Code Room
System designHardsd-g484
Subject IdentityLevel Senior–Staff~50 minCommon in Security interviewsIndustries Technology

Question

Design how a brand-new, freshly-booted workload obtains its first verifiable identity — the 'secret-zero' / bootstrap-trust problem. A node autoscales up with NO pre-baked credential; it must prove it is a legitimate workload of a given type and receive an identity (an SVID / cert / token) it can then use to authenticate to everything else, across ~30,000 workloads with heavy churn and short identity TTLs. Hand-baking a long-lived secret into the image is exactly what you want to avoid. Discuss the chain of trust that lets a credential-less node attest itself, how you anchor trust without a planted secret, the renewal model, and how you stop a malicious node from impersonating a legitimate workload type.

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.

Narrate your design
Loading whiteboard…
Run or narrate your approach, then ask the coach.