kubernetes

SKILL.md

Manifest Standards

Workloads

  • Always set resource requests AND limits for CPU and memory
  • Use PodDisruptionBudget for all production Deployments
  • Set terminationGracePeriodSeconds appropriate to the workload
  • Use topologySpreadConstraints for HA across zones
  • Prefer Deployment unless ordering matters (StatefulSet) or one pod per node is needed (DaemonSet)
  • Always set securityContext:
    securityContext:
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]

Labels and Annotations

  • Required labels: app.kubernetes.io/name, app.kubernetes.io/version, app.kubernetes.io/component, app.kubernetes.io/managed-by
  • Use annotations for tooling metadata, not selectors
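A Deployment and its PodDisruptionBudget that satisfy the Workloads and Labels rules above, added here as an illustration rather than taken from the skill itself. The name `webapp`, namespace `shop`, image `registry.example.com/webapp:1.4.2`, port 8080, the `runAsUser`/`seccompProfile` settings and all numbers are placeholders or assumptions.

```yaml
# Added example: a Deployment meeting the Workloads + Labels standards.
# All names, images and numbers are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  namespace: shop
  labels:
    app.kubernetes.io/name: webapp
    app.kubernetes.io/version: "1.4.2"
    app.kubernetes.io/component: api
    app.kubernetes.io/managed-by: helm
spec:
  replicas: 3
  # Selectors are immutable: keep the version label OUT of them so a
  # version bump does not force a delete/recreate of the Deployment.
  selector:
    matchLabels:
      app.kubernetes.io/name: webapp
      app.kubernetes.io/component: api
  template:
    metadata:
      labels:
        app.kubernetes.io/name: webapp
        app.kubernetes.io/version: "1.4.2"
        app.kubernetes.io/component: api
        app.kubernetes.io/managed-by: helm
    spec:
      # Time allowed to drain in-flight requests before SIGKILL (assumed 30s).
      terminationGracePeriodSeconds: 30
      # Spread replicas across zones; DoNotSchedule makes maxSkew a hard rule.
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: webapp
              app.kubernetes.io/component: api
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001          # assumed non-root UID baked into the image
        seccompProfile:
          type: RuntimeDefault    # assumption beyond the standard's list
      containers:
        - name: webapp
          image: registry.example.com/webapp:1.4.2
          ports:
            - name: http
              containerPort: 8080
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              cpu: "1"
              memory: 512Mi
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # With a read-only root filesystem, scratch space must be explicit.
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: webapp
  namespace: shop
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: webapp
      app.kubernetes.io/component: api
```

Two checks worth running before merge: `readOnlyRootFilesystem: true` will crash any image that writes to its root filesystem at startup (log files, PID files, package caches), so every such path needs an `emptyDir` like the `/tmp` mount above; and a PDB with `minAvailable` equal to `replicas` blocks node drains entirely, so keep `minAvailable` strictly below the replica count.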

ConfigMaps and Secrets

  • Mount as volumes, not environment variables, for rotation support
  • Use immutable: true for ConfigMaps/Secrets that should not change
  • Use ExternalSecrets or Sealed Secrets for sensitive data — never plain Secrets in git
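An added example of the ConfigMaps and Secrets rules, not part of the original skill: an immutable ConfigMap mounted as a volume, and an ExternalSecret (External Secrets Operator) that materialises the Kubernetes Secret from an external store so no secret material lands in git. The store name `vault-prod`, the remote key path and all names are assumptions.

```yaml
# Added example: immutable ConfigMap + ExternalSecret + volume mounts.
# Store names, keys and paths are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: webapp-config-v3
  namespace: shop
# Immutable objects cannot be edited in place. Ship a change as a new
# object (webapp-config-v4) and roll the workload to reference it.
immutable: true
data:
  app.yaml: |
    listen: ":8080"
    log_level: info
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: webapp-db
  namespace: shop
spec:
  refreshInterval: 1h          # operator re-reads the store and updates the Secret
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-prod           # assumed store configured by the platform team
  target:
    name: webapp-db            # the plain Secret the operator creates and owns
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: shop/webapp/db    # assumed path in the external store
        property: password
---
# Consumer side: both objects are mounted as files, never exposed as env vars.
apiVersion: v1
kind: Pod
metadata:
  name: webapp-config-demo
  namespace: shop
spec:
  containers:
    - name: webapp
      image: registry.example.com/webapp:1.4.2   # placeholder image
      volumeMounts:
        - name: config
          mountPath: /etc/webapp
          readOnly: true
        - name: db-credentials
          mountPath: /var/run/secrets/db
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: webapp-config-v3
    - name: db-credentials
      secret:
        secretName: webapp-db
        defaultMode: 0400      # owner-read only inside the container
```

The rotation argument for volumes rests on the kubelet refreshing projected files when the Secret changes (on its sync period, so expect a delay of up to a couple of minutes). Two things break that: mounting with `subPath`, which freezes the file at pod start, and an application that reads the file once at boot and never re-reads it. A ConfigMap marked `immutable: true` is exempt from refresh by design, which is why the example encodes the version in its name and expects a rollout instead.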

Networking

  • Use NetworkPolicy to restrict traffic by default (deny all, allow specific)
  • Services: ClusterIP by default, LoadBalancer only via Ingress/Gateway API
  • Prefer Gateway API over Ingress for new projects
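The Networking rules as concrete objects, added here and not taken from the skill: a namespace-wide deny-all NetworkPolicy, the DNS egress allowance every namespace needs once egress is denied, an explicit allow for the app, a ClusterIP Service, and an HTTPRoute that publishes it through a platform-owned Gateway. The namespaces `shop` and `gateway-system`, the Gateway name `shared-gateway`, the hostname, the `k8s-app: kube-dns` label and the `postgres` backend are assumptions.

```yaml
# Added example: deny-by-default networking for namespace "shop".
# Names, labels and hostnames are placeholders.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}              # matches every pod in the namespace
  policyTypes: [Ingress, Egress]
---
# Denying egress also denies DNS; allow it explicitly to the cluster resolver.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: shop
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed label of the CoreDNS pods
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: webapp-allow
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: webapp
  policyTypes: [Ingress, Egress]
  ingress:
    # Only the gateway's namespace may reach the app, and only on 8080.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gateway-system
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # The app may talk to its database and nothing else (DNS comes from above).
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgres
      ports:
        - protocol: TCP
          port: 5432
---
apiVersion: v1
kind: Service
metadata:
  name: webapp
  namespace: shop
spec:
  type: ClusterIP              # never LoadBalancer on the app's own Service
  selector:
    app.kubernetes.io/name: webapp
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: webapp
  namespace: shop
spec:
  parentRefs:
    - name: shared-gateway     # assumed Gateway owned by the platform team
      namespace: gateway-system
  hostnames: ["shop.example.com"]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: webapp
          port: 80
```

NetworkPolicy is additive: the deny-all policy and the per-app allow both apply, and traffic is permitted if any policy allows it. Two caveats a reviewer should check: a NetworkPolicy only takes effect when the CNI plugin enforces it (some do not), and the `kubernetes.io/metadata.name` namespace label is set automatically only on clusters at 1.21 or later.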

Helm

  • Values files: values.yaml (defaults), values-dev.yaml, values-prod.yaml
  • Template all labels consistently via _helpers.tpl
  • Use {{- include }} not {{- template }} for named templates
  • Validate with helm lint and helm template before merge
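An added example of the Helm rules, not the skill's own chart: a `templates/_helpers.tpl` that defines the required labels once, and a `templates/deployment.yaml` that pulls them in with `include`. The chart name `webapp` and the `.Values.component`, `.Values.image`, `.Values.securityContext` and `.Values.resources` keys are assumed to exist in `values.yaml`.

```yaml
# Added example: templates/_helpers.tpl and templates/deployment.yaml for an
# assumed chart named "webapp". Both files are shown in one block.

{{/* ---- templates/_helpers.tpl ---- */}}
{{- define "webapp.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end }}

{{/* The full label set required by the standard. */}}
{{- define "webapp.labels" -}}
app.kubernetes.io/name: {{ include "webapp.name" . }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/component: {{ .Values.component | default "api" }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" }}
{{- end }}

{{/* Selector labels: a strict subset that never carries the version,
     because spec.selector is immutable after the first install. */}}
{{- define "webapp.selectorLabels" -}}
app.kubernetes.io/name: {{ include "webapp.name" . }}
app.kubernetes.io/component: {{ .Values.component | default "api" }}
{{- end }}

{{/* ---- templates/deployment.yaml ---- */}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "webapp.name" . }}
  labels:
    {{- include "webapp.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "webapp.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "webapp.labels" . | nindent 8 }}
    spec:
      containers:
        - name: {{ include "webapp.name" . }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          # Hardening and sizing come from values so prod can tighten them.
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
```

`include` returns the rendered template as a string, which is why it can be piped through `nindent` to land at the right YAML depth; `template` writes directly to the output and cannot be re-indented, which is the practical reason behind the rule. A pre-merge check that exercises both the lint rule and the values-file layout: `helm lint . -f values-prod.yaml && helm template webapp . -f values-prod.yaml | kubectl apply --dry-run=server -f -`, which also catches schema errors the API server would reject.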

Kustomize

  • Base in base/, overlays in overlays/{dev,staging,prod}/
  • Use configMapGenerator and secretGenerator over raw manifests
  • Strategic merge patches for environment-specific changes
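An added example of the Kustomize layout, not the skill's own repository: a `base/` with generated ConfigMap, and an `overlays/prod/` that replaces the config, adds a CI-supplied Secret and applies a strategic merge patch. File boundaries are marked in comments; the service name `webapp`, namespace `shop-prod`, the `db.env` file and all numbers are placeholders.

```yaml
# Added example: Kustomize base + prod overlay for an assumed "webapp".
# Each file is introduced by a comment; names and values are placeholders.

# ---- base/kustomization.yaml ----
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - service.yaml
  - pdb.yaml
configMapGenerator:
  - name: webapp-config
    files:
      - app.yaml             # base/app.yaml, mounted by deployment.yaml
    options:
      immutable: true        # generated object is immutable (see ConfigMaps rule)

# ---- overlays/prod/kustomization.yaml ----
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: shop-prod
resources:
  - ../../base
# Strategic merge patch: carries only the fields that differ in prod.
patches:
  - path: deployment-patch.yaml
configMapGenerator:
  - name: webapp-config
    behavior: replace        # swap the base config wholesale for prod
    files:
      - app.yaml             # overlays/prod/app.yaml
    options:
      immutable: true
secretGenerator:
  - name: webapp-db
    envs:
      - db.env               # written by CI at build time and git-ignored;
                             # the repository never contains the values
    options:
      immutable: true

# ---- overlays/prod/deployment-patch.yaml ----
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
spec:
  replicas: 5
  template:
    spec:
      containers:
        - name: webapp       # name is the merge key for the containers list
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
            limits:
              cpu: "2"
              memory: 1Gi
```

Render with `kubectl kustomize overlays/prod` and apply with `kubectl apply -k overlays/prod`. The generators append a content hash to the object name (`webapp-config-7f2k9…`, value not shown) and rewrite every reference to it in the rendered Deployment, so a config change produces a new object and a rollout, which is the same rollout-on-change behaviour the immutable-ConfigMap rule requires.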

First Seen: Feb 25, 2026