Series MapLesson 54 / 60
Focus mode active/Press Alt+Shift+R to toggle/Esc to exit
Final StretchOrdered learning track

Platform Policy and Governance

Namespace, label, annotation, resource, probe, security, NetworkPolicy, RBAC, secret, ingress, admission controller, OPA Gatekeeper, Kyverno, policy-as-code, and platform governance checklist for enterprise Kubernetes.

20 min read3889 words
PrevNext
Lesson 5460 lesson track51–60 Final Stretch
#kubernetes#governance#policy-as-code#admission-control+3 more

Part 054 — Platform Policy and Governance

1. Core thesis

Kubernetes without platform governance becomes a cluster full of locally reasonable but globally dangerous decisions.

Every team can create:

  • slightly different labels
  • inconsistent probes
  • missing resource requests
  • over-permissive ServiceAccounts
  • unmanaged secrets
  • public ingresses without clear ownership
  • pods running as root
  • missing NetworkPolicies
  • unbounded logging
  • fragile Helm values
  • undocumented exceptions

At small scale, this looks like flexibility.

At enterprise scale, it becomes:

incident risk
security risk
cost leak
operational ambiguity
audit weakness
platform drift

Platform governance is the discipline of turning production expectations into consistent, reviewable, enforceable standards.

The goal is not bureaucracy.

The goal is to make the safe path the default path.


2. Governance is a control system

A mature platform uses multiple layers of control:

flowchart TD A[Platform standards] --> B[Templates and golden paths] B --> C[CI validation] C --> D[GitOps review] D --> E[Admission control] E --> F[Runtime monitoring] F --> G[Drift detection] G --> H[Exception review] H --> A

Good governance does not rely only on humans remembering checklists.

It combines:

  • documentation
  • templates
  • PR review
  • static validation
  • admission policy
  • runtime detection
  • dashboards
  • exception handling
  • periodic audit

3. What platform governance must standardize

At minimum, standardize these areas:

namespace
labels
annotations
resource requests/limits
probes
security context
RBAC
ServiceAccount
secrets
ConfigMaps
NetworkPolicy
Ingress/Gateway
TLS
storage
autoscaling
observability
cost attribution
GitOps ownership
runbooks
exceptions

The most important standard is not the YAML shape. It is the operational contract.

Example:

Every customer-facing service must expose a readiness endpoint
that only becomes ready after local startup is complete
and must support graceful shutdown within the configured termination grace period.

That contract can then be implemented in Helm templates, Kustomize bases, CI checks, and admission policies.


4. Namespace standards

Namespaces are not just folders.

They define boundaries for:

  • access control
  • quota
  • NetworkPolicy
  • Pod Security admission
  • secret visibility
  • deployment ownership
  • cost attribution
  • environment separation
  • incident blast radius

4.1 Namespace naming

A useful naming convention encodes ownership and environment.

Examples:

quote-order-dev
quote-order-test
quote-order-staging
quote-order-prod
platform-observability
platform-ingress
platform-secrets

Avoid names that hide ownership:

app
backend
default
prod
misc
test2

4.2 Namespace required metadata

Example:

apiVersion: v1
kind: Namespace
metadata:
  name: quote-order-prod
  labels:
    app.kubernetes.io/part-of: quote-order
    environment: prod
    owner-team: quote-order
    cost-center: example-cost-center
    data-classification: confidential
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
  annotations:
    runbook.example.com/url: "internal-verification-required"
    escalation.example.com/team: "internal-verification-required"

Do not copy this as-is for CSG. Use it as a shape to compare against internal standards.

4.3 Namespace governance checklist

Internal verification checklist:

  • What is the namespace naming standard?
  • Is namespace per team, product, environment, tenant, or application?
  • Are default namespace workloads forbidden?
  • Are namespace owners visible?
  • Are cost labels required?
  • Are Pod Security labels enforced?
  • Are quotas applied?
  • Are LimitRanges applied?
  • Are default-deny NetworkPolicies required?
  • Are runbooks linked?
  • Who can create namespaces?

5. Label standards

Labels are queryable identity.

They power:

  • selectors
  • Services
  • Deployments
  • NetworkPolicies
  • dashboards
  • alerts
  • cost allocation
  • ownership
  • GitOps grouping
  • inventory
  • incident search

A poor label strategy breaks automation.

Use labels for stable machine-readable identity:

metadata:
  labels:
    app.kubernetes.io/name: quote-api
    app.kubernetes.io/instance: quote-api-prod
    app.kubernetes.io/version: "1.42.0"
    app.kubernetes.io/component: api
    app.kubernetes.io/part-of: quote-order
    app.kubernetes.io/managed-by: Helm
    environment: prod
    owner-team: quote-order
    workload-type: jaxrs-api
    data-classification: confidential

5.2 Selector labels must be stable

A Service selector should not use frequently changing labels.

Bad:

selector:
  app.kubernetes.io/version: "1.42.0"

This can disconnect Service from pods during rollout.

Better:

selector:
  app.kubernetes.io/name: quote-api
  app.kubernetes.io/instance: quote-api-prod

5.3 Label governance checklist

Internal verification checklist:

  • Are standard Kubernetes recommended labels used?
  • Which labels are mandatory?
  • Which labels are allowed in selectors?
  • Which labels drive cost allocation?
  • Which labels drive dashboards?
  • Which labels drive NetworkPolicy?
  • Which labels identify owner team?
  • Are mutable labels kept out of selectors?
  • Are labels consistent across Helm/Kustomize/GitOps?
  • Are labels validated in CI/admission?

6. Annotation standards

Annotations are metadata for tools and humans.

They often configure:

  • ingress controllers
  • service meshes
  • secret reloaders
  • observability agents
  • deployment tools
  • policy exceptions
  • runbook links
  • ownership links

Annotations can be dangerous because they may alter controller behavior.

Example ingress annotations may change:

  • timeout
  • body size
  • rewrite
  • TLS behavior
  • backend protocol
  • canary routing
  • sticky session

6.1 Annotation governance rule

Treat controller-specific annotations as privileged configuration.

They should be:

  • documented
  • reviewed
  • validated
  • owned
  • tested
  • monitored

6.2 Annotation governance checklist

Internal verification checklist:

  • Which annotations are allowed?
  • Which annotations are forbidden?
  • Which annotations require platform approval?
  • Are ingress annotations reviewed?
  • Are policy exception annotations time-bound?
  • Are runbook annotations required?
  • Are annotation values validated?
  • Are annotation changes tested in non-prod?
  • Are annotations documented per controller?

7. Resource standards

Resource governance protects:

  • application stability
  • node capacity
  • autoscaling behavior
  • cost
  • noisy-neighbor isolation
  • JVM correctness

Every production workload should define:

resources:
  requests:
    cpu: "500m"
    memory: "1Gi"
  limits:
    memory: "2Gi"

CPU limit policy is more nuanced for Java services because CPU throttling can harm latency. Some organizations use memory limits but avoid CPU limits for latency-sensitive services, relying on CPU requests and quota instead. This must be an internal platform decision.

7.1 Resource standard by workload type

Different workload types need different defaults.

REST API:
  prioritize latency, startup, readiness, CPU headroom

Kafka/RabbitMQ consumer:
  prioritize throughput, lag recovery, graceful shutdown

Batch job:
  prioritize bounded runtime, retry safety, resource isolation

Camunda worker:
  prioritize lock duration, idempotency, external task behavior

Stateful dependency:
  prioritize memory, disk, IO, anti-affinity, disruption safety

7.2 Resource governance checklist

Internal verification checklist:

  • Are CPU requests mandatory?
  • Are memory requests mandatory?
  • Are memory limits mandatory?
  • Are CPU limits required, optional, or discouraged?
  • Are defaults workload-type aware?
  • Are JVM heap rules standardized?
  • Are QoS classes understood?
  • Are ResourceQuotas applied?
  • Are LimitRanges applied?
  • Are cost dashboards using resource labels?
  • Are resource changes reviewed against metrics?

8. Probe standards

Probe governance prevents accidental outages.

Required distinctions:

startupProbe:
  protects slow-starting containers from premature liveness failure

readinessProbe:
  controls whether pod receives traffic

livenessProbe:
  detects unrecoverable local process failure

8.1 Probe anti-patterns to forbid

Avoid:

- liveness checks all downstream dependencies
- readiness always returns 200 after process starts
- same endpoint used for all probes with same semantics
- very short timeout for Java cold start
- aggressive failureThreshold causing restart storm
- no startupProbe for slow JVM startup
- readiness depends on optional dependency
- probe endpoint performs expensive DB query

8.2 Probe governance checklist

Internal verification checklist:

  • Are readiness/liveness/startup required for APIs?
  • Are probe endpoints standardized?
  • Are dependency checks allowed in readiness?
  • Are downstream checks forbidden in liveness?
  • Are timeouts standardized?
  • Are slow-start Java services required to use startupProbe?
  • Are probe failures dashboarded?
  • Are probe-induced incidents reviewed?
  • Are Helm chart defaults safe?

9. Security standards

Security governance defines the baseline runtime posture.

Common standards:

securityContext:
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault

This may need exceptions for specific workloads, but exceptions should be explicit and reviewed.

9.1 Security settings to control

Control:

  • privileged containers
  • hostNetwork
  • hostPID
  • hostIPC
  • HostPath
  • added Linux capabilities
  • root user
  • writable root filesystem
  • privilege escalation
  • unsafe sysctls
  • service account token automount
  • image registry source
  • latest tag
  • unsigned images
  • unscanned images

9.2 Pod Security Standards

Pod Security Standards define broad profiles such as privileged, baseline, and restricted. Platform teams commonly map namespace enforcement to environment and workload needs.

Example:

metadata:
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Internal policy may differ. Verify.

9.3 Security governance checklist

Internal verification checklist:

  • Is restricted Pod Security enforced?
  • Are exceptions allowed?
  • Who approves privileged containers?
  • Is HostPath forbidden?
  • Is hostNetwork forbidden?
  • Is root forbidden?
  • Is read-only root filesystem required?
  • Are capabilities dropped by default?
  • Is seccomp RuntimeDefault required?
  • Are images restricted to trusted registries?
  • Is image scanning required before deploy?
  • Are security exceptions time-bound?

10. RBAC and ServiceAccount standards

RBAC governance prevents workload and automation privilege sprawl.

10.1 ServiceAccount standard

Every workload should have an explicit ServiceAccount.

Avoid relying on default.

Example:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: quote-api
automountServiceAccountToken: false

If the pod needs Kubernetes API access or cloud workload identity, enable only what is needed.

10.2 RBAC principles

Use:

least privilege
namespace scope when possible
separate deployer permission from runtime permission
separate GitOps controller permission from application permission
avoid cluster-admin
avoid wildcard verbs/resources unless justified

10.3 RBAC governance checklist

Internal verification checklist:

  • Are default ServiceAccounts forbidden?
  • Is automount disabled by default?
  • Which workloads need Kubernetes API access?
  • Which workloads need cloud identity?
  • Are Roles preferred over ClusterRoles?
  • Are wildcard permissions forbidden?
  • Are CI/CD permissions separated from runtime permissions?
  • Are GitOps permissions reviewed?
  • Are RBAC denies monitored?
  • Is cluster-admin usage audited?

11. Secret standards

Secret governance prevents credential leakage.

Important rules:

Kubernetes Secret is not a full secret management strategy by itself.
Base64 is not encryption.
Secret source of truth must be clear.
Rotation must be designed.
Runtime exposure must be minimized.

11.1 Standard questions

For each secret:

  • Where does it originate?
  • Who can read it?
  • How is it synced into Kubernetes?
  • Is it stored in Git?
  • Is it encrypted at rest?
  • Is it mounted as env var or volume?
  • How is it rotated?
  • Does the app reload it?
  • Is leakage monitored?
  • Is access audited?

11.2 Secret governance checklist

Internal verification checklist:

  • Are plain Kubernetes Secret manifests allowed in Git?
  • Is External Secrets used?
  • Is Sealed Secrets used?
  • Is AWS Secrets Manager used?
  • Is Azure Key Vault used?
  • Is SSM Parameter Store used?
  • Is Azure App Configuration used?
  • Are secrets mounted as files where possible?
  • Are sensitive env vars restricted?
  • Are secret names standardized?
  • Are secret rotations tested?
  • Are logs scanned for secret leakage?

12. Config standards

Config governance protects environment consistency.

Standardize:

  • config naming
  • environment overlays
  • default values
  • required values
  • validation
  • config reload behavior
  • config drift detection
  • restart-on-config-change behavior
  • config ownership

12.1 Dangerous config patterns

Avoid:

- environment-specific magic hidden in application code
- config changes outside GitOps
- no validation at startup
- defaulting to production endpoints
- feature flags without owner
- config copied across overlays with silent drift
- secret values mixed into ConfigMap

12.2 Config governance checklist

Internal verification checklist:

  • Are ConfigMaps GitOps-managed?
  • Are config schemas validated?
  • Are required config values checked at startup?
  • Are environment overlays reviewed?
  • Are secret and non-secret config separated?
  • Are config changes traceable to PRs?
  • Are runtime config changes allowed?
  • Are config reloads supported or do pods restart?

13. NetworkPolicy standards

NetworkPolicy governance turns network access into explicit intent.

Recommended model:

default deny ingress
default deny egress where operationally feasible
allow DNS
allow required dependency traffic
allow ingress from approved gateways
allow observability agents if needed
deny everything else

13.1 Standard egress categories

For enterprise Java services:

  • DNS
  • PostgreSQL
  • Kafka
  • RabbitMQ
  • Redis
  • Camunda/database/workflow dependencies
  • internal REST APIs
  • cloud APIs
  • secret manager
  • telemetry backend
  • package/image registry if needed at runtime
  • proxy if used

13.2 NetworkPolicy governance checklist

Internal verification checklist:

  • Does the CNI enforce NetworkPolicy?
  • Is default deny required?
  • Is DNS egress standardized?
  • Are database and messaging egress rules explicit?
  • Are cloud service egress rules explicit?
  • Are namespace labels standardized for policy selectors?
  • Are ingress rules limited to gateway/service mesh/approved callers?
  • Is policy tested before production?
  • Are blocked-traffic signals observable?

14. Ingress and Gateway standards

Ingress/Gateway governance protects customer-facing traffic.

Standardize:

  • allowed ingress controllers
  • IngressClass/GatewayClass
  • DNS ownership
  • TLS certificate ownership
  • host naming
  • path routing
  • rewrite rules
  • timeout defaults
  • body size defaults
  • source IP handling
  • forwarded header handling
  • authentication integration
  • canary rules
  • WAF/front door integration
  • public vs private exposure

14.1 Required ingress metadata

Every public ingress should answer:

Who owns this route?
What service receives traffic?
Is it public, private, or partner-facing?
Where is TLS terminated?
Which certificate is used?
What is the timeout chain?
What auth layer protects it?
What runbook covers outage?
What dashboard shows traffic?

14.2 Ingress governance checklist

Internal verification checklist:

  • Which ingress controller is used?
  • Is Gateway API used?
  • Who owns DNS?
  • Who owns certificates?
  • Are public ingresses reviewed by security/platform?
  • Are wildcard hosts restricted?
  • Are controller annotations restricted?
  • Are timeout/body-size defaults documented?
  • Are forwarded headers standardized?
  • Are runbooks linked?
  • Are 4xx/5xx dashboards available?

15. Storage standards

Storage governance protects data durability.

Standardize:

  • allowed StorageClasses
  • reclaim policy
  • access modes
  • backup requirements
  • snapshot requirements
  • encryption requirements
  • zone topology
  • expansion policy
  • StatefulSet patterns
  • managed service preference
  • HostPath restrictions

15.1 Storage questions

For every PVC:

What data is stored?
Can it be recreated?
Is it customer data?
Is it encrypted?
Is it backed up?
What is RPO?
What is RTO?
Can the pod move zones?
What happens on node loss?
Who owns restore testing?

15.2 Storage governance checklist

Internal verification checklist:

  • Which StorageClasses are allowed?
  • Is HostPath forbidden?
  • Are PVCs labeled with owner/data classification?
  • Are backups required?
  • Are snapshots tested?
  • Are reclaim policies reviewed?
  • Are stateful workloads approved by platform/SRE?
  • Are managed services preferred for PostgreSQL/Kafka/RabbitMQ/Redis?
  • Are CSI drivers monitored?

16. Autoscaling standards

Autoscaling governance prevents unstable scaling.

Standardize:

  • HPA default metrics
  • min/max replicas
  • CPU target ranges
  • memory scaling policy
  • custom metric naming
  • KEDA scaler patterns
  • queue lag scaling
  • scale-to-zero rules
  • stabilization windows
  • max surge interaction
  • PDB interaction
  • node autoscaler assumptions

16.1 Autoscaling anti-patterns

Avoid:

- HPA with minReplicas=1 for critical APIs without justification
- scaling consumers only on CPU while lag grows
- scaling Java apps with too-low memory request
- aggressive scale-down causing cold-start latency
- HPA depending on broken metrics adapter
- no alert when HPA cannot fetch metrics
- node autoscaler unable to add required node type

16.2 Autoscaling governance checklist

Internal verification checklist:

  • Are HPAs required for customer-facing services?
  • Are min/max replicas standardized?
  • Are queue consumers scaled by lag/depth?
  • Is KEDA used?
  • Are HPA events monitored?
  • Are metrics adapters reliable?
  • Are node autoscaler limits documented?
  • Are scale-down windows safe for Java cold start?
  • Are autoscaling changes load-tested?

17. Observability standards

Observability governance ensures every workload can be operated.

Minimum standard:

logs
metrics
traces where appropriate
Kubernetes events
dashboards
alerts
runbook
owner
SLO/SLA where applicable

17.1 Java/JAX-RS observability baseline

Each service should expose:

  • structured logs
  • correlation ID
  • request count
  • latency histogram
  • error rate
  • JVM heap/non-heap metrics
  • GC metrics
  • thread metrics
  • connection pool metrics
  • HTTP client metrics
  • Kafka/RabbitMQ consumer metrics if applicable
  • database pool metrics
  • readiness/liveness status
  • build/version info

17.2 Observability governance checklist

Internal verification checklist:

  • Are logs structured?
  • Is correlation ID required?
  • Are metrics scraped?
  • Are traces required for critical services?
  • Are dashboards generated from standard labels?
  • Are alerts tied to customer impact?
  • Are runbooks linked from alerts?
  • Are noisy alerts reviewed?
  • Is logging cost monitored?
  • Is PII in logs prohibited and scanned?

18. Cost governance

Kubernetes cost governance requires attribution.

Standardize:

  • owner labels
  • cost-center labels
  • environment labels
  • resource request review
  • storage class review
  • load balancer review
  • NAT/egress review
  • logging volume review
  • metrics cardinality review
  • idle resource review
  • autoscaling limits

18.1 Cost anti-patterns

Avoid:

- services with huge requests but low utilization
- no owner label
- per-service public load balancer without justification
- high-cardinality metrics explosion
- verbose debug logs in production
- oversized persistent volumes
- NAT-heavy egress path
- multi-AZ cost ignored
- stale namespaces left running

18.2 Cost governance checklist

Internal verification checklist:

  • Are cost labels mandatory?
  • Are resource requests reviewed periodically?
  • Are idle workloads detected?
  • Are LB costs attributed?
  • Are NAT/egress costs visible?
  • Are log volumes measured?
  • Are high-cardinality metrics controlled?
  • Are ephemeral environments cleaned up?
  • Are storage costs reviewed?

19. Admission control

Admission control is where policy can be enforced before objects enter the cluster.

Admission can:

  • validate
  • mutate
  • reject
  • default
  • audit

Examples:

reject pods running as root
require resource requests
require owner labels
forbid latest image tag
require trusted registry
deny privileged containers
require NetworkPolicy
require read-only root filesystem
require Pod Security labels
enforce allowed ingress classes

19.1 Admission policy design principles

Good policies are:

  • clear
  • testable
  • explainable
  • actionable
  • environment-aware
  • exception-aware
  • version-controlled
  • monitored

Bad policies are:

  • surprising
  • undocumented
  • too broad
  • impossible to satisfy
  • different between CI and cluster
  • missing exception workflow
  • enforced before teams have migration path

19.2 Admission control checklist

Internal verification checklist:

  • Which admission controllers are enabled?
  • Is Pod Security Admission used?
  • Is OPA Gatekeeper used?
  • Is Kyverno used?
  • Are policies enforced, audited, or warned?
  • Are policy failures visible in CI?
  • Are exceptions time-bound?
  • Are policies version-controlled?
  • Are policies tested?
  • Is there a break-glass process?

20. OPA Gatekeeper awareness

OPA Gatekeeper uses policy constraints to validate Kubernetes resources.

Conceptually:

ConstraintTemplate defines reusable policy logic.
Constraint applies that logic to selected resources.
Admission webhook enforces or audits the result.

Use cases:

  • require labels
  • restrict repositories
  • forbid privileged pods
  • require resource requests
  • enforce allowed hostnames
  • restrict Service types
  • validate ingress annotations

Strengths:

  • powerful policy language
  • strong validation model
  • good for centralized platform policy
  • mature Kubernetes admission pattern

Trade-offs:

  • policy language requires skill
  • debugging can be non-trivial
  • overly abstract policies can be hard for app teams
  • exception process must be clear

21. Kyverno awareness

Kyverno is a Kubernetes-native policy engine that can validate, mutate, generate, and verify resources using Kubernetes-style YAML policies.

Use cases:

  • add default labels
  • require resource limits
  • restrict image registries
  • verify image signatures
  • generate default NetworkPolicies
  • mutate securityContext
  • enforce Pod Security controls

Strengths:

  • YAML-native policy style
  • accessible for Kubernetes teams
  • supports validation and mutation patterns
  • useful for generating standard resources

Trade-offs:

  • mutation can hide complexity
  • generated resources need ownership clarity
  • policy ordering must be understood
  • exceptions must be governed

22. Policy-as-code lifecycle

Policy-as-code must follow software engineering discipline.

Lifecycle:

1. Define standard.
2. Write policy.
3. Test against known good manifests.
4. Test against known bad manifests.
5. Run in audit mode.
6. Review violations.
7. Fix templates and workloads.
8. Communicate enforcement date.
9. Enforce in lower environments.
10. Enforce in production.
11. Monitor violations.
12. Review exceptions.
13. Iterate.

22.1 Policy promotion

Treat policy like code:

dev -> test -> staging -> production

Never introduce high-blast-radius policy directly into production enforcement.

22.2 Policy exception

Every exception should include:

what policy is violated
why exception is needed
who owns it
when it expires
what compensating control exists
how it will be remediated
who approved it

23. CI validation vs admission control

CI validation and admission control are complementary.

CI validation

Pros:

  • fast feedback before merge
  • developer-friendly
  • can run richer checks
  • can include chart rendering
  • can comment on PR

Cons:

  • can be bypassed if cluster changes outside CI
  • may not exactly match cluster admission
  • may lack live cluster context

Admission control

Pros:

  • protects cluster boundary
  • cannot be bypassed by ordinary deploy path
  • sees final object
  • enforces runtime platform rules

Cons:

  • later feedback
  • can block urgent changes
  • requires clear messages
  • needs exception/break-glass design

Best practice:

same policy intent in CI and admission
CI catches early
admission protects final boundary

24. Governance for Helm and Kustomize

24.1 Helm governance

Standardize:

  • chart structure
  • values schema
  • helper templates
  • default labels
  • resource defaults
  • probe defaults
  • securityContext defaults
  • ServiceAccount creation
  • ingress templates
  • NetworkPolicy templates
  • HPA templates
  • PDB templates
  • NOTES usage if applicable
  • secret handling

Checklist:

- Does chart render valid manifests?
- Does values schema reject bad input?
- Are environment values minimal?
- Are secrets kept out of values files?
- Are labels consistent?
- Are selectors stable?
- Are security defaults safe?
- Are resources required?

24.2 Kustomize governance

Standardize:

  • base ownership
  • overlay naming
  • patch style
  • image update strategy
  • generator behavior
  • namespace handling
  • common labels
  • environment-specific divergence limits

Checklist:

- Is overlay drift controlled?
- Are patches minimal?
- Are generated ConfigMaps/Secrets intentional?
- Are image tags updated by automation?
- Are environment differences documented?
- Is rendered output validated?

25. Governance for GitOps

GitOps governance defines how desired state changes.

Standardize:

  • repository structure
  • environment promotion
  • sync policy
  • sync waves
  • CRD ownership
  • app ownership
  • manual hotfix policy
  • drift detection
  • rollback procedure
  • approval gates
  • secrets strategy
  • cluster bootstrap

25.1 GitOps anti-patterns

Avoid:

- manual kubectl edits in production without Git follow-up
- unclear source of truth
- multiple repos owning same resource
- CRDs and CRs synced in wrong order
- production auto-sync without guardrails
- no rollback strategy
- no diff review
- no ownership metadata

25.2 GitOps governance checklist

Internal verification checklist:

  • Is Git the source of truth?
  • Which repo owns each namespace/app?
  • Are manual changes allowed?
  • Is drift alerted?
  • Are sync waves used?
  • Are CRDs managed separately?
  • Are environment promotions explicit?
  • Are production changes approved?
  • Are rollback procedures tested?

26. Governance for Java/JAX-RS service templates

A platform should provide a golden path for Java/JAX-RS services.

The template should include:

  • Dockerfile baseline
  • non-root runtime
  • JVM options pattern
  • health endpoint contract
  • graceful shutdown config
  • structured logging
  • correlation ID propagation
  • metrics endpoint
  • OpenTelemetry hooks if used
  • Deployment template
  • Service template
  • Ingress/Gateway template
  • ConfigMap/Secret pattern
  • ServiceAccount
  • RBAC if needed
  • NetworkPolicy
  • HPA
  • PDB
  • dashboard
  • alert rules
  • runbook skeleton

26.1 Golden path principle

The default template should be production-safe.

Teams should not need to discover production standards from incident history.


27. Governance failure modes

27.1 Missing resource requests

Symptoms:

  • unpredictable scheduling
  • BestEffort QoS
  • node pressure eviction
  • HPA mismatch
  • noisy-neighbor issues
  • cost attribution gaps

Prevention:

CI/admission require resource requests
template provides workload-aware defaults
periodic review against actual usage

27.2 Inconsistent labels

Symptoms:

  • dashboards miss workloads
  • alerts cannot route
  • cost reports incomplete
  • Service selector mistakes
  • NetworkPolicy mismatch

Prevention:

mandatory label policy
template-generated labels
selector label review

27.3 Over-permissive RBAC

Symptoms:

  • workload can read secrets
  • CI has cluster-admin
  • GitOps controller can mutate too much
  • audit findings

Prevention:

least privilege standard
RBAC review
wildcard deny policy where possible
cluster-admin audit

27.4 Unsafe ingress annotations

Symptoms:

  • exposed internal service
  • timeout mismatch
  • broken auth redirect
  • source IP wrong
  • canary misrouting
  • 502/504 spike

Prevention:

allowed annotation list
platform review for edge routing
ingress tests
dashboard and logs

27.5 Secret leakage

Symptoms:

  • secrets in Git
  • secrets in logs
  • env dump exposes credentials
  • developers copy production values
  • stale secrets never rotated

Prevention:

external secret strategy
Git secret scanning
log scanning
RBAC restriction
rotation runbook

27.6 Policy too strict without migration

Symptoms:

  • deployment freeze
  • emergency bypass
  • teams distrust platform
  • manual cluster edits
  • shadow processes

Prevention:

audit mode first
clear remediation docs
golden templates
exception process
enforcement schedule

28. Internal verification checklist

Use this as a CSG/team discovery checklist.

Namespace

  • What is namespace naming standard?
  • Who can create namespace?
  • Are quotas required?
  • Are LimitRanges required?
  • Are Pod Security labels required?
  • Are default namespaces blocked?

Labels and annotations

  • What labels are mandatory?
  • Which labels drive ownership?
  • Which labels drive cost?
  • Which labels drive dashboards?
  • Which labels drive NetworkPolicy?
  • Which annotations are allowed?
  • Which annotations require approval?

Resource and probes

  • Are resource requests mandatory?
  • Are memory limits mandatory?
  • What is the CPU limit policy?
  • Are Java heap rules standardized?
  • Are startup/readiness/liveness probes required?
  • Are probe endpoints standardized?

Security

  • Is Pod Security Admission enforced?
  • Are OPA Gatekeeper or Kyverno used?
  • Are privileged pods allowed?
  • Is root forbidden?
  • Is read-only root filesystem required?
  • Are trusted registries enforced?
  • Is image signature verification used?

RBAC and identity

  • Are default ServiceAccounts forbidden?
  • Is automount disabled by default?
  • Who approves ClusterRole?
  • Are CI/CD permissions scoped?
  • Are GitOps permissions scoped?
  • Are IRSA/Azure Workload Identity standards documented?

Secrets and config

  • What is the secret source of truth?
  • Are secrets allowed in Git?
  • Is External Secrets used?
  • Is Sealed Secrets used?
  • Is AWS Secrets Manager used?
  • Is Azure Key Vault used?
  • How is rotation tested?
  • Are ConfigMaps validated?

Networking

  • Is default deny required?
  • Is NetworkPolicy enforced by CNI?
  • Are DNS egress rules standardized?
  • Are database/messaging egress policies standardized?
  • Are private endpoint policies documented?
  • Are public ingresses reviewed?

GitOps/IaC

  • Which repo owns desired state?
  • Are Helm and Kustomize both used?
  • Are environment overlays standardized?
  • Is drift detection enabled?
  • Are manual hotfixes allowed?
  • How are policy exceptions represented?

Observability and operations

  • Are dashboards required before production?
  • Are alerts required?
  • Are runbooks required?
  • Are owner/escalation annotations required?
  • Are incident notes linked?
  • Are governance violations reported?

29. PR review checklist

When reviewing a Kubernetes platform PR, ask:

Ownership

  • Is owner team clear?
  • Is environment clear?
  • Is runbook linked?
  • Is escalation path visible?

Correctness

  • Are selectors stable?
  • Are labels consistent?
  • Are resources valid?
  • Are probes semantically correct?
  • Are config and secret separated?

Security

  • Is pod running non-root?
  • Are capabilities dropped?
  • Is root filesystem read-only where possible?
  • Is ServiceAccount least privilege?
  • Are secrets protected?
  • Is ingress exposure intentional?

Networking

  • Is Service targetPort correct?
  • Is ingress host/path correct?
  • Are NetworkPolicies explicit?
  • Is DNS dependency understood?
  • Is private endpoint access documented?

Operations

  • Are resources sized?
  • Is HPA/PDB configured where needed?
  • Is graceful shutdown supported?
  • Are logs/metrics/traces available?
  • Are alerts and dashboards ready?
  • Is rollback possible?

Governance

  • Does it follow namespace/label/resource/probe/security standards?
  • Does it require policy exception?
  • Is exception documented and time-bound?
  • Does CI/admission validate it?

30. Senior engineer heuristics

Use these heuristics:

If ownership is unclear, incident response will be slow.
If labels are inconsistent, automation will lie.
If probes are weak, rollout safety is fake.
If resources are missing, capacity planning is guesswork.
If ServiceAccount is default, privilege is ambiguous.
If secrets are in Git, rotation is already compromised.
If ingress annotations are uncontrolled, edge behavior is fragile.
If NetworkPolicy is absent, segmentation is assumed, not enforced.
If policy exceptions never expire, standards decay.
If Git is not source of truth, drift is guaranteed.

31. Governance anti-patterns

Avoid:

- standards documented but not enforced
- admission policies enforced without CI feedback
- one-off exceptions with no expiry
- using production incident as the only governance mechanism
- every team writing unique Helm charts from scratch
- platform team owning everything manually
- app teams having no self-service path
- security rules that block delivery without remediation guidance
- cost labels that nobody uses
- dashboards that depend on optional labels
- NetworkPolicy written after incident only
- manual kubectl as normal production workflow

32. What good governance feels like

Good governance feels like:

I know where to put my service.
I know which template to use.
I know which labels are required.
I know how traffic reaches my pod.
I know how secrets are delivered.
I know what policy will reject.
I know how to test before merge.
I know what dashboard proves health.
I know who approves exceptions.
I know how to rollback safely.

Bad governance feels like:

Copy YAML from another service and hope it works.
Ask three people which annotation is correct.
Disable the policy because deployment is blocked.
Patch production manually because GitOps is confusing.
Find out during incident that no dashboard exists.

33. Final mental model

Platform governance is not about making Kubernetes rigid.

It is about making production behavior predictable.

For enterprise Java/JAX-RS systems, governance should protect:

  • availability
  • security
  • privacy
  • observability
  • cost
  • upgradeability
  • debuggability
  • auditability
  • team autonomy

The best governance model is:

documented standard
encoded template
validated in CI
enforced at admission
observed at runtime
reviewed through exceptions
improved after incidents

A senior backend engineer should be able to review Kubernetes changes not only for whether they deploy, but whether they fit the platform operating model.


34. Key takeaway

Kubernetes gives teams enormous power.

Platform governance decides whether that power produces:

reliable production systems

or:

unbounded YAML entropy

For senior engineers, the practical skill is to connect every governance rule to a real failure mode:

  • missing labels break ownership
  • missing requests break scheduling
  • bad probes break rollout
  • weak RBAC breaks security
  • unmanaged secrets break privacy
  • uncontrolled ingress breaks traffic
  • missing NetworkPolicy breaks segmentation
  • missing dashboards break incident response
  • missing standards break scale

Governance is production engineering expressed as reusable constraints.

Lesson Recap

You just completed lesson 54 in final stretch. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.