Skip to content
Evan Hines

Chapter 23: The Platform as Product

This is the final chapter. It steps back from implementation and addresses the question that determines whether everything in the preceding 22 chapters succeeds or fails in the real world: do you treat your platform as a product?

The platform’s users are engineers. Its API is CRDs. Its documentation is error messages and status conditions. Its success metric is: can teams deploy without asking for help, and are deployments correct without manual review?

23.1 A New Team’s First Week

Section titled “23.1 A New Team’s First Week”

Return to the payments team from Chapter 1. They joined the organization and asked “how do I deploy?”

Without the platform (Chapter 1). Wiki, Helm chart, Slack channel. Even in the best case — well-maintained tooling — the team spent days learning which values to set, which features to enable, and how to configure secrets. At the end, nobody could answer security questions with certainty.

With the platform. Day 1: the team reads the CRD schema (kubectl explain latticeservice.spec). Day 2: they write a 20-line spec — containers, dependencies, secrets, replicas. They apply it. The derivation pipeline runs. The status reports:

status:
  phase: Failed
  conditions:
    - type: PolicyAuthorized
      status: "False"
      reason: AccessSecretDenied
      message: "Service commerce/payments not permitted to access
               secret payments/stripe-key. Contact the commerce
               team lead to request a Cedar permit policy."

The service didn’t deploy because no Cedar policy grants it access to the Stripe secret. The error message tells them exactly what’s wrong and who to talk to. Day 3: the team lead creates a Cedar permit. The developer re-applies the same spec. The pipeline succeeds. 13 resources derived. The service is running with network policies, observability, and disruption budgets — none of which the developer configured.

Total onboarding: 3 days, with the friction entirely in authorization (which is intentional — the security model requires explicit access). No wiki. No Slack questions about chart values. No “is my traffic encrypted?” uncertainty.

This is what a platform-as-product feels like. The interface is clear (CRD schema). The feedback is immediate (status conditions). The security model is explicit (Cedar policies with actionable denial messages). The developer’s time is spent on their application, not on infrastructure.

23.2 Error Messages Are Documentation

Section titled “23.2 Error Messages Are Documentation”

Most developers don’t read docs. They write a spec, apply it, and read the error. The platform’s error messages are the documentation most developers actually encounter.

Good:

PolicyAuthorized: False — AccessSecret denied for secret payments/api-key.
No Cedar policy permits Service commerce/checkout to access Secret payments/api-key.
Contact the payments team to request access, or see docs.example.com/secrets/authorization.

Bad:

Compilation failed.

The investment: every authorization gate, every admission check, every derivation failure needs a clear, actionable message. This is product work. Budget for it. A developer who gets Compilation failed files a ticket. A developer who gets the specific denial reason fixes it themselves.

23.3 Versioning and Migration

Section titled “23.3 Versioning and Migration”

v1alpha1: No stability guarantees. Fields may change without notice. For early development and internal testing. Tell users explicitly: this will break.

v1beta1: Schema stable. Fields won’t be removed without deprecation. The compiled behavior may be refined. For production early adopters.

v1: Committed. Multi-year support. Breaking changes require a new version (v2), a migration path, and a generous transition period.

Migration tooling. When a version bump requires spec changes, provide platform migrate checkout --to v1beta1 that transforms the spec automatically. A developer who must manually rewrite 15 lines of YAML will delay. A developer who runs a command and reviews the diff does it in 5 minutes.

Deprecation dashboards. Track which CRD versions are in use. When you deprecate v1alpha1, know that 180 of 200 services have migrated and the remaining 20 belong to 3 teams. Talk to those teams directly.

Grace periods. Plan for migration to take longer than expected. Build the timeline around your slowest adopters, not your fastest.

23.4 Saying No

Section titled “23.4 Saying No”

Every CRD field is a maintenance commitment. Every option is a potential misconfiguration.

When to say no:

  • Fewer than 20% of services would use the feature.
  • The feature can be handled by an annotation override or escape hatch.
  • The feature exposes infrastructure details the developer shouldn’t manage.

When to say yes:

  • Multiple teams independently ask for the same capability.
  • The request reveals a gap in the abstraction (not just a preference).
  • The feature strengthens the platform’s guarantees.

How to say no well: Explain the reasoning. Offer an alternative (escape hatch, annotation, future consideration). Don’t dismiss — the request contains signal about what users need.

The abstraction boundary problem. The harder version of “when to say no” is “how much infrastructure should the developer see?” The CRD is an abstraction boundary. Too thin — every infrastructure detail leaks through, and the CRD is just YAML with extra steps. Too thick — the developer can’t express what they need, and escape hatches become the primary interface.

Signs the abstraction is too thin: the CRD has fields for node affinity, tolerations, pod security context, and volume mount options. The developer is writing Kubernetes with extra indirection. The platform hasn’t absorbed complexity — it’s renamed it.

Signs the abstraction is too thick: more than 30% of services use escape hatches or annotations for routine operations. The CRD can’t express “I need GPU nodes” or “I need a specific service account” without the developer reaching around the abstraction. The platform team spends more time extending the CRD than maintaining the derivation logic.

The reference implementation’s heuristic: if the developer needs to know what kind of infrastructure to request, it belongs in the CRD (GPU resources, storage class, replica count). If the developer needs to know how the infrastructure works, it doesn’t (pod scheduling, network policy rules, certificate management). The line moves as the platform matures — early platforms expose more, mature platforms absorb more.

23.5 Measuring Success

Section titled “23.5 Measuring Success”

Adoption metrics:

  • Number of services on the platform (vs. total services in the org).
  • Time from first spec to running service (onboarding latency).
  • Derivation success rate (what % of spec changes succeed on first try?).
  • Support tickets per service per month (should decrease over time).

Autonomy metrics:

  • % of deployments that require no platform team involvement.
  • Mean time to resolve a derivation failure (does the error message enable self-service?).
  • Number of escape hatch usages (high = the CRD is missing capabilities; low = the CRD covers the common case).

An operations team measures availability and response time. A product team measures adoption and autonomy. Both matter. Measure both. Invest in whichever is lagging.

23.6 Forced Migration and Legacy Support

Section titled “23.6 Forced Migration and Legacy Support”

The versioning section (23.3) describes the happy path: deprecate, provide migration tooling, set a grace period. The hard problem is what happens when the grace period ends and 20 services haven’t migrated.

Option 1: Indefinite support. Keep the old version working. The cost is real — every derivation code path must handle both schemas, every test must cover both versions, every bug fix must be applied to both. At 3 supported versions, the test matrix triples. The platform team’s velocity drops because every change is a change to 3 systems.

Option 2: Forced migration. Set a date. After that date, the old version stops working. The holdout teams scramble (or break). The platform team is the bad guy — but the codebase is clean. Forced migration works when leadership backs it. It fails when it doesn’t — and the platform team discovers that their “hard deadline” is actually a suggestion.

Option 3: Automated migration with manual review. The platform automatically converts old specs to the new version at apply time. The developer sees a warning: “your spec was auto-migrated from v1beta1 to v1. Review the converted spec with kubectl get latticeservice checkout -o yaml.” This eliminates the developer’s migration effort while preserving the signal that the spec has changed. The cost: the auto-migration must be correct for every spec, or it’s worse than no migration.

The reference implementation targets Option 3 with a fallback to Option 2. Auto-migrate what can be auto-migrated. For the remainder — specs that require manual decisions because the new version has different semantics — set a hard deadline with 90 days notice and offer engineering support to the holdout teams.

The stronger stance: platforms that don’t enforce convergence fragment and die. Indefinite support sounds accommodating. In practice, it means the platform team maintains three code paths, three test suites, and three sets of bugs. The codebase becomes unmaintainable. The team slows down. New features take twice as long because they must work across all supported versions. Within 18 months, the platform team is spending more time on backward compatibility than on value delivery. Forced migration — with adequate tooling, notice, and support — is an act of product discipline, not hostility.

When to stop supporting escape hatches. The same logic applies to escape hatches (Chapter 11). If a team uses LatticeMeshMember for 2 years because the CRD doesn’t cover their use case, the platform has two failures: the CRD is incomplete, and the team has no incentive to help fix it. Escape hatches need expiration dates too.

23.7 Ship Regularly

Section titled “23.7 Ship Regularly”

A platform that doesn’t ship is a platform being abandoned. Regular releases signal active development. Each release should: make the common case easier, close a gap that exercises or support tickets revealed, or improve error messages based on the most common misunderstandings.

Release cadence is a risk decision. Weekly releases keep the platform responsive but increase the chance of a breaking change reaching production. Monthly releases are more stable but mean bug fixes and feature requests sit for weeks. The reference implementation targets biweekly releases with a policy: any release that changes derivation output (the resources the pipeline produces) requires a canary deployment on a non-production cluster first.

Acceptable break rate. Zero is the aspiration, not the target. If a release breaks 0.1% of services (1 in 1000), is that acceptable? Depends on whether the 1 service is the payments system. The answer isn’t a number — it’s a process: automated derivation diffing (compare before/after for every service’s derived output) catches most regressions before they reach clusters. Services whose derived output changes unexpectedly are flagged for manual review.

Changelogs matter. Developers need to know what changed, whether it affects them, and what to do if it does. A changelog that says “various improvements” is useless. A changelog that says “the AccessSecret error message now includes the policy name that denied access” is useful.

23.8 Running the Product

Section titled “23.8 Running the Product”

The platform is a product. Who runs it like one?

Ownership. A platform without a product owner drifts toward whatever the loudest team requests. Someone — a product manager, a tech lead with product instincts, or an engineering manager who treats the platform as their product — must own the roadmap, prioritize features against maintenance, and say no. The platform team’s backlog is pulled from user feedback (support tickets, escape hatch usage, onboarding friction) and platform health (test coverage, derivation performance, security audit findings). Without explicit prioritization, the team oscillates between “build the next feature” and “fight the last fire.”

Adoption isn’t automatic. The platform is better — but teams resist migration because “it works already” is powerful inertia. Three forces drive adoption: leadership mandate (the VP says “all new services use the platform”), cost incentives (the platform provides observability and security that teams would otherwise build themselves), and deprecation pressure (the old Helm chart stops being maintained). The platform team should use all three — but the strongest driver is making the platform so much easier than the alternative that migration is a net time savings, not an investment.

Support. “Deploy without asking for help” is the goal, not the reality. When it fails — and it will — someone must respond. The platform team needs an on-call rotation, an SLA for response time (not resolution time — response), and a clear escalation path. A developer whose deployment is blocked by a Cedar policy bug at 4 PM on a Friday needs a human, not a wiki link. The support model determines whether teams trust the platform or route around it.

Developer experience is a first-class feature. The platform’s competitive advantage isn’t its architecture — it’s the developer’s experience of using it. Error messages, status conditions, diagnostic CLI output, onboarding time, time-to-first-deploy — these are product features with the same priority as security enforcement or scaling logic. A technically perfect platform with incomprehensible error messages will be abandoned for a mediocre Helm chart with a good README.

23.9 What Goes Wrong

Section titled “23.9 What Goes Wrong”

The platform becomes a bottleneck. Every non-standard request goes through the platform team. Escape hatches are too restrictive. The CRD doesn’t cover common use cases. Teams wait days for platform changes instead of hours for self-service. The platform was supposed to accelerate teams — instead it’s a gatekeeper. The fix: measure support tickets per service per month. If it’s rising, the CRD is too thin or the escape hatches are too narrow.

The CRD becomes too complex. Every feature request adds a field. After 2 years, the spec has 60 fields. New developers are overwhelmed. The “minimal surface” principle from Chapter 4 has been abandoned through incremental additions, each individually justified. The fix: audit field usage quarterly. Fields used by fewer than 10% of services should be moved to annotations, extension CRDs, or removed.

Escape hatches dominate. More than 30% of services use LatticeMeshMember or LatticePackage instead of LatticeService. The platform doesn’t cover the common case. The fix: the escape hatches contain signal — they tell you what the CRD is missing. Read them. Each escape hatch pattern that repeats across teams is a candidate for a first-class CRD feature.

Trust erodes. A bad release breaks 5 services. The postmortem is inadequate. The next release breaks 2 more. Teams stop upgrading. The platform fragments into “teams on the latest version” and “teams pinned to a version from 6 months ago.” The fix: derivation diffing before every release, canary deployments, and postmortems that produce code changes (not just “we’ll be more careful”). Trust is earned in drops and lost in buckets.

If the platform doesn’t behave like a product, it will fail — regardless of technical quality. The architecture in this book is sound. The bilateral agreement model, the derivation pipeline, the self-managing clusters, the security layers — they work. But a platform that works and isn’t used is a platform that failed. The product discipline — measuring adoption, supporting users, saying no to the wrong features, shipping reliably — is what determines whether the architecture reaches production or stays in a demo.

23.10 The Goal

Section titled “23.10 The Goal”

Boringly reliable. The best platform is one nobody thinks about. Deployments succeed. Policies enforce. Secrets resolve. Certificates rotate. Metrics collect. Nothing exciting happens.

This is harder to achieve than any individual feature. It requires: correct derivation logic, comprehensive testing, clear error messages, responsive escape hatches, timely upgrades, and a team that treats the platform as a product — not as infrastructure that happens to work.

23.11 The Book in One Paragraph

Section titled “23.11 The Book in One Paragraph”

The developer declares intent — containers, dependencies, secrets, replicas. The platform derives infrastructure — Deployments, network policies, external secrets, scrape targets, disruption budgets. The intent survives changes to compliance, tooling, and policy. Clusters are provisioned declaratively, become self-managing through the pivot, and communicate through outbound-only gRPC streams. Security is default-deny across four independent layers. Authorization happens at derivation time. Traffic flows only when both sides consent. Images are signed, digests enforced, binaries allowlisted. Compliance is continuous. The code is a real program. The CRD schema captures what the developer knows without exposing what the platform knows. The platform is a product. Its users are engineers. Its features are automatic.

Exercises

Section titled “Exercises”

23.1. [M10] A team requests adding nodeSelector to the LatticeService spec so they can pin services to specific node pools. 15% of services would use it. Should this be a CRD field, an annotation, a policy-gated extension, or rejected? What criteria distinguish “add to the spec” from “use an escape hatch”?

23.2. [H30] Design the adoption dashboard. What metrics does it show? What is the target for each metric at 6 months, 12 months, and 24 months after launch? How do you handle services that are “on the platform” but rarely re-deployed (stale specs that work but haven’t been updated)?

23.3. [R] An executive asks: “What’s the ROI of the platform?” Construct the ROI argument. Costs: platform team (6 engineers × salary), infrastructure (management clusters, monitoring), migration effort (200 services migrated over 12 months). Benefits: faster deployment, fewer security incidents, consistent observability, reduced per-service operational cost. Which benefits can you quantify? Which are qualitative? What is the break-even point?

23.4. [M10] The platform has been running for 2 years. 180 of 200 services use it. The remaining 20 are on Helm charts maintained by a team that doesn’t want to migrate. They pass security audits through the MeshMember + Package escape hatch. Should the platform team force migration? What is the cost of supporting both models indefinitely?

23.5. [R] After reading the entire book, identify the weakest point in the thesis “declare intent, derive infrastructure, intent survives change.” Where does the separation break down? Where does the platform force the developer to think about infrastructure despite the abstraction? Is the thesis true in practice, or is it an aspiration that the implementation approximates?