Kubernetes From Zero to Production
A staged, practical course. It starts with someone who's never touched Kubernetes and ends with a production-shaped deployment of an Express.js app on self-managed Kubernetes, running on DigitalOcean droplets. Every chapter ends with a result you can verify.
"Production-shaped" is deliberate. The course teaches the practices, posture, and tooling a real production team uses, but it doesn't produce a true production-grade system. The gaps are intentional, and they're listed in the orientation chapter.
Target outcome
By the end of the course you will have:
- A local Linux or macOS workstation set up for Kubernetes work.
- A minimal Express.js application with
/,/healthz,/readyz, and/metrics. - Two self-managed clusters on DigitalOcean droplets, installed with
kubeadmand networked with Cilium. One for staging, one for production. No managed Kubernetes. - The DigitalOcean cloud-controller-manager in each cluster, so
Service type=LoadBalancerprovisions a real DigitalOcean Load Balancer with a stable public IP. - The DigitalOcean CSI driver so platform components (Prometheus, VictoriaMetrics, Grafana, Alertmanager) can claim persistent volumes. This is the deliberate platform-state exception to an otherwise stateless course.
metrics-serverin every cluster so the built-in CPU/memory HorizontalPodAutoscaler works. (kube-prometheus-stack doesn't replace it.)- A real domain pointed at each cluster's DO Load Balancer IP, with Traefik as the ingress controller and real Let's Encrypt certificates issued by
cert-manager. - A GitHub Actions pipeline that builds images with Kaniko (Chainguard fork), pushes them to the DigitalOcean Container Registry, and deploys with
kubectl apply -k. - PR status checks (lint, tests, manifest validation with
kubeconform, Trivy scans, Docusaurus build) that block merges when something breaks. - Protected
v*tags plus atag-on-masterprovenance check that refuses to deploy a tag that doesn't point at protectedmaster. - App manifests structured with Kustomize (
base/+overlays/{staging,prod}). CRD-typed resources (ServiceMonitor,SealedSecret) are added only after their controllers are installed bycluster-bootstrap. - Sealed Secrets committed safely to git, with the controller's signing key backed up off-cluster so a destroyed cluster can still decrypt committed
SealedSecrets. - A metrics stack with Prometheus, VictoriaMetrics, Grafana, and Alertmanager (all on persistent volumes via the DO CSI driver), plus dashboards for cluster health and Express RED metrics.
- Hardened cluster posture: namespace-scoped RBAC, default-deny Cilium NetworkPolicies, the
restrictedPod Security Standard, and enforced image scanning. - Cluster health monitoring with
node-problem-detector, scheduled etcd snapshots and the sealed-secrets signing key shipped to DigitalOcean Spaces, and a rehearsed restore drill that proves committedSealedSecrets still decrypt after restore. - A second deploy path with ArgoCD so you can compare push-based deploys to pull-based GitOps.
- The course site itself published as a public static site via Appliku.
How to use the course
Read the orientation first. It covers the stack, the explicit production gaps, the prerequisites you'll need before installing tools, and the cost expectations. Then follow the chapters in order. Each one assumes the completion signal of the previous one.
Current state
Every chapter has step-by-step commands, expected output, and a verifiable completion signal. The site builds cleanly under onBrokenLinks: 'throw'. Chapter content keeps evolving as toolchain versions move; if a pinned version drifts, the chapter that uses it is the source of truth.