GH GambleHub

Containerization and orchestration

1) Why containers and k8s in iGaming

Rate of change: predictable images, a single CI/CD pipeline.
Stability: auto-restarts, horizontal scale, self-healing.
Data/region isolation: namespaces/clusters per jurisdiction.
Operational standards: resource policies, unified logs/metrics/traces.

When it is not needed: a small team, 2-3 services, rare releases - start with PaaS/modular monolith.

2) Images and registries (OCI/Docker)

2.1 Image assembly - principles

Multi-stage: build → runtime (thin base images: `distroless`, or `alpine` with caution).
Repeatability: pin versions/sha256 digests, `COPY --chown`, `--mount=type=cache` in BuildKit.
SBOM and signature: `cosign sign/verify`, SLSA provenance, a "signed only" admission policy.
Slim-down: remove dev tools, run as `USER nonroot`, set `readOnlyRootFilesystem`.

Example Dockerfile (Node.js)

```dockerfile
# build stage
FROM node:22-bookworm AS build
WORKDIR /app
COPY package.json package-lock.json ./
# install everything (build tooling usually lives in devDependencies), prune below
RUN npm ci
COPY . .
RUN npm run build
# keep only production dependencies for the runtime stage
RUN npm prune --omit=dev

# runtime stage (distroless: no shell, no package manager)
FROM gcr.io/distroless/nodejs22-debian12
WORKDIR /srv
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
USER 10001
ENV NODE_ENV=production
CMD ["dist/server.js"]
```

2.2 Registries and policies

Private registry + geo-replicas (EU/NA) to reduce latency and for GDPR compliance.
Retention/immutability: prevent overwriting of tags, warm up the cache in each PoP.
Admission control: only signed and scanned images (cosign + Trivy/Grype).

3) Orchestration: basic Kubernetes patterns

3.1 Primitives

Deployment - stateless services (lobby, API).
StatefulSet - wallet/queues/storage (fixed name, stable volumes).
DaemonSet - log agents/network components.
Job/CronJob - migrations, reports, ETL.

3.2 Resources and QoS

Specify `requests/limits` (CPU/memory) → QoS classes and predictable scheduling.
Burstable only where it is a deliberate choice; critical workloads - Guaranteed.
Place critical payment pods on dedicated pools (taints/tolerations, node affinity).

3.3 Resilience and releases

Probes: `startup`, `liveness`, `readiness` (with timeouts and periods).
Rollout: `maxSurge/maxUnavailable`, canary via weights in Ingress/Gateway/Service Mesh.
PDB (PodDisruptionBudget) + graceful shutdown (PreStop hook, `terminationGracePeriodSeconds`).
Drain/cordon nodes for upgrades.
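Added example (not from the original page) that puts these pieces together in one Deployment: three distinct probes, a preStop pause and a grace period long enough to drain in-flight requests. The name, image and timings are constructed.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: lobby-api                       # constructed name
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate: { maxSurge: 1, maxUnavailable: 0 }   # never go below desired capacity
  selector:
    matchLabels: { app: lobby }
  template:
    metadata:
      labels: { app: lobby }
    spec:
      # time between SIGTERM and SIGKILL; must cover preStop + draining of in-flight requests
      terminationGracePeriodSeconds: 45
      containers:
        - name: api
          image: registry.example/lobby/api@sha256:<digest>   # placeholder, pin by digest
          ports: [{ containerPort: 8080 }]
          # startup: holds liveness off until the app has booted, so a slow warm-up is not "dead"
          startupProbe:
            httpGet: { path: /healthz, port: 8080 }
            periodSeconds: 5
            failureThreshold: 24          # up to 120 s to come up
          # liveness: "is the process wedged?" -> restart the container
          livenessProbe:
            httpGet: { path: /healthz, port: 8080 }
            periodSeconds: 10
            timeoutSeconds: 2
            failureThreshold: 3
          # readiness: "can it serve right now?" -> only removes the pod from Service endpoints
          readinessProbe:
            httpGet: { path: /readyz, port: 8080 }
            periodSeconds: 5
            timeoutSeconds: 2
            failureThreshold: 2
          lifecycle:
            preStop:
              # wait for endpoint/LB updates to propagate before SIGTERM closes the listener;
              # the sleep action needs Kubernetes 1.30+ (on older clusters use exec + sleep,
              # which requires a shell in the image and so does not work with distroless)
              sleep:
                seconds: 8
```

The application itself must still stop accepting new connections on SIGTERM and finish in-flight work within the grace period; the manifest only buys it the time.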

4) Network: CNI, services, ingress traffic

4.1 CNI layer

Calico/Cilium/Weave - NetworkPolicy, eBPF for performance.
Inter-namespace rules: the minimum required egress/ingress.
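Added example (not from the page) of the "minimum required egress/ingress" rule for the wallet-api pods: default-deny for the namespace, then allow only the gateway in and DNS plus the wallet database out. The namespace and `app` labels are assumptions; `kubernetes.io/metadata.name` and `k8s-app: kube-dns` are the standard Kubernetes/CoreDNS labels.

```yaml
# 1) default deny for everything in the payments namespace (constructed names)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# 2) wallet-api: accept only the L7 gateway; talk only to DNS and the wallet database
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: wallet-api-minimal
  namespace: payments
spec:
  podSelector:
    matchLabels: { app: wallet }
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels: { kubernetes.io/metadata.name: gateway-system }   # assumed gateway namespace
      ports:
        - { protocol: TCP, port: 8080 }
  egress:
    # DNS (CoreDNS in kube-system)
    - to:
        - namespaceSelector:
            matchLabels: { kubernetes.io/metadata.name: kube-system }
          podSelector:
            matchLabels: { k8s-app: kube-dns }
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
    # wallet database (StatefulSet in the same namespace, assumed label/port)
    - to:
        - podSelector:
            matchLabels: { app: wallet-db }
      ports:
        - { protocol: TCP, port: 5432 }
```

With a service mesh in place, the sidecar's control-plane and mTLS ports also have to be allowed, otherwise the default-deny policy silently breaks the mesh.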

4.2 Services and ingress

Service: `ClusterIP/NodePort/LoadBalancer`.
Ingress or Gateway API for L7: path/header/host routes, TLS, canary weights.
mTLS within the cluster: via service mesh (Istio/Linkerd) - TLS termination/interception and traffic policies.

HTTPRoute example (Gateway API, canary weights)

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: lobby
spec:
  parentRefs:
    - name: public-gateway   # the Gateway this route attaches to (placeholder name)
  rules:
    - backendRefs:
        - name: lobby-v1
          weight: 90
          port: 8080
        - name: lobby-v2
          weight: 10
          port: 8080
```

5) Storage: CSI/PV/PVC, volume classes

Cloud-provider CSI drivers (EBS/PD/Premium SSD) + `StorageClass` with performance parameters.
RWX for sharing (NFS/FSx/Filestore) - careful with locks.
Backup/restore: Velero/Kasten, periodic snapshots, restore checks.
Disk-level and database-level (KMS) encryption.

6) Auto-scaling: HPA/VPA/KEDA

HPA (by CPU/RAM/custom metrics - RPS, p95): for API/lobby.
VPA (recommendations/auto) - for stable workers.
KEDA (event-driven) - scale by Kafka/SQS/Redis queues, cron schedules.
Cluster Autoscaler - adds/removes nodes; warm pools for peaks (tournaments/streams).

7) Service-mesh (if necessary)

mTLS / service↔service policies, identity-based authorization (SPIFFE).
Circuit-breaker/timeout/retry, outlier ejection, shadow traffic.
Telemetry out of the box: uniform metrics and traces.
Use where fine-grained traffic management is needed (payments, game providers).

8) Security: secrets, policies, compliance

Secrets: external manager (AWS/GCP/Azure KMS, External Secrets), rotation.
Policy-as-code: OPA/Gatekeeper/Kyverno - deny `:latest`, root `USER`, `hostPath`, privileged containers.
Privilege boundaries: Namespaces + RBAC, Dev/Stage/Prod split, audit.
Image security: scan in CI/CD, signing (cosign), admission by signature.
mTLS and JWT inside (mesh), WAF/rate-limit at the edge (Ingress/Gateway).
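Added example (not from the page) of the four denials above expressed as one Kyverno ClusterPolicy; the policy name is constructed. Kyverno auto-generates matching rules for Deployments, StatefulSets, Jobs and CronJobs from the Pod match.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: igaming-baseline                # constructed name
spec:
  # roll out as Audit first to measure violations, then switch to Enforce
  validationFailureAction: Enforce
  background: true
  rules:
    # 1) every container image must carry a tag or digest (an untagged image means :latest)
    - name: require-image-tag
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      validate:
        message: "Images must be pinned by tag or @sha256 digest."
        pattern:
          spec:
            containers:
              - image: "*:*"
    # 2) ... and that tag may not be :latest (digest-pinned images pass)
    - name: disallow-latest-tag
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      validate:
        message: "The ':latest' tag is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
    # 3) no root user, no privileged containers
    - name: require-nonroot-unprivileged
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      validate:
        message: "Containers must set runAsNonRoot: true and must not be privileged."
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true
                  =(privileged): "false"
    # 4) no hostPath volumes
    - name: disallow-hostpath
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      validate:
        message: "hostPath volumes are not allowed."
        pattern:
          spec:
            =(volumes):
              - X(hostPath): "null"
```

Rule 3 requires `runAsNonRoot` on each container rather than at pod level; relax it to an `anyPattern` if your charts set it on the pod `securityContext`.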

9) Observability and SLO

Metrics: Prometheus/OpenTelemetry, p50/95/99, 4xx/5xx, saturation.
Logs: structured JSON → Loki/Elastic, PII/PAN/IBAN masking.
Traces: OTLP → Tempo/Jaeger; `trace_id` originates at the gateway.
SLO: e.g. "Deposit p95 ≤ 300 ms, success ≥ 98.5%", burn-rate alerts.
Proactivity: per-service/per-route dashboards, DLQ watchdog and queue-lag monitoring.

10) CI/CD, Helm, GitOps

CI: linters, tests (unit/contract/integration), SAST/DAST, SBOM.
Helm/Jsonnet/Kustomize: declarative charts with per-environment `values.yaml`.
GitOps (ArgoCD/Flux): single source of truth, PR review of manifests, one-click rollback.
Strategies: blue-green, canary, shadow; schema migrations - expand-and-contract.

values.yaml fragment (resources/probes)

```yaml
resources:
  requests: { cpu: "200m", memory: "256Mi" }
  limits:   { cpu: "500m", memory: "512Mi" }
livenessProbe:
  httpGet: { path: /healthz, port: 8080 }
  initialDelaySeconds: 20
  periodSeconds: 10
readinessProbe:
  httpGet: { path: /readyz, port: 8080 }
  initialDelaySeconds: 5
  periodSeconds: 5
```

11) Planning and isolation

NodePools: separate payments/wallet onto "low-noise" nodes with fast disks.
Taints/Tolerations: protected pools for critical workloads.
(Anti-)Affinity: spread replicas across zones/nodes (HA).

ResourceQuota/LimitRange per namespace - protection against "noisy neighbors".

12) Multicluster, multi-region, DR

Split by jurisdiction: EU/LatAm/ROW clusters; resident data stays local.
GSLB/Anycast ingress, per-class observability and alerts.

DR levels:
  • Warm standby (recommended): replica of critical databases, periodic failover checks.
  • Active-active for reads/regional routing.
  • Backups (Velero) with rehearsed restores.

13) iGaming specificity

Payments/wallet: p95 ≤ 300-500 ms, dedicated pools and strict PDB; canary 1→5→10%.
Lobby/content: aggressive HPA by RPS/INP, pre-warmed images/cache.
Live games/streams: LC balancing/minimum retries, long socket timeouts, sticky connections.
Compliance: namespaces with strict policies, secrets through KMS, audit of changes to Helm releases.
Responsible gaming: limit/blocking service - priority traffic (fail-open/fail-close by policy).

14) Checklists

Before rolling out a service

  • Multi-stage image, `USER nonroot`, cosign signature, scan passed.
  • Requests/limits, probes, env/secrets from an external manager.
  • PDB, `maxUnavailable ≤ 1`, graceful shutdown.
  • SLO/alerts, tracing from gateway to DB.
  • Canary pattern and rollback plan.
  • OPA/Kyverno policies pass (no root, no hostPath, no `:latest`).

Cluster/Platform

  • CNI and NetworkPolicy enabled; mTLS (mesh) where necessary.
  • StorageClass/retention, backup/restore checked.
  • HPA/VPA/KEDA configured; Cluster Autoscaler and warm pool.
  • RBAC is minimal, auditing is enabled, secrets come from KMS.
  • GitOps: charts/manifests in the repository, PR review required.

15) Anti-patterns

`:latest` images, root user, thick base layers.
No `requests/limits` → evictions/throttling.
Readiness = liveness.
Mixing stateful/stateless on the same pool without taints.
Schema migrations done "head-on" without expand-and-contract.
A single cluster "for all markets" without regional isolation.
Logs with PII/PAN, secrets in ConfigMap.
Lack of PDB/drain → outages at peaks and during upgrades.

16) Platform metrics (minimum)

Cluster: CPU/mem requests vs allocatable, pod churn, node pressure.
Network: p95 per route, 4xx/5xx, reset/timeout, retry rate, mTLS errors.
Storage: IOPS/latency, queue depth, CSI errors.
Autoscale: HPA decisions, CA events, warm-up time.
Business: TTP, TtW, FTD success, payment declines per provider.
Security: OPA violations, unsigned images, expired secrets.

17) Example manifests

Deployment (API, canary label)

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wallet-api
  labels: { app: wallet, track: stable }
spec:
  replicas: 4
  strategy:
    type: RollingUpdate
    rollingUpdate: { maxSurge: 1, maxUnavailable: 1 }
  selector:
    matchLabels: { app: wallet, track: stable }
  template:
    metadata:
      labels: { app: wallet, track: stable }
    spec:
      serviceAccountName: wallet-sa
      containers:
        - name: api
          image: registry.local/wallet/api@sha256:...
          ports: [{ containerPort: 8080 }]
          resources:
            requests: { cpu: "250m", memory: "256Mi" }
            limits:   { cpu: "500m", memory: "512Mi" }
          readinessProbe:
            httpGet: { path: /readyz, port: 8080 }
            periodSeconds: 5
          livenessProbe:
            httpGet: { path: /healthz, port: 8080 }
            initialDelaySeconds: 20
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
```

PDB (wallet)

```yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: wallet
spec:
  minAvailable: 3
  selector:
    matchLabels: { app: wallet }
```

HPA (by RPS via custom metrics)

```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: wallet-api
spec:
  scaleTargetRef:            # target assumed to be the wallet-api Deployment above
    apiVersion: apps/v1
    kind: Deployment
    name: wallet-api
  minReplicas: 4
  maxReplicas: 40
  metrics:
    - type: Pods
      pods:
        metric:
          name: http_requests_per_second
        target:
          type: AverageValue
          averageValue: "50"
```

18) Implementation process (by sprints)

1. Image build and security: multi-stage, SBOM, signatures, admission policy.
2. Base k8s platform: CNI, Ingress/Gateway, monitoring/logs/traces, StorageClass.
3. CI/CD and GitOps: Helm charts, environments, canary/rollback, schema migrations.
4. Scale and resilience: HPA/VPA/KEDA, PDB, node pools, taints/affinity, DR plan.

Final cheat sheet

Thin, signed images + admission policy = security foundation.
Probes, resources, PDB, drain = release robustness.
HPA/VPA/KEDA + tuned pools = scale without drawdowns.
Gateway/Ingress + mTLS/OPA = secure perimeter and internal communication.
Observability + SLO + GitOps = managed changes.
Regional isolation and DR = compliance and fault tolerance.
