Kubernetes & DevOps: Production-Grade Infrastructure

Containerization is the foundation of modern infrastructure. Docker packages your application, its dependencies, and runtime environment into a portable, reproducible unit. Getting containers right at the foundation level prevents cascading problems in Kubernetes, CI/CD, and production.

Key practices for production Docker images:

• Multi-stage builds -- Separate build and runtime stages. Build with full SDK, run with minimal runtime. Reduces image size by 60-80%.
• Non-root users -- Never run containers as root. Create a dedicated user in the Dockerfile for security compliance.
• Layer caching -- Order Dockerfile instructions from least to most frequently changed. Copy package.json before source code to cache dependency installation.
• Health checks -- Define HEALTHCHECK instructions for proper container orchestration and load balancer integration.
• Image scanning -- Integrate Trivy or Snyk in your CI pipeline to catch vulnerabilities before deployment.

Managed Kubernetes services (GKE on Google Cloud, EKS on AWS) eliminate the complexity of cluster management while providing enterprise-grade reliability. The choice between GKE and EKS depends on your existing cloud investment and specific requirements.

Helm packages Kubernetes manifests into reusable, versioned charts. For platforms with 26 microservices, Helm is essential -- it standardizes deployment configurations, enables environment-specific overrides via values files, and provides atomic rollback capabilities.

A well-structured Helm chart strategy for microservice platforms:

• Base chart -- A generic chart that handles 90% of your services (deployment, service, ingress, HPA, PDB). Services use values.yaml overrides for customization.
• Environment values -- Separate values files per environment: values-dev.yaml, values-staging.yaml, values-prod.yaml. Keep secrets in a separate encrypted store.
• Chart versioning -- Semantic versioning for charts. Breaking changes bump the major version. CI validates chart templates before merge.
• Helmfile -- Declaratively manage multiple releases across environments. One command to sync all services in an environment.

Istio adds a transparent infrastructure layer that handles service-to-service communication, security, and observability without modifying application code. For microservice platforms, Istio provides capabilities that would otherwise require custom implementation in every service.

Continuous Integration and Continuous Deployment pipelines automate the path from code commit to production deployment. A well-designed pipeline ensures every change is tested, validated, and deployed consistently -- eliminating human error from the release process.

GitOps and Platform Engineering (2026): GitOps adoption has crossed a critical threshold, with over 64% of enterprises reporting it as their primary delivery mechanism. Argo CD 3.3 (February 2026) closes several long-standing operational gaps including OIDC background token refresh, configurable Kubernetes API timeouts, and improved ApplicationSet UI. Flux continues to differentiate with its composable GitOps Toolkit that monitors image registries and auto-updates manifests. The broader trend is platform engineering standardization -- internal developer platforms (IDPs) now embed Argo CD or Flux as day-one tools, providing golden paths that enforce consistency and traceability while abstracting Kubernetes complexity from application developers.

Kubernetes 1.36 "Haru" (released April 22, 2026) ships with 70 tracked enhancements, including DRA reaching GA for GPU scheduling, HPAScaleToZero enabled by default, User Namespaces GA for rootless containers, OCI VolumeSource GA, and MutatingAdmissionPolicy graduating to stable. The Ingress NGINX Controller was officially retired on March 24, 2026 -- all teams should migrate to Gateway API. On the tooling side, Helm 4.1.4 (the current stable line) delivers Server-Side Apply by default and kstatus-based readiness checks, making helm install --wait reliable in CI/CD pipelines for the first time. Helm 4.2.0 is due May 13, 2026.

Site Reliability Engineering bridges development and operations, using software engineering practices to solve infrastructure problems. The core principles that make the difference in production:

Observability means understanding what's happening inside your system by examining its outputs. The three pillars -- metrics, logs, and traces -- work together to provide complete visibility into system behavior.

• Metrics -- Prometheus for collection, Grafana for visualization. Key metrics: request rate, error rate, latency (RED method), and resource utilization (CPU, memory, disk).
• Logs -- Structured JSON logging, centralized with ELK stack or Loki. Correlation IDs across services for request tracing through log analysis.
• Traces -- Distributed tracing with Jaeger or Tempo. Visualize request flow across microservices, identify bottlenecks, and measure service dependencies.
• Alerting -- Alert on SLO violations, not on individual metric thresholds. PagerDuty or Opsgenie integration for on-call notifications with severity-based routing.

The platform runs 26 microservices on Google Kubernetes Engine, serving multiple countries with localized billing (Stripe + MercadoPago). The infrastructure supports 41 branded Android app variants built and deployed through a unified CI/CD pipeline.