Production-Ready Kubernetes Deployment Guide
This guide covers the complete journey from bare-metal hardware to a production-hardened Kubernetes platform. Every tool is selected for a specific operational purpose, with hardware requirements, benefits, trade-offs, and integration points clearly explained.Table of Contents
- Hardware Requirements
- Cluster Provisioning Tools
- Networking Layer
- Load Balancing Layer
- Ingress Control
- Storage Layer
- Security & Identity
- Artifact Management
- GitOps & CI/CD
- Observability Stack
- Complete Deployment Sequence
- Operational Runbooks
- Architecture Diagram
1. Hardware Requirements
Before installing software, you need properly sized hardware. Kubernetes is resource-intensive, and every additional component (observability, storage, GitOps) adds overhead.Control Plane Nodes
The control plane runs the API server, scheduler, controller manager, and etcd. It is the brain of the cluster. If the control plane fails, the cluster stops accepting changes (though running pods continue).Critical: etcd data must be on a dedicated disk or partition. Never share the etcd disk with log files or container storage. etcd uses the disk as a write-ahead log — contention kills performance.
Worker Nodes
Worker nodes run your applications (pods). They need resources proportional to your workload density.Load Balancer Nodes (HAProxy + Keepalived)
These sit outside the Kubernetes cluster and provide the external entry point.Observability Nodes
Mimir, Loki, and Tempo are resource-hungry. Depending on cluster size, these may run on dedicated nodes or the worker pool.Rule of thumb: For a 50-node cluster with 1,000 pods, allocate 32 GB RAM and 8 cores for the observability stack.
Total Cluster Sizing Example
2. Cluster Provisioning Tools
You cannot install Dex or Traefik without a cluster. The provisioning tool you choose determines how you bootstrap, upgrade, and lifecycle-manage the entire platform.Tool Comparison
Why These Tools Matter
Kubeadm: The Foundation
Why it is required: Kubeadm is the official Kubernetes bootstrapping tool. It is the reference implementation that other tools (RKE2, CAPI) build upon. Understanding kubeadm means understanding how Kubernetes actually works. Benefits:- Transparency: You see every certificate, static pod manifest, and kubeconfig file.
- Portability: Works on bare metal, VMs, cloud instances, and Raspberry Pis.
- Flexibility: Customize every API server flag, etcd parameter, and kubelet configuration.
- Upgrades require manual coordination: upgrade control plane nodes one by one, then workers.
- etcd backups are your responsibility (
etcdctl snapshot save). - Node replacement is manual: drain, delete, provision new VM, join.
RKE2: Security-First Distribution
Why it is required: When your organization operates under regulatory requirements (government, healthcare, finance), you need a distribution that is certified and hardened out of the box. RKE2 provides this without manual hardening scripts. Benefits:- FIPS 140-2 Compliance: Uses FIPS-validated cryptographic modules. Required for US government workloads.
- CIS Hardening: Applies Center for Internet Security benchmarks automatically.
- Embedded etcd: No separate etcd cluster to manage. Simplifies backup and recovery.
- Air-Gapped Support: Can be installed entirely from tarballs without internet access.
- Automated Upgrades: Via Rancher’s system-upgrade-controller; plans upgrades across nodes.
- Uses containerd by default (no Docker dependency).
- Runs etcd as an embedded process (not a static pod).
- Configuration is via
/etc/rancher/rke2/config.yaml(not flags).
Cluster API (CAPI): The Professional Approach
Why it is required: When you manage tens or hundreds of clusters, manual provisioning becomes impossible. CAPI brings the Kubernetes declarative model (desired state, controllers, reconciliation) to cluster infrastructure itself. Benefits:- Declarative Infrastructure: Define clusters as YAML manifests stored in Git.
- GitOps Integration: ArgoCD or Flux can manage your cluster definitions.
- Multi-Cloud Abstraction: Same manifests work across vSphere, AWS, Azure, and OpenStack.
- Automated Lifecycle: Creation, scaling, upgrade, and deletion are all automated.
3. Networking Layer
Component: Cilium
Why it is required: The default Kubernetes networking (kube-proxy + iptables) is functional but slow, opaque, and lacks security features. Cilium replaces this with eBPF, providing high-performance networking, zero-trust security, and deep observability in one component. Benefits:
Architecture:
- Kernel Requirements: Linux kernel 4.19+ (5.10+ recommended).
- Kube-Proxy Replacement: Cilium can fully replace kube-proxy for better performance:
--set kubeProxyReplacement=strict. - Encryption: Enable WireGuard for pod-to-pod encryption:
--set encryption.enabled=true --set encryption.type=wireguard. - IPAM Mode: For VMware/vSphere, use
cluster-pool(Cilium-managed pod CIDR).
4. Load Balancing Layer
External Load Balancing: HAProxy + Keepalived
Why it is required: In bare-metal or private cloud, there is no cloud provider to provision a load balancer in front of your cluster. You need a highly available entry point that distributes traffic across multiple Traefik instances and survives node failures. Benefits:
Architecture:
Internal Load Balancing: MetalLB
Why it is required: Kubernetes Services of typeLoadBalancer expect a cloud provider to provision an IP. On bare metal, this integration does not exist. Without MetalLB, you are limited to NodePort services with random high-numbered ports (30000–32767), which is unacceptable for production.
Benefits:
Without MetalLB vs. With MetalLB:
5. Ingress Control
Component: Traefik + Gateway API
Why it is required: Kubernetes needs an ingress controller to route external HTTP/HTTPS traffic to internal services. Traefik is modern, cloud-native, and natively supports the Gateway API — the next-generation standard that replaces the aging Ingress resource. Benefits:
Ingress vs. Gateway API:
6. Storage Layer
Component: Longhorn
Why it is required: Kubernetes pods are ephemeral. Without persistent storage, databases, message queues, and file stores lose all data on restart. Longhorn provides replicated, snapshot-capable, backup-ready block storage for stateful workloads. Benefits:
Hardware Requirements:
- Each worker node must have unused raw disk space or a dedicated mount point.
- Open-iscsi must be installed on every node (
apt install open-iscsi). nfs-commonrequired for NFS backup targets.
7. Security & Identity
Component: Cert-Manager
Why it is required: TLS certificates expire. Manual certificate management in a dynamic Kubernetes environment is a guaranteed outage. Cert-Manager automates issuance, renewal, and injection of certificates from Let’s Encrypt, Vault, and private CAs. Benefits:Component: Dex (OIDC)
Why it is required: Kubernetes does not authenticate users — it validates tokens. Without an identity bridge, every user needs a manually distributed kubeconfig with embedded certificates. Dex connects Kubernetes to your existing corporate identity system (LDAP, Okta, Azure AD). Benefits:8. Artifact Management
Component: Nexus Repository
Why it is required: Building containers and pulling dependencies from the public internet on every CI run is slow, unreliable, and insecure. Nexus provides a local cache and private host for all artifacts — Docker images, Helm charts, npm packages, Maven dependencies. Benefits:9. GitOps & CI/CD
Component: GitLab
Why it is required: You need a single source of truth for code, configuration, and operational knowledge. GitLab provides repository hosting, CI/CD pipelines, issue tracking, and documentation in one platform. Benefits:- Single Source of Truth: Code, manifests, runbooks, and issues all in one place.
- CI/CD Native:
.gitlab-ci.ymldefines the entire build-test-deploy pipeline. - Container Registry: Built-in Docker registry (can mirror to Nexus).
- Integration: Webhooks to ArgoCD, issue references in commits, merge request pipelines.
Component: ArgoCD
Why it is required: Manualkubectl apply is error-prone and un-auditable. ArgoCD ensures the live cluster state always matches the desired state stored in Git. It is the enforcement layer for GitOps.
Benefits:
Component: GitLab Runners
Why it is required: CI/CD jobs need compute resources. GitLab Runners provide dynamic, scalable build execution as Kubernetes pods. Benefits:- Autoscaling: Jobs spin up as pods and terminate after completion. No idle workers.
- Kubernetes-Native: Runs inside the cluster it deploys to. No separate build farm needed.
- Security: Build isolation via pod sandboxes. Compromised build does not affect other jobs.
10. Observability Stack
Component: LGTM Stack (Loki, Grafana, Tempo, Mimir)
Why it is required: Running a production cluster without observability is flying blind. You cannot debug what you cannot see. The LGTM stack provides unified metrics, logs, traces, and dashboards — all correlated. Benefits:
Additional Components:
11. Complete Deployment Sequence
Phase 1: Infrastructure Provisioning
Phase 2: Cluster Bootstrap
Phase 3: Load Balancing Foundation
Phase 4: Storage Foundation
Phase 5: Security Layer
Phase 6: Ingress Control
Phase 7: Artifact Management
Phase 8: Identity Layer
Phase 9: GitOps
Phase 10: Observability Stack
Phase 11: CI/CD Integration
12. Operational Runbooks
Runbook: Adding a New Worker Node
Runbook: Replacing a Failed Node
Runbook: Certificate Expiry Emergency
Runbook: Storage Volume Degraded
Runbook: MetalLB IP Not Responding
Runbook: Traefik Gateway Not Routing
Runbook: Cilium Network Policy Blocking Traffic
Runbook: Observability Stack Down
Runbook: GitOps Sync Failure
13. Architecture Diagram
Below is the complete platform architecture showing how all components integrate:Data Flow Summary
Summary Matrix
Further Reading
- Kubeadm Documentation
- RKE2 Documentation
- Cluster API Documentation
- Cilium Documentation
- HAProxy Documentation
- Keepalived Documentation
- MetalLB Documentation
- Traefik Gateway API
- Longhorn Documentation
- Cert-Manager Documentation
- Dex Documentation
- Nexus Repository Documentation
- ArgoCD Documentation
- Grafana LGTM Stack
- Prometheus Operator
- OpenTelemetry Collector