Building an Internal Developer Platform: Where to Start

Every platform team eventually asks: should we build an Internal Developer Platform? The answer is probably yes. The question is how. I’ve seen platforms that cost millions and never got adopted. I’ve also seen scrappy internal tools that transformed developer productivity overnight. The difference isn’t budget or technology — it’s approach. What Is an Internal Developer Platform? An Internal Developer Platform (IDP) is a self-service layer that abstracts infrastructure complexity from developers. Instead of writing Kubernetes YAML, developers describe what they need. The platform handles how. ...

May 6, 2026 · 7 min read · Tom Meurs
Arch vs NixOS as a Workstation: Professional and Personal Use

I’ve run both Arch and NixOS as my daily driver workstation. Not in VMs, not as a weekend experiment — as my actual work machine where I do professional DevOps/platform engineering work, and as my personal machine where I do everything else. Both are excellent. Both have serious trade-offs. And the “best” choice depends heavily on your life situation and how much time you have for system maintenance. Here’s the thing: I have kids now. The days of spending a Saturday afternoon debugging a broken Xorg config are gone. My system needs to work, reliably, every time I open the laptop. But I’ve also learned that Arch’s “instability” is largely a skill issue — with the right practices, Arch can be just as reliable as NixOS. ...

March 3, 2026 · 9 min read · Tom Meurs
CTF and Forensics Skills That Make You a Better DevOps Engineer

I spend my evenings doing Hack The Box challenges and CTF competitions. Not because I want to become a pentester — I’m happy in platform engineering. But because the skills I learn there make me significantly better at my day job. This isn’t obvious at first. What does pwning a vulnerable web app have to do with running Kubernetes clusters? More than you’d think. Forensics and offensive security train you to think about systems differently. You learn to investigate, to trace, to understand what’s actually happening rather than what should be happening. And that mindset — plus the tooling — is exactly what you need when debugging production issues at 3 AM. ...

February 27, 2026 · 9 min read · Tom Meurs
Data-Driven Kubernetes Migration: Why You Need Metrics Before You Move

“We want to migrate to Kubernetes by November.” It was September. The client was an e-commerce company. Their biggest sales event of the year — Black Friday — was in late November. I said no. They asked if I knew someone who might take it on anyway. I did. A fellow platform engineer — someone I respect, highly capable. I made the introduction, but warned him about the timeline. He took the engagement, documented the same concerns I had, got them signed off. The client proceeded anyway. ...

February 8, 2026 · 10 min read · Tom Meurs
Kubernetes RBAC: Least Privilege in Practice

When everything has cluster-admin, nothing is secure. Kubernetes RBAC (Role-Based Access Control) exists to answer one question: who can do what to which resources? Most clusters answer incorrectly: “everyone can do everything.” This isn’t just a security problem — it’s a resilience problem. When a service account gets compromised, how much damage can it do? When someone runs the wrong command, what’s the blast radius? Least privilege limits that radius. ...

August 19, 2025 · 7 min read · Tom Meurs