Hell Is Other People's Deployments

Or things I fear in k8s operators and helm charts

I’ve spent a lot more time going over other people’s deployments in kubernetes recently, and I’m developing a set of prejudices.

Custom docker images

For lots of popular server software, like Redis, there is an official build supported by both Redis the upstream and Docker Inc with a special, privileged spot in the namespace.

For others, the primary corporate sponsor will have an official image. So if the chart needs a special rebuild - presumably also six months out of date and lighting up all the CVE scanners like a Christmas tree - that’s a minor demerit. Use an init container like everyone else.

CRDs that are literally just a statefulset with a fancy name

I don’t know- what’s the point?

Weird TLS support

Configuring TLS should look more or less like configuring TLS on an ingress resource. Weirder structures with different names mean that probably everything is going to get weird fast.

Bad string handling

If I pass a password with special characters and it breaks everything because the gubbins are doing ad-hoc YAML generation in a series of nested bash scripts, there’s probably a long tail of other dumb, sloppy language-security things I’m going to have to start worrying about, and maybe I should bail early.
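As an added illustration (not from the post, and in Python rather than the chart's bash), here is the ad-hoc templating pattern next to a quoted rendering, plus a check for the characters and words that silently change the meaning of an unquoted YAML scalar. The function names and the sample password are assumptions for the example.

```python
import json
import re

# Patterns that change the meaning of an unquoted (plain) YAML scalar.
_BARE_UNSAFE = re.compile(
    r"""^[-?:,\[\]{}#&*!|>'"%@`]"""   # leading indicator characters
    r"|: |:$| #|[\r\n\t]"             # key/value separator, comment, controls
    r"|^\s|\s$"                       # surrounding whitespace is trimmed away
)
# Plain scalars that a YAML 1.1 loader turns into booleans or null.
_BARE_RESERVED = {"true", "false", "yes", "no", "on", "off", "null", "~", ""}


def is_unsafe_bare(value: str) -> bool:
    """True if emitting `value` unquoted into YAML would not round-trip as
    the same string (mapping/comment syntax, bool/null words, numbers)."""
    if value.lower() in _BARE_RESERVED:
        return True
    if _BARE_UNSAFE.search(value):
        return True
    # Numeric-looking strings become ints/floats (a password like "0123").
    return re.fullmatch(r"[-+]?\d[\d_.]*", value) is not None


def render_ad_hoc(password: str) -> str:
    """The pattern the post complains about: a heredoc-style template that
    pastes the secret straight into YAML. A value such as 'p@ss: word #1'
    turns into a nested mapping plus a comment; 'yes' becomes a boolean."""
    return f"auth:\n  password: {password}\n"


def render_quoted(password: str) -> str:
    """Same document, with the value emitted as a YAML double-quoted scalar.
    A JSON string literal is valid YAML, so json.dumps gives correct escaping
    of quotes, backslashes and control characters without a YAML library."""
    return f"auth:\n  password: {json.dumps(password)}\n"


if __name__ == "__main__":
    for pw in ["p@ss: word #1", "yes", "0123", "correct-horse"]:   # constructed
        print(repr(pw), "unsafe bare:", is_unsafe_bare(pw))
        print(render_ad_hoc(pw), render_quoted(pw), sep="")
```

The same check can be run over a values file before it is fed to a chart, which catches the problem earlier than a broken pod on first rollout.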

Requiring me to directly manage the entire config file of a product from deployment

Listen, I realize I’m spoiled here, but if you’re going to abstract something, abstract it.


There are a few operators that are amazing magical things.

Also most of them are less than a quarter finished, have no integration tests, and provide no real value over a Deployment or a Statefulset outside of the “yeet example YAML into a running service” use case. In fact, they have negative value, as they have fun sharp edges where they break things.