Latest Kubernetes Resources

Introduction

Every time I spin up a new cluster, I go through the same ritual: write a Deployment, attach a Service, wrap it in a Namespace, bolt on RBAC, tune the HPA. After years of doing this I have a mental checklist of the resources that actually matter in production. This article is that checklist — covering the full complement of modern Kubernetes resource types (API version v1.28+), with a real Go HTTP microservice as the workload running through every example.

I will not cover every available resource (there are hundreds of CRDs out there). I cover the ones that show up in every serious cluster.

The Go Microservice

All YAML manifests in this article deploy or configure the same Go HTTP service. Here is the source:

goapp/
├── main.go
├── go.mod
└── Dockerfile

main.go:

package main

import (
	"encoding/json"
	"fmt"
	"log/slog"
	"net/http"
	"os"
	"time"
)

type HealthResponse struct {
	Status    string `json:"status"`
	Timestamp string `json:"timestamp"`
	Version   string `json:"version"`
}

type ItemResponse struct {
	ID    int    `json:"id"`
	Name  string `json:"name"`
	Price int    `json:"price"`
}

func main() {
	logger := slog.New(slog.NewJSONHandler(os.Stdout, nil))
	port := os.Getenv("PORT")
	if port == "" {
		port = "8080"
	}

	mux := http.NewServeMux()
	mux.HandleFunc("GET /healthz", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(HealthResponse{
			Status:    "ok",
			Timestamp: time.Now().UTC().Format(time.RFC3339),
			Version:   os.Getenv("APP_VERSION"),
		})
	})

	mux.HandleFunc("GET /items", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode([]ItemResponse{
			{ID: 1, Name: "Widget A", Price: 100},
			{ID: 2, Name: "Widget B", Price: 200},
		})
	})

	mux.HandleFunc("POST /items", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(ItemResponse{ID: 3, Name: "Widget C", Price: 300})
	})

	addr := fmt.Sprintf(":%s", port)
	logger.Info("starting server", "addr", addr, "version", os.Getenv("APP_VERSION"))
	if err := http.ListenAndServe(addr, mux); err != nil {
		logger.Error("server error", "err", err)
		os.Exit(1)
	}
}

go.mod:

module github.com/example/goapp

go 1.24

Dockerfile:

FROM golang:1.24-alpine AS build
WORKDIR /app
COPY go.mod ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o server .

FROM gcr.io/distroless/static:nonroot
COPY --from=build /app/server /server
EXPOSE 8080
ENTRYPOINT ["/server"]

Build and push:

docker build -t myregistry.io/goapp:v1.0.0 .
docker push myregistry.io/goapp:v1.0.0

Workload Resources

Deployment

Deployment is the standard controller for stateless services. apps/v1 has been stable since Kubernetes 1.9.

# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: goapp
  namespace: production
  labels:
    app: goapp
    version: v1.0.0
spec:
  replicas: 3
  revisionHistoryLimit: 5
  selector:
    matchLabels:
      app: goapp
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0       # zero-downtime rolling update
  template:
    metadata:
      labels:
        app: goapp
        version: v1.0.0
    spec:
      serviceAccountName: goapp
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532        # distroless nonroot UID
        seccompProfile:
          type: RuntimeDefault
      terminationGracePeriodSeconds: 30
      containers:
        - name: goapp
          image: myregistry.io/goapp:v1.0.0
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          env:
            - name: PORT
              value: "8080"
            - name: APP_VERSION
              valueFrom:
                fieldRef:
                  fieldPath: metadata.labels['version']
          resources:
            requests:
              cpu: "100m"
              memory: "64Mi"
            limits:
              cpu: "500m"
              memory: "256Mi"
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 15
            periodSeconds: 20
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}

Key points I always enforce:

maxUnavailable: 0 — never go below desired replica count during rollout
revisionHistoryLimit: 5 — keeps rollback history manageable
readOnlyRootFilesystem: true + emptyDir for /tmp — prevents container breakouts
automountServiceAccountToken: false — principle of least privilege

StatefulSet

Use StatefulSet when pods need stable network identity or persistent storage per-replica.

# statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: goapp-cache
  namespace: production
spec:
  serviceName: goapp-cache-headless
  replicas: 3
  selector:
    matchLabels:
      app: goapp-cache
  podManagementPolicy: Parallel      # start all pods simultaneously
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: goapp-cache
    spec:
      containers:
        - name: app
          image: myregistry.io/goapp:v1.0.0
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: data
              mountPath: /var/data
          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: fast-ssd
        resources:
          requests:
            storage: 10Gi
---
# Headless service required by StatefulSet
apiVersion: v1
kind: Service
metadata:
  name: goapp-cache-headless
  namespace: production
spec:
  clusterIP: None                   # headless — DNS A records per pod
  selector:
    app: goapp-cache
  ports:
    - port: 8080
      targetPort: 8080

DaemonSet

DaemonSet ensures exactly one pod runs on every node — perfect for log collectors, node exporters, or network agents.

# daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-agent
  namespace: kube-system
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  selector:
    matchLabels:
      app: node-agent
  template:
    metadata:
      labels:
        app: node-agent
    spec:
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      hostNetwork: false
      containers:
        - name: agent
          image: myregistry.io/goapp:v1.0.0
          resources:
            requests:
              cpu: "50m"
              memory: "32Mi"
            limits:
              cpu: "200m"
              memory: "128Mi"
          volumeMounts:
            - name: host-logs
              mountPath: /host/var/log
              readOnly: true
      volumes:
        - name: host-logs
          hostPath:
            path: /var/log
            type: Directory

Job and CronJob

Jobs for batch processing; CronJobs for scheduled tasks.

# job.yaml — one-shot database migration
apiVersion: batch/v1
kind: Job
metadata:
  name: goapp-db-migrate
  namespace: production
spec:
  ttlSecondsAfterFinished: 300      # clean up 5 minutes after completion
  backoffLimit: 3
  activeDeadlineSeconds: 300
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: migrate
          image: myregistry.io/goapp:v1.0.0
          command: ["/server", "migrate"]
          envFrom:
            - secretRef:
                name: goapp-db-secret
          resources:
            requests:
              cpu: "100m"
              memory: "64Mi"
            limits:
              cpu: "500m"
              memory: "256Mi"
---
# cronjob.yaml — nightly report export
apiVersion: batch/v1
kind: CronJob
metadata:
  name: goapp-nightly-report
  namespace: production
spec:
  schedule: "0 2 * * *"            # 02:00 UTC every night
  timeZone: "UTC"                   # explicit timezone (GA since 1.27)
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  startingDeadlineSeconds: 60
  jobTemplate:
    spec:
      ttlSecondsAfterFinished: 3600
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: report
              image: myregistry.io/goapp:v1.0.0
              command: ["/server", "report"]
              resources:
                requests:
                  cpu: "100m"
                  memory: "64Mi"
                limits:
                  cpu: "500m"
                  memory: "256Mi"

Autoscaling Resources

HorizontalPodAutoscaler (v2)

autoscaling/v2 is stable since Kubernetes 1.26. It supports CPU, memory, and custom metrics simultaneously.

# hpa.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: goapp-hpa
  namespace: production
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: goapp
  minReplicas: 3
  maxReplicas: 20
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70       # scale when avg CPU > 70%
    - type: Resource
      resource:
        name: memory
        target:
          type: AverageValue
          averageValue: "200Mi"
  behavior:
    scaleUp:
      stabilizationWindowSeconds: 60    # wait 60s before scaling up again
      policies:
        - type: Pods
          value: 4
          periodSeconds: 60             # add at most 4 pods per minute
    scaleDown:
      stabilizationWindowSeconds: 300   # wait 5 min before scaling down
      policies:
        - type: Percent
          value: 10
          periodSeconds: 60             # remove at most 10% per minute

VerticalPodAutoscaler (VPA)

VPA is installed separately via the VPA Helm chart or official manifests. It recommends (or automatically updates) resource requests/limits.

# vpa.yaml
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: goapp-vpa
  namespace: production
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: goapp
  updatePolicy:
    updateMode: "Off"                  # "Off" = recommendations only, no auto-restart
  resourcePolicy:
    containerPolicies:
      - containerName: goapp
        minAllowed:
          cpu: "50m"
          memory: "32Mi"
        maxAllowed:
          cpu: "2"
          memory: "1Gi"
        controlledResources: ["cpu", "memory"]

I use updateMode: "Off" in production and review VPA recommendations during the weekly infra review. Auto-apply (updateMode: "Auto") is useful in dev environments.

Reliability and Policy Resources

PodDisruptionBudget

PDB prevents your service from being unavailable during voluntary disruptions (node drains, rolling upgrades).

# pdb.yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: goapp-pdb
  namespace: production
spec:
  minAvailable: 2                    # always keep at least 2 pods running
  selector:
    matchLabels:
      app: goapp

Alternative: use maxUnavailable instead of minAvailable.

spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: goapp

PDB works with kubectl drain. Without it, a node drain could evict all goapp pods simultaneously.

PriorityClass

PriorityClass controls scheduling order when the cluster is under resource pressure.

# priorityclass.yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: production-critical
value: 1000000
globalDefault: false
preemptionPolicy: PreemptLowerPriority
description: "Production services — preempts lower-priority workloads"
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: batch-low
value: 10000
globalDefault: false
preemptionPolicy: Never
description: "Batch / background jobs — never preempts other workloads"

Assign to pods:

spec:
  priorityClassName: production-critical

Resource Management

ResourceQuota

ResourceQuota limits total resource consumption per namespace.

# resourcequota.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: production-quota
  namespace: production
spec:
  hard:
    # Compute
    requests.cpu: "20"
    requests.memory: "40Gi"
    limits.cpu: "40"
    limits.memory: "80Gi"
    # Object counts
    pods: "100"
    services: "20"
    persistentvolumeclaims: "40"
    secrets: "100"
    configmaps: "100"
    # LoadBalancer services are expensive
    services.loadbalancers: "5"
    services.nodeports: "0"           # disable NodePort in production

LimitRange

LimitRange sets default and maximum resource values for containers that do not specify them explicitly.

# limitrange.yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: production-limits
  namespace: production
spec:
  limits:
    - type: Container
      default:
        cpu: "250m"
        memory: "128Mi"
      defaultRequest:
        cpu: "100m"
        memory: "64Mi"
      max:
        cpu: "2"
        memory: "2Gi"
      min:
        cpu: "10m"
        memory: "8Mi"
    - type: Pod
      max:
        cpu: "4"
        memory: "4Gi"
    - type: PersistentVolumeClaim
      max:
        storage: "100Gi"
      min:
        storage: "1Gi"

Network Security

NetworkPolicy

NetworkPolicy is enforced by the CNI plugin (Cilium, Calico, etc.). The default behavior in most clusters is allow-all — NetworkPolicy flips that.

# networkpolicy.yaml — default deny all, then allow only what is needed
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}                    # selects all pods in namespace
  policyTypes:
    - Ingress
    - Egress
---
# Allow ingress only from the gateway
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: goapp-allow-ingress
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: goapp
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gateway-system
          podSelector:
            matchLabels:
              app: gateway
      ports:
        - protocol: TCP
          port: 8080
---
# Allow egress to DNS and external APIs
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: goapp-allow-egress
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: goapp
  policyTypes:
    - Egress
  egress:
    - to:                            # DNS
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:                            # PostgreSQL in same namespace
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    - ports:                         # External HTTPS
        - protocol: TCP
          port: 443

Configuration and ServiceAccount

# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    kubernetes.io/metadata.name: production
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
# serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: goapp
  namespace: production
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/goapp-role"  # IRSA
automountServiceAccountToken: false
---
# configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: goapp-config
  namespace: production
data:
  APP_LOG_LEVEL: "info"
  APP_ENV: "production"
  DATABASE_HOST: "postgres.production.svc.cluster.local"
  DATABASE_PORT: "5432"
---
# secret.yaml — in practice, use External Secrets Operator or Sealed Secrets
apiVersion: v1
kind: Secret
metadata:
  name: goapp-db-secret
  namespace: production
type: Opaque
stringData:
  DATABASE_PASSWORD: "replace-me-with-external-secrets"
  DATABASE_USER: "goapp"

Applying Everything

Apply in order:

kubectl apply -f namespace.yaml
kubectl apply -f serviceaccount.yaml
kubectl apply -f configmap.yaml
kubectl apply -f secret.yaml
kubectl apply -f limitrange.yaml
kubectl apply -f resourcequota.yaml
kubectl apply -f deployment.yaml
kubectl apply -f hpa.yaml
kubectl apply -f pdb.yaml
kubectl apply -f networkpolicy.yaml

Check the result:

kubectl get deploy,hpa,pdb -n production
kubectl describe resourcequota production-quota -n production
kubectl get networkpolicies -n production

Resource API Version Reference

Resource

API Group

Stable Since

Deployment

apps/v1

K8s 1.9

StatefulSet

apps/v1

K8s 1.9

DaemonSet

apps/v1

K8s 1.9

Job

batch/v1

K8s 1.21

CronJob

batch/v1

K8s 1.21

HorizontalPodAutoscaler

autoscaling/v2

K8s 1.26

PodDisruptionBudget

policy/v1

K8s 1.21

PriorityClass

scheduling.k8s.io/v1

K8s 1.14

ResourceQuota

v1 (core)

stable

LimitRange

v1 (core)

stable

NetworkPolicy

networking.k8s.io/v1

K8s 1.7

VPA

autoscaling.k8s.io/v1

separate install

What I Learned

Always set both PDB and HPA together — HPA scales you up under load, PDB keeps you safe during node drains.
LimitRange prevents unbounded containers — a single container without limits can starve the whole node.
NetworkPolicy default-deny-all should be your baseline in any namespace handling user data.
VPA in Off mode is a free performance recommendation engine — check it weekly.
CronJob timeZone field (stable in 1.27) eliminates the DST ambiguity bugs I used to deal with.

Kubernetes Gateway API — replace Ingress with the modern traffic management API
Kubernetes Cluster API — manage entire cluster lifecycles declaratively

PreviousProduction Best Practices NextKubernetes Gateway API

Last updated 27 days ago

hashtagIntroduction

hashtagThe Go Microservice

hashtagWorkload Resources

hashtagDeployment

hashtagStatefulSet

hashtagDaemonSet

hashtagJob and CronJob

hashtagAutoscaling Resources

hashtagHorizontalPodAutoscaler (v2)

hashtagVerticalPodAutoscaler (VPA)

hashtagReliability and Policy Resources

hashtagPodDisruptionBudget

hashtagPriorityClass

hashtagResource Management

hashtagResourceQuota

hashtagLimitRange

hashtagNetwork Security

hashtagNetworkPolicy

hashtagConfiguration and ServiceAccount

hashtagApplying Everything

hashtagResource API Version Reference

hashtagWhat I Learned

hashtagNext

Introduction

The Go Microservice

Workload Resources

Deployment

StatefulSet

DaemonSet

Job and CronJob

Autoscaling Resources

HorizontalPodAutoscaler (v2)

VerticalPodAutoscaler (VPA)

Reliability and Policy Resources

PodDisruptionBudget

PriorityClass

Resource Management

ResourceQuota

LimitRange

Network Security

NetworkPolicy

Configuration and ServiceAccount

Applying Everything

Resource API Version Reference

What I Learned

Next