
Week 24 - Defense, Documentation, and the Capstone Demo

24.1 Conceptual Core

The final week is integration and defense. Bring the capstone (whichever track) to production-defensible quality.

24.2 Final Hardening Checklist

  • CIS benchmark green (kube-bench).
  • All control-plane components mTLS, with cert auto-rotation tested.
  • Encryption-at-rest enabled for secrets in etcd.
  • Audit logging enabled; logs shipped off-cluster.
  • Default-deny NetworkPolicy in every namespace.
  • PodSecurity restricted everywhere except documented exceptions.
  • Image admission requires signed images (Sigstore policy).
  • Velero backups + tested cross-cluster restore.
  • Chaos: drain a node, kill a master, partition the network; the cluster recovers in every case.
  • Observability: Prometheus + Grafana + Loki + Tempo (or equivalent) integrated.
  • Cost attribution per tenant.
  • Runbooks: node-not-ready, etcd-degraded, apiserver-OOM, namespace-stuck-terminating, pod-pending-forever.
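Two of the checklist items above (default-deny NetworkPolicy in every namespace, PodSecurity restricted everywhere except documented exceptions) are easy to claim and easy to regress. The following audit script is an added example, not part of the course material: it walks the JSON shapes that `kubectl get namespaces -o json` and `kubectl get networkpolicies -A -o json` produce and reports every namespace that misses either control. The sample dumps are constructed inline so it runs offline; the `capstone.example/psa-exception` annotation is a hypothetical marker for the "documented exceptions" the checklist mentions, and the list of system namespaces it skips is an assumption.

```python
"""Audit namespaces for two capstone hardening items:
  * a default-deny NetworkPolicy (empty podSelector, Ingress+Egress, no rules)
  * PodSecurity Admission enforce=restricted, unless a documented exception exists
Input follows the `kubectl ... -o json` list shape ({"items": [...]}).
"""
import json

PSA_ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
# Hypothetical annotation a team would set to record a reviewed exception.
EXCEPTION_ANNOTATION = "capstone.example/psa-exception"
# Assumption: these namespaces are governed separately and are skipped here.
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}


def is_default_deny(policy):
    """True when a NetworkPolicy selects every pod and allows nothing in or out."""
    spec = policy.get("spec", {})
    selector = spec.get("podSelector", {})
    if selector.get("matchLabels") or selector.get("matchExpressions"):
        return False  # scoped to some pods, so it is not the namespace-wide deny
    if set(spec.get("policyTypes", [])) != {"Ingress", "Egress"}:
        return False  # an ingress-only deny still leaves egress wide open
    return not spec.get("ingress") and not spec.get("egress")


def audit(namespaces_dump, netpol_dump):
    """Return {namespace: [problem, ...]}; an empty list means the namespace passes."""
    deny_present = {
        pol["metadata"]["namespace"]
        for pol in netpol_dump.get("items", [])
        if is_default_deny(pol)
    }
    findings = {}
    for ns in namespaces_dump.get("items", []):
        name = ns["metadata"]["name"]
        if name in SYSTEM_NAMESPACES:
            continue
        labels = ns["metadata"].get("labels", {})
        annotations = ns["metadata"].get("annotations", {})
        problems = []
        if name not in deny_present:
            problems.append("no default-deny NetworkPolicy")
        if labels.get(PSA_ENFORCE_LABEL) != "restricted" and EXCEPTION_ANNOTATION not in annotations:
            problems.append("PodSecurity enforce is not 'restricted' and no documented exception")
        findings[name] = problems
    return findings


# Constructed sample dumps, shaped like kubectl output.
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "kube-system"}},
    {"metadata": {"name": "team-a", "labels": {PSA_ENFORCE_LABEL: "restricted"}}},
    {"metadata": {"name": "team-b", "labels": {PSA_ENFORCE_LABEL: "baseline"},
                  "annotations": {EXCEPTION_ANNOTATION: "ticket PLATFORM-123 (legacy sidecar)"}}},
    {"metadata": {"name": "team-c"}},
]}

SAMPLE_NETPOLS = {"items": [
    {"metadata": {"name": "default-deny", "namespace": "team-a"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    # Ingress-only deny: looks like hardening but egress is still unrestricted.
    {"metadata": {"name": "deny-ingress", "namespace": "team-c"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
]}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_NAMESPACES, SAMPLE_NETPOLS), indent=2))
```

Feed it real dumps by loading the two JSON files with `json.load` and passing them to `audit`; wiring it into CI against the manifest repo catches a namespace that loses its deny policy or its PSA label before the mock review does.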

24.3 Lab: "Defend the Cluster"

Schedule a 60-minute mock review. Demo:

  1. The architecture diagram.
  2. Provisioning (Ansible/Terraform/Crossplane).
  3. Tenant onboarding from request to running app.
  4. Failure injection: kill a control-plane node; show cluster recovery.
  5. Observability: trace a request from ingress through service mesh to backend, with metrics, logs, and trace ID correlation.
  6. Backup + restore.

24.4 Operations Slice

  • Tag the cluster manifest repo v1.0.0. Sign with cosign. Publish a RUNBOOK.md that, in principle, lets a successor team rebuild the cluster from scratch.

Month 6 Deliverable

The capstone artifact (per CAPSTONE_PROJECTS.md), plus the aggregated kubernetes-mastery/ repo containing every prior month's deliverable.
