#Kubernetes

136 posts

Certified Kubernetes Application Developer (CKAD) #6 Workloads 2: DaemonSet, StatefulSet
9 min read

The sixth post in the Certified Kubernetes Application Developer (CKAD) series. It covers the workload controllers beyond Deployment — DaemonSet and StatefulSet — from a hands-on perspective. We will build the DaemonSet that places one Pod on every node, and the StatefulSet that needs a stable network ID and ordering guarantees, in YAML all the way down to the headless Service and volumeClaimTemplates.

Certified Kubernetes Security Specialist (CKS) #4: RBAC least privilege in depth (Cluster Hardening)
10 min read

The fourth post in the Certified Kubernetes Security Specialist (CKS) series. On top of the RBAC you learned in CKA, we layer the principle of least privilege and go deep, from a security angle, on how to find and narrow Roles that are too broad. We cover the danger of wildcard verb/resource, removing default ServiceAccount permissions, cutting ClusterRoleBinding overuse down with RoleBinding, the gotchas of aggregated ClusterRole, identifying dangerous permissions like secrets get, pods/exec, escalate, bind, and impersonate, and the flow of verifying narrowed permissions with kubectl auth can-i --as.

CI/CD Pipeline
13 min read

The myshop-api built through Chapter 23 still relies heavily on humans when a new version comes in. This chapter automates that process. With OIDC trust, GitHub Actions pushes a container image to AWS ECR without static keys, auto-commits the Helm values in the manifest repo, and ArgoCD, covered in Chapter 20, detects that change and syncs it to the cluster. We also cover PR approval gates, the dev / prod split, Argo Rollouts canary deployment, and image tag immutability.

CNI in Depth
16 min read

How the same NetworkPolicy manifest resolves into iptables rules on Calico and into eBPF programs on Cilium — the depth of the data plane. We cover the four conditions of the Kubernetes network model, what the CNI interface actually is, the three data plane models (iptables · IPVS · eBPF), a comparison of Calico and Cilium, and the practical criteria for choosing a CNI.

Cost Optimization
16 min read

The second chapter of Part 5. It covers the cost items pointed out through five sources in Chapter 26. It ties together the two axes of compute (nodes) and add-ons (LB · storage · network · control plane), the cost meaning of requests, the right-sizing of VPA · Goldilocks · KRR, the decision tree of Spot · Karpenter · Cluster Autoscaler, bin packing and descheduler, the visualization of OpenCost · Kubecost, chargeback / showback by namespace label, and PV · network cost — and it closes with a checklist for reviewing next month's bill.

DB Integration — RDS · External Secrets
15 min read

The myshop-api we exposed externally in Chapter 22 is an empty shell with no data store. This chapter fills that space. We stand up RDS PostgreSQL with Terraform, keep the master password in AWS Secrets Manager, auto-sync that secret into a Kubernetes Secret with the External Secrets Operator, grant permissions without static credentials via IRSA, add a connection pool with PgBouncer, and automate schema migrations with a Helm hook-based Job pattern.

Deploying a Fullstack App on EKS
21 min read

The Part 6 capstone, and the book's final chapter. It deploys the React Next.js (App Router + RSC + Server Actions) app and the Modern Python FastAPI (SQLAlchemy 2.x + Pydantic v2) app together on one EKS cluster under the same TODO domain. Across 13 PRs, it walks through cluster setup with Terraform + Karpenter + IRSA + ALB Controller + ExternalDNS + cert-manager, DB integration with RDS + External Secrets + RDS IAM auth, per-environment deployment with Helm + ArgoCD ApplicationSet, observability with Prometheus + Grafana + Loki + OpenTelemetry, autoscaling with HPA + Karpenter, k6 load testing + OpenCost cost estimation, and the operations cycles of Chapters 26 and 30. This capstone shows how the tools from Chapters 1 to 30 fit together inside one system.

EKS Cluster Setup
15 min read

We cover the flow of standing up a real production cluster on AWS EKS from scratch. With Terraform we declare the VPC · EKS control plane · node group · IRSA · essential add-ons (VPC CNI · CoreDNS · kube-proxy · EBS CSI) in one codebase, and we wrap up eksctl's quick-setup option, Karpenter's node autoscaling, and the first checks · cost model into a single chapter.

From docker-compose to Kubernetes
18 min read

Appendix A. It collects the seven differences that trip up readers who have reached Docker / docker-compose and are moving to Kubernetes. It maps each `docker-compose.yml` key to the corresponding Kubernetes resource, walks through one migration cycle from a small web + db compose file to Kubernetes manifests, and explains the limits of kompose and what comes next. It is the book's last chapter, but for readers who started from Docker, it also becomes a starting point.

GitOps
14 min read

We cover the operational model where the source of truth for manifests sits in git and a controller inside the cluster watches git to sync automatically. We wrap up Part 3, organizing the difference between the push model and the pull model, the four principles of GitOps, ArgoCD's Application CRD · App of Apps · Sync Wave, Flux's GitRepository · Kustomization · HelmRelease, directory-structure patterns, and the three standard tools for putting secrets in git.

kubectl Debugging Patterns
15 min read

The first chapter of Part 5 (Operations · Debugging · Cost). It collects the diagnostic trees for the incidents you meet most often on a production cluster (CrashLoopBackOff, OOMKilled, ImagePullBackOff, Pending, a Service that cannot be reached). Starting from the three commands describe · events · logs, it ties together kubectl debug's ephemeral container, network diagnostic patterns, and the Chapter 19 observability stack into a manual that becomes a junior SRE's first reference.

Monitoring · Alerts
15 min read

The myshop-api built through Chapter 24 is automated from code to deployment, but if you cannot see its behavior, operations stall. This chapter layers on the EKS cluster's observability stack. We install Prometheus · Grafana · Alertmanager at once with kube-prometheus-stack, standardize myshop-api metrics and the four-golden-signals alerts with ServiceMonitor / PrometheusRule, capture logs with Loki, keep AWS-coupled metrics and long-term retention with CloudWatch Container Insights, and organize the on-call flow of Slack / PagerDuty with severity · team routing.