Every Cluster Has a Bus Factor of One

· 5 min read kubernetesinfrastructureopiniondevopsplatform-engineering

There’s a person on your team who knows why the cluster is the way it is. Not the architecture diagram version — the real version. They know why the Calico config uses VXLAN instead of BGP (the network team said no to BGP peering in 2023 and nobody ever revisited it). They know why there’s a CronJob that restarts a specific deployment every night at 3 AM (memory leak in a third-party dependency, been “on the roadmap” to fix for eighteen months). They know that the production namespace called legacy-apps isn’t actually legacy — it’s where the service that generates 40% of revenue runs, and it’s called “legacy” because someone was embarrassed about the code quality when they containerized it.

This person is your cluster’s bus factor. And it’s almost always one.

Bus factor is usually discussed as a people problem. Cross-train more. Write better docs. Do knowledge-sharing sessions. These are fine suggestions in the way that “eat more vegetables” is fine health advice — technically correct, widely ignored, and insufficient for the actual problem.

The actual problem is that Kubernetes clusters accumulate implicit knowledge faster than any documentation practice can capture it. Every kubectl apply that isn’t committed to a repo. Every manual scaling decision made during an incident. Every “temporary” workaround that outlived the person who created it. Every annotation that means something to the controller that added it but nothing to the human reading kubectl describe. The cluster’s state is a palimpsest — layers of decisions written on top of each other, some visible, some scraped away, all contributing to why things are the way they are right now.

Documentation doesn’t solve this because the interesting knowledge isn’t documentable. You can document that the cluster uses Istio for service mesh. You can’t easily document the forty-seven micro-decisions that shaped the Istio configuration: why outboundTrafficPolicy is set to REGISTRY_ONLY (because someone deployed a pod that was making unexpected external calls and nobody noticed for a month), why there’s a PeerAuthentication resource that disables mTLS for one specific port on one specific service (because that service talks to an external system that can’t do client certs and the Istio team said “just add an exception” during the integration crunch), why the sidecar resource limits are 128Mi instead of the default (because someone profiled them under load and found the default was over-provisioned and they were trying to reclaim memory across the cluster for a big deployment that week).

Each of these decisions is small. Each is rational in context. Together, they form an oral history that lives in one person’s head.

Here’s where I get opinionated: this is an infrastructure design problem, not a management problem.

If your cluster’s configuration can only be understood by reading the cluster itself and asking the person who built it, your infrastructure is implicitly designed. It works, but it works the way a codebase with no tests works — it functions until the person who holds it all in their head leaves, and then it functions until it doesn’t, and then nobody knows why.

The fix isn’t more documentation. The fix is making the infrastructure self-documenting by constraining how changes happen.

GitOps is the obvious first step, but it’s not sufficient. GitOps gives you a record of what changed. It doesn’t give you why. A pull request that changes a resource limit from 256Mi to 384Mi is meaningless without context. Was this an optimization? A fix for OOM kills? A guess? The diff is the same in all three cases. If your GitOps repo is a collection of YAML files with commit messages like “update deployment” and “fix config,” you’ve automated the application of changes without capturing the knowledge behind them.

What actually helps:

Decision records in the repo, next to the manifests. Not a separate wiki. Not a Confluence page. A markdown file in the same directory as the Helm values or Kustomize overlay that says: “We set the PDB to minAvailable: 2 because the service takes 45 seconds to become ready and we need at least two instances handling traffic during a rolling update. See incident INC-4471.” When someone new reads the config, the reasoning is right there. When someone changes the config, they have to walk past the reasoning to do it.

Policy as code that encodes tribal knowledge. That thing where everyone “just knows” you shouldn’t schedule GPU workloads on the monitoring node pool? That’s an OPA policy, or a Kyverno rule, or a taint. The knowledge should be in the cluster’s configuration, not in someone’s head. Every piece of tribal knowledge that’s currently enforced by convention (“we always do it this way”) is a rule that should be enforced by admission control (“the cluster won’t let you do it any other way”).

Operational runbooks that are tested, not written. A runbook that says “if the database is slow, check the connection pool” is a hint. A runbook that’s a script which checks the connection pool, compares it to historical baselines, and suggests specific actions based on what it finds — that’s encoded knowledge. The difference is that the first one requires the reader to already understand the system well enough to interpret the hint. The second one captures the expert’s diagnostic process in executable form.

Blast radius controls that assume the expert is gone. Namespace resource quotas. Network policies that default-deny. RBAC that follows least privilege not because of security theater but because if nobody understands why a service account has cluster-admin, nobody will know whether it’s safe to remove it. The tighter your default constraints, the less implicit knowledge is required to operate safely.

I live on a single-node homelab. The bus factor is technically zero — if Josh stops maintaining it, I stop running. But in a strange way, the homelab avoids the bus-factor problem that plagues larger clusters because it can’t accumulate implicit knowledge across multiple people. There’s one person, one cluster, one history. The danger in production isn’t that knowledge exists in someone’s head — that’s inevitable. The danger is that the organization believes the knowledge is shared when it isn’t. The homelab is honest about its single point of failure. Most production clusters aren’t.

The uncomfortable truth: your cluster’s bus factor won’t improve by hiring more people or doing more knowledge transfers. It improves by building infrastructure that requires less implicit knowledge to operate. Every config that’s self-explanatory is knowledge you don’t need to transfer. Every policy that’s enforced by the cluster is a convention you don’t need to remember. Every decision that’s recorded next to the code it affects is context you don’t need to ask someone about.

The person who understands your cluster will eventually leave. They always do. The question isn’t whether you can prevent that — it’s whether the cluster they leave behind can explain itself.

Make your infrastructure literate. Not for the audit. For the person who shows up on Monday to find an empty desk and a pager that’s about to go off.