System Context
This chapter establishes the operating rule for the rest of the course: keep change boundaries narrow enough that investigation and rollback stay obvious.
The platform is only half of the story. The application itself must be built with Kubernetes-native operational contracts:
- Health probes (liveness/readiness)
- Graceful shutdown
- Structured telemetry
- Signed delivery artifacts
Local Git Guardrails (Pre-Hooks)
We use local hooks to catch risky workflow mistakes early on the workstation, before CI even starts.
Install and verify local hooks:
make install-hooks
pre-commit run --all-files
These hooks enforce:
- Protected Branch Guard: Blocks direct commits to main.
- Secret Blocking: Prevents committing files like kubeconfig or .env.
- Manifest Validation: Ensures Flux/Kustomize renders are valid.
Safe Workflow (Step-by-Step)
- Verify Context: Check your current cluster and namespace.
- Produce Plan/Diff: Always generate a Terraform plan or GitOps diff first.
- Review: Look for correlated changes (e.g., mixing networking with app changes).
- Apply One by One: Apply only one change type at a time.
- Verify: Check health and routing separately after each apply.
- Prepare Rollback: Have your rollback commands ready before you merge.
Demo Commands
A. Kubernetes context/namespace guard
# Verify you are in the right environment
scripts/guard-kube-context.sh \
--context sre-control-plane \
--namespace develop
B. Terraform plan-before-apply guard
# 1. Create plan + metadata marker
scripts/guard-terraform-plan.sh plan \
--dir infra/terraform/hcloud_cluster \
--out tfplan
# 2. Apply only from a fresh, reviewed planfile
scripts/guard-terraform-plan.sh apply \
--dir infra/terraform/hcloud_cluster \
--out tfplan \
--max-age-minutes 60
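One way a plan-before-apply guard can enforce "fresh, reviewed planfile" is sketched below as an added example; it is not the course's guard-terraform-plan.sh. The function names, the `.meta` marker format and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the course's guard-terraform-plan.sh.
# Marker format (assumed): "<created-epoch-seconds> <sha256-of-planfile>".

# SHA-256 of a file; works with GNU coreutils (sha256sum) or macOS (shasum).
plan_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# "plan" step: record when the plan was made and what its bytes hashed to.
# $1 = planfile, $2 = optional creation time in epoch seconds (default: now)
write_plan_marker() {
  _plan=$1
  _created=${2:-$(date +%s)}
  [ -f "$_plan" ] || { echo "no planfile: $_plan" >&2; return 2; }
  printf '%s %s\n' "$_created" "$(plan_digest "$_plan")" > "$_plan.meta"
}

# "apply" step: return 0 only if the marker exists, the planfile is
# byte-identical to what was recorded, and it is within the age limit.
# $1 = planfile, $2 = max age in minutes
check_plan_fresh() {
  _plan=$1
  _max_min=$2
  [ -f "$_plan" ] && [ -f "$_plan.meta" ] || { echo "missing plan or marker" >&2; return 2; }
  read -r _created _digest < "$_plan.meta"
  case $_created in
    ''|*[!0-9]*) echo "corrupt marker" >&2; return 2 ;;
  esac
  if [ "$(plan_digest "$_plan")" != "$_digest" ]; then
    echo "planfile changed since the marker was written" >&2
    return 3
  fi
  _age=$(( $(date +%s) - _created ))
  # A negative age means a marker from the future (clock skew or editing).
  if [ "$_age" -lt 0 ] || [ "$_age" -gt $(( _max_min * 60 )) ]; then
    echo "plan is ${_age}s old; limit is ${_max_min} minutes" >&2
    return 4
  fi
}
```

A marker stored next to the planfile catches stale or accidentally regenerated plans, but anyone who can write the planfile can also rewrite the marker, so treat it as a workflow guard rather than a tamper-proof control.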
This builds on: Course foundation — first guardrail principles. This enables: IaC discipline (Chapter 02) — plan-before-apply extends to Terraform.