kubecon24/content/day1/03_beyond_platform_thinking.md

---
title: Beyond Platform Thinking at Ritchie Brothers - Build Things No One Expects, in a Place No One Expect
weight: 3
tags:
 - platform
 - scaling
 - operators
 - warstory
---

The story of how Thoughtworks buit YY at Ritchie Bros (RB).
Presented by the implementers at Thoughtworks (TW).

## Backgroud

* RB is a auctioneer in the field of heavy machinery
* Problem: They are old(ish) and own a bunch of other companies -> Duplicate Solutions
* Goals
  * Get rid of duplicates
  * Scale without the need of more personel

### Platform creation principles

* Platform is a product
* Building is a exercise in software eng. not operations
* Reduce dev friction

## Platform overview

* Platform provides selfservices
* Teams manage everything inside their namespace themselfes
* Multiple global locations that can be opted-in and -out

## Principles and Solutions

### Compliance at source of change

> Developers own their pipelines

* Dev teams are responsible for scanning, etc
* Platform verifies thath the compliance scans have been done (through admission control)
* Examples:
  * OPA + Gatekeeper for admission -> Teams use snyk for scanning and admission checks the scan results
  * ira as admission hook for approval -> PO approves in Jira, admission only acceps if webhook is approved

### Platform Operators

* Implemented: S3 Operator, IAM Operator, DynamoDB Operatopr
* Reasons:
  * Devs should not need access to AWS/GCP directly
  * Teams have full control while not needing to submit tickets or write terraform
* Goals
  * Abstract specific details away
  * Make the results cloud-portable (AWS, GCP, Azure)
  * Still retain developer transparency
* Example: DynamoDB Database
  1. User: creates dynamo CR and ServiceRole CR
  1. K8S: Create Pods, Secrets, Configs and Serviceaccount (related to a IAM Role)
  1. User: Creates S3 Bucket CR and assignes ServiceRole
  1. K8s: Injects secrets and configs where needed

### Observability

* Tool: Honeycomb
* Metrics: OpenTelemetry
  * Operator reconcile steps are exposed as traces

## Q&A

* Your teams are pretty autonomous -> What to do with more classic teams: Over a multi-year journey every team settles on the ownership and self-service approach
* How teams get access to stages: They just get themselves a stage namespace, attach to ingress and have fun (admission handles the rest)
First batch of day one 2024-03-19 13:59:45 +00:00			`---`
updated titles 2024-03-19 15:53:59 +00:00			`title: Beyond Platform Thinking at Ritchie Brothers - Build Things No One Expects, in a Place No One Expect`
First batch of day one 2024-03-19 13:59:45 +00:00			`weight: 3`
added tags 2024-03-25 12:45:10 +00:00			`tags:`
			`- platform`
			`- scaling`
			`- operators`
			`- warstory`
First batch of day one 2024-03-19 13:59:45 +00:00			`---`

			`The story of how Thoughtworks buit YY at Ritchie Bros (RB).`
			`Presented by the implementers at Thoughtworks (TW).`

			`## Backgroud`

			`* RB is a auctioneer in the field of heavy machinery`
			`* Problem: They are old(ish) and own a bunch of other companies -> Duplicate Solutions`
			`* Goals`
			`* Get rid of duplicates`
			`* Scale without the need of more personel`

			`### Platform creation principles`

			`* Platform is a product`
			`* Building is a exercise in software eng. not operations`
			`* Reduce dev friction`

			`## Platform overview`

			`* Platform provides selfservices`
			`* Teams manage everything inside their namespace themselfes`
			`* Multiple global locations that can be opted-in and -out`

			`## Principles and Solutions`

			`### Compliance at source of change`

			`> Developers own their pipelines`

			`* Dev teams are responsible for scanning, etc`
			`* Platform verifies thath the compliance scans have been done (through admission control)`
			`* Examples:`
			`* OPA + Gatekeeper for admission -> Teams use snyk for scanning and admission checks the scan results`
			`* ira as admission hook for approval -> PO approves in Jira, admission only acceps if webhook is approved`

			`### Platform Operators`

			`* Implemented: S3 Operator, IAM Operator, DynamoDB Operatopr`
			`* Reasons:`
			`* Devs should not need access to AWS/GCP directly`
			`* Teams have full control while not needing to submit tickets or write terraform`
			`* Goals`
			`* Abstract specific details away`
			`* Make the results cloud-portable (AWS, GCP, Azure)`
			`* Still retain developer transparency`
			`* Example: DynamoDB Database`
			`1. User: creates dynamo CR and ServiceRole CR`
			`1. K8S: Create Pods, Secrets, Configs and Serviceaccount (related to a IAM Role)`
			`1. User: Creates S3 Bucket CR and assignes ServiceRole`
			`1. K8s: Injects secrets and configs where needed`

			`### Observability`

			`* Tool: Honeycomb`
Day 1 typos 2024-03-26 13:39:44 +00:00			`* Metrics: OpenTelemetry`
updated titles 2024-03-19 15:53:59 +00:00			`* Operator reconcile steps are exposed as traces`

			`## Q&A`

Day 1 typos 2024-03-26 13:39:44 +00:00			`* Your teams are pretty autonomous -> What to do with more classic teams: Over a multi-year journey every team settles on the ownership and self-service approach`
			`* How teams get access to stages: They just get themselves a stage namespace, attach to ingress and have fun (admission handles the rest)`