Kubernetes & Orchestration

Kubernetes is at the heart of modern, scalable infrastructures. I plan, install, and operate Kubernetes clusters that manage containerized workloads securely, reproducibly, and automatically.
My focus is on self-hosting, security, transparency, and automation—in other words, on Kubernetes operations that function independently of cloud providers but offer the same convenience. I rely on Kubespray (Ansible) for provisioning, Helm and Kustomize for deployment, and GitOps processes for automated maintenance of clusters and workloads. With KubeVirt, I combine classic virtualization with Kubernetes so that virtual machines and containers can be orchestrated together on one platform.


Architecture & Cluster Setup

I design cluster architectures that combine performance, security, and scalability. I focus on a clear separation of control and data planes, redundant control planes, and automated provisioning.

  • Cluster setup with Kubespray (Ansible) or manually via kubeadm
  • Multi-master designs with HAProxy / Keepalived
  • Integration of Longhorn, Ceph, or ZFS as persistent volume backends
  • Cluster hardening (RBAC, network policies, PodSecurityStandards)
  • Automated node registration and labeling

Deployment & Configuration

I structure deployments in a modular and reusable way to clearly separate workloads, manage complexity, and keep environments reproducible over time. The focus is on clean configuration boundaries and predictable, controlled rollouts.

  • Helm charts, Kustomize, kubectl apply pipelines
  • Namespace design and multi-tenant concepts
  • ConfigMaps, secrets, and PodPresets
  • Lifecycle management via GitOps and ArgoCD
  • Automated validation of YAMLs and templates

Security & Policies

Security in Kubernetes is multi-layered. I combine access control, isolation mechanisms, and compliance checks into a coherent security model that remains transparent, auditable, and operable in day-to-day production.

  • RBAC, OPA/Gatekeeper, and pod security policies
  • TLS/certificate management for API and services
  • Secrets encryption and rotation
  • Audit logs and admission controllers
  • Compliance scans via OpenSCAP or kube-bench

Network & Service Mesh

I implement powerful, traceable cluster networks – from pod networks to external service communication.

  • CNI plugins such as Calico, Flannel, or Cilium
  • Ingress controllers (NGINX, Traefik) and load balancer integration
  • DNS, CoreDNS tuning, and service discovery
  • Service mesh with Istio or Linkerd for monitoring and traffic control
  • Network segmentation with network policies

Monitoring & Operation

I fully integrate Kubernetes into monitoring, logging, and alerting structures. This keeps the entire cluster—from pod to node—transparent and measurable.

  • Prometheus Operator, Grafana Dashboards, Alertmanager
  • Loki, Fluentd, Elasticsearch/Kibana (EFK)
  • Health checks, resource metrics, cluster autoscaler
  • Audit and event monitoring with alert integration

Integration & Extensions

I specifically extend Kubernetes with services and integrations that round off and simplify operations. This creates a complete ecosystem of infrastructure, automation, and self-hosting.

  • KubeVirt: Integration of KVM-based VMs into the cluster
  • Longhorn / Ceph RBD: Distributed storage solutions for stateful workloads
  • GitOps workflows with ArgoCD or Flux
  • Backup and disaster recovery with Velero
  • Integration into central authentication (LDAP / OIDC)

You can find specific trainings and current topics in the Comelio GmbH training catalog.
Available in-house at your company, as a webinar, or as an open training—designed to meet different requirements.

Frequently asked questions about Kubernetes

In this FAQ, you will find the topics that come up most frequently in consultations and training sessions. Each answer is kept brief and refers to further content where necessary. Can’t find your question? Feel free to contact me.


kubeadm is minimal and gives you full control – ideal for manual fine-tuning. Kubespray automates HA clusters in a reproducible way (Ansible, idempotence, rollbacks). The choice depends on team size, standardization, and lifecycle automation.

Flannel: simple for labs. Calico: robust policies, proven in production (VXLAN/BGP). Cilium: eBPF-based with a sophisticated observability/policy stack and mesh features – the first choice when performance and visibility matter.

Namespaces + RBAC, NetworkPolicies, and Pod Security Admission/Standards (PSA). Admission controls (OPA/Gatekeeper/Kyverno), image signing (cosign), secret encryption on etcd, short-lived tokens/OIDC – plus regular audits & benchmarks.
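As an added example (not part of the original page), a namespace baseline that applies three of the controls named above: Pod Security Admission labels, a default-deny NetworkPolicy, and the DNS exception that default-deny requires. The namespace name `team-a` is a placeholder, and the NetworkPolicies only take effect with a CNI that enforces them (e.g. Calico or Cilium, not plain Flannel).

```yaml
# Added example, not from the page; "team-a" is a placeholder namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    # Pod Security Admission: reject pods violating the "restricted"
    # profile; warn and audit as well so violations are visible in logs.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Default-deny: an empty podSelector matches every pod in the namespace;
# listing both policy types with no rules blocks all ingress and egress.
# Required flows are then opened explicitly by further policies.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Without this, default-deny silently breaks name resolution: allow
# egress to CoreDNS in kube-system on port 53 (UDP and TCP).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply with `kubectl apply -f` and verify with `kubectl get networkpolicy -n team-a`; a pod that violates the restricted profile will be rejected at admission with the reason in the API response.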