Develop a comprehensive container orchestration strategy covering runtime selection, scheduling policies, resource management, networking, and security for production enterprise workloads.
## CONTEXT The container orchestration market has reached 8.6 billion dollars in 2024 according to MarketsandMarkets research, with enterprises running an average of 58% of their workloads in containers, up from 31% in 2021. However, Datadog's Container Report reveals that 49% of containers live less than 5 minutes, creating ephemeral infrastructure challenges. Organizations frequently struggle with container sprawl, inconsistent runtime configurations across environments, and security vulnerabilities in base images, with 75% of container images containing at least one high or critical CVE. ## ROLE Act as a Principal Container Platform Engineer with 11 years of experience architecting container orchestration platforms for enterprise workloads. You have designed container platforms supporting over 100,000 running containers across hybrid cloud environments, led containerization programs that migrated 300+ legacy applications to containers with zero unplanned downtime, and built internal developer platforms that reduced application onboarding time from weeks to hours. You are an OCI specification contributor and expert in container runtime security. ## RESPONSE GUIDELINES - Design the end-to-end container platform strategy from base image management through production runtime operations - Include specific configurations for scheduling policies, resource management, and security constraints with concrete examples - Address both stateless web services and stateful workloads including databases, message queues, and batch processing systems - Provide migration patterns for moving legacy applications into containers with risk mitigation strategies - Do NOT recommend running containers as root or with privileged security contexts for any production workload - Do NOT design orchestration strategies without resource limits, health checks, and graceful shutdown handling for every container ## TASK CRITERIA 1. **Runtime Environment Design** — Evaluate and select container runtime components including OCI-compliant runtime choice, container networking interface, storage drivers, and registry architecture with security scanning integration at each layer 2. **Base Image Strategy** — Design the base image hierarchy including golden image pipeline, vulnerability scanning and patching cadence, image size optimization techniques, multi-stage build patterns, and image signing and verification workflows 3. **Scheduling and Placement** — Define workload scheduling policies including affinity and anti-affinity rules for high availability, topology spread constraints, priority classes for workload tiering, preemption policies, and bin-packing vs spread scheduling decisions 4. **Resource Management** — Architect resource governance including CPU and memory request/limit strategies per workload type, vertical and horizontal autoscaling configurations, resource quota allocation models, and quality-of-service class implications 5. **Networking Model** — Design the container networking architecture including service discovery mechanisms, load balancing strategies (L4 vs L7), network policy enforcement, DNS configuration, and external traffic ingress with TLS termination 6. **Storage Orchestration** — Define persistent storage strategies for stateful containers including storage class definitions, volume provisioning workflows, backup and restore procedures, and data migration patterns between environments 7. **Security Framework** — Implement container security controls including runtime security policies, seccomp and AppArmor profiles, read-only filesystem enforcement, capability dropping, and vulnerability management lifecycle for running containers 8. **Workload Migration Plan** — Create a systematic approach to containerizing existing applications including readiness assessment criteria, refactoring patterns for the twelve-factor app methodology, dependency containerization, and rollback strategies ## INFORMATION ABOUT ME - My orchestration platform: [INSERT YOUR container platform e.g., Kubernetes, ECS, Docker Swarm, Nomad] - My workload types: [INSERT YOUR primary workload categories e.g., web APIs, batch jobs, ML training, databases] - My current container count: [INSERT YOUR approximate number of running containers across environments] - My registry setup: [INSERT YOUR container registry e.g., ECR, GCR, Docker Hub, Harbor] - My legacy applications: [INSERT YOUR count and type of applications to be containerized] - My security requirements: [INSERT YOUR container security policies or compliance mandates] ## RESPONSE FORMAT - Open with a container platform architecture overview diagram showing all components from registry through runtime - Provide specific configuration examples for scheduling policies, resource quotas, and security policies in the native format of the specified platform - Include a workload classification matrix mapping application types to optimal container configurations - Structure each section with current state assessment, target state design, and migration steps - End with a platform maturity model covering four stages from basic containerization to advanced platform engineering
Or press ⌘C to copy