Building cloud platforms: the checks that matter

CNCF’s platform design is useful because it focuses on drift, artifact trust, and operational evidence — not because Kubernetes alone solves delivery risk.

2026-05-29 GIGATAP Team #security
#cloud native#Kubernetes#GitOps

Building cloud platforms: the checks that matter

CNCF’s post describes a cloud native internal developer platform built around Kubernetes, GitOps, Infrastructure as Code, and supply chain controls. The useful part is not the tool list. It is the operating model: make infrastructure, platform components, and application delivery reproducible, reviewable, and harder to mutate by hand.

What changed#

The CNCF Blog article lays out a reference design for building cloud native internal developer platforms with Kubernetes and CNCF ecosystem tools. It uses Kubernetes as the execution layer, Terraform for cloud resource provisioning, Argo CD for GitOps reconciliation, and security tooling such as Trivy, Cosign, and Kyverno around the delivery path.

The author frames the problem plainly: modern software delivery is often constrained less by application code than by the platform that runs it. The listed failure modes are familiar in security operations and platform engineering: inconsistent deployments, infrastructure drift, hardcoded secrets, weak CI/CD posture, inefficient scaling, limited rollback paths, and fragmented observability.

The architecture separates the system into three layers:

  • Infrastructure: cloud resources provisioned through Terraform, including networks, Kubernetes, identity, access settings, and secret stores.
  • Platform: Kubernetes-level capabilities installed and managed declaratively, including Argo CD, Istio, Prometheus, Grafana, Loki, and Kyverno.
  • Applications: independently deployable containerized services, packaged with Helm and promoted through Git-driven workflows.

That separation is the main design choice. The source says collapsing these layers early created maintenance complexity. That is a useful warning. Many internal platform efforts fail because “platform” becomes a single repository, a shared deployment pipeline, and a loose collection of admin permissions. The result is not speed. It is hidden coupling.

The post also describes a delivery workflow that keeps application build, security validation, and infrastructure provisioning distinct. Application changes pass through build and compilation, testing, static analysis, dependency scanning with Trivy, image signing with Cosign, and publication to a container registry. The stated goal is that only versioned, signed, and tamper-evident artifacts enter the platform.

Why building cloud this way matters#

The strongest claim in the CNCF post is operational, not architectural fashion. GitOps and IaC matter because they reduce the number of places where reality can diverge from intent.

In a manual platform, the cluster state is partly in code, partly in dashboards, partly in CLI history, and partly in one engineer’s memory. That is a weak trust model. It makes incident response slower because teams first have to discover what the environment actually is. It also turns audits into archaeology.

A GitOps model changes the evidence path. If Git is the declared source of truth, then a deployment is not just “what ran.” It is a diff, a reviewer, a commit, a controller reconciliation event, and a cluster state that can be compared against intent. That does not make the platform secure by itself. It makes drift more visible and unauthorized change harder to normalize.

The same applies to supply chain controls. Signing a container image with Cosign does not prove the code is safe. It proves something narrower and still valuable: the artifact can be tied to an expected build identity and can be checked before use. Trivy scanning does not remove vulnerable dependencies. It gives teams a repeatable way to surface known issues before promotion.

This is where open source security work becomes operational rather than symbolic. A bill of materials, a signature, or a scan result is only useful if the platform knows what to do with it. Otherwise it is a compliance souvenir. The CNCF design points in the right direction by placing these controls inside the pipeline and admission path, rather than treating them as reports generated after deployment.

For related context, see GigaTap’s note on making security artifacts operational: https://gigatap.top/en/articles/openssfs-april-signal-make-security-artifacts-operational

What to check before acting on it#

A reference architecture is not an implementation. Before copying this pattern, teams should check whether their current bottleneck is actually solved by building a cloud native internal developer platform, or whether they are about to automate an unclear process.

Start with ownership. The infrastructure, platform, and application layers need separate responsibilities, but not separate kingdoms. If every change requires negotiation across three teams, GitOps becomes a ticket machine. If one team owns everything without review boundaries, the separation is mostly cosmetic.

Then check the control points:

  • Is Terraform state stored in a remote backend with access controls and recovery expectations?
  • Are cloud provider service connections scoped narrowly enough for pipeline use?
  • Does the registry enforce the use of signed, versioned images?
  • Are image signatures verified before deployment, or only created during build?
  • Are dependency and image scan results blocking, advisory, or ignored?
  • Are Kyverno or other admission policies tied to clear rules that developers can understand before merge?
  • Can Argo CD detect and correct drift without masking emergency changes?
  • Are secrets kept out of pipeline definitions and application repositories?
  • Is rollback tested as a normal operation, not only discussed during incidents?
  • Do Prometheus, Grafana, Loki, and service mesh telemetry answer concrete incident questions?

The observability point deserves scrutiny. Installing metrics, dashboards, and logs is not the same as having usable observability. The platform should answer: what changed, who changed it, what version is running, what dependency or image introduced risk, and whether the failing service is a code, network, identity, or infrastructure problem.

Cost is another practical check. The source mentions inefficient scaling strategies as a platform problem. A Kubernetes-based internal platform can reduce waste when policies, autoscaling, quotas, and environment lifecycles are designed well. It can also increase spend if teams create always-on clusters, duplicate shared services, or treat every workload as needing the full platform stack.

Security operations impact#

For security operations, the value is better evidence and fewer invisible exceptions.

A platform like this can make routine checks less dependent on tribal knowledge. Infrastructure changes are versioned. Application delivery has a trace. Artifacts can be signed. Policies can be enforced at admission time. Logs and metrics can be centralized. Those are real improvements if they are connected.

The privacy risk is more indirect but still relevant. Internal platforms concentrate identity, logs, secrets, deployment metadata, and service traffic controls. Poorly governed platforms can become high-value internal surveillance and breach targets. Strong access boundaries, retention policies, and secret handling matter as much as the Kubernetes components themselves.

This is also where “cloud native” should be read carefully. The source notes that some implementations use managed AKS, but the architectural patterns apply to CNCF-conformant Kubernetes distributions. That portability claim is reasonable at the pattern level. It does not mean every control behaves identically across providers, identity systems, registries, and managed Kubernetes defaults.

Platform teams should document the assumptions that are provider-specific: workload identity, registry behavior, network policy, secret store integration, audit logs, and admission controller support. Those are the seams that usually matter during incidents.

What not to overclaim#

This CNCF post is a design article, not an independent measurement of platform performance or security outcomes. It does not prove that Kubernetes, GitOps, Istio, or any named tool will reduce incidents in every organization. It shows a coherent way to combine them.

Do not overclaim image signing. It improves provenance and tamper evidence. It does not validate business logic, remove vulnerable code, or stop a compromised build system from producing a signed bad artifact.

Do not overclaim GitOps. It improves auditability and drift control when the desired state is accurate and protected. It can also propagate mistakes quickly if review, testing, and policy checks are weak.

Do not overclaim Policy as Code. Admission controls are only as good as the rules, exception process, and developer feedback loop. A policy system that blocks unexplained changes at deploy time will be bypassed politically, even if it works technically.

The practical lesson is narrower and stronger: building cloud native internal platforms should start with operational checks, not tool enthusiasm. If the platform can prove what changed, verify what runs, limit who can mutate state, recover from bad deployments, and expose useful incident evidence, it is moving in the right direction. If it only adds Kubernetes vocabulary to the same old manual process, it is just a more expensive maze.