Skip to main content

Kubernetes From Zero to Production

A staged, practical course. It starts with someone who's never touched Kubernetes and ends with a production-shaped deployment of an Express.js app on self-managed Kubernetes, running on DigitalOcean droplets. Every chapter ends with a result you can verify.

"Production-shaped" is deliberate. The course teaches the practices, posture, and tooling a real production team uses, but it doesn't produce a true production-grade system. The gaps are intentional, and they're listed in the orientation chapter.

Target outcome

By the end of the course you will have:

  • A local Linux or macOS workstation set up for Kubernetes work.
  • A minimal Express.js application with /, /healthz, /readyz, and /metrics.
  • Two self-managed clusters on DigitalOcean droplets, installed with kubeadm and networked with Cilium. One for staging, one for production. No managed Kubernetes.
  • The DigitalOcean cloud-controller-manager in each cluster, so Service type=LoadBalancer provisions a real DigitalOcean Load Balancer with a stable public IP.
  • The DigitalOcean CSI driver so platform components (Prometheus, VictoriaMetrics, Grafana, Alertmanager) can claim persistent volumes. This is the deliberate platform-state exception to an otherwise stateless course.
  • metrics-server in every cluster so the built-in CPU/memory HorizontalPodAutoscaler works. (kube-prometheus-stack doesn't replace it.)
  • A real domain pointed at each cluster's DO Load Balancer IP, with Traefik as the ingress controller and real Let's Encrypt certificates issued by cert-manager.
  • A GitHub Actions pipeline that builds images with Kaniko (Chainguard fork), pushes them to the DigitalOcean Container Registry, and deploys with kubectl apply -k.
  • PR status checks (lint, tests, manifest validation with kubeconform, Trivy scans, Docusaurus build) that block merges when something breaks.
  • Protected v* tags plus a tag-on-master provenance check that refuses to deploy a tag that doesn't point at protected master.
  • App manifests structured with Kustomize (base/ + overlays/{staging,prod}). CRD-typed resources (ServiceMonitor, SealedSecret) are added only after their controllers are installed by cluster-bootstrap.
  • Sealed Secrets committed safely to git, with the controller's signing key backed up off-cluster so a destroyed cluster can still decrypt committed SealedSecrets.
  • A metrics stack with Prometheus, VictoriaMetrics, Grafana, and Alertmanager (all on persistent volumes via the DO CSI driver), plus dashboards for cluster health and Express RED metrics.
  • Hardened cluster posture: namespace-scoped RBAC, default-deny Cilium NetworkPolicies, the restricted Pod Security Standard, and enforced image scanning.
  • Cluster health monitoring with node-problem-detector, scheduled etcd snapshots and the sealed-secrets signing key shipped to DigitalOcean Spaces, and a rehearsed restore drill that proves committed SealedSecrets still decrypt after restore.
  • A second deploy path with ArgoCD so you can compare push-based deploys to pull-based GitOps.
  • The course site itself published as a public static site via Appliku.

How to use the course

Read the orientation first. It covers the stack, the explicit production gaps, the prerequisites you'll need before installing tools, and the cost expectations. Then follow the chapters in order. Each one assumes the completion signal of the previous one.

Current state

Every chapter has step-by-step commands, expected output, and a verifiable completion signal. The site builds cleanly under onBrokenLinks: 'throw'. Chapter content keeps evolving as toolchain versions move; if a pinned version drifts, the chapter that uses it is the source of truth.