Internal Developer Platform architecture

Building an Internal Developer Platform: Where to Start

Every platform team eventually asks: should we build an Internal Developer Platform? The answer is probably yes. The question is how. I’ve seen platforms that cost millions and never got adopted. I’ve also seen scrappy internal tools that transformed developer productivity overnight. The difference isn’t budget or technology — it’s approach.

What Is an Internal Developer Platform?

An Internal Developer Platform (IDP) is a self-service layer that abstracts infrastructure complexity from developers. Instead of writing Kubernetes YAML, developers describe what they need. The platform handles how. ...

May 6, 2026 · 7 min read · Tom Meurs
Longhorn vs Rook-Ceph storage comparison

Longhorn vs Rook-Ceph: Kubernetes Storage Compared

Every Kubernetes cluster eventually needs persistent storage. The question is: which solution? For self-hosted clusters without cloud provider storage classes, two options dominate: Longhorn and Rook-Ceph. Both are CNCF projects. Both provide replicated block storage. Both work well. But they’re very different in philosophy, complexity, and use cases. I’ve run both in production. Let me share what I’ve learned.

The Fundamental Difference

Longhorn: Simple distributed block storage built for Kubernetes. Each volume is replicated across nodes using standard Linux storage primitives. ...

April 20, 2026 · 6 min read · Tom Meurs
cert-manager automatic TLS certificate flow

cert-manager: Automatic TLS Certificates in Kubernetes

Manual certificate management is a recipe for outages. Certificates expire at 3 AM on a holiday weekend. Renewal processes live in tribal knowledge. Teams deploy services without HTTPS because “it’s too complicated.” cert-manager automates everything. Define what certificates you need, and cert-manager handles issuance, renewal, and Kubernetes Secret management. Forever. This is one of the first things I install in every cluster.

How cert-manager Works

    flowchart TD
        subgraph cluster["Kubernetes Cluster"]
            CM["cert-manager"]
            CERT["Certificate<br/>Resource"]
            SECRET["TLS Secret"]
            INGRESS["Ingress"]
        end
        subgraph external["External"]
            LE["Let's Encrypt<br/>ACME Server"]
            DNS["DNS Provider"]
        end
        CERT -->|"watches"| CM
        CM -->|"creates"| SECRET
        CM <-->|"ACME protocol"| LE
        CM <-->|"DNS challenge"| DNS
        SECRET -->|"mounts"| INGRESS

1. You create a Certificate resource
2. cert-manager requests a certificate from the issuer (Let’s Encrypt, Vault, etc.)
3. cert-manager completes the challenge (HTTP-01 or DNS-01)
4. cert-manager stores the certificate in a Kubernetes Secret
5. Your Ingress/Gateway uses the Secret for TLS

Renewal happens automatically 30 days before expiration. ...

April 12, 2026 · 6 min read · Tom Meurs
Cilium eBPF networking architecture

Cilium Deep Dive: eBPF Networking for Kubernetes

Kubernetes networking is notoriously complex. CNI plugins, kube-proxy, iptables chains, service meshes — layers upon layers of abstraction that eventually break in ways nobody understands. Cilium changes this. It uses eBPF to move networking logic into the Linux kernel, bypassing iptables entirely. The result: better performance, more visibility, and network policies that actually make sense. This is what I run in my clusters. Let me show you why.

What is eBPF?

eBPF (extended Berkeley Packet Filter) lets you run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. ...

April 8, 2026 · 7 min read · Tom Meurs
NixOS vs Talos Linux for Kubernetes nodes comparison

NixOS vs Talos for Kubernetes Nodes: Two Flavors of Immutable Infrastructure

I’ve written about Talos Linux as the immutable Kubernetes OS, and I’ve compared Arch vs NixOS for workstations. But there’s a question I get asked often: what about NixOS for Kubernetes nodes? Both NixOS and Talos are declarative. Both can be immutable. Both version their configuration. So why would you choose one over the other for running Kubernetes? I’ve run both in production. Here’s what I’ve learned.

The Philosophical Difference

Before diving into specifics, understand the core difference: ...

March 15, 2026 · 9 min read · Tom Meurs