Introduction
Kubernetes has become the de facto standard for container orchestration. However, running it in production requires careful planning and operational maturity.
Cluster Architecture
Control Plane High Availability
- Run 3+ control plane nodes across availability zones
- Use managed Kubernetes (EKS, AKS, GKE) when possible
- Separate etcd to dedicated nodes for large clusters
Node Pools
Node Pools:
โโโ system-pool (m5.large)
โ โโโ Core system components
โโโ general-pool (m5.xlarge)
โ โโโ Standard workloads
โโโ memory-pool (r5.2xlarge)
โ โโโ Memory-intensive apps
โโโ gpu-pool (p3.2xlarge)
โโโ ML workloadsResource Management
Requests and Limits
Always set both requests and limits:
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "512Mi"
cpu: "500m"Pod Disruption Budgets
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: api-pdb
spec:
minAvailable: 2
selector:
matchLabels:
app: apiPriority Classes
Ensure critical workloads survive resource pressure:
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: high-priority
value: 1000000
globalDefault: falseNetworking
Network Policies
Implement zero-trust networking:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-policy
spec:
podSelector:
matchLabels:
app: api
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- port: 8080Observability
The Three Pillars
- Metrics: Prometheus + Grafana
- Logs: Fluent Bit โ Elasticsearch/Loki
- Traces: OpenTelemetry โ Jaeger/Tempo
Essential Dashboards
- Cluster resource utilization
- Node health and capacity
- Pod restart rates
- API server latency
- etcd performance
Security
Pod Security Standards
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: restrictedImage Security
- Scan images for vulnerabilities (Trivy, Clair)
- Sign images (Cosign, Notary)
- Use admission controllers to enforce policies
Disaster Recovery
- Regular etcd backups
- GitOps for configuration recovery
- Multi-region deployment strategy
- Tested recovery procedures
Lessons Learned
- Start with managed Kubernetes
- Invest in observability from day one
- Automate everything with GitOps
- Practice failure scenarios regularly
- Keep clusters reasonably sized
Conclusion
Production Kubernetes requires significant operational investment. Build your platform team's expertise gradually and automate relentlessly.