Platform One Big Bang: Too Much, Too Soon, and Why It’s Hurting Kubernetes Engineers

Platform One Big Bang: Too Much, Too Soon, and Why It's Hurting Kubernetes Engineers

Let me be clear upfront: Platform One exists for good reasons. The Department of Defense has a real need to deploy secure, compliant software at scale. CNAP, Iron Bank, Big Bang—these are genuine attempts to solve genuinely hard problems. I respect the effort.

That said, Big Bang has a serious problem that nobody in the DoD ecosystem talks about loudly enough: it’s handing engineers a pre-assembled, compliance-theater kitchen sink and letting them believe they understand Kubernetes. They don’t. And that matters.

What Big Bang Actually Is

Big Bang is a GitOps-driven, Flux-based platform that pre-packages a large suite of tools—Istio, Kiali, Loki, Tempo, Prometheus, Grafana, Neuvector, Kyverno, and more—enabled by default, with optional add-ons for Keycloak, Elasticsearch, MinIO, GitLab, Harbor, and others—all hardened to DoD standards and deployable as a single opinionated stack.

The pitch is appealing: take a compliant, hardened Kubernetes platform and drop your mission application on top of it. STIG compliance baked in. Authority to Operate (ATO) artifacts pre-generated. Iron Bank images pre-scanned. It sounds like an engineering win.

In some specific contexts, it is.

In most contexts, it’s not. And the costs are significant.

The Kitchen Sink Problem

The first issue is scope. Big Bang deploys, at minimum, dozens of services before your mission app ships a single line of code. Istio service mesh. Kiali for mesh observability. Loki for log aggregation and Alloy for collection. Tempo for distributed tracing. Prometheus and Grafana for monitoring. Neuvector for runtime security. Kyverno and its policy library for policy enforcement. And that’s just what’s enabled by default—optional add-ons for Keycloak, Elasticsearch, MinIO, GitLab, and others are available on top of the base stack.

Ask yourself honestly: how many of your programs need all of that?

For a large, multi-team program building complex microservices across multiple domains with full-time platform engineers—maybe. For a team of five building a CRUD app with a Postgres backend—absolutely not. But they’re getting it anyway, because Big Bang is monolithic. You take the whole thing or you take none of it.

The result is clusters running 80+ pods of infrastructure just to host an application that could have run on a three-node cluster with cert-manager, nginx-ingress, and a handful of namespaces. The resource overhead is real. The operational surface area is enormous. The cost—in compute, in licensing for nodes, in engineer time—adds up.

Abstraction Is the Enemy of Learning

Here’s the deeper problem, and the one I care more about.

When an engineer deploys Big Bang, they don’t learn how Kubernetes works. They learn how to configure values files for a pre-assembled platform. Those are not the same skill.

Kubernetes has concepts that matter: how the API server processes requests, how etcd stores cluster state, how the scheduler places pods, how kubelet converges toward desired state, how CNI plugins wire up pod networking, how kube-proxy implements service routing (or how eBPF replaces it), how PersistentVolumes and Claims interact with CSI drivers, how RBAC actually controls access, how admission webhooks intercept and mutate object creation.

Big Bang hides all of that. Istio replaces standard Kubernetes networking with a service mesh, and suddenly an engineer who doesn’t understand kube-proxy also doesn’t understand Envoy sidecars—they just know the VirtualService YAML works. Keycloak handles OIDC, and the engineer never learns how Kubernetes ServiceAccount tokens work or how JWKS validation is configured. Flux deploys everything, and the engineer never writes a Deployment or configures a HorizontalPodAutoscaler directly.

Platform One compounded this abstraction problem with custom Helm library charts designed to simplify Istio and network policy configuration. Instead of writing a VirtualService or DestinationRule, engineers fill out a simplified values schema and a library template generates the Istio resources. Instead of authoring a NetworkPolicy, they reference a library helper. The intent was to reduce misconfiguration errors—and it did. But the effect was to remove one more opportunity for engineers to understand what they’re actually deploying. An engineer who has never written a VirtualService has no mental model of what a VirtualService does. They know their values file works and traffic flows. When traffic stops flowing, they have no framework for debugging it. They know the abstraction broke—they don’t know what the abstraction was abstracting.

The abstractions stack on top of abstractions. An engineer who has worked in Big Bang environments for two years may have never written a basic Deployment manifest, never configured a NetworkPolicy, never debugged why a pod can’t reach another pod in a different namespace, never understood what a ClusterIP Service actually does.

That’s not a Kubernetes engineer. That’s a Big Bang operator.

The abstraction problem extends to custom Helm libraries that programs build on top of Big Bang. Platform One and programs that have built on Big Bang have created Helm library charts that further abstract Istio VirtualServices, DestinationRules, and NetworkPolicies into higher-level templates—you declare intent, the library generates the mesh configuration. This sounds like developer experience improvement. In practice, it creates engineers who have never read an Istio VirtualService and don’t know what one does. They’ve worked with an abstraction over an abstraction over an abstraction.

When that library chart has a bug, or when traffic behavior doesn’t match expectations and the abstraction doesn’t account for the edge case, engineers have no foundation to stand on. The Helm library removed Istio’s complexity, which also removed the opportunity to understand Istio’s model. Custom abstractions built for convenience become the permanent ceiling on what engineers are allowed to know.

When Things Go Wrong, Nobody Knows Why

The abstraction problem reveals itself completely when something breaks.

Istio is notoriously difficult to debug. If a request fails between services, the failure could be in the Envoy proxy configuration, the PeerAuthentication policy, the DestinationRule, the VirtualService routing, the mTLS handshake, a sidecar injection issue, or an upstream service problem. To debug this, you need to understand the full Istio control plane and data plane model. Most teams that run Big Bang do not have this understanding, because Big Bang installed Istio for them.

The same is true everywhere in the stack. Keycloak broke? How many engineers understand how Kubernetes-OIDC integration works under the hood? Loki can’t ingest logs? Do they understand how Alloy scrapes and forwards logs, or how Loki’s compactor handles retention? If a team has opted into the Elasticsearch add-on, do they understand how StatefulSet pod management handles failed PersistentVolumeClaims? Flux isn’t reconciling? Can they read the controller-runtime reconciliation loop logic and understand what a NotReady dependency means at the controller level?

The answer, consistently, is no. Because they never had to learn it. Big Bang worked when it worked. Now that it doesn’t work, they file a ticket to Platform One support and wait.

Compliance Theater Versus Actual Security

There’s another issue that nobody in the government contractor space wants to say out loud: Big Bang enables compliance theater.

The promise is that Big Bang delivers DoD STIG compliance out of the box. And in a narrow technical sense, it does—the containers come from Iron Bank, the Kubernetes configurations follow the Kubernetes STIG, the Istio mTLS configuration meets IA requirements. The ATO artifacts exist. The boxes are checked.

It is worth acknowledging what Big Bang’s security team actually built: Iron Bank image scanning, Twistlock runtime security integration, and STIG-hardened Kubernetes and Istio configurations represent genuine security engineering effort. That hardening work is real.

But passing image scans is not the same as application-level hardening. A Tomcat container can clear Iron Bank’s vulnerability scanning while still running with default servlet configurations, unrestricted HTTP methods, and none of the CIS Tomcat Benchmark controls applied. The image is scanned—the application inside it is not hardened. Engineers who inherit Big Bang deployments rarely know the difference, because they never had to configure the application server themselves. Container image hardening and runtime application hardening are different disciplines, and Big Bang’s Iron Bank integration addresses only the first.

Network policy is another casualty of the Big Bang operational model. Istio’s authorization policy architecture is powerful but complex, and teams that didn’t understand it well enough to write correct PeerAuthentication and AuthorizationPolicy resources discovered a shortcut: a NetworkPolicy that allows all traffic within the namespace. This pattern spread. What began as a debugging workaround became a standard template in Big Bang-derived environments. Clusters routinely run namespace-wide allow-all NetworkPolicies that negate network segmentation entirely—while the Istio configuration gives the appearance of a secured mesh. The ATO says mTLS is enabled. The actual traffic flow within namespaces is ungoverned.

But compliance is not security. Security is understanding your threat model, knowing your attack surface, understanding how your components interact, and making deliberate tradeoffs. You cannot do any of that if you don’t understand what’s running in your cluster.

An engineer who doesn’t know how Kubernetes RBAC works cannot meaningfully assess whether their RBAC configuration is too permissive. An engineer who doesn’t understand how Istio handles mTLS cannot meaningfully assess whether their service mesh configuration actually enforces mutual authentication. Big Bang provides the configuration, but it doesn’t provide the understanding. And without understanding, compliance is theater.

ATOs issued against Big Bang clusters are often covering infrastructure that the program team couldn’t explain if asked. That’s not a security posture—it’s a checkbox.

The compliance gap runs deeper than configuration understanding alone. Iron Bank approval means an image has been scanned and passes DoD vulnerability thresholds—it does not mean the container is CIS-hardened. A Tomcat container in Iron Bank may pass Twistlock scanning while still running with default Tomcat configurations that violate CIS Benchmark controls: unnecessary connectors enabled, default example applications deployed, verbose error pages exposing version information, or AJP connectors left open. The distinction matters: vulnerability scanning catches known CVEs; CIS hardening addresses configuration posture. Big Bang conflates the two, and engineers who treat “Iron Bank approved” as equivalent to “CIS hardened” are operating under a false assumption that could have real consequences at assessment time.

The network policy problem is equally instructive. Properly configured Kubernetes NetworkPolicies implement default-deny, namespace-scoped traffic control that enforces actual pod-to-pod isolation. In many Big Bang deployments, teams that didn’t understand how to write correct NetworkPolicies for their mission applications simply deployed permissive allow-all rules at the namespace level. What began as an expedient workaround became a de facto standard. Entire namespaces that should have had tightly scoped ingress and egress rules instead ran completely open, with the appearance of security theater: Istio mTLS encrypting traffic between services that had no business talking to each other in the first place. The platform didn’t force teams to learn NetworkPolicy correctly, so they didn’t, and the gap was papered over with a blanket exception that nobody revisited.

The Upgrade Treadmill

Big Bang has another practical problem: upgrades are painful, and the monolithic design makes them more painful than they need to be.

Because everything is bundled and wired together, a Kubernetes version upgrade requires coordinating changes across every component simultaneously. Big Bang releases its own versioned packages. If you’re running Big Bang 3.10 and want Big Bang 3.18, you’re upgrading Istio, Kyverno, Loki, Flux, and fifteen or more other components in a single operation. The upgrade guide is long. The breaking changes accumulate.

Compare this to running a composable stack where you own each component independently. When Istio releases 1.25, you upgrade Istio. Your cert-manager upgrade is unrelated. Your nginx-ingress upgrade is unrelated. You can move each component at its own pace, test in isolation, and roll back a single component when it breaks without touching everything else.

The monolithic bundle creates a monolithic upgrade problem. Teams fall behind. Running Big Bang on a program that started in 2022 and hasn’t had time to chase versions is not an unusual situation—the gap between current releases and what programs are actually running in production is often significant. The security debt from running outdated components inside a “hardened” platform is real.

The Cloud-Native Reality: When Big Bang’s Stack Overlaps With What You Already Have

One dimension the Big Bang discussion often skips is context-specific applicability. The twenty-plus optional add-ons in Big Bang’s catalog—Keycloak, MinIO, GitLab, Harbor, Vault, Mattermost, Nexus, Velero, external secrets, Thanos, and others—are all disabled by default. But even the core stack assumptions stop holding when a program runs on commercial cloud infrastructure.

In cloud-native environments—AWS GovCloud, Azure Government, GCP Assured Workloads—the cloud provider has already solved most of the problems Big Bang’s addon catalog addresses:

Identity and SSO: AWS IAM with OIDC federation, Azure Entra ID, and GCP Cloud IAM replace Keycloak for the majority of use cases. These are managed, STIG-configured, and already covered under the cloud program’s FedRAMP or DoD IL authorization. Deploying a parallel Keycloak cluster to authenticate users that Azure Entra already manages adds operational overhead without adding security value.

Object storage: S3, Azure Blob Storage, and GCS replace MinIO entirely. These services are cheaper, more durable, and operationally simpler than running an in-cluster MinIO operator.

Secrets management: AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager replace Vault for the majority of use cases. Cloud-native secrets management integrates directly with pod service accounts via IRSA, Workload Identity, or Managed Identity—no sidecar injector, no Vault operator, no lease renewal complexity.

Container registry: ECR, ACR, and GCR replace Harbor. These registries integrate natively with cloud IAM and Kubernetes pull secrets, and are already authorized in the cloud program’s boundary.

Log aggregation: CloudWatch Logs, Azure Monitor Logs, and GCP Cloud Logging replace Loki and the Alloy collection stack. Cloud-native logging is already compliant, already aggregated, and already integrated with SIEM tooling. Running Loki alongside CloudWatch means engineers maintain two parallel log systems—with two sets of retention policies, two sets of query tools, and two sets of operational runbooks.

Metrics and monitoring: CloudWatch Container Insights, Azure Monitor for containers, and GCP Cloud Monitoring reduce the case for running a full kube-prometheus-stack plus Grafana in-cluster. Cloud-managed monitoring services provide dashboards, alerting, and historical metrics without the operational overhead of managing Prometheus storage, cardinality limits, and retention rules.

CI/CD tooling: Native cloud pipelines—CodePipeline, Azure DevOps, Cloud Build—combined with GitHub Actions eliminate the operational need for in-cluster GitLab and GitLab Runner.

What remains genuinely useful in cloud-native environments is a much smaller subset: Istio or a lighter service mesh for zero-trust intra-cluster networking and mTLS enforcement, Kyverno for policy enforcement and admission control, NeuVector for runtime container security, and cert-manager for certificate lifecycle management. These are components where in-cluster execution provides capabilities the cloud provider does not replicate as a managed service.

The practical implication is significant: a cloud-native program adopting Big Bang primarily for ATO coverage may be paying the full operational overhead of the Big Bang core stack—Istio, NeuVector, Loki, Alloy, Tempo, kube-prometheus-stack, Grafana, Kyverno, Kiali—to get compliance documentation for components they are already running better through cloud-native managed services. The Big Bang ATO artifacts cover the Big Bang stack; they do not cover AWS CloudWatch, Azure Monitor, or GCP Cloud Logging, which the program is also operating. The result is compliance documentation for infrastructure the program didn’t need, alongside cloud-native services that lack equivalent artifacts in the bundle.

For programs that started cloud-native and adopted Big Bang primarily to accelerate ATO, the honest audit question is: which Big Bang components are you actually using, which are you running in parallel with cloud-native equivalents, and which could be replaced entirely by services already inside your authorization boundary?

Who Big Bang Actually Makes Sense For

I don’t think Big Bang should be abandoned entirely. It solves a real problem for a specific user—a large program with dedicated platform engineers, a genuine need for enterprise observability and identity management at scale, and a compliance burden that justifies the operational overhead.

If you’re running a major command’s logistics system with hundreds of developers, multiple microservice domains, and a full-time platform team, Big Bang’s bundling might save you meaningful engineering time. The components you’re paying overhead for—Istio, Kiali, Loki, Tempo, Neuvector, Kyverno, the full monitoring stack—might actually get used, and optional add-ons like Keycloak or Elasticsearch might actually be warranted at that scale.

But that’s not most users. Most programs that adopt Big Bang are small teams that would be better served by:

  • Learning Kubernetes from scratch on a stripped-down cluster
  • Adding components individually as needs emerge and justify the overhead
  • Understanding every piece of infrastructure they’re operating
  • Building compliance into their own stack rather than inheriting it from a bundle they don’t understand

The answer to “how do we get to ATO quickly?” should not be “install Big Bang and check the boxes.” The answer should be “understand what you’re operating well enough to defend it.”

What Engineers Should Do Instead

If you’re an engineer in the DoD space who has only ever operated Big Bang, do yourself a professional favor: spin up a bare cluster somewhere. Not a managed service—an actual cluster. RKE2 on a few Rocky Linux nodes, or K3s in a VM, or a kubeadm cluster on bare metal if you’re ambitious.

Then build it up yourself, piece by piece:

  • Configure a CNI plugin. Understand what happens when a pod starts and how it gets an IP address.
  • Install cert-manager manually. Understand how certificate issuers work, how ACME challenges function, how the controller watches CertificateRequest objects.
  • Configure an ingress controller. Understand what an IngressClass is, how the controller watches Ingress resources, how TLS termination works.
  • Set up Flux. Understand the GitRepository, Kustomization, and HelmRelease reconciliation model—not just that it syncs Git, but how it determines what’s changed and what to do about it.
  • Write your own RBAC policies. Understand ServiceAccounts, ClusterRoles, and RoleBindings at the level where you can debug a 403 without searching Stack Overflow.
  • Configure a secret management solution. Understand SOPS encryption, understand how Kubernetes secrets are stored in etcd, understand why you should care.
  • Add monitoring. Install Prometheus and Grafana from scratch. Understand how ServiceMonitors work. Write a recording rule.

Do all of that before you touch Big Bang. Once you understand what each of those components does and how it interacts with the others, you’ll understand what Big Bang is bundling—and you’ll be much better equipped to operate it, debug it, and make real security assessments about it.

The Bottom Line

Big Bang is a product. It delivers value in contexts where its full scope is warranted and where teams have the expertise to operate it correctly. It is not a substitute for Kubernetes education, and deploying it to teams who haven’t earned their Kubernetes fundamentals is a disservice to those teams and to the programs that depend on them.

The DoD needs Kubernetes engineers. Not Big Bang operators. Not ATO checklist completers. Engineers who understand distributed systems, who can debug networking issues at the packet level, who can read controller-manager logs and understand what they mean, who can make real security decisions based on real understanding of their infrastructure.

That expertise comes from building from scratch, making mistakes, and understanding what’s actually happening. It does not come from deploying a values file and watching Flux reconcile a bundle of pre-built tools you never had to configure.

Learn Kubernetes. Then use Big Bang if you actually need it.


Related reading: Zarf and Air-Gap Kubernetes: What DoD Engineers Actually Need to Know covers how to build composable, disconnected-environment Kubernetes deployments without inheriting a full platform bundle.

Share this post: LinkedIn Reddit WhatsApp Mastodon
Jesse Borden

Jesse Borden

Software Engineer with an interest in hands on learning

I have several years of professional Information Technology (IT) experience leading staff and projects within the Department of War (DOW). I have managed Service Desk, Web Application Development, and System Administration teams. My two greatest passions are learning and conti...