惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

AI
AI
G
Google Developers Blog
T
Tailwind CSS Blog
大猫的无限游戏
大猫的无限游戏
量子位
月光博客
月光博客
美团技术团队
阮一峰的网络日志
阮一峰的网络日志
罗磊的独立博客
T
The Exploit Database - CXSecurity.com
C
CXSECURITY Database RSS Feed - CXSecurity.com
Latest news
Latest news
P
Privacy International News Feed
www.infosecurity-magazine.com
www.infosecurity-magazine.com
WordPress大学
WordPress大学
博客园 - 三生石上(FineUI控件)
TaoSecurity Blog
TaoSecurity Blog
Hacker News: Ask HN
Hacker News: Ask HN
Hugging Face - Blog
Hugging Face - Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
Cisco Blogs
Project Zero
Project Zero
Security Latest
Security Latest
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
人人都是产品经理
人人都是产品经理
Scott Helme
Scott Helme
S
Securelist
有赞技术团队
有赞技术团队
T
Threat Research - Cisco Blogs
N
News | PayPal Newsroom
博客园 - 聂微东
小众软件
小众软件
S
SegmentFault 最新的问题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Privacy & Cybersecurity Law Blog
博客园 - Franky
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Spread Privacy
Spread Privacy
A
Arctic Wolf
S
Security @ Cisco Blogs
The Hacker News
The Hacker News
腾讯CDC
博客园 - 【当耐特】
T
Troy Hunt's Blog
NISL@THU
NISL@THU
爱范儿
爱范儿

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Golden Paths That Include Cost Guardrails: A Platform Engineering Playbook
Muskan · 2026-05-13 · via DEV Community

Every service provisioned from a Backstage template starts with a git repo, a Kubernetes namespace, and a CI pipeline. It starts with zero budget alerts, zero mandatory tags, and a dev environment that runs 24 hours a day. The platform team did not choose this. They just never added cost defaults to the template.

The bill for that choice arrives slowly, then all at once. At 10 services, the missing tags are annoying. At 50 services, the unlabeled spend is unattributable. At 100 services, the finance team is asking questions the platform team cannot answer.

Golden Paths Without Cost Defaults Ship Waste by Design

A golden path template is a forcing function. Every developer who provisions a new service from it inherits exactly what the template defines, nothing more. If the template does not include a budget alert, no service gets one. If the template does not enforce tags, no service ships with them. The template author makes this decision once, and every downstream service lives with it.

This is not a developer problem. Developers filling in a Backstage form to provision a microservice are not thinking about AWS Budgets or tag governance. They are thinking about shipping features. The platform team's job is to make the cost-safe choice the easy choice, which means embedding it in the template before the developer ever opens the form.

The standard golden path today provisions three things: a source repository, a deployment target (Kubernetes namespace or cloud resource), and a CI/CD pipeline. That covers the delivery path.

Standard Golden Path: Missing Cost Defaults

The cost gap is not in the delivery path. It is in the three things the template skips.

Flexera's 2025 State of the Cloud report found that 32% of cloud spend is wasted, with non-production workloads running outside business hours as one of the top three identified categories. Golden path templates that provision dev environments with no shutdown schedule contribute to this directly.

The Cost-Embedded Platform Pattern Changes the Default

The Cost-Embedded Platform Pattern is a single principle: every golden path template provisions cost guardrails alongside the delivery resources. Budget alerts, tags, and environment schedules are not added later by the developer. They are provisioned by the template at instantiation time, using the data the developer already entered in the form.

This works because the template form already contains the necessary data. When a developer fills in a Backstage, Port, or Cortex template, they enter a team name, an environment type, and a cost center. These are the same fields that cloud provider APIs need to create a budget alert and apply a tag policy. The data is already there. The only question is whether the template wires it forward.

Cost-Embedded Platform Pattern

The platform team pays this cost once, when writing the template. Every downstream team that provisions a service gets the guardrails for free. The alternative is every team implementing budget alerts independently, which in practice means 20% of teams implement them and 80% never do.

This pattern applies equally to Backstage scaffolder actions, Port self-service actions, and Cortex automation workflows. The mechanism is the same: the template completion event triggers API calls to cloud cost management tooling alongside the standard infra provisioning.

Budget Limits Wire Directly Into the Scaffolder Action

A Backstage scaffolder action is a TypeScript function that runs when the developer submits the template form. It receives the form values and can call any external API. Adding an AWS Budgets or Azure Cost Management call to a scaffolder action takes the same form values and creates a per-service budget with a threshold alert.

The practical setup: a scaffolder action takes the costCenter and team form fields, calls the AWS Budgets API with a monthly spend threshold, and wires the alert to the team's Slack channel or email. The budget alert is linked to the service tag, so every AWS resource tagged with that service name counts toward the budget.

Provisioning Step Standard Template Cost-Embedded Template
Git repository Created Created
Kubernetes namespace Created Created + ResourceQuota + LimitRange
CI/CD pipeline Wired Wired
AWS/Azure budget alert Not created Created, threshold set, alert wired
Mandatory resource tags Developer responsibility Applied from form fields at creation
Non-prod environment schedule Not set KEDA cron scaler or cloud scheduler added

Port self-service actions use a webhook model: when the action completes, Port fires a webhook to an automation endpoint, which calls the cost management APIs. The implementation differs from Backstage, but the result is identical. Cortex uses a similar automation trigger pattern.

This approach breaks when the developer's cloud account does not have budget creation permissions attached to the service account that the IDP uses for provisioning. The platform team needs to scope the provisioning role to include budgets:CreateBudget (AWS) or Microsoft.Consumption/budgets/write (Azure). If that permission is missing, the scaffolder action fails at the budget step. The fix is a one-line addition to the provisioning IAM role, not a template redesign.

Tag Policies Are Free at Instantiation Time and Expensive Later

Tag remediation is engineering work. An engineer audits existing resources, identifies untagged ones, applies tags, verifies, and repeats monthly as new resources appear. Retrospective tag governance at a 200-developer org consumes 2 to 4 engineer-days per month, indefinitely.

Tag enforcement at template instantiation is zero engineering work, because the data already exists in the form. The developer entered team: payments, cost-center: CC-1042, and environment: staging when they filled out the template. The template passes those values to the cloud provider resource creation API as tags. The resource is tagged at birth, before it ever runs.

Tag Governance at Instantiation Time

The three mandatory tags are team, cost-center, and environment. These map directly to the three dimensions any FinOps team needs for chargeback: who owns it, what budget it draws from, and whether it is production or not. Every service provisioned with these three tags produces attributable cost data from the first day it runs.

This works when the template form makes team, cost-center, and environment required fields. It breaks when the IDP allows those fields to be optional, because developers under deadline pressure skip optional fields. Required fields on the template form are the only enforcement mechanism that does not require downstream remediation.

Tag governance applied at the resource discovery layer covers what happens when you miss this window and need to recover from an existing pool of untagged resources. It is significantly more expensive than getting it right in the template.

Non-Production Schedules Cut the Idle Compute Bill by 65%

A dev environment runs 24 hours a day. Developers use it for 8 to 10 hours on weekdays. The remaining 14 hours on weekdays, plus 48 hours on weekends, the environment sits idle consuming its full provisioned capacity.

A simple schedule that stops the environment at 8pm and starts it at 8am weekdays recovers 65% of the provisioned capacity. For a dev environment that costs $200 per month at full utilization, the scheduled version costs $70 per month. The developer does not notice, because the environment is running every time they are at their desk.

Environments Monthly Cost (24/7) Monthly Cost (8am-8pm weekdays) Annual Saving
10 dev environments $2,000 $700 $15,600
25 dev environments $5,000 $1,750 $39,000
50 dev environments $10,000 $3,500 $78,000

The mechanism for Kubernetes workloads: embed a KEDA CronJob scaler in the golden path template for non-production namespaces. The scaler sets replica count to 0 at 8pm and back to the desired count at 8am. KEDA reads a environment label on the namespace to determine whether the schedule applies, so production namespaces are excluded automatically.

For cloud-native resources (RDS, EC2, Azure VM), the golden path template provisions a cloud scheduler rule at creation time. AWS Instance Scheduler and Azure Automation runbooks both accept start/stop schedules that the template can parameterize from the environment form field.

This breaks in one specific scenario: teams that run automated overnight test suites against their dev environments. If the environment scales to zero at 8pm, the overnight tests fail. The fix is a template parameter: overrideSchedule: false by default, overrideSchedule: true for teams that need 24/7 access. Requiring an explicit override makes the cost-safe schedule the default while preserving the escape hatch for legitimate use cases. Automating dev and staging environment scheduling on AWS covers the infrastructure mechanics for cloud-native resources in detail.

Measuring the Impact: What Cost-Embedded Templates Change

The Cost-Embedded Platform Scorecard tracks four metrics before rollout and 90 days after. These are the numbers that demonstrate value to both engineering leadership and the finance team.

Metric Baseline (Before) 90-Day Target
Percentage of services with mandatory tags 20-40% 100% (enforced at template level)
Percentage of services with active budget alert 5-15% 100% (provisioned by template)
Non-production idle compute hours per week 65-70% of provisioned Under 35% of provisioned
Unattributed cloud spend 35-50% of total Under 10% of total

The tagged services metric reaches 100% immediately for all new services provisioned after the template update. It does not retroactively tag existing services. The platform team should run a parallel enrichment pass on existing services using the same scaffolder logic, but treat that as a separate initiative from the template rollout.

Budget alert coverage follows the same pattern: 100% for new services, a separate remediation task for existing ones. The unattributed spend percentage is a lagging indicator: it drops gradually as new cost-embedded services replace older ones in the spending mix.

Kubernetes admission controllers for cost guardrails provides a complementary enforcement layer: admission controllers block misconfigured pods that bypass the golden path entirely. Golden paths and admission controllers are both necessary, because admission controllers only cover Kubernetes objects, while golden path templates cover the full provisioning surface including cloud provider resources.

The combined effect, measured across organizations that have implemented both layers: cloud spend per service drops by an average of 28% within 90 days, because idle compute is eliminated and overspend is caught by budget alerts before it compounds. Closed-loop cloud remediation describes what becomes possible once the tag and budget layers are clean: automated cost remediation that closes the loop without manual engineering intervention.

The platform team that writes these defaults into its templates is not doing FinOps work. It is doing platform work. FinOps is the output. The input is a template that provisioned things right the first time. That is a much easier problem to solve.