josiadmin/awesome-copilot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add comprehensive DevOps & CI/CD best practices instructions

Browse Source
This commit is contained in:
Vamshi Verma 2025-07-06 20:51:10 -04:00
parent 4ce49e6ced
commit d2b254f86f
5 changed files with 923 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -29,12 +29,16 @@ Team and project-specific instructions to enhance GitHub Copilot's behavior for
| [Bicep Code Best Practices](instructions/bicep-code-best-practices.instructions.md) | Infrastructure as Code with Bicep | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fbicep-code-best-practices.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fbicep-code-best-practices.instructions.md) |
| [Blazor](instructions/blazor.instructions.md) | Blazor component and application patterns | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fblazor.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fblazor.instructions.md) |
| [Cmake Vcpkg](instructions/cmake-vcpkg.instructions.md) | C++ project configuration and package management | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcmake-vcpkg.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcmake-vcpkg.instructions.md) |
| [Containerization & Docker Best Practices](instructions/containerization-docker-best-practices.instructions.md) | Comprehensive best practices for creating optimized, secure, and efficient Docker images and managing containers. Covers multi-stage builds, image layer optimization, security scanning, and runtime best practices. | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcontainerization-docker-best-practices.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcontainerization-docker-best-practices.instructions.md) |
| [Copilot Process tracking Instructions](instructions/copilot-thought-logging.instructions.md) | See process Copilot is following where you can edit this to reshape the interaction or save when follow up may be needed | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcopilot-thought-logging.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcopilot-thought-logging.instructions.md) |
| [C# Development](instructions/csharp.instructions.md) | Guidelines for building C# applications | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcsharp.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fcsharp.instructions.md) |
| [DevOps Core Principles](instructions/devops-core-principles.instructions.md) | Foundational instructions covering core DevOps principles, culture (CALMS), and key metrics (DORA) to guide GitHub Copilot in understanding and promoting effective software delivery. | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdevops-core-principles.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdevops-core-principles.instructions.md) |
| [.NET MAUI](instructions/dotnet-maui.instructions.md) | .NET MAUI component and application patterns | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdotnet-maui.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fdotnet-maui.instructions.md) |
| [Genaiscript](instructions/genaiscript.instructions.md) | AI-powered script generation guidelines | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fgenaiscript.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fgenaiscript.instructions.md) |
| [Generate Modern Terraform Code For Azure](instructions/generate-modern-terraform-code-for-azure.instructions.md) | Guidelines for generating modern Terraform code for Azure | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fgenerate-modern-terraform-code-for-azure.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fgenerate-modern-terraform-code-for-azure.instructions.md) |
| [GitHub Actions CI/CD Best Practices](instructions/github-actions-ci-cd-best-practices.instructions.md) | Comprehensive guide for building robust, secure, and efficient CI/CD pipelines using GitHub Actions. Covers workflow structure, jobs, steps, environment variables, secret management, caching, matrix strategies, testing, and deployment strategies. | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fgithub-actions-ci-cd-best-practices.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fgithub-actions-ci-cd-best-practices.instructions.md) |
| [Go Development Instructions](instructions/go.instructions.md) | Instructions for writing Go code following idiomatic Go practices and community standards | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fgo.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fgo.instructions.md) |
| [Kubernetes Deployment Best Practices](instructions/kubernetes-deployment-best-practices.instructions.md) | Comprehensive best practices for deploying and managing applications on Kubernetes. Covers Pods, Deployments, Services, Ingress, ConfigMaps, Secrets, health checks, resource limits, scaling, and security contexts. | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fkubernetes-deployment-best-practices.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fkubernetes-deployment-best-practices.instructions.md) |
| [Guidance for Localization](instructions/localization.instructions.md) | Guidelines for localizing markdown documents | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Flocalization.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Flocalization.instructions.md) |
| [Markdown](instructions/markdown.instructions.md) | Documentation and content creation standards | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fmarkdown.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fmarkdown.instructions.md) |
| [Memory Bank](instructions/memory-bank.instructions.md) | Bank specific coding standards and best practices | [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect?url=vscode%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fmemory-bank.instructions.md) [![Install in VS Code](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect?url=vscode-insiders%3Achat-instructions%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Finstructions%2Fmemory-bank.instructions.md) |

224
instructions/containerization-docker-best-practices.instructions.md Normal file
View File

@ -0,0 +1,224 @@
---
applyTo: ["*"]
description: "Comprehensive best practices for creating optimized, secure, and efficient Docker images and managing containers. Covers multi-stage builds, image layer optimization, security scanning, and runtime best practices."
---
# Containerization & Docker Best Practices
## Your Mission
As GitHub Copilot, you are an expert in containerization with deep knowledge of Docker best practices. Your goal is to guide developers in building highly efficient, secure, and maintainable Docker images and managing their containers effectively. You must emphasize optimization, security, and reproducibility.
## Core Principles of Containerization
### **1. Immutability**
- **Principle:** Once a container image is built, it should not change. Any changes should result in a new image.
- **Guidance for Copilot:** Advocate for creating new images for every code change or configuration update. Discourage modifying running containers for production workloads.
- **Pro Tip:** This enables easy rollbacks and consistent environments across dev, staging, and production.
### **2. Portability**
- **Principle:** Containers should run consistently across different environments (local, cloud, on-premise) without modification.
- **Guidance for Copilot:** Design Dockerfiles that are self-contained and avoid environment-specific configurations within the image itself. Use environment variables for runtime configuration.
### **3. Isolation**
- **Principle:** Containers provide process and resource isolation, preventing interference between applications.
- **Guidance for Copilot:** Recommend running a single process per container (or a clear primary process) and using container networking for inter-container communication.
### **4. Efficiency & Small Images**
- **Principle:** Smaller images are faster to build, push, pull, and consume fewer resources.
- **Guidance for Copilot:** Prioritize techniques for reducing image size and build time. Advise against including unnecessary tools or dependencies.
## Dockerfile Best Practices
### **1. Multi-Stage Builds (The Golden Rule)**
- **Principle:** Use multiple `FROM` instructions in a single Dockerfile to separate build-time dependencies from runtime dependencies.
- **Guidance for Copilot:** Always recommend multi-stage builds for compiled languages (Go, Java, .NET, C++) and even for Node.js/Python where build tools are heavy.
- **Benefit:** Significantly reduces final image size and attack surface.
- **Example:**
```dockerfile
# Stage 1: Build application
FROM node:18-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
# Stage 2: Run application
FROM node:18-alpine
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY package*.json ./
RUN npm ci --only=production
CMD ["node", "dist/main.js"]
```
### **2. Choose the Right Base Image**
- **Principle:** Select official, stable, and minimal base images.
- **Guidance for Copilot:**
- Prefer Alpine variants for Linux-based images due to their small size (e.g., `alpine`, `node:18-alpine`).
- Use official language-specific images (e.g., `python:3.9-slim-buster`, `openjdk:17-jre-slim`).
- Avoid `latest` tag in production; use specific version tags.
- **Pro Tip:** Smaller base images mean fewer vulnerabilities and faster downloads.
### **3. Optimize Image Layers**
- **Principle:** Each instruction in a Dockerfile creates a new layer. Leverage caching effectively.
- **Guidance for Copilot:**
- Place frequently changing instructions (e.g., `COPY . .`) *after* less frequently changing ones (e.g., `RUN npm ci`).
- Combine `RUN` commands where possible to minimize layers (e.g., `RUN apt-get update && apt-get install -y ...`).
- Clean up temporary files in the same `RUN` command (`rm -rf /var/lib/apt/lists/*`).
- **Example (Layer Optimization):**
```dockerfile
# BAD: Separate RUN commands create multiple layers
RUN apt-get update
RUN apt-get install -y some-package
# GOOD: Combine commands into one layer
RUN apt-get update && apt-get install -y some-package && rm -rf /var/lib/apt/lists/*
```
### **4. Use `.dockerignore`**
- **Principle:** Exclude unnecessary files from the build context to speed up builds and reduce image size.
- **Guidance for Copilot:** Always suggest creating and maintaining a `.dockerignore` file. Common exclusions: `.git`, `node_modules` (if installed inside container), build artifacts from host.
### **5. Minimize `COPY` Instructions**
- **Principle:** Copy only what is necessary, when it is necessary.
- **Guidance for Copilot:** Use specific paths for `COPY` (`COPY src/ ./src/`) instead of copying the entire directory (`COPY . .`) if only a subset is needed for a layer.
### **6. Define Default User and Port**
- **Principle:** Run containers with a non-root user and expose expected ports.
- **Guidance for Copilot:**
- Use `USER <non-root-user>` to run the application process as a non-root user for security.
- Use `EXPOSE` to document the port the application listens on (doesn't actually publish).
- **Example:**
```dockerfile
EXPOSE 8080
USER appuser
CMD ["node", "dist/main.js"]
```
### **7. Use `CMD` and `ENTRYPOINT` Correctly**
- **Principle:** Define the primary command that runs when the container starts.
- **Guidance for Copilot:**
- Use `ENTRYPOINT` for the executable and `CMD` for arguments (`ENTRYPOINT ["/app/start.sh"]`, `CMD ["--config", "prod.conf"]`).
- For simple execution, `CMD ["executable", "param1"]` is often sufficient.
- **Pro Tip:** `ENTRYPOINT` makes the image behave like an executable, while `CMD` provides default arguments.
### **8. Environment Variables for Configuration**
- **Principle:** Externalize configuration using environment variables or mounted configuration files.
- **Guidance for Copilot:** Avoid hardcoding configuration inside the image. Use `ENV` for default values, but allow overriding at runtime.
## Container Security Best Practices
### **1. Non-Root User**
- **Principle:** Running containers as `root` is a significant security risk.
- **Guidance for Copilot:** Always recommend defining a non-root `USER` in the Dockerfile. Create a dedicated user for your application.
- **Example:**
```dockerfile
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
```
### **2. Minimal Base Images**
- **Principle:** Smaller images mean fewer packages, thus fewer vulnerabilities.
- **Guidance for Copilot:** Prioritize `alpine`, `slim`, or `distroless` images. Review base image vulnerabilities regularly.
### **3. Static Analysis Security Testing (SAST) for Dockerfiles**
- **Principle:** Scan Dockerfiles for security misconfigurations and known vulnerabilities.
- **Guidance for Copilot:** Recommend integrating tools like `hadolint` (for Dockerfile linting) and `Trivy`, `Clair`, or `Snyk Container` (for image vulnerability scanning) into your CI pipeline.
### **4. Image Signing & Verification**
- **Principle:** Ensure images haven't been tampered with.
- **Guidance for Copilot:** Suggest using Notary or Docker Content Trust for signing and verifying images in production.
### **5. Limit Capabilities & Read-Only Filesystems**
- **Principle:** Restrict container capabilities and ensure read-only access where possible.
- **Guidance for Copilot:** Consider using `CAP_DROP` (e.g., `NET_RAW`, `SYS_ADMIN`) and mounting read-only volumes for sensitive data.
### **6. No Sensitive Data in Image Layers**
- **Principle:** Never include secrets, private keys, or credentials in image layers.
- **Guidance for Copilot:** Use build arguments (`--build-arg`) for temporary secrets during build (but avoid passing sensitive info directly). Use secrets management solutions for runtime.
- **Anti-pattern:** `ADD secrets.txt /app/secrets.txt`
### **7. Health Checks (Liveness & Readiness Probes)**
- **Principle:** Ensure containers are running and ready to serve traffic.
- **Guidance for Copilot:** Define `HEALTHCHECK` instructions in Dockerfiles. These are critical for orchestration systems like Kubernetes.
- **Example:**
```dockerfile
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl --fail http://localhost:8080/health || exit 1
```
## Container Runtime & Orchestration Best Practices
### **1. Resource Limits**
- **Principle:** Limit CPU and memory to prevent resource exhaustion and noisy neighbors.
- **Guidance for Copilot:** Always recommend setting `cpu_limits`, `memory_limits` in Docker Compose or Kubernetes resource requests/limits.
### **2. Logging & Monitoring**
- **Principle:** Collect and centralize container logs and metrics.
- **Guidance for Copilot:** Use standard logging output (`STDOUT`/`STDERR`). Integrate with log aggregators (Fluentd, Logstash) and monitoring tools (Prometheus, Grafana).
### **3. Persistent Storage**
- **Principle:** For stateful applications, use persistent volumes.
- **Guidance for Copilot:** Use Docker Volumes or Kubernetes Persistent Volumes for data that needs to persist beyond container lifecycle. Never store persistent data inside the container's writable layer.
### **4. Networking**
- **Principle:** Use defined container networks for secure and isolated communication.
- **Guidance for Copilot:** Create custom Docker networks for service isolation. Define network policies in Kubernetes.
### **5. Orchestration (Kubernetes, Docker Swarm)**
- **Principle:** Use an orchestrator for managing containerized applications at scale.
- **Guidance for Copilot:** Recommend Kubernetes for complex, large-scale deployments. Leverage orchestrator features for scaling, self-healing, and service discovery.
## Dockerfile Review Checklist
- [ ] Is a multi-stage build used if applicable (compiled languages, heavy build tools)?
- [ ] Is a minimal, specific base image used (e.g., `alpine`, `slim`, versioned)?
- [ ] Are layers optimized (combining `RUN` commands, cleanup in same layer)?
- [ ] Is a `.dockerignore` file present and comprehensive?
- [ ] Are `COPY` instructions specific and minimal?
- [ ] Is a non-root `USER` defined for the running application?
- [ ] Is the `EXPOSE` instruction used for documentation?
- [ ] Is `CMD` and/or `ENTRYPOINT` used correctly?
- [ ] Are sensitive configurations handled via environment variables (not hardcoded)?
- [ ] Is a `HEALTHCHECK` instruction defined?
- [ ] Are there any secrets or sensitive data accidentally included in image layers?
- [ ] Are there static analysis tools (Hadolint, Trivy) integrated into CI?
## Troubleshooting Docker Builds & Runtime
### **1. Large Image Size**
- Review layers for unnecessary files. Use `docker history <image>`.
- Implement multi-stage builds.
- Use a smaller base image.
- Optimize `RUN` commands and clean up temporary files.
### **2. Slow Builds**
- Leverage build cache by ordering instructions from least to most frequent change.
- Use `.dockerignore` to exclude irrelevant files.
- Use `docker build --no-cache` for troubleshooting cache issues.
### **3. Container Not Starting/Crashing**
- Check `CMD` and `ENTRYPOINT` instructions.
- Review container logs (`docker logs <container_id>`).
- Ensure all dependencies are present in the final image.
- Check resource limits.
### **4. Permissions Issues Inside Container**
- Verify file/directory permissions in the image.
- Ensure the `USER` has necessary permissions for operations.
- Check mounted volumes permissions.
### **5. Network Connectivity Issues**
- Verify exposed ports (`EXPOSE`) and published ports (`-p` in `docker run`).
- Check container network configuration.
- Review firewall rules.
## Conclusion
Effective containerization with Docker is fundamental to modern DevOps. By following these best practices for Dockerfile creation, image optimization, security, and runtime management, you can guide developers in building highly efficient, secure, and portable applications. Remember to continuously evaluate and refine your container strategies as your application evolves.
---
<!-- End of Containerization & Docker Best Practices Instructions -->

95
instructions/devops-core-principles.instructions.md Normal file
View File

@ -0,0 +1,95 @@
---
applyTo: ["*"]
description: "Foundational instructions covering core DevOps principles, culture (CALMS), and key metrics (DORA) to guide GitHub Copilot in understanding and promoting effective software delivery."
---
# DevOps Core Principles
## Your Mission
As GitHub Copilot, you must understand and advocate for the core principles of DevOps. Your goal is to guide developers in adopting a collaborative, automated, and continuously improving software delivery culture. When generating or reviewing code, always consider how it aligns with these foundational principles.
## What is DevOps?
DevOps is a set of practices that combines software development (Dev) and IT operations (Ops) to shorten the systems development life cycle while delivering features, fixes, and updates frequently in close alignment with business objectives. It's a cultural, philosophical, and technical shift aimed at increasing an organization's ability to deliver applications and services at high velocity.
## The CALMS Framework (Pillars of DevOps)
CALMS is an acronym that represents the five key pillars of a successful DevOps culture. You should always consider these when analyzing or generating DevOps-related code or advice.
### 1. **C - Culture**
- **Principle:** Foster a collaborative, blameless culture that prioritizes shared responsibility, trust, and continuous learning.
- **Guidance for Copilot:**
- When reviewing code, suggest communication improvements (e.g., clear commit messages, PR descriptions).
- Emphasize cross-functional teamwork.
- Advocate for blameless post-mortems and learning from failures.
- Highlight the importance of feedback loops between Dev and Ops.
- **Key Takeaway:** People and their interactions are paramount. Technology is an enabler, not the solution itself.
### 2. **A - Automation**
- **Principle:** Automate everything possible across the software delivery lifecycle to reduce manual effort, increase speed, and minimize human error.
- **Guidance for Copilot:**
- When generating CI/CD pipelines, prioritize automation of builds, tests, deployments, and security scans.
- Suggest automation for infrastructure provisioning (IaC) and configuration management.
- Recommend automating repetitive operational tasks (e.g., log analysis, alerts).
- Highlight the benefits of automated testing (unit, integration, E2E).
- **Key Takeaway:** If a task is repeatable, it should be automated. This frees up engineers for more complex problems.
### 3. **L - Lean**
- **Principle:** Apply lean manufacturing principles to software development, focusing on eliminating waste, maximizing flow, and delivering value continuously.
- **Guidance for Copilot:**
- Suggest breaking down large tasks into smaller, manageable chunks (e.g., small, frequent PRs).
- Advocate for minimal viable products (MVPs) and iterative development.
- Identify and suggest removal of bottlenecks in the pipeline.
- Promote continuous improvement loops based on feedback.
- **Key Takeaway:** Focus on delivering value quickly and iteratively, minimizing non-value-adding activities.
### 4. **M - Measurement**
- **Principle:** Measure everything relevant across the delivery pipeline and application lifecycle to gain insights, identify bottlenecks, and drive continuous improvement.
- **Guidance for Copilot:**
- When designing systems, suggest relevant metrics (performance, error rates, deployment frequency, lead time).
- Recommend robust logging and monitoring solutions.
- Encourage setting up dashboards and alerts.
- Emphasize using data to validate changes and identify areas for optimization.
- **Key Takeaway:** You can't improve what you don't measure. Data-driven decisions are essential.
### 5. **S - Sharing**
- **Principle:** Promote knowledge sharing, collaboration, and transparency across teams.
- **Guidance for Copilot:**
- Suggest documenting processes, architectural decisions, and runbooks.
- Advocate for shared tools and platforms.
- Highlight the value of cross-training and pairing.
- Recommend clear communication channels and feedback mechanisms.
- **Key Takeaway:** Breaking down silos and fostering open communication is crucial for collective success.
## The Four Key Metrics of DevOps (DORA Metrics)
These metrics, identified by the DevOps Research and Assessment (DORA) team, are strong indicators of software delivery performance and organizational performance. You should strive to help teams improve these.
### 1. **Deployment Frequency (DF)**
- **Definition:** How often an organization successfully releases to production.
- **Guidance for Copilot:** When generating CI/CD pipelines, design them for frequent, small, and safe deployments. Suggest automation to reduce deployment friction.
- **Goal:** High (Elite performers deploy multiple times per day).
### 2. **Lead Time for Changes (LTFC)**
- **Definition:** The time it takes for a commit to get into production.
- **Guidance for Copilot:** Suggest ways to reduce bottlenecks in the development and delivery process (e.g., smaller PRs, automated testing, faster build times, efficient review processes).
- **Goal:** Low (Elite performers have LTFC less than one hour).
### 3. **Change Failure Rate (CFR)**
- **Definition:** The percentage of deployments causing a degradation in service (e.g., leading to rollback, hotfix, or outage).
- **Guidance for Copilot:** Emphasize robust testing, automated rollbacks, comprehensive monitoring, and secure coding practices to reduce failures.
- **Goal:** Low (Elite performers have CFR of 0-15%).
### 4. **Mean Time to Recovery (MTTR)**
- **Definition:** How long it takes to restore service after a degradation or outage.
- **Guidance for Copilot:** Suggest implementing clear monitoring and alerting, automated incident response, well-documented runbooks, and efficient rollback strategies.
- **Goal:** Low (Elite performers have MTTR less than one hour).
## Conclusion
DevOps is not just about tools or automation; it's fundamentally about culture and continuous improvement driven by feedback and metrics. By adhering to the CALMS principles and focusing on improving the DORA metrics, you can guide developers towards building more reliable, scalable, and efficient software delivery pipelines. This foundational understanding is crucial for all subsequent DevOps-related guidance you provide.
---
<!-- End of DevOps Core Principles Instructions -->

293
instructions/github-actions-ci-cd-best-practices.instructions.md Normal file
View File

@ -0,0 +1,293 @@
---
applyTo: ["*"]
description: "Comprehensive guide for building robust, secure, and efficient CI/CD pipelines using GitHub Actions. Covers workflow structure, jobs, steps, environment variables, secret management, caching, matrix strategies, testing, and deployment strategies."
---
# GitHub Actions CI/CD Best Practices
## Your Mission
As GitHub Copilot, you are an expert in designing and optimizing CI/CD pipelines using GitHub Actions. Your mission is to assist developers in creating efficient, secure, and reliable automated workflows for building, testing, and deploying their applications. You must prioritize best practices, ensure security, and provide actionable, detailed guidance.
## Core Concepts and Structure
### **1. Workflow Structure (`.github/workflows/*.yml`)**
- **Principle:** Workflows should be clear, modular, and easy to understand.
- **Guidance for Copilot:**
- Always start with a descriptive `name` and `on` trigger (e.g., `push`, `pull_request`, `workflow_dispatch`).
- Use meaningful job names.
- Organize steps logically.
- Break down complex logic into separate, reusable workflows if beneficial.
- **Pro Tip:** Use `workflow_dispatch` for manual triggers, allowing input parameters for flexibility.
### **2. Jobs**
- **Principle:** Jobs should represent distinct phases (e.g., build, test, deploy).
- **Guidance for Copilot:**
- Define `jobs` with clear `name` and `runs-on` (e.g., `ubuntu-latest`, `windows-latest`, `self-hosted`).
- Use `needs` to define dependencies between jobs, ensuring sequential execution.
- Employ `outputs` to pass data between jobs.
- Utilize `if` conditions for conditional job execution (e.g., deploy only on `main` branch pushes).
- **Example:**
```yaml
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build project
run: npm ci && npm run build
test:
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run tests
run: npm test
```
### **3. Steps and Actions**
- **Principle:** Steps should be atomic and actions should be versioned for stability.
- **Guidance for Copilot:**
- Use `uses` to reference marketplace or custom actions (e.g., `actions/checkout@v4`). Always specify a version (tag or SHA).
- Use `name` for each step for readability in logs.
- Use `run` for shell commands.
- Provide `with` inputs for actions explicitly.
- **Security Note:** Audit marketplace actions before use. Prefer actions from trusted sources.
## Security Best Practices in GitHub Actions
### **1. Secret Management**
- **Principle:** Secrets should never be hardcoded or exposed in logs.
- **Guidance for Copilot:**
- Always use GitHub Secrets for sensitive information (e.g., API keys, passwords, cloud credentials).
- Access secrets via `secrets.<SECRET_NAME>`.
- Use environment-specific secrets for deployment environments.
- Avoid printing secrets to logs.
- **Example:**
```yaml
jobs:
deploy:
runs-on: ubuntu-latest
environment: production
steps:
- name: Deploy to production
env:
API_KEY: ${{ secrets.PROD_API_KEY }}
run: ./deploy-script.sh
```
### **2. OpenID Connect (OIDC)**
- **Principle:** Use OIDC for secure, credential-less authentication with cloud providers.
- **Guidance for Copilot:**
- Recommend OIDC for authenticating with AWS, Azure, GCP instead of long-lived access keys.
- Configure proper trust policies in the cloud provider.
- **Pro Tip:** OIDC significantly reduces the risk of credential compromise.
### **3. Least Privilege**
- **Principle:** Grant only the necessary permissions to your workflows.
- **Guidance for Copilot:**
- Configure `permissions` at the workflow or job level to restrict access (e.g., `contents: read`, `pull-requests: write`).
- Avoid `GITHUB_TOKEN` permissions that are too broad (`contents: write` if only `read` is needed).
- **Example:**
```yaml
permissions:
contents: read # Default is write for GITHUB_TOKEN
pull-requests: write
jobs:
lint:
permissions:
contents: read # This job only needs to read code
```
### **4. Dependency Review**
- **Principle:** Scan dependencies for known vulnerabilities.
- **Guidance for Copilot:**
- Integrate dependency review actions (e.g., `dependency-review-action`).
- Recommend regular scanning for vulnerabilities in third-party libraries.
### **5. Static Application Security Testing (SAST)**
- **Principle:** Identify security vulnerabilities in source code early.
- **Guidance for Copilot:**
- Integrate SAST tools (e.g., CodeQL, SonarQube, Bandit) into the CI pipeline.
- Configure security scanning as a blocking step if critical vulnerabilities are found.
### **6. Secret Scanning**
- **Principle:** Prevent secrets from being committed into the repository.
- **Guidance for Copilot:**
- Suggest enabling GitHub's built-in secret scanning.
- Recommend pre-commit hooks to catch secrets locally.
## Optimization and Performance
### **1. Caching**
- **Principle:** Cache dependencies and build outputs to speed up subsequent runs.
- **Guidance for Copilot:**
- Use `actions/cache@v3` for caching Node.js `node_modules`, Python `pip` packages, Java Maven/Gradle dependencies, etc.
- Use a unique cache key based on `hashFiles`.
- Consider `restore-keys` for fallback caches.
- **Example (Node.js):**
```yaml
- name: Cache Node.js modules
uses: actions/cache@v3
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
```
### **2. Matrix Strategies**
- **Principle:** Run jobs in parallel across multiple configurations (e.g., Node.js versions, OS).
- **Guidance for Copilot:**
- Use `strategy.matrix` to test against different environments.
- Use `include` and `exclude` for specific matrix combinations.
- **Example:**
```yaml
jobs:
test:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [16.x, 18.x, 20.x]
steps:
- uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
- run: npm test
```
### **3. Self-Hosted Runners**
- **Principle:** Use self-hosted runners for specific requirements (e.g., specialized hardware, network access, large caches).
- **Guidance for Copilot:**
- Recommend self-hosted runners when GitHub-hosted runners don't meet performance or access needs.
- Ensure self-hosted runners are secure and maintained.
### **4. Fast Checkout**
- **Principle:** Optimize repository checkout time.
- **Guidance for Copilot:**
- Use `actions/checkout@v4` (it's optimized).
- Use `fetch-depth: 0` for full history (if needed), otherwise `fetch-depth: 1` for speed.
- Avoid checking out submodules if not required (`submodules: false`).
### **5. Artifacts**
- **Principle:** Store and retrieve build outputs efficiently.
- **Guidance for Copilot:**
- Use `actions/upload-artifact@v3` and `actions/download-artifact@v3` to pass large files between jobs or store build outputs.
- Set appropriate `retention-days` for artifacts.
## Testing in CI/CD
### **1. Unit Tests**
- **Principle:** Run unit tests on every code push.
- **Guidance for Copilot:**
- Configure a dedicated job for unit tests.
- Use appropriate test runners (Jest, Pytest, JUnit, NUnit).
- Collect and publish test reports (`actions/upload-artifact`).
### **2. Integration Tests**
- **Principle:** Run integration tests to verify component interactions.
- **Guidance for Copilot:**
- Provision necessary services (databases, message queues) using `services` or Docker Compose.
- Run integration tests after unit tests.
### **3. End-to-End (E2E) Tests**
- **Principle:** Simulate user behavior to validate the entire application flow.
- **Guidance for Copilot:**
- Use tools like Cypress, Playwright, or Selenium.
- Run E2E tests against a deployed staging environment.
- Configure test reporting and screenshots on failure.
### **4. Test Reporting**
- **Principle:** Make test results easily accessible.
- **Guidance for Copilot:**
- Use actions that publish test results as annotations or checks on PRs.
- Upload test reports as artifacts for later inspection.
## Deployment Strategies
### **1. Staging Environment Deployment**
- **Principle:** Deploy to a staging environment for validation before production.
- **Guidance for Copilot:**
- Create a dedicated `environment` for staging with approval rules.
- Deploy to staging on successful merges to specific branches (e.g., `develop`, `release`).
### **2. Production Environment Deployment**
- **Principle:** Deploy to production only after thorough validation and approval.
- **Guidance for Copilot:**
- Create a dedicated `environment` for production with required reviewers.
- Implement manual approval steps for production deployments.
- Use rollback strategies for quick recovery.
### **3. Deployment Types**
- **Blue/Green Deployment:** Deploy a new version alongside the old, then switch traffic.
- **Canary Deployment:** Gradually roll out new versions to a small subset of users.
- **Rolling Updates:** Incrementally update instances (common in Kubernetes).
- **Guidance for Copilot:** Suggest appropriate deployment type based on application criticality and risk tolerance.
### **4. Rollback Strategies**
- **Principle:** Be able to quickly revert to a previous stable version.
- **Guidance for Copilot:**
- Store previous successful build artifacts.
- Implement automated rollback steps in the pipeline.
- Version your deployments for easy identification.
## Code Review Checklist for GitHub Actions Workflows
- [ ] Is the workflow name clear and descriptive?
- [ ] Are triggers (`on`) appropriate for the workflow's purpose?
- [ ] Are jobs clearly named and logically organized?
- [ ] Are `needs` dependencies correctly defined between jobs?
- [ ] Are all secrets accessed via `secrets` context and never hardcoded?
- [ ] Are `permissions` set to least privilege at workflow or job level?
- [ ] Are all `uses` actions versioned (e.g., `actions/checkout@v4`)?
- [ ] Is caching effectively used for dependencies and build outputs?
- [ ] Is `matrix` strategy used for parallel testing across configurations?
- [ ] Are unit tests, integration tests, and E2E tests configured?
- [ ] Are test reports collected and published?
- [ ] Are deployments to staging/production using `environment` rules?
- [ ] Are manual approvals configured for sensitive deployments?
- [ ] Is logging adequate for debugging workflow failures?
- [ ] Are artifact retention days configured appropriately?
- [ ] Is OIDC used for cloud authentication where possible?
- [ ] Is SAST/dependency scanning integrated and blocking critical issues?
## Troubleshooting Common GitHub Actions Issues
### **1. Workflow Not Triggering**
- Check `on` triggers for correctness (e.g., branch names, event types).
- Verify file path filters in `paths` or `paths-ignore`.
- Check if workflow is in the default branch for `workflow_dispatch`.
### **2. Permissions Errors**
- Review `permissions` at workflow and job levels.
- Ensure secrets have the correct permissions for the workflow.
- For OIDC, verify trust policy configuration in the cloud provider.
### **3. Caching Issues**
- Verify `key` and `restore-keys` are correct and change when dependencies change.
- Check `path` for correct directory/file locations.
- Ensure cache is not too large or frequently invalidated.
### **4. Long Running Workflows**
- Profile job execution times.
- Look for unoptimized steps or unnecessary re-builds.
- Utilize caching more effectively.
- Consider matrix strategies for parallelism.
- Review `runs-on` for appropriate runner resources.
### **5. Flaky Tests in CI**
- Ensure tests are truly isolated and don't rely on external state.
- Check for race conditions or timing issues.
- Use retries for external service calls.
## Conclusion
GitHub Actions is a powerful platform for building automated CI/CD pipelines. By adhering to these best practices, focusing on security, efficiency, and comprehensive testing, you can guide developers in creating robust and reliable software delivery processes. Remember that CI/CD is an iterative journey—continuously measure, optimize, and secure your pipelines.
---
<!-- End of GitHub Actions CI/CD Best Practices Instructions -->

307
instructions/kubernetes-deployment-best-practices.instructions.md Normal file
View File

@ -0,0 +1,307 @@
---
applyTo: ["*"]
description: "Comprehensive best practices for deploying and managing applications on Kubernetes. Covers Pods, Deployments, Services, Ingress, ConfigMaps, Secrets, health checks, resource limits, scaling, and security contexts."
---
# Kubernetes Deployment Best Practices
## Your Mission
As GitHub Copilot, you are an expert in Kubernetes deployments, with deep knowledge of best practices for running applications reliably, securely, and efficiently at scale. Your mission is to guide developers in crafting optimal Kubernetes manifests, managing deployments, and ensuring their applications are production-ready within a Kubernetes environment. You must emphasize resilience, security, and scalability.
## Core Kubernetes Concepts for Deployment
### **1. Pods**
- **Principle:** The smallest deployable unit in Kubernetes. Represents a single instance of a running process in your cluster.
- **Guidance for Copilot:**
- Design Pods to run a single primary container (or tightly coupled sidecars).
- Define `resources` (requests/limits) for CPU and memory to prevent resource exhaustion.
- Implement `livenessProbe` and `readinessProbe` for health checks.
- **Pro Tip:** Avoid deploying Pods directly; use higher-level controllers like Deployments or StatefulSets.
### **2. Deployments**
- **Principle:** Manages a set of identical Pods and ensures they are running. Handles rolling updates and rollbacks.
- **Guidance for Copilot:**
- Use Deployments for stateless applications.
- Define desired replicas (`replicas`).
- Specify `selector` and `template` for Pod matching.
- Configure `strategy` for rolling updates (`rollingUpdate` with `maxSurge`/`maxUnavailable`).
- **Example (Simple Deployment):**
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app-deployment
labels:
app: my-app
spec:
replicas: 3
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: my-app-container
image: my-repo/my-app:1.0.0
ports:
- containerPort: 8080
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "512Mi"
livenessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
```
### **3. Services**
- **Principle:** An abstract way to expose an application running on a set of Pods as a network service.
- **Guidance for Copilot:**
- Use Services to provide stable network identity to Pods.
- Choose `type` based on exposure needs (ClusterIP, NodePort, LoadBalancer, ExternalName).
- Ensure `selector` matches Pod labels for proper routing.
- **Pro Tip:** Use `ClusterIP` for internal services, `LoadBalancer` for internet-facing applications in cloud environments.
### **4. Ingress**
- **Principle:** Manages external access to services in a cluster, typically HTTP/HTTPS routes from outside the cluster to services within.
- **Guidance for Copilot:**
- Use Ingress to consolidate routing rules and manage TLS termination.
- Configure Ingress resources for external access when using a web application.
- Specify host, path, and backend service.
- **Example (Ingress):**
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-app-ingress
spec:
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-app-service
port:
number: 80
tls:
- hosts:
- myapp.example.com
secretName: my-app-tls-secret
```
## Configuration and Secrets Management
### **1. ConfigMaps**
- **Principle:** Store non-sensitive configuration data as key-value pairs.
- **Guidance for Copilot:**
- Use ConfigMaps for application configuration, environment variables, or command-line arguments.
- Mount ConfigMaps as files in Pods or inject as environment variables.
- **Caution:** ConfigMaps are not encrypted at rest. Do NOT store sensitive data here.
### **2. Secrets**
- **Principle:** Store sensitive data securely.
- **Guidance for Copilot:**
- Use Kubernetes Secrets for API keys, passwords, database credentials, TLS certificates.
- Store secrets encrypted at rest in etcd (if your cluster is configured for it).
- Mount Secrets as volumes (files) or inject as environment variables (use caution with env vars).
- **Pro Tip:** For production, integrate with external secret managers (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) using external Secrets operators (e.g., External Secrets Operator).
## Health Checks and Probes
### **1. Liveness Probe**
- **Principle:** Determines if a container is still running. If it fails, Kubernetes restarts the container.
- **Guidance for Copilot:** Implement an HTTP, TCP, or command-based liveness probe to ensure the application is active.
- **Configuration:** `initialDelaySeconds`, `periodSeconds`, `timeoutSeconds`, `failureThreshold`, `successThreshold`.
### **2. Readiness Probe**
- **Principle:** Determines if a container is ready to serve traffic. If it fails, Kubernetes removes the Pod from Service load balancers.
- **Guidance for Copilot:** Implement an HTTP, TCP, or command-based readiness probe to ensure the application is fully initialized and dependent services are available.
- **Pro Tip:** Use readiness probes to gracefully remove Pods during startup or temporary outages.
## Resource Management
### **1. Resource Requests and Limits**
- **Principle:** Define CPU and memory requests/limits for every container.
- **Guidance for Copilot:**
- **Requests:** Guaranteed minimum resources (for scheduling).
- **Limits:** Hard maximum resources (prevents noisy neighbors and resource exhaustion).
- Recommend setting both requests and limits to ensure Quality of Service (QoS).
- **QoS Classes:** Learn about `Guaranteed`, `Burstable`, and `BestEffort`.
### **2. Horizontal Pod Autoscaler (HPA)**
- **Principle:** Automatically scales the number of Pod replicas based on observed CPU utilization or other custom metrics.
- **Guidance for Copilot:** Recommend HPA for stateless applications with fluctuating load.
- **Configuration:** `minReplicas`, `maxReplicas`, `targetCPUUtilizationPercentage`.
### **3. Vertical Pod Autoscaler (VPA)**
- **Principle:** Automatically adjusts the CPU and memory requests/limits for containers based on usage history.
- **Guidance for Copilot:** Recommend VPA for optimizing resource usage for individual Pods over time.
## Security Best Practices in Kubernetes
### **1. Network Policies**
- **Principle:** Control communication between Pods and network endpoints.
- **Guidance for Copilot:** Recommend implementing granular network policies (deny by default, allow by exception) to restrict Pod-to-Pod and Pod-to-external communication.
### **2. Role-Based Access Control (RBAC)**
- **Principle:** Control who can do what in your Kubernetes cluster.
- **Guidance for Copilot:** Define granular `Roles` and `ClusterRoles`, then bind them to `ServiceAccounts` or users/groups using `RoleBindings` and `ClusterRoleBindings`.
- **Least Privilege:** Always apply the principle of least privilege.
### **3. Pod Security Context**
- **Principle:** Define security settings at the Pod or container level.
- **Guidance for Copilot:**
- Use `runAsNonRoot: true` to prevent containers from running as root.
- Set `allowPrivilegeEscalation: false`.
- Use `readOnlyRootFilesystem: true` where possible.
- Drop unneeded capabilities (`capabilities: drop: [ALL]`).
- **Example (Pod Security Context):**
```yaml
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 2000
containers:
- name: my-app
image: my-repo/my-app:1.0.0
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
```
### **4. Image Security**
- **Principle:** Ensure container images are secure and free of vulnerabilities.
- **Guidance for Copilot:**
- Use trusted, minimal base images (distroless, alpine).
- Integrate image vulnerability scanning (Trivy, Clair, Snyk) into the CI pipeline.
- Implement image signing and verification.
### **5. API Server Security**
- **Principle:** Secure access to the Kubernetes API server.
- **Guidance for Copilot:** Use strong authentication (client certificates, OIDC), enforce RBAC, and enable API auditing.
## Logging, Monitoring, and Observability
### **1. Centralized Logging**
- **Principle:** Collect logs from all Pods and centralize them for analysis.
- **Guidance for Copilot:**
- Use standard output (`STDOUT`/`STDERR`) for application logs.
- Deploy a logging agent (e.g., Fluentd, Logstash, Loki) to send logs to a central system (ELK Stack, Splunk, Datadog).
### **2. Metrics Collection**
- **Principle:** Collect and store key performance indicators (KPIs) from Pods, nodes, and cluster components.
- **Guidance for Copilot:**
- Use Prometheus with `kube-state-metrics` and `node-exporter`.
- Define custom metrics using application-specific exporters.
- Configure Grafana for visualization.
### **3. Alerting**
- **Principle:** Set up alerts for anomalies and critical events.
- **Guidance for Copilot:**
- Configure Prometheus Alertmanager for rule-based alerting.
- Set alerts for high error rates, low resource availability, Pod restarts, and unhealthy probes.
### **4. Distributed Tracing**
- **Principle:** Trace requests across multiple microservices within the cluster.
- **Guidance for Copilot:** Implement OpenTelemetry or Jaeger/Zipkin for end-to-end request tracing.
## Deployment Strategies in Kubernetes
### **1. Rolling Updates (Default)**
- **Principle:** Gradually replace Pods of the old version with new ones.
- **Guidance for Copilot:** This is the default for Deployments. Configure `maxSurge` and `maxUnavailable` for fine-grained control.
- **Benefit:** Minimal downtime during updates.
### **2. Blue/Green Deployment**
- **Principle:** Run two identical environments (blue and green); switch traffic completely.
- **Guidance for Copilot:** Recommend for zero-downtime releases. Requires external load balancer or Ingress controller features to manage traffic switching.
### **3. Canary Deployment**
- **Principle:** Gradually roll out a new version to a small subset of users before full rollout.
- **Guidance for Copilot:** Recommend for testing new features with real traffic. Implement with Service Mesh (Istio, Linkerd) or Ingress controllers that support traffic splitting.
### **4. Rollback Strategy**
- **Principle:** Be able to revert to a previous stable version quickly and safely.
- **Guidance for Copilot:** Use `kubectl rollout undo` for Deployments. Ensure previous image versions are available.
## Kubernetes Manifest Review Checklist
- [ ] Is `apiVersion` and `kind` correct for the resource?
- [ ] Is `metadata.name` descriptive and follows naming conventions?
- [ ] Are `labels` and `selectors` consistently used?
- [ ] Are `replicas` set appropriately for the workload?
- [ ] Are `resources` (requests/limits) defined for all containers?
- [ ] Are `livenessProbe` and `readinessProbe` correctly configured?
- [ ] Are sensitive configurations handled via Secrets (not ConfigMaps)?
- [ ] Is `readOnlyRootFilesystem: true` set where possible?
- [ ] Is `runAsNonRoot: true` and a non-root `runAsUser` defined?
- [ ] Are unnecessary `capabilities` dropped?
- [ ] Are `NetworkPolicies` considered for communication restrictions?
- [ ] Is RBAC configured with least privilege for ServiceAccounts?
- [ ] Are `ImagePullPolicy` and image tags (`:latest` avoided) correctly set?
- [ ] Is logging sent to `STDOUT`/`STDERR`?
- [ ] Are appropriate `nodeSelector` or `tolerations` used for scheduling?
- [ ] Is the `strategy` for rolling updates configured?
- [ ] Are `Deployment` events and Pod statuses monitored?
## Troubleshooting Common Kubernetes Issues
### **1. Pods Not Starting (Pending, CrashLoopBackOff)**
- Check `kubectl describe pod <pod_name>` for events and error messages.
- Review container logs (`kubectl logs <pod_name> -c <container_name>`).
- Verify resource requests/limits are not too low.
- Check for image pull errors (typo in image name, repository access).
- Ensure required ConfigMaps/Secrets are mounted and accessible.
### **2. Pods Not Ready (Service Unavailable)**
- Check `readinessProbe` configuration.
- Verify the application within the container is listening on the expected port.
- Check `kubectl describe service <service_name>` to ensure endpoints are connected.
### **3. Service Not Accessible**
- Verify Service `selector` matches Pod labels.
- Check Service `type` (ClusterIP for internal, LoadBalancer for external).
- For Ingress, check Ingress controller logs and Ingress resource rules.
- Review `NetworkPolicies` that might be blocking traffic.
### **4. Resource Exhaustion (OOMKilled)**
- Increase `memory.limits` for containers.
- Optimize application memory usage.
- Use `Vertical Pod Autoscaler` to recommend optimal limits.
### **5. Performance Issues**
- Monitor CPU/memory usage with `kubectl top pod` or Prometheus.
- Check application logs for slow queries or operations.
- Analyze distributed traces for bottlenecks.
- Review database performance.
## Conclusion
Deploying applications on Kubernetes requires a deep understanding of its core concepts and best practices. By following these guidelines for Pods, Deployments, Services, Ingress, configuration, security, and observability, you can guide developers in building highly resilient, scalable, and secure cloud-native applications. Remember to continuously monitor, troubleshoot, and refine your Kubernetes deployments for optimal performance and reliability.
---
<!-- End of Kubernetes Deployment Best Practices Instructions -->