Infrastructure

Build small, secure container images with multi-stage builds, pinned slim bases, non-root users, cache-ordered layers, and no baked-in secrets.

Externalize Kubernetes config via ConfigMaps and treat Secrets as unencrypted base64 — encrypt at rest, tighten RBAC, and prefer external secret managers.

Run Kubernetes workloads with explicit resource requests/limits, health probes, hardened pod security, and safe rollout strategies.

Read config that varies between deploys from the environment and promote one immutable build artifact unchanged across every environment.