusters routinely involve hundreds of services/namespaces but no authoritative source makes the exact "densest layer" or specific numeric claims the PR attributes to a third party.)
  • L51 in content/what-is/infrastructure-as-code-for-kubernetes.md "* Scale. Even one production cluster crosses any threshold where hand-edited YAML is workable. With multiple clusters, the only way to keep them consistent…" → ➖ not-a-claim (framing: The broader industry consensus (e.g., Mirantis, Palo Alto Networks, The New Stack) does support the general idea that hand-managing YAML at scale is problemati…; evidence: The statement is an editorial/positioning assertion made by the PR author in their own Pulumi documentation page, arguing that hand-edited YAML doesn't scale for production Kubernetes clusters and that multiple clusters require code-derive…; source: WebSearch ran query "Kubernetes YAML management scale multiple clusters infrastructure as code")
  • L53 in content/what-is/infrastructure-as-code-for-kubernetes.md "* Day-2 changes. Most of a platform team's work isn't standing up new clusters; it's rolling node-group upgrades, swapping CNIs, rotating certificates, cha…" → ➖ not-a-claim (evidence: This is an editorial description of general platform engineering practices (day-2 operations, code review benefits), not a falsifiable assertion about a specific Pulumi feature, version, price, or named capability. It reflects the PR autho…; source: content/what-is/infrastructure-as-code-for-kubernetes.md L53)
  • L72 in content/what-is/infrastructure-as-code-for-kubernetes.md "IRSA (IAM Roles for Service Accounts) is the per-workload identity mechanism on EKS, Workload Identity is the mechanism on GKE, and Azure AD is the mechanism o…" → ✅ verified (framing: strengthened — "Azure AD" is a slight simplification; the full mechanism name is "Azure AD Workload Identity" (now "Microsoft Entra Workload Identity"), but th…; evidence: The file at L72 (Identity and access bullet) states: "IAM roles for the cluster and workloads (IRSA on EKS, Workload Identity on GKE, Azure AD on AKS)" — directly matching the claim's framing for all three platforms.; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L74 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi ESC can be used to pull secret values into Kubernetes at deploy time, avoiding storing secret values in code." → ✅ verified (evidence: The file itself at the "Configuration" bullet states: "ConfigMaps and Secrets (with the actual secret values pulled from a vault like Pulumi ESC, not stored in code)." Pulumi ESC is also listed in the Secrets row of the tools table, confir…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L74 in content/what-is/infrastructure-as-code-for-kubernetes.md "* Configuration. ConfigMaps and Secrets (with the actual secret values pulled from a vault like Pulumi ESC, not stored in code)." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L79 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi's Kubernetes provider supports every resource type Kubernetes itself supports, including CRDs through a dynamic provider." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L85 in content/what-is/infrastructure-as-code-for-kubernetes.md "Imperative IaC tools (e.g., pulumi up from CI) are described as having 'Excellent' capability for cluster-level resources and 'Good' capability for workload-…" (also L92) → ✅ verified (evidence: The comparison table in the file reads: "Cluster-level resources: Excellent (cloud accounts, IAM, networks) [for Imperative IaC] | Limited [for GitOps]" and "Workload-level resources: Good [for Imperative IaC] | Excellent [for GitOps]", ex…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L88 in content/what-is/infrastructure-as-code-for-kubernetes.md "GitOps controllers (ArgoCD, Flux) are limited in handling cluster-level resources and most controllers only handle Kubernetes objects." → 🤷 unverifiable (evidence: Search results confirm ArgoCD and Flux are Kubernetes-native tools that "continually sync the states of Kubernetes objects," but no authoritative source specifically characterizes them as "limited in handling cluster-level resources." In f…; source: WebSearch ran query "ArgoCD Flux GitOps cluster-level resources limitations Kubernetes objects only"; top results didn't address the specific limitation claim with authoritative sourcing.; intuition: The claim conflates two distinct limitations: (1) inability to manage non-Kubernetes cloud infrastructure (e.g., AWS VP…)
  • L89 in content/what-is/infrastructure-as-code-for-kubernetes.md "Imperative IaC tools like Pulumi are rated 'Good' for workload-level Kubernetes resources, while GitOps tools are rated 'Excellent'." → ❌ contradicted (framing: shifted — claim labels Pulumi as "imperative IaC" but all authoritative sources classify Pulumi as declarative (using general-purpose languages); the 'Good'/'E…; evidence: Pulumi is not an imperative IaC tool — authoritative sources including Pulumi's own docs and third-party analyses consistently describe it as declarative: "Despite incorporating imperative programming languages, Pulumi primarily operates i…; source: WebSearch ran query "Pulumi imperative Kubernetes workload-level Good Excellent GitOps comparison table rating"; cloudthat.com (index 8-18), pulumi.com docs, plural.sh blog)
  • L91 in content/what-is/infrastructure-as-code-for-kubernetes.md "IaC engine drift detection works by comparing declared state to live state, while GitOps controller drift detection works by continuously reconciling toward Gi…" → ✅ verified (framing: strengthened — claim adds "toward Git" to the drift detection description, which is explicitly stated in the adjacent "Apply mechanism" row of the same table;…; evidence: The comparison table in the file at the "Drift detection" row states: "Engine compares declared state to live state" for IaC and "Controller continuously reconciles" for GitOps. The "toward Git" qualifier is directly supported by the table…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L102 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi, Terraform, and OpenTofu are categorized as general IaC tools that handle both cluster and workload management for Kubernetes." → ✅ verified (evidence: The file contains a table with the row: "General IaC (cluster + workloads) | Pulumi, Terraform, OpenTofu" — exactly matching the claim that these three tools are categorized as general IaC tools handling both cluster and workload managemen…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L103 in content/what-is/infrastructure-as-code-for-kubernetes.md "eksctl, gcloud, az aks, and ClusterAPI are categorized as cluster-provisioning-focused tools." → ✅ verified (evidence: The file contains a table under "What tools support IaC for Kubernetes?" with the row: "Cluster provisioning (focused) | eksctl, gcloud, az aks, ClusterAPI" — exactly matching the claim.; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L104 in content/what-is/infrastructure-as-code-for-kubernetes.md "Helm, Kustomize, and jsonnet are categorized as workload templating tools for Kubernetes." → ✅ verified (evidence: The file contains a table at approximately line 104 with the row: "| Workload templating | Helm, Kustomize, jsonnet |" — exactly matching the claim that Helm, Kustomize, and jsonnet are categorized as workload templating tools for Kubernet…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L105 in content/what-is/infrastructure-as-code-for-kubernetes.md "ArgoCD and Flux are categorized as GitOps controllers for Kubernetes." → ✅ verified (evidence: The file's tools table at the relevant section explicitly lists: "| GitOps controllers | ArgoCD, Flux |", directly categorizing ArgoCD and Flux as GitOps controllers for Kubernetes.; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L106-107 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi ESC, External Secrets Operator, Sealed Secrets, and Vault are categorized as secrets management tools for Kubernetes." → ✅ verified (evidence: The file at content/what-is/infrastructure-as-code-for-kubernetes.md contains a table row: | Secrets | [Pulumi ESC](/product/esc/), External Secrets Operator, Sealed Secrets, Vault | — exactly matching the claim that these four tools a…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L107 in content/what-is/infrastructure-as-code-for-kubernetes.md "| Secrets | Pulumi ESC, External Secrets Operator, Sealed Secrets, Vault |" → ✅ verified (evidence: The file content/what-is/infrastructure-as-code-for-kubernetes.md contains exactly the claimed table row at the relevant line: | Secrets | [Pulumi ESC](/product/esc/), External Secrets Operator, Sealed Secrets, Vault |. The `/product/e…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L108-109 in content/what-is/infrastructure-as-code-for-kubernetes.md "Trivy, kube-bench, and Falco are categorized as cluster security scanning tools for Kubernetes." → ✅ verified (evidence: The file contains a table with the row: "| Cluster security scanning | Trivy, kube-bench, Falco |", directly categorizing Trivy, kube-bench, and Falco as cluster security scanning tools for Kubernetes.; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L118 in content/what-is/infrastructure-as-code-for-kubernetes.md "A bare Pod is not rescheduled when the node it runs on fails." → ✅ verified (evidence: This is a well-established Kubernetes behavior: bare Pods (not managed by a controller such as a Deployment or ReplicaSet) are not rescheduled when the node they run on fails. The official Kubernetes documentation explicitly states this un…; source: https://kubernetes.io/docs/concepts/workloads/pods/#pod-os (official Kubernetes docs on Pods); also consistent with Kubernetes docs on ReplicaSets and Deployments explaining why controllers are needed for resilience.)
  • L119 in content/what-is/infrastructure-as-code-for-kubernetes.md "IRSA, Workload Identity, and Azure AD are described as per-workload identity mechanisms offered by cloud providers that are easier to scope, rotate, and audit…" → ✅ verified (evidence: (escalated from pass1) Multiple authoritative sources confirm IRSA, Workload Identity, and Azure AD Workload Identity are per-workload identity mechanisms that replace long-lived static credentials. As one source states: "All methods provi…; source: https://kubernetes.recipes/recipes/security/workload-identity-cloud-access/ ; https://www.systemshardening.com/articles/kubernetes/azure-workload-identity-aks/)
  • L121 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi ESC and the External Secrets Operator both let Kubernetes pull secrets from a central vault at runtime." → ❌ contradicted (framing: shifted — the claim frames Pulumi ESC and ESO as two parallel alternatives that both independently "let Kubernetes pull secrets from a central vault at runtime…; evidence: (escalated from pass1) Official Pulumi docs and blog posts show that Pulumi ESC acts as the central secrets vault/broker, while the External Secrets Operator (ESO) is the Kubernetes-side operator that pulls secrets from Pulumi ESC into t…; source: https://www.pulumi.com/blog/pulumi-esc-ga/ ; https://www.pulumi.com/docs/esc/integrations/kubernetes/external-secrets-operator/)
  • L131 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi's ConfigFile and ConfigGroup resources can consume existing Kubernetes manifests, Helm charts, or Kustomize bundles directly." → ❌ contradicted (framing: shifted — the claim attributes Helm chart and Kustomize bundle consumption to ConfigFile/ConfigGroup, but those capabilities belong to separate dedicated r…; evidence: The pulumi-kubernetes SDK shows ConfigFile and ConfigGroup (in pulumi_kubernetes/yaml/) only handle Kubernetes YAML manifests. Helm charts are handled by helm.v3.Chart/helm.v4.Chart and Kustomize bundles by kustomize.Directory…; source: gh api repos/pulumi/pulumi-kubernetes/contents/sdk/python/pulumi_kubernetes/yaml/yaml.py; gh api repos/pulumi/pulumi-kubernetes/contents/sdk/python/pulumi_kubernetes/kustomize/kustomize.py)
  • L132 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi Crosswalk for Kubernetes provides higher-level components that bundle defaults for managed Kubernetes, including EKS clusters with sensible networking,…" → ❌ contradicted (framing: shifted — source describes Crosswalk for Kubernetes as playbooks/guides for EKS/GKE/AKS; claim asserts it provides "higher-level components that bundle default…; evidence: (escalated from pass1) Official docs describe Pulumi Crosswalk for Kubernetes as "a collection of playbooks and libraries" for EKS, AKS, and GKE, not as "higher-level components that bundle defaults" with the specific per-cloud features cl…; source: WebSearch ran query "Pulumi Crosswalk Kubernetes higher-level components EKS GKE AKS"; https://www.pulumi.com/docs/iac/clouds/kubernetes/guides/; intuition: The claim mixes Crosswalk for AWS (which has pulumi-eks with sensible networking defaults) with Crosswalk for Kubernete…)
  • L133 in content/what-is/infrastructure-as-code-for-kubernetes.md "Misspelled Kubernetes field names fail at compile time in Pulumi rather than at kubectl apply time." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L133 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi provides strong typing for Kubernetes API objects in TypeScript, Python, Go, C#, and Java." → ✅ verified (evidence: The pulumi/pulumi-kubernetes repository's sdk/ directory contains subdirectories for all five languages: nodejs (TypeScript), python, go, dotnet (C#), and java, confirming strongly-typed Kubernetes API object support across T…; source: gh api repos/pulumi/pulumi-kubernetes/contents/sdk)
  • L134 in content/what-is/infrastructure-as-code-for-kubernetes.md "* Policy as code. Write Kubernetes-aware policies in the same language as the program. Block naked pods, missing resource limits, or latest tags before …" → ➖ not-a-claim (evidence: The word latest refers to a Docker image tag (:latest tags on container images) used as an example of a policy violation — it is a tag name, not a temporal/recency assertion.)
  • L136 in content/what-is/infrastructure-as-code-for-kubernetes.md "* Automation API. Wrap Pulumi programs in software (a service, a CLI, a CI job) so platform teams can offer self-service cluster and workload provisioning..." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L138 in content/what-is/infrastructure-as-code-for-kubernetes.md "Get started with Pulumi Kubernetes to manage a cluster and its workloads in TypeScript, Python, Go, C#, Java, or YAML." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L144 in content/what-is/infrastructure-as-code-for-kubernetes.md "Yes, inside the cluster. What Kubernetes doesn't provide is a single source of truth, versioning, code review, or testing for the desired state. IaC sits in fr…" → ➖ not-a-claim (evidence: The text is the PR author's own editorial explanation of how IaC and Kubernetes compose — it describes the author's own design perspective ("IaC sits in front of the cluster and produces those properties") rather than attributing a factual…; source: content/what-is/infrastructure-as-code-for-kubernetes.md L144 (author's own explanatory prose))
  • L152 in content/what-is/infrastructure-as-code-for-kubernetes.md "GitOps controllers (ArgoCD/Flux) are not well-suited for managing cloud-level resources." → ✅ verified (framing: strengthened — claim narrows the source's "other types of infrastructure" to "cloud-level resources"; source's broader form proves the claim as a subset; evidence: Multiple sources confirm that ArgoCD and Flux are primarily Kubernetes-focused tools with limited support for cloud-level (non-Kubernetes) resources. As one source states: "Argo CD is primarily designed for Kubernetes resources and might n…; source: https://www.linkedin.com/pulse/argocd-spinnaker-flux-gitops-exploring-limitations-solutions-a (index 1-13); WebSearch ran query "ArgoCD Flux GitOps cloud infrastructure limitations non-Kubernetes resources")
  • L156 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi has ConfigFile (single manifest), ConfigGroup (multiple manifests), and Chart (Helm) resources that consume existing Kubernetes artifacts without…" → ✅ verified (evidence: The pulumi/pulumi-kubernetes repo contains configFile.go and configGroup.go under sdk/go/kubernetes/yaml/v2/ (for ConfigFile and ConfigGroup), and chart.go under sdk/go/kubernetes/helm/v3/ (for Chart/Helm). All three resource typ…; source: gh api repos/pulumi/pulumi-kubernetes/contents/sdk/go/kubernetes/yaml/v2 and repos/pulumi/pulumi-kubernetes/contents/sdk/go/kubernetes/helm/v3)
  • L160 in content/what-is/infrastructure-as-code-for-kubernetes.md "Don't put secret values in IaC code. Use Pulumi ESC, HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or the External Secrets Operator t…" → ✅ verified (evidence: The file content/what-is/infrastructure-as-code-for-kubernetes.md contains the exact text in the best practices section: "Don't put secret values in IaC code. Use Pulumi ESC, HashiCorp Vault, AWS Secrets Manager, Azure K…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L164 in content/what-is/infrastructure-as-code-for-kubernetes.md "kind and k3d are tools that can be used to create ephemeral clusters for integration testing of Kubernetes IaC." → ✅ verified (evidence: (escalated from pass1) Multiple authoritative sources confirm both tools for ephemeral Kubernetes cluster creation for integration/CI testing. The official kind site states "kind was primarily designed for testing Kubernetes itself, but ma…; source: https://kind.sigs.k8s.io/ and https://testkube.io/glossary/kubernetes-sandbox-environment)
  • L168 in content/what-is/infrastructure-as-code-for-kubernetes.md "A naked pod is a Pod object created directly, not through a controller like a Deployment, StatefulSet, or DaemonSet, and if the node hosting it fails or is d…" → ✅ verified (evidence: The file itself begins the naked pod description with "A bare Pod is" at the cut-off point, consistent with the claim. The behavior described — that a Pod created directly (not via a Deployment, StatefulSet, or DaemonSet controller) is n…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md (L168 context) + canonical Kubernetes docs on naked pods)
  • L172 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi providers can be parameterized by a kubeconfig, so a single Pulumi program can address multiple Kubernetes clusters by instantiating multiple providers." → ✅ verified (evidence: The pulumi-kubernetes provider's Go SDK provider.go confirms a Kubeconfig *string field on ProviderArgs with the comment "The contents of a kubeconfig file or the path to a kubeconfig file." This is a standard Pulumi pattern where mu…; source: gh api repos/pulumi/pulumi-kubernetes/contents/sdk/go/kubernetes/provider.go (decoded: // The contents of a kubeconfig file or the path to a kubeconfig file.\nKubeconfig *string))
  • L176 in content/what-is/infrastructure-as-code-for-kubernetes.md "IaC for Kubernetes supports SOC 2, HIPAA, and HITRUST compliance by providing reviewed pull requests with author and timestamp, policy violations logged in CI,…" → 🤷 unverifiable (framing: shifted — the claim bundles HITRUST with SOC 2 and HIPAA as equally supported compliance targets with those three specific audit mechanisms; sources show HITRU…; evidence: (escalated from pass1) Pulumi docs confirm SOC 2 and HIPAA compliance support, and HITRUST appears in policy framework lists (e.g., "CIS, HITRUST, PCI DSS"), but no authoritative source specifically ties all three frameworks (SOC 2, HIPAA,…; source: WebSearch ran query "Pulumi IaC Kubernetes SOC2 HIPAA HITRUST compliance audit trail"; top results confirm SOC 2 and HIPAA individually and HITRUST in policy packs, but not the full compound claim.)
  • L180 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi's pulumi import command can bring existing Kubernetes resources under management without recreating them." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L184 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi turns the cluster, the workloads on it, and the cloud resources around it into one reviewable program in the language your team already uses. Combined w…" → ✅ verified (evidence: The file content/docs/insights/policy/_index.md exists in the repo and is a live page titled "Policies" covering policy as code for Pulumi infrastructure, confirming the link /docs/insights/policy/ is valid.; source: repo:content/docs/insights/policy/_index.md)
  • L188-190 in content/what-is/infrastructure-as-code-for-kubernetes.md "* What is Infrastructure as Code (IaC)?" → ✅ verified (evidence: The file content/what-is/what-is-infrastructure-as-code.md exists with the title "What is Infrastructure as Code (IaC)?", exactly matching the link text and path referenced in the claim.; source: repo:content/what-is/what-is-infrastructure-as-code.md)
  • L191 in content/what-is/infrastructure-as-code-for-kubernetes.md "* How to Step Up Cloud Infrastructure Testing" → ✅ verified (evidence: The file content/what-is/how-to-step-up-cloud-infrastructure-testing.md exists in the repo with title: How to Step Up Cloud Infrastructure Testing, exactly matching the link text and URL path `/what-is/how-to-step-up-cloud-infrastructu…; source: repo:content/what-is/how-to-step-up-cloud-infrastructure-testing.md)
  • L192-193 in content/what-is/infrastructure-as-code-for-kubernetes.md "* What is Configuration Management?" → ✅ verified (evidence: The file content/what-is/what-is-configuration-management.md exists in the repo with title: What is Configuration Management?, confirming the linked page at /what-is/what-is-configuration-management/ is valid and the link text matche…; source: repo:content/what-is/what-is-configuration-management.md)

🚨 Outstanding in this PR

No outstanding issues — all previously flagged findings have been resolved.

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

  • [L176] content/what-is/infrastructure-as-code-for-kubernetes.md "For SOC 2, HIPAA, and HITRUST, auditors get a concrete artifact for each control rather than a written-down policy that may or may not be enforced." — verdict: unverifiable; framing: shifted — SOC 2 and HIPAA are documented Pulumi compliance targets, but HITRUST is bundled in alongside them in a way no source corroborates as a parallel framework with the same three audit mechanisms. Author question: is HITRUST in this list because a specific customer uses Pulumi for HITRUST evidence, or is it aspirational? If aspirational, consider dropping it ("For SOC 2 and HIPAA, auditors get a concrete artifact…") or rephrasing to "For frameworks like SOC 2 and HIPAA — and policy frameworks like HITRUST and PCI DSS — auditors get a concrete artifact…". (Left open by author request.)

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

  • [L85] Column header "Imperative IaC for Kubernetes" renamed to "IaC engine for Kubernetes" and "GitOps (ArgoCD, Flux)" to "GitOps controller (ArgoCD, Flux)" — removes the incorrect "Imperative" characterization of Pulumi, which is a declarative IaC tool. (resolved in 565d957)

  • [L121] Best-practices bullet now correctly distinguishes ESC as the central vault and ESO as the in-cluster operator that syncs from ESC and other vaults into Kubernetes Secrets — no longer frames them as interchangeable alternatives. (resolved in 565d957)

  • [L131] Bullet rewritten to expose per-format resources: ConfigFile/ConfigGroup for raw YAML manifests, Chart for Helm, Directory for Kustomize — no longer incorrectly attributes Helm/Kustomize consumption to ConfigFile/ConfigGroup. (resolved in 565d957)

  • [L132] Bullet rewritten to separate @pulumi/eks (EKS-only component package) from GKE/AKS, which have guide-level docs rather than equivalent higher-level component packages — no longer conflates Crosswalk for AWS with Crosswalk for Kubernetes. (resolved in 565d957)

  • [L74] Unverifiable but substantively covered by the independently-verified ESC claim at the same line; no corrective action was needed. (acknowledged by @CamSoper)

  • [L79] Link to Pulumi Kubernetes documentation already present at end of the assertion — bare claim is no longer bare. (pre-existing in file at 565d957)

  • [L88] GitOps comparison table parenthetical tightened from "most controllers only handle Kubernetes objects" to "most controllers reconcile Kubernetes API objects, not cloud-side resources like VPCs or IAM" — now matches the verified L152 framing. (resolved in 32bee1c)

  • [L133] Compile-time claim qualified to the statically typed languages (TypeScript, Go, C#, Java) — Python and YAML are no longer implicitly covered by the "fails at compile time" assertion. (resolved in 32bee1c)

  • [L136] "Automation API" bullet header linked to /docs/iac/automation-api/ — readers can verify the self-service framing in one click. (resolved in 32bee1c)

  • [L138] Unverifiable but the linked get-started page on L138 covers all listed languages; no corrective action was needed. (acknowledged by @CamSoper)

  • [L180] `pulumi import` linked to /docs/iac/cli/commands/pulumi_import/ — readers can confirm Kubernetes-specific support directly. (resolved in 32bee1c)

📜 Review history

  • 2026-05-19T03:34:50Z — 4 contradicted Pulumi-capability claims (imperative-IaC label, ESC/ESO architecture, ConfigFile/Group scope, Crosswalk-for-Kubernetes conflation) plus 8 low-confidence items to either cite or rephrase; mechanics clean. (1d84689)
  • 2026-05-19T04:15:00Z — re-reviewed after fix push (1 new commit, 565d957); all 4 outstanding findings resolved; 8 low-confidence items unchanged. (565d957)
  • 2026-05-19T18:00:00Z — re-reviewed after @CamSoper's mention; author replaced (zack-chase → cam-soper); 7 of 8 low-confidence items resolved (4 edits in 32bee1c, 1 pre-existing link, 2 acknowledged no-action items); L176 (HITRUST bundling) left open by author request. (32bee1c)
  • 2026-05-19T19:00:00Z — re-reviewed after @CamSoper's request to remove deprecated CrossGuard term; 5 occurrences replaced with "Pulumi policy as code" (1 new commit, 8cf29eb); no new findings introduced; L176 (HITRUST bundling) remains open. (8cf29eb)

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)
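
The per-format adoption resources named in the ConfigFile/ConfigGroup/Chart/Directory item above, written out as one Pulumi YAML program. This is an added example, not code from the PR or from the docs page it edits; paths, the chart version and the namespace are placeholders, and the type tokens are the provider-side `yaml/v2`, `helm.sh/v4` and `kustomize/v2` resources (the ones addressable from Pulumi YAML), so confirm them against the pulumi-kubernetes version in use.

```yaml
# Added example, not code from the PR or from the docs page it edits.
# One Pulumi YAML program that adopts three existing artifacts, each through
# the resource built for its format. Paths, chart version and namespace are
# placeholders; type tokens are the provider-side yaml/v2, helm.sh/v4 and
# kustomize/v2 resources, so check them against your pulumi-kubernetes version.
name: platform-adoption
runtime: yaml
description: Adopt raw manifests, a Helm chart and a Kustomize overlay in one stack

config:
  namespace:
    type: string
    default: platform

resources:
  # Raw YAML: ConfigGroup takes globs; ConfigFile (not shown) takes one file.
  baseManifests:
    type: kubernetes:yaml/v2:ConfigGroup
    properties:
      files:
        - ./manifests/*.yaml

  # Helm: Chart renders the chart client-side; every rendered object becomes
  # a tracked resource, so `pulumi preview` diffs it like anything else.
  ingressNginx:
    type: kubernetes:helm.sh/v4:Chart
    properties:
      chart: ingress-nginx
      version: "4.11.2"          # pin: an unpinned chart is an unreviewed upgrade
      namespace: ${namespace}
      repositoryOpts:
        repo: https://kubernetes.github.io/ingress-nginx
      values:
        controller:
          # Snippet annotations let any Ingress author inject raw nginx config;
          # keep them off unless every Ingress writer in the cluster is trusted.
          allowSnippetAnnotations: false

  # Kustomize: Directory runs the overlay and manages the rendered objects.
  prodOverlay:
    type: kubernetes:kustomize/v2:Directory
    properties:
      directory: ./kustomize/overlays/prod
```

`pulumi preview` on this stack lists every object the three sources render, which is the review surface the page argues for; objects that already exist in the cluster are brought under management with `pulumi import`, as the FAQ item linked above describes, rather than recreated.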

github-actions bot added label `review:outstanding-issues` (Claude review completed; outstanding has author-actionable findings) and removed `review:in-progress` (Claude review is currently running), May 19, 2026
@alexleventer (Contributor, Author):

@claude - fix all the outstanding items and then #update-review

github-actions bot added label `review:in-progress` (Claude review is currently running) and removed `review:outstanding-issues` (Claude review completed; outstanding has author-actionable findings), May 19, 2026
- Drop "Imperative" from IaC vs GitOps table column header; Pulumi is
  declarative and the column contrasts apply-mechanism, not programming model
- Reframe ESC/ESO relationship: ESC is the vault, ESO pulls from it into
  Kubernetes Secrets — complementary layers, not interchangeable alternatives
- Correct ConfigFile/ConfigGroup scope: those resources handle YAML only;
  Helm uses Chart, Kustomize uses Directory (dedicated resources per format)
- Replace "Pulumi Crosswalk for Kubernetes" bullet: separate @pulumi/eks
  (the actual EKS component package) from GKE/AKS, which have guides not
  equivalent higher-level component packages

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
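
The ESC-to-ESO-to-Secret chain that the review's ESC/ESO item and the second bullet of this commit message describe, as an added example. It is not code from the PR, the docs page or Pulumi's own docs; the organization, project, environment, namespace, image and ESC key are placeholders, and the `spec.provider.pulumi` field names follow the ESO Pulumi provider as documented at external-secrets.io and should be checked against the reference for the ESO version in use.

```yaml
# Added example, not code from the PR, the docs page or Pulumi's own docs.
# The chain the review item and commit message describe: ESC holds the value,
# ESO (running in the cluster) reads it through a SecretStore and materialises
# a Kubernetes Secret the workload mounts. Org, project, environment, namespace,
# image and the ESC key are placeholders; the provider field names follow the
# ESO Pulumi provider and should be checked against the external-secrets.io
# reference for the ESO version in use.
#
# Bootstrap: the only thing created out-of-band is the Secret holding a
# read-only ESC access token (from a CI job or an operator's shell, never committed):
#   kubectl -n payments create secret generic pulumi-access-token \
#       --from-literal=PULUMI_ACCESS_TOKEN="$PULUMI_ACCESS_TOKEN"
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: esc-payments-prod
  namespace: payments
spec:
  provider:
    pulumi:
      organization: acme
      project: payments
      environment: prod
      accessToken:
        secretRef:
          name: pulumi-access-token
          key: PULUMI_ACCESS_TOKEN
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments
spec:
  refreshInterval: 15m          # a rotation in ESC reaches the cluster within this window
  secretStoreRef:
    kind: SecretStore
    name: esc-payments-prod
  target:
    name: payments-db           # the Kubernetes Secret ESO creates and owns
    creationPolicy: Owner
  data:
    - secretKey: DB_PASSWORD    # key inside the Kubernetes Secret
      remoteRef:
        key: dbPassword         # name of the value in the ESC environment
---
# The consumer references the synced Secret only; nothing in git holds the value.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels: { app: payments-api }
  template:
    metadata:
      labels: { app: payments-api }
    spec:
      containers:
        - name: api
          image: registry.example.com/payments/api:1.4.2
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: payments-db
                  key: DB_PASSWORD
```

`kubectl -n payments get externalsecret payments-db` reports a Ready condition with reason SecretSynced once the value has landed. Two caveats a reviewer would raise: the synced object is still an ordinary Kubernetes Secret, so it is only as protected as etcd encryption at rest and the RBAC on `get secrets` in that namespace; and the ESC token in `pulumi-access-token` is the bootstrap credential for everything the store can read, so it should be scoped to that one environment and rotated like any other secret.
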
pulumi-bot removed label `review:in-progress` (Claude review is currently running), May 19, 2026
@github-actions (Contributor):

🤖 Review updated on @alexleventer's request.

github-actions bot added label `review:no-blockers` (Claude review completed cleanly; outstanding is empty), May 19, 2026
@CamSoper (Contributor) left a comment:

@claude

  • implement all the low-confidence suggestions except L176
  • replace the author with cam-soper
  • #update-review

github-actions bot added label `review:in-progress` (Claude review is currently running) and removed `review:no-blockers` (Claude review completed cleanly; outstanding is empty), May 19, 2026
- Replace author with cam-soper
- Tighten GitOps comparison table parenthetical to clarify cloud-side resources
- Qualify compile-time claim to TypeScript, Go, C#, and Java (not Python/YAML)
- Link Automation API bullet to /docs/iac/automation-api/
- Link pulumi import to /docs/iac/cli/commands/pulumi_import/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions (Contributor):

🤖 Review updated on @CamSoper's request.

github-actions bot added label `review:no-blockers` (Claude review completed cleanly; outstanding is empty) and removed `review:in-progress` (Claude review is currently running), May 19, 2026
@CamSoper (Contributor) left a comment:

@claude Remove all references to CrossGuard (deprecated term) and #update-review

github-actions bot added label `review:in-progress` (Claude review is currently running) and removed `review:no-blockers` (Claude review completed cleanly; outstanding is empty), May 19, 2026
…s code

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions (Contributor):

🤖 Review updated on @CamSoper's request.

github-actions bot added label `review:no-blockers` (Claude review completed cleanly; outstanding is empty) and removed `review:in-progress` (Claude review is currently running), May 19, 2026
@CamSoper CamSoper merged commit e473d44 into master May 19, 2026
9 checks passed
@CamSoper CamSoper deleted the aleventer/iac-for-k8s-rewrite branch May 19, 2026 19:38

Labels

`domain:docs` (PR touches technical docs); `review:no-blockers` (Claude review completed cleanly; outstanding is empty)

3 participants