Concepts

Self-service ops

Self-service ops is the practice of letting the developer who owns a service perform the operational actions it needs (restart it, roll it back, read its logs) without filing a ticket and without being handed production access. It exists because both of the obvious alternatives are bad. A ticket queue turns a thirty-second restart into a day of waiting and costs two people their concentration; a broad grant of cluster access turns every developer into a permanent risk with a cluster-sized blast radius. Self-service ops is the attempt to remove the queue without granting the access, and an implementation that only manages one of those two has not done it.

The ticket is more expensive than it looks

The obvious cost of a ticket is the waiting. The real cost is the interruption, and it lands twice: once on the developer who has to stop and hand their context off, and once on whoever picks the ticket up and has to load it. Interruptions during engineering work are well studied. Breaking the Flow (Ma, Huang and Leach, ICSE 2024) measured what they do to time-on-task and to stress across code writing, comprehension, and review. The finding that matters here is the unremarkable one: interruptions are not free, and what they cost is out of all proportion to how long they last.

A restart that takes thirty seconds to perform and half a day to get performed has not cost you half a day. It has cost you two people's afternoons.

The broad grant is more expensive than it looks

The other way to kill the queue is to give everybody kubectl. This is fast, and it is why so many teams end up there. It also means every developer permanently holds enough access to take the cluster down, which is a blast radius problem, and holds it as a credential on a laptop between the two times a year they use it, which is a standing access problem. Nobody chose that risk; they chose to stop filing tickets, and this came attached.

The two ways implementations fail

  • Fast but unbounded. The team removes the queue by handing out access. Restarts happen in seconds, and so does everything else.
  • Bounded but slow. The team keeps the boundary and rebuilds the queue inside it. The internal portal has a beautiful button, and the button opens an approval that an SRE has to click. The developer is still waiting on a human; the ticket has simply been given a nicer interface.

What separates real self-service from a repainted ticket queue is when the decision gets made. In a real self-service action, the question of who may do what was answered once, in advance, in configuration. At the moment of use there is nothing to approve, because it was already approved by a rule rather than by an exception. The approval moves from runtime to configuration.

What a self-service action has to be

  • Narrow. One operation with a defined effect. A shell is not a self-service action; it is every action.
  • Correct by construction. It does the operation the right way, so the person casting it does not need to know the right way. A rolling restart, not a deleted pod.
  • Scoped to ownership. You can act on what you own, and the system knows what you own.
  • Auditable. Who, what, to what, and when, written down without anyone having to remember to write it down.
  • Safe when it fails. It refuses clearly, says why, and says who to ask. A refusal that explains itself is worth more than a success, because it is the thing that lets the boundary hold without anyone routing around it.

How Spellbook relates to this

That list is more or less the definition of a spell. /revivify performs a correct rolling restart of a workload you own; cast it against something you do not own and it refuses, tells you why, and tells you who does own it. No kubectl, no shell, no ticket, and an audit line naming the human who asked. Spellbook runs self-hosted in your own cluster, so the actions and the data stay in your environment.

The honest limit: self-service only ever covers the actions somebody has packaged. There is always a long tail of genuinely novel operational work that needs a human with real access and real judgement, and no amount of packaging removes it. The goal is to make that tail small enough that holding standing production access is the exception rather than the default, not to pretend it is empty.

The demo on the homepage is a live version of the argument: you get two spells, no credentials, and a broken checkout service. Spellbook is not open yet.

Common questions

How do I restart a Kubernetes deployment without kubectl access?
Someone has to package the restart as an operation that runs on your behalf. The operation performs the rolling restart under its own scoped identity inside the cluster, checks that you are allowed to act on that service, and records who asked. You never hold a kubeconfig; you ask for one specific action, and the action is what carries the permission. Without something like that in place, the honest answer is that you cannot, and the alternative is usually a ticket.
Is an internal developer platform the same as self-service ops?
Only if the actions in it are genuinely pre-approved. Many internal platforms present a button that opens an approval request, which keeps the safety boundary but rebuilds the ticket queue behind a nicer interface. The test is simple: at the moment a developer uses the action, is anybody waiting on another human? If yes, it is a ticket with better styling.
Which operations should be self-service?
The recurring ones with a known-correct procedure and a bounded effect: restarts, rollbacks, scaling within limits, pulling logs and diagnostics, rotating a specific credential. These are the actions where the right way to do them is a fact rather than a judgement call, so they are safe to package and pointless to route through a human.

Sources

Last reviewed .

None of this needs a credential on your laptop.

Spellbook packages the dangerous operations so the people who run them hold nothing. It is not open yet.