The Problem
A new Kubernetes cluster goes from “demo working” to “production-ready” through a series of capabilities that aren’t visible in any individual feature. The cluster has them all, or it doesn’t. The people responsible for declaring “production-ready” (engineering leadership, security review, a customer’s procurement team) usually don’t have a shared definition of what those capabilities are.
That causes two failure modes:
- A cluster gets declared production-ready and isn’t. The first incident reveals that nothing was set up to recover. The team learns the gap the expensive way.
- A cluster gets blocked from production indefinitely because no two reviewers can agree on what’s missing. The launch slips by quarters.
The fix is a checklist. Not exhaustive. Concrete and scoreable.
The Approach
Five dimensions. Each has eight items. Each item scores 0, 1, or 2:
- 0. Not addressed.
- 1. Partially or informally addressed.
- 2. Fully addressed and operationally verified.
A score of 70+/80 across the dimensions is “production-ready.” 60-69 is “production-soft.” Below 60 is “demo.” The threshold is somewhat arbitrary. The score is what matters: a number leadership can use to compare clusters and track progress.
Dimension 1: Identity & Access
The cluster’s answer to “who can do what.”
- Cluster-level authentication source is an enterprise identity provider (OIDC, SAML), not static kubeconfigs.
- RBAC is least-privilege by default. No default-admin bindings. No
cluster-adminClusterRoleBindings to groups larger than a handful of platform engineers. - Service accounts are namespaced and tightly scoped. No application uses the
defaultservice account. - Workload identity (IRSA on EKS, Workload Identity on GKE, AAD Pod Identity on AKS) ties pod-level access to cloud IAM. No long-lived cloud credentials in cluster.
- Audit logging for the API server is on, shipped to a log-archive store outside the cluster, with at least 90-day retention.
- MFA enforced on the identity provider for any user with cluster access.
- Break-glass access is documented: who has it, how it’s used, how it’s audited after.
- No long-lived kubeconfigs issued to anyone. Access is short-lived and re-authenticated.
Dimension 2: Network
How traffic flows in, out, and between pods.
- NetworkPolicy enforcement enabled on the cluster (most clusters require an explicit CNI plugin choice for this).
- Default-deny network policy in every namespace; explicit allow rules for required traffic.
- Ingress controllers terminate TLS at the edge with managed certificates that auto-renew (cert-manager + ACME is standard).
- Egress controlled. Either a NAT gateway with logging, an egress proxy, or — for stricter postures — explicit egress NetworkPolicy.
- Service mesh or sidecar mTLS for service-to-service traffic in regulated environments. Not mandatory for non-regulated workloads.
- DNS policy doesn’t allow arbitrary external DNS. CoreDNS is configured with explicit forwarders.
- Load-balancer health checks properly configured (path, interval, threshold) — not the AWS default which often misses application-level health.
- No services exposed as LoadBalancer or NodePort without explicit review. Ingress is the only sanctioned external entry path.
Dimension 3: Workload Health
What happens when things start to fail.
- Every deployment has liveness and readiness probes, distinct from each other and not the default “/healthz returns 200” placeholder.
- Resource requests and limits set on every container. Not optional. Enforced via OPA/Gatekeeper or Kyverno.
- PodDisruptionBudgets on every production workload, set to allow at most 25% disruption.
- Horizontal Pod Autoscaler or KEDA configured for workloads with variable load.
- Anti-affinity rules prevent all replicas of a critical workload from landing on the same node.
- Quality of Service class is Guaranteed for critical workloads (requests = limits).
- Init containers have timeouts and are not used for arbitrary one-time setup that should be a Job.
- Graceful shutdown is implemented in application code. SIGTERM is handled; in-flight requests complete.
Dimension 4: Observability
What the operator can see during normal operation and during incidents.
- kube-state-metrics scraped by Prometheus or equivalent.
- Node-level metrics (node-exporter, kubelet) scraped.
- Application metrics exposed by every service, with at minimum the four Golden Signals (latency, traffic, errors, saturation).
- Centralized logging ships every container’s stdout/stderr to a queryable store with at least 30-day retention.
- Audit log retention beyond the centralized logging system (separate retention rule for security events).
- SLOs defined for every production service, with error budget tracking visible on a shared dashboard.
- Alerts route to a paging system with documented runbooks. Pages are tested quarterly.
- Tracing enabled for services in the request path (less critical for backend batch services).
Dimension 5: Recovery
What happens when the cluster, or a piece of it, fails entirely.
- etcd backups every 30 minutes, retained for 30 days, stored outside the cluster.
- Application data backed up via Velero or equivalent, with cross-region copies for regulated environments.
- Restore drill performed at least annually. Documented runbook with timestamps.
- Documented disaster-recovery posture. RTO and RPO targets stated, mapped to actual backup cadence.
- HA control plane. Managed services (EKS, GKE, AKS) provide this; self-managed clusters need explicit verification.
- Multi-AZ workload spread for production deployments via anti-affinity or topology spread constraints.
- Stateful workloads use StorageClasses with documented backup and snapshot policies.
- Cluster upgrade procedure documented and rehearsed. Last upgrade was within the support window of the current Kubernetes version.
The Template
Score your cluster row by row. Anywhere you can’t honestly score 2, write a one-line note explaining the gap and the planned remediation.
Total score: __ / 80
- 70-80: Production-ready. Document the score, the date, the cluster, and circulate to whoever needs to approve.
- 60-69: Production-soft. OK for non-customer-facing or non-regulated workloads. Not OK for the production workload your customers depend on.
- Below 60: Demo. Don’t run production traffic. Don’t put PHI on it. Don’t claim it as “production” in customer contracts.
The number you produce will feel low the first time. That’s the point. Most teams score around 50 on the first honest pass. The next quarter’s work is moving 50 to 70.
Operating Notes
Re-score every cluster every six months. Drift happens. Items that scored 2 become 1 because a person left, a process lapsed, a tool changed. The score is a leading indicator.
When a new cluster is built, the scorecard is part of the launch criteria. Cluster cannot host production traffic until the score is documented and approved. This creates an explicit gate that engineering, security, and product can all point at.
When a customer asks “is your platform production-grade?” — share the scorecard methodology, not the raw score. The methodology builds trust; the raw score gets weaponized in contract negotiations.