Kubernetes Blog Series
Master Kubernetes —
From Custom Metrics to
Production-Ready Platforms
PipelineCraft.io brings you in-depth, hands-on DevSecOps and CI/CD coverage. Every topic is a linked two-part series — Part 1 builds the foundation, Part 2 takes it to production.
Pairs
Posts
Sections
At PipelineCraft.io, we believe deep CI/CD and DevSecOps knowledge should be accessible, practical, and progressive. This series is not a collection of isolated tutorials — every pair of posts is designed to take you from concept to implementation, with each section building skills you will use in real production environments.
All Sections
1. Custom Metrics & Autoscaling
Scale your workloads on the signals that actually drive load — not just CPU and memory.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 1 | Building a custom metrics exporter in Go | Connecting custom metrics to the HorizontalPodAutoscaler | ✅ Published |
| Pair 4 | Deploying KEDA for event-driven autoscaling | Scaling on Kafka lag with KEDA ScaledObjects | 🔜 Coming Soon |
2. Admission Webhooks & Policy
Intercept, validate, and enforce policy on every resource before it hits your cluster.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 2 | Writing a custom admission webhook in Kubernetes | Enforcing policy with an admission webhook | ✅ Published |
3. Multi-cluster Scheduling
Place and federate workloads across clusters with precision.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 3 | Adopting the PlacementDecision API for multi-cluster scheduling | Federating workloads across clusters using PlacementDecision | 🔄 Part 1 Live |
4. RBAC & Access Control
Design, enforce, and audit access control across your Kubernetes environments.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 5 | Implementing RBAC in Kubernetes | Auditing and tightening RBAC permissions with kubectl-who-can | 🔜 Coming Soon |
5. Certificates & Secrets
Automate TLS, rotate credentials, and keep secrets out of plain sight.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 6 | Issuing TLS certificates for workloads using cert-manager | Automating certificate rotation and renewal in Kubernetes | 🔜 Coming Soon |
| Pair 7 | Encrypting Kubernetes Secrets at rest | Syncing secrets from HashiCorp Vault using the External Secrets Operator | 🔜 Coming Soon |
6. Networking
Control traffic, enforce boundaries, and secure communication between workloads.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 8 | Implementing NetworkPolicy for pod-to-pod traffic control | Enforcing zero-trust networking with Kubernetes NetworkPolicy | 🔜 Coming Soon |
7. Observability
Trace, measure, and correlate signals across your entire cluster.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 9 | Setting up distributed tracing in Kubernetes with OpenTelemetry | Correlating traces, metrics, and logs for cluster-wide observability | 🔜 Coming Soon |
8. Storage / CSI
Build and operate custom storage integrations for stateful workloads.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 10 | Writing a custom CSI driver for Kubernetes | Handling volume lifecycle and snapshots with your CSI driver | 🔜 Coming Soon |
9. Operators & CRDs
Extend Kubernetes with custom resources and automate Day-2 operations.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 11 | Defining a Custom Resource Definition (CRD) in Kubernetes | Validating custom resources with CEL expressions in CRDs | 🔜 Coming Soon |
| Pair 12 | Writing your first Kubernetes controller with controller-runtime | Handling reconciliation loops and error recovery in your controller | 🔜 Coming Soon |
| Pair 13 | Building a Kubernetes Operator with the Operator SDK | Managing Operator lifecycle with the Operator Lifecycle Manager (OLM) | 🔜 Coming Soon |
| Pair 14 | Implementing leader election and high availability in your Operator | Upgrading CRDs safely across versions with conversion webhooks | 🔜 Coming Soon |
| Pair 15 | Testing Kubernetes Operators with envtest | Publishing and distributing your Operator on OperatorHub | 🔜 Coming Soon |
10. GitOps & CI/CD
Automate deployments, enforce delivery standards, and ship with confidence.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 16 | Introduction to GitOps principles and workflow in Kubernetes | Setting up a GitOps repository structure for Kubernetes manifests | 🔜 Coming Soon |
| Pair 17 | Installing and bootstrapping Flux in a Kubernetes cluster | Automating deployments with Flux Kustomization and HelmRelease | 🔜 Coming Soon |
| Pair 18 | Installing ArgoCD and connecting your first Git repository | Managing multi-environment deployments with ArgoCD ApplicationSets | 🔜 Coming Soon |
| Pair 19 | Building container images in CI and pushing to a registry | Triggering GitOps reconciliation from a CI pipeline with image update automation | 🔜 Coming Soon |
| Pair 20 | Implementing canary deployments with Flagger and Flux | Automating rollbacks on metric failures with Flagger analysis | 🔜 Coming Soon |
11. Pod Security
Harden workloads, drop privileges, and enforce security standards cluster-wide.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 21 | Configuring security contexts for Pods and containers in Kubernetes | Hardening workloads with read-only filesystems and non-root users | 🔜 Coming Soon |
| Pair 22 | Introduction to Pod Security Admission and the three built-in policy levels | Enforcing Pod Security Standards across namespaces with labels and exceptions | 🔜 Coming Soon |
| Pair 23 | Dropping Linux capabilities from Kubernetes workloads | Restricting syscalls with Seccomp profiles in Kubernetes | 🔜 Coming Soon |
| Pair 24 | Applying AppArmor profiles to Kubernetes Pods | Enforcing SELinux labels on Pods and volumes in Kubernetes | 🔜 Coming Soon |
| Pair 25 | Auditing workloads for Pod Security Standard violations with kubectl | Migrating from PodSecurityPolicy to Pod Security Admission | 🔜 Coming Soon |
12. Service Mesh
Encrypt, observe, and control service-to-service traffic with Istio and Linkerd.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 26 | Introduction to service mesh concepts and architecture in Kubernetes | Choosing between Istio and Linkerd for your Kubernetes cluster | 🔜 Coming Soon |
| Pair 27 | Installing Istio on a Kubernetes cluster with the Istio Operator | Configuring traffic management with Istio VirtualServices and DestinationRules | 🔜 Coming Soon |
| Pair 28 | Enabling mutual TLS (mTLS) between services with Istio PeerAuthentication | Managing mTLS certificates and SPIFFE identities with Istio | 🔜 Coming Soon |
| Pair 29 | Installing and meshing workloads with Linkerd | Securing service-to-service communication with Linkerd mTLS and authorization policies | 🔜 Coming Soon |
| Pair 30 | Visualizing service traffic and latency with Istio and Kiali | Implementing traffic shifting and fault injection for resilience testing | 🔜 Coming Soon |
13. Ingress & Gateway API
Route, secure, and manage external traffic into your cluster.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 31 | Routing external traffic into Kubernetes with Ingress resources | Configuring TLS termination and host-based routing with Ingress | 🔜 Coming Soon |
| Pair 32 | Installing and configuring the NGINX Ingress Controller in Kubernetes | Rate limiting and access control with NGINX Ingress annotations | 🔜 Coming Soon |
| Pair 33 | Introduction to the Kubernetes Gateway API and how it replaces Ingress | Configuring HTTPRoutes and TLSRoutes with the Gateway API | 🔜 Coming Soon |
| Pair 34 | Splitting traffic across backends with Gateway API weighted routing | Securing Gateway API routes with ReferenceGrants and policy attachments | 🔜 Coming Soon |
| Pair 35 | Migrating from Ingress to the Kubernetes Gateway API | Running Gateway API in production with observability and rate limiting | 🔜 Coming Soon |
14. Logging
Collect, enrich, and query logs from every corner of your cluster.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 36 | Understanding Kubernetes logging architecture and log sources | Collecting container logs with a DaemonSet-based log forwarder | 🔜 Coming Soon |
| Pair 37 | Installing and configuring Fluentd as a log collector in Kubernetes | Parsing, filtering, and routing logs to multiple outputs with Fluentd | 🔜 Coming Soon |
| Pair 38 | Setting up Grafana Loki for log aggregation in Kubernetes | Querying and alerting on logs with LogQL and Grafana dashboards | 🔜 Coming Soon |
| Pair 39 | Emitting structured JSON logs from Kubernetes workloads | Enriching logs with Kubernetes metadata using Fluent Bit | 🔜 Coming Soon |
| Pair 40 | Enabling and configuring Kubernetes API server audit logging | Forwarding and analysing audit logs with Fluentd and Loki | 🔜 Coming Soon |
15. Multitenancy
Isolate teams, enforce resource boundaries, and onboard tenants at scale.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 41 | Designing namespace boundaries for multitenancy in Kubernetes | Enforcing namespace isolation with NetworkPolicy and RBAC | 🔜 Coming Soon |
| Pair 42 | Setting resource quotas to limit consumption per namespace in Kubernetes | Monitoring and alerting on ResourceQuota usage across tenants | 🔜 Coming Soon |
| Pair 43 | Defining default resource requests and limits with LimitRange | Combining LimitRange and ResourceQuota for predictable tenant workloads | 🔜 Coming Soon |
| Pair 44 | Automating tenant namespace provisioning with a Kubernetes Operator | Bootstrapping tenant RBAC, quotas, and policies with GitOps | 🔜 Coming Soon |
| Pair 45 | Managing namespace hierarchies with the Hierarchical Namespace Controller | Propagating policies and quotas across child namespaces with HNC | 🔜 Coming Soon |
16. Backup & Disaster Recovery
Protect your cluster state, automate backups, and recover with confidence.
| Pair | Part 1 | Part 2 | Status |
|---|---|---|---|
| Pair 46 | Understanding Kubernetes backup strategies and what needs to be backed up | Installing and configuring Velero for cluster backup in Kubernetes | 🔜 Coming Soon |
| Pair 47 | Creating on-demand and scheduled backups of namespaces with Velero | Backing up persistent volumes with Velero and CSI volume snapshots | 🔜 Coming Soon |
| Pair 48 | Restoring namespaces and resources from a Velero backup | Cross-cluster restore with Velero for disaster recovery | 🔜 Coming Soon |
| Pair 49 | Backing up and restoring etcd in a self-managed Kubernetes cluster | Automating etcd snapshots and validating restore integrity | 🔜 Coming Soon |
| Pair 50 | Testing disaster recovery with simulated cluster failures and Velero restores | Building a disaster recovery runbook for Kubernetes platform teams | 🔜 Coming Soon |
| Pair 51 | Configuring Velero with AWS S3 as a backup storage location | Storing Velero backups in Azure Blob Storage and Google Cloud Storage | 🔜 Coming Soon |
| Pair 52 | Setting backup schedules and retention policies with Velero | Managing backup lifecycle and cleaning up expired backups automatically | 🔜 Coming Soon |
| Pair 53 | Centralising backups from multiple clusters into a single Velero storage location | Migrating workloads between clusters using Velero backup and restore | 🔜 Coming Soon |
| Pair 54 | Encrypting Velero backups at rest with server-side encryption | Securing Velero credentials and storage access with IAM roles and IRSA | 🔜 Coming Soon |
| Pair 55 | Monitoring Velero backup status with Prometheus metrics and alerts | Validating backup completeness and integrity with automated restore tests | 🔜 Coming Soon |
Stay ahead in DevSecOps and CI/CD
New pairs drop every week. Subscribe to get notified — no noise, just deep technical content.