Skip to main content

Kubernetes Production Readiness Checklist

A go-live checklist for Kubernetes covering Pod Security Standards, resource limits, probes, autoscaling, network policy, RBAC, observability, and tested backups. It gates production on resilience and a real load test.

Estimated Time
1-2 days
Type
go live
Category
Containers
Steps
13

When to Use This Checklist

Use this before a Kubernetes cluster takes its first production traffic, and again after major version upgrades. It applies to managed clusters (EKS, AKS, GKE) and self-managed ones. The aim is to confirm the cluster and the workloads on it are secure, resilient, observable, and operable under load.

A cluster that runs a demo is not a cluster that survives a Friday-night traffic spike. This checklist closes that gap.

How to Use This Checklist

Split the work between cluster owners and application teams. Cluster owners handle admission control, RBAC, network policy defaults, and backup/restore; application teams handle probes, resource limits, and autoscaling for their workloads.

Treat the security and resilience items as blocking. Resource limits, probes, and Pod Security Standards are not optional for production. Finish with a load test at expected peak so autoscaling and disruption budgets are proven, not assumed.

What Good Looks Like

A production-ready cluster runs workloads under the restricted Pod Security profile, with RBAC scoped to least privilege and default-deny network policies. Every pod declares requests, limits, and probes; HPA and cluster autoscaling respond to load; and high-availability services have disruption budgets and anti-affinity. Images are scanned and signed, secrets live in an external manager, and metrics, logs, and traces flow into one place. Backups of etcd and volumes have been restored at least once.

Common Pitfalls

Missing resource limits cause one workload to starve the node and trigger cascading evictions. Absent or wrong probes let Kubernetes route traffic to pods that are not ready. Running pods as root or as privileged is a frequent and serious gap. Storing secrets as base64-encoded Kubernetes Secrets without encryption or an external manager is another. Finally, teams often skip restore testing and discover during an incident that their backups never worked.

Related Resources

Use the Pod Security Standards and container image hardening guides for the security items, and the production-ready microservices checklist for workload concerns. Define SLOs to anchor the observability and autoscaling targets.