Capstone — Deploying a Production-Ready Application

Kubernetes Intermediate/Advanced

Chapter 10 · Capstone — Deploying a Production-Ready Application

Course 1's own capstone (k8s1-12) closed with an honest list of what was deliberately left out. This chapter resolves that list, one item at a time, using everything Course 2 has covered.

Where We Left Off

k8s1-12's shop-app: a namespace, ConfigMap/Secret, three Deployments (frontend, backend, and a simplified database), two ClusterIP Services, an Ingress, resource limits, and probes. Its own closing section named exactly what this chapter now delivers: a proper StatefulSet, RBAC, autoscaling, observability, troubleshooting readiness, Helm packaging, and GitOps deployment.

Step 1 — Packaging as a Helm Chart

k8s2-3: the capstone's raw YAML becomes a proper chart — Chart.yaml, a values.yaml with environment-specific overrides, and a templates/ directory holding every resource from here on.

Step 2 — A Proper StatefulSet for the Database

k8s2-1: the simplified Deployment+PVC database is replaced with a real StatefulSet, using volumeClaimTemplates and a headless Service — directly resolving k8s1-12's own warn-box and its own Exercise 2 about this exact simplification.

Step 3 — Locking Down the Database With a NetworkPolicy

k8s2-5: the exact NetworkPolicy example from that chapter, applied here for real — restricting database access to only backend pods, closing a security gap that existed silently through the entire Course 1 capstone until now.

Step 4 — RBAC for the Monitoring Stack

k8s2-4/k8s2-7: a dedicated ServiceAccount, Role, and RoleBinding for a monitoring tool needing read-only pod access — the exact worked example from Chapter 4, now actually deployed as part of the real app.

Step 5 — Autoscaling the Backend

k8s2-6: an HPA targeting the backend, with a sensible maxReplicas cap — directly applying that chapter's own cost-consciousness warning.

Step 6 — Observability

k8s2-7: Prometheus scraping the backend's /metrics endpoint, node-exporter running as a DaemonSet (k8s2-2's own concrete example, now with full context), Grafana dashboards on top. An honest note, matching Chapter 7's own framing: full observability setup is beyond this capstone's own scope — this integrates the pieces, it doesn't teach Prometheus/Grafana from scratch.

Step 7 — Deploying via GitOps

k8s2-9: the chart lives in git. A PR merges a values change; ArgoCD notices and applies it — no manual kubectl or helm at all. This closes the loop on the entire deployment workflow, not just the application's own configuration.

Step 8 — If Something Breaks

k8s2-8: the troubleshooting decision tree still applies exactly as written — get pods, describe, logs --previous, and reading the specific error/state as the fastest triage signal, regardless of how much additional infrastructure this capstone has layered on top.

The Full Picture — Every Course 2 Chapter's Contribution

StepChapter
1Ch.3 — Helm packaging
2Ch.1 — StatefulSets
3Ch.5 — NetworkPolicy
4Ch.4 — RBAC
5Ch.6 — Autoscaling
6Ch.7 — Observability
7Ch.9 — GitOps
8Ch.8 — Troubleshooting

What's Still Out of Scope, Honestly

Matching this course's own recurring convention: even this "production-ready" capstone doesn't cover everything a real production system would need — proper multi-region/disaster-recovery architecture, a full incident response process (cloud2-6's own material from Cloud Platforms), cost optimization at genuine scale (cloud1-9/cloud2-7), and a genuinely mature CI pipeline with automated testing before the GitOps merge ever happens. Named honestly, rather than implying this capstone is "done" in any absolute sense.

Production-readiness is a spectrum, not a checkbox
Every item resolved in this chapter closes a real gap — but "production-ready" is an ongoing practice, not a state you reach once and never revisit.

Closing the Full Kubernetes Track

From Chapter 1 (Course 1)'s own "why does orchestration even need to exist" all the way to a GitOps-deployed, autoscaled, RBAC-secured, network-policy-restricted, StatefulSet-backed application — the reconciliation loop, named in Chapter 2, has been the throughline the entire way, appearing at every single layer covered across both courses.

One example, evolved across an entire track
Revisiting and evolving a single running application across 22 chapters, rather than building something new every time, is a deliberate choice — it reinforces retention far more than isolated examples would, and it's exactly how a real application actually grows in practice: incrementally, not all at once.

Hands-On Exercises

Exercise 1

Identify which specific limitation from k8s1-12's own "what's deliberately out of scope" list each of the following Course 2 additions resolves: (a) the StatefulSet, (b) the NetworkPolicy, (c) the HPA.

📄 View solution
Exercise 2

Explain why deploying this production-ready version via GitOps (Chapter 9) is considered a meaningfully different security posture than simply running helm upgrade manually from a laptop with cluster-admin credentials.

📄 View solution
Exercise 3

Across the entire Kubernetes track (both courses), name the single concept/pattern that recurs most often, and explain in your own words why understanding it deeply matters more than memorizing any single YAML snippet.

📄 View solution

Chapter 10 Quick Reference — Course & Track Complete

  • Course 1's capstone limitations, resolved one by one: Helm (Ch.3), StatefulSet (Ch.1), NetworkPolicy (Ch.5), RBAC (Ch.4), HPA (Ch.6), observability (Ch.7), GitOps (Ch.9), troubleshooting readiness (Ch.8)
  • Production-readiness remains a spectrum — multi-region, incident response, cost optimization at scale, and mature CI testing are still honestly out of scope
  • The reconciliation loop (Ch.2, Course 1) has appeared at every layer, across both courses, right up through this chapter's own GitOps deployment
  • Course 2 complete — Kubernetes Intermediate/Advanced, 10 chapters
  • Full Kubernetes track complete — Fundamentals + Intermediate/Advanced, 22 chapters across 2 courses