Case Studies

A global financial services organisation running mission-critical Kubernetes workloads needed to eliminate developer bottlenecks, enforce security at scale, and give teams a consistent path to production without slowing anyone down.

Challenge: A Fast-Growing Platform Becoming a Bottleneck

As Kubernetes adoption expanded across the organisation’s engineering teams, the platform became a source of friction rather than velocity. Every new team or application required manual intervention from the platform team, and there was no consistent standard for how deployments were built or secured.

Key challenges included:

• Ticket-driven onboarding – developers could not self-serve Kubernetes access, creating a persistent queue of requests that blocked team velocity.
• Inconsistent CI/CD pipelines – each team built deployments differently, with no shared standards for build, scan, or packaging workflows.
• Manual DNS and TLS provisioning – certificate and subdomain setup was error-prone and slow, delaying every new service launch.
• No governance enforcement – resource limits, image trust, and security policies varied widely and were impossible to audit reliably.
• CI/CD scaling failures – burst activity during peak development periods caused pipeline degradation, blocking releases across teams.

Action: A Golden Path from Code to Production

Obsium designed and delivered a production-grade Internal Developer Platform (IDP) built on six integrated components. Developers provide minimal configuration – image, name, and environment config and the platform handles everything else.

Ephemeral CI/CD at scale. GitHub Actions was standardised across all teams, with OIDC-based AWS authentication and ephemeral self-hosted runners on EKS via Karpenter. Every build runs in a clean, isolated environment with no idle infrastructure costs – enabling hundreds of concurrent jobs without degradation.

GitOps deployment with full auditability. Argo CD manages all deployments using Git as the single source of truth, with separate staging and production environments. Teams promote releases via pull requests, with drift detection and auto-healing running continuously. Every change is traceable and reversible.

Security enforced automatically, not manually. Image scanning is integrated into the CI pipeline. Cosign signs every image for integrity and provenance. Kyverno policies enforce resource limits, non-root containers, and trusted image registries across all workloads  with no additional steps required from developers.

DNS and TLS in under two minutes. ExternalDNS provisions subdomains automatically on service deployment. cert-manager issues TLS certificates via Let’s Encrypt with zero manual intervention. New services are live on fully functional HTTPS endpoints in under two minutes from merge.

Standardised Helm templates. Environment-specific overlays mean all teams deploy from the same baseline configuration. Onboarding a new application requires no platform team involvement – just a template and a push.

Results: Self-Service Kubernetes, Secured by Default

• Zero performance degradation across 300+ concurrent CI/CD runs during peak development periods
• DNS and TLS provisioned end-to-end in under two minutes, with no manual steps
• Significant reduction in Kubernetes onboarding support tickets
• Every production image signed and verifiable via Cosign – full supply chain integrity
• Security policies enforced automatically across all workloads via Kyverno, with no developer overhead
• Full deployment auditability via GitOps – every change traceable, every release reversible

What This Makes Possible

With the platform in place, the organisation can onboard new applications and teams without any platform team involvement. Governance is enforced automatically at the infrastructure level rather than through process overhead. Developers ship faster – and the platform team can focus on building capabilities, not handling tickets.

The platform also creates a foundation for progressive improvement: container-level security policies can be tightened over time, supply chain controls extended further, and developer tooling layered on top – all without disrupting existing workloads.