llama.cpp’s inference server ships a /metrics endpoint. One flag, Prometheus scraping, a Grafana dashboard loaded via ConfigMap sidecar — AI observability without a proxy layer.
A CPU-only self-hosted LLM stack running on k3s: llama.cpp as the inference server, Open WebUI as the chat interface, deployed as a single Git push.
Rebooting a misbehaving node feels productive. It isn’t. You’re erasing your evidence and skipping the lesson.
Kubernetes rolling updates don’t give you zero-downtime for free. There are four separate things you have to get right, and most clusters get at least one wrong.
Manual kubectl in production is the Kubernetes equivalent of SSH’ing into a server and editing files. It works until it doesn’t, and when it doesn’t, nobody knows why.
Default Kubernetes is a flat network. Every pod can reach every other pod. In a cluster with ten services, that’s ten potential blast radiuses instead of one.
A common interview question in 2026. If your answer is ‘kubeconfig in a CI secret’, you’re not wrong — but you’re also not getting the job.
GitOps says Git is the source of truth. Secrets say don’t put them in Git. These two things appear to be in direct conflict. They’re not.
No open ports. Real TLS at home. One IngressRoute per app. This is the networking setup I landed on after ruling out everything that required a compromise.
I wanted to learn production-grade Kubernetes patterns without breaking production. One node, a full GitOps stack, and a hard rule: no manual kubectl after bootstrap.