Deployments cheatsheet.

Minimal Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: nginx:1.27
          ports:
            - containerPort: 80

CRUD

kubectl apply -f deploy.yaml
kubectl get deployments
kubectl get deploy web
kubectl describe deploy web
kubectl delete deploy web

Scale

kubectl scale deploy web --replicas=5
kubectl scale deploy web --replicas=0       # stop
kubectl scale deploy --all --replicas=2 -n myns

Update image

kubectl set image deploy/web web=nginx:1.28
kubectl set image deploy/web web=nginx:1.28 --record    # record cause (flag is deprecated; prefer the change-cause annotation)

Or edit YAML + kubectl apply.

Rollout

kubectl rollout status deploy/web
kubectl rollout history deploy/web
kubectl rollout history deploy/web --revision=3

kubectl rollout pause deploy/web
kubectl rollout resume deploy/web

kubectl rollout restart deploy/web          # rolling restart (new pods)

Rollback

kubectl rollout undo deploy/web
kubectl rollout undo deploy/web --to-revision=2

Strategy

spec:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 25%             # extra pods during update
      maxUnavailable: 25%       # pods allowed missing during update

Or:

spec:
  strategy:
    type: Recreate              # kill all, then create new (downtime)

ReadinessProbe + rolling update

A new pod isn’t sent traffic (and the old pod isn’t killed) until its readiness probe passes:

containers:
  - name: web
    image: web:v2
    readinessProbe:
      httpGet: { path: /health/ready, port: 8000 }
      initialDelaySeconds: 5
      periodSeconds: 5

Essential for zero-downtime.

minReadySeconds

spec:
  minReadySeconds: 30           # pod must be ready for 30s before counted

Reduces chance of flapping.

progressDeadlineSeconds

spec:
  progressDeadlineSeconds: 600  # fail rollout if no progress in 10min

revisionHistoryLimit

spec:
  revisionHistoryLimit: 10      # keep 10 old ReplicaSets for rollback

Default 10. Set to 0 if you don’t need rollback.

Annotations

metadata:
  annotations:
    kubernetes.io/change-cause: "v1.2 release"

Shows in rollout history.

kubectl annotate deploy/web kubernetes.io/change-cause="v1.2 hotfix"

Resources

containers:
  - name: web
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 256Mi

  • requests: minimum guaranteed (used by the scheduler for placement).
  • limits: hard cap (CPU is throttled; exceeding the memory limit gets the container OOM-killed).

Probes

livenessProbe:
  httpGet: { path: /health, port: 8000 }
  initialDelaySeconds: 30
  periodSeconds: 30
readinessProbe:
  httpGet: { path: /health/ready, port: 8000 }
  initialDelaySeconds: 5
  periodSeconds: 5
startupProbe:
  httpGet: { path: /health, port: 8000 }
  failureThreshold: 30
  periodSeconds: 10

  • liveness: restart if failing.
  • readiness: take out of service while failing.
  • startup: protects slow-starting apps (delays liveness checks).

EnvFrom

spec:
  containers:
    - name: web
      envFrom:
        - configMapRef:
            name: web-config
        - secretRef:
            name: web-secrets

Image pull policy

imagePullPolicy: IfNotPresent   # default for tagged images
imagePullPolicy: Always         # default for :latest
imagePullPolicy: Never          # only use local

imagePullSecrets

spec:
  imagePullSecrets:
    - name: ghcr-secret

kubectl create secret docker-registry ghcr-secret \
  --docker-server=ghcr.io \
  --docker-username=USER \
  --docker-password=TOKEN

affinity / anti-affinity

spec:
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            topologyKey: kubernetes.io/hostname
            labelSelector:
              matchLabels: { app: web }

Spread pods across nodes for HA.

tolerations

spec:
  tolerations:
    - key: dedicated
      operator: Equal
      value: gpu
      effect: NoSchedule

Allow scheduling on tainted nodes.

ReplicaSets

ReplicaSets are managed by Deployments. Don’t create directly.

kubectl get rs                    # see the underlying RS

Common mistakes

  • No readinessProbe → traffic to unready pods.
  • :latest tag with IfNotPresent → stale images.
  • Liveness without grace period → kills slow-start apps.
  • Too-aggressive maxUnavailable → outage during rollout.
  • Forgetting imagePullSecrets for private images.
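
Added example (not part of the original cheatsheet): a small Python linter that checks a Deployment, as returned by kubectl get deploy web -o json, for the five mistakes listed above. The sample manifest is constructed; the private_registries parameter and the "more than half the replicas" threshold for maxUnavailable are assumptions of this example.

```python
import json

def lint_deployment(dep, private_registries=("ghcr.io",)):  # hypothetical parameter
    """Check a Deployment dict (e.g. from `kubectl get deploy web -o json`)."""
    spec = dep["spec"]
    pod = spec["template"]["spec"]
    findings = []
    for c in pod.get("containers", []):
        name, image = c["name"], c.get("image", "")
        last = image.rsplit("/", 1)[-1]   # drop registry/path so a registry port is not read as a tag
        pinned = "@" in last              # digest reference: the tag no longer matters
        ref = last.split("@")[0]
        tag = ref.split(":", 1)[1] if ":" in ref else "latest"
        if "readinessProbe" not in c:
            findings.append(f"{name}: no readinessProbe")
        if tag == "latest" and not pinned and c.get("imagePullPolicy") == "IfNotPresent":
            findings.append(f"{name}: :latest with IfNotPresent")
        live = c.get("livenessProbe")
        if live and "startupProbe" not in c and not live.get("initialDelaySeconds"):
            findings.append(f"{name}: liveness without grace period")
        # Heuristic only: pull secrets can also be attached to the ServiceAccount.
        if image.split("/")[0] in private_registries and not pod.get("imagePullSecrets"):
            findings.append(f"{name}: private registry without imagePullSecrets")
    strategy = spec.get("strategy", {})
    if strategy.get("type", "RollingUpdate") == "RollingUpdate":
        replicas = spec.get("replicas", 1)
        mu = strategy.get("rollingUpdate", {}).get("maxUnavailable", "25%")
        # Kubernetes rounds a maxUnavailable percentage down.
        absent = replicas * int(mu[:-1]) // 100 if isinstance(mu, str) else int(mu)
        if absent * 2 > replicas:         # assumed threshold: more than half the replicas
            findings.append(f"rollout: maxUnavailable={mu} allows {absent}/{replicas} pods down")
    return findings

# Constructed sample manifest, not taken from a real cluster.
SAMPLE = json.loads("""
{"spec": {"replicas": 4,
  "strategy": {"type": "RollingUpdate", "rollingUpdate": {"maxUnavailable": "75%"}},
  "template": {"spec": {"containers": [
    {"name": "web", "image": "ghcr.io/example/web:latest",
     "imagePullPolicy": "IfNotPresent",
     "livenessProbe": {"httpGet": {"path": "/health", "port": 8000}}},
    {"name": "proxy", "image": "nginx:1.27",
     "readinessProbe": {"httpGet": {"path": "/", "port": 80}}}]}}}}
""")

if __name__ == "__main__":
    for finding in lint_deployment(SAMPLE):
        print(finding)
```

An empty result means none of the five checks fired; it does not prove the rollout is safe.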

Read this next

If you want my Deployment templates, they’re at rajpoot.dev.