Konstruct Platform: Team Responsibilities Overview
This diagram illustrates the separation of concerns between the Platform Admin Team (green) and the downstream Engineering (blue) in a Konstruct-managed Kubernetes platform.
Color Key
| Color | Owner | Scope |
|---|---|---|
| Orange | Konstruct | Upstream templates and infrastructure — consumers reference but don't manage |
| Green | Platform Admin | Management ecosystem, cluster provisioning, platform tooling |
| Blue | Engineering | Applications, environments, and delivery to workload clusters |
Platform Admin Responsibilities
The platform admin team operates the management ecosystem, which includes:
Git Layer
- Maintains the platform team gitops repo with cluster templates
- Provisions team cluster instances and workload clusters from registered upstream templates
- Manages platform tools configuration and catalog apps
Infrastructure Layer
- Runs the management cluster with Konstruct, Argo CD, and Crossplane, among other tooling
- Provisions new organizations, cloud accounts, and team management clusters
- Installs and manages platform tools on all management, physical and virtual clusters
- Controls the GitOps delivery pipeline for platform-level concerns
Engineering Team Responsibilities
Engineers receive ready-to-use workload clusters with platform tools pre-installed. Their focus:
Git Layer
- Owns the engineering org gitops repo for environment definitions (dev/stage/prod)
- Owns application repos containing Dockerfiles, Helm charts, and source code (auto-generated with registry)
- Registers environments and applications for delivery
Infrastructure Layer
- Uses provisioned EKS clusters and ECR for container images
- Deploys applications across namespaces (dev/stage/prod) via GitOps
- Leverages platform tools without managing them
The Handoff
The platform admin team hydrates upstream templates to create cluster configurations, then provisions infrastructure. Engineers receive clusters with everything wired up — secrets management, ingress, cert-manager, external-dns — and simply register their apps and environments to start delivering.
Argo CD Project Boundary and Git Isolation Layers
Konstruct provides deep isolation boundaries by enforcing project RBAC controls at each layer. This prevents engineers from delivering to unsanctioned namespaces that belong to either a team in the same organization or to the platform team's managed resources. The GitOps repository separations allow platform teams the controls they need for future downstream team collaborators with an eye toward the visibility concerns and requirements of such a mutitenancy ecosystem.