Foundations

Five timeless patterns that underlie everything else in the program: control-loops, mediation, virtualization, privilege-separation, and layering-and-abstraction. The category every other category leans on.

Five patterns that underlie everything. Touched in Y1; deepens through Y3 as the substrate exercises them daily.

Patterns in this category

Pattern                  | First touched                      | DEEP target
control-loops            | Y3 Phase 20 (K8s reconciliation)   | Y3 end (operating Flux + custom operator)
mediation                | Y3 Phase 25 (service mesh)         | Y3 end (Cilium operational)
virtualization           | Y1 Phase 1 (Linux processes)       | Y3 Phase 19 (containers from scratch)
privilege-separation     | Y3 Phase 17 (kernel)               | Y3 end (multi-cloud + mesh + secrets)
layering-and-abstraction | Y1 Phase 1 (Linux)                 | Y3 Phase 18 (networking deep)

Why this category exists

Foundations are the small set of patterns that don’t fit cleanly under any other category but get exercised under every other category. Control loops underlie GitOps, observability alerting, and operator reconciliation. Mediation underlies service mesh, API gateways, and the platform contract. Virtualization underlies containers, VMs, and namespace-as-a-service. Privilege separation underlies the kernel, mesh mTLS, and zero-trust. Layering-and-abstraction is the meta-pattern that lets every other layer in the stack stay debuggable.

These five patterns are touched early and return often. Each phase from Y1 to Y5 re-exercises at least one foundations pattern in a new layer. By Year 3 you’re running control loops through Flux; by Year 5 you’re running them through the aiops operator. The pattern is the same. The context is different. That’s the whole point of naming the pattern once and reusing the name.

By graduation, all five should be DEEP. Not because you read about them, but because you’ve operated systems that depend on each. The Foundations category is the litmus test for pattern-fluency: if you can articulate the four trade-offs of control loops from your operational experience, you’re a platform engineer. If you can only recite a Kubernetes tutorial, you’re not there yet.

How to read this category

Two patterns are entry points, two are load-bearing and go late-DEEP, and one cuts across all of them.

Entry points (Y1): virtualization and layering-and-abstraction. You touch these on day one of Phase 1 (Linux processes and namespaces are virtualization; the shell → filesystem → kernel stack is layering). Read the STUB entries when Phase 1 references them. Promote to OUTLINE by end of Phase 1.

Load-bearing (Y3): control-loops and mediation. These are the patterns that basecamp’s whole architecture depends on. You’ll see control-loops in Kubernetes, ArgoCD, Flux, Crossplane, and the custom operators you write. You’ll see mediation in Cilium mesh, ingress controllers, and the platform contract. Both go DEEP by end of Year 3 through operational hours on basecamp.

Cross-cutting (Y3): privilege-separation shows up everywhere identity and permission live: kernel capabilities, mesh mTLS, cloud IAM, Kubernetes RBAC, Kyverno policies. It’s less a single pattern than a discipline that runs through the other four.

How the patterns connect

The five patterns compose in predictable ways.

  • layering-and-abstraction is the meta-pattern. Every other pattern in this category (and most patterns in other categories) is an instance of layering applied to a specific problem.
  • virtualization creates the layers layering-and-abstraction describes. Namespaces, cgroups, VMs, containers, K8s pods are all virtualization applied at different depths of the stack.
  • control-loops and mediation are the two ways layers talk. Control loops drive reconciliation between declared and actual state. Mediation intercepts traffic between layers to enforce cross-cutting concerns.
  • privilege-separation is the safety discipline that runs across all four. Every layer, every reconciliation, every mediated flow has a privilege model. Get it wrong and the layer becomes unsafe.

Where these show up in /root

Chronologically, from Phase 1 to Phase 50:

  • Y1 Phase 1: virtualization (Linux processes as virtualized execution) and layering-and-abstraction (shell, filesystem, kernel as layers).
  • Y3 Phase 17: privilege-separation first fires as kernel capabilities and syscall boundaries.
  • Y3 Phase 18: layering-and-abstraction deepens through the OSI model and TCP/IP stack.
  • Y3 Phase 19: virtualization deepens as you build containers from scratch with unshare and cgroups.
  • Y3 Phase 20: control-loops first fires (Kubernetes reconciliation). All subsequent phases operate through this pattern.
  • Y3 Phase 25: mediation first fires through service mesh. Cilium becomes the operational proof.
  • Y3 Phase 27: privilege-separation deepens through secrets lifecycle + Kyverno policies.
  • Y5 Phase 46: mediation reappears as llm-gateway (the LLM traffic mediator).
  • Y5 Phase 50: control-loops reappears in aiops (agents reconciling incident state).

By the time you write the Pattern Paper at graduation, every one of the five foundations has been operated in at least two contexts.

Anti-patterns

Anti-pattern | Why
Promoting control-loops to DEEP after only using Kubernetes | DEEP requires operating at least two implementations. If you only know K8s reconciliation, you know Kubernetes; you don’t know the pattern. Wait until you’ve written a Crossplane XRD or a custom operator.
Skipping the STUB stage for virtualization because “it’s obvious” | The obviousness is the trap. Every senior engineer discovers late that they conflated virtualization-as-isolation with virtualization-as-abstraction. The STUB entry forces you to write the distinction down.
Treating mediation and layering-and-abstraction as the same pattern | They’re related but distinct. Mediation intercepts a flow; layering creates the abstractions the flow crosses. A layer boundary is not automatically a mediation point.
Deferring privilege-separation promotion to Y5 | This pattern lives in every year. Force yourself to promote it to OUTLINE by end of Y3 even though the DEEP evidence keeps accumulating. Deferring the OUTLINE work means the entry stays wrong for longer than it needs to.

Cross-references