Production-grade Kubernetes migration and deployment platform for Google Kubernetes Engine β private clusters, Workload Identity, zero-trust networking, and fully automated CI/CD.
π Live Demo Β· βοΈ CI/CD Pipeline Β· π¦ Release v1.0.0
graph TD
A[Google Cloud Platform] --> B[GKE Regional Cluster]
B --> C[NGINX Ingress Controller]
C --> D[Cloud Load Balancer]
D --> E[Deployments]
D --> F[StatefulSets]
E --> G[Application Pods]
F --> I[Database Pods]
B --> K[Persistent Volumes]
K --> L[GCE Persistent Disks]
B --> M[Google Managed Prometheus]
B --> N[Fluent Bit to Cloud Logging]
B --> O[Calico Network Policies]
A --> P[Cloud SQL]
A --> Q[Cloud Storage]
A --> R[Cloud NAT]
| Feature | This Repo | Typical Portfolio Repos |
|---|---|---|
| Private GKE cluster + Cloud NAT | β | β usually public |
| Workload Identity (no key files) | β | β usually SA keys |
| Binary Authorization | β | β rarely implemented |
| Separate system + app node pools | β | β single pool |
| tfsec security scanning in CI | β | β |
| Google Managed Prometheus | β | β self-managed |
| Default-deny NetworkPolicy | β | β |
| Live demo with Vercel | β | β |
| Surge upgrades (zero max-unavailable) | β | β |
| Dependabot auto-updates | β | β |
| Category | Capability | Status |
|---|---|---|
| Infrastructure | Private GKE cluster, regional, multi-zone | β |
| Security | Workload Identity, Shielded Nodes, Binary Auth | β |
| Networking | VPC-native, Cloud NAT, Calico zero-trust | β |
| Node Pools | System + App pools, autoscaling, surge upgrades | β |
| Packaging | Helm chart, namespaces, quotas, network policies | β |
| Monitoring | Google Managed Prometheus, 8 alert rules | β |
| Logging | Fluent Bit to Cloud Logging | β |
| RBAC | Least-privilege roles with bindings | β |
| CI/CD | fmt β validate β tfsec β preview β production | β |
| Migration | Export/import scripts, rollback plan | β |
| Dependencies | Dependabot weekly auto-updates | β |
kubernetes-gke-migration/
βββ terraform/ # IaC β VPC, GKE, IAM, node pools
β βββ main.tf # Cluster, networking, node pools, IAM
β βββ variables.tf # Typed variables with validation
β βββ outputs.tf # Cluster endpoint, SA, WI pool
β βββ terraform.tfvars.example
βββ helm/gke-platform/ # Platform Helm chart
β βββ Chart.yaml
β βββ values.yaml # Default values
β βββ values-prod.yaml # Production overrides
β βββ templates/ # Namespaces, quotas, policies
βββ k8s/base/ # HPA, PDB, NetworkPolicy, ResourceQuota
βββ monitoring/prometheus/ # Scrape configs + 8 alert rules
βββ logging/ # Fluent Bit ConfigMap
βββ security/ # RBAC roles + bindings, LimitRange
βββ examples/sample-app/ # Production-ready deployment template
βββ scripts/ # health-check, backup, migrate, scale
βββ tests/ # Validation script
βββ docs/ # Architecture, Setup, Migration, Security
βββ .github/
β βββ workflows/terraform.yml # CI/CD pipeline
β βββ dependabot.yml # Automated dependency updates
β βββ PULL_REQUEST_TEMPLATE.md
βββ CONTRIBUTING.md
βββ CHANGELOG.md
# 1. Clone
git clone https://github.com/NyoikePaul/kubernetes-gke-migration
cd kubernetes-gke-migration
# 2. Configure
cd terraform
cp terraform.tfvars.example terraform.tfvars
# Edit: set project_id and master_authorized_networks
# 3. Deploy infrastructure (~15 min)
terraform init
terraform plan -var-file=terraform.tfvars
terraform apply -var-file=terraform.tfvars
# 4. Connect
gcloud container clusters get-credentials gke-platform \
--region us-central1 --project YOUR-PROJECT-ID
# 5. Deploy platform
helm install gke-platform ./helm/gke-platform \
--namespace production --create-namespace \
--values helm/gke-platform/values-prod.yaml
# 6. Apply manifests + security
kubectl apply -f k8s/base/
kubectl apply -f security/
# 7. Validate
make validate # or: bash tests/validate-manifests.shPush to main
β
βΌ
ββββββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββ
β Validate ββββΆβ tfsec Scan ββββΆβ Preview ββββΆβ Production β
β fmt+check β β security β βenvironment β βenvironment β
ββββββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββ
~9s ~12s ~12s ~12s
Auth via Workload Identity Federation β zero long-lived GCP credentials stored in GitHub.
| Control | Implementation | CIS Benchmark |
|---|---|---|
| Private nodes | No public IPs, egress via Cloud NAT | CIS 6.6.1 |
| Workload Identity | Pods authenticate without key files | CIS 6.2.1 |
| Shielded nodes | Secure boot + vTPM integrity | CIS 6.5.4 |
| Binary Authorization | Blocks unverified images | CIS 7.3 |
| Network policies | Default-deny, Calico | CIS 6.6.7 |
| Least-privilege SA | 5 minimum roles only | CIS 6.2.2 |
| Metadata hardening | Legacy endpoints disabled | CIS 6.4.1 |
| API server access | Master Authorized Networks | CIS 6.6.2 |
make health # Cluster health check
make backup # Backup production namespace
make validate # Validate all manifests
bash scripts/migrate.sh source-ctx target-ctx
bash scripts/scale-cluster.sh 5 app-pool us-central1| Doc | Description |
|---|---|
| ARCHITECTURE.md | System design and network topology |
| SETUP.md | Prerequisites and cluster setup |
| MIGRATION.md | Step-by-step migration runbook |
| SECURITY.md | Security controls and CIS benchmark mapping |
| MONITORING.md | Observability stack and alert tuning |
| CONTRIBUTING.md | How to contribute |
| CHANGELOG.md | Version history |
Paul Nyoike Β· GitHub Β· Portfolio
MIT β see LICENSE
βΈοΈ Enterprise Kubernetes. Cloud Native. Production Ready.