Kubernetes
Deploy and scale BroxiAI applications on Kubernetes for enterprise-grade container orchestration
Learn how to deploy, scale, and manage BroxiAI applications on Kubernetes for production-ready container orchestration with automatic scaling, self-healing, and service discovery.
Overview
Kubernetes provides:
Automatic scaling and load balancing
Self-healing and fault tolerance
Service discovery and networking
Rolling updates and rollbacks
Secret and configuration management
Multi-cloud and hybrid deployments
Basic Kubernetes Setup
Namespace and Resources
Namespace Configuration
# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: broxi-ai
labels:
name: broxi-ai
environment: production
---
apiVersion: v1
kind: ResourceQuota
metadata:
name: broxi-quota
namespace: broxi-ai
spec:
hard:
requests.cpu: "10"
requests.memory: 20Gi
limits.cpu: "20"
limits.memory: 40Gi
persistentvolumeclaims: "5"
pods: "50"
---
apiVersion: v1
kind: LimitRange
metadata:
name: broxi-limits
namespace: broxi-ai
spec:
limits:
- default:
cpu: "500m"
memory: "512Mi"
defaultRequest:
cpu: "100m"
memory: "128Mi"
type: ContainerConfigMaps and Secrets
Configuration Management
# configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: broxi-config
namespace: broxi-ai
data:
# Application configuration
APP_ENV: "production"
LOG_LEVEL: "info"
MAX_WORKERS: "4"
REQUEST_TIMEOUT: "30"
# Database configuration
DB_HOST: "postgres-service"
DB_PORT: "5432"
DB_NAME: "broxi_production"
# Redis configuration
REDIS_HOST: "redis-service"
REDIS_PORT: "6379"
REDIS_DB: "0"
# BroxiAI configuration
BROXI_API_URL: "https://api.broxi.ai/v1"
BROXI_TIMEOUT: "60"
BROXI_RETRY_ATTEMPTS: "3"
---
apiVersion: v1
kind: Secret
metadata:
name: broxi-secrets
namespace: broxi-ai
type: Opaque
data:
# Base64 encoded secrets
BROXI_API_TOKEN: <base64-encoded-token>
DB_PASSWORD: <base64-encoded-password>
REDIS_PASSWORD: <base64-encoded-password>
SECRET_KEY: <base64-encoded-secret>
JWT_SECRET: <base64-encoded-jwt-secret>
---
apiVersion: v1
kind: Secret
metadata:
name: broxi-tls
namespace: broxi-ai
type: kubernetes.io/tls
data:
tls.crt: <base64-encoded-certificate>
tls.key: <base64-encoded-private-key>Application Deployment
Main Application
Deployment Configuration
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: broxi-app
namespace: broxi-ai
labels:
app: broxi-app
version: v1.0.0
spec:
replicas: 3
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
selector:
matchLabels:
app: broxi-app
template:
metadata:
labels:
app: broxi-app
version: v1.0.0
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8000"
prometheus.io/path: "/metrics"
spec:
serviceAccountName: broxi-service-account
securityContext:
runAsNonRoot: true
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
containers:
- name: broxi-app
image: broxi/app:v1.0.0
imagePullPolicy: Always
ports:
- containerPort: 8000
name: http
protocol: TCP
env:
- name: PORT
value: "8000"
envFrom:
- configMapRef:
name: broxi-config
- secretRef:
name: broxi-secrets
resources:
requests:
cpu: 200m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
livenessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /ready
port: http
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 2
startupProbe:
httpGet:
path: /startup
port: http
initialDelaySeconds: 10
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 10
volumeMounts:
- name: app-logs
mountPath: /app/logs
- name: temp-storage
mountPath: /tmp
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumes:
- name: app-logs
emptyDir: {}
- name: temp-storage
emptyDir: {}
terminationGracePeriodSeconds: 30
restartPolicy: AlwaysService Configuration
# service.yaml
apiVersion: v1
kind: Service
metadata:
name: broxi-app-service
namespace: broxi-ai
labels:
app: broxi-app
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
type: LoadBalancer
selector:
app: broxi-app
ports:
- name: http
port: 80
targetPort: 8000
protocol: TCP
sessionAffinity: None
---
apiVersion: v1
kind: Service
metadata:
name: broxi-app-internal
namespace: broxi-ai
labels:
app: broxi-app
spec:
type: ClusterIP
selector:
app: broxi-app
ports:
- name: http
port: 8000
targetPort: 8000
protocol: TCPDatabase Deployment
PostgreSQL StatefulSet
# postgres.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgres
namespace: broxi-ai
labels:
app: postgres
spec:
serviceName: postgres-headless
replicas: 1
selector:
matchLabels:
app: postgres
template:
metadata:
labels:
app: postgres
spec:
containers:
- name: postgres
image: postgres:15-alpine
ports:
- containerPort: 5432
name: postgres
env:
- name: POSTGRES_DB
valueFrom:
configMapKeyRef:
name: broxi-config
key: DB_NAME
- name: POSTGRES_USER
value: "broxi"
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: broxi-secrets
key: DB_PASSWORD
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 2Gi
volumeMounts:
- name: postgres-storage
mountPath: /var/lib/postgresql/data
- name: postgres-config
mountPath: /etc/postgresql/postgresql.conf
subPath: postgresql.conf
livenessProbe:
exec:
command:
- pg_isready
- -U
- broxi
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command:
- pg_isready
- -U
- broxi
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: postgres-config
configMap:
name: postgres-config
volumeClaimTemplates:
- metadata:
name: postgres-storage
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: "fast-ssd"
resources:
requests:
storage: 50Gi
---
apiVersion: v1
kind: Service
metadata:
name: postgres-service
namespace: broxi-ai
labels:
app: postgres
spec:
type: ClusterIP
selector:
app: postgres
ports:
- port: 5432
targetPort: 5432
---
apiVersion: v1
kind: Service
metadata:
name: postgres-headless
namespace: broxi-ai
labels:
app: postgres
spec:
type: ClusterIP
clusterIP: None
selector:
app: postgres
ports:
- port: 5432
targetPort: 5432Redis Deployment
# redis.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: broxi-ai
labels:
app: redis
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: redis:7-alpine
command:
- redis-server
- /etc/redis/redis.conf
ports:
- containerPort: 6379
name: redis
env:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: broxi-secrets
key: REDIS_PASSWORD
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
volumeMounts:
- name: redis-config
mountPath: /etc/redis
- name: redis-data
mountPath: /data
livenessProbe:
exec:
command:
- redis-cli
- ping
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command:
- redis-cli
- ping
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: redis-config
configMap:
name: redis-config
- name: redis-data
persistentVolumeClaim:
claimName: redis-pvc
---
apiVersion: v1
kind: Service
metadata:
name: redis-service
namespace: broxi-ai
labels:
app: redis
spec:
type: ClusterIP
selector:
app: redis
ports:
- port: 6379
targetPort: 6379
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: redis-pvc
namespace: broxi-ai
spec:
accessModes:
- ReadWriteOnce
storageClassName: "fast-ssd"
resources:
requests:
storage: 10GiAuto-scaling Configuration
Horizontal Pod Autoscaler
HPA Configuration
# hpa.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: broxi-app-hpa
namespace: broxi-ai
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: broxi-app
minReplicas: 3
maxReplicas: 20
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 80
- type: Pods
pods:
metric:
name: http_requests_per_second
target:
type: AverageValue
averageValue: "1000"
behavior:
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Percent
value: 100
periodSeconds: 15
- type: Pods
value: 4
periodSeconds: 15
selectPolicy: Max
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 10
periodSeconds: 60
selectPolicy: MinVertical Pod Autoscaler
VPA Configuration
# vpa.yaml
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
name: broxi-app-vpa
namespace: broxi-ai
spec:
targetRef:
apiVersion: apps/v1
kind: Deployment
name: broxi-app
updatePolicy:
updateMode: "Auto"
resourcePolicy:
containerPolicies:
- containerName: broxi-app
maxAllowed:
cpu: 1
memory: 2Gi
minAllowed:
cpu: 100m
memory: 128Mi
mode: AutoCluster Autoscaler
Node Scaling Configuration
# cluster-autoscaler.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cluster-autoscaler
namespace: kube-system
labels:
app: cluster-autoscaler
spec:
selector:
matchLabels:
app: cluster-autoscaler
template:
metadata:
labels:
app: cluster-autoscaler
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: '8085'
spec:
serviceAccountName: cluster-autoscaler
containers:
- image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
name: cluster-autoscaler
resources:
limits:
cpu: 100m
memory: 300Mi
requests:
cpu: 100m
memory: 300Mi
command:
- ./cluster-autoscaler
- --v=4
- --stderrthreshold=info
- --cloud-provider=aws
- --skip-nodes-with-local-storage=false
- --expander=least-waste
- --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/broxi-cluster
- --balance-similar-node-groups
- --scale-down-enabled=true
- --scale-down-delay-after-add=10m
- --scale-down-unneeded-time=10m
- --scale-down-utilization-threshold=0.5
env:
- name: AWS_REGION
value: us-west-2
volumeMounts:
- name: ssl-certs
mountPath: /etc/ssl/certs/ca-certificates.crt
readOnly: true
imagePullPolicy: "Always"
volumes:
- name: ssl-certs
hostPath:
path: "/etc/ssl/certs/ca-bundle.crt"Advanced Kubernetes Features
Jobs and CronJobs
Background Processing Jobs
# jobs.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: broxi-data-migration
namespace: broxi-ai
spec:
backoffLimit: 3
completions: 1
parallelism: 1
template:
metadata:
labels:
app: broxi-migration
spec:
restartPolicy: Never
containers:
- name: migration
image: broxi/app:v1.0.0
command: ["python", "manage.py", "migrate"]
envFrom:
- configMapRef:
name: broxi-config
- secretRef:
name: broxi-secrets
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: broxi-cleanup
namespace: broxi-ai
spec:
schedule: "0 2 * * *" # Daily at 2 AM
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: cleanup
image: broxi/app:v1.0.0
command: ["python", "scripts/cleanup.py"]
envFrom:
- configMapRef:
name: broxi-config
- secretRef:
name: broxi-secrets
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 1Network Policies
Security Network Policies
# network-policies.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: broxi-app-policy
namespace: broxi-ai
spec:
podSelector:
matchLabels:
app: broxi-app
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
- podSelector:
matchLabels:
app: broxi-app
ports:
- protocol: TCP
port: 8000
egress:
- to:
- podSelector:
matchLabels:
app: postgres
ports:
- protocol: TCP
port: 5432
- to:
- podSelector:
matchLabels:
app: redis
ports:
- protocol: TCP
port: 6379
- to: [] # Allow external API calls
ports:
- protocol: TCP
port: 443
- protocol: TCP
port: 80
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: postgres-policy
namespace: broxi-ai
spec:
podSelector:
matchLabels:
app: postgres
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: broxi-app
ports:
- protocol: TCP
port: 5432Pod Disruption Budgets
PDB Configuration
# pdb.yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: broxi-app-pdb
namespace: broxi-ai
spec:
minAvailable: 2
selector:
matchLabels:
app: broxi-app
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: postgres-pdb
namespace: broxi-ai
spec:
maxUnavailable: 0
selector:
matchLabels:
app: postgresIngress and Load Balancing
Ingress Configuration
NGINX Ingress
# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: broxi-ingress
namespace: broxi-ai
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "50m"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
nginx.ingress.kubernetes.io/rate-limit: "100"
nginx.ingress.kubernetes.io/rate-limit-window: "1m"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "X-Frame-Options: DENY";
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "X-XSS-Protection: 1; mode=block";
spec:
tls:
- hosts:
- api.broxi-app.com
- app.broxi-app.com
secretName: broxi-tls
rules:
- host: api.broxi-app.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: broxi-app-service
port:
number: 80
- host: app.broxi-app.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: broxi-frontend-service
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: broxi-websocket-ingress
namespace: broxi-ai
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
nginx.ingress.kubernetes.io/proxy-set-headers: |
Upgrade $http_upgrade
Connection "upgrade"
spec:
rules:
- host: ws.broxi-app.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: broxi-websocket-service
port:
number: 8080Service Mesh (Istio)
Istio Configuration
# istio-config.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: broxi-gateway
namespace: broxi-ai
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: broxi-tls
hosts:
- api.broxi-app.com
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: broxi-vs
namespace: broxi-ai
spec:
hosts:
- api.broxi-app.com
gateways:
- broxi-gateway
http:
- match:
- uri:
prefix: "/v1/"
route:
- destination:
host: broxi-app-service
port:
number: 8000
timeout: 60s
retries:
attempts: 3
perTryTimeout: 20s
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: broxi-dr
namespace: broxi-ai
spec:
host: broxi-app-service
trafficPolicy:
loadBalancer:
simple: LEAST_CONN
connectionPool:
tcp:
maxConnections: 50
http:
http1MaxPendingRequests: 10
maxRequestsPerConnection: 2
circuitBreaker:
consecutiveErrors: 3
interval: 30s
baseEjectionTime: 30s
maxEjectionPercent: 50
subsets:
- name: v1
labels:
version: v1.0.0
trafficPolicy:
portLevelSettings:
- port:
number: 8000
loadBalancer:
simple: ROUND_ROBINMonitoring and Observability
Prometheus Monitoring
ServiceMonitor Configuration
# monitoring.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: broxi-app-monitor
namespace: broxi-ai
labels:
app: broxi-app
spec:
selector:
matchLabels:
app: broxi-app
endpoints:
- port: http
path: /metrics
interval: 30s
scrapeTimeout: 10s
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: broxi-alerts
namespace: broxi-ai
spec:
groups:
- name: broxi.rules
rules:
- alert: BroxiAppDown
expr: up{job="broxi-app"} == 0
for: 5m
labels:
severity: critical
annotations:
summary: "BroxiAI application is down"
description: "BroxiAI application has been down for more than 5 minutes"
- alert: HighCPUUsage
expr: rate(container_cpu_usage_seconds_total{pod=~"broxi-app-.*"}[5m]) > 0.8
for: 10m
labels:
severity: warning
annotations:
summary: "High CPU usage detected"
description: "CPU usage is above 80% for more than 10 minutes"
- alert: HighMemoryUsage
expr: container_memory_usage_bytes{pod=~"broxi-app-.*"} / container_spec_memory_limit_bytes > 0.9
for: 5m
labels:
severity: warning
annotations:
summary: "High memory usage detected"
description: "Memory usage is above 90% for more than 5 minutes"
- alert: PodCrashLooping
expr: rate(kube_pod_container_status_restarts_total[15m]) > 0
for: 0m
labels:
severity: critical
annotations:
summary: "Pod is crash looping"
description: "Pod {{ $labels.pod }} is restarting frequently"Distributed Tracing
Jaeger Configuration
# jaeger.yaml
apiVersion: jaegertracing.io/v1
kind: Jaeger
metadata:
name: broxi-jaeger
namespace: broxi-ai
spec:
strategy: production
storage:
type: elasticsearch
elasticsearch:
nodeCount: 3
redundancyPolicy: SingleRedundancy
resources:
requests:
cpu: 200m
memory: 1Gi
limits:
cpu: 1
memory: 2Gi
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
hosts:
- jaeger.broxi-app.comSecurity and RBAC
Service Accounts and RBAC
RBAC Configuration
# rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: broxi-service-account
namespace: broxi-ai
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: broxi-ai
name: broxi-role
rules:
- apiGroups: [""]
resources: ["configmaps", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: broxi-role-binding
namespace: broxi-ai
subjects:
- kind: ServiceAccount
name: broxi-service-account
namespace: broxi-ai
roleRef:
kind: Role
name: broxi-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: broxi-cluster-role
rules:
- apiGroups: [""]
resources: ["nodes", "namespaces"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: broxi-cluster-role-binding
subjects:
- kind: ServiceAccount
name: broxi-service-account
namespace: broxi-ai
roleRef:
kind: ClusterRole
name: broxi-cluster-role
apiGroup: rbac.authorization.k8s.ioPod Security Standards
Pod Security Policy
# security-policy.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: broxi-psp
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: true
---
apiVersion: v1
kind: Pod
metadata:
name: broxi-secure-pod
namespace: broxi-ai
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
serviceAccountName: broxi-service-account
securityContext:
runAsNonRoot: true
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
seccompProfile:
type: RuntimeDefault
containers:
- name: broxi-app
image: broxi/app:v1.0.0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512MiGitOps and CI/CD
ArgoCD Application
ArgoCD Configuration
# argocd-app.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: broxi-app
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://github.com/your-org/broxi-k8s-manifests
targetRevision: main
path: overlays/production
destination:
server: https://kubernetes.default.svc
namespace: broxi-ai
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- PrunePropagationPolicy=foreground
- PruneLast=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m
revisionHistoryLimit: 10Helm Charts
Helm Chart Structure
# Chart.yaml
apiVersion: v2
name: broxi-app
description: BroxiAI application Helm chart
type: application
version: 1.0.0
appVersion: "v1.0.0"
dependencies:
- name: postgresql
version: 12.1.2
repository: https://charts.bitnami.com/bitnami
condition: postgresql.enabled
- name: redis
version: 17.3.7
repository: https://charts.bitnami.com/bitnami
condition: redis.enabled
---
# values.yaml
replicaCount: 3
image:
repository: broxi/app
tag: v1.0.0
pullPolicy: Always
service:
type: LoadBalancer
port: 80
targetPort: 8000
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: api.broxi-app.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: broxi-tls
hosts:
- api.broxi-app.com
autoscaling:
enabled: true
minReplicas: 3
maxReplicas: 20
targetCPUUtilizationPercentage: 70
targetMemoryUtilizationPercentage: 80
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 200m
memory: 256Mi
postgresql:
enabled: true
auth:
postgresPassword: "changeme"
database: "broxi_production"
primary:
persistence:
enabled: true
size: 50Gi
redis:
enabled: true
auth:
enabled: true
password: "changeme"
master:
persistence:
enabled: true
size: 10Gi
nodeSelector: {}
tolerations: []
affinity: {}Disaster Recovery
Backup and Restore
Velero Backup Configuration
# backup.yaml
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: broxi-daily-backup
namespace: velero
spec:
schedule: "0 1 * * *" # Daily at 1 AM
template:
includedNamespaces:
- broxi-ai
excludedResources:
- events
- events.events.k8s.io
snapshotVolumes: true
ttl: 720h # 30 days
storageLocation: default
volumeSnapshotLocations:
- default
---
apiVersion: velero.io/v1
kind: Backup
metadata:
name: broxi-pre-deployment-backup
namespace: velero
spec:
includedNamespaces:
- broxi-ai
snapshotVolumes: true
storageLocation: defaultDatabase Backup CronJob
# db-backup.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
name: postgres-backup
namespace: broxi-ai
spec:
schedule: "0 2 * * *" # Daily at 2 AM
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: postgres-backup
image: postgres:15-alpine
command:
- /bin/sh
- -c
- |
PGPASSWORD=$POSTGRES_PASSWORD pg_dump \
-h $POSTGRES_HOST \
-U $POSTGRES_USER \
-d $POSTGRES_DB \
-f /backup/backup-$(date +%Y%m%d_%H%M%S).sql
# Upload to S3
aws s3 cp /backup/backup-$(date +%Y%m%d_%H%M%S).sql \
s3://broxi-backups/postgres/
# Cleanup local backup
rm /backup/backup-$(date +%Y%m%d_%H%M%S).sql
env:
- name: POSTGRES_HOST
value: postgres-service
- name: POSTGRES_USER
value: broxi
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: broxi-secrets
key: DB_PASSWORD
- name: POSTGRES_DB
value: broxi_production
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-credentials
key: access-key-id
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-credentials
key: secret-access-key
volumeMounts:
- name: backup-storage
mountPath: /backup
volumes:
- name: backup-storage
emptyDir: {}
successfulJobsHistoryLimit: 7
failedJobsHistoryLimit: 3Best Practices
Resource Management
Resource Optimization
Set appropriate resource requests and limits
Use horizontal and vertical pod autoscaling
Implement cluster autoscaling for node management
Monitor resource utilization continuously
Use pod disruption budgets for availability
Security
Security Best Practices
Run containers as non-root users
Use network policies for traffic control
Implement RBAC with least privilege
Regular security scanning of container images
Use pod security standards/policies
Encrypt secrets and sensitive data
High Availability
HA Configuration
Deploy across multiple availability zones
Use pod anti-affinity rules
Implement health checks and probes
Configure ingress with load balancing
Use persistent volumes for stateful data
Regular backup and disaster recovery testing
Troubleshooting
Common Issues
Pod Issues
# Check pod status
kubectl get pods -n broxi-ai
# Describe pod for events
kubectl describe pod <pod-name> -n broxi-ai
# Check pod logs
kubectl logs <pod-name> -n broxi-ai
# Debug running pod
kubectl exec -it <pod-name> -n broxi-ai -- /bin/shService Discovery Issues
# Check services
kubectl get svc -n broxi-ai
# Test service connectivity
kubectl run debug --image=busybox -it --rm --restart=Never -- \
nslookup broxi-app-service.broxi-ai.svc.cluster.local
# Check endpoints
kubectl get endpoints -n broxi-aiNetworking Issues
# Check network policies
kubectl get networkpolicy -n broxi-ai
# Test pod-to-pod connectivity
kubectl exec -it <pod1> -n broxi-ai -- \
wget -qO- <pod2-ip>:8000/healthNext Steps
After Kubernetes deployment:
Monitoring Enhancement: Implement comprehensive observability
Security Hardening: Regular security assessments and updates
Performance Tuning: Optimize for your specific workload
Disaster Recovery: Test backup and recovery procedures
Cost Optimization: Monitor and optimize resource usage
Related Guides
Docker: Container fundamentals
Monitoring: Observability and monitoring
Security: Security best practices
Kubernetes provides enterprise-grade container orchestration for BroxiAI applications. Follow these patterns for scalable, reliable, and secure deployments in production environments.
Last updated