| name | deployment-docker |
| description | Docker and containerization guidelines. Use when deployment docker guidance is required. |
| metadata | [object Object] |
Container Optimization Patterns
Base Image Selection and Management
Minimal Base Image Requirements
Execute lightweight, secure base image selection:
- Prefer alpine-based images for minimal footprint
- Use distroless images for maximum security
- Select official images with active maintenance
- Apply semantic versioning for image tags
Image versioning enforcement:
- Pin specific versions, avoid
latesttags - Use SHA digests for reproducible builds
- Implement automated base image updates
- Document version upgrade procedures
Multi-Stage Build Implementation
Execute optimized build process with multi-stage builds:
- Separate build and runtime environments
- Copy only necessary artifacts to final stage
- Use build caches for faster incremental builds
- Minimize layer count and size
Layer optimization strategies:
- Group related operations into single layers
- Order instructions by frequency of change
- Use
.dockerignoreto exclude unnecessary files - Leverage build cache effectively
Security Hardening Standards
Container Runtime Security
Execute non-root user implementation:
- Create and use dedicated service users
- Set appropriate file permissions
- Use
USERdirective in Dockerfile - Apply capability dropping for minimal privileges
Security scanning and validation:
- Integrate vulnerability scanning in CI/CD
- Apply security policies with tools like Trivy
- Fix critical vulnerabilities before deployment
- Implement image signing with Notary or Cosign
Secret Management Implementation
Execute external secret management:
- Use environment variables for configuration
- Implement secret management services (HashiCorp Vault, AWS Secrets Manager)
- Never bake secrets in container images
- Apply secret injection at runtime
Credential handling best practices:
- Rotate secrets regularly
- Use temporary credentials where possible
- Implement audit logging for secret access
- Apply principle of least privilege
Resource Management and Orchestration
Performance Optimization
Resource Limits Configuration
Set appropriate resource constraints:
- Define memory limits and reservations
- Configure CPU quotas and shares
- Set appropriate request/limit ratios
- Monitor resource utilization metrics
Health check implementation:
- Configure comprehensive health checks
- Use appropriate check intervals and timeouts
- Implement graceful degradation strategies
- Monitor application responsiveness
Container Orchestration Patterns
Execute Kubernetes deployment configuration:
- Use proper resource requests and limits
- Implement liveness and readiness probes
- Configure appropriate replica sets
- Apply pod disruption budgets
Service mesh integration:
- Implement service discovery mechanisms
- Use load balancing for high availability
- Apply circuit breakers for resilience
- Configure proper network policies
Deployment Pipeline Integration
CI/CD Container Build Pipeline
Execute automated build process:
- Integrate Docker builds in CI pipelines
- Implement automated testing in containers
- Use multi-environment deployment strategies
- Apply blue-green or canary deployments
Image registry management:
- Use private registries for sensitive images
- Implement proper access controls
- Configure image replication across regions
- Apply automated image cleanup policies
Environment Configuration
Execute configuration management:
- Use ConfigMaps for application configuration
- Implement environment-specific overrides
- Apply configuration validation
- Document configuration requirements
Data persistence strategies:
- Use persistent volumes for stateful applications
- Implement backup and restore procedures
- Configure proper volume mounting
- Apply data lifecycle management
Monitoring and Observability
Container Monitoring Implementation
Application Performance Monitoring
Execute container application instrumentation:
- Export application metrics via Prometheus
- Implement distributed tracing with Jaeger or Zipkin
- Configure log aggregation with ELK or Loki
- Set up alerting for critical metrics
Infrastructure monitoring:
- Monitor container resource usage
- Track container lifecycle events
- Implement cluster-level monitoring
- Use tools like cAdvisor and kube-state-metrics
Security Monitoring
Execute container security monitoring:
- Implement runtime security monitoring
- Monitor for unusual container behavior
- Apply security policies and controls
- Use Falco or similar tools for threat detection
Compliance and audit logging:
- Log all container access and modifications
- Implement audit trail for container operations
- Monitor compliance with security policies
- Generate regular security reports