Skip to content

Platform Engineering Overview

Last Updated: February 23, 2026

1. What is Platform Engineering?

Definition

Platform Engineering is the discipline of designing, building, and operating tools, workflows, and infrastructure for developer self-service. Platform engineering teams build an Internal Developer Platform (IDP) that enables developers to deploy applications quickly and securely without dealing directly with infrastructure complexity.

Internal Developer Platform (IDP)

An IDP is a self-service platform that abstracts operational tasks such as infrastructure provisioning, deployment, and monitoring so developers can focus on writing code.

Core Values of an IDP:

  • Self-Service: Developers provision infrastructure directly without filing tickets
  • Guardrails: Security and compliance built in by default
  • Standardization: Consistent deployment patterns through Golden Paths
  • Automation: Reduced cognitive load by eliminating repetitive tasks

Platform Engineering vs DevOps vs SRE

AspectPlatform EngineeringDevOpsSRE
FocusDeveloper experience and self-service platform constructionCultural integration of development and operationsService reliability and operational automation
Key DeliverablesInternal Developer PlatformCI/CD pipelines, automation scriptsSLO/SLI, error budgets, toil automation
Primary MetricsDeveloper productivity, onboarding timeDeployment frequency, lead timeAvailability, error budget burn rate
Team StructureDedicated platform teamCross-functional teamsSRE team or embedded SREs
RelationshipProduct layer on top of DevOps + SRECulture and methodologyOperational engineering practice

Note: These three approaches are complementary, not mutually exclusive. Platform Engineering is about packaging DevOps principles and SRE practices as a product.

Platform Team Roles and Structure

Key Roles:

RoleResponsibility
Platform Product ManagerAnalyze developer needs, manage IDP roadmap, define success metrics
Platform EngineerBuild core IDP infrastructure, Kubernetes/cloud automation
Platform SREReliability of the platform itself, monitoring, incident response
Developer Experience (DX) EngineerCLI tools, documentation, onboarding workflows

2. AWS CAF Platform Perspective

Introduction to AWS Cloud Adoption Framework

The AWS Cloud Adoption Framework (CAF) provides organizational guidelines for cloud adoption. The Platform Perspective covers three key areas:

  1. Platform Engineering -- The focus of this section
  2. Platform Architecture -- Cloud architecture design principles
  3. Data Architecture -- Data management and analytics strategy

Maturity Model: START → ADVANCE → EXCEL

AWS CAF defines cloud platform maturity in three stages. Let's examine how Kubernetes ecosystem tools map to each stage.

START: Foundation Building

The stage of establishing foundational infrastructure and setting up security guardrails.

CapabilityDescriptionKubernetes Ecosystem Mapping
Landing Zone & GuardrailsMulti-account environment, preventive/detective controlsEKS cluster configuration, OPA Gatekeeper / Kyverno
AuthenticationCentralized identity management, IdP integrationK8s Authentication & Authorization, OIDC, IRSA
NetworkingCentralized network managementVPC CNI, Calico, Cilium
LoggingCross-account observabilityPrometheus, Loki, OpenTelemetry
ControlsProgrammatic security controlsPod Security Standards, Network Policies
Cost ManagementTagging strategy, cost allocationResource Quotas, LimitRange, EKS Cost Optimization

ADVANCE: Operational Scaling

The stage of expanding automation and building centralized observability.

CapabilityDescriptionKubernetes Ecosystem Mapping
Infrastructure AutomationIaC, self-service productsACK, KRO, Crossplane, Helm
Central ObservabilityLog/metric/trace correlationGrafana Stack, CloudWatch
Systems ManagementImage standardization, patch managementImage Security, Kyverno
Credential ManagementTemporary credentials, automatic rotationSecrets Management, IRSA
Security ToolingXDR, granular monitoringRuntime Security, Trivy, GuardDuty

EXCEL: Continuous Optimization

The stage of achieving automated governance and continuous improvement.

CapabilityDescriptionKubernetes Ecosystem Mapping
Automated Identity ManagementVersion-controlled roles/policies via IaCGitOps-based RBAC management
Anomaly DetectionProactive vulnerability assessment, anomaly pattern detectionRuntime Security (Falco), audit log analysis
Threat AnalysisContinuous monitoring against industry benchmarksCIS Benchmark, kube-bench
Permission RefinementAutomated least privilege principleK8s audit log-based RBAC optimization
Platform MetricsMetrics aligned with organizational goalsDORA metrics, SLI/SLO

3. IDP Reference Architecture

Kubernetes-Based IDP Layer Structure

┌─────────────────────────────────────────────────────┐
│            Developer Interface Layer                  │
│      (Backstage, Port, CLI, GitOps UI)               │
├─────────────────────────────────────────────────────┤
│         Integration/Orchestration Layer               │
│      (ArgoCD, FluxCD, Crossplane, KRO)               │
├─────────────────────────────────────────────────────┤
│                Resource Layer                         │
│      (ACK, Helm Charts, Operators, CRDs)             │
├─────────────────────────────────────────────────────┤
│              Infrastructure Layer                     │
│      (EKS, VPC, IAM, S3, RDS, ...)                   │
└─────────────────────────────────────────────────────┘

Role and Tool Mapping for Each Layer

LayerRoleKey ToolsRepo Docs
Developer InterfaceUI/CLI that developers interact withBackstage, Port, Argo Workflows UI-
Integration/OrchestrationDeclarative state management, deployment automationArgoCD, FluxCD, KROGitOps, KRO
ResourceAbstraction of cloud/K8s resourcesACK, Helm, OperatorsACK, Helm, K8s Extensions
InfrastructureActual compute/network/storageEKS, VPC, IAMEKS

Self-Service Catalog Pattern (KRO RGD + ACK)

Combining KRO's ResourceGraphDefinition (RGD) with ACK enables a powerful self-service pattern:

yaml
# Single manifest written by developers
apiVersion: kro.run/v1alpha1
kind: WebApplication
metadata:
  name: my-app
spec:
  name: my-app
  image: my-app:v1.0
  replicas: 3
  database:
    engine: postgresql
    instanceClass: db.t3.medium

From this single manifest, KRO internally creates:

  1. Deployment + Service (Kubernetes native)
  2. RDS Instance (AWS resource via ACK)
  3. IAM Role (Permission setup via ACK)

For detailed examples, see ExampleCorp Integration Example.

Golden Path Concept

A Golden Path is the recommended deployment path provided by the platform team:

  • Purpose: Guide developers to get started quickly using validated methods
  • Characteristics: Recommended, not enforced -- developers can deviate when needed, but it's the optimal choice in most cases
  • Examples:
    • "New Microservice Deployment" Golden Path: Helm Chart template → ArgoCD integration → Automatic Prometheus metrics collection
    • "Database Provisioning" Golden Path: KRO RGD manifest → RDS creation via ACK → Automatic Secret injection

4. Platform Engineering Tool Ecosystem

This section maps where the tools covered in this repository fit within the platform engineering landscape.

CategoryToolsRepo Doc Link
Package ManagementHelm, KustomizeHelm
AWS IaCACK, CloudFormationACK
Resource OrchestrationKRO, CrossplaneKRO
Extension MechanismsCRD, OperatorsKubernetes Extension Mechanisms
GitOpsArgoCD, FluxCDGitOps Section
Policy/GovernanceKyverno, OPA GatekeeperKyverno, OPA Gatekeeper
ObservabilityPrometheus, Grafana, OTelObservability Section
AutoscalingKEDA, KarpenterKEDA, Karpenter
Service MeshIstio, CiliumIstio, Cilium Service Mesh
SecurityFalco, Trivy, PSSRuntime Security, Image Security, PSS

5. Platform Maturity Self-Assessment Checklist

Assess your organization's platform engineering maturity. Each item links to the relevant document in this repository.

START Stage

CheckItemRelated Docs
[ ]Are EKS clusters created in a standardized manner?EKS Cluster Creation
[ ]Are RBAC policies defined and enforced?Authentication & Authorization
[ ]Are network policies applied?Network Policies
[ ]Is basic monitoring and logging configured?EKS Monitoring
[ ]Are Pod Security Standards applied?PSS
[ ]Are resource quotas and limits set?EKS Cost Optimization

ADVANCE Stage

CheckItemRelated Docs
[ ]Is infrastructure managed with IaC? (ACK, Terraform, etc.)ACK
[ ]Is a GitOps workflow in place?GitOps
[ ]Is a centralized observability stack operational?Observability
[ ]Is governance automated with a policy engine?Kyverno
[ ]Are secrets automatically managed from an external store?Secrets Management
[ ]Is container image scanning automated?Image Security

EXCEL Stage

CheckItemRelated Docs
[ ]Is a self-service catalog provided to developers?KRO, ExampleCorp
[ ]Are DORA metrics measured and improved?-
[ ]Is runtime security monitoring operational?Runtime Security
[ ]Is autoscaling optimized for workloads?KEDA, Karpenter
[ ]Are platform SLOs defined and tracked?Observability Analysis
[ ]Are Golden Paths defined and documented?This document (Section 3)

6. References