Production Mode as Default

3 min read

There is no production mode in Orkestra because there is no other mode.

This is not a design choice made for safety. It is the nature of what was built. The runtime that starts after ork run on your laptop is the same runtime that starts in your cluster after helm upgrade --install. The reconciler is identical. The validation pipeline is identical. The admission rules are identical. The only thing that differs between a local run and a production deployment is configuration — the Katalog you give it, the environment variables set, the cluster it connects to.

ork run --dev provisions a kind cluster — real Kubernetes API server, real etcd, real admission webhooks. The --dev flag handles the infrastructure you do not already have. It does not relax how Orkestra behaves inside it.

There is no “pre-production”

The assumption is that you harden before you ship. Orkestra rejects that entirely.

A bug caught by ork simulate locally is a bug that would have appeared in production — because the same reconciler runs both. A pattern that passes ork e2e against a local kind cluster behaves the same way in a production EKS cluster — because the same operator binary runs both. A PR that includes a failing ork simulate contains a broken operator. Not “broken in a way we’ll fix before production.” Broken.

Production is not a future state. It is the standard the whole system is built to, from the first ork run.

Every decision is a production decision

This conviction runs through every part of how Orkestra is designed.

The production binary excludes developer commands at compile time — not because production has stricter flags, but because those commands were never built into it. Secure by Design follows from this: if every run is a production run, every binary is a production binary.

Configuration locks in at startup and requires a deliberate restart to change. Configuration is Deliberate follows from the same premise: if every run is a production run, every configuration change is a production change.

The RBAC bundle generated by ork generate bundle is the same bundle in every environment. The validation rules enforced at admission time in staging are the same rules in production. ork validate --full shows you exactly what permissions will be requested before any cluster interaction — not because you might go to production soon, but because that review belongs before deployment, every time.

What this means

A pattern that passes ork simulate and ork e2e is ready for production. Not “ready to be hardened.” Ready.

An artifact in the registry with e2e: passed is an artifact any team can pull, inspect, and deploy — because production was the standard the author worked to when they shipped it.

There is no production mode. There is only Orkestra.