Kubernetes Resources
Kubernetes YAML Manifests
A collection of production-ready Kubernetes manifest examples for various workload types and configuration patterns.
Deployment
Standard Deployment with resource limits, probes, and environment variables
deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: web-application
namespace: production
labels:
app: web-application
spec:
replicas: 3
selector:
matchLabels:
app: web-application
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
template:
metadata:
labels:
app: web-application
spec:
containers:
- name: web-application
image: nginx:1.25-alpine
ports:
- containerPort: 80
name: http
resources:
limits:
cpu: "500m"
memory: "512Mi"
requests:
cpu: "100m"
memory: "128Mi"
livenessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: http
initialDelaySeconds: 5
periodSeconds: 5Service (ClusterIP)
Internal service for pod-to-pod communication within the cluster
service-clusterip.yaml
apiVersion: v1
kind: Service
metadata:
name: web-application
namespace: production
labels:
app: web-application
spec:
type: ClusterIP
selector:
app: web-application
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
- name: https
port: 443
targetPort: 443
protocol: TCPIngress (Traefik)
Ingress resource for Traefik with TLS and middleware
ingress-traefik.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web-application
namespace: production
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.middlewares: production-redirect@kubernetescrd
spec:
ingressClassName: traefik
tls:
- hosts:
- app.example.com
secretName: app-tls-secret
rules:
- host: app.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web-application
port:
number: 80ConfigMap
Configuration data for application settings and environment variables
configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: app-config
namespace: production
data:
# Simple key-value pairs
DATABASE_HOST: "postgres.database.svc.cluster.local"
DATABASE_PORT: "5432"
LOG_LEVEL: "info"
# File-based configuration
nginx.conf: |
server {
listen 80;
server_name _;
location / {
root /usr/share/nginx/html;
index index.html;
try_files $uri $uri/ /index.html;
}
location /api {
proxy_pass http://backend:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}Secret
Secure storage for sensitive data like passwords and API keys
secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: app-secrets
namespace: production
type: Opaque
stringData:
# Use stringData for plain text (auto-encoded to base64)
DATABASE_USER: "app_user"
DATABASE_PASSWORD: "secure-password-here"
API_KEY: "your-api-key"
---
# For TLS certificates
apiVersion: v1
kind: Secret
metadata:
name: app-tls-secret
namespace: production
type: kubernetes.io/tls
data:
# Base64-encoded certificate and key
tls.crt: LS0tLS1CRUdJTi...
tls.key: LS0tLS1CRUdJTi...PersistentVolumeClaim
Storage request for persistent data with Longhorn storage class
pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: app-data
namespace: production
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 10Gi
---
# For shared storage (ReadWriteMany)
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: shared-data
namespace: production
spec:
accessModes:
- ReadWriteMany
storageClassName: longhorn-nfs
resources:
requests:
storage: 50GiNetworkPolicy
Network segmentation to control pod-to-pod traffic
networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: app-network-policy
namespace: production
spec:
podSelector:
matchLabels:
app: web-application
policyTypes:
- Ingress
- Egress
ingress:
# Allow traffic from ingress controller
- from:
- namespaceSelector:
matchLabels:
name: traefik
ports:
- protocol: TCP
port: 80
# Allow traffic from same namespace
- from:
- podSelector: {}
egress:
# Allow DNS resolution
- to:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
# Allow database access
- to:
- namespaceSelector:
matchLabels:
name: database
ports:
- protocol: TCP
port: 5432HorizontalPodAutoscaler
Auto-scaling based on CPU and memory utilization
hpa.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: web-application-hpa
namespace: production
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: web-application
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 80
behavior:
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 10
periodSeconds: 60
scaleUp:
stabilizationWindowSeconds: 0
policies:
- type: Percent
value: 100
periodSeconds: 15Helm Charts
Curated Helm charts for deploying common applications and services on Kubernetes.
Traefik
Kubernetes Ingress Controller with automatic HTTPS
Repo: https://helm.traefik.io/traefik v26.0.0
values.yaml
# values.yaml for Traefik
deployment:
replicas: 2
ingressClass:
enabled: true
isDefaultClass: true
ports:
web:
port: 8000
exposedPort: 80
websecure:
port: 8443
exposedPort: 443
tls:
enabled: true
service:
type: LoadBalancer
dashboard:
enabled: true
ingressRoute: trueLonghorn
Cloud-native distributed storage for Kubernetes
Repo: https://charts.longhorn.io v1.6.0
values.yaml
# values.yaml for Longhorn
persistence:
defaultClass: true
defaultClassReplicaCount: 2
defaultSettings:
backupTarget: "nfs://nas.local:/backups"
defaultReplicaCount: 2
storageMinimalAvailablePercentage: 15
ingress:
enabled: true
host: longhorn.localPrometheus Stack
Complete monitoring solution with Prometheus, Grafana, and Alertmanager
Repo: https://prometheus-community.github.io/helm-charts v56.0.0
values.yaml
# values.yaml for kube-prometheus-stack
prometheus:
prometheusSpec:
retention: 30d
storageSpec:
volumeClaimTemplate:
spec:
storageClassName: longhorn
resources:
requests:
storage: 50Gi
grafana:
adminPassword: changeme
persistence:
enabled: true
size: 10Gi
alertmanager:
alertmanagerSpec:
storage:
volumeClaimTemplate:
spec:
storageClassName: longhorn
resources:
requests:
storage: 5GiKubernetes Operators
Examples and guides for using Kubernetes Operators to automate application lifecycle management.
Cert-Manager
Automate certificate management in Kubernetes
Install:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.0/cert-manager.yaml example-usage.yaml
# ClusterIssuer for Let's Encrypt
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: you@example.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: traefikExternal Secrets
Sync secrets from external secret stores (Vault, AWS, etc.)
Install:
helm install external-secrets external-secrets/external-secrets -n external-secrets --create-namespace example-usage.yaml
# ExternalSecret syncing from Vault
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: app-secrets
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: app-secrets
data:
- secretKey: database-password
remoteRef:
key: secret/data/production/db
property: passwordKubernetes Best Practices
Tips, tricks, and best practices for managing Kubernetes clusters effectively and securely.
-
Resource Requests and Limits
Always define CPU and memory requests/limits to ensure fair scheduling and prevent resource starvation.
- Set requests to typical usage, limits to maximum acceptable
- Use LimitRange to enforce defaults namespace-wide
- Monitor actual usage with Prometheus to tune values
-
Security Contexts
Run containers as non-root users and use read-only filesystems where possible.
- Set runAsNonRoot: true in pod security context
- Use readOnlyRootFilesystem: true when possible
- Drop all capabilities and add only what's needed
-
Health Probes
Configure liveness, readiness, and startup probes for reliable deployments.
- Readiness probes control traffic routing
- Liveness probes trigger container restarts
- Use startup probes for slow-starting applications
-
Network Policies
Implement network segmentation to control traffic between pods and namespaces.
- Default deny all ingress/egress, then allow explicitly
- Separate concerns by namespace (frontend, backend, database)
- Allow DNS (UDP 53) in egress rules