Kubernetes Stack
=======
###### tags: `k8s`

# 6 Key Patterns for a Production Grade K8s
## 1. Infrastructure as Code (IaC)
Infrastructure as Code discourages or prevents manual deployments, making your infrastructure more consistent, reliable, and repeatable. As a result, teams implementing IaC deliver more stable environments rapidly and at scale. IaC tools like ***#Terraform*** or ***#Pulumi*** work well here.
## 2. Monitoring & Centralized logging
Without proper monitoring, an expired certificate or a memory-overcommitted node can cause an outage. You can easily prevent these failures with appropriate monitoring in place. ***#Prometheus*** and ***#Grafana*** are the most widely used monitoring solutions for Kubernetes.
## 3. Centralized Ingress Controller with SSL certificate management
When an Ingress Controller is linked to a public cloud LoadBalancer, all traffic is automatically load-balanced among Nodes and sent to the correct pods' IP addresses. It can also take care of HTTPS and SSL: all incoming traffic is served over HTTPS using the managed certificates and forwarded to the correct Kubernetes pods.
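As an added example (not part of the original note), here is what the centralized ingress with automatic certificate management looks like when the controller is ingress-nginx and cert-manager issues the certificates. The ClusterIssuer name `letsencrypt-prod`, the namespace `team-payments`, the backend service `payments-api:8080`, the hostname `payments.example.com` and the contact address are all placeholders.

```yaml
# Added example: TLS termination at a centralized ingress controller, with
# cert-manager requesting and renewing the certificate. All names are placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform-team@example.com        # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key    # ACME account key, created and owned by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx                    # HTTP-01 challenge is served through the same controller
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: payments-api
  namespace: team-payments
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod      # request a certificate for every host in spec.tls
    nginx.ingress.kubernetes.io/ssl-redirect: "true"      # never serve the app over plaintext HTTP
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - payments.example.com
      secretName: payments-api-tls          # cert-manager writes the issued cert and key here
  rules:
    - host: payments.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: payments-api
                port:
                  number: 8080
```

The issued key pair lives only in the `payments-api-tls` Secret in the application namespace, and only the ingress controller reads it; the application pods never handle the certificate. Issuance and renewal state can be checked with `kubectl get certificate -n team-payments`, which should show the certificate as `Ready`.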
## 4. Role-Based Access Control (RBAC)
When we integrate Kubernetes with an IAM solution like ***#Keycloak***, ***#AzureAD***, or ***#AWSCognito***, we can centrally manage authentication and authorization using OAuth2 / OIDC for both platform tools and applications. Roles and groups can then be defined to give users access to the resources they need based on their team or role.
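As an added example (not from the original note), this is how an OIDC group from the identity provider is mapped to a least-privilege role. It assumes the API server runs with `--oidc-groups-claim=groups` and `--oidc-groups-prefix=oidc:`, so that the IdP group `payments-developers` arrives in the token as `oidc:payments-developers`; the namespace and group names are placeholders.

```yaml
# Added example: binding an OIDC group to a namespaced, least-privilege role.
# Assumes --oidc-groups-claim=groups and --oidc-groups-prefix=oidc: on the API server.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer
rules:
  # Day-to-day workload management inside the team's namespace.
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Deliberately absent: "secrets" (the lockout pattern 6 describes) and
  # "pods/exec" (a shell in a pod can read any secret mounted into it, so
  # granting exec is equivalent to granting secret access). RBAC is
  # deny-by-default, so simply omitting the resource is enough.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-developers
  namespace: team-payments          # a RoleBinding scopes the ClusterRole to this namespace only
subjects:
  - kind: Group
    name: oidc:payments-developers  # group claim from the IdP token, with the configured prefix
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: developer
  apiGroup: rbac.authorization.k8s.io
```

A cluster administrator can verify the effective permissions without logging in as a developer, using impersonation: `kubectl auth can-i get secrets -n team-payments --as=dev@example.com --as-group=oidc:payments-developers` should answer `no`, while the same check for `deployments` should answer `yes`. Using a ClusterRole with a namespaced RoleBinding keeps one role definition that every team namespace can reuse.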
## 5. GitOps Deployments
Manually deploying to Kubernetes using the `kubectl apply` command is not a best practice. Instead, we need a deployment platform that rolls changes out to Kubernetes from Git. ***#ArgoCD*** and ***#Flux*** are the leading GitOps platforms for Kubernetes deployments.
## 6. Secret Management
The best way to sync secrets is using a central vault, like ***#Azure*** Key Vault, ***#HashiCorp*** Vault, or ***#AWS*** Secrets Manager, with a central secrets operator like External Secrets Operator. This way, only secret references are stored in Git, each pointing to an entry in the external vault. It is also an option to lock all developers out of secrets in Kubernetes using ***#RBAC***.
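As an added example (not from the original note), these two manifests are what gets committed to Git when External Secrets Operator syncs a database password from HashiCorp Vault: a store that says how to reach Vault and a reference that says which entry to pull. The API version `external-secrets.io/v1beta1`, the Vault address, the KV path, the Vault role and the service account name are assumptions and placeholders.

```yaml
# Added example: a secret reference in Git, resolved at runtime by External
# Secrets Operator against HashiCorp Vault. Vault address, path, role and key
# names are placeholders.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault
  namespace: team-payments
spec:
  provider:
    vault:
      server: https://vault.example.internal:8200   # placeholder Vault address
      path: kv                                       # KV v2 secrets engine mount
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes
          role: team-payments-reader                 # Vault role bound to the service account below
          serviceAccountRef:
            name: external-secrets-payments          # no static Vault token is stored in the cluster
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: team-payments
spec:
  refreshInterval: 1h               # re-read Vault periodically so rotations propagate without a redeploy
  secretStoreRef:
    name: vault
    kind: SecretStore
  target:
    name: payments-db               # the Kubernetes Secret the operator creates and owns
    creationPolicy: Owner
  data:
    - secretKey: DB_PASSWORD        # key in the resulting Secret
      remoteRef:
        key: payments/db            # entry under the kv mount in Vault
        property: password          # field of that entry
```

Nothing in these files is sensitive, so they can live in the same repository the GitOps tool deploys from; the actual value only ever exists in Vault and in the operator-managed Secret. `kubectl get externalsecret -n team-payments` shows a `SecretSynced` status once the value has been pulled. Combined with a developer role that omits `secrets`, this gives the lockout described above: developers commit references, workloads consume the synced Secret, and nobody reads the value through the Kubernetes API.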