Day 20: DaemonSets — One Pod per Node, for Real Per-Node Concerns
Deployment, StatefulSet, Job — none of them are the right shape for ‘I need exactly one of these on every node, automatically.’ That is the DaemonSet’s only ...
A Deployment is the wrong workload type for anything that has a finishing line. Day 19 introduces the two right ones: Job (run a Pod to completion, retry on ...
A Pod can hold more than one container, and the order they start in is a feature, not an accident. Init containers run once and must finish before the app st...
Day 5 through Day 16 ran one stateless webapp Pod. Stateful workloads — Postgres, Kafka, anything with a disk it cares about — break that model entirely: Pod...
Days 14 and 15 stopped the cluster being misused. Day 16 stops it being accidentally torn down during routine operations. A PodDisruptionBudget tells the evi...
Day 14 stopped Pods from doing dangerous things. Day 15 stops them from quietly consuming everything. One ResourceQuota caps a namespace’s total CPU/memory/P...
Day 13 fixed who can talk to the cluster. Day 14 fixes what can run in it. Pod Security Standards is the built-in admission controller that replaces the depr...
Every Pod since Day 5 has been running as the default ServiceAccount with an automounted API token nobody asked for. That token is a credential — and if the ...
A fixed replicaCount wastes capacity at 3 AM and crashes the app at peak. HPA fixes that: install metrics-server, add an HPA resource to your Helm chart, and...
A raw Kubernetes Secret is just base64 — paste it into any terminal and you have the plaintext. Sealed Secrets fixes this: a controller inside the cluster ho...