Manifest Standards
Workloads
- Always set resource requests AND limits for CPU and memory
- Use `PodDisruptionBudget` for all production Deployments
- Set `terminationGracePeriodSeconds` appropriate to the workload (long enough for in-flight work to drain after SIGTERM; the kubelet sends SIGKILL when it expires)
- Use `topologySpreadConstraints` for HA across zones
- Prefer `Deployment` unless ordering matters (`StatefulSet`) or every-node is needed (`DaemonSet`)
- Always set `securityContext`:

```yaml
securityContext:
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
```

With `readOnlyRootFilesystem: true`, mount an `emptyDir` for any path the process must write (`/tmp`, caches); `runAsNonRoot: true` fails the container at start unless the image sets a non-root `USER` or `runAsUser` is given.
Labels and Annotations
- Required labels: `app.kubernetes.io/name`, `app.kubernetes.io/version`, `app.kubernetes.io/component`, `app.kubernetes.io/managed-by`
- Use annotations for tooling metadata, not selectors. Keep `app.kubernetes.io/version` out of `matchLabels`: a Deployment's selector is immutable, so a label that changes every release cannot be part of it
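A Deployment and its PodDisruptionBudget that apply the Workloads and Labels rules above, as an added example (not from the original page). The namespace `shop`, image, ports, replica counts and the `managed-by` value are placeholders; the pod-level `seccompProfile`, `runAsUser` and the `/tmp` `emptyDir` go beyond the page's list and are added here as assumptions about what a restricted, read-only-rootfs workload usually needs.

```yaml
# Added example, not from the original page. Names and image are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
  labels:
    app.kubernetes.io/name: api
    app.kubernetes.io/version: "1.4.2"
    app.kubernetes.io/component: backend
    app.kubernetes.io/managed-by: kustomize
spec:
  replicas: 3
  selector:
    matchLabels:                       # immutable: no version label here
      app.kubernetes.io/name: api
      app.kubernetes.io/component: backend
  template:
    metadata:
      labels:
        app.kubernetes.io/name: api
        app.kubernetes.io/version: "1.4.2"
        app.kubernetes.io/component: backend
        app.kubernetes.io/managed-by: kustomize
    spec:
      terminationGracePeriodSeconds: 30   # drain in-flight requests before SIGKILL
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: api
      securityContext:                     # pod level (assumed additions)
        runAsNonRoot: true
        runAsUser: 10001                   # image has no USER; pick a fixed non-root uid
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: api
          image: registry.example.com/shop/api:1.4.2   # placeholder
          ports:
            - name: http
              containerPort: 8080
          resources:
            requests: { cpu: 250m, memory: 256Mi }
            limits:   { cpu: "1",  memory: 512Mi }
          securityContext:                 # the page's required block, verbatim
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: tmp
              mountPath: /tmp              # only writable path; root fs is read-only
      volumes:
        - name: tmp
          emptyDir: {}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: api
  namespace: shop
  labels:
    app.kubernetes.io/name: api
    app.kubernetes.io/component: backend
    app.kubernetes.io/managed-by: kustomize
spec:
  minAvailable: 2                          # with 3 replicas, a node drain may evict one at a time
  selector:
    matchLabels:
      app.kubernetes.io/name: api
```

`minAvailable: 2` against three replicas means a drain can evict at most one Pod at a time; with `DoNotSchedule` on the zone spread, a cluster that has fewer zones than replicas will leave Pods Pending rather than co-locate them, which is the intended failure mode for an HA tier.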
ConfigMaps and Secrets
- Mount as volumes, not environment variables, for rotation support (the kubelet refreshes volume-mounted ConfigMaps and Secrets on its sync period; environment variables are fixed at container start, and `subPath` mounts are never updated)
- Use `immutable: true` for ConfigMaps/Secrets that should not change (the API server rejects later edits; change the content by shipping a new object name, which also lets the kubelet stop watching the object)
- Use ExternalSecrets or Sealed Secrets for sensitive data; never commit plain Secrets to git (`data:` is only base64, not encryption)
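The three rules above in one place, as an added example that is not from the original page: an `ExternalSecret` that materialises a Kubernetes Secret from an external store, an immutable ConfigMap, and a Pod that mounts the Secret as a volume while reading the immutable ConfigMap through an env var (safe there precisely because it never changes). The `ClusterSecretStore` name `vault`, the remote key path, namespace and image are assumptions about the cluster's External Secrets Operator setup.

```yaml
# Added example, not from the original page. Store name and remote path are assumed.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: api-db
  namespace: shop
spec:
  refreshInterval: 1h                  # operator re-reads the backend and updates the Secret
  secretStoreRef:
    name: vault                        # assumed ClusterSecretStore
    kind: ClusterSecretStore
  target:
    name: api-db                       # the Kubernetes Secret the operator owns; Pods mount this
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: shop/api/db               # assumed path in the external store
        property: password
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: api-config-v3                  # version in the name: changes ship as a new object
  namespace: shop
immutable: true                        # kubectl edit/apply of data is rejected
data:
  LOG_LEVEL: info
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: shop
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    fsGroup: 10001                     # secret files are root-owned; fsGroup makes them group-readable
  containers:
    - name: api
      image: registry.example.com/shop/api:1.4.2   # placeholder
      env:
        - name: LOG_LEVEL              # env is acceptable here: the ConfigMap is immutable
          valueFrom:
            configMapKeyRef:
              name: api-config-v3
              key: LOG_LEVEL
      volumeMounts:
        - name: db-creds
          mountPath: /etc/secrets/db   # whole-directory mount, no subPath, so rotation propagates
          readOnly: true
  volumes:
    - name: db-creds
      secret:
        secretName: api-db             # created by the ExternalSecret above
        defaultMode: 0440
```

The application reads `/etc/secrets/db/password` on each connect (or watches the file) instead of caching it at startup; the kubelet swaps the symlinked directory atomically when the operator rotates the Secret, so readers never see a half-written file. Nothing sensitive appears in git: the repo holds only the reference to the external store.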
Networking
- Use `NetworkPolicy` to restrict traffic by default (deny all, allow specific). This only works on a CNI that enforces NetworkPolicy; otherwise the objects are accepted by the API server and silently ignored, so verify enforcement once per cluster
- Services: `ClusterIP` by default, `LoadBalancer` only via Ingress/Gateway API
- Prefer Gateway API over Ingress for new projects
Helm
- Values files: `values.yaml` (defaults), `values-dev.yaml`, `values-prod.yaml`
- Template all labels consistently via `_helpers.tpl`
- Use `{{- include }}` not `{{- template }}` for named templates (`include` returns a string that can be piped through `nindent`/`quote`; `template` writes directly and cannot be re-indented)
- Validate with `helm lint` and `helm template` before merge
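A `_helpers.tpl` with the required labels and its use from a Deployment template, as an added example (not from the original page or any particular chart). The chart name `api` in the template names, the `component` value key and the `nameOverride` handling are assumptions; the files are shown together in one block and separated by path comments.

```yaml
# templates/_helpers.tpl  (added example, not from the original page)
{{- define "api.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/* Full label set: every object in the chart gets these */}}
{{- define "api.labels" -}}
app.kubernetes.io/name: {{ include "api.name" . }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/component: {{ .Values.component | default "backend" }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version }}
{{- end }}

{{/* Selector labels: stable across releases, so no version here */}}
{{- define "api.selectorLabels" -}}
app.kubernetes.io/name: {{ include "api.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

# templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "api.name" . }}
  labels:
    {{- include "api.labels" . | nindent 4 }}     # include -> string -> re-indented
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "api.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "api.labels" . | nindent 8 }}
        {{- include "api.selectorLabels" . | nindent 8 }}

# values.yaml (defaults; values-prod.yaml overrides only what differs)
replicaCount: 1
component: backend
nameOverride: ""
```

Rendering with `helm template api . -f values.yaml -f values-prod.yaml` in CI shows the merged output before anything reaches a cluster; `helm lint` catches the `template`-vs-`include` mistake only indirectly, as an indentation error in the rendered YAML, which is why both are run.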
Kustomize
- Base in `base/`, overlays in `overlays/{dev,staging,prod}/`
- Use `configMapGenerator` and `secretGenerator` over raw manifests (the generated name carries a content hash and references are rewritten, so Pods roll when the data changes)
- Strategic merge patches for environment-specific changes
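A base/overlay layout applying the three Kustomize rules, as an added example (not from the original page): the base declares resources, labels and a `configMapGenerator`; the `prod` overlay sets the namespace and image tag, merges a production value into the generated ConfigMap, builds a Secret from an env file that stays out of git, and applies a strategic merge patch for replicas and resources. Namespace, image, file names and the `db.env` path are assumptions; the files are shown in one block separated by path comments.

```yaml
# base/kustomization.yaml  (added example, not from the original page)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - service.yaml
labels:
  - includeSelectors: true           # stable labels: also stamped into selectors
    pairs:
      app.kubernetes.io/name: api
      app.kubernetes.io/component: backend
  - pairs:                           # metadata only, kept out of selectors
      app.kubernetes.io/managed-by: kustomize
configMapGenerator:
  - name: api-config                 # emitted as api-config-<hash>; refs are rewritten
    literals:
      - LOG_LEVEL=info

# overlays/prod/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: shop-prod                 # assumed
resources:
  - ../../base
images:
  - name: registry.example.com/shop/api   # placeholder image
    newTag: "1.4.2"
configMapGenerator:
  - name: api-config
    behavior: merge                  # overrides only the keys listed here
    literals:
      - LOG_LEVEL=warn
secretGenerator:
  - name: api-db
    envs:
      - db.env                       # gitignored; written by the pipeline at build time
patches:
  - path: replicas.yaml
    target:
      kind: Deployment
      name: api

# overlays/prod/replicas.yaml  (strategic merge patch: only the fields that differ)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  replicas: 3
  template:
    spec:
      containers:
        - name: api                  # merge key for the containers list
          resources:
            requests: { cpu: 500m, memory: 512Mi }
            limits:   { cpu: "2",  memory: 1Gi }
```

`kustomize build overlays/prod` shows the result; the rendered Deployment references `api-config-<hash>`, and because the hash changes whenever `LOG_LEVEL` does, a config change produces a new ConfigMap and a rollout rather than a silent in-place edit. The `db.env` file is the one thing here that must never be committed; if the cluster runs External Secrets or Sealed Secrets, drop the `secretGenerator` and reference the operator-managed Secret instead.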