DevOps best practices - theartusz/config GitHub Wiki

  • inject secrets instead of keeping them in the cluster
  • use temporary tokens (rotate them) when accessing secrets
  • have a Grafana dashboard monitoring Flux errors
  • tags, tags, tags (createdBy, team, ...)
  • have long-term storage for Prometheus metrics, e.g. Thanos
  • export events from the cluster for long-term storage
  • include a dead man's switch (Opsgenie, PagerDuty or something else)
  • automatic image updates with Flux
  • include a CODEOWNERS file in each repo
  • auto-update clusters (at least dev)
  • use Helm charts instead of Kustomize
  • back up state every time before modifying it

Security

  • scan images/containers for vulnerabilities
  • define traffic policies between pods so only pods which should talk to each other can talk to each other (Cilium)
  • use Dependabot/Renovate to update dependencies automatically
  • option: use WhiteSource Bolt for security code scanning
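As an added example for the "traffic policies between pods" item (not from this wiki): a namespace-wide default-deny ingress policy plus one explicit allow rule, so only the `api` pods can reach the `db` pods, and only on the database port. The namespace `shop`, the labels `app=api` / `app=db` and port 5432 are assumptions.

```yaml
# Added example, not from this wiki. Assumed: namespace "shop", pods labelled
# app=api and app=db, database listening on TCP 5432.
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  endpointSelector: {}   # selects every pod in the namespace
  ingress:
  - {}                   # an empty rule allows nothing, so all ingress is denied by default
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: db            # the policy applies to the db pods
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: api         # only api pods may connect...
    toPorts:
    - ports:
      - port: "5432"     # ...and only to the database port
        protocol: TCP
```

Apply both documents with `kubectl apply -f`, then check they are loaded with `kubectl get ciliumnetworkpolicies -n shop`; any other pod in the namespace will now be unable to open a connection to `db`.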