kubernetes-best-practices

Provides production-ready Kubernetes manifest guidance including resource management, security, high availability, and configuration best practices. This skill should be used when working with Kubernetes YAML files, deployments, pods, services, or when users mention k8s, container orchestration, or cloud-native applications.

Marketplace

fastagent-marketplace

armanzeroeight/fastagent-plugins

Plugin

kubernetes-toolkit

Container Orchestration

plugins/kubernetes-toolkit/skills/kubernetes-best-practices/SKILL.md

Last Verified

January 21, 2026

npx add-skill https://github.com/armanzeroeight/fastagent-plugins/blob/main/plugins/kubernetes-toolkit/skills/kubernetes-best-practices/SKILL.md -a claude-code --skill kubernetes-best-practices

Installation paths:

Claude
.claude/skills/kubernetes-best-practices/

Instructions

# Kubernetes Best Practices

This skill provides guidance for writing production-ready Kubernetes manifests and managing cloud-native applications.

## Resource Management

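**Memory**: Set requests and limits to the same value so the container's memory is fully reserved at scheduling time. This keeps its QoS treatment predictable and prevents OOM kills caused by a container growing past its request while the node is under memory pressure.

**CPU**: Set requests only and omit limits, which allows performance bursting and avoids throttling. With the CPU limit omitted, the Pod's QoS class is Burstable rather than Guaranteed.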

```yaml
resources:
  requests:
    memory: "256Mi"
    cpu: "250m"
  limits:
    memory: "256Mi"
    # No CPU limit
```

## Image Versioning

Always pin specific versions; never use the `:latest` tag unless explicitly requested:

```yaml
# Good
image: nginx:1.25.3

# Bad
image: nginx:latest
```

Tags are mutable and can be repointed at a different image. For immutability, consider pinning to a specific digest (`image@sha256:<digest>`).

## Configuration Management

- **Secrets**: Sensitive data (passwords, tokens, certificates)
- **ConfigMaps**: Non-sensitive configuration (feature flags, URLs, settings)

```yaml
env:
  - name: DATABASE_URL
    valueFrom:
      secretKeyRef:
        name: app-secrets
        key: database-url
  - name: LOG_LEVEL
    valueFrom:
      configMapKeyRef:
        name: app-config
        key: log-level
```

**Best practices:**
- Never hardcode secrets in manifests
- Use external secret management (Sealed Secrets, External Secrets Operator)
- Rotate secrets regularly
- Limit access with RBAC

## Workload Selection

Choose the appropriate workload type:

- **Deployment**: Stateless applications (web servers, APIs, microservices)
- **StatefulSet**: Stateful applications (databases, message queues)
- **DaemonSet**: Node-level services (log collectors, monitoring agents)
- **Job/CronJob**: Batch processing and scheduled tasks

## Security Context

Always implement security best practices:

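```yaml
# Pod level (spec.securityContext): fsGroup is only valid here
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
containers:
  - name: app  # placeholder container name
    # Container level: these three fields are only valid here
    securityContext:
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
```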

**Security checklist:**
- Run as non-root user
- Drop all capabilities by default
- Use read-only root file
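
The image pinning, resource, and security context rules above can be checked mechanically before a manifest is applied. The following audit function is an added example, not part of the original skill; it assumes the Pod spec has already been parsed into a dict, and the sample spec and function names are constructed for illustration.

```python
# Constructed sample Pod spec (as parsed from a manifest); not from the original page.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000},
    "containers": [
        {"name": "web", "image": "nginx:1.25.3",
         "resources": {"requests": {"memory": "256Mi", "cpu": "250m"},
                       "limits": {"memory": "256Mi"}},
         "securityContext": {"capabilities": {"drop": ["ALL"]},
                             "readOnlyRootFilesystem": True,
                             "allowPrivilegeEscalation": False}},
        {"name": "sidecar", "image": "registry.example:5000/tools/agent",
         "resources": {"requests": {"memory": "64Mi"}, "limits": {"memory": "128Mi"}}},
    ],
}

def image_pinned(image):
    """True if the image has a digest or an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop the registry part so host:port is not read as a tag
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag not in ("", "latest")

def audit_pod_spec(spec):
    """Return a sorted list of (container name, finding) for the rules above."""
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        res = c.get("resources", {})
        mem_req = res.get("requests", {}).get("memory")
        mem_lim = res.get("limits", {}).get("memory")
        checks = {  # finding text -> True when the container passes
            "image not pinned": image_pinned(c.get("image", "")),
            # runAsNonRoot set on the Pod is inherited unless the container overrides it
            "may run as root": sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is True,
            "capabilities not dropped": "ALL" in sc.get("capabilities", {}).get("drop", []),
            "root filesystem writable": sc.get("readOnlyRootFilesystem") is True,
            "privilege escalation allowed": sc.get("allowPrivilegeEscalation") is False,
            # Simplification: quantities are compared as strings ("256Mi" vs "256Mi")
            "memory request != limit": mem_req is not None and mem_req == mem_lim,
            "cpu limit set": "cpu" not in res.get("limits", {}),
        }
        findings += [(c["name"], msg) for msg, ok in checks.items() if not ok]
    return sorted(findings)
```

An unset `allowPrivilegeEscalation` or `readOnlyRootFilesystem` is reported as a finding because the checks require the hardened value to be stated explicitly.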
