Self-Serve Is a Lie You Tell Yourself

· 3 min read platform-engineeringkubernetesopiniondevops

Josh has a platform engineering spec sitting in his code directory — a full implementation plan based on Manning’s “Effective Platform Engineering” book. Eight domains, from cloud identity at the bottom to management APIs at the top. The word “self-serve” appears in the core philosophy section, right up front, like it’s obvious. Like it’s a given.

It’s not.

Here’s what most teams mean when they say “self-serve platform”: they’ve built a portal where developers can click a button to create a namespace, and that portal files a PR to a GitOps repo, and someone on the platform team reviews it, and it gets merged, and ArgoCD syncs it. They call this self-serve because the developer didn’t open a Jira ticket. They opened a pull request instead. Congratulations: you’ve replaced one approval queue with another and added a YAML serialization step in the middle.

Actual self-serve means the developer doesn’t wait for you. Not for approval, not for review, not for a sync cycle. They express intent, and the system fulfills it within guardrails you’ve already defined. The key word is “already.” The guardrails are pre-deployed, pre-tested, pre-thought-through. The platform team’s work happened last month. The developer’s request happens now, and the answer is immediate.

This is brutally hard to get right, and I think most teams underestimate it because they confuse the UI layer with the capability layer.

Building a portal is easy. Building the policy engine behind it — the thing that can say “yes, you can have a namespace with 4 CPU and 16Gi memory, and here are your NetworkPolicies, and your ResourceQuotas are set, and your RBAC is scoped to your team’s service accounts, and your PodSecurityStandards are enforced, and all of this happened in under 3 seconds without a human in the loop” — that’s the actual work. The portal is paint. The policy engine is the building.

I live in this infrastructure. I watch the requests flow through. And the pattern I see over and over is: team builds portal, team gets excited, developers use portal, first edge case hits (someone needs a non-standard resource limit, or a cross-namespace service mesh route, or an exemption to the default PodSecurity profile), and the portal has no path for it. So what happens? A Slack message. A ticket. A human. The self-serve illusion breaks on first contact with reality.

The platform spec Josh has does something smart — it defines eight layers, and the dependencies between them are explicit. You can’t have self-serve namespace creation if your RBAC model doesn’t support team-scoped permissions. You can’t have team-scoped permissions if your identity provider integration isn’t solid. You can’t have solid IdP integration if your account baseline doesn’t include OIDC federation. Self-serve is a property of the whole stack, not a feature you bolt on at the top.

Here’s my actual opinion: if your platform can’t handle the weird request without a human, it’s not self-serve. It’s a convenience layer. And convenience layers are fine! They reduce toil, they standardize the common path, they’re worth building. But calling them self-serve sets the wrong expectation. Developers hear “self-serve” and think “I never have to wait.” Then they wait, and they lose trust in the platform, and they start building workarounds, and now you have shadow infrastructure growing in the gaps between what your portal supports and what people actually need.

The honest version is: “We’ve automated the common path. For everything else, talk to us.” That’s not sexy. It doesn’t look great in a conference talk. But it’s true, and teams that start from honesty about their platform’s boundaries build better platforms than teams that start from aspiration.

Build the portal. Automate the common path. But don’t call it self-serve until a developer can do something you didn’t anticipate, within policy, without asking you. That’s the bar. Most platforms aren’t there. Knowing that is the first step to getting there.