DevOps best practices - theartusz/config GitHub Wiki
- Inject secrets at runtime (from a secrets manager) instead of storing them in the cluster as plain Kubernetes Secrets
- Use short-lived tokens (rotated automatically) when accessing secrets
- Have a Grafana dashboard that monitors Flux reconciliation errors
- Tag everything (createdBy, team, ...)
- Have long-term storage for Prometheus metrics (e.g. Thanos)
- Export events from the cluster to long-term storage (the API server only keeps them for about an hour by default)
- Include a dead man's switch (Opsgenie, PagerDuty or similar) so that a silent alerting pipeline is itself noticed
- Automate image updates with Flux
- Include a CODEOWNERS file in each repo
- Auto-update the cluster (at least in dev)
- Use Helm charts instead of kustomizations
- Back up state every time before modifying it
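As an added example (not part of this wiki page), the Deployment below uses the HashiCorp Vault Agent injector to render database credentials into the pod at start-up instead of keeping them in a Kubernetes Secret. The namespace, Vault Kubernetes-auth role, database role and image name are assumptions. The token the sidecar receives is bounded by the TTL configured on the Vault role, and because the credentials come from a dynamic database role they expire with their lease as well.

```yaml
# Added example, not from the wiki. Assumed names: namespace "payments",
# Vault Kubernetes-auth role "payments-api", dynamic DB role "payments-ro".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels:
      app: payments-api
  template:
    metadata:
      labels:
        app: payments-api
      annotations:
        # Ask the Vault Agent injector (mutating webhook) to add a sidecar.
        vault.hashicorp.com/agent-inject: "true"
        # Kubernetes-auth role: the sidecar logs in with the pod's projected
        # service-account token and gets a short-lived Vault token whose TTL
        # is set on this role in Vault (e.g. token_ttl=1h, token_max_ttl=4h).
        vault.hashicorp.com/role: "payments-api"
        # Dynamic database credentials: Vault creates a DB user per lease and
        # revokes it when the lease expires, so nothing long-lived is issued.
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/payments-ro"
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "database/creds/payments-ro" -}}
          DB_USER={{ .Data.username }}
          DB_PASSWORD={{ .Data.password }}
          {{- end }}
    spec:
      serviceAccountName: payments-api
      containers:
        - name: api
          image: ghcr.io/example/payments-api:1.4.2  # assumed image
          # The agent writes the rendered file to /vault/secrets/db-creds on a
          # memory-backed volume shared with the sidecar; source it at start.
          command: ["/bin/sh", "-c"]
          args:
            - set -a; . /vault/secrets/db-creds; set +a; exec /app/server
```

Nothing in `kubectl get secrets -n payments` holds the database password, and the Vault token never leaves the sidecar. The agent renews the lease and re-renders the file, so the application must re-read it or be signalled on change (the `vault.hashicorp.com/agent-inject-command-db-creds` annotation can run a command after each render).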
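As an added example (not part of this wiki page), the Flux objects below scan a registry, select the newest tag that satisfies a semver range and commit the new tag back to git, after which the normal Flux reconciliation rolls it out. The repository name, branch, path and the podinfo image are assumptions; the API versions are those of Flux 2.x (ImageUpdateAutomation also exists as v1beta2 in newer releases).

```yaml
# Added example (not from the wiki). Assumed: a Flux-bootstrapped repo
# "flux-system" on branch "main", manifests under ./clusters/dev.
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: podinfo
  namespace: flux-system
spec:
  image: ghcr.io/stefanprodan/podinfo
  interval: 5m           # how often the registry is scanned for new tags
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: podinfo
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: podinfo
  policy:
    semver:
      range: 6.x         # only 6.y.z tags; a major bump still needs a human
---
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageUpdateAutomation
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 30m
  sourceRef:
    kind: GitRepository
    name: flux-system
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        email: fluxcdbot@users.noreply.github.com
        name: fluxcdbot
      messageTemplate: '{{range .Updated.Images}}{{println .}}{{end}}'
    push:
      branch: main       # use a separate branch here to force a PR review
  update:
    path: ./clusters/dev # only files under this path are rewritten
    strategy: Setters
---
# The Deployment that gets updated: the trailing marker tells Flux which
# ImagePolicy governs this image field.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: podinfo
  namespace: default
spec:
  selector:
    matchLabels:
      app: podinfo
  template:
    metadata:
      labels:
        app: podinfo
    spec:
      containers:
        - name: podinfo
          image: ghcr.io/stefanprodan/podinfo:6.0.0 # {"$imagepolicy": "flux-system:podinfo"}
```

`flux get images all -n flux-system` shows what was scanned and which tag the policy chose. Because the automation pushes a git commit, anyone who can publish a matching tag to the registry can change what runs in the cluster; pushing to a non-deployed branch and merging through a reviewed PR keeps a person between the registry and the cluster.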
Security
- Scan images/containers for vulnerabilities
- Define traffic policies between pods so that only pods which should talk to each other can (e.g. Cilium network policies)
- Use Dependabot/Renovate to update dependencies automatically
- Optionally use WhiteSource Bolt for security code scanning
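As an added example (not part of this wiki page), the Cilium policies below lock down one namespace: a default deny in both directions, then explicit allows so that the API can reach Postgres and cluster DNS and Postgres accepts only the API. The namespace and the `app` labels are assumptions.

```yaml
# Added example (not from the wiki). Assumed namespace "payments" with an
# "app: payments-api" deployment that talks to an "app: postgres" pod.
# 1. Default deny: select every endpoint in the namespace; an empty rule
#    turns enforcement on for that direction without allowing anything.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny
  namespace: payments
spec:
  endpointSelector: {}
  ingress:
    - {}
  egress:
    - {}
---
# 2. The API may talk to Postgres on 5432 and to cluster DNS, nothing else.
#    Without the DNS rule a default-deny egress silently breaks name lookups.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payments-api-egress
  namespace: payments
spec:
  endpointSelector:
    matchLabels:
      app: payments-api
  egress:
    - toEndpoints:
        - matchLabels:
            app: postgres
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"   # allow (and log) all names; tighten per service
---
# 3. Postgres accepts connections only from the API, only on 5432.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: postgres-ingress
  namespace: payments
spec:
  endpointSelector:
    matchLabels:
      app: postgres
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: payments-api
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
```

Policies are additive, so the allow rules widen the default deny rather than replace it. `hubble observe --verdict DROPPED -n payments` shows what the deny is still blocking, which is the quickest way to find a flow that was forgotten.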
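As an added example (not part of this wiki page), a `.github/dependabot.yml` for a repository that holds a Go service, a Dockerfile and GitHub Actions workflows (the layout is assumed). It covers the base image, the pinned actions and the Go modules, and groups non-breaking bumps to keep review load manageable.

```yaml
# Added example (not from the wiki): .github/dependabot.yml for a repo with a
# Go module, a Dockerfile and workflows at the repository root (assumed).
version: 2
updates:
  # Base images in Dockerfiles: a stale base image is the usual source of
  # findings in the container vulnerability scan.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
  # Pinned actions in .github/workflows
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  # Go modules; minor and patch bumps arrive as one grouped PR
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    labels:
      - "dependencies"
```

Dependabot only opens pull requests; they still run CI and need approval from the reviewers listed in CODEOWNERS, which is what stops a malicious upstream release from reaching the cluster unreviewed.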