Kubernetes Production-Grade Configuration Guide (Pod)
This guide outlines all key components necessary for production-ready Kubernetes deployments. It includes explanations, benefits, and sample configurations.
1. livenessProbe
Purpose: Ensures the kubelet restarts containers that become unresponsive.
Effect: Helps recover from application deadlocks or hangs.
Example:
livenessProbe:
  httpGet:
    path: /healthz
    port: 3000
  initialDelaySeconds: 10
  periodSeconds: 15
2. readinessProbe
Purpose: Prevents traffic from being sent to pods that aren't ready.
Effect: Ensures service traffic only reaches healthy pods.
Example:
readinessProbe:
  httpGet:
    path: /ready
    port: 3000
  initialDelaySeconds: 5
  periodSeconds: 10
3. PodDisruptionBudget (PDB)
Purpose: Ensures at least some pods are always running during voluntary disruptions.
Effect: Maintains minimum service availability during upgrades.
Example:
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: app-pdb
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: my-app
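To see what the PDB above actually permits, the following Python snippet is an added example (not part of this guide) that reproduces the eviction arithmetic: it resolves minAvailable or maxUnavailable (absolute count or percentage) against the expected pod count and returns how many voluntary evictions are allowed right now. The percentage rounding (round up) is my reading of the disruption controller's behaviour and is stated here as an assumption; the PDB_FROM_GUIDE dict is the manifest above, loaded as plain Python data.

```python
from typing import Optional, Union

IntOrPercent = Union[int, str]

# The guide's PDB, as the dict structure yaml.safe_load would produce.
PDB_FROM_GUIDE = {
    "apiVersion": "policy/v1",
    "kind": "PodDisruptionBudget",
    "metadata": {"name": "app-pdb"},
    "spec": {"minAvailable": 1, "selector": {"matchLabels": {"app": "my-app"}}},
}


def _scaled_value(value: IntOrPercent, total: int) -> int:
    """Resolve an absolute count or a percentage string such as "25%" against
    the expected pod count. Percentages round up (assumption: this mirrors the
    disruption controller's scaling of minAvailable/maxUnavailable)."""
    if isinstance(value, str):
        if not value.endswith("%"):
            raise ValueError(f"not an int or percentage: {value!r}")
        pct = int(value[:-1])
        return -(-total * pct // 100)  # integer ceiling without float rounding
    return int(value)


def disruptions_allowed(min_available: Optional[IntOrPercent],
                        max_unavailable: Optional[IntOrPercent],
                        expected_pods: int,
                        healthy_pods: int) -> int:
    """Number of voluntary evictions (drain, rollout surge) the PDB permits now."""
    if (min_available is None) == (max_unavailable is None):
        raise ValueError("set exactly one of minAvailable or maxUnavailable")
    if min_available is not None:
        desired_healthy = _scaled_value(min_available, expected_pods)
    else:
        desired_healthy = expected_pods - _scaled_value(max_unavailable, expected_pods)
    return max(0, healthy_pods - desired_healthy)


def eviction_permitted(min_available, max_unavailable, expected_pods, healthy_pods) -> bool:
    return disruptions_allowed(min_available, max_unavailable, expected_pods, healthy_pods) > 0


def disruptions_allowed_for(pdb: dict, expected_pods: int, healthy_pods: int) -> int:
    """Same calculation, reading the fields straight from a PDB manifest dict."""
    spec = pdb["spec"]
    return disruptions_allowed(spec.get("minAvailable"), spec.get("maxUnavailable"),
                               expected_pods, healthy_pods)


if __name__ == "__main__":
    # With 3 replicas the guide's PDB allows 2 evictions; with a single replica it allows none,
    # which is the classic reason a node drain hangs on a 1-replica Deployment.
    print(disruptions_allowed_for(PDB_FROM_GUIDE, expected_pods=3, healthy_pods=3))
    print(disruptions_allowed_for(PDB_FROM_GUIDE, expected_pods=1, healthy_pods=1))
```

The second call is the check worth running before adopting minAvailable: 1 on a Deployment with replicas: 1, because the budget then never permits an eviction and node maintenance stalls until someone overrides it.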
4. securityContext
Purpose: Enforces security boundaries inside containers.
Effect: Prevents running as root and disallows privilege escalation.
Example:
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
5. networkPolicy
Purpose: Restricts ingress/egress traffic to/from pods.
Effect: Establishes a default-deny baseline for zero-trust networking (the policy is only enforced by a CNI plugin that implements NetworkPolicy).
Example:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
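A default-deny policy only protects the pods its podSelector matches, and only in its own namespace, so the useful check is "which pods have no policy covering them?". The Python snippet below is an added example, not part of this guide: it evaluates podSelector.matchLabels against pod labels, applies the policyTypes defaulting rule (Ingress is always implied; Egress only if an egress section exists), and lists pods that are not isolated in both directions. The policies and pods are constructed sample data; the guide's policy has no namespace in its metadata, so one is assumed here. Note that a default-deny egress policy also blocks DNS until an egress rule allowing UDP/TCP 53 to the cluster DNS is added.

```python
from typing import Dict, List, Set

# Constructed sample: the guide's default-deny policy applied in "prod", plus a
# staging policy that only restricts ingress for pods labelled app=api.
POLICIES = [
    {"metadata": {"name": "default-deny", "namespace": "prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "api-ingress", "namespace": "staging"},
     "spec": {"podSelector": {"matchLabels": {"app": "api"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]}},
]

PODS = [
    {"metadata": {"name": "api", "namespace": "prod", "labels": {"app": "api"}}},
    {"metadata": {"name": "worker", "namespace": "prod", "labels": {"app": "worker"}}},
    {"metadata": {"name": "api", "namespace": "staging", "labels": {"app": "api"}}},
    {"metadata": {"name": "web", "namespace": "staging", "labels": {"app": "web"}}},
]


def selector_matches(match_labels: Dict[str, str], pod_labels: Dict[str, str]) -> bool:
    """Empty matchLabels (podSelector: {}) selects every pod in the namespace."""
    return all(pod_labels.get(k) == v for k, v in match_labels.items())


def effective_policy_types(spec: dict) -> Set[str]:
    """policyTypes defaults to Ingress, plus Egress only when an egress section is present."""
    types = spec.get("policyTypes")
    if types is None:
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return set(types)


def policy_coverage(policies: List[dict], pods: List[dict]) -> Dict[str, Set[str]]:
    """Map "namespace/pod" to the set of directions some policy isolates it in."""
    coverage: Dict[str, Set[str]] = {}
    for pod in pods:
        meta = pod["metadata"]
        key = f'{meta["namespace"]}/{meta["name"]}'
        covered: Set[str] = set()
        for pol in policies:
            if pol["metadata"]["namespace"] != meta["namespace"]:
                continue  # NetworkPolicy is namespaced; it never reaches other namespaces
            match_labels = pol["spec"].get("podSelector", {}).get("matchLabels", {})
            if selector_matches(match_labels, meta.get("labels", {})):
                covered |= effective_policy_types(pol["spec"])
        coverage[key] = covered
    return coverage


def unisolated_pods(policies: List[dict], pods: List[dict]) -> List[str]:
    """Pods lacking isolation for Ingress, Egress or both."""
    return sorted(key for key, dirs in policy_coverage(policies, pods).items()
                  if not {"Ingress", "Egress"} <= dirs)


if __name__ == "__main__":
    for key, dirs in policy_coverage(POLICIES, PODS).items():
        print(key, sorted(dirs) or "NO POLICY")
    print("not fully isolated:", unisolated_pods(POLICIES, PODS))
```

Running it reports both staging pods: staging/web has no policy at all, and staging/api is isolated for ingress only because its policy omits policyTypes and has no egress section.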
6. resource requests/limits
Purpose: Ensures consistent performance and fair resource allocation.
Effect: Avoids resource contention.
Example:
resources:
  requests:
    memory: "128Mi"
    cpu: "250m"
  limits:
    memory: "256Mi"
    cpu: "500m"
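Sections 1, 2, 4 and 6 all describe per-container fields that should be present on every production workload, and they are easiest to enforce with a pre-deploy check. The Python checker below is an added example (not part of this guide): it walks a Deployment manifest already loaded as a dict (the structure yaml.safe_load produces) and reports each missing probe, a runAsNonRoot that is not true (honouring pod-level inheritance with container-level override), an allowPrivilegeEscalation that is not false, and any unset cpu/memory request or limit. The sample Deployment is constructed here: its api container carries the snippets from the sections above, while the sidecar container omits them.

```python
from typing import List

REQUIRED_RESOURCES = ("cpu", "memory")

# Constructed sample Deployment: "api" follows the guide, "sidecar" does not.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "my-app"},
    "spec": {"template": {"spec": {
        # Pod-level securityContext: inherited by every container unless overridden.
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [
            {"name": "api",
             "livenessProbe": {"httpGet": {"path": "/healthz", "port": 3000},
                               "initialDelaySeconds": 10, "periodSeconds": 15},
             "readinessProbe": {"httpGet": {"path": "/ready", "port": 3000},
                                "initialDelaySeconds": 5, "periodSeconds": 10},
             "securityContext": {"allowPrivilegeEscalation": False},
             "resources": {"requests": {"memory": "128Mi", "cpu": "250m"},
                           "limits": {"memory": "256Mi", "cpu": "500m"}}},
            {"name": "sidecar", "image": "placeholder-image"},
        ],
    }}},
}


def _run_as_non_root(pod_spec: dict, container: dict) -> bool:
    """runAsNonRoot may be set at pod level and overridden per container."""
    pod_ctx = pod_spec.get("securityContext", {})
    ctr_ctx = container.get("securityContext", {})
    return ctr_ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is True


def lint_container(pod_spec: dict, container: dict) -> List[str]:
    """Return one finding string per missing production-grade control."""
    name = container.get("name", "<unnamed>")
    findings: List[str] = []
    for probe in ("livenessProbe", "readinessProbe"):
        if probe not in container:
            findings.append(f"{name}: missing {probe}")
    if not _run_as_non_root(pod_spec, container):
        findings.append(f"{name}: runAsNonRoot is not true")
    # allowPrivilegeEscalation exists only on the container-level securityContext.
    if container.get("securityContext", {}).get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation is not false")
    resources = container.get("resources", {})
    for section in ("requests", "limits"):
        for res in REQUIRED_RESOURCES:
            if res not in resources.get(section, {}):
                findings.append(f"{name}: resources.{section}.{res} not set")
    return findings


def lint_deployment(deployment: dict) -> List[str]:
    pod_spec = deployment["spec"]["template"]["spec"]
    return [f for c in pod_spec.get("containers", []) for f in lint_container(pod_spec, c)]


if __name__ == "__main__":
    for finding in lint_deployment(SAMPLE_DEPLOYMENT):
        print(finding)
```

The sidecar inherits runAsNonRoot from the pod, so that check passes, but it still yields seven findings; wiring a check like this into CI or an admission webhook is how these sections stop being advice and become policy.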
7. HPA/VPA - Autoscaling
Purpose: Automatically scales the number of replicas (HPA) or the resource requests (VPA) of a workload based on observed metrics.
HorizontalPodAutoscaler (HPA):
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: my-app-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: my-app
  minReplicas: 1
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 50
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 70
VerticalPodAutoscaler (VPA):
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: my-app-vpa
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: my-app
  updatePolicy:
    updateMode: "Auto" # Other options: "Initial", "Off"
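The HPA above has two utilization targets, and it helps to know how the controller combines them before trusting maxReplicas as a cost ceiling. The Python snippet below is an added example, not part of this guide: it implements the documented HPA formula desiredReplicas = ceil(currentReplicas * (currentMetric / targetMetric)), skips a change when the ratio is within the default 10% tolerance, takes the largest proposal across metrics, and clamps to minReplicas/maxReplicas. HPA_FROM_GUIDE is the manifest above as a dict; the observed utilization values are constructed. One caveat for the VPA example: the VPA project advises against running VPA together with an HPA that scales on the same CPU or memory metrics, and updateMode "Auto" applies new requests by evicting pods, which is itself a voluntary disruption governed by the PDB in section 3.

```python
import math
from typing import Dict, List

# Default of the controller manager's --horizontal-pod-autoscaler-tolerance flag.
TOLERANCE = 0.1

# The guide's HPA, as the dict structure yaml.safe_load would produce.
HPA_FROM_GUIDE = {
    "apiVersion": "autoscaling/v2",
    "kind": "HorizontalPodAutoscaler",
    "metadata": {"name": "my-app-hpa"},
    "spec": {
        "scaleTargetRef": {"apiVersion": "apps/v1", "kind": "Deployment", "name": "my-app"},
        "minReplicas": 1,
        "maxReplicas": 10,
        "metrics": [
            {"type": "Resource", "resource": {"name": "cpu",
             "target": {"type": "Utilization", "averageUtilization": 50}}},
            {"type": "Resource", "resource": {"name": "memory",
             "target": {"type": "Utilization", "averageUtilization": 70}}},
        ],
    },
}


def replicas_for_metric(current_replicas: int, observed_utilization: float,
                        target_utilization: float) -> int:
    """Replica count one metric asks for: ceil(current * observed/target),
    or no change while the ratio sits inside the tolerance band."""
    ratio = observed_utilization / target_utilization
    if abs(ratio - 1.0) <= TOLERANCE:
        return current_replicas
    return math.ceil(current_replicas * ratio)


def hpa_desired_replicas(hpa: dict, current_replicas: int,
                         observed: Dict[str, float]) -> int:
    """Combine all Resource/Utilization metrics and clamp to the configured range.
    `observed` maps resource name to the average utilization percent across pods."""
    spec = hpa["spec"]
    proposals: List[int] = []
    for metric in spec["metrics"]:
        res = metric["resource"]
        target = res["target"]["averageUtilization"]
        proposals.append(replicas_for_metric(current_replicas, observed[res["name"]], target))
    desired = max(proposals)  # the metric demanding the most replicas wins
    return max(spec["minReplicas"], min(spec["maxReplicas"], desired))


if __name__ == "__main__":
    # 4 replicas at 90% CPU / 40% memory: CPU asks for 8, memory for 3, so 8 wins.
    print(hpa_desired_replicas(HPA_FROM_GUIDE, 4, {"cpu": 90, "memory": 40}))
    # Both metrics within 10% of target: no change.
    print(hpa_desired_replicas(HPA_FROM_GUIDE, 4, {"cpu": 52, "memory": 68}))
    # A CPU spike at 8 replicas would ask for 32; maxReplicas caps it at 10.
    print(hpa_desired_replicas(HPA_FROM_GUIDE, 8, {"cpu": 200, "memory": 30}))
```

Because the largest proposal wins, a memory-heavy workload can be held at a high replica count by the memory target even when CPU is idle; the model makes that interaction visible before it shows up on the bill.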
8. prometheus.io Annotations
Purpose: Marks the pod for scraping under the widely used pod-annotation convention, which a Prometheus scrape configuration using Kubernetes service discovery honours.
Effect: Facilitates observability and alerting.
Example:
annotations:
  prometheus.io/scrape: "true"
  prometheus.io/port: "3000"
  prometheus.io/path: "/metrics"
9. affinity and antiAffinity
Purpose: Controls pod placement on nodes.
Effect: Prevents single points of failure and distributes load.
Example (antiAffinity):
affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            app: my-app
        topologyKey: "kubernetes.io/hostname"
10. ConfigMap and Secret
Purpose: Externalize configuration and secure sensitive data.
Effect: Keeps deployment definitions clean and manageable.
ConfigMap Example:
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-app-config
  namespace: default
data:
  REDIS_HOST: redis://redis-service:6379
Secret Example:
apiVersion: v1
kind: Secret
metadata:
  name: my-app-secrets
  namespace: default
type: Opaque
stringData:
  DB_PASSWORD: mysecurepassword
Note that Secret values are stored base64-encoded, not encrypted, in the API server unless encryption at rest is configured, so restrict read access to Secrets with RBAC.
Usage in Deployment:
envFrom:
  - configMapRef:
      name: my-app-config
  - secretRef:
      name: my-app-secrets
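The separation this section describes is only effective if nobody bypasses it by writing credentials inline. The Python snippet below is an added example, not part of this guide: it scans Deployment and ConfigMap manifests (as dicts) for environment variables or ConfigMap keys whose names look credential-like but carry a literal value instead of a valueFrom.secretKeyRef or envFrom.secretRef. The name pattern is a heuristic constructed here, and the sample manifests are constructed too; the ConfigMap from this section produces no finding, while a constructed SMTP_PASSWORD key and an inline DB_PASSWORD env var do.

```python
import re
from typing import List

# Heuristic (constructed here): env/ConfigMap key names that should never hold a literal value.
SENSITIVE_NAME = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.IGNORECASE)

# Constructed sample manifests.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "my-app"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "env": [
            {"name": "REDIS_HOST", "value": "redis://redis-service:6379"},   # fine: not sensitive
            {"name": "DB_PASSWORD", "value": "placeholder-inline-password"},  # finding
            {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {            # fine: from a Secret
                "name": "my-app-secrets", "key": "API_TOKEN"}}},
        ],
        "envFrom": [{"configMapRef": {"name": "my-app-config"}},
                    {"secretRef": {"name": "my-app-secrets"}}],
    }]}}},
}

GUIDE_CONFIGMAP = {
    "kind": "ConfigMap",
    "metadata": {"name": "my-app-config", "namespace": "default"},
    "data": {"REDIS_HOST": "redis://redis-service:6379"},
}

LEAKY_CONFIGMAP = {
    "kind": "ConfigMap",
    "metadata": {"name": "mailer-config", "namespace": "default"},
    "data": {"SMTP_HOST": "smtp.example.invalid", "SMTP_PASSWORD": "placeholder"},
}


def deployment_findings(deployment: dict) -> List[str]:
    """Flag credential-like env vars given as inline `value` rather than `valueFrom`."""
    findings: List[str] = []
    pod_spec = deployment["spec"]["template"]["spec"]
    for container in pod_spec.get("containers", []):
        for env in container.get("env", []):
            if SENSITIVE_NAME.search(env["name"]) and "value" in env:
                findings.append(f'{container["name"]}: env {env["name"]} is inline; '
                                "reference a Secret via valueFrom.secretKeyRef or envFrom.secretRef")
    return findings


def configmap_findings(configmap: dict) -> List[str]:
    """ConfigMaps are not Secrets: credential-like keys do not belong in them."""
    name = configmap["metadata"]["name"]
    return [f"ConfigMap {name}: key {key} looks like a credential; move it to a Secret"
            for key in configmap.get("data", {}) if SENSITIVE_NAME.search(key)]


def scan_manifests(manifests: List[dict]) -> List[str]:
    """Dispatch on kind; other kinds are ignored."""
    findings: List[str] = []
    for m in manifests:
        if m.get("kind") == "Deployment":
            findings.extend(deployment_findings(m))
        elif m.get("kind") == "ConfigMap":
            findings.extend(configmap_findings(m))
    return findings


if __name__ == "__main__":
    for finding in scan_manifests([SAMPLE_DEPLOYMENT, GUIDE_CONFIGMAP, LEAKY_CONFIGMAP]):
        print(finding)
```

A name heuristic will miss oddly named credentials and flag the occasional false positive (a TOKEN_TTL setting, say), so treat it as a cheap first gate in CI, not as proof that no secret is inline.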
| Feature | Purpose | Must-Have? |
|---|---|---|
| livenessProbe | Self-healing of stuck pods | ✅ Yes |
| readinessProbe | Ensure pod only gets traffic when ready | ✅ Yes |
| PodDisruptionBudget | Prevent full outage during maintenance | ✅ Yes |
| securityContext | Enforce least privilege | ✅ Yes |
| networkPolicy | Lock down traffic | ⚠️ Highly recommended |
| resource requests/limits | Avoid noisy neighbors, stable scheduling | ✅ Yes |
| HPA/VPA | Auto scaling based on metrics | ✅ Yes |
| prometheus annotations | Enable metrics scraping | ✅ If monitoring present |
| affinity/antiAffinity | Spread across nodes | ✅ For HA |
| configMap/Secret | Clean config separation | ✅ Yes |
Each of the above features brings your deployments closer to production-grade quality. Adopt these practices incrementally and tailor them to your application's needs.