The latest articles on Forem by Akshat Sinha (@pingtoprod). https://forem.com/pingtoprod https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3906571%2F6ceb4b97-48d7-48ac-94d5-88ee21b67386.png https://forem.com/pingtoprod en Akshat Sinha Tue, 12 May 2026 10:08:31 +0000 https://forem.com/pingtoprod/when-coredns-falls-silent-a-kubernetes-dns-disaster-story-the-playbook-that-saved-us-5dek https://forem.com/pingtoprod/when-coredns-falls-silent-a-kubernetes-dns-disaster-story-the-playbook-that-saved-us-5dek <p><em>A real-world incident narrative + definitive best practices for CoreDNS at scale</em></p> <h2> Prologue: The Calm Before the Storm </h2> <p>The cluster was healthy. 312 pods spread across 24 nodes. CoreDNS two replicas, default settings, humming along since the cluster was provisioned eighteen months ago. Nobody had touched it. Nobody <em>needed</em> to touch it.</p> <p>Until the Wednesday nobody expected.</p> <h2> Chapter 1 The Incident: "Why Is Payment Timing Out?" </h2> <p>It started with a Slack ping at 11:42 PM.</p> <blockquote> <p><strong>@oncall-alert</strong> <code>[CRITICAL]</code> Payment service unreachable circuit breaker open on checkout-gateway</p> </blockquote> <p>I SSH'd into the jump box. First instinct: <code>kubectl get pods</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl get pods -n production | grep payment payment-svc-8d4f6b7c-x2k9m 1/1 Running 0 45d order-processor-6c8d9f4-x7q2w 1/1 Running 0 45d </code></pre> </div> <p>All pods running. All healthy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl get svc -n production NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) payment-service ClusterIP 10.102.144.200 &lt;none&gt; 8080/TCP order-processor ClusterIP 10.102.145.88 &lt;none&gt; 8080/TCP </code></pre> </div> <p>Services exist. IPs assigned. Then I did the obvious:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl exec -it payment-svc-8d4f6b7c-x2k9m -n production -- curl -s http://10.102.145.88:8080/health {"status":"ok"} $ kubectl exec -it payment-svc-8d4f6b7c-x2k9m -n production -- nslookup order-processor.production.svc.cluster.local ;; connection timed out; no servers could be reached </code></pre> </div> <p><strong>IP works. DNS doesn't.</strong></p> <p>The entire payment pipeline was dead not because services were down, but because pods couldn't <em>find</em> each other by name. Every microservice call that relied on DNS resolution was failing. Idempotency queues were backing up. Retry storms were starting. It was 15 minutes before we declared it an SEV-2.</p> <h2> Chapter 2 The Interrogation: What Is CoreDNS Doing? </h2> <h3> 2.1 Logging Into CoreDNS </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl logs <span class="nt">-n</span> kube-system <span class="nt">-l</span> k8s-app<span class="o">=</span>kube-dns <span class="nt">--tail</span><span class="o">=</span>200 </code></pre> </div> <p>The errors were telling:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[ERROR] plugin/kubernetes: Get "https://10.96.0.1:443/api/v1/namespaces/production/services/order-processor": context deadline exceeded (Client.Timeout exceeded while awaiting headers) [ERROR] plugin/forward: 2 errors occurred: * read udp 10.244.1.8:53291-&gt;8.8.8.8:53: i/o timeout * read udp 10.244.1.8:38472-&gt;8.8.4.4:53: i/o timeout </code></pre> </div> <p><strong>Two problems screaming simultaneously:</strong></p> <ol> <li><p>CoreDNS couldn't talk to the Kubernetes API server fast enough (internal lookups failing)</p></li> <li><p>CoreDNS couldn't reach upstream DNS (external lookups timing out)</p></li> </ol> <h3> 2.2 Checking CoreDNS Health </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get pods <span class="nt">-n</span> kube-system <span class="nt">-l</span> k8s-app<span class="o">=</span>kube-dns NAME READY STATUS RESTARTS AGE coredns-5d78c9fd5d-4kx2m 1/1 Running 0 182d coredns-5d78c9fd5d-9vr3j 1/1 Running 0 182d </code></pre> </div> <p>Pods were "Running." But running doesn't mean performing.</p> <h3> 2.3 Measuring the Damage </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># From a pod external DNS resolution</span> <span class="nv">$ </span><span class="nb">time </span>nslookup google.com Server: 10.96.0.10 Address: 10.96.0.10#53 <span class="p">;;</span> connection timed out<span class="p">;</span> no servers could be reached <span class="p">;;</span> → Total: 5 seconds of waiting, <span class="k">then </span>failure </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Internal resolution same story</span> <span class="nv">$ </span><span class="nb">time </span>nslookup order-processor.production.svc.cluster.local Server: 10.96.0.10 Address: 10.96.0.10#53 <span class="p">;;</span> connection timed out<span class="p">;</span> no servers could be reached </code></pre> </div> <p>Normal DNS resolution should take <strong>1–5 milliseconds</strong>. We were at <strong>5 seconds (timeout)</strong> or complete failure.</p> <h3> 2.4 CPU Throttling The Hidden Killer </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl top pods <span class="nt">-n</span> kube-system <span class="nt">-l</span> k8s-app<span class="o">=</span>kube-dns NAME CPU<span class="o">(</span>cores<span class="o">)</span> MEMORY<span class="o">(</span>bytes<span class="o">)</span> coredns-5d78c9fd5d-4kx2m 97m 168Mi coredns-5d78c9fd5d-9vr3j 95m 172Mi </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get deployment coredns <span class="nt">-n</span> kube-system <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.spec.template.spec.containers[0].resources}'</span> <span class="o">{</span><span class="s2">"limits"</span>:<span class="o">{</span><span class="s2">"cpu"</span>:<span class="s2">"100m"</span>,<span class="s2">"memory"</span>:<span class="s2">"170Mi"</span><span class="o">}</span>,<span class="s2">"requests"</span>:<span class="o">{</span><span class="s2">"cpu"</span>:<span class="s2">"75m"</span>,<span class="s2">"memory"</span>:<span class="s2">"70Mi"</span><span class="o">}}</span> </code></pre> </div> <p><strong>97m usage against 100m limit.</strong> Three millicores of headroom for a Go binary handling hundreds of queries per second. CoreDNS was CPU-throttled nearly continuously.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Confirmed: throttling counters through the roof</span> kubectl debug <span class="nt">-it</span> <span class="nt">-n</span> kube-system coredns-5d78c9fd5d-4kx2m <span class="nt">--image</span><span class="o">=</span>busybox <span class="nt">--target</span><span class="o">=</span>coredns <span class="nt">--</span> <span class="nb">cat</span> /sys/fs/cgroup/cpu.stat nr_throttled 14832 throttled_time 294812005 <span class="c"># → 4.9 MINUTES of throttled time per minute!</span> </code></pre> </div> <p>The Go scheduler was starving. Goroutines queued, DNS queries backed up, timeouts cascaded.</p> <h3> 2.5 The <code>ndots</code> Multiplier </h3> <p>Let's talk about the silent multiplier. Every pod in Kubernetes has a default DNS config inherited from the kubelet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">dnsConfig</span><span class="pi">:</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ndots</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">5"</span> <span class="na">searches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">default.svc.cluster.local</span> <span class="pi">-</span> <span class="s">svc.cluster.local</span> <span class="pi">-</span> <span class="s">cluster.local</span> <span class="pi">-</span> <span class="s">eu-west-1.compute.internal</span> </code></pre> </div> <p><code>ndots: 5</code> is a <em>threshold</em>, not a queue. Here's how it actually works:</p> <ul> <li><p>If a hostname has <strong>fewer than N dots</strong>, the resolver <strong>prepends search domains first</strong>, then tries the name as-is only if none of those succeed.</p></li> <li><p>If a hostname has <strong>N dots or more</strong>, the resolver <strong>tries it as an absolute name first</strong>, then falls through to search domains if it fails.</p></li> </ul> <p>So with <code>ndots: 5</code>, when our application calls <code>api.stripe.com</code> (which has 2 dots fewer than 5):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Attempt</th> <th>Query Sent</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>1</td> <td><code>api.stripe.com.default.svc.cluster.local</code></td> <td>NXDOMAIN</td> </tr> <tr> <td>2</td> <td><code>api.stripe.com.svc.cluster.local</code></td> <td>NXDOMAIN</td> </tr> <tr> <td>3</td> <td><code>api.stripe.com.cluster.local</code></td> <td>NXDOMAIN</td> </tr> <tr> <td>4</td> <td><code>api.stripe.com.eu-west-1.compute.internal</code></td> <td>NXDOMAIN</td> </tr> <tr> <td>5</td> <td><code>api.stripe.com</code></td> <td>Resolved</td> </tr> </tbody> </table></div> <p><strong>5 queries for 1 hostname.</strong> With 312 pods × average 8 external calls per startup = <strong>12,480 DNS queries</strong> hitting CoreDNS. With <code>ndots: 2</code>, that's <strong>2,496 queries</strong>. An <strong>80% amplification</strong> caused by one setting.</p> <blockquote> <p><strong>Why</strong> <code>ndots: 2</code> <strong>is the right production value:</strong> Internal Kubernetes service names follow the pattern <code>service.namespace.svc.cluster.local</code> that's at minimum 2 dots (<code>payment-service.production</code>). With <code>ndots: 2</code>, names with 2+ dots are tried as absolute first (which is correct for FQDNs), while short names like <code>order-processor</code> still get search domains prepended. External hostnames like <code>api.stripe.com</code> (2 dots) are tried absolute first no search domain penalty.</p> </blockquote> <h2> Chapter 3 The Diagnosis: Five Problems At Once </h2> <p>We'd found the killers. Not one, but five compounding failures:</p> <blockquote> <p><strong>Here's how these five problems compounded each other:</strong><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────┐ │ COREDNS FAILURE CHAIN │ │ │ │ 1. ndots: 5 → 5x query amplification on externals │ │ ↓ │ │ 2. No node-local → Every query traverses the network │ │ cache to reach CoreDNS pods │ │ ↓ │ │ 3. Resources too → 97m/100m CPU = constant throttling │ │ tight → goroutines back up │ │ ↓ │ │ 4. Cache exhausted → Under load, cache evicts entries, │ │ under memory misses spike, more upstream queries │ │ ↓ │ │ 5. Static replica → No autoscaling, no PDB │ │ count → Single point of failure │ │ │ │ Result: 5s timeouts → Circuit breakers trip → OUTAGE │ └─────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Chapter 4 The Fix: Step by Step </h2> <p>We applied fixes in strict order each one built on the previous. Changing five things simultaneously is how you create a new mystery.</p> <h3> Step 1: Set <code>ndots: 2</code> 80% Load Reduction in 5 Minutes </h3> <p><strong>The mechanism, stated precisely:</strong> With <code>ndots: 2</code>, any name with 2 or more dots is tried as an absolute name first (before search domains are appended). Names with fewer than 2 dots still use the search list first. In practice, this means:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Name</th> <th>Dots</th> <th>Behavior under <code>ndots: 2</code> </th> </tr> </thead> <tbody> <tr> <td><code>order-processor</code></td> <td>0</td> <td>Search domains prepended first: <code>order-processor.default.svc.cluster.local</code> → resolves</td> </tr> <tr> <td><code>order-processor.prod</code></td> <td>1</td> <td>Search domains prepended first: <code>order-processor.prod.default.svc.cluster.local</code> → resolves</td> </tr> <tr> <td><code>order-processor.production.svc</code></td> <td>2</td> <td>Tried as absolute first (2 ≥ 2) → resolves or falls through to search list</td> </tr> <tr> <td><code>api.stripe.com</code></td> <td>2</td> <td>Tried as absolute first (2 ≥ 2) → resolves immediately on direct lookup</td> </tr> <tr> <td><code>api.example.com</code></td> <td>2</td> <td>Tried as absolute first → resolves directly, no search domain penalty</td> </tr> </tbody> </table></div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Pod-level configuration</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">dnsPolicy</span><span class="pi">:</span> <span class="s">ClusterFirst</span> <span class="na">dnsConfig</span><span class="pi">:</span> <span class="na">options</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ndots</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> </code></pre> </div> <p>To enforce <code>ndots: 2</code> cluster-wide without editing every single Deployment YAML, you must use a <code>Mutating Admission Webhook</code> (like Kyverno or OPA Gatekeeper) to inject the dnsConfig block into pods as they are created.</p> <p><strong>Impact measurement:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Before: 312 pods × 8 calls × 5 retries = 12,480 external queries/min After: 312 pods × 8 calls × 1 direct = 2,496 external queries/min Reduction: 80% </code></pre> </div> <h3> Step 2: Deploy NodeLocal DNSCache The Game Changer </h3> <p>Before you deploy the manifest, understand what changes architecturally:</p> <p><strong>What it is:</strong> A lightweight CoreDNS cache instance running as a DaemonSet on <strong>every node</strong>, bound to the link-local IP <code>169.254.20.10</code>. Pods resolve DNS locally instead of sending queries across the cluster to CoreDNS pods.</p> <p><strong>The architecture shift:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>BEFORE (today): ┌─────┐ ┌──────────────────────────────────────┐ │ Pod A│───▶│ kube-dns Service (ClusterIP: 10.96.0.10) │ └─────┘ └───────────┬──────────────────────────┘ │ ┌───────────▼───────────┐ │ CoreDNS Pod (Node 3) │──▶ Upstream (8.8.8.8) │ CoreDNS Pod (Node 7) │──▶ Upstream (8.8.4.4) └───────────────────────┘ ↑ Network hop on EVERY query Cross-node traffic CoreDNS pods are the bottleneck AFTER (with NodeLocal DNSCache): ┌─────┐ ┌──────────────────────┐ │ Pod A│───▶│ Node Cache (169.254.20.10) │───▶ Cache hit → instant └─────┘ │ (same node) │ └───────────┬──────────┘ │ (only on cache miss) ┌───────────▼───────────┐ │ CoreDNS Pod (any node)│──▶ Upstream (8.8.8.8) └───────────────────────┘ No cross-node traffic for cached queries CoreDNS load drops ~90% </code></pre> </div> <p><strong>Why this matters:</strong> For a large cluster, the majority of DNS queries are for services that haven't changed recently and can be cached. By keeping the cache local, you eliminate the network round-trip <em>and</em> reduce CoreDNS load simultaneously.</p> <p><strong>Deployment steps:</strong></p> <p><strong>Step 2a: Test on a subset of nodes first (rollback safety)</strong></p> <p>Before deploying cluster-wide, validate on a small canary node group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Can beary subset deploy to specific nodes first</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DaemonSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nodelocaldns</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">k8s-app</span><span class="pi">:</span> <span class="s">kube-dns</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">k8s-app</span><span class="pi">:</span> <span class="s">kube-dns</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">k8s-app</span><span class="pi">:</span> <span class="s">kube-dns</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">priorityClassName</span><span class="pi">:</span> <span class="s">system-node-critical</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">nodelocaldns</span> <span class="na">hostNetwork</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">dnsPolicy</span><span class="pi">:</span> <span class="s">Default</span> <span class="na">tolerations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">Exists</span> <span class="c1"># RESTRICT TO CANARY NODES FIRST:</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">node-role</span><span class="pi">:</span> <span class="s">worker-canary</span> <span class="c1"># Label only your test nodes</span> <span class="c1"># Once validated, remove nodeSelector for full deployment</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">node-cache</span> <span class="na">image</span><span class="pi">:</span> <span class="s">registry.k8s.io/dns/k8s-dns-node-cache:1.23.0</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-localip=169.254.20.10"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-conf=/etc/Corefile/Corefile"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-upstreamsvc=kube-dns-upstream"</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">5Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">50m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">15Mi</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">53</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dns-udp</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">UDP</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">53</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dns-tcp</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9259</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metrics</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">privileged</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">config-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/Corefile</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">xtables-lock</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/run/xtables.lock</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">xtables-lock</span> <span class="na">hostPath</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/run/xtables.lock</span> <span class="na">type</span><span class="pi">:</span> <span class="s">FileOrCreate</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">config-volume</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nodelocaldns</span> <span class="na">items</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">Corefile</span> <span class="na">path</span><span class="pi">:</span> <span class="s">Corefile</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nodelocaldns</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">data</span><span class="pi">:</span> <span class="na">Corefile</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cluster.local {</span> <span class="s">errors</span> <span class="s">cache {</span> <span class="s">success 99840 30 # Positive cache: up to ~28 hours</span> <span class="s">denial 30 # NXDOMAIN cache: 30 seconds</span> <span class="s">}</span> <span class="s">reload</span> <span class="s">forward . __PILLAR__CLUSTER__DNS__</span> <span class="s">}</span> <span class="s">in-addr.arpa {</span> <span class="s">errors</span> <span class="s">cache 30</span> <span class="s">reload</span> <span class="s">forward . __PILLAR__CLUSTER__DNS__</span> <span class="s">}</span> <span class="s">ip6.arpa {</span> <span class="s">errors</span> <span class="s">cache 30</span> <span class="s">reload</span> <span class="s">forward . __PILLAR__CLUSTER__DNS__</span> <span class="s">}</span> <span class="s">. {</span> <span class="s">errors</span> <span class="s">cache 30</span> <span class="s">reload</span> <span class="s">forward . __PILLAR__UPSTREAM__SERVERS__</span> <span class="s">}</span> </code></pre> </div> <blockquote> <p><strong>Important:</strong> When using the official kubeadm deployment (<code>kubeadm init --feature-gates=NodeLocalDNSCache=true</code>), the <code>__PILLAR__</code> placeholders are automatically substituted. For manual deployment, replace <code>__PILLAR__CLUSTER__DNS__</code> with the kube-dns ClusterIP (e.g., <code>10.96.0.10</code>) and <code>__PILLAR__UPSTREAM__SERVERS__</code> with upstream resolvers (e.g., <code>8.8.8.8 8.8.4.4</code>).</p> </blockquote> <p><strong>Rollback procedure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># If issues arise on canary nodes:</span> <span class="c"># 1. Remove the DaemonSet pods revert to using kube-dns service immediately</span> kubectl delete daemonset nodelocaldns <span class="nt">-n</span> kube-system <span class="c"># 2. Verify DNS is working again through the normal path</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> &lt;pod&gt; <span class="nt">--</span> nslookup order-processor.production.svc.cluster.local <span class="c"># Should resolve through kube-dns service again</span> <span class="c"># 3. Investigate and fix before re-deploying</span> </code></pre> </div> <p>If NodeLocal DNSCache intercepts all DNS traffic and the upstream is misconfigured, pods will experience resolution failures. The <code>nodeSelector</code> approach above lets you validate on a subset before cluster-wide rollout.</p> <h3> Step 3: Tune the Corefile Make CoreDNS Efficient </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">coredns</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">data</span><span class="pi">:</span> <span class="na">Corefile</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">.:53 {</span> <span class="s">errors</span> <span class="s">health {</span> <span class="s">lameduck 5s</span> <span class="s">}</span> <span class="s">ready</span> <span class="s"># Aggressive caching layer</span> <span class="s">cache {</span> <span class="s">success 99840 30 # Successful responses cached for ~28 hours</span> <span class="s">denial 60 # NXDOMAIN cached for 60s (prevents repeated failed lookups)</span> <span class="s">prefetch 120 1200 4 25 # Proactively refresh popular entries at 25% TTL remaining</span> <span class="s">}</span> <span class="s"># Kubernetes service discovery hardened</span> <span class="s">kubernetes cluster.local {</span> <span class="s">pods verified # Don't resolve pods that aren't in Running state</span> <span class="s">fallthrough in-addr.arpa ip6.arpa</span> <span class="s">ttl 30 # Lower TTL for faster cluster change propagation</span> <span class="s">}</span> <span class="s"># External upstream resilient configuration</span> <span class="s">forward . 8.8.8.8 8.8.4.4 1.1.1.1 {</span> <span class="s">max_concurrent 1000 # Prevent upstream saturation</span> <span class="s">prefer_tcp # TCP handles retries and large responses reliably</span> <span class="s">health_check 30s # Detect upstream failures quickly</span> <span class="s">policy random # Distribute load across upstreams</span> <span class="s">expire 10s # Retry interval for failed upstreams</span> <span class="s">serve_tcp # Support both protocols</span> <span class="s">serve_udp</span> <span class="s">}</span> <span class="s"># Allow runtime Corefile reload without pod restart</span> <span class="s">reload</span> <span class="s"># Metrics for monitoring</span> <span class="s">prometheus :9153</span> <span class="s">}</span> </code></pre> </div> <p><strong>Key directives explained:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Directive</th> <th>Why It Matters</th> </tr> </thead> <tbody> <tr> <td><code>max_concurrent 1000</code></td> <td>Prevents a single upstream from being overwhelmed during bursts</td> </tr> <tr> <td><code>prefetch</code></td> <td>Proactively refreshes popular entries before TTL expires, preventing cache stampedes</td> </tr> <tr> <td><code>pods verified</code></td> <td>Avoids DNS entries for terminating pods prevents stale connections</td> </tr> <tr> <td><code>fallthrough</code></td> <td>Lets external resolvers handle non-Kubernetes names instead of failing</td> </tr> <tr> <td><code>prefer_tcp</code></td> <td>TCP handles large responses and retries better than UDP, reducing silent packet loss</td> </tr> <tr> <td><code>denial 60</code></td> <td>Negative caching for 60s stops repeated NXDOMAIN lookups for non-existent names</td> </tr> </tbody> </table></div> <h3> Step 4: Right-Size Resources Stop Starving the Go Runtime </h3> <p><strong>Forget the default</strong> <code>100m</code> <strong>CPU limit.</strong> CoreDNS is a Go binary with concurrent goroutines servicing all cluster DNS. The official CoreDNS scaling benchmarks show:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Single CoreDNS replica on 2 vCPU node: - Internal queries: 33,669 QPS (2.6ms latency) - External queries: 6,733 QPS (12ms latency, client perspective) - At this load, both vCPUs were pegged at ~1900m </code></pre> </div> <p><strong>Memory formula</strong> (from <a href="https://github.com/coredns/deployment/tree/master/kubernetes/Scaling_CoreDNS.md" rel="noopener noreferrer">CoreDNS Scaling Guide</a>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Memory (default settings) = (Pods + Services) / 1000 + 54 MB </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Cluster Scale</th> <th>Pods + Services</th> <th>Memory Needed</th> </tr> </thead> <tbody> <tr> <td>Small (&lt; 50 pods)</td> <td>~60</td> <td>~55 Mi</td> </tr> <tr> <td>Medium (500 pods)</td> <td>~600</td> <td>~59 Mi</td> </tr> <tr> <td>Large (5000 pods)</td> <td>~6,000</td> <td>~64 Mi</td> </tr> <tr> <td>XLarge (150K pods)</td> <td>~158,000</td> <td>~212 Mi</td> </tr> </tbody> </table></div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Resource requests/limits no more starving the Go runtime</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">200m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">150Mi"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">250Mi"</span> </code></pre> </div> <p>After this change in our cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Before: throttled_time = 294 seconds/minute (97% of time throttled) After: throttled_time = 0 seconds/minute </code></pre> </div> <h3> Step 5: Deploy CPA Cluster Proportional Autoscaler </h3> <p>This is <strong>not</strong> regular HPA. The <a href="https://github.com/kubernetes-sigs/cluster-proportional-autoscaler" rel="noopener noreferrer">Cluster Proportional Autoscaler</a> is specifically designed for infrastructure add-ons like CoreDNS that need to scale proportionally with cluster size. Unlike HPA, which requires a metrics pipeline and custom metrics API, CPA watches node count and adjusts replicas via a simple formula.</p> <p><strong>The formula:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>replicas = max(ceil(nodes / nodesPerReplica), ceil(cores / coresPerReplica)) </code></pre> </div> <p>With a floor of 2 when <code>preventSinglePointFailure: true</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">coredns-cpa-config</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">data</span><span class="pi">:</span> <span class="na">linear</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">{"coresPerReplica": 128, "nodesPerReplica": 4, "preventSinglePointFailure": true}</span> </code></pre> </div> <p><strong>Scaling examples (annotated which constraint is binding):</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Nodes</th> <th>Cores</th> <th>Calculation</th> <th>Replicas</th> <th>Binding Constraint</th> </tr> </thead> <tbody> <tr> <td>8</td> <td>16</td> <td>max(8/4, 16/128) = max(2, 0.125)</td> <td><strong>2</strong></td> <td> <code>nodesPerReplica</code> (2 &gt; 0.125). Also hits <code>preventSinglePointFailure</code> floor of 2.</td> </tr> <tr> <td>24</td> <td>48</td> <td>max(24/4, 48/128) = max(6, 0.375)</td> <td><strong>6</strong></td> <td> <code>nodesPerReplica</code> (6 &gt; 0.375)</td> </tr> <tr> <td>100</td> <td>200</td> <td>max(100/4, 200/128) = max(25, 1.56)</td> <td><strong>25</strong></td> <td> <code>nodesPerReplica</code> (25 &gt; 1.56)</td> </tr> </tbody> </table></div> <p>In every example above, <code>nodesPerReplica</code> is the binding constraint the CPU-based calculation produces a value below 1, so it doesn't contribute. This is typical for CoreDNS, which is more sensitive to the number of nodes (and therefore the number of NodeLocal DNSCache instances generating upstream queries) than to raw cluster compute.</p> <blockquote> <p><strong>Cloud vendor endorsement:</strong> Oracle OKE, AWS EKS, and Azure AKS all recommend CPA for CoreDNS autoscaling. <a href="https://docs.aws.amazon.com/eks/latest/best-practices/scale-cluster-services.html" rel="noopener noreferrer">EKS Best Practices</a> explicitly states: <em>"It's recommended you use NodeLocal DNS or the cluster proportional autoscaler to scale CoreDNS."</em><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy CPA via Helm</span> helm <span class="nb">install </span>coredns-cpa cluster-proportional-autoscaler <span class="se">\</span> <span class="nt">--repo</span> https://kubernetes-sigs.github.io/cluster-proportional-autoscaler <span class="se">\</span> <span class="nt">--namespace</span> kube-system <span class="se">\</span> <span class="nt">--set</span> rbac.create<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> image.tag<span class="o">=</span>v1.12.0 <span class="se">\</span> <span class="nt">--set</span> defaultRequests.cpu<span class="o">=</span>100m <span class="se">\</span> <span class="nt">--set</span> defaultRequests.memory<span class="o">=</span>70Mi <span class="se">\</span> <span class="nt">--set</span> defaultLimits.cpu<span class="o">=</span>500m <span class="se">\</span> <span class="nt">--set</span> defaultLimits.memory<span class="o">=</span>250Mi <span class="se">\</span> <span class="nt">--set</span> <span class="nv">configMap</span><span class="o">=</span>coredns-cpa-config </code></pre> </div> <h3> Step 6: PodDisruptionBudget Never Take All DNS Down at Once </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodDisruptionBudget</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">coredns-pdb</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">minAvailable</span><span class="pi">:</span> <span class="m">2</span> <span class="c1"># Never fewer than 2 running CoreDNS pods</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">k8s-app</span><span class="pi">:</span> <span class="s">kube-dns</span> </code></pre> </div> <p>Without a PDB, a node drain or rolling update can kill all CoreDNS replicas simultaneously instant cluster-wide DNS blackout. This is especially dangerous when using NodeLocal DNSCache, because the node-local caches still forward misses to CoreDNS pods. If all CoreDNS pods are evicted, every cache miss fails.</p> <h2> Chapter 5 Verification: Did It Work? </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. DNS resolution speed should be &lt;5ms now</span> <span class="nv">$ </span><span class="nb">time </span>nslookup google.com real 0m0.003s <span class="c"># ← was 5 seconds before</span> <span class="nv">$ </span><span class="nb">time </span>nslookup order-processor.production.svc.cluster.local real 0m0.002s <span class="c"># ← was timing out before</span> <span class="c"># 2. CoreDNS resource usage should have massive headroom</span> <span class="nv">$ </span>kubectl top pods <span class="nt">-n</span> kube-system <span class="nt">-l</span> k8s-app<span class="o">=</span>kube-dns NAME CPU<span class="o">(</span>cores<span class="o">)</span> MEMORY<span class="o">(</span>bytes<span class="o">)</span> coredns-5d78c9fd5d-4kx2m 28m 88Mi <span class="c"># ← was 97m/100m</span> <span class="c"># 3. CPU throttling should be zero</span> kubectl debug <span class="nt">-it</span> <span class="nt">-n</span> kube-system coredns-5d78c9fd5d-4kx2m <span class="nt">--image</span><span class="o">=</span>busybox <span class="nt">--target</span><span class="o">=</span>coredns <span class="nt">--</span> <span class="nb">cat</span> /sys/fs/cgroup/cpu.stat nr_throttled 0 throttled_time 0 <span class="c"># ← was 294 seconds/minute</span> <span class="c"># 4. Node-local cache hit rate should be &gt;90%</span> <span class="nv">$ </span>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kube-system <span class="nt">-l</span> k8s-app<span class="o">=</span>kube-dns <span class="nt">--</span> curl <span class="nt">-s</span> localhost:9153/metrics | <span class="nb">grep </span>cache coredns_cache_hits_total 48291 coredns_cache_misses_total 4892 <span class="c"># Hit ratio: 90.7% </span> <span class="c"># 5. CPA working verify replicas scaled</span> <span class="nv">$ </span>kubectl describe deployment coredns | <span class="nb">grep </span>Replicas Replicas: 6 <span class="o">(</span>desired<span class="o">)</span> </code></pre> </div> <h2> Chapter 6 Monitoring: No More Surprises </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Prometheus alerting rules add to your rules file</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">coredns.rules</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">rules</span><span class="pi">:</span> <span class="c1"># ALERT: CoreDNS error rate &gt; 5% for 3 minutes</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">CoreDNSHighErrorRate</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(</span> <span class="s">rate(coredns_dns_requests_total{rcode=~"SERVFAIL|REFUSED|TIMEOUT"}[5m])</span> <span class="s">/</span> <span class="s">rate(coredns_dns_requests_total[5m])</span> <span class="s">) &gt; 0.05</span> <span class="na">for</span><span class="pi">:</span> <span class="s">3m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CoreDNS</span><span class="nv"> </span><span class="s">error</span><span class="nv"> </span><span class="s">rate</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$value</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">humanize</span><span class="nv"> </span><span class="s">}}"</span> <span class="c1"># ALERT: DNS resolution slow (p99 &gt; 50ms)</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">CoreDNSHighLatency</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">histogram_quantile(0.99,</span> <span class="s">rate(coredns_dns_request_duration_seconds_bucket[5m])</span> <span class="s">) &gt; 0.05</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CoreDNS</span><span class="nv"> </span><span class="s">p99</span><span class="nv"> </span><span class="s">latency</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$value</span><span class="nv"> </span><span class="s">}}s"</span> <span class="c1"># ALERT: Cache efficiency dropping</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">CoreDNSCacheHitRateLow</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(</span> <span class="s">rate(coredns_cache_hits_total[10m])</span> <span class="s">/</span> <span class="s">(rate(coredns_cache_hits_total[10m]) + rate(coredns_cache_misses_total[10m]))</span> <span class="s">) &lt; 0.80</span> <span class="na">for</span><span class="pi">:</span> <span class="s">10m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CoreDNS</span><span class="nv"> </span><span class="s">cache</span><span class="nv"> </span><span class="s">hit</span><span class="nv"> </span><span class="s">ratio</span><span class="nv"> </span><span class="s">below</span><span class="nv"> </span><span class="s">80%"</span> <span class="c1"># ALERT: CPU throttling detected</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">CoreDNSCPUThrottling</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">rate(container_cpu_cfs_throttled_periods_total{container="coredns"}[5m]) &gt; 0</span> <span class="na">for</span><span class="pi">:</span> <span class="s">2m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CoreDNS</span><span class="nv"> </span><span class="s">pod</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.pod</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">being</span><span class="nv"> </span><span class="s">CPU</span><span class="nv"> </span><span class="s">throttled"</span> <span class="c1"># ALERT: CoreDNS pod restarting</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">CoreDNSPodRestarts</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">increase(kube_pod_container_status_restarts_total{container="coredns"}[1h]) &gt; 3</span> <span class="na">for</span><span class="pi">:</span> <span class="s">10m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> </code></pre> </div> <h2> Chapter 7 The Playbook: TL;DR Checklist </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>╔══════════════════════════════════════════════════════════════╗ ║ COREDNS PRODUCTION HARDENING CHECKLIST ║ ╠══════════════════════════════════════════════════════════════╣ ║ □ 1. Set ndots: 2 (immediate 80% query reduction) ║ ║ □ 2. Deploy NodeLocal DNSCache (game changer for clusters ║ ║ with &gt;50 pods test on canary nodes first, then ║ ║ roll out cluster-wide) ║ ║ □ 3. Tune Corefile: cache, prefetch, max_concurrent, ║ ║ prefer_tcp, pods verified ║ ║ □ 4. Right-size CPU limits (min 200m request, 500m limit ║ ║ Go needs breathing room) ║ ║ □ 5. Deploy CPA (Cluster Proportional Autoscaler) ║ ║ NOT regular HPA scales with cluster size ║ ║ □ 6. Set PodDisruptionBudget (minAvailable: 2) ║ ║ □ 7. Add monitoring alerts (error rate, latency, ║ ║ cache hit ratio, CPU throttling) ║ ║ □ 8. Test with: kubectl exec &lt;pod&gt; -- nslookup ║ ║ &lt;service&gt; &amp;&amp; verify &lt;5ms, zero errors ║ ╚══════════════════════════════════════════════════════════════╝ </code></pre> </div> <p><strong>Priority order do them in this sequence:</strong></p> <ol> <li><p><code>ndots: 2</code> → 5 minutes, 80% of the problem solved</p></li> <li><p>NodeLocal DNSCache → 15 minutes, eliminates cross-node traffic (test on canary nodes first)</p></li> <li><p>Resource increase → 5 minutes, un-throttles the Go runtime</p></li> <li><p>Corefile tuning → 10 minutes, cache + prefetch + failover</p></li> <li><p>CPA + PDB → 20 minutes, future-proofs against cluster growth</p></li> <li><p>Monitoring → 30 minutes, prevents the next incident</p></li> </ol> <h2> Epilogue </h2> <p>That Wednesday night, we applied Steps 1–4 between 12:00 AM and 12:47 AM. DNS resolution went from <strong>5-second timeouts</strong> to <strong>2-millisecond responses</strong>. We deployed CPA the following day. The cluster hasn't had a DNS-related incident since.</p> <p>DNS is boring until it breaks, and when it breaks, everything breaks. CoreDNS isn't a set-and-forget service at scale, it's critical infrastructure that demands deliberate sizing, caching strategy, and proportional autoscaling. The Cluster Proportional Autoscaler exists specifically because <code>kubectl scale deployment coredns --replicas=X</code> doesn't scale when your cluster goes from 24 nodes to 240.</p> <p>Monitor it. Size it. Cache it. Scale it.</p> <p>Your 3 AM pager will thank you. 🌙</p> <h2> References </h2> <ul> <li><p><a href="https://github.com/coredns/deployment/tree/master/kubernetes/Scaling_CoreDNS.md" rel="noopener noreferrer">CoreDNS Scaling Guide (GitHub)</a></p></li> <li><p><a href="https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/" rel="noopener noreferrer">NodeLocal DNSCache Kubernetes Official Docs</a></p></li> <li><p><a href="https://docs.aws.amazon.com/eks/latest/best-practices/scale-cluster-services.html" rel="noopener noreferrer">EKS Best Practices Scaling Cluster Services</a></p></li> <li><p><a href="https://github.com/kubernetes-sigs/cluster-proportional-autoscaler" rel="noopener noreferrer">Cluster Proportional Autoscaler (kubernetes-sigs)</a></p></li> <li><p><a href="https://neon.com/blog/improving-dns-performance-with-nodelocaldns" rel="noopener noreferrer">Improving DNS Performance with NodeLocalDNS Neon Engineering Blog</a></p></li> <li><p><a href="https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengbestpractices_topic-Large-Scale-Clusters-best-practices.htm" rel="noopener noreferrer">Oracle OKE Large Cluster Best Practices</a></p></li> <li><p><a href="https://coredns.io/plugins/kubernetes/" rel="noopener noreferrer">CoreDNS Kubernetes Plugin Documentation</a></p></li> <li><p><a href="https://coredns.io/plugins/cache/" rel="noopener noreferrer">CoreDNS Cache Plugin Documentation</a></p></li> </ul> kubernetes devops networking sre Akshat Sinha Thu, 07 May 2026 05:00:00 +0000 https://forem.com/pingtoprod/argo-rollouts-in-production-canary-analysistemplates-and-the-gotchas-nobody-documents-10fi https://forem.com/pingtoprod/argo-rollouts-in-production-canary-analysistemplates-and-the-gotchas-nobody-documents-10fi <p>It started with a routine Tuesday deploy. Nothing fancy, a small config change to our ingress controller across a few clusters. We'd done this a hundred times. Standard values.yaml modification and then letting ArgoCD do its magic, watch the rolling update do its thing, grab a Tea ( personal preference, you can grab a coffee as well ).</p> <p>Famous last words.</p> <p>By the time I checked the dashboards, three clusters were throwing 502s. The rolling update had dutifully cycled through pods, but it had no clue that the new config was messing up our TLS termination. It just kept going. <strong>That's the thing about Kubernetes Deployments, they're optimistic to a fault.</strong> They'll roll out bad code with the same enthusiasm as good code, and by the time your metrics catch up, you've already blasted through all your replicas.</p> <p>I spent the afternoon writing rollback scripts and explaining to stakeholders why "production-ready" Kubernetes had just taken down three environments.</p> <p>That was the day I stopped trusting <code>kind: Deployment</code> for anything that matters atleast on production.</p> <h2> The Problem Isn't Rolling Updates. Actually It's What They Can't See </h2> <p>Here's what they don't tell you in the tutorials: <code>RollingUpdate</code> isn't a deployment strategy, it's a pod replacement algorithm (yes I said what I said). It knows how to swap old pods for new ones without downtime. It has zero clue whether your application is actually <em>working</em>.</p> <p>Think about what the native Deployment actually gives you:</p> <ul> <li><p><strong>Readiness probes</strong> — checks if <em>a pod</em> is ready, not if your <em>release</em> is healthy</p></li> <li><p><strong>Rolling updates</strong> — controls <em>speed</em>, not <em>safety</em></p></li> <li><p><strong>Pause support</strong> — you can halt, but there's no automated rollback on failure</p></li> <li><p><strong>Umm, that's pretty much it, not counting the Pre-stop hooks and stuff</strong></p></li> </ul> <p>No traffic management between old and new versions. No external metric validation. No blast radius control. No ability to preview a release before it gets real traffic. Research tells us that <strong>80% of production outages are caused by small changes</strong>, and the native Deployment has no opinion about any of them.</p> <p>You want canary? Write it yourself with two Deployments and a fragile mess of Service selectors. You want automated rollback based on error rates? Build a custom controller. You want blue-green with preview environments? Good luck.</p> <p>The Kubernetes community will tell you "use Argo Rollouts!" — and they're right. But most tutorials stop at "here's how to replace Deployment with Rollout for blue-green." Let me show you what actually matters when you're running this in anger.</p> <h2> <code>kind: Rollout</code> vs <code>kind: Deployment</code> — The Actual Diff </h2> <p>The first CRD is <code>kind: Rollout</code>. It's marketed as a drop-in replacement for <code>kind: Deployment</code>, and it mostly is but as a DevOps Engineer you can't bet everything on <strong>mostly it should work</strong>, so let's be precise about what changes.</p> <p>Here's a native Deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">10</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">0</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app:v1</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p>And here's the equivalent <code>kind: Rollout</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="c1"># &lt;-- changed</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rollout</span> <span class="c1"># &lt;-- changed</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">10</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">strategy</span><span class="pi">:</span> <span class="c1"># &lt;-- this whole block changes</span> <span class="na">canary</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">10</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">10m.</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">50</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">10m</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">100</span> <span class="na">analysis</span><span class="pi">:</span> <span class="na">templates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">templateName</span><span class="pi">:</span> <span class="s">standard-health-check</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">service</span> <span class="na">value</span><span class="pi">:</span> <span class="s">my-app.default.svc.cluster.local</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app:v1</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p>Three things change: the <code>apiVersion</code>, the <code>kind</code>, and the <code>strategy</code> block. Everything else — <code>selector</code>, <code>replicas</code>, <code>template</code>, container spec — is identical. The controller picks it up and manages two ReplicaSets (stable + canary) behind the scenes.</p> <p><strong>One important gotcha:</strong> Argo Rollouts creates and manages its own ReplicaSets, so if you migrate an existing Deployment, delete the Deployment first. Running both simultaneously causes a conflict over the same pods.</p> <p><em>How to migrate from</em> <strong><em>kind: Deployment</em></strong> <em>to</em> <strong><em>kind: Rollout</em></strong> <em>without downtime is a whole differet story, that would need a seperate blog post.</em></p> <h2> The Canary Problem Nobody Talks About </h2> <p>Before we go further, there's a widely misunderstood behaviour that'll bite you if you skip it.</p> <p>When you set <code>setWeight: 30</code> in a canary step, most people assume 30% of your <em>users</em> get the new version. <strong>That's not what happens.</strong> Argo Rollouts guarantees that 30% of <em>network requests</em> go to canary, but those requests are completely random. The same user can hit stable on request 1, canary on request 2, and stable again on request 3. For stateless APIs this is tolerable. For anything with session state, user-specific features, or UI changes, this is a disaster.</p> <h3> The Fix: Header-Based Routing </h3> <p>You need a traffic provider (NGINX Ingress, Istio, Traefik, etc.) and a dedicated canary URL per user group. Here's how it looks with NGINX:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rollout</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">canary</span><span class="pi">:</span> <span class="na">canaryService</span><span class="pi">:</span> <span class="s">my-app-canary</span> <span class="c1"># separate Service for canary pods</span> <span class="na">stableService</span><span class="pi">:</span> <span class="s">my-app-stable</span> <span class="c1"># separate Service for stable pods</span> <span class="na">trafficRouting</span><span class="pi">:</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">stableIngress</span><span class="pi">:</span> <span class="s">my-app-ingress</span> <span class="na">annotationPrefix</span><span class="pi">:</span> <span class="s">nginx.ingress.kubernetes.io</span> <span class="na">additionalIngressAnnotations</span><span class="pi">:</span> <span class="na">canary-by-header</span><span class="pi">:</span> <span class="s">X-Canary-User</span> <span class="na">canary-by-header-value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">10</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">10m</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">50</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">10m</span> </code></pre> </div> <p>Now requests with the header <code>X-Canary-User: true</code> always hit the canary. Everyone else stays on stable. You can give this header to internal testers, beta users, or a specific account tier — controlled, consistent, reproducible canary exposure.</p> <h3> Decoupling Traffic from Replicas: <code>setCanaryScale</code> </h3> <p>By default, Argo Rollouts scales canary replicas proportionally to traffic weight. At 10% traffic, you get ~10% of your total replica count. This can cause resource issues — at 10 replicas total, 10% traffic with 1 canary pod means that pod is handling a tenth of your prod load with zero redundancy.</p> <p><code>setCanaryScale</code> fixes this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">10</span> <span class="pi">-</span> <span class="na">setCanaryScale</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># always keep 3 canary pods regardless of weight</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">10m</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">50</span> <span class="pi">-</span> <span class="na">setCanaryScale</span><span class="pi">:</span> <span class="na">matchTrafficWeight</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># now scale proportionally</span> </code></pre> </div> <p>This is critical for cost efficiency in large clusters so you're not spinning up 50 canary pods the moment you hit 50% traffic weight.</p> <h3> Manual Gates: Explicit Human Approval </h3> <p>Automated analysis is great. But sometimes you want a person to look at dashboards before traffic increases. Use <code>pause: {duration: 0}</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">10</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">10m</span> <span class="c1"># timed pause — auto-advances</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">30</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{}</span> <span class="c1"># indefinite pause — REQUIRES manual promotion</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">100</span> </code></pre> </div> <p>An indefinite pause blocks until someone runs <code>kubectl argo rollouts promote my-app</code> or clicks Promote in the dashboard. Ideal for compliance-gated releases or high-stakes deploys.</p> <h2> AnalysisTemplate: Executable Success Criteria </h2> <p>I used to think monitoring was enough. "We'll watch the dashboards and roll back if things go south." Cute. By the time a you are back after grabbing the cup of tea, you've already served errors to real users for minutes.</p> <p><code>AnalysisTemplate</code> is where you define what "goooood" looks like, not vague SLOs buried in a wiki, but actual executable queries against your metrics provider.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AnalysisTemplate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">error-rate-check</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">service-name</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">successCondition</span><span class="pi">:</span> <span class="s">result[0] &gt;= </span><span class="m">0.95</span> <span class="na">failureLimit</span><span class="pi">:</span> <span class="m">3</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">http://prometheus:9090</span> <span class="na">query</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sum(rate(</span> <span class="s">requests_total{service="{{args.service-name}}",status!~"5.."}[5m]</span> <span class="s">)) /</span> <span class="s">sum(rate(</span> <span class="s">requests_total{service="{{args.service-name}}"}[5m]</span> <span class="s">))</span> </code></pre> </div> <p>The <code>failureLimit: 3</code> is important, it means the analysis can fail up to 3 consecutive checks before the rollout aborts. This prevents a single metric spike from triggering a premature rollback. Tune this based on your traffic patterns.</p> <h3> Beyond Prometheus — The Providers You're Not Using </h3> <p>Most blogs show only Prometheus. Here's the full picture:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Provider</th> <th>Use Case</th> </tr> </thead> <tbody> <tr> <td><strong>Prometheus</strong></td> <td>Error rates, latency, saturation — the default</td> </tr> <tr> <td><strong>Datadog</strong></td> <td>If your org is Datadog-first; same PromQL-style queries</td> </tr> <tr> <td><strong>New Relic / CloudWatch</strong></td> <td>Cloud-native shops already invested in these</td> </tr> <tr> <td><strong>InfluxDB / Wavefront</strong></td> <td>IoT or high-frequency telemetry workloads</td> </tr> <tr> <td><strong>HTTP Endpoint</strong></td> <td>Call any arbitrary URL and evaluate the response</td> </tr> <tr> <td><strong>Kubernetes Job</strong></td> <td>Run any test script as a gate — massively underrated</td> </tr> </tbody> </table></div> <p>The <strong>Kubernetes Job provider</strong> deserves special attention. It lets you run integration tests, smoke tests, or any shell script as an analysis step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">integration-test</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">job</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-runner</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-test-runner:latest</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pytest"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">tests/smoke/"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-v"</span><span class="pi">]</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Never</span> <span class="na">backoffLimit</span><span class="pi">:</span> <span class="m">0</span> </code></pre> </div> <p>If the Job exits 0, analysis passes. Non-zero means failure, rollback triggers. This is how you gate a canary on actual test results, not just infrastructure metrics.</p> <h3> ClusterAnalysisTemplate — Define Once, Use Everywhere </h3> <p>If you're managing multiple namespaces (and you are), use <code>ClusterAnalysisTemplate</code> instead of <code>AnalysisTemplate</code>. It's cluster-scoped — define it once, reference it from any Rollout in any namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterAnalysisTemplate</span> <span class="c1"># &lt;-- cluster-scoped</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">standard-health-check</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">service</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">successCondition</span><span class="pi">:</span> <span class="s">result[0] &gt;= </span><span class="m">0.95</span> <span class="na">failureLimit</span><span class="pi">:</span> <span class="m">3</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">http://prometheus.monitoring:9090</span> <span class="na">query</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sum(rate(</span> <span class="s">istio_requests_total{</span> <span class="s">destination_service=~"{{args.service}}",</span> <span class="s">response_code!~"5.*"</span> <span class="s">}[5m]</span> <span class="s">)) /</span> <span class="s">sum(rate(</span> <span class="s">istio_requests_total{</span> <span class="s">destination_service=~"{{args.service}}"</span> <span class="s">}[5m]</span> <span class="s">))</span> </code></pre> </div> <p>When your Prometheus address changes (and it will), you update one file. Not fifty.</p> <h2> AnalysisRun: The Live Execution You Should Actually Inspect </h2> <p><code>AnalysisRun</code> is the third CRD, and it's the one people forget to look at during an active rollout. It's the live execution of an <code>AnalysisTemplate</code> — one gets created automatically each time a Rollout triggers an analysis.</p> <p>An <code>AnalysisRun</code> has three possible outcomes:</p> <ul> <li><p><strong>Successful</strong> → Argo Rollouts advances to the next step</p></li> <li><p><strong>Failed</strong> → Rollout aborts, traffic snaps back to stable, canary scales to zero</p></li> <li><p><strong>Inconclusive</strong> → Rollout pauses, waits for manual judgment (useful when metrics are ambiguous)</p></li> </ul> <p>The most useful thing you can do during a live canary is inspect the AnalysisRun directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># See all analysis runs for a rollout</span> kubectl argo rollouts get rollout my-app <span class="c"># Detailed view of a specific analysis run</span> kubectl describe analysisrun my-app-&lt;<span class="nb">hash</span><span class="o">&gt;</span> <span class="c"># Watch it live</span> kubectl argo rollouts get rollout my-app <span class="nt">--watch</span> </code></pre> </div> <p>The <code>--watch</code> flag is your best friend. It gives you a live terminal view of step progression, traffic weights, and analysis status without needing to open the dashboard.</p> <p>You can also run an <code>AnalysisTemplate</code> independently, outside of a Rollout, for dry-run validation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AnalysisRun</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dry-run-health-check</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">service-name</span> <span class="na">value</span><span class="pi">:</span> <span class="s">my-app.default.svc.cluster.local</span> <span class="na">templates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">templateName</span><span class="pi">:</span> <span class="s">error-rate-check</span> </code></pre> </div> <p>Run this before wiring analysis into a production Rollout. Validate your PromQL actually returns what you think it returns. Save yourself the embarrassment of an analysis that always passes because the query is wrong.</p> <h2> <code>kind: Experiment</code>- A/B Testing Inside Your Pipeline </h2> <p>Last year, we were migrating from GKE to a multi-cloud setup. Needed to verify our app behaved identically across regions with different latency profiles. Normally, you'd do this manually spin up a test deployment, run some benchmarks, compare.</p> <p>Enter <code>kind: Experiment</code>. It lets you run multiple ReplicaSets side-by-side for a set duration, with optional analysis on each. Think of it as Kayenta-style comparison analysis, but native to your deployment pipeline.</p> <p>The most common use case isn't standalone experiments though — it's embedding them as a <strong>canary step</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Inside a Rollout's canary steps</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">experiment</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">30m</span> <span class="na">templates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">baseline</span> <span class="na">specRef</span><span class="pi">:</span> <span class="s">stable</span> <span class="c1"># uses the current stable spec</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">canary</span> <span class="na">specRef</span><span class="pi">:</span> <span class="s">canary</span> <span class="c1"># uses the new canary spec</span> <span class="na">analyses</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">compare-latency</span> <span class="na">templateName</span><span class="pi">:</span> <span class="s">p95-latency-comparison</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">baseline-service</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{templates.baseline.service.name}}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">canary-service</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{templates.canary.service.name}}"</span> </code></pre> </div> <p>Both versions run in parallel for 30 minutes. Your analysis compares their p95 latency side-by-side. If canary is statistically worse, the experiment fails and the rollout aborts, before a single real user sees the new version.</p> <p>That's not a deployment strategy. That's engineering confidence.</p> <h2> The Argo Rollouts Dashboard: Yes There's a GUI of your Control Room </h2> <p>Here's what most tutorials skip entirely: there's a full web UI, and it's actually good.</p> <p>Install the kubectl plugin first if you haven't:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS</span> brew <span class="nb">install </span>argoproj/tap/kubectl-argo-rollouts <span class="c"># Linux</span> curl <span class="nt">-LO</span> https://github.com/argoproj/argo-rollouts/releases/latest/download/kubectl-argo-rollouts-linux-amd64 <span class="nb">chmod</span> +x kubectl-argo-rollouts-linux-amd64 <span class="nb">mv </span>kubectl-argo-rollouts-linux-amd64 /usr/local/bin/kubectl-argo-rollouts </code></pre> </div> <p>Then launch the dashboard:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl argo rollouts dashboard </code></pre> </div> <p>It opens on <code>http://localhost:3100</code>. What you get:</p> <ul> <li><p><strong>Live rollout status</strong> — step progression, current traffic weights, active canary vs stable pod counts</p></li> <li><p><strong>AnalysisRun status</strong> — each metric check, pass/fail, consecutive failures, timestamps</p></li> <li><p><strong>One-click controls</strong> — Promote, Abort, Retry directly from the UI without touching kubectl</p></li> <li><p><strong>Rollout history</strong> — every revision with its status and timestamp</p></li> </ul> <p>This is the thing to show your team when you're making the case for Argo Rollouts. Watching a canary step from 10% → 50% in real-time while analysis checks tick green is more persuasive than any architecture diagram.</p> <p><strong>For production</strong>, you can use the argo-rollouts controller helm chart and enable dashboard there, they also support enabling ingress for dashboard so you are mostly set. If you have already migrated the nginx controller to Gateway you might have to write a seperate HTTPRoute, if not you can use a loadbalancer to access it. Make sure that its only internally accessible and not public facing :).</p> <p>Here's the Github Repo Link to Helm chart incase:- <a href="https://github.com/argoproj/argo-helm/tree/main/charts/argo-rollouts" rel="noopener noreferrer">https://github.com/argoproj/argo-helm/tree/main/charts/argo-rollouts</a></p> <h2> Notifications — The Part Everyone Gets Wrong </h2> <p>Argo Rollouts has native notification support since v1.1, with self-service namespace configuration since v1.6, but most setups are half-baked. Teams wire up on-rollout-aborted and call it done, which is one event out of nine and usually not even the most actionable one. Most blogs show the annotation and stop there. Here's the full wiring.</p> <h3> Step 1: Create the Slack Token Secret </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic argo-rollouts-notification-secret <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span>slack-token<span class="o">=</span>xoxb-your-slack-bot-token <span class="se">\</span> <span class="nt">-n</span> argo-rollouts </code></pre> </div> <h3> Step 2: Configure the Notification ConfigMap </h3> <p>This is where triggers and templates live. Apply it in the <code>argo-rollouts</code> namespace for cluster-wide defaults:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argo-rollouts-notification-cm</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argo-rollouts</span> <span class="na">data</span><span class="pi">:</span> <span class="c1"># Slack integration</span> <span class="na">service.slack</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">token: $slack-token</span> <span class="c1"># Message templates</span> <span class="na">template.rollout-aborted</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">message: |</span> <span class="s">:red_circle: Rollout *{{.rollout.metadata.name}}* aborted in namespace *{{.rollout.metadata.namespace}}*</span> <span class="s">Reason: {{.rollout.status.message}}</span> <span class="s">Canary weight at time of abort: {{.rollout.status.currentPodHash}}</span> <span class="na">template.analysis-run-failed</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">message: |</span> <span class="s">:warning: Analysis failed for *{{.rollout.metadata.name}}*</span> <span class="s">Failed metric: {{range .analysisRun.status.metricResults}}{{if eq .phase "Failed"}}{{.name}}{{end}}{{end}}</span> <span class="s">Initiating automatic rollback.</span> <span class="na">template.rollout-completed</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">message: |</span> <span class="s">:white_check_mark: Rollout *{{.rollout.metadata.name}}* completed successfully.</span> <span class="s">New stable image: {{range .rollout.spec.template.spec.containers}}{{.image}}{{end}}</span> <span class="na">template.rollout-paused</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">message: |</span> <span class="s">:pause_button: Rollout *{{.rollout.metadata.name}}* paused — awaiting manual promotion.</span> <span class="s">Promote with: `kubectl argo rollouts promote {{.rollout.metadata.name}} -n {{.rollout.metadata.namespace}}`</span> <span class="c1"># Triggers — maps events to templates</span> <span class="na">trigger.on-rollout-aborted</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- send: [rollout-aborted]</span> <span class="na">trigger.on-analysis-run-failed</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- send: [analysis-run-failed]</span> <span class="na">trigger.on-rollout-completed</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- send: [rollout-completed]</span> <span class="na">trigger.on-rollout-paused</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- send: [rollout-paused]</span> </code></pre> </div> <h3> Step 3: Annotate Your Rollout </h3> <p>Now teams can self-subscribe to any trigger without touching the central configmap (the v1.6 self-service model):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rollout</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">annotations</span><span class="pi">:</span> <span class="c1"># Alert on abort and analysis failure</span> <span class="na">notifications.argoproj.io/subscribe.on-rollout-aborted.slack</span><span class="pi">:</span> <span class="s2">"</span><span class="s">#alerts-team-a"</span> <span class="na">notifications.argoproj.io/subscribe.on-analysis-run-failed.slack</span><span class="pi">:</span> <span class="s2">"</span><span class="s">#alerts-team-a"</span> <span class="c1"># Notify on success too — close the loop</span> <span class="na">notifications.argoproj.io/subscribe.on-rollout-completed.slack</span><span class="pi">:</span> <span class="s2">"</span><span class="s">#deploys-team-a"</span> <span class="c1"># Alert when a manual gate is waiting for promotion</span> <span class="na">notifications.argoproj.io/subscribe.on-rollout-paused.slack</span><span class="pi">:</span> <span class="s2">"</span><span class="s">#deploys-team-a"</span> </code></pre> </div> <p>The nine built-in triggers cover the full lifecycle:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Trigger</th> <th>When It Fires</th> </tr> </thead> <tbody> <tr> <td><code>on-rollout-updated</code></td> <td>A new rollout revision starts</td> </tr> <tr> <td><code>on-rollout-step-completed</code></td> <td>Each canary step completes</td> </tr> <tr> <td><code>on-rollout-paused</code></td> <td>Rollout pauses (manual gate or analysis inconclusive)</td> </tr> <tr> <td><code>on-rollout-completed</code></td> <td>Rollout reaches 100% stable</td> </tr> <tr> <td><code>on-rollout-aborted</code></td> <td>Rollout aborts for any reason</td> </tr> <tr> <td><code>on-analysis-run-started</code></td> <td>An AnalysisRun begins</td> </tr> <tr> <td><code>on-analysis-run-completed</code></td> <td>An AnalysisRun finishes</td> </tr> <tr> <td><code>on-analysis-run-failed</code></td> <td>An AnalysisRun fails</td> </tr> <tr> <td><code>on-analysis-run-error</code></td> <td>Provider error (e.g., Prometheus unreachable)</td> </tr> </tbody> </table></div> <p>The <code>on-analysis-run-error</code> trigger is one people forget. If your Prometheus goes down mid-canary, you want to know immediately, not discover it when you wonder why the rollout is stuck.</p> <h2> Argo Rollouts + Argo CD: The GitOps Stack </h2> <p>A common source of confusion: <strong>Argo CD and Argo Rollouts are not the same tool, and they solve different problems.</strong></p> <ul> <li><p><strong>Argo CD</strong> ensures your cluster matches the desired state in Git. It's a reconciliation engine. It sees your <code>kind: Rollout</code> manifest in Git and syncs it to the cluster.</p></li> <li><p><strong>Argo Rollouts</strong> controls <em>how</em> the transition from old to new happens once that manifest lands. It manages the traffic shifting, analysis, and promotion/rollback logic.</p></li> </ul> <p>The workflow looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer pushes new image tag to Git ↓ Argo CD detects the diff and syncs the Rollout spec ↓ Argo Rollouts controller picks up the new spec ↓ Canary step begins: 10% traffic → AnalysisRun starts ↓ Analysis passes → 50% → analysis passes → 100% ↓ New version is stable. Argo CD shows "Synced + Healthy" </code></pre> </div> <p>One important config when using both together: set <code>ignoreDifferences</code> in your Argo CD Application <strong>and</strong> enable <code>respectIgnoreDifferences</code> to avoid Argo CD fighting Argo Rollouts over the replica count during a canary.</p> <p><strong>Step 1 — Argo CD Application:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">RespectIgnoreDifferences=true</span> <span class="na">ignoreDifferences</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s">argoproj.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rollout</span> <span class="na">jsonPointers</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/spec/replicas</span> <span class="c1"># Argo Rollouts manages this during canary</span> </code></pre> </div> <p>Without both, Argo CD will try to sync the replica count back to what's in Git while Argo Rollouts is actively scaling canary pods. The two controllers fight each other and you get undefined behaviour.</p> <h2> The Complete Production Ready Example </h2> <p>Here's everything tied together, the kind of manifest I wish someone had shown me before I learned it the expensive way:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># 1. ClusterAnalysisTemplate — define once, use everywhere</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterAnalysisTemplate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">standard-health-check</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">service</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">success-rate</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">successCondition</span><span class="pi">:</span> <span class="s">result[0] &gt;= </span><span class="m">0.95</span> <span class="na">failureLimit</span><span class="pi">:</span> <span class="m">3</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">http://prometheus.monitoring:9090</span> <span class="na">query</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sum(rate(</span> <span class="s">istio_requests_total{</span> <span class="s">destination_service=~"{{args.service}}",</span> <span class="s">response_code!~"5.*"</span> <span class="s">}[5m]</span> <span class="s">)) /</span> <span class="s">sum(rate(</span> <span class="s">istio_requests_total{</span> <span class="s">destination_service=~"{{args.service}}"</span> <span class="s">}[5m]</span> <span class="s">))</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">p95-latency</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">successCondition</span><span class="pi">:</span> <span class="s">result[0] &lt;= </span><span class="m">500</span> <span class="c1"># ms</span> <span class="na">failureLimit</span><span class="pi">:</span> <span class="m">2</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">address</span><span class="pi">:</span> <span class="s">http://prometheus.monitoring:9090</span> <span class="na">query</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">histogram_quantile(0.95,</span> <span class="s">sum(rate(</span> <span class="s">istio_request_duration_milliseconds_bucket{</span> <span class="s">destination_service=~"{{args.service}}"</span> <span class="s">}[5m]</span> <span class="s">)) by (le)</span> <span class="s">)</span> <span class="s">---</span> <span class="c1"># 2. The Rollout</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rollout</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">notifications.argoproj.io/subscribe.on-rollout-aborted.slack</span><span class="pi">:</span> <span class="s2">"</span><span class="s">#alerts-my-team"</span> <span class="na">notifications.argoproj.io/subscribe.on-analysis-run-failed.slack</span><span class="pi">:</span> <span class="s2">"</span><span class="s">#alerts-my-team"</span> <span class="na">notifications.argoproj.io/subscribe.on-rollout-completed.slack</span><span class="pi">:</span> <span class="s2">"</span><span class="s">#deploys-my-team"</span> <span class="na">notifications.argoproj.io/subscribe.on-rollout-paused.slack</span><span class="pi">:</span> <span class="s2">"</span><span class="s">#deploys-my-team"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">10</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app:v2</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">canary</span><span class="pi">:</span> <span class="na">canaryService</span><span class="pi">:</span> <span class="s">my-app-canary</span> <span class="na">stableService</span><span class="pi">:</span> <span class="s">my-app-stable</span> <span class="na">trafficRouting</span><span class="pi">:</span> <span class="na">nginx</span><span class="pi">:</span> <span class="c1"># Can use ALB, Istio, Traefik (Gateway is Supported via plugins haven't explored it yet) </span> <span class="na">stableIngress</span><span class="pi">:</span> <span class="s">my-app-ingress</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">10</span> <span class="pi">-</span> <span class="na">setCanaryScale</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># stable replica count regardless of weight</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">10m</span> <span class="c1"># timed: auto-advances after 10m</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">30</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="pi">{}</span> <span class="c1"># manual gate: requires explicit promotion</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">60</span> <span class="pi">-</span> <span class="na">pause</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">10m</span> <span class="pi">-</span> <span class="na">setWeight</span><span class="pi">:</span> <span class="m">100</span> <span class="na">analysis</span><span class="pi">:</span> <span class="na">startingStep</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># analysis starts after first setWeight</span> <span class="na">templates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">templateName</span><span class="pi">:</span> <span class="s">standard-health-check</span> <span class="na">clusterScope</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># use ClusterAnalysisTemplate</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">service</span> <span class="na">value</span><span class="pi">:</span> <span class="s">my-app.default.svc.cluster.local</span> </code></pre> </div> <h2> Flagger: The Elephant in the Room </h2> <p>Flagger is worth mentioning because the question always comes up. The fundamental difference is architectural: Flagger <em>wraps</em> your existing <code>kind: Deployment</code> rather than replacing it, which matters if migrating manifests feels risky or if you're already deep in the Flux ecosystem. Argo Rollouts also supports <a href="https://argo-rollouts.readthedocs.io/en/stable/migrating/#reference-deployment-from-rollout" rel="noopener noreferrer">referencing an existing Deployment</a> without replacing it, similar to how Flagger works.</p> <p>But tradeoff is real. Flagger's surface area is smaller and its GitOps integration with Flux is excellent. Argo Rollouts gives you more granular step control, a dashboard, and the <code>Experiment</code> CRD. Neither is wrong, they reflect different team philosophies. If you're Flux-native, evaluate Flagger first. If you want the full progressive delivery toolkit in one place, you're already in the right article.</p> <h2> When NOT to Use Argo Rollouts </h2> <p>This is the section most blogs skip because it doesn't sell the tool. But every senior engineer respects a writer who gives them the failure modes upfront.</p> <p><strong>Don't use Argo Rollouts for:</strong></p> <ul> <li><p><strong>Infrastructure controllers</strong> — cert-manager, nginx, coredns, sealed-secrets. These aren't application deployments; they're cluster plumbing. A canary of your ingress controller is chaos.</p></li> <li><p><strong>Applications with shared mutable state</strong> — if your app writes to a shared file, a shared queue, or a shared database schema without backward compatibility, running two versions simultaneously will corrupt data.</p></li> <li><p><strong>Worker/queue consumers</strong> — apps that pull from a queue typically can't handle two versions processing the same messages. Argo Rollouts doesn't control queue routing.</p></li> <li><p><strong>Long-lived parallel versions</strong> — Argo Rollouts assumes a brief deployment window (15–60 minutes typically, 1–2 hours max). Running canary for days or weeks before deciding to promote creates operational complexity and rollback ambiguity.</p></li> <li><p><strong>Multi-cluster rollouts</strong> — Argo Rollouts operates within a single cluster. If you need coordinated rollouts across clusters, look at Argo CD ApplicationSets or multi-cluster progressive delivery tools.</p></li> <li><p><strong>Legacy apps that can't run multiple versions concurrently</strong> — some apps hold exclusive locks, bind to fixed ports, or have singleton assumptions. For these, Blue-Green (not canary) is your only option, and even that requires validation.</p></li> </ul> <p>And a note on StatefulSets and DaemonSets: as of Argo Rollouts 1.9, support for these workload types is in active development. Don't try to use <code>kind: Rollout</code> as a drop-in for <code>kind: StatefulSet</code>. NO it won't work for now.</p> <h2> The Bottom Line for Production Deployments </h2> <p>If you're still using <code>kind: Deployment</code> for anything that matters, you're gambling. Not because Kubernetes is bad, it's not. But Deployments were designed for a simpler era. They assume your code is either "ready" or "not ready." Real production systems are more nuanced than that.</p> <p>The four CRDs <code>Rollout</code>, <code>AnalysisTemplate</code>, <code>AnalysisRun</code>, and <code>Experiment</code> aren't just features. They're the difference between "deploy and hope" and actual progressive delivery. Layer in the dashboard for visibility, notifications for observability and header-based routing for controlled canary exposure and you've built a deployment pipeline that can catch problems before your users do.</p> <p>Start with <code>Rollout</code> as a drop-in replacement. Add <code>ClusterAnalysisTemplate</code> when you're ready to automate pass/fail decisions. Use the dashboard during live canaries. Wire up notifications properly — all the triggers, not just abort. And when you're feeling brave, <code>Experiment</code> will change how you think about pre-production testing.</p> <p>One more thing: set <code>pause: {}</code> for your first few production canaries. Get comfortable promoting manually. Understand what "good" looks like in your AnalysisRun output. Then, and only then, remove the manual gate and let the system decide.</p> <p>Future you will thank present you when a canary fails at 2 AM and the right Slack channel gets paged before any person notices.</p> <p>Now you don't need to hurry back after grabbing your tea, go and have an easy sip, let Rollouts handle the prod.</p> <p><em>Working with Kubernetes across multi-cloud setups, one bad deploy at a time. Follow along as I document the stuff they don't put in the docs.</em></p> devops devex kubernetes productivity