# SteadyOps Kubernetes Production Evidence Checklist

Version: 1.1.0  
Last reviewed: 2026-07-12  
License: MIT

Canonical implementation guide: https://steadyops.best/articles/kubernetes-production-readiness-checklist/

This package helps a platform or SRE team move from “the manifests exist” to reviewable evidence that a Kubernetes workload can be released, disrupted, rolled back, observed, and recovered safely.

## Start here

1. Copy the files into a repository owned by the team operating the cluster.
2. Replace example namespaces, labels, domains, ports, owners, and thresholds.
3. Review every command and manifest against the deployed Kubernetes version and security model.
4. Run the validation exercises in stage or another production-like environment.
5. Store outputs, screenshots, timestamps, and follow-up tickets in the evidence location named by the team.
6. Repeat the checks after material changes to workloads, networking, storage, access, or release strategy.

## Package contents

| File | Purpose |
|---|---|
| `README.md` | Usage model and evidence index. |
| `pdb.yaml` | PodDisruptionBudget starting point for planned disruption. |
| `network-policy.yaml` | NetworkPolicy example that must be adapted to real traffic paths. |
| `service-monitor.yaml` | Prometheus Operator ServiceMonitor example. |
| `node-drain-test.md` | Controlled node-drain exercise and validation path. |
| `readiness-check.sh` | Read-only readiness inputs for review before a change. |
| `rollback-checklist.md` | Rollback ownership, stop conditions, commands, and post-rollback validation. |
| `CITATION.cff` | Versioned citation metadata for reuse and internal documentation. |

## Evidence areas

Use the package to collect evidence for:

- failure model and expected fault domains;
- replicas, requests, limits, PDB, topology, and graceful shutdown;
- readiness and liveness behavior under dependency degradation;
- SLOs, actionable alerts, logs, traces, Kubernetes events, and release markers;
- RBAC, service accounts, secrets, NetworkPolicy, and named production access;
- deployment strategy, migration compatibility, stop conditions, and rollback;
- backup, restore, secret recovery, and dependency recovery order;
- node-drain, failed-rollout, and recovery exercises;
- technical health plus a real customer-facing transaction.

## Evidence register

| Control | Configured | Tested | Result | Owner | Evidence | Next review |
|---|---|---|---|---|---|---|
| Node drain | | | | | | |
| PDB and topology | | | | | | |
| Probes and graceful shutdown | | | | | | |
| Rollback and migration compatibility | | | | | | |
| Backup and restore | | | | | | |
| SLO and alert path | | | | | | |
| Production access and NetworkPolicy | | | | | | |
| Critical business transaction | | | | | | |

## Safety boundaries

These files are conservative examples, not drop-in production configuration.

Before applying anything:

- confirm API versions and controller compatibility;
- review selectors so policies and monitors target the intended workloads;
- test NetworkPolicy in a controlled namespace before enforcing it broadly;
- confirm a PDB still permits required maintenance and emergency recovery;
- verify probes represent real serving ability and cannot create restart loops;
- keep database migrations backward-compatible with the rollback window;
- never treat a green `kubectl apply` as proof of production readiness.

## Related maintained resources

- Kubernetes rollback checklist: https://github.com/steadyops-best/kubernetes-rollback-checklist
- SteadyOps resource library: https://steadyops.best/resources/
- Kubernetes observability guide: https://steadyops.best/articles/kubernetes-observability-best-practices-for-sre-teams/
- Kubernetes rollback guide: https://steadyops.best/articles/kubernetes-rollback-checklist-for-production-deployments/
- Disaster recovery runbook: https://steadyops.best/articles/ha-dr-runbooks/

## Maintenance

Update the version and review date only when the package receives a meaningful technical change. Record environment-specific results outside this public package so credentials, internal topology, and customer data are not published.