Skip to main content

Production-Ready Kubernetes Deployment Guide

This guide covers the complete journey from bare-metal hardware to a production-hardened Kubernetes platform. Every tool is selected for a specific operational purpose, with hardware requirements, benefits, trade-offs, and integration points clearly explained.

Table of Contents

  1. Hardware Requirements
  2. Cluster Provisioning Tools
  3. Networking Layer
  4. Load Balancing Layer
  5. Ingress Control
  6. Storage Layer
  7. Security & Identity
  8. Artifact Management
  9. GitOps & CI/CD
  10. Observability Stack
  11. Complete Deployment Sequence
  12. Operational Runbooks
  13. Architecture Diagram

1. Hardware Requirements

Before installing software, you need properly sized hardware. Kubernetes is resource-intensive, and every additional component (observability, storage, GitOps) adds overhead.

Control Plane Nodes

The control plane runs the API server, scheduler, controller manager, and etcd. It is the brain of the cluster. If the control plane fails, the cluster stops accepting changes (though running pods continue).
Critical: etcd data must be on a dedicated disk or partition. Never share the etcd disk with log files or container storage. etcd uses the disk as a write-ahead log — contention kills performance.

Worker Nodes

Worker nodes run your applications (pods). They need resources proportional to your workload density.

Load Balancer Nodes (HAProxy + Keepalived)

These sit outside the Kubernetes cluster and provide the external entry point.

Observability Nodes

Mimir, Loki, and Tempo are resource-hungry. Depending on cluster size, these may run on dedicated nodes or the worker pool.
Rule of thumb: For a 50-node cluster with 1,000 pods, allocate 32 GB RAM and 8 cores for the observability stack.

Total Cluster Sizing Example


2. Cluster Provisioning Tools

You cannot install Dex or Traefik without a cluster. The provisioning tool you choose determines how you bootstrap, upgrade, and lifecycle-manage the entire platform.

Tool Comparison

Why These Tools Matter

Kubeadm: The Foundation

Why it is required: Kubeadm is the official Kubernetes bootstrapping tool. It is the reference implementation that other tools (RKE2, CAPI) build upon. Understanding kubeadm means understanding how Kubernetes actually works. Benefits:
  • Transparency: You see every certificate, static pod manifest, and kubeconfig file.
  • Portability: Works on bare metal, VMs, cloud instances, and Raspberry Pis.
  • Flexibility: Customize every API server flag, etcd parameter, and kubelet configuration.
Typical Workflow:
Operational Reality:
  • Upgrades require manual coordination: upgrade control plane nodes one by one, then workers.
  • etcd backups are your responsibility (etcdctl snapshot save).
  • Node replacement is manual: drain, delete, provision new VM, join.

RKE2: Security-First Distribution

Why it is required: When your organization operates under regulatory requirements (government, healthcare, finance), you need a distribution that is certified and hardened out of the box. RKE2 provides this without manual hardening scripts. Benefits:
  • FIPS 140-2 Compliance: Uses FIPS-validated cryptographic modules. Required for US government workloads.
  • CIS Hardening: Applies Center for Internet Security benchmarks automatically.
  • Embedded etcd: No separate etcd cluster to manage. Simplifies backup and recovery.
  • Air-Gapped Support: Can be installed entirely from tarballs without internet access.
  • Automated Upgrades: Via Rancher’s system-upgrade-controller; plans upgrades across nodes.
Key Differences from Standard Kubernetes:
  • Uses containerd by default (no Docker dependency).
  • Runs etcd as an embedded process (not a static pod).
  • Configuration is via /etc/rancher/rke2/config.yaml (not flags).
Typical Workflow:

Cluster API (CAPI): The Professional Approach

Why it is required: When you manage tens or hundreds of clusters, manual provisioning becomes impossible. CAPI brings the Kubernetes declarative model (desired state, controllers, reconciliation) to cluster infrastructure itself. Benefits:
  • Declarative Infrastructure: Define clusters as YAML manifests stored in Git.
  • GitOps Integration: ArgoCD or Flux can manage your cluster definitions.
  • Multi-Cloud Abstraction: Same manifests work across vSphere, AWS, Azure, and OpenStack.
  • Automated Lifecycle: Creation, scaling, upgrade, and deletion are all automated.
Architecture:
Typical Workflow:

3. Networking Layer

Component: Cilium

Why it is required: The default Kubernetes networking (kube-proxy + iptables) is functional but slow, opaque, and lacks security features. Cilium replaces this with eBPF, providing high-performance networking, zero-trust security, and deep observability in one component. Benefits: Architecture:
Deployment Considerations:
  1. Kernel Requirements: Linux kernel 4.19+ (5.10+ recommended).
  2. Kube-Proxy Replacement: Cilium can fully replace kube-proxy for better performance: --set kubeProxyReplacement=strict.
  3. Encryption: Enable WireGuard for pod-to-pod encryption: --set encryption.enabled=true --set encryption.type=wireguard.
  4. IPAM Mode: For VMware/vSphere, use cluster-pool (Cilium-managed pod CIDR).

4. Load Balancing Layer

External Load Balancing: HAProxy + Keepalived

Why it is required: In bare-metal or private cloud, there is no cloud provider to provision a load balancer in front of your cluster. You need a highly available entry point that distributes traffic across multiple Traefik instances and survives node failures. Benefits: Architecture:
Hardware Placement: Run HAProxy + Keepalived on dedicated VMs or control plane nodes (not as pods — they must survive cluster failures).

Internal Load Balancing: MetalLB

Why it is required: Kubernetes Services of type LoadBalancer expect a cloud provider to provision an IP. On bare metal, this integration does not exist. Without MetalLB, you are limited to NodePort services with random high-numbered ports (30000–32767), which is unacceptable for production. Benefits: Without MetalLB vs. With MetalLB:

5. Ingress Control

Component: Traefik + Gateway API

Why it is required: Kubernetes needs an ingress controller to route external HTTP/HTTPS traffic to internal services. Traefik is modern, cloud-native, and natively supports the Gateway API — the next-generation standard that replaces the aging Ingress resource. Benefits: Ingress vs. Gateway API:

6. Storage Layer

Component: Longhorn

Why it is required: Kubernetes pods are ephemeral. Without persistent storage, databases, message queues, and file stores lose all data on restart. Longhorn provides replicated, snapshot-capable, backup-ready block storage for stateful workloads. Benefits: Hardware Requirements:
  • Each worker node must have unused raw disk space or a dedicated mount point.
  • Open-iscsi must be installed on every node (apt install open-iscsi).
  • nfs-common required for NFS backup targets.

7. Security & Identity

Component: Cert-Manager

Why it is required: TLS certificates expire. Manual certificate management in a dynamic Kubernetes environment is a guaranteed outage. Cert-Manager automates issuance, renewal, and injection of certificates from Let’s Encrypt, Vault, and private CAs. Benefits:

Component: Dex (OIDC)

Why it is required: Kubernetes does not authenticate users — it validates tokens. Without an identity bridge, every user needs a manually distributed kubeconfig with embedded certificates. Dex connects Kubernetes to your existing corporate identity system (LDAP, Okta, Azure AD). Benefits:

8. Artifact Management

Component: Nexus Repository

Why it is required: Building containers and pulling dependencies from the public internet on every CI run is slow, unreliable, and insecure. Nexus provides a local cache and private host for all artifacts — Docker images, Helm charts, npm packages, Maven dependencies. Benefits:

9. GitOps & CI/CD

Component: GitLab

Why it is required: You need a single source of truth for code, configuration, and operational knowledge. GitLab provides repository hosting, CI/CD pipelines, issue tracking, and documentation in one platform. Benefits:
  • Single Source of Truth: Code, manifests, runbooks, and issues all in one place.
  • CI/CD Native: .gitlab-ci.yml defines the entire build-test-deploy pipeline.
  • Container Registry: Built-in Docker registry (can mirror to Nexus).
  • Integration: Webhooks to ArgoCD, issue references in commits, merge request pipelines.

Component: ArgoCD

Why it is required: Manual kubectl apply is error-prone and un-auditable. ArgoCD ensures the live cluster state always matches the desired state stored in Git. It is the enforcement layer for GitOps. Benefits:

Component: GitLab Runners

Why it is required: CI/CD jobs need compute resources. GitLab Runners provide dynamic, scalable build execution as Kubernetes pods. Benefits:
  • Autoscaling: Jobs spin up as pods and terminate after completion. No idle workers.
  • Kubernetes-Native: Runs inside the cluster it deploys to. No separate build farm needed.
  • Security: Build isolation via pod sandboxes. Compromised build does not affect other jobs.

10. Observability Stack

Component: LGTM Stack (Loki, Grafana, Tempo, Mimir)

Why it is required: Running a production cluster without observability is flying blind. You cannot debug what you cannot see. The LGTM stack provides unified metrics, logs, traces, and dashboards — all correlated. Benefits: Additional Components:

11. Complete Deployment Sequence

Phase 1: Infrastructure Provisioning

Phase 2: Cluster Bootstrap

Phase 3: Load Balancing Foundation

Phase 4: Storage Foundation

Phase 5: Security Layer

Phase 6: Ingress Control

Phase 7: Artifact Management

Phase 8: Identity Layer

Phase 9: GitOps

Phase 10: Observability Stack

Phase 11: CI/CD Integration


12. Operational Runbooks

Runbook: Adding a New Worker Node

Runbook: Replacing a Failed Node

Runbook: Certificate Expiry Emergency

Runbook: Storage Volume Degraded

Runbook: MetalLB IP Not Responding

Runbook: Traefik Gateway Not Routing

Runbook: Cilium Network Policy Blocking Traffic

Runbook: Observability Stack Down

Runbook: GitOps Sync Failure


13. Architecture Diagram

Below is the complete platform architecture showing how all components integrate:

Data Flow Summary


Summary Matrix


Further Reading