Everything you need to deploy, expose, scale, and maintain containerized
applications on Kubernetes. Covers core resource types, health probes,
resource tuning, autoscaling, namespace isolation, and production-ready
+YAML patterns — plus up-to-date guidance on API deprecations and supply-chain
−YAML patterns.
+hardening for 2026.
## When to use
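Review bot: the new summary promises "up-to-date guidance on API deprecations", but the only deprecation guidance in this patch is the single HorizontalPodAutoscaler note (autoscaling/v2 replacing the v2beta versions); either list the deprecations the page actually covers or narrow the wording to "the autoscaling/v2 HPA API". Also, the replacement sentence is split across two `+` lines around the removed `−YAML patterns.` line, so check that the rendered intro reads as one sentence ("...production-ready YAML patterns — plus ... supply-chain hardening for 2026.") rather than with a stray line break.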
@@ −42 +43 @@
Declare the desired state: image, replicas, resource requests/limits,
environment variables, and rolling update strategy.
+
+- Pin images to immutable references (use image@sha256:... digests) rather than mutable tags.
+- Do not use the tag `latest` in production manifests.
### Step 2: Configure health probes
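Review bot: the two added bullets overlap, since a manifest that references `image@sha256:...` digests cannot use the `latest` tag at all, and the same digest-pinning advice is repeated in the new "Security & supply-chain" section; consider folding them into one bullet here that points to that section. A digest-pinned manifest also needs a stated update path (a CI job or dependency bot that bumps the digest when the upstream image changes), otherwise readers pin once and stop receiving fixes; one sentence on that would make the step actionable.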
@@ −63 +67 @@
Set CPU/memory requests and limits. Add an HPA to scale on utilization
thresholds. Add a PodDisruptionBudget for safe rollouts.
+
+- Use autoscaling/v2 (stable) for the HorizontalPodAutoscaler — older v2beta versions were removed in recent Kubernetes releases. Ensure manifests use autoscaling/v2 and the metrics fields expected by that API.
### Step 6: Isolate with namespaces and network policies
Create a namespace per environment or team. Apply NetworkPolicies to
restrict traffic to only what is explicitly allowed.
+
+## Security & supply-chain (new)
+
+Recent supply-chain incidents (e.g., compromised scanner images) make image provenance and runtime admission controls mandatory in production clusters.
+
+- Pin by digest and verify image provenance: always reference images by digest (image@sha256:...) in manifests and CI pipelines so the runtime pulls a known-good image. This prevents silent changes when a tag is repointed.
+- Rotate credentials if a compromised image was pulled into CI or build infrastructure. If third-party images are compromised, rotate affected secrets and credentials immediately.
+ - Example incident: the Mar 19–23, 2026 compromise of specific aquasec/trivy images — Docker recommends removing affected images and rotating credentials when compromised digests were pulled.
+- Require signed images and enforce at admission time: use sigstore/cosign and the Sigstore Policy Controller (policy-controller) as a Kubernetes admission controller to require valid signatures/attestations before admission.
+ - Policy Controller can validate cosign signatures and attestations, resolve tags to digests at admission, and enforce per-namespace policies (opt-in by namespace label or cluster-wide).
+- Produce and store SBOMs (software bill of materials) and attestation metadata for your builds. Use them as part of admission policies and incident response.
+- Enforce runtime image allowlists/deny-lists with admission controllers (Sigstore policy-controller, OPA Gatekeeper, Kyverno) and use image scanning in CI, but do not rely on scanner images pulled at runtime without verification.
+
+Sources: Docker advisory on Trivy compromise (Mar 23, 2026) and Sigstore policy-controller docs.
## Examples
### Example 1: Production Deployment with probes and security
−\`\`\`yaml
apiVersion: apps/v1
kind: Deployment
metadata:
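Review bot: the `−\`\`\`yaml` line removes the opening fence of Example 1 with no replacement `+` line, while the following `apiVersion`/`kind`/`metadata` lines are unchanged context, so the YAML example ends up unfenced (and its closing fence, if still present, orphaned) and will not render as a code block; if the intent was to fix the escaped backticks, add the corrected `+```yaml` line. Further points in this hunk: "older v2beta versions were removed in recent Kubernetes releases" should name the versions (autoscaling/v2beta1 was removed in v1.25 and v2beta2 in v1.26) so readers can check their cluster; the "Sources:" line names the Docker advisory and the policy-controller docs but gives no URLs, and the incident bullet gives dates but no link to the advisory or the list of affected digests, so add the links (use a clearly marked placeholder if the final URL is not yet known) so the claim can be verified; and the bullet on the Policy Controller says it is "opt-in by namespace label", which is correct, but the "or cluster-wide" claim should cite the docs or be dropped.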