- Kustomize when: simple env differences, readable manifests, patching YAML
- Helm when: complex templating, third-party charts, release management
K8s Security Defaults
Every workload: non-root user, read-only filesystem, no privilege escalation, dropped capabilities, network policies.
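As an added example (not taken from the referenced KUBERNETES.md or its templates), the following Deployment applies every default in the list above, and the NetworkPolicy beside it enforces default-deny with only the traffic the workload needs. The namespace, labels, image, UID and the ingress-controller namespace are placeholders; the writable `emptyDir` at `/tmp` is the usual companion to a read-only root filesystem.

```yaml
# Added example: hardened Deployment + default-deny NetworkPolicy.
# All names, the image and the UID below are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: prod
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:                 # pod-level: every container runs non-root
        runAsNonRoot: true
        runAsUser: 10001               # placeholder UID that exists in the image
        runAsGroup: 10001
        fsGroup: 10001
      containers:
        - name: web
          image: registry.example.com/web:1.2.3   # placeholder
          ports:
            - containerPort: 8080
          securityContext:             # container-level defaults
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]            # add back single capabilities only if required
          volumeMounts:
            - name: tmp
              mountPath: /tmp          # only writable path, since the root fs is read-only
      volumes:
        - name: tmp
          emptyDir: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: ["Ingress", "Egress"]   # selecting both types makes everything
  ingress:                             # not listed below denied by default
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # placeholder
      ports:
        - port: 8080
  egress:
    - to:                              # DNS only; add app-specific egress as needed
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
```

A quick check after applying: `kubectl get pod -n prod -l app=web -o jsonpath='{.items[*].spec.containers[*].securityContext}'` should show the four container-level fields on every pod, and a pod with no matching NetworkPolicy rule should fail to reach anything but DNS.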
GitHub Actions Patterns
- CI workflow: lint, test, compile on PRs (run on both x86 + ARM)
- Release workflow: multi-arch Docker build on tags (native ARM runners)
- Pin actions by SHA, least-privilege permissions
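As an added example (not the workflow from the referenced GITHUB-ACTIONS.md), this CI workflow shows the three patterns together: a matrix that runs lint, test and compile on an x86 and an ARM runner, a top-level `permissions` block reduced to read-only, and actions pinned to a full commit SHA with the tag kept in a comment for readability. The SHAs are placeholders to be replaced with the real commit of the version you audit; `ubuntu-24.04-arm` is assumed to be the GitHub-hosted ARM runner label available to the repository.

```yaml
# Added example: CI workflow with SHA-pinned actions, least-privilege token
# and an x86 + ARM matrix. <40-char-commit-sha> values are placeholders.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Default token scope for every job: read the repo, nothing else.
permissions:
  contents: read

jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        runner: [ubuntu-latest, ubuntu-24.04-arm]   # x86_64 and arm64 (label assumed)
    runs-on: ${{ matrix.runner }}
    steps:
      # Pin by commit SHA, not by mutable tag; keep the tag as a comment so
      # reviewers (and Dependabot/Renovate) can still see what version it is.
      - uses: actions/checkout@<40-char-commit-sha>   # v4.x
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - uses: actions/setup-go@<40-char-commit-sha>   # v5.x
        with:
          go-version-file: go.mod

      - name: Lint
        run: go vet ./...

      - name: Test
        run: go test -race ./...

      - name: Compile
        run: go build ./...
```

On a tag-triggered release workflow the same structure applies, with the matrix building each architecture's image natively on its own runner and only that job given `packages: write`; jobs that do not push keep the read-only default.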
References
- KUBERNETES.md - K8s resource patterns
- TERRAFORM.md - Terraform module patterns
- GITHUB-ACTIONS.md - CI/CD workflow patterns
- MAKEFILE.md - Build automation patterns
- DOCKERFILE.md - Container build patterns
- templates/ - Ready-to-use templates
Commands
kubectl apply -k ./ # Apply kustomize
helm upgrade --install NAME . # Install/upgrade chart
terraform plan && terraform apply