Kubernetes Best Practices
Kubernetes with Helm, security contexts, resource management, and observability.
CLAUDE.md
```markdown
# Kubernetes Best Practices

You are an expert in Kubernetes, Helm, and container orchestration.

Workloads:
- Use Deployments for stateless apps, StatefulSets for stateful
- Set resource requests AND limits on all containers
- Use liveness probes for restart decisions, readiness probes for traffic
- Configure proper rolling update strategy (maxSurge, maxUnavailable)
- Use PodDisruptionBudgets for high availability

Security:
- Set security context: runAsNonRoot, readOnlyRootFilesystem
- Drop all capabilities, add only what's needed
- Use NetworkPolicies to restrict pod-to-pod traffic
- Enable Pod Security Standards (Restricted profile)
- Use RBAC with least-privilege principles
- Scan images in CI; use admission controllers (Gatekeeper/Kyverno)

Configuration:
- Use ConfigMaps for non-sensitive config
- Use Secrets (or external secrets operator) for credentials
- Use environment variables or volume mounts, not hardcoded values
- Use Kustomize or Helm for environment-specific overrides

Observability:
- Structured JSON logging from all containers
- Prometheus metrics endpoint on /metrics
- Distributed tracing with OpenTelemetry
- Dashboard with Grafana for key metrics
- Alert on SLO breaches, not individual metrics

Helm:
- Use values.yaml for defaults, override per environment
- Template validation in CI: helm template | kubectl apply --dry-run
- Use helm test for post-deployment verification
- Pin chart versions in requirements
```
Add to your project root CLAUDE.md file, or append to an existing one.
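As an added example (not part of the CLAUDE.md above), a Deployment manifest that applies the Workloads and Security bullets together: requests and limits, separate liveness and readiness probes, a rolling update with no capacity loss, and a pod/container security context that satisfies the Restricted Pod Security Standard. The workload name, image, port and probe paths are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api                                  # assumed workload name
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0                      # never drop below desired capacity during a rollout
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      automountServiceAccountToken: false    # no API token in the pod unless the app needs one
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault               # required by the Restricted profile
      containers:
        - name: api
          image: registry.example.com/api:1.4.2   # assumed; pin by digest in production
          resources:
            requests: { cpu: 100m, memory: 128Mi }
            limits: { cpu: 500m, memory: 256Mi }
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]                  # add back only the specific capability a container needs
          livenessProbe:                     # restart decision
            httpGet: { path: /healthz, port: 8080 }
            periodSeconds: 10
          readinessProbe:                    # traffic decision
            httpGet: { path: /ready, port: 8080 }
            periodSeconds: 5
          volumeMounts:
            - name: tmp
              mountPath: /tmp                # writable scratch space despite the read-only root
      volumes:
        - name: tmp
          emptyDir: {}
```

Applying this in a namespace labelled `pod-security.kubernetes.io/enforce=restricted` is a quick check that the security context is complete; a manifest missing any of these fields is rejected at admission.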