Roadmap: Container & Kubernetes Operations

1. Overview

This roadmap defines a container operations infrastructure for:

  • Containerized service deployment (Docker, Podman)

  • Kubernetes orchestration for production workloads

  • Container security scanning and policies

  • GitOps-based deployment workflows

  • Service mesh and observability

Containers are the foundation of modern infrastructure. This roadmap establishes patterns from single-host Docker to production Kubernetes, with emphasis on security and automation throughout.

2. Architecture Vision

Architecture diagram (D2 source):

direction: right

# Environments
dev: "Development" {
  shape: rectangle
  style.fill: "#313244"
  style.stroke: "#89b4fa"

  docker: "Docker Compose"
}

staging: "Staging" {
  shape: rectangle
  style.fill: "#313244"
  style.stroke: "#f9e2af"

  k3s: "k3s (single)"
}

prod: "Production" {
  shape: rectangle
  style.fill: "#313244"
  style.stroke: "#a6e3a1"

  k8s: "Kubernetes (HA)\n3 control + N workers"
}

dev -> staging -> prod

# Infrastructure
registry: "Registry" {
  shape: rectangle
  style.fill: "#45475a"
  style.stroke: "#cba6f7"

  harbor: "Harbor (private)"
  trivy: "Trivy scan"
}

gitops: "GitOps" {
  shape: rectangle
  style.fill: "#45475a"
  style.stroke: "#94e2d5"

  argo: "ArgoCD"
  flux: "FluxCD"
  ci: "GitLab CI"
}

obs: "Observability" {
  shape: rectangle
  style.fill: "#45475a"
  style.stroke: "#fab387"

  prom: "Prometheus"
  graf: "Grafana"
  loki: "Loki"
}

# Security & Network
security: "Security" {
  shape: rectangle
  style.fill: "#1e1e2e"
  style.stroke: "#f38ba8"

  opa: "OPA/Gatekeeper"
  falco: "Falco"
  rbac: "RBAC"
}

secrets: "Secrets" {
  shape: rectangle
  style.fill: "#1e1e2e"
  style.stroke: "#cba6f7"

  vault: "Vault"
  eso: "External Secrets Op"
}

network: "Network" {
  shape: rectangle
  style.fill: "#1e1e2e"
  style.stroke: "#89b4fa"

  cni: "Cilium CNI"
  np: "NetworkPolicy"
  ing: "Traefik Ingress"
}

3. Current State

Component            Status        Notes
Docker               OPERATIONAL   Single-host containerization
Podman               PARTIAL       Rootless containers tested
Kubernetes           PLANNED       k3s for home enterprise in scope
Container Registry   PLANNED       Harbor or registry:2
GitOps               REFERENCE     ArgoCD patterns in Codex
Security Scanning    PLANNED       Trivy, grype not deployed

4. Phase 1: Docker Mastery

4.1. Objectives

  • Production-grade Docker Compose patterns

  • Multi-stage builds for minimal images

  • Health checks and restart policies

  • Volume management and backup

4.2. Docker Best Practices

# Multi-stage build for minimal image
FROM golang:1.21-alpine AS builder
WORKDIR /app
COPY go.* ./
RUN go mod download
COPY . .
# Static binary with symbols stripped: runs on distroless without libc
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /app/server

# Runtime stage: no shell, no package manager, non-root user available
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app/server /server
USER nonroot:nonroot
EXPOSE 8080
# Exec form only: distroless has no /bin/sh, so a shell-form check
# (e.g. a trailing "|| exit 1") would fail on every probe
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s \
  CMD ["/server", "health"]
ENTRYPOINT ["/server"]
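A Docker Compose production template (tasks 1.2 and 1.3) that applies to the running container the same hardening the Dockerfile above applies to the image. This is an added example, not the project's own template; the registry path, the volume name and the /server health subcommand are assumptions.

```yaml
# docker-compose.prod.yml (added example; registry path, volume name and
# the "/server health" subcommand are assumptions)
services:
  myapp:
    image: harbor.example.internal/apps/myapp:1.0.0   # pinned tag, never :latest
    restart: unless-stopped          # survives daemon restarts, honours manual stops
    read_only: true                  # immutable root filesystem
    tmpfs:
      - /tmp                         # the only writable scratch space
    cap_drop:
      - ALL                          # a static Go binary needs no capabilities
    security_opt:
      - no-new-privileges:true       # no setuid escalation inside the container
    user: "65532:65532"              # distroless nonroot uid/gid
    ports:
      - "127.0.0.1:8080:8080"        # loopback only; a reverse proxy fronts it
    environment:
      APP_ENV: production
    volumes:
      - myapp-data:/data             # named volume, backed up from the host (task 1.4)
    healthcheck:
      test: ["CMD", "/server", "health"]   # exec form: distroless has no shell
      interval: 30s
      timeout: 3s
      retries: 3
      start_period: 10s
    deploy:
      resources:
        limits:                      # honoured by docker compose v2 without swarm
          cpus: "1.0"
          memory: 512M
    logging:
      driver: json-file
      options:
        max-size: "10m"              # bound disk usage of container logs
        max-file: "3"

volumes:
  myapp-data:
```

Validate with `docker compose -f docker-compose.prod.yml config` before deploying; a healthcheck that fails after start_period marks the container unhealthy, which `docker ps` and `docker inspect` expose for monitoring.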

4.3. Tasks

#     Task                                             Priority
1.1   Document multi-stage build patterns              HIGH
1.2   Create Docker Compose production template        HIGH
1.3   Implement container health checks                HIGH
1.4   Document volume backup procedures                MEDIUM
1.5   Create .dockerignore best practices              MEDIUM
1.6   Document in domus-linux-ops containers section   HIGH

4.4. Success Criteria

  • Docker patterns documented with examples

  • Multi-stage builds for all custom images

  • Health checks on all production containers

  • Volume backup automation

5. Phase 2: Rootless Containers (Podman)

5.1. Objectives

  • Rootless container execution

  • Podman-Docker compatibility

  • Systemd integration for services

  • Quadlet for declarative containers

5.2. Podman Advantages

Feature               Benefit
Rootless              Containers run without root privileges, reduced attack surface
Daemonless            No single point of failure
Systemd integration   Native service management
Docker-compatible     Same CLI, same images
Quadlet               Declarative systemd units

5.3. Tasks

#     Task                                               Priority
2.1   Document Podman rootless setup                     MEDIUM
2.2   Create Quadlet unit examples                       MEDIUM
2.3   Migrate select containers from Docker to Podman    LOW
2.4   Document podman-compose for multi-container apps   LOW

6. Phase 3: Kubernetes Foundation (k3s)

6.1. Objectives

  • Deploy k3s for home enterprise Kubernetes

  • Establish namespace organization

  • Configure persistent storage

  • Implement basic RBAC

6.2. k3s Deployment

# Single-node k3s installation
# --disable traefik: the bundled Traefik is replaced by the ingress deployed in task 3.4
# --write-kubeconfig-mode 644: /etc/rancher/k3s/k3s.yaml becomes readable by every
#   local user; on shared hosts keep the default 600 and hand out per-user kubeconfigs
curl -sfL https://get.k3s.io | sh -s - \
  --write-kubeconfig-mode 644 \
  --disable traefik \
  --tls-san k8s.inside.domusdigitalis.dev

# Verify installation
kubectl get nodes
kubectl get pods -A

6.3. Namespace Strategy

Namespace     Purpose                      Services
kube-system   Core Kubernetes components   CoreDNS, metrics-server
monitoring    Observability stack          Prometheus, Grafana, Loki
apps          Application workloads        Custom applications
ingress       Ingress controllers          Traefik, cert-manager
vault         Secrets management           Vault agent, external-secrets
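The namespace strategy and the "basic RBAC" objective of this phase, as one manifest: the apps namespace with Pod Security Admission labels, a default-deny NetworkPolicy (enforced by the Cilium CNI from the architecture diagram) and a deployer that is bound only inside that namespace. Added example, not the project's own manifests; the "apps-deployer" ServiceAccount name is an assumption.

```yaml
# apps namespace: PSA labels, default-deny network policy, namespace-scoped deployer
# (added example; the "apps-deployer" ServiceAccount name is an assumption)
apiVersion: v1
kind: Namespace
metadata:
  name: apps
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject root/privileged pods
---
# Deny all ingress and egress by default; each workload needs an explicit allow
# rule (including DNS egress to kube-system) before it can talk to anything
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: apps
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Deployer manages workloads inside apps only: no ClusterRoleBinding, no cluster-admin
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: apps-deployer
  namespace: apps
rules:
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]        # read-only; no pods/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: apps-deployer
  namespace: apps
subjects:
  - kind: ServiceAccount
    name: apps-deployer
    namespace: apps
roleRef:
  kind: Role
  name: apps-deployer
  apiGroup: rbac.authorization.k8s.io
```

Check the effective permissions with `kubectl auth can-i --list --as=system:serviceaccount:apps:apps-deployer -n apps`; the same command without `-n apps` should show nothing beyond the defaults every authenticated principal gets.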

6.4. Tasks

#     Task                                    Priority
3.1   Deploy k3s on dedicated VM              HIGH
3.2   Configure kubectl and kubeconfig        HIGH
3.3   Create namespace structure              HIGH
3.4   Deploy Traefik ingress controller       HIGH
3.5   Configure cert-manager with Vault PKI   MEDIUM
3.6   Document in new domus-container-ops     HIGH

6.5. Success Criteria

  • k3s cluster operational

  • Ingress serving HTTPS traffic

  • Certificates auto-issued via Vault

  • kubectl accessible from workstations

7. Phase 4: GitOps with ArgoCD

7.1. Objectives

  • Declarative application deployment

  • Git-based change management

  • Automated sync and drift detection

  • Multi-environment promotion

7.2. GitOps Architecture

Figure: ArgoCD GitOps Workflow
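The "automated sync and drift detection" objective expressed as an ArgoCD Application: automated sync with prune removes resources deleted from Git, and selfHeal reverts manual kubectl changes to the live cluster. Added example, not the project's own manifest; the repository URL, path and application name are assumptions.

```yaml
# ArgoCD Application for a staging deployment (added example; repo URL, path
# and application name are assumptions)
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp-staging
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io   # deleting the app also removes its resources
spec:
  project: default
  source:
    repoURL: https://gitlab.example.internal/infra/gitops.git
    targetRevision: main                       # promotion = merge into the tracked branch
    path: environments/staging/myapp
  destination:
    server: https://kubernetes.default.svc     # the cluster ArgoCD itself runs in
    namespace: apps
  syncPolicy:
    automated:
      prune: true      # resources removed from Git are deleted from the cluster
      selfHeal: true   # out-of-band kubectl edits are reverted (drift correction)
    syncOptions:
      - CreateNamespace=false   # namespaces are created separately with their PSA labels
```

With selfHeal enabled a hotfix applied with kubectl is reverted within the reconciliation interval, so every production change has to go through Git, which is what makes the deployment history auditable.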

7.3. Tasks

#     Task                                    Priority
4.1   Deploy ArgoCD to k3s cluster            MEDIUM
4.2   Create GitOps repository structure      MEDIUM
4.3   Configure ArgoCD with Keycloak SSO      MEDIUM
4.4   Create ApplicationSets for multi-env    LOW
4.5   Document GitOps patterns                MEDIUM

8. Phase 5: Container Security

8.1. Objectives

  • Image scanning with Trivy

  • Runtime security with Falco

  • Policy enforcement with OPA/Gatekeeper

  • RBAC hardening

8.2. Security Scanning Pipeline

# Scan image with Trivy
# Note: without --exit-code 1 trivy returns 0 even when findings exist,
# so the commands below report but do not gate a pipeline
trivy image --severity HIGH,CRITICAL myapp:latest

# Scan Kubernetes manifests for misconfigurations
trivy config --severity MEDIUM,HIGH,CRITICAL ./k8s/

# Scan running cluster
trivy k8s --report summary cluster

# Generate SBOM (SPDX JSON)
trivy image --format spdx-json -o sbom.json myapp:latest
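The scanning pipeline wired into GitLab CI (task 5.1, with GitLab CI from the architecture diagram): build once per commit, then fail the job on HIGH/CRITICAL findings while keeping the SBOM as an artifact. Added example, not the project's own pipeline; the $CI_* variables are GitLab's predefined ones and ./k8s/ is the manifest path used above.

```yaml
# .gitlab-ci.yml fragment: build once, then gate on Trivy findings
# (added example; $CI_* are GitLab predefined variables, ./k8s/ is the
# manifest directory from section 8.2)
stages: [build, scan]

variables:
  IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA   # immutable tag per commit, never :latest
  DOCKER_TLS_CERTDIR: "/certs"

build:
  stage: build
  image: docker:27
  services: [docker:27-dind]
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"

trivy-scan:
  stage: scan
  image:
    name: aquasec/trivy:latest   # pin to a release tag in production
    entrypoint: [""]             # the image's entrypoint is trivy itself
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER      # registry credentials read by trivy
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    # SBOM first, so it exists even when the gate below fails
    - trivy image --format spdx-json -o sbom.json "$IMAGE"
    # Misconfigurations in the manifests (privileged, missing limits, ...)
    - trivy config --exit-code 1 --severity HIGH,CRITICAL ./k8s/
    # Vulnerability gate: --ignore-unfixed skips findings with no patched version
    - trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$IMAGE"
  artifacts:
    when: always            # keep the SBOM from failed jobs too
    paths: [sbom.json]
```

Scanning the pushed digest rather than a local build keeps the gate honest: what was scanned is exactly what the GitOps repository will later reference.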

8.3. Tasks

#     Task                                                Priority
5.1   Implement Trivy scanning in CI/CD                   HIGH
5.2   Deploy Falco for runtime detection                  MEDIUM
5.3   Configure OPA Gatekeeper policies                   MEDIUM
5.4   Harden default RBAC (no cluster-admin)              HIGH
5.5   Document container security in domus-linux-ops     MEDIUM

8.4. Security Policies (Gatekeeper)

# Require resource limits
# The K8sRequiredResources ConstraintTemplate from gatekeeper-library must be
# installed first; this Constraint instantiates it for all Pods
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: require-resource-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    limits:
      - cpu
      - memory

9. Phase 6: Observability Stack

9.1. Objectives

  • Prometheus metrics collection

  • Grafana dashboards

  • Loki log aggregation

  • Alertmanager notifications

9.2. Tasks

#     Task                                       Priority
6.1   Deploy kube-prometheus-stack               MEDIUM
6.2   Create custom Grafana dashboards           LOW
6.3   Deploy Loki for log aggregation            LOW
6.4   Configure Alertmanager with Slack/email    LOW

10. Work Applicability

This roadmap directly supports work enterprise requirements:

  • Modernization: Container-first application deployment

  • Scalability: Kubernetes for production workloads

  • Security: Image scanning, runtime protection, policy enforcement

  • GitOps: Auditable, repeatable deployments

  • Observability: Full-stack monitoring and logging

Container patterns validated in the home enterprise carry over directly to enterprise Kubernetes deployments.

11. Revision History

Date         Author           Changes
2026-02-11   EvanusModestus   Initial roadmap from Aethelred-Codex patterns