GitOps Workflow Patterns

GitOps Fundamentals

Core Principles

- Declarative Infrastructure
- Version Controlled Changes
- Automated Reconciliation
- Self-healing Systems

Implementation Patterns

ArgoCD Application Configuration

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: production-app
spec:
  project: default
  source:
    repoURL: https://github.com/org/app-config.git
    targetRevision: HEAD
    path: environments/production
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```

Workflow Patterns

Multi-Environment Setup

```yaml
# environments/base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - service.yaml
  - ingress.yaml
```

```yaml
# environments/production/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
bases:
  - ../base
patchesStrategicMerge:
  - production-patches.yaml
```

Security Practices

RBAC Configuration

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitops-deployer
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Production Example

```yaml
# Complete GitOps application setup
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: full-stack-app
  namespace: argocd
spec:
  project: production
  source:
    repoURL: https://github.com/org/app-config.git
    targetRevision: main
    path: environments/production
    directory:
      recurse: true
  destination:
    server: https://kubernetes.default.svc
    namespace: production
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
```

These patterns ensure reliable, automated deployment workflows. ...

1 min · Me

Implementing Fastly WAF: Security Best Practices

WAF Configuration Fundamentals

Rule Set Implementation

```vcl
# Custom VCL for WAF integration
sub vcl_recv {
  # Enable WAF for specific paths
  if (req.url.path ~ "^/api/") {
    set req.http.X-Fastly-WAF-Enabled = "true";
  }

  # Custom headers for WAF logging
  set req.http.X-Environment = "production";
  set req.http.X-Application = "api-gateway";
}
```

Advanced Security Rules

Custom Rule Configuration

```json
{
  "rule_id": "custom-sqli-protection",
  "severity": "critical",
  "conditions": {
    "operator": "and",
    "conditions": [
      {
        "parameter": "REQUEST_URI",
        "operator": "contains",
        "value": "sql"
      },
      {
        "parameter": "REQUEST_METHOD",
        "operator": "equals",
        "value": "POST"
      }
    ]
  },
  "action": "block"
}
```

Logging and Monitoring

Real-time Alert Configuration

The double quotes inside the strftime format must be escaped so the document stays valid JSON:

```json
{
  "name": "waf-alerts",
  "endpoint_type": "https",
  "url": "https://alerts.example.com/webhook",
  "content_type": "application/json",
  "format": {
    "timestamp": "%{strftime({\"%Y-%m-%d %H:%M:%S\"}, time.start)}V",
    "client_ip": "%{req.http.Fastly-Client-IP}V",
    "request_id": "%{req.http.Fastly-Request-ID}V",
    "rule_id": "%{waf.rule_id}V",
    "severity": "%{waf.severity}V",
    "action": "%{waf.action}V",
    "message": "%{waf.message}V"
  }
}
```

Production Implementation

In HCL, `%{` inside a quoted string starts a template directive, so the Fastly `%{...}V` placeholders are written as `%%{...}V` to reach Fastly as literals:

```hcl
# Terraform configuration for Fastly WAF
resource "fastly_service_waf_configuration" "production" {
  name = "production-waf"

  rule_set {
    type    = "owasp"
    version = "latest"
  }

  rule {
    rule_id   = "1010020"
    status    = "log"
    threshold = 10
  }

  rule {
    rule_id   = "1010030"
    status    = "block"
    threshold = 5
  }

  logging {
    name = "waf-logs"
    # "%%{" escapes HCL's template directive syntax; jsonencode escapes the inner quotes
    format = jsonencode({
      timestamp  = "%%{strftime({\"%Y-%m-%d %H:%M:%S\"}, time.start)}V"
      client_ip  = "%%{req.http.Fastly-Client-IP}V"
      request_id = "%%{req.http.Fastly-Request-ID}V"
      rule_id    = "%%{waf.rule_id}V"
      severity   = "%%{waf.severity}V"
      action     = "%%{waf.action}V"
      message    = "%%{waf.message}V"
    })
  }
}
```

1 min · Me

Implementing Pod Disruption Budgets: Ensuring Application Availability

Pod Disruption Budgets (PDBs) are crucial for maintaining application availability during voluntary disruptions like node drains or cluster upgrades.

Understanding PDB Basics

PDBs define the minimum number of pods that must remain available during voluntary disruptions.

Basic PDB Configuration

```yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: app-pdb
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: critical-service
```

Implementation Strategies

1. Absolute vs. Percentage Values

Choose between:

- `minAvailable: 2`: absolute number
- `minAvailable: "50%"`: percentage-based

2. Using maxUnavailable

```yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: app-pdb
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: critical-service
```

Best Practices

PDB Calculation ...

1 min · Me

Kubernetes HPA Best Practices: A Comprehensive Guide

Horizontal Pod Autoscaling (HPA) is a crucial component for maintaining application performance and resource efficiency in Kubernetes clusters. This guide explores implementation best practices and common pitfalls to avoid.

Understanding HPA Fundamentals

HPA automatically scales the number of pods in a deployment based on observed metrics. While CPU and memory are common scaling triggers, custom metrics can provide more meaningful scaling decisions.

Key Metrics Selection

When choosing metrics for HPA, consider: ...

2 min · Me

Kubernetes Node Pool Management and Cloud-Specific Scaling Patterns

Node Pool Design Patterns

GKE Node Pool Configuration

```hcl
# GKE Node Pool
resource "google_container_node_pool" "general_purpose" {
  name     = "general-purpose"
  cluster  = google_container_cluster.primary.name
  location = "us-central1"

  autoscaling {
    min_node_count  = 1
    max_node_count  = 10
    location_policy = "BALANCED"
  }

  node_config {
    machine_type = "n2-standard-4"
    disk_size_gb = 100
    disk_type    = "pd-ssd"

    labels = {
      role = "general"
      env  = "production"
    }

    # Only pods that tolerate specialty=gpu will be scheduled onto this pool
    taint {
      key    = "specialty"
      value  = "gpu"
      effect = "NO_SCHEDULE"
    }
  }

  management {
    auto_repair  = true
    auto_upgrade = true
  }
}
```

EKS Node Group Configuration

```hcl
# EKS Node Group
resource "aws_eks_node_group" "compute_optimized" {
  cluster_name    = aws_eks_cluster.main.name
  node_group_name = "compute-optimized"
  node_role_arn   = aws_iam_role.eks_node.arn
  subnet_ids      = aws_subnet.private[*].id

  scaling_config {
    desired_size = 2
    max_size     = 10
    min_size     = 1
  }

  instance_types = ["c5.2xlarge"]
  capacity_type  = "SPOT"

  labels = {
    workload = "compute"
    cost     = "spot"
  }

  taint {
    key    = "workload"
    value  = "compute"
    effect = "NO_SCHEDULE"
  }
}
```

AKS Node Pool Configuration

```hcl
# AKS Node Pool
resource "azurerm_kubernetes_cluster_node_pool" "memory_optimized" {
  name                  = "memopt"
  kubernetes_cluster_id = azurerm_kubernetes_cluster.main.id
  vm_size               = "Standard_E4s_v3"
  enable_auto_scaling   = true
  min_count             = 1
  max_count             = 5

  node_labels = {
    workload = "memory-intensive"
  }

  node_taints = [
    "workload=memory:NoSchedule"
  ]

  # Availability zones are strings in the azurerm provider
  zones = ["1", "2", "3"]
}
```

Cloud-Specific Features

GKE-Specific Capabilities

```hcl
# GKE-specific features
resource "google_container_cluster" "advanced" {
  # Autopilot mode
  enable_autopilot = true

  # Vertical Pod Autoscaling
  vertical_pod_autoscaling {
    enabled = true
  }

  # Binary Authorization
  enable_binary_authorization = true

  # Workload Identity (var.project_id is assumed to be declared elsewhere)
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
}
```

EKS-Specific Features

Fargate profiles are their own resource in the AWS provider rather than a block of `aws_eks_cluster`, so they are declared separately below:

```hcl
# EKS-specific features
resource "aws_eks_cluster" "advanced" {
  # IPv6 Support
  kubernetes_network_config {
    ip_family = "ipv6"
  }

  # Secrets Encryption
  encryption_config {
    provider {
      key_arn = aws_kms_key.eks.arn
    }
    resources = ["secrets"]
  }
}

# Fargate Profile (the pod execution role referenced here is assumed to be defined elsewhere)
resource "aws_eks_fargate_profile" "serverless" {
  cluster_name           = aws_eks_cluster.advanced.name
  fargate_profile_name   = "serverless"
  pod_execution_role_arn = aws_iam_role.fargate_pod_execution.arn
  subnet_ids             = aws_subnet.private[*].id

  selector {
    namespace = "serverless"
  }
}
```

AKS-Specific Features

```hcl
# AKS-specific features
resource "azurerm_kubernetes_cluster" "advanced" {
  # Azure CNI Overlay (selected via network_plugin_mode, not network_mode)
  network_profile {
    network_plugin      = "azure"
    network_policy      = "calico"
    network_plugin_mode = "overlay"
  }

  # Azure AD Integration
  azure_active_directory_role_based_access_control {
    managed           = true
    azure_rbac_enabled = true
  }

  # Azure Key Vault Integration
  key_vault_secrets_provider {
    secret_rotation_enabled = true
  }
}
```

2 min · Me