<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Citadel Cloud Management</title>
    <description>The latest articles on DEV Community by Citadel Cloud Management (@citadel_cloudmanagement_).</description>
    <link>https://dev.to/citadel_cloudmanagement_</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3886536%2F3de4898c-d155-4468-a139-59d2ec084f6b.jpg</url>
      <title>DEV Community: Citadel Cloud Management</title>
      <link>https://dev.to/citadel_cloudmanagement_</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/citadel_cloudmanagement_"/>
    <language>en</language>
    <item>
      <title>Docker Multi-Stage Build Patterns That Cut My Image Sizes by 80%</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Thu, 09 Jul 2026 16:05:32 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/docker-multi-stage-build-patterns-that-cut-my-image-sizes-by-80-335m</link>
      <guid>https://dev.to/citadel_cloudmanagement_/docker-multi-stage-build-patterns-that-cut-my-image-sizes-by-80-335m</guid>
      <description>&lt;p&gt;Every Docker image I inherited was over 1GB. After switching to multi-stage builds, the average dropped to 150MB. Here are the exact patterns I use.&lt;/p&gt;

&lt;h2&gt;
  
  
  Pattern 1: Builder and Runtime Separation
&lt;/h2&gt;

&lt;p&gt;The most common pattern. Build dependencies stay in the builder stage; only the compiled output copies to the runtime stage.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight docker"&gt;&lt;code&gt;&lt;span class="c"&gt;# Stage 1: Build&lt;/span&gt;
&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;node:20-alpine&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;builder&lt;/span&gt;
&lt;span class="k"&gt;WORKDIR&lt;/span&gt;&lt;span class="s"&gt; /app&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; package*.json ./&lt;/span&gt;
&lt;span class="k"&gt;RUN &lt;/span&gt;npm ci &lt;span class="nt"&gt;--production&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nb"&gt;false&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; . .&lt;/span&gt;
&lt;span class="k"&gt;RUN &lt;/span&gt;npm run build

&lt;span class="c"&gt;# Stage 2: Runtime&lt;/span&gt;
&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;node:20-alpine&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;runtime&lt;/span&gt;
&lt;span class="k"&gt;WORKDIR&lt;/span&gt;&lt;span class="s"&gt; /app&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; --from=builder /app/dist ./dist&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; --from=builder /app/node_modules ./node_modules&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; package*.json ./&lt;/span&gt;
&lt;span class="k"&gt;EXPOSE&lt;/span&gt;&lt;span class="s"&gt; 3000&lt;/span&gt;
&lt;span class="k"&gt;CMD&lt;/span&gt;&lt;span class="s"&gt; ["node", "dist/main.js"]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Result: build stage has TypeScript compiler, test frameworks, dev dependencies. Runtime has only production code.&lt;/p&gt;

&lt;h2&gt;
  
  
  Pattern 2: Distroless for Compiled Languages
&lt;/h2&gt;

&lt;p&gt;For Go, Rust, or any language that produces a static binary:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight docker"&gt;&lt;code&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;golang:1.22-alpine&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;builder&lt;/span&gt;
&lt;span class="k"&gt;WORKDIR&lt;/span&gt;&lt;span class="s"&gt; /app&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; go.* ./&lt;/span&gt;
&lt;span class="k"&gt;RUN &lt;/span&gt;go mod download
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; . .&lt;/span&gt;
&lt;span class="k"&gt;RUN &lt;/span&gt;&lt;span class="nv"&gt;CGO_ENABLED&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;0 &lt;span class="nv"&gt;GOOS&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;linux go build &lt;span class="nt"&gt;-ldflags&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s1"&gt;'-s -w'&lt;/span&gt; &lt;span class="nt"&gt;-o&lt;/span&gt; /server ./cmd/server

&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="s"&gt; gcr.io/distroless/static-debian12:nonroot&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; --from=builder /server /server&lt;/span&gt;
&lt;span class="k"&gt;EXPOSE&lt;/span&gt;&lt;span class="s"&gt; 8080&lt;/span&gt;
&lt;span class="k"&gt;ENTRYPOINT&lt;/span&gt;&lt;span class="s"&gt; ["/server"]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Distroless images have no shell, no package manager, no OS utilities. Attack surface drops to near zero. Image size: ~15MB.&lt;/p&gt;

&lt;h2&gt;
  
  
  Pattern 3: Python with Virtual Environment Copy
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight docker"&gt;&lt;code&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;python:3.12-slim&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;builder&lt;/span&gt;
&lt;span class="k"&gt;WORKDIR&lt;/span&gt;&lt;span class="s"&gt; /app&lt;/span&gt;
&lt;span class="k"&gt;RUN &lt;/span&gt;python &lt;span class="nt"&gt;-m&lt;/span&gt; venv /opt/venv
&lt;span class="k"&gt;ENV&lt;/span&gt;&lt;span class="s"&gt; PATH="/opt/venv/bin:$PATH"&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; requirements.txt .&lt;/span&gt;
&lt;span class="k"&gt;RUN &lt;/span&gt;pip &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="nt"&gt;--no-cache-dir&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; requirements.txt

&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;python:3.12-slim&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;runtime&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; --from=builder /opt/venv /opt/venv&lt;/span&gt;
&lt;span class="k"&gt;ENV&lt;/span&gt;&lt;span class="s"&gt; PATH="/opt/venv/bin:$PATH"&lt;/span&gt;
&lt;span class="k"&gt;WORKDIR&lt;/span&gt;&lt;span class="s"&gt; /app&lt;/span&gt;
&lt;span class="k"&gt;COPY&lt;/span&gt;&lt;span class="s"&gt; . .&lt;/span&gt;
&lt;span class="k"&gt;EXPOSE&lt;/span&gt;&lt;span class="s"&gt; 8000&lt;/span&gt;
&lt;span class="k"&gt;CMD&lt;/span&gt;&lt;span class="s"&gt; ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Copying the entire venv avoids reinstalling packages in the runtime stage.&lt;/p&gt;

&lt;h2&gt;
  
  
  Size Comparison
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Approach&lt;/th&gt;
&lt;th&gt;Image Size&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;python:3.12&lt;/code&gt; (no multi-stage)&lt;/td&gt;
&lt;td&gt;1.2 GB&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;python:3.12-slim&lt;/code&gt; (no multi-stage)&lt;/td&gt;
&lt;td&gt;450 MB&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Multi-stage with slim + venv copy&lt;/td&gt;
&lt;td&gt;180 MB&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Go + distroless&lt;/td&gt;
&lt;td&gt;15 MB&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Common Mistakes
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Copying everything in one COPY instruction.&lt;/strong&gt; Each COPY creates a layer. Copy dependency files first, install, then copy source. This maximizes layer caching.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Not using &lt;code&gt;.dockerignore&lt;/code&gt;.&lt;/strong&gt; Without it, you copy &lt;code&gt;node_modules/&lt;/code&gt;, &lt;code&gt;.git/&lt;/code&gt;, and test fixtures into the build context.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Running as root.&lt;/strong&gt; Add &lt;code&gt;USER nonroot&lt;/code&gt; or &lt;code&gt;USER 1000&lt;/code&gt; in the runtime stage.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Full Docker guide: &lt;a href="https://www.citadelcloudmanagement.com/blogs/news/docker-vs-kubernetes-when-to-use-each-2026" rel="noopener noreferrer"&gt;Docker vs Kubernetes&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Implementing mTLS Across Multi-Cloud Services with SPIFFE/SPIRE</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Thu, 09 Jul 2026 16:04:28 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/implementing-mtls-across-multi-cloud-services-with-spiffespire-14gh</link>
      <guid>https://dev.to/citadel_cloudmanagement_/implementing-mtls-across-multi-cloud-services-with-spiffespire-14gh</guid>
      <description>&lt;p&gt;One of the core zero trust principles is "never trust, always verify" -- and that includes service-to-service communication. Here is how I implemented mTLS across AWS, Azure, and GCP using SPIFFE and SPIRE.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Not Just Use a Service Mesh?
&lt;/h2&gt;

&lt;p&gt;Service meshes (Istio, Linkerd) handle mTLS beautifully within a single Kubernetes cluster. The problem starts when you need mTLS between:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Services in Kubernetes and services on EC2 instances&lt;/li&gt;
&lt;li&gt;Services across different cloud providers&lt;/li&gt;
&lt;li&gt;Services running on-premises that need to communicate with cloud workloads&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;SPIFFE provides a universal identity framework. SPIRE is the reference implementation. Together, they issue short-lived X.509 certificates to workloads regardless of where they run.&lt;/p&gt;

&lt;h2&gt;
  
  
  Architecture Overview
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;                    +-----------------+
                    | SPIRE Server    |
                    | (Root CA)       |
                    +--------+--------+
                             |
              +--------------+--------------+
              |              |              |
     +--------+------+ +----+----+ +-------+------+
     | SPIRE Agent   | | Agent   | | Agent        |
     | (AWS EKS)     | | (Azure) | | (GCP GKE)    |
     +--------+------+ +----+----+ +-------+------+
              |              |              |
     +--------+------+ +----+----+ +-------+------+
     | Workload A    | | Work. B | | Workload C   |
     | SVID issued   | | SVID    | | SVID issued  |
     +---------------+ +---------+ +--------------+
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Key Design Decisions
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Certificate TTL of 1 hour.&lt;/strong&gt; Short-lived certificates mean compromised credentials expire quickly.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Trust domain per organization, not per cloud.&lt;/strong&gt; &lt;code&gt;mycompany.com&lt;/code&gt; spans all three clouds. Workloads in AWS can validate certificates from GCP workloads because they share a trust domain.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Kubernetes PSAT attestation.&lt;/strong&gt; This ties SPIFFE identity to Kubernetes service accounts.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Debugging mTLS Failures
&lt;/h2&gt;

&lt;p&gt;The most common failure: "certificate signed by unknown authority." This means the client does not trust the SPIRE server CA. Check:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Verify the SVID was issued&lt;/span&gt;
spire-agent api fetch x509 &lt;span class="nt"&gt;-socketPath&lt;/span&gt; /run/spire/sockets/agent.sock

&lt;span class="c"&gt;# Check trust bundle&lt;/span&gt;
openssl x509 &lt;span class="nt"&gt;-in&lt;/span&gt; svid.pem &lt;span class="nt"&gt;-text&lt;/span&gt; &lt;span class="nt"&gt;-noout&lt;/span&gt; | &lt;span class="nb"&gt;grep &lt;/span&gt;Issuer
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Full zero trust architecture guide: &lt;a href="https://www.citadelcloudmanagement.com/blogs/news/zero-trust-architecture-multi-cloud" rel="noopener noreferrer"&gt;Zero Trust Multi-Cloud&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Writing Kubernetes NetworkPolicies That Actually Work</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Thu, 09 Jul 2026 16:02:28 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/writing-kubernetes-networkpolicies-that-actually-work-2411</link>
      <guid>https://dev.to/citadel_cloudmanagement_/writing-kubernetes-networkpolicies-that-actually-work-2411</guid>
      <description>&lt;p&gt;NetworkPolicies are the most under-used security feature in Kubernetes. Most clusters I audit have zero network segmentation -- every pod can talk to every other pod. Here is how to fix that.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 1: Default Deny Everything
&lt;/h2&gt;

&lt;p&gt;Apply this to every namespace before writing any allow rules:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;networking.k8s.io/v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;NetworkPolicy&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;default-deny-all&lt;/span&gt;
  &lt;span class="na"&gt;namespace&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;production&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;podSelector&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;{}&lt;/span&gt;
  &lt;span class="na"&gt;policyTypes&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;Ingress&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;Egress&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This blocks ALL traffic to and from every pod in the namespace. Yes, your application will break. That is the point -- now you explicitly allowlist only the traffic that should exist.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 2: Allow DNS (Critical)
&lt;/h2&gt;

&lt;p&gt;Without DNS egress, nothing works. Apply this immediately after the default deny:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;networking.k8s.io/v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;NetworkPolicy&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;allow-dns&lt;/span&gt;
  &lt;span class="na"&gt;namespace&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;production&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;podSelector&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;{}&lt;/span&gt;
  &lt;span class="na"&gt;policyTypes&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;Egress&lt;/span&gt;
  &lt;span class="na"&gt;egress&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;to&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;namespaceSelector&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;matchLabels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
              &lt;span class="na"&gt;kubernetes.io/metadata.name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;kube-system&lt;/span&gt;
      &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;protocol&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;UDP&lt;/span&gt;
          &lt;span class="na"&gt;port&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;53&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;protocol&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;TCP&lt;/span&gt;
          &lt;span class="na"&gt;port&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;53&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Step 3: Allow Specific Service-to-Service Traffic
&lt;/h2&gt;

&lt;p&gt;Example: allowing a frontend to talk to an API backend:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;networking.k8s.io/v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;NetworkPolicy&lt;/span&gt;
&lt;span class="na"&gt;metadata&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;allow-frontend-to-api&lt;/span&gt;
  &lt;span class="na"&gt;namespace&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;production&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;podSelector&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;matchLabels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;api-backend&lt;/span&gt;
  &lt;span class="na"&gt;policyTypes&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;Ingress&lt;/span&gt;
  &lt;span class="na"&gt;ingress&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;from&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;podSelector&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;matchLabels&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
              &lt;span class="na"&gt;app&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;frontend&lt;/span&gt;
      &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;protocol&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;TCP&lt;/span&gt;
          &lt;span class="na"&gt;port&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;8080&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Common Mistakes
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Forgetting DNS egress.&lt;/strong&gt; Your pods need to resolve service names. Without the DNS egress rule, every network call hangs indefinitely.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Using &lt;code&gt;namespaceSelector: {}&lt;/code&gt; (empty selector).&lt;/strong&gt; This matches ALL namespaces, which defeats the purpose. Always use specific label selectors.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Not testing with a network policy-capable CNI.&lt;/strong&gt; The default kubenet CNI does NOT enforce NetworkPolicies. You need Calico, Cilium, or Weave Net.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Applying directly to production.&lt;/strong&gt; Test in a staging environment first.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Debugging NetworkPolicies
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# List all policies in a namespace&lt;/span&gt;
kubectl get networkpolicy &lt;span class="nt"&gt;-n&lt;/span&gt; production

&lt;span class="c"&gt;# Test connectivity between pods&lt;/span&gt;
kubectl &lt;span class="nb"&gt;exec&lt;/span&gt; &lt;span class="nt"&gt;-n&lt;/span&gt; production frontend-pod &lt;span class="nt"&gt;--&lt;/span&gt; curl &lt;span class="nt"&gt;-m&lt;/span&gt; 5 api-backend:8080/health
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If &lt;code&gt;curl&lt;/code&gt; hangs (no connection refused, just timeout), a NetworkPolicy is blocking the traffic.&lt;/p&gt;

&lt;p&gt;Comprehensive K8s security guide: &lt;a href="https://www.citadelcloudmanagement.com/blogs/news/kubernetes-security-best-practices-2026" rel="noopener noreferrer"&gt;Kubernetes Security Best Practices&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Building a DevSecOps Pipeline with GitHub Actions: My Production Config</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Thu, 09 Jul 2026 15:55:56 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/building-a-devsecops-pipeline-with-github-actions-my-production-config-533g</link>
      <guid>https://dev.to/citadel_cloudmanagement_/building-a-devsecops-pipeline-with-github-actions-my-production-config-533g</guid>
      <description>&lt;p&gt;Here is the exact GitHub Actions workflow I use to catch security vulnerabilities before they reach production. Every tool is open source. Total cost: $0.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Workflow File
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;security-pipeline&lt;/span&gt;
&lt;span class="na"&gt;on&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;pull_request&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;branches&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="nv"&gt;main&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
  &lt;span class="na"&gt;push&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;branches&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="nv"&gt;main&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;

&lt;span class="na"&gt;jobs&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;secret-scan&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;runs-on&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ubuntu-latest&lt;/span&gt;
    &lt;span class="na"&gt;steps&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;actions/checkout@v4&lt;/span&gt;
        &lt;span class="na"&gt;with&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;fetch-depth&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Gitleaks secret detection&lt;/span&gt;
        &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;gitleaks/gitleaks-action@v2&lt;/span&gt;
        &lt;span class="na"&gt;env&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;GITHUB_TOKEN&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;${{ secrets.GITHUB_TOKEN }}&lt;/span&gt;

  &lt;span class="na"&gt;dependency-scan&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;runs-on&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ubuntu-latest&lt;/span&gt;
    &lt;span class="na"&gt;steps&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;actions/checkout@v4&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Trivy vulnerability scan&lt;/span&gt;
        &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;aquasecurity/trivy-action@master&lt;/span&gt;
        &lt;span class="na"&gt;with&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;scan-type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s1"&gt;'&lt;/span&gt;&lt;span class="s"&gt;fs'&lt;/span&gt;
          &lt;span class="na"&gt;scan-ref&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s1"&gt;'&lt;/span&gt;&lt;span class="s"&gt;.'&lt;/span&gt;
          &lt;span class="na"&gt;severity&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s1"&gt;'&lt;/span&gt;&lt;span class="s"&gt;CRITICAL,HIGH'&lt;/span&gt;
          &lt;span class="na"&gt;exit-code&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s1"&gt;'&lt;/span&gt;&lt;span class="s"&gt;1'&lt;/span&gt;

  &lt;span class="na"&gt;container-scan&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;runs-on&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ubuntu-latest&lt;/span&gt;
    &lt;span class="na"&gt;needs&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="nv"&gt;dependency-scan&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
    &lt;span class="na"&gt;steps&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;actions/checkout@v4&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Build container&lt;/span&gt;
        &lt;span class="na"&gt;run&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;docker build -t app:${{ github.sha }} .&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Trivy image scan&lt;/span&gt;
        &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;aquasecurity/trivy-action@master&lt;/span&gt;
        &lt;span class="na"&gt;with&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;image-ref&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s1"&gt;'&lt;/span&gt;&lt;span class="s"&gt;app:${{&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;github.sha&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;}}'&lt;/span&gt;
          &lt;span class="na"&gt;severity&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s1"&gt;'&lt;/span&gt;&lt;span class="s"&gt;CRITICAL'&lt;/span&gt;
          &lt;span class="na"&gt;exit-code&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s1"&gt;'&lt;/span&gt;&lt;span class="s"&gt;1'&lt;/span&gt;

  &lt;span class="na"&gt;infrastructure-scan&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;runs-on&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ubuntu-latest&lt;/span&gt;
    &lt;span class="na"&gt;steps&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;actions/checkout@v4&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Checkov IaC scan&lt;/span&gt;
        &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;bridgecrewio/checkov-action@master&lt;/span&gt;
        &lt;span class="na"&gt;with&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;directory&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;./terraform&lt;/span&gt;
          &lt;span class="na"&gt;framework&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;terraform&lt;/span&gt;
          &lt;span class="na"&gt;soft_fail&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="kc"&gt;false&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Why This Order Matters
&lt;/h2&gt;

&lt;p&gt;Secret scanning runs first and independently. If there are hardcoded credentials, nothing else matters -- stop the pipeline immediately.&lt;/p&gt;

&lt;p&gt;Dependency scanning runs before container scanning because if the dependency file has a critical CVE, building the container is wasted compute.&lt;/p&gt;

&lt;p&gt;Infrastructure scanning runs independently because it does not depend on the application build.&lt;/p&gt;

&lt;h2&gt;
  
  
  Threshold Tuning
&lt;/h2&gt;

&lt;p&gt;The most important decision is what severity breaks the build:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Secret detection&lt;/strong&gt;: Any finding = build failure. Zero tolerance.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Dependency scanning&lt;/strong&gt;: CRITICAL + HIGH with known exploits = build failure.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Container scanning&lt;/strong&gt;: CRITICAL only = build failure. HIGH creates a ticket.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;IaC scanning&lt;/strong&gt;: Security misconfigurations = build failure. Best practice recommendations = warning.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Getting the thresholds wrong in either direction kills adoption. Too strict, and developers route around the pipeline. Too lenient, and the pipeline provides false confidence.&lt;/p&gt;

&lt;p&gt;Full DevSecOps guide: &lt;a href="https://www.citadelcloudmanagement.com/blogs/news/devsecops-pipeline-tutorial" rel="noopener noreferrer"&gt;DevSecOps Pipeline Tutorial&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>What Is DevOps? Everything You Need to Know in 2026</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Mon, 29 Jun 2026 14:41:49 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/what-is-devops-everything-you-need-to-know-in-2026-1mhd</link>
      <guid>https://dev.to/citadel_cloudmanagement_/what-is-devops-everything-you-need-to-know-in-2026-1mhd</guid>
      <description>&lt;p&gt;&lt;strong&gt;Quick answer:&lt;/strong&gt; DevOps combines software development (Dev) and IT operations (Ops) to shorten the development lifecycle and deliver high-quality software continuously.&lt;/p&gt;

&lt;h2&gt;
  
  
  Key Numbers
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;7,000+&lt;/strong&gt; deployments per day at elite organizations (DORA 2024)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;208x&lt;/strong&gt; faster lead time for elite vs low performers&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;24x&lt;/strong&gt; faster incident recovery&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;$17.2 billion&lt;/strong&gt; global DevOps market (2025)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The Three Pillars
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Culture.&lt;/strong&gt; Shared ownership, blameless postmortems, continuous learning.&lt;br&gt;
&lt;strong&gt;Automation.&lt;/strong&gt; CI/CD pipelines, Infrastructure as Code, automated testing.&lt;br&gt;
&lt;strong&gt;Measurement.&lt;/strong&gt; DORA metrics: deployment frequency, lead time, failure rate, recovery time.&lt;/p&gt;

&lt;h2&gt;
  
  
  Core Practices
&lt;/h2&gt;

&lt;h3&gt;
  
  
  CI/CD
&lt;/h3&gt;

&lt;p&gt;Developers merge frequently. Each merge triggers automated builds and tests.&lt;br&gt;
&lt;strong&gt;Tools:&lt;/strong&gt; GitHub Actions, GitLab CI/CD, Jenkins, ArgoCD&lt;/p&gt;

&lt;h3&gt;
  
  
  Infrastructure as Code
&lt;/h3&gt;

&lt;p&gt;Manage infrastructure through version-controlled config files.&lt;br&gt;
&lt;strong&gt;Tools:&lt;/strong&gt; Terraform, CloudFormation, Pulumi, Ansible&lt;/p&gt;

&lt;h3&gt;
  
  
  Monitoring and Observability
&lt;/h3&gt;

&lt;p&gt;Three pillars: metrics, logs, traces.&lt;br&gt;
&lt;strong&gt;Tools:&lt;/strong&gt; Prometheus, Grafana, Datadog, OpenTelemetry&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.citadelcloudmanagement.com/blogs/news/what-is-devops-everything-you-need-to-know-2026" rel="noopener noreferrer"&gt;Read the full guide covering DevSecOps, team structures, and career paths -&amp;gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.citadelcloudmanagement.com" rel="noopener noreferrer"&gt;Citadel Cloud Management&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>devops</category>
      <category>cloud</category>
      <category>beginners</category>
      <category>career</category>
    </item>
    <item>
      <title>How to Become a Cloud Architect in 2026: Step-by-Step Career Guide</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Mon, 29 Jun 2026 14:41:17 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/how-to-become-a-cloud-architect-in-2026-step-by-step-career-guide-4p15</link>
      <guid>https://dev.to/citadel_cloudmanagement_/how-to-become-a-cloud-architect-in-2026-step-by-step-career-guide-4p15</guid>
      <description>&lt;p&gt;Cloud architects earn between $150,000 and $250,000 per year in the US (Robert Half 2026). Remote cloud architects from Africa report $60,000-$120,000 annually.&lt;/p&gt;

&lt;h2&gt;
  
  
  What a Cloud Architect Actually Does
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Designing infrastructure&lt;/strong&gt; -- Selecting AWS, Azure, GCP configurations&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Creating architecture blueprints&lt;/strong&gt; -- System designs for engineering teams&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Security and compliance&lt;/strong&gt; -- IAM, encryption, SOC 2, HIPAA, PCI-DSS&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cost optimization&lt;/strong&gt; -- Enterprise cloud bills exceed $1M/month&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Stakeholder communication&lt;/strong&gt; -- Presenting to CTOs and VPs&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Required Skills: Four Pillars
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Pillar 1: Cloud Platform Expertise
&lt;/h3&gt;

&lt;p&gt;Deep proficiency in at least one: AWS (31%), Azure (25%), or GCP (11%)&lt;/p&gt;

&lt;h3&gt;
  
  
  Pillar 2: Infrastructure and DevOps
&lt;/h3&gt;

&lt;p&gt;Terraform, Docker, Kubernetes, CI/CD, Monitoring&lt;/p&gt;

&lt;h3&gt;
  
  
  Pillar 3: Security Architecture
&lt;/h3&gt;

&lt;p&gt;IAM, encryption, network security, compliance frameworks&lt;/p&gt;

&lt;h3&gt;
  
  
  Pillar 4: Communication and Leadership
&lt;/h3&gt;

&lt;p&gt;Design documents, executive presentations, technical tradeoffs&lt;/p&gt;

&lt;h2&gt;
  
  
  Career Timeline
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Stage&lt;/th&gt;
&lt;th&gt;Timeline&lt;/th&gt;
&lt;th&gt;Salary (US)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Junior Cloud Engineer&lt;/td&gt;
&lt;td&gt;Years 0-2&lt;/td&gt;
&lt;td&gt;$80K-$120K&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Mid-Level&lt;/td&gt;
&lt;td&gt;Years 2-4&lt;/td&gt;
&lt;td&gt;$120K-$155K&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Senior Cloud Engineer&lt;/td&gt;
&lt;td&gt;Years 4-6&lt;/td&gt;
&lt;td&gt;$150K-$185K&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cloud Architect&lt;/td&gt;
&lt;td&gt;Years 6-10&lt;/td&gt;
&lt;td&gt;$170K-$220K&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Principal Architect&lt;/td&gt;
&lt;td&gt;Years 10+&lt;/td&gt;
&lt;td&gt;$200K-$300K+&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.citadelcloudmanagement.com/blogs/news/how-to-become-cloud-architect-2026" rel="noopener noreferrer"&gt;Read the full guide with portfolio projects and interview prep -&amp;gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.citadelcloudmanagement.com" rel="noopener noreferrer"&gt;Citadel Cloud Management&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cloud</category>
      <category>career</category>
      <category>aws</category>
      <category>architecture</category>
    </item>
    <item>
      <title>Top 30 Cloud Architect Interview Questions and Answers [2026]</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Mon, 29 Jun 2026 14:41:10 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/top-30-cloud-architect-interview-questions-and-answers-2026-3kip</link>
      <guid>https://dev.to/citadel_cloudmanagement_/top-30-cloud-architect-interview-questions-and-answers-2026-3kip</guid>
      <description>&lt;p&gt;I have been on both sides of the cloud architect interview table. As a hiring manager at Lockheed Martin and Cigna Healthcare, I conducted over 200 technical interviews for cloud architecture roles.&lt;/p&gt;

&lt;h2&gt;
  
  
  Foundational Architecture Questions
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. What is the difference between high availability and fault tolerance?
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;High availability&lt;/strong&gt; minimizes downtime through redundancy. A system with 99.99% availability is highly available. It may experience brief interruptions during failover.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Fault tolerance&lt;/strong&gt; means the system continues operating without any interruption when a component fails. It requires active-active redundancy.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Explain the CAP theorem and how it applies to cloud database selection.
&lt;/h3&gt;

&lt;p&gt;The CAP theorem states a distributed system can guarantee at most two of: Consistency, Availability, Partition tolerance.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CP systems&lt;/strong&gt; (DynamoDB strongly consistent, Cloud Spanner): Use for financial transactions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AP systems&lt;/strong&gt; (DynamoDB eventually consistent, Cassandra): Use for social feeds, session stores.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  3. How do you design a multi-region active-active architecture?
&lt;/h3&gt;

&lt;p&gt;Key challenges: data replication, conflict resolution, routing.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Data layer&lt;/strong&gt;: globally distributed database&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Application layer&lt;/strong&gt;: identical stacks per region&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Routing&lt;/strong&gt;: Route 53 latency-based or Cloudflare load balancing&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Conflict resolution&lt;/strong&gt;: last-writer-wins or vector clocks&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  4. Containers vs. serverless -- when do you choose each?
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dimension&lt;/th&gt;
&lt;th&gt;Containers&lt;/th&gt;
&lt;th&gt;Serverless&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Startup time&lt;/td&gt;
&lt;td&gt;Seconds to minutes&lt;/td&gt;
&lt;td&gt;Milliseconds to seconds&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Max execution&lt;/td&gt;
&lt;td&gt;Unlimited&lt;/td&gt;
&lt;td&gt;15 minutes (Lambda)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cost model&lt;/td&gt;
&lt;td&gt;Per-hour (even idle)&lt;/td&gt;
&lt;td&gt;Per-invocation + duration&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Best for&lt;/td&gt;
&lt;td&gt;Long-running services&lt;/td&gt;
&lt;td&gt;Event-driven processing&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.citadelcloudmanagement.com/blogs/news/cloud-architect-interview-questions-2026" rel="noopener noreferrer"&gt;Read all 30 questions with detailed answers -&amp;gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.citadelcloudmanagement.com" rel="noopener noreferrer"&gt;Citadel Cloud Management&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cloud</category>
      <category>career</category>
      <category>aws</category>
      <category>interview</category>
    </item>
    <item>
      <title>Remote Cloud Jobs From Africa: How to Land $2K-$8K/Month Working Remotely</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Mon, 29 Jun 2026 14:40:27 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/remote-cloud-jobs-from-africa-how-to-land-2k-8kmonth-working-remotely-132l</link>
      <guid>https://dev.to/citadel_cloudmanagement_/remote-cloud-jobs-from-africa-how-to-land-2k-8kmonth-working-remotely-132l</guid>
      <description>&lt;p&gt;There are over 47,000 open remote cloud computing positions that accept candidates from African countries (April 2026 data from 14 job platforms). That number was 12,000 in 2022.&lt;/p&gt;

&lt;h2&gt;
  
  
  Salary Ranges
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Nigeria:&lt;/strong&gt; Junior $2K-3.5K/mo, Mid $3.5K-5.5K/mo, Senior $5.5K-8K/mo, Architect $7K-12K/mo&lt;br&gt;
&lt;strong&gt;Kenya:&lt;/strong&gt; Mid-level $3K-5K/mo (Nairobi = Silicon Savannah)&lt;br&gt;
&lt;strong&gt;South Africa:&lt;/strong&gt; Senior $6K-8.5K/mo&lt;br&gt;
&lt;strong&gt;Ghana:&lt;/strong&gt; Mid-level $3K-5K/mo&lt;/p&gt;

&lt;h2&gt;
  
  
  Where to Find These Jobs
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Turing.com&lt;/strong&gt; -- AI-matched, pays in USD&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Toptal&lt;/strong&gt; -- Top 3% screening, premium rates&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Andela&lt;/strong&gt; -- Africa-focused&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Arc.dev&lt;/strong&gt; -- Transparent salaries&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;LinkedIn Remote&lt;/strong&gt; -- Filter Remote, target US/EU companies&lt;/li&gt;
&lt;/ol&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.citadelcloudmanagement.com/blogs/news/remote-cloud-jobs-from-africa-2026" rel="noopener noreferrer"&gt;Full guide with payment methods, tax strategies, interview tips -&amp;gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.citadelcloudmanagement.com" rel="noopener noreferrer"&gt;Citadel Cloud Management&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cloud</category>
      <category>career</category>
      <category>remote</category>
      <category>africa</category>
    </item>
    <item>
      <title>Best Cloud Certifications 2026: 12 Certs Ranked by ROI and Salary Impact</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Mon, 29 Jun 2026 14:40:00 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/best-cloud-certifications-2026-12-certs-ranked-by-roi-and-salary-impact-1bbb</link>
      <guid>https://dev.to/citadel_cloudmanagement_/best-cloud-certifications-2026-12-certs-ranked-by-roi-and-salary-impact-1bbb</guid>
      <description>&lt;p&gt;Certifications are an investment. They cost money, they consume study hours, and they carry an opportunity cost.&lt;/p&gt;

&lt;p&gt;I have held certifications across AWS, Azure, and Kubernetes since 2018. This ranking is built on direct observation combined with 2025-2026 salary data from Global Knowledge, Dice, and LinkedIn.&lt;/p&gt;

&lt;h2&gt;
  
  
  How ROI Was Calculated
&lt;/h2&gt;

&lt;p&gt;ROI score is a weighted composite: Salary uplift (40%), Market demand (25%), Cost efficiency (20%), Time efficiency (15%).&lt;/p&gt;

&lt;h2&gt;
  
  
  Top 5 Certifications by ROI
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. AWS Solutions Architect Associate (SAA-C03) -- ROI: 9.4/10
&lt;/h3&gt;

&lt;p&gt;Exam Cost: $150 | Study Time: 120-160 hrs | Salary Uplift: +$26K/year&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Azure Administrator (AZ-104) -- ROI: 8.9/10
&lt;/h3&gt;

&lt;h3&gt;
  
  
  3. Terraform Associate -- ROI: 8.7/10
&lt;/h3&gt;

&lt;h3&gt;
  
  
  4. Kubernetes CKA -- ROI: 8.5/10
&lt;/h3&gt;

&lt;h3&gt;
  
  
  5. AWS Solutions Architect Professional -- ROI: 8.3/10
&lt;/h3&gt;

&lt;h2&gt;
  
  
  Certification Stacking Strategy
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Cloud Engineer Stack:&lt;/strong&gt; AWS SAA + Terraform + CKA&lt;br&gt;
&lt;strong&gt;Enterprise Architect Stack:&lt;/strong&gt; AZ-104 + AZ-305 + AWS SAA&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.citadelcloudmanagement.com/blogs/news/best-cloud-certifications-2026-ranked" rel="noopener noreferrer"&gt;Read the full ranking of all 12 certifications -&amp;gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.citadelcloudmanagement.com" rel="noopener noreferrer"&gt;Citadel Cloud Management&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>cloud</category>
      <category>career</category>
      <category>aws</category>
      <category>certification</category>
    </item>
    <item>
      <title>DevOps vs SRE: Key Differences Explained [2026 Guide]</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Mon, 29 Jun 2026 14:38:43 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/devops-vs-sre-key-differences-explained-2026-guide-1k34</link>
      <guid>https://dev.to/citadel_cloudmanagement_/devops-vs-sre-key-differences-explained-2026-guide-1k34</guid>
      <description>&lt;p&gt;After managing infrastructure teams at Lockheed Martin, Cigna Healthcare, and BP Refinery, I have seen the DevOps-versus-SRE question play out in hiring committees, organizational redesigns, and vendor negotiations hundreds of times.&lt;/p&gt;

&lt;p&gt;But they are not the same role. The distinction matters for your career trajectory, your compensation, and the type of problems you solve daily.&lt;/p&gt;

&lt;h2&gt;
  
  
  Origins: Where Each Discipline Came From
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;DevOps&lt;/strong&gt; emerged around 2008-2009 from the Agile and Lean movements. The core insight was that separating development and operations into isolated teams created bottlenecks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Site Reliability Engineering (SRE)&lt;/strong&gt; was formalized at Google by Ben Treynor Sloss around 2003.&lt;/p&gt;

&lt;h2&gt;
  
  
  Core Responsibilities Compared
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dimension&lt;/th&gt;
&lt;th&gt;DevOps Engineer&lt;/th&gt;
&lt;th&gt;Site Reliability Engineer&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Primary focus&lt;/td&gt;
&lt;td&gt;Delivery velocity and automation&lt;/td&gt;
&lt;td&gt;System reliability and performance&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Key metric&lt;/td&gt;
&lt;td&gt;Deployment frequency, lead time&lt;/td&gt;
&lt;td&gt;SLOs, SLIs, error budgets&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Code ratio&lt;/td&gt;
&lt;td&gt;40-60% automation, 40-60% operations&lt;/td&gt;
&lt;td&gt;50%+ software engineering&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Salary Comparison (2026)
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Role&lt;/th&gt;
&lt;th&gt;US Average&lt;/th&gt;
&lt;th&gt;Remote (International)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;DevOps Engineer&lt;/td&gt;
&lt;td&gt;$130K-$170K&lt;/td&gt;
&lt;td&gt;$50K-$100K&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Senior DevOps Engineer&lt;/td&gt;
&lt;td&gt;$155K-$195K&lt;/td&gt;
&lt;td&gt;$70K-$120K&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Site Reliability Engineer&lt;/td&gt;
&lt;td&gt;$150K-$200K&lt;/td&gt;
&lt;td&gt;$60K-$120K&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Senior SRE&lt;/td&gt;
&lt;td&gt;$180K-$240K&lt;/td&gt;
&lt;td&gt;$80K-$150K&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;SRE roles consistently pay 10-20% more than equivalent DevOps roles.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.citadelcloudmanagement.com/blogs/news/devops-vs-sre-differences-2026" rel="noopener noreferrer"&gt;Read the full comparison with tool stacks, career transition paths, and hiring patterns -&amp;gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.citadelcloudmanagement.com" rel="noopener noreferrer"&gt;Citadel Cloud Management&lt;/a&gt;. 17 free cloud courses available -- no credit card required.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>devops</category>
      <category>sre</category>
      <category>cloud</category>
      <category>career</category>
    </item>
    <item>
      <title>Terraform for Beginners: Your First Infrastructure as Code Project</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Mon, 29 Jun 2026 14:32:47 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/terraform-for-beginners-your-first-infrastructure-as-code-project-6cm</link>
      <guid>https://dev.to/citadel_cloudmanagement_/terraform-for-beginners-your-first-infrastructure-as-code-project-6cm</guid>
      <description>&lt;p&gt;When I first joined Patterson UTI as a cloud architect, the infrastructure team was managing hundreds of EC2 instances through a mix of hand-clicked AWS Console actions and homegrown Bash scripts. Rebuilding the same stack in a disaster recovery scenario took two engineers three days. After we moved to Terraform, that rebuild became a fifteen-minute &lt;code&gt;terraform apply&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;That is the promise of Infrastructure as Code -- not a theoretical improvement, but a concrete operational shift that changes how your team recovers, scales, and audits.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Terraform Is (And What It Is Not)
&lt;/h2&gt;

&lt;p&gt;Terraform is an open-source Infrastructure as Code tool built by HashiCorp. You describe the infrastructure you want in HCL files, and Terraform figures out what to create, modify, or destroy to reach that desired state. It is &lt;strong&gt;declarative&lt;/strong&gt; -- you describe the end state, not the steps to get there.&lt;/p&gt;

&lt;h2&gt;
  
  
  Your First HCL File: The AWS Provider
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight hcl"&gt;&lt;code&gt;&lt;span class="nx"&gt;terraform&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;required_providers&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="nx"&gt;aws&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
      &lt;span class="nx"&gt;source&lt;/span&gt;  &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"hashicorp/aws"&lt;/span&gt;
      &lt;span class="nx"&gt;version&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"~&amp;gt; 5.0"&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="nx"&gt;provider&lt;/span&gt; &lt;span class="s2"&gt;"aws"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;region&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"us-east-1"&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Creating an S3 Bucket
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight hcl"&gt;&lt;code&gt;&lt;span class="nx"&gt;resource&lt;/span&gt; &lt;span class="s2"&gt;"aws_s3_bucket"&lt;/span&gt; &lt;span class="s2"&gt;"my_bucket"&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
  &lt;span class="nx"&gt;bucket&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"my-terraform-demo-bucket-2026"&lt;/span&gt;
  &lt;span class="nx"&gt;tags&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="nx"&gt;Environment&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"dev"&lt;/span&gt;
    &lt;span class="nx"&gt;ManagedBy&lt;/span&gt;   &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"terraform"&lt;/span&gt;
  &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Run these three commands:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;terraform init    &lt;span class="c"&gt;# Download the AWS provider&lt;/span&gt;
terraform plan    &lt;span class="c"&gt;# Preview what Terraform will create&lt;/span&gt;
terraform apply   &lt;span class="c"&gt;# Create the resources&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.citadelcloudmanagement.com/blogs/news/terraform-infrastructure-as-code-beginners-2026" rel="noopener noreferrer"&gt;Read the full guide covering modules, workspaces, production patterns, and a complete EC2 + VPC project -&amp;gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.citadelcloudmanagement.com" rel="noopener noreferrer"&gt;Citadel Cloud Management&lt;/a&gt;. 17 free cloud courses available -- no credit card required.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>terraform</category>
      <category>devops</category>
      <category>aws</category>
      <category>cloud</category>
    </item>
    <item>
      <title>Kubernetes CKA Certification Study Guide 2026: Pass First Try</title>
      <dc:creator>Citadel Cloud Management</dc:creator>
      <pubDate>Mon, 29 Jun 2026 14:30:03 +0000</pubDate>
      <link>https://dev.to/citadel_cloudmanagement_/kubernetes-cka-certification-study-guide-2026-pass-first-try-46c9</link>
      <guid>https://dev.to/citadel_cloudmanagement_/kubernetes-cka-certification-study-guide-2026-pass-first-try-46c9</guid>
      <description>&lt;p&gt;I passed the CKA exam on my first attempt in 2024. The certification cost $395, required two hours of hands-on problem-solving in a live terminal, and tested knowledge that I use daily in production Kubernetes environments. It was the second most valuable certification I have earned after the AWS Solutions Architect Professional.&lt;/p&gt;

&lt;p&gt;This guide is the study plan I wish I had before starting.&lt;/p&gt;

&lt;h2&gt;
  
  
  CKA Exam Overview: 2026 Format
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Detail&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Certifying body&lt;/td&gt;
&lt;td&gt;CNCF / Linux Foundation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Kubernetes version&lt;/td&gt;
&lt;td&gt;1.30+&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Exam format&lt;/td&gt;
&lt;td&gt;Performance-based (live terminal, real clusters)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Duration&lt;/td&gt;
&lt;td&gt;2 hours&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tasks&lt;/td&gt;
&lt;td&gt;15-20 practical tasks&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Passing score&lt;/td&gt;
&lt;td&gt;66%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cost&lt;/td&gt;
&lt;td&gt;$395 USD (includes one free retake)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Validity&lt;/td&gt;
&lt;td&gt;3 years&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Allowed resources&lt;/td&gt;
&lt;td&gt;Official Kubernetes docs during exam&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The exam is not multiple choice. You solve real problems in real clusters.&lt;/p&gt;

&lt;h2&gt;
  
  
  Exam Domains and Weights
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Domain&lt;/th&gt;
&lt;th&gt;Weight&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Cluster Architecture, Installation, and Configuration&lt;/td&gt;
&lt;td&gt;25%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Workloads and Scheduling&lt;/td&gt;
&lt;td&gt;15%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Services and Networking&lt;/td&gt;
&lt;td&gt;20%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Storage&lt;/td&gt;
&lt;td&gt;10%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Troubleshooting&lt;/td&gt;
&lt;td&gt;30%&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Two critical observations:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Troubleshooting is 30% of the score.&lt;/strong&gt; If you cannot diagnose a broken cluster, a failed kubelet, or a misconfigured NetworkPolicy under time pressure, you will not pass.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Cluster management is 25%.&lt;/strong&gt; This is frequently under-practiced. You need to upgrade a cluster using kubeadm and restore an etcd snapshot from the command line without looking up every flag.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  8-Week Study Plan (10-15 hrs/week)
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Weeks 1-2: Core Concepts and Cluster Setup
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Kubernetes architecture: control plane and worker node components&lt;/li&gt;
&lt;li&gt;Install a multi-node cluster using kubeadm&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;kubectl&lt;/code&gt; fluency: create, get, describe, edit, delete, apply, explain&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Weeks 3-4: Workloads and Scheduling
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Deployments, ReplicaSets, DaemonSets, StatefulSets&lt;/li&gt;
&lt;li&gt;Resource requests and limits&lt;/li&gt;
&lt;li&gt;Node selectors, affinity, taints, and tolerations&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Weeks 5-6: Services, Networking, and Storage
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;ClusterIP, NodePort, LoadBalancer services&lt;/li&gt;
&lt;li&gt;Ingress controllers and rules&lt;/li&gt;
&lt;li&gt;NetworkPolicies&lt;/li&gt;
&lt;li&gt;PersistentVolumes, PersistentVolumeClaims, StorageClasses&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Weeks 7-8: Troubleshooting and Exam Practice
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Diagnose node failures, pod failures, service connectivity&lt;/li&gt;
&lt;li&gt;Backup and restore etcd&lt;/li&gt;
&lt;li&gt;Cluster upgrades with kubeadm&lt;/li&gt;
&lt;li&gt;Timed practice exams&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Time Management: The Real Exam Skill
&lt;/h2&gt;

&lt;p&gt;The CKA is a speed test. You have 120 minutes for 15-20 tasks. That is 6-8 minutes per task. The candidates who fail are not the ones who lack knowledge -- they are the ones who spend 15 minutes on a 4-point question and run out of time before reaching the 12-point questions.&lt;/p&gt;

&lt;p&gt;My approach: scan all questions first. Answer every question you can solve in under 5 minutes. Flag harder questions for a second pass.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.citadelcloudmanagement.com/blogs/news/kubernetes-cka-study-guide-2026" rel="noopener noreferrer"&gt;Read the complete study guide with kubectl cheat sheet, lab setup instructions, and practice scenarios -&amp;gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published at &lt;a href="https://www.citadelcloudmanagement.com" rel="noopener noreferrer"&gt;Citadel Cloud Management&lt;/a&gt;. 17 free cloud courses available -- no credit card required.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>kubernetes</category>
      <category>devops</category>
      <category>cloud</category>
      <category>certification</category>
    </item>
  </channel>
</rss>
