Kubernetes Deployment Guide for Production Applications

Deploying to Kubernetes for the first time can feel overwhelming. Between writing manifests, configuring Services, setting up health checks, and managing rollouts, there are dozens of moving parts. This guide walks you through every layer of a production Kubernetes deployment so you can ship with confidence.

Writing Production-Grade Deployment Manifests

A Kubernetes Deployment manifest defines how your application runs: the container image, replica count, resource requests and limits, environment variables, and update strategy. For production, you should always set explicit CPU and memory requests so the scheduler can place pods correctly, and define limits to prevent a single pod from starving the node. Use `spec.strategy.rollingUpdate` with `maxUnavailable: 0` and `maxSurge: 1` to ensure zero-downtime deploys. Pin your image tags to immutable digests or semantic versions rather than `latest` to guarantee reproducibility across environments.

Services, Ingress, and Traffic Routing

A Deployment alone is not reachable. You need a Service (typically ClusterIP) to give your pods a stable internal DNS name, and an Ingress resource to expose HTTP/HTTPS traffic externally. Ingress controllers like NGINX Ingress or Traefik terminate TLS, route by hostname or path, and support annotations for rate limiting, CORS, and header manipulation. For gRPC or TCP workloads, consider a LoadBalancer Service or the Gateway API, which provides more expressive routing primitives than classic Ingress.

Health Checks and Readiness Gates

Liveness probes tell Kubernetes when to restart a stuck container; readiness probes tell it when a pod is ready to receive traffic. Define both in your Deployment spec. A common pattern is an HTTP GET to `/healthz` for liveness and `/readyz` for readiness. Set `initialDelaySeconds` high enough for your app to boot, and keep `periodSeconds` reasonable (10-30s). Startup probes are useful for slow-starting apps like JVM services, letting you decouple boot time from ongoing health checks.

ConfigMaps, Secrets, and Environment Management

Externalize configuration with ConfigMaps for non-sensitive data and Secrets for credentials. Mount them as environment variables or files. Use `envFrom` to inject an entire ConfigMap at once. For Secrets, consider integrating with an external secret manager like HashiCorp Vault or AWS Secrets Manager via the External Secrets Operator, which syncs external secrets into native Kubernetes Secret objects automatically. This keeps sensitive values out of your Git repository while still leveraging Kubernetes-native tooling.
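The manifest, probe, and Secret guidance above can be enforced as a pre-deploy check. The following is an added example, not code from the original guide: it audits a Deployment (in the parsed form of `kubectl get deploy -o json`) against those rules. The sample manifest, the `audit` and `image_pinned` names, and the sensitive-name pattern are assumptions made for illustration.

```python
import re

# Constructed sample (parsed `kubectl get deploy -o json` shape); not from the guide.
SAMPLE = {
    "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {
        "strategy": {"rollingUpdate": {"maxUnavailable": "25%", "maxSurge": 1}},
        "template": {"spec": {"containers": [
            {"name": "app", "image": "registry.example/web:latest",
             "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}},
             "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
             "env": [{"name": "DB_PASSWORD", "value": "constructed-not-real"}]},
        ]}},
    },
}

# Heuristic (assumption): env names that usually carry credentials.
SENSITIVE = re.compile(r"PASSWORD|SECRET|TOKEN|KEY", re.I)

def image_pinned(image):
    """True for a digest reference or an explicit tag other than `latest`."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry[:port]/path so a port is not read as a tag
    return ":" in last and last.rsplit(":", 1)[1] != "latest"

def audit(dep):
    """Return a sorted list of findings for one Deployment dict."""
    out = []
    ru = dep["spec"].get("strategy", {}).get("rollingUpdate", {})
    if str(ru.get("maxUnavailable")) not in ("0", "0%"):
        out.append("strategy: maxUnavailable is not 0")
    for c in dep["spec"]["template"]["spec"]["containers"]:
        n = c["name"]
        if not image_pinned(c.get("image", "")):
            out.append(f"{n}: image not pinned to a digest or version tag")
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in res.get(kind, {}):
                    out.append(f"{n}: missing resources.{kind}.{r}")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                out.append(f"{n}: missing {probe}")
        for e in c.get("env", []):
            # A literal `value` on a credential-like name belongs in a Secret reference.
            if SENSITIVE.search(e["name"]) and "value" in e:
                out.append(f"{n}: {e['name']} set inline, use a Secret reference")
    return sorted(out)
```

Calling `audit(SAMPLE)` returns one finding per violated rule; an empty list means the Deployment passes every check.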

Why Anubiz Engineering

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included
