AI 7993 · Spring 2026 · Capstone complete

Project ID: 21-Enterprise Kubernetes Platform Engineering-IND Team 2

Enterprise Kubernetes Platform Engineering

12-week capstone: secure, observable, GitOps-driven computer vision on Kubernetes (CNCF certification track).

Kunal Shenoi
Job King
Jericho Tuazon
Abraham Dejene
Drew Patrick
12 Weeks
3 Certifications
20+ Labs Completed
5 Engineers
5 Microservices

Platform scope

Production-grade Kubernetes operations
GitOps automation with ArgoCD
Shift-left security with Trivy
Full observability stack

CKA · Admin
CKAD · Developer
CKS · Security

Platform first.
Applications next.
Security by design.

This capstone simulates a real enterprise Kubernetes environment: designed, deployed, secured, and operated end-to-end, with every phase aligned to the full CNCF certification track (CKA, CKAD, CKS).


Cluster Architecture & Operations

Multi-node clusters via kind, k3s, and EKS. Control plane inspection, namespace isolation, resource scheduling, and HPA-driven autoscaling.


Application Delivery

Helm-packaged microservices with rolling updates, zero-downtime deployments, liveness/readiness probes, and externalised config via ConfigMaps and Secrets.


GitOps with ArgoCD

Declarative, Git-driven deployments with automatic reconciliation. Drift detection and self-heal demonstrated live against manually edited cluster state.


Shift-Left Security

Trivy image scanning with CI exit-code gates, Sealed Secrets review, and manifest validation scripts blocking non-compliant deploys before any kubectl apply runs.


Observability Stack

Prometheus metrics collection and Grafana dashboards. HPA events, resource trends, and incident simulation with documented recovery procedures.


CI/CD Automation

GitHub Actions pipelines: checkout → YAML validate → Docker build → security scan → Helm deploy. Blocking gates enforce quality before any apply runs.

What We Built

Hands-on engineering across the full Kubernetes production stack: every skill listed was implemented, observed, and documented in lab.

CKA Phase · Weeks 1–6

Platform Engineering

Cluster Setup & kubectl

Bootstrapped multi-node kind clusters with custom config. Verified control plane health, inspected API server and DNS endpoints, and established kubeconfig contexts.

Namespaces & Isolation

Created namespace-scoped environments from YAML manifests and verified workload separation with kubectl exec and per-team kubeconfig contexts. Namespaces scope names, RBAC and quotas only; they are not a network boundary on their own, which is why the CKS phase adds NetworkPolicies on top.

Scheduling, Taints & Tolerations

Applied NoSchedule taints, confirmed pods remain Pending without matching tolerations, then added tolerations and observed placement. Used nodeSelector for additional control.

Horizontal Pod Autoscaler

Deployed Metrics Server, created an HPA targeting CPU utilisation, generated synthetic load inside pods, and confirmed automatic replica scale-up from the HPA event log. The target container must declare resources.requests.cpu: without a request the HPA reports the metric as unknown and never scales. On kind, Metrics Server also needs the --kubelet-insecure-tls flag because the node kubelets use self-signed certificates.

Troubleshooting

Diagnosed and resolved four failure scenarios: CrashLoopBackOff (bad entrypoint), ImagePullBackOff (invalid tag), Pending pod (resource exhaustion), and Service selector mismatch.

Rolling Updates & Rollback

Configured maxSurge: 1 / maxUnavailable: 0 so that a new pod must pass its readiness probe before an old one is terminated. Simulated a bad image deploy: the new pods never became Ready, so the old pods kept serving throughout. Recovered with kubectl rollout undo.
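
A Deployment that implements the rollout settings above, added here as an example and not the project's own manifest; the image, container port and health path are assumed. The readiness probe is what makes maxUnavailable: 0 meaningful: a container with no readiness probe is treated as Ready as soon as it starts, so a new image that starts but cannot serve would still take traffic.

```yaml
# Added example (not the project's manifest). Image, port and /health path are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: results-dashboard
  namespace: warehouse-cv
spec:
  replicas: 2
  selector:
    matchLabels:
      app: results-dashboard
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1          # at most one extra pod exists during the rollout
      maxUnavailable: 0    # an old pod is only removed once a new one is Ready
  template:
    metadata:
      labels:
        app: results-dashboard
    spec:
      containers:
        - name: dashboard
          image: ghcr.io/example/results-dashboard:1.2.0   # assumed image
          ports:
            - containerPort: 8080
          readinessProbe:              # gates traffic; without it every started container is "Ready"
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 3
            periodSeconds: 5
            failureThreshold: 3
          livenessProbe:               # restarts a wedged container; keep it looser than readiness
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 10
            failureThreshold: 3
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 256Mi
```

To reproduce the lab, push a tag that does not exist (kubectl set image deployment/results-dashboard dashboard=ghcr.io/example/results-dashboard:does-not-exist -n warehouse-cv), watch kubectl rollout status stall while the two original pods stay in service, then run kubectl rollout undo deployment/results-dashboard -n warehouse-cv and confirm with kubectl rollout history.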

CKAD Phase · Weeks 7–10

Application Delivery & GitOps

Helm Charts

Authored Helm charts parameterising image tag, replica count, and service type via values.yaml. Executed install, upgrade, and rollback, demonstrating the full release lifecycle across 4 revisions.

ConfigMaps & Secrets

Injected config via envFrom (a pod restart is needed to pick up changes) and via volume mounts (the kubelet refreshes the mounted files without a restart, except for subPath mounts, which are never updated). Previewed Secrets with kubectl create secret ... --dry-run=client -o yaml and inspected them with kubectl describe, which prints only the size of each value. Secret values are base64-encoded, not encrypted: anyone with get on Secrets can decode them, which is why credentials are sealed before being committed in the CKS phase.

Multi-Container Pods

Implemented sidecar log-reader pattern using emptyDir shared volume between nginx main app and busybox sidecar. Confirmed shared filesystem at runtime with pod showing 2/2 Ready.

GitHub Actions CI Pipeline

Built a four-stage pipeline: checkout → YAML syntax validation → Docker build → Helm deploy. Triggered on pull_request to main. Pipeline structure mirrors production GitOps workflows.

ArgoCD & GitOps

Deployed ArgoCD with an Application manifest pointing to the Git repo. Enabled auto-sync and self-heal. Introduced live drift via kubectl edit; ArgoCD detected and reverted it within seconds.

Image Scanning with Trivy

Scanned two container images for CRITICAL/HIGH CVEs. Used --exit-code 1 to block CI on critical findings, saving JSON audit output. Demonstrated warn-only vs. hard-gate comparison.
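
The pipeline and the Trivy gate described in the two entries above, as one added example workflow (not the project's own pipeline). It also carries the manifest validation steps the CKS phase describes (yamllint, Kustomize render, kubeconform). Assumed: manifests under k8s/overlays/dev, a Dockerfile under Docker/cv-inference, a Helm chart under charts/cv-inference, a base64-encoded kubeconfig stored as the KUBECONFIG repository secret, and pushing to GHCR. The two Trivy steps show the warn-only run (exit-code 0, full JSON report kept as an artifact) next to the hard gate (exit-code 1).

```yaml
# Added example workflow, not the project's own pipeline. Assumed paths:
# k8s/overlays/dev (Kustomize), Docker/cv-inference (Dockerfile),
# charts/cv-inference (Helm chart); assumed secret: KUBECONFIG (base64).
name: ci
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read
  packages: write        # needed only to push the scanned image to GHCR

env:
  IMAGE: ghcr.io/${{ github.repository }}/cv-inference

jobs:
  validate-build-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Lint and schema-check manifests
        run: |
          pip install yamllint
          yamllint -s k8s/
          kubectl kustomize k8s/overlays/dev > rendered.yaml
          go install github.com/yannh/kubeconform/cmd/kubeconform@latest
          # -ignore-missing-schemas keeps CRDs (SealedSecret, ServiceMonitor) from failing the check
          "$(go env GOPATH)/bin/kubeconform" -strict -summary -ignore-missing-schemas rendered.yaml

      - name: Build image
        run: docker build -t "$IMAGE:${{ github.sha }}" Docker/cv-inference

      # Warn-only pass: produces the full report and never fails the job
      - name: Trivy report
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          format: json
          output: trivy-report.json
          exit-code: '0'

      - uses: actions/upload-artifact@v4
        if: always()                        # keep the audit trail even when the gate fails
        with:
          name: trivy-report
          path: trivy-report.json

      # Hard gate: any CRITICAL or HIGH finding with a fix available fails the job
      - name: Trivy gate
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'

      - name: Push scanned image
        if: github.event_name == 'push'
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
          docker push "$IMAGE:${{ github.sha }}"

  deploy:
    needs: validate-build-scan           # skipped entirely when the gate fails
    if: github.event_name == 'push'      # PRs are validated and scanned, never deployed
    runs-on: ubuntu-latest
    environment: dev
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      - name: Helm deploy
        run: |
          echo "${{ secrets.KUBECONFIG }}" | base64 -d > kubeconfig
          chmod 600 kubeconfig
          export KUBECONFIG="$PWD/kubeconfig"
          helm upgrade --install cv-inference charts/cv-inference \
            --namespace warehouse-cv \
            --set image.repository="$IMAGE" \
            --set image.tag="${{ github.sha }}" \
            --atomic --timeout 5m        # roll back automatically if pods never become Ready
```

Two design choices worth keeping: the image is only pushed and deployed after the gate, so nothing that failed the scan ever reaches the registry, and the deploy job runs on push to main rather than on the pull request, so a fork cannot trigger a deployment. In a production pipeline, pin each third-party action to a commit SHA rather than a tag.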

CKS Phase · Weeks 11–12

Security Hardening & Observability

RBAC & Least Privilege

Provisioned dedicated ServiceAccounts per workload (trainer-sa, intake-sa, inference-sa, dashboard-sa). A namespace-scoped read-only Role + RoleBinding for the dashboard limits its API access to get/list/watch on pods, services, endpoints, and configmaps only: no Secrets, no write verbs, and no cluster-wide binding.
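
The dashboard's read-only grant as an added example (not the project's RBAC manifests); the ServiceAccount and resource names follow the text, the Role name is assumed.

```yaml
# Added example (not the project's manifest): least-privilege read access for the dashboard.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-sa
  namespace: warehouse-cv
automountServiceAccountToken: false   # pods that need the API opt in with automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # namespaced; a ClusterRole would leak across namespaces
metadata:
  name: dashboard-readonly
  namespace: warehouse-cv
rules:
  - apiGroups: [""]                   # core group only, never "*"
    resources: ["pods", "services", "endpoints", "configmaps"]
    verbs: ["get", "list", "watch"]   # read only; secrets are deliberately absent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-readonly
  namespace: warehouse-cv
subjects:
  - kind: ServiceAccount
    name: dashboard-sa
    namespace: warehouse-cv
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dashboard-readonly
```

Verify the boundary from the outside rather than reading the YAML back: kubectl auth can-i list pods -n warehouse-cv --as=system:serviceaccount:warehouse-cv:dashboard-sa should print yes, and the same command with get secrets, or with list pods -n kube-system, should print no. kubectl auth can-i --list --as=system:serviceaccount:warehouse-cv:dashboard-sa -n warehouse-cv shows the complete effective grant.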

NetworkPolicies

Default-deny ingress for all pods in warehouse-cv, with explicit allow rules for ingress-nginx → services and approved app-to-app paths only, applied through the dev overlay so that no pod is reachable unless a rule names it. NetworkPolicy is enforced by the CNI plugin, not by the API server: older kind releases' default CNI did not implement it at all, so enforcement should be confirmed empirically with a connection attempt from a pod that is not on the allow list, not by reading the policy back.
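
The default-deny policy with the allow rules for the three services, as an added example and not the project's overlay. The pod labels (app: ...), the label on the ingress-nginx controller pods and the container port 8080 are assumed; the traffic paths follow the service descriptions on this page (dashboard proxies the intake stream and polls inference; inference fetches frames from intake).

```yaml
# Added example (not the project's manifests). Pod labels, the ingress-nginx
# controller label and port 8080 are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: warehouse-cv
spec:
  podSelector: {}            # selects every pod in the namespace
  policyTypes: ["Ingress"]   # no ingress rules listed, so nothing may connect in
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-nginx-to-dashboard
  namespace: warehouse-cv
spec:
  podSelector:
    matchLabels:
      app: results-dashboard
  policyTypes: ["Ingress"]
  ingress:
    - from:
        # namespaceSelector AND podSelector in a single element: only the controller
        # pods in ingress-nginx, not every pod that happens to live in that namespace
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-intake
  namespace: warehouse-cv
spec:
  podSelector:
    matchLabels:
      app: footage-intake
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: cv-inference        # fetches frames for detection
        - podSelector:
            matchLabels:
              app: results-dashboard   # proxies the video stream
      ports:
        - protocol: TCP
          port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dashboard-to-inference
  namespace: warehouse-cv
spec:
  podSelector:
    matchLabels:
      app: cv-inference
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: results-dashboard   # the only caller of POST /detect
      ports:
        - protocol: TCP
          port: 8080
```

Test it both ways: from the dashboard pod, kubectl exec ... -- wget -qO- --timeout=3 http://cv-inference:8080/health should succeed, while the same request from the footage-intake pod should time out. Two follow-ups a practitioner hits immediately: Prometheus runs in the monitoring namespace, so the ServiceMonitor scrapes start failing under this default-deny until a rule allows ingress from that namespace on the metrics port, and the CronJob in the same namespace is unaffected because only ingress is restricted here (add an Egress policy type if outbound traffic should also be constrained).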

Pod Security Standards

Pod Security Admission labels (restricted) applied to the application namespace. All workloads enforce runAsNonRoot, explicit UID 1000, seccompProfile: RuntimeDefault, and dropped all capabilities with privilege escalation disabled.
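
The namespace labels and a pod spec that satisfies the restricted profile as described above, added as an example rather than the project's manifests; image, port and the use of an emptyDir for scratch space are assumed.

```yaml
# Added example (not the project's manifests). Image and port are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: warehouse-cv
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject non-compliant pods
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted      # also warn the kubectl user
    pod-security.kubernetes.io/audit: restricted     # and record violations in the audit log
---
apiVersion: v1
kind: Pod
metadata:
  name: footage-intake-check
  namespace: warehouse-cv
spec:
  serviceAccountName: intake-sa
  automountServiceAccountToken: false   # the app never calls the API, so no token in the pod
  securityContext:                      # pod level, inherited by every container
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: intake
      image: ghcr.io/example/footage-intake:1.0.0   # assumed image
      ports:
        - containerPort: 8080
      securityContext:                  # container level: restricted checks these per container
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true    # not required by restricted, but removes a whole class of tampering
      volumeMounts:
        - name: tmp
          mountPath: /tmp               # writable scratch for the Flask app
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          memory: 256Mi
  volumes:
    - name: tmp
      emptyDir: {}
```

Before turning enforcement on in a namespace that already has workloads, preview the impact with kubectl label --dry-run=server --overwrite ns warehouse-cv pod-security.kubernetes.io/enforce=restricted, which lists every existing pod that would be rejected. Removing any one of the four required settings (for instance allowPrivilegeEscalation: false) makes kubectl apply --dry-run=server fail with a message of the form violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false, which is the check the CI pipeline should be running before merge.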

Sealed Secrets

Cluster credentials are delivered as SealedSecret resources: values are encrypted with the controller's public key, committed to Git, and decrypted only by the in-cluster controller, which holds the private key. The setup script interactively reseals when it detects the placeholder sentinel, so credential rotation is an explicit, auditable step. The controller's private key (a Secret in kube-system) must be backed up out of band: a rebuilt cluster generates a new key and cannot decrypt the values already committed.

Prometheus & Grafana

kube-prometheus-stack deployed via Helm. ServiceMonitor configured for the application namespace. Grafana dashboard provisioned via ConfigMap. System ingress exposes Prometheus and Grafana at dedicated internal hostnames.

Drift Protection & CI Validation

ArgoCD auto-sync with prune, self-heal, and foreground prune propagation (dependents are deleted before their owner) reverts any drift within the reconciliation interval rather than merely reporting it. The CI pipeline validates YAML with yamllint, renders the Kustomize overlays, and runs kubeconform on all rendered output before a change can merge.

Warehouse CV Platform

The capstone culminated in a fully deployed warehouse computer-vision pipeline: three Flask microservices running YOLO detection, managed entirely through GitOps.


footage-intake

Serves camera frame data from local image files. Exposes /stream, /frame, and /health. HPA maintains minimum two replicas.


cv-inference

Fetches frames from intake and runs YOLO object detection. Returns JSON detections via POST /detect. Sealed credentials for model registry access.


results-dashboard

Web UI that proxies the video stream and polls inference for live detections. Exposed at dashboard.warehouse-cv.internal via NGINX ingress.


model-finetune

Nightly CronJob for GPU-backed YOLO fine-tuning. Mounts a 20Gi PVC for model artifacts and consumes sealed object-store credentials. Scheduled for GPU nodes.
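
The CronJob and its PVC as an added example (not the project's manifest), which also shows the taint/toleration placement described in the CKA scheduling lab: the pod carries a toleration for the GPU taint and a nodeSelector so it lands only on the GPU pool. The node label, the taint key, the image, the schedule time and the Secret name are assumed; the 20Gi size and the ServiceAccount name are from the page.

```yaml
# Added example (not the project's CronJob). GPU node label, taint key, image,
# schedule and secret name are assumed; 20Gi and trainer-sa are from the page.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: model-artifacts
  namespace: warehouse-cv
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 20Gi
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: model-finetune
  namespace: warehouse-cv
spec:
  schedule: "0 2 * * *"             # nightly at 02:00 cluster time (assumed)
  concurrencyPolicy: Forbid         # never run two trainings against the same PVC
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      activeDeadlineSeconds: 14400  # kill a runaway run after 4h
      template:
        spec:
          serviceAccountName: trainer-sa
          automountServiceAccountToken: false
          restartPolicy: Never
          nodeSelector:
            accelerator: nvidia-gpu         # assumed label on the GPU node pool
          tolerations:
            - key: nvidia.com/gpu           # assumed NoSchedule taint on the GPU nodes;
              operator: Exists              # without this toleration the pod stays Pending
              effect: NoSchedule
          securityContext:                  # keeps the job admissible under the restricted profile
            runAsNonRoot: true
            runAsUser: 1000
            fsGroup: 1000
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: finetune
              image: ghcr.io/example/model-finetune:1.0.0   # assumed image
              resources:
                requests:
                  cpu: "4"
                  memory: 16Gi
                limits:
                  memory: 16Gi
                  nvidia.com/gpu: 1         # requires the NVIDIA device plugin on the node
              envFrom:
                - secretRef:
                    name: object-store-credentials   # the Secret the Sealed Secrets controller unseals
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              volumeMounts:
                - name: artifacts
                  mountPath: /artifacts
          volumes:
            - name: artifacts
              persistentVolumeClaim:
                claimName: model-artifacts
```

To exercise it without waiting for 02:00, run kubectl create job --from=cronjob/model-finetune finetune-manual -n warehouse-cv; if the pod stays Pending, kubectl describe pod shows whether the taint, the nodeSelector or the nvidia.com/gpu resource is the unsatisfied constraint.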


GitOps Delivery

Two ArgoCD applications sync from Kustomize overlays: warehouse-cv-dev and warehouse-cv-addons-dev. Auto-sync, prune, and self-heal enforce Git as the sole source of truth.
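
One of the two Applications with the sync policy described here and in the drift-protection entry above (prune, self-heal, foreground prune propagation), added as an example and not the project's gitops/ manifests, which the repository tree lists as ApplicationSets. The repository URL, the overlay path and the project name are assumed.

```yaml
# Added example (not the project's manifest). repoURL, path and project are assumed.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: warehouse-cv-dev
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io   # deleting the Application also removes its resources
spec:
  project: default
  source:
    repoURL: https://github.com/example/k8s-enterprise-capstone-team2.git   # assumed
    targetRevision: main
    path: k8s/overlays/dev                      # assumed Kustomize overlay path
  destination:
    server: https://kubernetes.default.svc
    namespace: warehouse-cv
  syncPolicy:
    automated:
      prune: true        # resources removed from Git are removed from the cluster
      selfHeal: true     # live edits (kubectl edit/scale) are reverted to the Git state
      allowEmpty: false  # refuse to sync a revision that would delete everything
    syncOptions:
      - PrunePropagationPolicy=foreground   # dependents are deleted before their owner
      - CreateNamespace=true
      - ServerSideApply=true
      - RespectIgnoreDifferences=true
    retry:
      limit: 3
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
  ignoreDifferences:
    - group: apps
      kind: Deployment
      name: footage-intake
      jsonPointers:
        - /spec/replicas   # owned by the HPA, not by Git
```

The drift demo from the CKAD phase is kubectl scale deployment/results-dashboard -n warehouse-cv --replicas=5 followed by watching kubectl get application warehouse-cv-dev -n argocd -o jsonpath='{.status.sync.status}' flip to OutOfSync and back to Synced as self-heal reverts it. The ignoreDifferences entry matters for footage-intake: its replica count is driven by an HPA, so if Git pins spec.replicas, self-heal and the HPA fight each other indefinitely; either omit replicas from the manifest or ignore that field as shown.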


One-Command Bootstrap

A single interactive script handles preflight checks, kind cluster creation, Sealed Secrets, ArgoCD, ingress-nginx, and kube-prometheus-stack: from zero to a fully synced cluster.

Namespaces
warehouse-cv    # footage-intake · cv-inference · results-dashboard · model-finetune
argocd          # GitOps controller: auto-sync, prune, self-heal
ingress-nginx   # North-south traffic, internal hostname routing
monitoring      # kube-prometheus-stack · ServiceMonitor · Grafana dashboard
kube-system     # Sealed Secrets controller

Stack Overview

The platform layers cluster infrastructure, application delivery, security controls, and observability into a cohesive production environment.

Cluster Infrastructure

kind k3s EKS NGINX Ingress

Application Layer

Frontend Backend Worker Helm Charts

CI/CD & GitOps

GitHub Actions ArgoCD Trivy

Security Controls

RBAC NetworkPolicy Pod Security Sealed Secrets

Observability

Prometheus Grafana Metrics Server

Focus Area                   CKA   CKAD   CKS
Cluster Architecture          ●
Namespaces & Quotas           ●
Scheduling & Resources        ●
Troubleshooting               ●
Application Deployment        ●
ConfigMaps & Secrets          ●     ●
Scaling & Probes              ●     ●
CI/CD & GitOps                      ●
RBAC & NetworkPolicy                       ●
Pod Security & Scanning                    ●
Monitoring & Observability                 ●

12-Week Journey

Structured to mirror real Kubernetes industry adoption: platform fundamentals first, application patterns next, security hardening last.

Weeks 01–02 · CKA

Kubernetes Foundations

Cluster setup with kind, kubectl fundamentals, namespaces, context switching, and basic Deployment + Service patterns.

Working cluster with namespaced environments

Weeks 03–04 · CKA

Cluster Operations & Troubleshooting

Resource requests/limits, taints, tolerations, HPA, and debugging CrashLoopBackOff, ImagePullBackOff, and selector mismatches.

Resource isolation policies + troubleshooting report

Weeks 05–06 · CKA

Application Deployment Phase

ConfigMaps and Secrets injection, liveness and readiness probes, rolling updates with maxUnavailable: 0, and rollback workflows.

Stable app deployments · CKA Exam Target

Weeks 07–08 · CKAD

Application Patterns & CI/CD

Helm chart packaging, multi-container sidecar pods, GitHub Actions CI pipeline, and Blue-Green/Canary deployment strategies.

Helm-packaged apps + automated CI pipeline

Weeks 09–10 · CKAD

GitOps & Application Security

ArgoCD auto-sync and self-heal, Trivy image scanning with CI gates, Sealed Secrets review, and manifest validation scripts.

GitOps pipeline · CKAD Exam Target

Weeks 11–12 · CKS

Security & Observability

Least-privilege RBAC, scoped ServiceAccounts, NetworkPolicies, Pod Security Standards (restricted), Sealed Secrets, Prometheus + Grafana, and ArgoCD drift protection.

Warehouse CV platform: fully deployed ✓

Milestone Outputs

Each phase closes with a concrete, demonstrable deliverable mapped to CNCF certification objectives.

Codebase Structure

All manifests, Helm charts, CI configs, and lab logs are version-controlled in a single monorepo.

k8s-enterprise-capstone-team2/
├── docs/           # Architecture diagrams and security models
├── Docker/         # Service Dockerfiles and image build script
├── k8s/            # Manifests: Base, Overlays, RBAC
├── gitops/         # ArgoCD ApplicationSets
├── monitoring/     # Prometheus + Grafana configs
├── scripts/        # cluster-setup.sh bootstrap script
└── labs/           # Weekly milestone logs

The Engineers

Five engineers building production-grade Kubernetes infrastructure and working toward CNCF certification.

Kunal Shenoi · Team Lead · Developer
Job King · kind & EKS · Validation
Jericho Tuazon · Developer
Abraham Dejene · Developer
Drew Patrick · Developer

Advisor / Instructor: Arthur Choi · Industry Sponsor: Sudheer Amgothu