Kubernetes — required design sections
Every `design.md` for a K8s-shaped feature must include the five sections below. Omit none; if a section genuinely does not apply, state so explicitly with a one-line justification — silent omissions hide scope gaps, and a reviewer (or `review-spec`) cannot tell absence-by-intent from absence-by-oversight.
Overview
Kubernetes — required design sections
Every design.md for a K8s-shaped feature must include the five sections below. Omit none; if a section genuinely does not apply, state so explicitly with a one-line justification — silent omissions hide scope gaps, and a reviewer (or review-spec) cannot tell absence-by-intent from absence-by-oversight.
Section order is not mandated; the sections must all be present. Cross-reference between sections liberally where a decision in one drives a constraint in another (e.g., a PSA level in Security posture constrains readOnlyRootFilesystem defaults in Reliability posture).
Cluster-compat matrix
- Minimum and maximum Kubernetes minor versions supported, with rationale. Pin to a specific minor (
1.28/1.29) — "latest" is not a support statement. - Required in-cluster addons with pinned minimum versions (e.g.,
cert-manager ≥ 1.13,metrics-server ≥ 0.7,CNI with NetworkPolicy support). - Third-party CRDs the feature installs or consumes, with exact installed versions. CRD schemas are version-pinned per operator release.
- Deprecation horizon — which API versions used by the feature are already
Deprecatedin the target minor, and the planned migration path before they are removed (e.g.,policy/v1beta1/PodDisruptionBudgetremoved in 1.25,batch/v1beta1/CronJobremoved in 1.25).
Resource budget
- Workload sizing — replica count range, requests and limits per container (CPU, memory). Justify the request (baseline steady-state) and the limit (burst ceiling / OOM guard) separately. Declare the intended QoS class:
Guaranteed(requests == limits on all containers — strongest eviction protection),Burstable, orBestEffort. - Ephemeral storage — for workloads writing to
emptyDiror the container writable layer (log buffers, scratch files, temp dirs), declareephemeral-storagerequests and limits — prevents node disk exhaustion and surprise eviction. - Priority and overhead —
PriorityClassname/value (system-cluster-critical,system-node-critical, custom application tier, or default / BestEffort). State whether preemption of lower-priority workloads is acceptable. Pod-overhead accounting if using non-defaultRuntimeClasses. - Autoscaling bounds — HPA
minReplicas/maxReplicaswith scale signal (CPU, memory, custom metric);behavior.scaleDown.stabilizationWindowSecondsandbehavior.scaleUp.policiestuned to prevent flapping under variable load. VPA mode (Off/Auto/Recreate/Initial) if enabled — noteAutoandRecreateboth evict Pods to apply recommendations;Initialsets requests only at Pod creation. - Storage —
PersistentVolumeClaimclass, size, access mode (ReadWriteOnce/ReadWriteOncePod/ReadWriteMany), andreclaimPolicy(Retainpreferred for production data —Deletedestroys the backing volume on PVC deletion; the policy is irreversible once the PV is bound). Expected growth rate; backup/restore SLO for stateful data. - Blast-radius estimate — if this feature consumes its whole budget (bad deploy, autoscaling runaway), which other workloads in the cluster starve first? Name them or declare the headroom.
Reliability posture
PodDisruptionBudgetdeclaration — choose eitherminAvailableormaxUnavailable(not both — the Kubernetes API rejects co-declaration with a 422). State the chosen value and the rationale tying it to the SLO.- Probes —
readinessProbe,livenessProbe, and (for slow-starting workloads)startupProbewith thresholds. Distinguish the three roles: readiness gates traffic; liveness restarts; startup delays liveness enforcement until the app is up. - Graceful shutdown —
terminationGracePeriodSecondsvalue andpreStophook semantics (drain, flush, deregister). - Spreading — prefer
topologySpreadConstraintsoverpodAntiAffinity(GA since K8s 1.19, more expressive for zone / node distribution) with concretetopologyKeyandmaxSkewvalues; ifpodAntiAffinityis chosen instead, state the rationale. - Container roles — separate concerns between init-containers (bootstrapping, migrations), sidecars (cross-cutting: log shippers, proxies, secret fetchers), and the application container. Document resource budget and restart semantics for each.
- Network routing — Service traffic distribution (
sessionAffinity,internalTrafficPolicy,externalTrafficPolicy) and topology-aware routing hints (service.kubernetes.io/topology-mode: auto— GA in 1.27) for multi-zone designs. - Rollout strategy —
RollingUpdatewithmaxSurge/maxUnavailabletuned for the workload, plusminReadySecondsandprogressDeadlineSecondsfor early-failure detection; orRecreatewith declared downtime window. Include rollback procedure and the observable signal that confirms rollback success.
Security posture
- RBAC — ServiceAccount scope (namespace, cluster); enumerated Role/ClusterRole verbs with a one-line justification per verb; explicit list of rejected over-privileged alternatives (e.g., "not granting
*onsecretsbecause X"). - NetworkPolicy — default-deny baseline across both ingress and egress, plus explicit allowed edges; cross-namespace allows called out individually; egress policy for external-facing traffic (DNS, vendor APIs).
- Pod Security — PSA level (
restricted/baseline/privileged; preferrestricted) and enforcement mode (enforce/audit/warn— a namespace inwarn/auditonly provides no actual enforcement);runAsNonRoot: true;runAsUserset to a non-zero UID (non-zero at the pod level overrides a container image's own USER instruction);readOnlyRootFilesystem: true;allowPrivilegeEscalation: false; dropped capabilities (drop: [ALL]+ minimaladd:);seccompProfile(RuntimeDefaultpreferred;Localhostfor custom profiles). State thefsGroupstrategy for any PVC-attached container. - Secrets — source (ESO / Sealed / native / workload identity); rotation frequency and owner; read access at rest (who / what service accounts).
imagePullSecretsprovisioning and rotation for private registries. - Supply chain — image digest-pinning policy (prefer digests over mutable tags); signature verification (cosign, notary); base-image selection and CVE-gating workflow; admission-time enforcement (if any).
Failure-mode narrative
- At least three concrete failure modes the feature must survive. For each: expected user-visible impact, detection signal (metric, log, alert), recovery path, and the person or team on the hook.
- Examples: one node drained during rollout; one zone lost; stateful backend latency spike; CRD controller unreachable; image-pull throttling at registry.
- Explicit out-of-scope failure modes — what the feature does NOT promise to handle, with the risk accepted and by whom.
- Rollback procedure — who triggers it (on-call, release engineer), how (GitOps revert,
helm rollback, canary flip), and the observable signal that confirms rollback succeeded. "Revert the commit" is not a rollback procedure; name the mechanism and the verification.