基础设施工程师技能指南：DevOps、多云平台、Kubernetes、Docker、FinOps、DevSecOps 实践

infra-engineer by samhvw8/dotfiles

78 周安装量

12 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/samhvw8/dotfiles --skill infra-engineer

云服务开发运维系统架构

🇨🇳中文介绍

基础设施工程技能

现代基础设施工程综合指南，涵盖 DevOps 实践、多云平台（AWS、Azure、GCP、Cloudflare）、FinOps 成本优化和 DevSecOps 安全实践。

何时使用此技能

在以下情况下使用此技能：

DevOps ：设置 CI/CD 流水线（GitHub Actions、GitLab CI、Jenkins），实施 GitOps 工作流（ArgoCD、Flux）
AWS ：部署到 EC2、Lambda、ECS、EKS，管理 S3、RDS，使用 CloudFormation/CDK
Azure ：使用 Azure 虚拟机、应用服务、AKS、Azure 函数、存储账户
GCP ：管理计算引擎、GKE、Cloud Run、云存储、应用引擎
Cloudflare ：部署 Workers、R2 存储、D1 数据库、Pages 应用
Kubernetes ：管理集群、部署、服务、入口、Helm 图表、操作器
Docker ：容器化应用、多阶段构建、Docker Compose、注册表
FinOps ：分析云成本、优化支出、预留实例、竞价实例、资源优化
DevSecOps ：安全扫描（SAST/DAST）、漏洞管理、密钥管理、合规性
IaC ：Terraform、CloudFormation、Pulumi、配置管理
监控：设置可观测性、日志记录、指标、告警、分布式追踪

平台选择指南

何时使用 AWS

最适合：

大规模通用云计算
拥有 200 多项服务的成熟生态系统
具有合规性要求的企业工作负载
使用 AWS Outposts 的混合云
广泛的第三方集成
高级网络和安全控制

关键服务：

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

何时使用 Cloudflare

具有全球分布的边缘优先应用
超低延迟要求（<50ms）
带有无服务器功能的静态站点
零出口成本场景（R2 存储）
WebSocket/实时应用（Durable Objects）
边缘 AI/ML（Workers AI）

Workers（无服务器函数）
R2（对象存储、S3 兼容）
D1（具有全局复制的 SQLite 数据库）
KV（键值存储）
Pages（静态托管 + 函数）
Durable Objects（有状态计算）
Browser Rendering（无头浏览器自动化）

成本概况： 按请求付费、慷慨的免费套餐、零出口费用

何时使用 Kubernetes

大规模容器编排
具有 10 个以上服务的微服务架构
多云和混合部署
自愈和自动扩缩容工作负载
复杂的部署策略（蓝绿、金丝雀）
服务网格架构（Istio、Linkerd）
带有操作器的有状态应用

声明式配置（YAML 清单）
自动滚动更新和回滚
服务发现和负载均衡
自愈（重启失败的容器）
水平 Pod 自动扩缩容
密钥和配置管理
存储编排
批处理作业执行

托管选项： EKS（AWS）、AKS（Azure）、GKE（GCP）、托管 k8s 提供商

成本概况： 集群管理费 + 节点成本（通过竞价实例、集群自动扩缩容进行优化）

本地开发一致性
微服务架构
多语言栈应用
传统 VPS/虚拟机部署
Kubernetes 工作负载的基础
CI/CD 构建环境
数据库容器化（开发/测试）

应用隔离和可移植性
用于优化的多阶段构建
用于多容器应用的 Docker Compose
用于数据持久化的卷管理
网络配置和服务发现
跨平台兼容性（amd64、arm64）
用于改进构建性能的 BuildKit

成本概况： 仅基础设施成本（计算 + 存储），无编排开销

何时使用 Google Cloud

企业级应用
数据分析和 ML 流水线（BigQuery、Vertex AI）
混合/多云部署
大规模 Kubernetes（GKE）
托管数据库（Cloud SQL、Firestore、Spanner）
复杂的 IAM 和合规性要求

计算引擎（虚拟机）
GKE（托管 Kubernetes）
Cloud Run（容器化无服务器）
应用引擎（PaaS）
云存储（对象存储）
Cloud SQL（托管数据库）

成本概况： 多样化的定价、持续使用折扣、承诺使用合同

# Install AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install

# Configure credentials
aws configure

# Create Lambda function with SAM
sam init --runtime python3.11
sam build && sam deploy --guided

参见：references/aws-lambda.md

AWS EKS Kubernetes 集群

# Install eksctl
brew install eksctl  # or curl download

# Create cluster
eksctl create cluster \
  --name my-cluster \
  --region us-west-2 \
  --nodegroup-name standard-workers \
  --node-type t3.medium \
  --nodes 3 \
  --nodes-min 1 \
  --nodes-max 4

参见：references/kubernetes-basics.md

# Install Azure CLI
curl -L https://aka.ms/InstallAzureCli | bash

# Login and create resources
az login
az group create --name myResourceGroup --location eastus
az webapp create --resource-group myResourceGroup \
  --name myapp --runtime "NODE:18-lts"

参见：references/azure-basics.md

# Install Wrangler CLI
npm install -g wrangler

# Create and deploy Worker
wrangler init my-worker
cd my-worker
wrangler deploy

参见：references/cloudflare-workers-basics.md

# Create deployment
kubectl create deployment nginx --image=nginx:latest
kubectl expose deployment nginx --port=80 --type=LoadBalancer

# Apply from manifest
kubectl apply -f deployment.yaml

# Check status
kubectl get pods,services,deployments

参见：references/kubernetes-basics.md

# Create Dockerfile
cat > Dockerfile <<EOF
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .
EXPOSE 3000
CMD ["node", "server.js"]
EOF

# Build and run
docker build -t myapp .
docker run -p 3000:3000 myapp

参见：references/docker-basics.md

AWS (Amazon Web Services)

aws-overview.md - AWS 基础、账户设置、IAM 基础
aws-ec2.md - EC2 实例、AMI、安全组、自动扩缩容
aws-lambda.md - 无服务器函数、SAM、事件源、层
aws-ecs-eks.md - 容器编排、ECS 与 EKS、Fargate
aws-s3-rds.md - S3 存储、RDS 数据库、备份策略
aws-cloudformation.md - 基础设施即代码、CDK、最佳实践
aws-networking.md - VPC、子网、安全组、负载均衡器

Azure (Microsoft Azure)

azure-basics.md - Azure 基础、订阅、资源组
azure-compute.md - 虚拟机、应用服务、AKS、Azure 函数
azure-storage.md - 存储账户、Blob、文件、托管磁盘

cloudflare-platform.md - 边缘计算概述、关键组件
cloudflare-workers-basics.md - 入门、处理器类型、基本模式
cloudflare-workers-advanced.md - 高级模式、性能、优化
cloudflare-workers-apis.md - 运行时 API、绑定、集成
cloudflare-r2-storage.md - R2 对象存储、S3 兼容性、最佳实践
cloudflare-d1-kv.md - D1 SQLite 数据库、KV 存储、用例
browser-rendering.md - Cloudflare 上的 Puppeteer/Playwright 自动化

Kubernetes 和容器编排

kubernetes-basics.md - 核心概念、Pod、部署、服务
kubernetes-advanced.md - StatefulSet、操作器、自定义资源
kubernetes-networking.md - 入口、服务网格、网络策略
helm-charts.md - 包管理、图表、仓库

docker-basics.md - 核心概念、Dockerfile、镜像、容器
docker-compose.md - 多容器应用、网络、卷
docker-security.md - 镜像扫描、密钥、最佳实践

Google Cloud Platform

gcloud-platform.md - GCP 概述、gcloud CLI、身份验证
gcloud-services.md - 计算引擎、GKE、Cloud Run、应用引擎

cicd-github-actions.md - GitHub Actions 工作流、运行器、密钥
cicd-gitlab.md - GitLab CI/CD 流水线、制品、缓存
gitops-argocd.md - ArgoCD 设置、应用的应用模式、同步策略
gitops-flux.md - Flux 控制器、GitOps 工具包、多租户

FinOps (成本优化)

finops-basics.md - 成本优化原则、FinOps 生命周期
finops-aws.md - AWS 成本优化、RI、Savings Plans、竞价实例
finops-azure.md - Azure 成本管理、预留、混合权益
finops-gcp.md - GCP 成本优化、承诺使用、持续使用
finops-tools.md - 成本分析工具、Kubecost、CloudHealth、Infracost

devsecops-basics.md - 安全最佳实践、左移安全
devsecops-scanning.md - SAST、DAST、SCA、容器扫描
secrets-management.md - Vault、AWS Secrets Manager、密封密钥
compliance.md - SOC2、HIPAA、PCI-DSS、审计日志记录

基础设施即代码

terraform-basics.md - Terraform 基础、提供者、状态
terraform-advanced.md - 模块、工作区、远程状态
cloudformation-basics.md - CloudFormation 模板、堆栈、变更集

实用工具和脚本

scripts/cloudflare-deploy.py - 自动化 Cloudflare Worker 部署
scripts/docker-optimize.py - 分析和优化 Dockerfile
scripts/cost-analyzer.py - 云成本分析和报告
scripts/security-scanner.py - 自动化安全扫描

# Edge Layer: Cloudflare Workers (global routing, caching)
# Compute Layer: AWS ECS/Lambda or Azure App Service (application logic)
# Data Layer: AWS RDS or Azure SQL (persistent storage)
# CDN/Storage: Cloudflare R2 or AWS S3 (static assets)

Benefits:
- Best-of-breed services per layer
- Geographic redundancy
- Cost optimization across providers

使用 CI/CD 的 AWS ECS 部署

# GitHub Actions workflow
name: Deploy to ECS
on: push
jobs:
  deploy:
    - Build Docker image
    - Push to ECR
    - Update ECS task definition
    - Deploy to ECS service
    - Wait for deployment stabilization

使用 ArgoCD 的 Kubernetes GitOps

# Git repository structure
/apps
  /production
    - deployment.yaml
    - service.yaml
    - ingress.yaml
  /staging
    - deployment.yaml

# ArgoCD syncs cluster state from Git
# Changes: Git commit → ArgoCD detects → Auto-sync to cluster

多阶段 Docker 构建

# Build stage
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Production stage
FROM node:20-alpine
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
USER node
CMD ["node", "dist/server.js"]

FinOps 成本优化工作流

# 1. Discovery: Identify untagged resources
# 2. Analysis: Right-size instances (CPU/memory utilization)
# 3. Optimization:
#    - Convert to reserved instances (predictable workloads)
#    - Use spot instances (fault-tolerant workloads)
#    - Schedule start/stop (dev environments)
# 4. Monitoring: Set budget alerts, track savings
# 5. Governance: Enforce tagging policies

DevSecOps 安全流水线

# 1. Code Commit
# 2. SAST Scan: SonarQube, Semgrep (static code analysis)
# 3. Dependency Check: Snyk, Trivy (vulnerability scanning)
# 4. Build: Docker image
# 5. Container Scan: Trivy, Grype (image vulnerabilities)
# 6. DAST Scan: OWASP ZAP (runtime security testing)
# 7. Deploy: Only if all scans pass
# 8. Runtime Protection: Falco, AWS GuardDuty

Terraform 基础设施部署

# 1. Write: Define infrastructure in .tf files
# 2. Init: terraform init (download providers)
# 3. Plan: terraform plan (preview changes)
# 4. Apply: terraform apply (create/update resources)
# 5. State: Store state in S3 with DynamoDB locking
# 6. Modules: Reuse common patterns across environments

CI/CD ：自动化测试和部署，使用功能标志进行渐进式发布
GitOps ：声明式基础设施，Git 作为单一事实来源，自动同步
监控：实施可观测性（日志、指标、追踪），设置告警
事件管理 ：操作手册、事后分析、无责文化
自动化 ：基础设施即代码、配置管理、自助服务平台

左移：在流水线早期进行安全扫描（SAST、依赖项检查）
密钥管理 ：使用 Vault、AWS Secrets Manager 或密封密钥（切勿在代码/Git 中）
容器安全 ：以非 root 用户运行、最小化基础镜像、定期扫描
网络安全 ：零信任架构、服务网格、网络策略
访问控制 ：最小权限 IAM、MFA、临时凭证
合规性 ：审计日志记录、静态/传输中加密、定期安全审查
运行时保护 ：安全监控、入侵检测、自动响应

成本优化 (FinOps)

标记：强制执行资源标记以进行成本分配和跟踪
资源优化 ：分析利用率，缩减过度配置的资源
预留容量 ：为可预测的工作负载购买 RI/Savings Plans（最高 72% 折扣）
竞价/可抢占实例 ：用于容错工作负载（最高 90% 折扣）
调度：在非工作时间自动停止开发/测试环境
存储优化 ：生命周期策略、归档到更便宜的层级、删除孤立资源
监控：预算告警、成本异常检测、成本分摊/成本展示
治理：昂贵资源的审批工作流、配额管理

资源管理 ：设置请求/限制，使用水平 Pod 自动扩缩容
高可用性 ：多可用区集群、Pod 中断预算、反亲和性规则
安全：RBAC、Pod 安全策略、网络策略、准入控制器
可观测性 ：Prometheus 指标、分布式追踪、集中式日志记录
GitOps ：使用 ArgoCD/Flux 进行声明式部署，自动漂移修正

计算：自动扩缩容、负载均衡、多区域以实现低延迟
缓存：CDN、内存缓存（Redis/Memcached）、边缘计算
存储：选择适当的层级（SSD 与 HDD）、启用缓存、静态资产的 CDN
容器：多阶段构建、最小化镜像、层缓存
数据库 ：连接池、只读副本、查询优化、索引

本地开发 ：使用 Docker Compose 实现一致的环境、开发容器
测试：在 CI/CD 流水线中进行单元、集成、端到端测试
基础设施即代码 ：使用 Terraform/CloudFormation 实现可重复性
文档：架构图、操作手册、API 文档
版本控制 ：用于代码和基础设施的 Git、语义化版本控制

需求	选择
计算
全球范围内低于 50 毫秒的延迟	Cloudflare Workers
无服务器函数（AWS 生态系统）	AWS Lambda
无服务器函数（Azure 生态系统）	Azure Functions
容器化工作负载（托管）	AWS ECS/Fargate、Azure AKS、GCP Cloud Run
大规模 Kubernetes	AWS EKS、Azure AKS、GCP GKE
具有完全控制权的虚拟机	AWS EC2、Azure 虚拟机、GCP 计算引擎
存储
对象存储（S3 兼容）	AWS S3、Cloudflare R2（零出口）、Azure Blob
用于虚拟机的块存储	AWS EBS、Azure 托管磁盘、GCP 持久磁盘
文件存储（NFS/SMB）	AWS EFS、Azure 文件、GCP Filestore
数据库
托管 SQL（AWS）	AWS RDS（PostgreSQL、MySQL、SQL Server）
托管 SQL（Azure）	Azure SQL 数据库
托管 SQL（GCP）	Cloud SQL
NoSQL 键值存储	AWS DynamoDB、Azure Cosmos DB、Cloudflare KV
全局 SQL（边缘读取）	Cloudflare D1、AWS Aurora Global
CI/CD 和 GitOps
GitHub 集成的 CI/CD	GitHub Actions
自托管 CI/CD	GitLab CI/CD、Jenkins
Kubernetes GitOps	ArgoCD、Flux
成本优化
可预测的工作负载	预留实例、Savings Plans
容错工作负载	竞价实例（AWS）、可抢占虚拟机（GCP）
开发/测试环境	自动调度、预算告警
安全
密钥管理	HashiCorp Vault、AWS Secrets Manager、Azure Key Vault
容器扫描	Trivy、Snyk、AWS ECR 扫描
SAST/DAST	SonarQube、Semgrep、OWASP ZAP
特殊用例
静态站点 + 边缘函数	Cloudflare Pages、AWS Amplify
WebSocket/实时	Cloudflare Durable Objects、AWS API Gateway WebSocket
ML/AI 流水线	AWS SageMaker、GCP Vertex AI、Azure ML
浏览器自动化	Cloudflare Browser Rendering、AWS Lambda + Puppeteer

AWS 文档： https://docs.aws.amazon.com
Azure 文档： https://docs.microsoft.com/azure
GCP 文档： https://cloud.google.com/docs
Cloudflare 文档： https://developers.cloudflare.com

Docker 文档： https://docs.docker.com
Kubernetes 文档： https://kubernetes.io/docs
Helm： https://helm.sh/docs

基础设施即代码

FinOps 和成本优化

FinOps 基金会： https://www.finops.org
AWS 成本优化： https://aws.amazon.com/pricing/cost-optimization
Kubecost： https://www.kubecost.com

安装 AWS CLI 和 SAM CLI
配置 AWS 凭证（访问密钥、秘密密钥）
使用 SAM 模板创建 Lambda 函数
配置 IAM 角色和策略
使用 sam local invoke 在本地测试
使用 sam deploy 部署
设置 CloudWatch 监控和告警

AWS EKS Kubernetes 集群

安装 kubectl、eksctl、aws-cli
配置 AWS 凭证
使用 eksctl 创建 EKS 集群
配置 kubectl 上下文
安装集群自动扩缩容器
为包管理设置 Helm
使用 kubectl/Helm 部署应用
配置入口控制器（ALB/NGINX）

安装 Azure CLI
使用 az login 登录
创建资源组
部署应用服务或 AKS
配置持续部署
使用 Application Insights 设置监控

在任何云上的 Kubernetes

安装 kubectl 和 helm
连接到集群（更新 kubeconfig）
为环境创建命名空间
应用 RBAC 策略
部署应用（部署、服务）
为外部访问配置入口
设置监控（Prometheus、Grafana）
使用 ArgoCD/Flux 实施 GitOps

CI/CD 流水线 (GitHub Actions)

创建 .github/workflows/deploy.yml
配置密钥（云凭证、API 密钥）
添加构建和测试作业
添加容器构建并推送到注册表
添加部署作业到云平台
设置分支保护规则
启用状态检查和通知

实施资源标记策略
启用成本分配标记
设置预算告警
分析资源利用率（CloudWatch、Azure Monitor）
识别资源优化机会
为可预测的工作负载购买预留实例
配置自动扩缩容和调度
定期成本审查和优化

向 CI/CD 添加 SAST 扫描（SonarQube、Semgrep）
添加依赖项扫描（Snyk、Trivy）
实施容器镜像扫描
设置密钥管理（Vault、云提供商）
配置安全组和网络策略
启用审计日志记录
实施安全监控和告警
定期漏洞评估

安装 Wrangler CLI
创建 Worker 项目
配置 wrangler.toml（绑定、路由）
使用 wrangler dev 在本地测试
使用 wrangler deploy 部署

使用多阶段构建编写 Dockerfile
创建 .dockerignore 文件
在本地测试构建
推送到注册表（ECR、ACR、GCR、Docker Hub）
部署到目标平台

2026 年 1 月 21 日

🇺🇸English

Infrastructure Engineering Skill

Comprehensive guide for modern infrastructure engineering covering DevOps practices, multi-cloud platforms (AWS, Azure, GCP, Cloudflare), FinOps cost optimization, and DevSecOps security practices.

When to Use This Skill

Use this skill when:

DevOps : Setting up CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins), implementing GitOps workflows (ArgoCD, Flux)
AWS : Deploying to EC2, Lambda, ECS, EKS, managing S3, RDS, using CloudFormation/CDK
Azure : Working with Azure VMs, App Service, AKS, Azure Functions, Storage Accounts
GCP : Managing Compute Engine, GKE, Cloud Run, Cloud Storage, App Engine
Cloudflare : Deploying Workers, R2 storage, D1 databases, Pages applications
Kubernetes : Managing clusters, deployments, services, ingress, Helm charts, operators
Docker : Containerizing applications, multi-stage builds, Docker Compose, registries
FinOps : Analyzing cloud costs, optimizing spend, reserved instances, spot instances, rightsizing
DevSecOps : Security scanning (SAST/DAST), vulnerability management, secrets management, compliance
IaC : Terraform, CloudFormation, Pulumi, configuration management
Monitoring : Setting up observability, logging, metrics, alerting, distributed tracing

Platform Selection Guide

When to Use AWS

Best For:

General-purpose cloud computing at scale
Mature ecosystem with 200+ services
Enterprise workloads with compliance requirements
Hybrid cloud with AWS Outposts
Extensive third-party integrations
Advanced networking and security controls

Key Services:

EC2 (virtual machines, flexible compute)
Lambda (serverless functions, event-driven)
ECS/EKS (container orchestration)
S3 (object storage, industry standard)
RDS (managed relational databases)
DynamoDB (NoSQL, global tables)
CloudFormation/CDK (infrastructure as code)
IAM (identity and access management)
VPC (virtual private cloud networking)

Cost Profile: Pay-as-you-go, reserved instances (up to 72% discount), savings plans, spot instances (up to 90% discount)

When to Use Azure

Best For:

Microsoft-centric organizations (.NET, Active Directory)
Hybrid cloud scenarios (Azure Arc, Stack)
Enterprise agreements with Microsoft
Windows Server and SQL Server workloads
Integration with Microsoft 365 and Dynamics
Strong compliance certifications (90+ certifications)

Key Services:

Virtual Machines (Windows/Linux compute)
App Service (PaaS for web apps)
AKS (managed Kubernetes)
Azure Functions (serverless compute)
Storage Accounts (Blob, File, Queue, Table)
SQL Database (managed SQL Server)
Active Directory (identity management)
ARM Templates/Bicep (infrastructure as code)

Cost Profile: Pay-as-you-go, reserved instances, Azure Hybrid Benefit for Windows/SQL Server licenses

When to Use Cloudflare

Best For:

Edge-first applications with global distribution
Ultra-low latency requirements (<50ms)
Static sites with serverless functions
Zero egress cost scenarios (R2 storage)
WebSocket/real-time applications (Durable Objects)
AI/ML at the edge (Workers AI)

Key Products:

Workers (serverless functions)
R2 (object storage, S3-compatible)
D1 (SQLite database with global replication)
KV (key-value store)
Pages (static hosting + functions)
Durable Objects (stateful compute)
Browser Rendering (headless browser automation)

Cost Profile: Pay-per-request, generous free tier, zero egress fees

When to Use Kubernetes

Best For:

Container orchestration at scale
Microservices architectures with 10+ services
Multi-cloud and hybrid deployments
Self-healing and auto-scaling workloads
Complex deployment strategies (blue/green, canary)
Service mesh architectures (Istio, Linkerd)
Stateful applications with operators

Key Features:

Declarative configuration (YAML manifests)
Automated rollouts and rollbacks
Service discovery and load balancing
Self-healing (restarts failed containers)
Horizontal pod autoscaling
Secret and configuration management
Storage orchestration
Batch job execution

Managed Options: EKS (AWS), AKS (Azure), GKE (GCP), managed k8s providers

Cost Profile: Cluster management fees + node costs (optimize with spot instances, cluster autoscaling)

When to Use Docker

Best For:

Local development consistency
Microservices architectures
Multi-language stack applications
Traditional VPS/VM deployments
Foundation for Kubernetes workloads
CI/CD build environments
Database containerization (dev/test)

Key Capabilities:

Application isolation and portability
Multi-stage builds for optimization
Docker Compose for multi-container apps
Volume management for data persistence
Network configuration and service discovery
Cross-platform compatibility (amd64, arm64)
BuildKit for improved build performance

Cost Profile: Infrastructure cost only (compute + storage), no orchestration overhead

When to Use Google Cloud

Best For:

Enterprise-scale applications
Data analytics and ML pipelines (BigQuery, Vertex AI)
Hybrid/multi-cloud deployments
Kubernetes at scale (GKE)
Managed databases (Cloud SQL, Firestore, Spanner)
Complex IAM and compliance requirements

Key Services:

Compute Engine (VMs)
GKE (managed Kubernetes)
Cloud Run (containerized serverless)
App Engine (PaaS)
Cloud Storage (object storage)
Cloud SQL (managed databases)

Cost Profile: Varied pricing, sustained use discounts, committed use contracts

Quick Start

AWS Lambda Function

# Install AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install

# Configure credentials
aws configure

# Create Lambda function with SAM
sam init --runtime python3.11
sam build && sam deploy --guided

See: references/aws-lambda.md

AWS EKS Kubernetes Cluster

# Install eksctl
brew install eksctl  # or curl download

# Create cluster
eksctl create cluster \
  --name my-cluster \
  --region us-west-2 \
  --nodegroup-name standard-workers \
  --node-type t3.medium \
  --nodes 3 \
  --nodes-min 1 \
  --nodes-max 4

See: references/kubernetes-basics.md

Azure Deployment

# Install Azure CLI
curl -L https://aka.ms/InstallAzureCli | bash

# Login and create resources
az login
az group create --name myResourceGroup --location eastus
az webapp create --resource-group myResourceGroup \
  --name myapp --runtime "NODE:18-lts"

See: references/azure-basics.md

Cloudflare Workers

# Install Wrangler CLI
npm install -g wrangler

# Create and deploy Worker
wrangler init my-worker
cd my-worker
wrangler deploy

See: references/cloudflare-workers-basics.md

Kubernetes Deployment

# Create deployment
kubectl create deployment nginx --image=nginx:latest
kubectl expose deployment nginx --port=80 --type=LoadBalancer

# Apply from manifest
kubectl apply -f deployment.yaml

# Check status
kubectl get pods,services,deployments

See: references/kubernetes-basics.md

Docker Container

# Create Dockerfile
cat > Dockerfile <<EOF
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .
EXPOSE 3000
CMD ["node", "server.js"]
EOF

# Build and run
docker build -t myapp .
docker run -p 3000:3000 myapp

See: references/docker-basics.md

Reference Navigation

AWS (Amazon Web Services)

aws-overview.md - AWS fundamentals, account setup, IAM basics
aws-ec2.md - EC2 instances, AMIs, security groups, auto-scaling
aws-lambda.md - Serverless functions, SAM, event sources, layers
aws-ecs-eks.md - Container orchestration, ECS vs EKS, Fargate
aws-s3-rds.md - S3 storage, RDS databases, backup strategies
aws-cloudformation.md - Infrastructure as code, CDK, best practices
aws-networking.md - VPC, subnets, security groups, load balancers

Azure (Microsoft Azure)

azure-basics.md - Azure fundamentals, subscriptions, resource groups
azure-compute.md - VMs, App Service, AKS, Azure Functions
azure-storage.md - Storage Accounts, Blob, Files, managed disks

Cloudflare Platform

cloudflare-platform.md - Edge computing overview, key components
cloudflare-workers-basics.md - Getting started, handler types, basic patterns
cloudflare-workers-advanced.md - Advanced patterns, performance, optimization
cloudflare-workers-apis.md - Runtime APIs, bindings, integrations
cloudflare-r2-storage.md - R2 object storage, S3 compatibility, best practices
cloudflare-d1-kv.md - D1 SQLite database, KV store, use cases
browser-rendering.md - Puppeteer/Playwright automation on Cloudflare

Kubernetes & Container Orchestration

kubernetes-basics.md - Core concepts, pods, deployments, services
kubernetes-advanced.md - StatefulSets, operators, custom resources
kubernetes-networking.md - Ingress, service mesh, network policies
helm-charts.md - Package management, charts, repositories

Docker Containerization

docker-basics.md - Core concepts, Dockerfile, images, containers
docker-compose.md - Multi-container apps, networking, volumes
docker-security.md - Image scanning, secrets, best practices

Google Cloud Platform

gcloud-platform.md - GCP overview, gcloud CLI, authentication
gcloud-services.md - Compute Engine, GKE, Cloud Run, App Engine

CI/CD & GitOps

cicd-github-actions.md - GitHub Actions workflows, runners, secrets
cicd-gitlab.md - GitLab CI/CD pipelines, artifacts, caching
gitops-argocd.md - ArgoCD setup, app of apps pattern, sync policies
gitops-flux.md - Flux controllers, GitOps toolkit, multi-tenancy

FinOps (Cost Optimization)

finops-basics.md - Cost optimization principles, FinOps lifecycle
finops-aws.md - AWS cost optimization, RI, savings plans, spot
finops-azure.md - Azure cost management, reservations, hybrid benefit
finops-gcp.md - GCP cost optimization, committed use, sustained use
finops-tools.md - Cost analysis tools, Kubecost, CloudHealth, Infracost

DevSecOps (Security)

devsecops-basics.md - Security best practices, shift-left security
devsecops-scanning.md - SAST, DAST, SCA, container scanning
secrets-management.md - Vault, AWS Secrets Manager, sealed secrets
compliance.md - SOC2, HIPAA, PCI-DSS, audit logging

Infrastructure as Code

terraform-basics.md - Terraform fundamentals, providers, state
terraform-advanced.md - Modules, workspaces, remote state
cloudformation-basics.md - CloudFormation templates, stacks, change sets

Utilities & Scripts

scripts/cloudflare-deploy.py - Automate Cloudflare Worker deployments
scripts/docker-optimize.py - Analyze and optimize Dockerfiles
scripts/cost-analyzer.py - Cloud cost analysis and reporting
scripts/security-scanner.py - Automated security scanning

Common Workflows

Multi-Cloud Architecture

# Edge Layer: Cloudflare Workers (global routing, caching)
# Compute Layer: AWS ECS/Lambda or Azure App Service (application logic)
# Data Layer: AWS RDS or Azure SQL (persistent storage)
# CDN/Storage: Cloudflare R2 or AWS S3 (static assets)

Benefits:
- Best-of-breed services per layer
- Geographic redundancy
- Cost optimization across providers

AWS ECS Deployment with CI/CD

# GitHub Actions workflow
name: Deploy to ECS
on: push
jobs:
  deploy:
    - Build Docker image
    - Push to ECR
    - Update ECS task definition
    - Deploy to ECS service
    - Wait for deployment stabilization

Kubernetes GitOps with ArgoCD

# Git repository structure
/apps
  /production
    - deployment.yaml
    - service.yaml
    - ingress.yaml
  /staging
    - deployment.yaml

# ArgoCD syncs cluster state from Git
# Changes: Git commit → ArgoCD detects → Auto-sync to cluster

Multi-Stage Docker Build

# Build stage
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Production stage
FROM node:20-alpine
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
USER node
CMD ["node", "dist/server.js"]

FinOps Cost Optimization Workflow

# 1. Discovery: Identify untagged resources
# 2. Analysis: Right-size instances (CPU/memory utilization)
# 3. Optimization:
#    - Convert to reserved instances (predictable workloads)
#    - Use spot instances (fault-tolerant workloads)
#    - Schedule start/stop (dev environments)
# 4. Monitoring: Set budget alerts, track savings
# 5. Governance: Enforce tagging policies

DevSecOps Security Pipeline

# 1. Code Commit
# 2. SAST Scan: SonarQube, Semgrep (static code analysis)
# 3. Dependency Check: Snyk, Trivy (vulnerability scanning)
# 4. Build: Docker image
# 5. Container Scan: Trivy, Grype (image vulnerabilities)
# 6. DAST Scan: OWASP ZAP (runtime security testing)
# 7. Deploy: Only if all scans pass
# 8. Runtime Protection: Falco, AWS GuardDuty

Terraform Infrastructure Deployment

# 1. Write: Define infrastructure in .tf files
# 2. Init: terraform init (download providers)
# 3. Plan: terraform plan (preview changes)
# 4. Apply: terraform apply (create/update resources)
# 5. State: Store state in S3 with DynamoDB locking
# 6. Modules: Reuse common patterns across environments

Best Practices

DevOps

CI/CD : Automate testing and deployment, use feature flags for progressive rollouts
GitOps : Declarative infrastructure, Git as single source of truth, automated sync
Monitoring : Implement observability (logs, metrics, traces), set up alerting
Incident Management : Runbooks, postmortems, blameless culture
Automation : Infrastructure as code, configuration management, self-service platforms

Security (DevSecOps)

Shift Left : Security scanning early in pipeline (SAST, dependency checks)
Secrets Management : Use Vault, AWS Secrets Manager, or sealed secrets (never in code/Git)
Container Security : Run as non-root, minimal base images, regular scanning
Network Security : Zero-trust architecture, service mesh, network policies
Access Control : Least privilege IAM, MFA, temporary credentials
Compliance : Audit logging, encryption at rest/transit, regular security reviews
Runtime Protection : Security monitoring, intrusion detection, automated response

Cost Optimization (FinOps)

Tagging : Enforce resource tagging for cost allocation and tracking
Rightsizing : Analyze utilization, downsize over-provisioned resources
Reserved Capacity : Purchase RI/savings plans for predictable workloads (up to 72% discount)
Spot/Preemptible : Use for fault-tolerant workloads (up to 90% discount)
Scheduling : Auto-stop dev/test environments during off-hours
Storage Optimization : Lifecycle policies, archive to cheaper tiers, delete orphaned resources
Monitoring : Budget alerts, cost anomaly detection, chargeback/showback
Governance : Approval workflows for expensive resources, quota management

Kubernetes

Resource Management : Set requests/limits, use horizontal pod autoscaling
High Availability : Multi-zone clusters, pod disruption budgets, anti-affinity rules
Security : RBAC, pod security policies, network policies, admission controllers
Observability : Prometheus metrics, distributed tracing, centralized logging
GitOps : ArgoCD/Flux for declarative deployments, automatic drift correction

Performance

Compute : Auto-scaling, load balancing, multi-region for low latency
Caching : CDN, in-memory caching (Redis/Memcached), edge computing
Storage : Choose appropriate tier (SSD vs HDD), enable caching, CDN for static assets
Containers : Multi-stage builds, minimal images, layer caching
Databases : Connection pooling, read replicas, query optimization, indexing

Development

Local Development : Docker Compose for consistent environments, dev containers
Testing : Unit, integration, end-to-end tests in CI/CD pipeline
Infrastructure as Code : Terraform/CloudFormation for repeatability
Documentation : Architecture diagrams, runbooks, API documentation
Version Control : Git for code and infrastructure, semantic versioning

Decision Matrix

Need	Choose
Compute
Sub-50ms latency globally	Cloudflare Workers
Serverless functions (AWS ecosystem)	AWS Lambda
Serverless functions (Azure ecosystem)	Azure Functions
Containerized workloads (managed)	AWS ECS/Fargate, Azure AKS, GCP Cloud Run
Kubernetes at scale	AWS EKS, Azure AKS, GCP GKE
VMs with full control	AWS EC2, Azure VMs, GCP Compute Engine
Storage
Object storage (S3-compatible)	AWS S3, Cloudflare R2 (zero egress), Azure Blob
Block storage for VMs	AWS EBS, Azure Managed Disks, GCP Persistent Disk
File storage (NFS/SMB)	AWS EFS, Azure Files, GCP Filestore
Database

Resources

Implementation Checklist

AWS Lambda Deployment

Install AWS CLI and SAM CLI
Configure AWS credentials (access key, secret key)
Create Lambda function with SAM template
Configure IAM role and policies
Test locally with sam local invoke
Deploy with sam deploy
Set up CloudWatch monitoring and alarms

AWS EKS Kubernetes Cluster

Install kubectl, eksctl, aws-cli
Configure AWS credentials
Create EKS cluster with eksctl
Configure kubectl context
Install cluster autoscaler
Set up Helm for package management
Deploy applications with kubectl/Helm
Configure ingress controller (ALB/NGINX)

Azure Deployment

Install Azure CLI
Login with az login
Create resource group
Deploy App Service or AKS
Configure continuous deployment
Set up monitoring with Application Insights

Kubernetes on Any Cloud

Install kubectl and helm
Connect to cluster (update kubeconfig)
Create namespaces for environments
Apply RBAC policies
Deploy applications (deployments, services)
Configure ingress for external access
Set up monitoring (Prometheus, Grafana)
Implement GitOps with ArgoCD/Flux

CI/CD Pipeline (GitHub Actions)

Create .github/workflows/deploy.yml
Configure secrets (cloud credentials, API keys)
Add build and test jobs
Add container build and push to registry
Add deployment job to cloud platform
Set up branch protection rules
Enable status checks and notifications

FinOps Cost Optimization

Implement resource tagging strategy
Enable cost allocation tags
Set up budget alerts
Analyze resource utilization (CloudWatch, Azure Monitor)
Identify rightsizing opportunities
Purchase reserved instances for predictable workloads
Configure auto-scaling and scheduling
Regular cost reviews and optimization

DevSecOps Security

Add SAST scanning to CI/CD (SonarQube, Semgrep)
Add dependency scanning (Snyk, Trivy)
Implement container image scanning
Set up secrets management (Vault, cloud provider)
Configure security groups and network policies
Enable audit logging
Implement security monitoring and alerting
Regular vulnerability assessments

Cloudflare Workers

Install Wrangler CLI
Create Worker project
Configure wrangler.toml (bindings, routes)
Test locally with wrangler dev
Deploy with wrangler deploy

Docker

Write Dockerfile with multi-stage builds
Create .dockerignore file
Test build locally
Push to registry (ECR, ACR, GCR, Docker Hub)
Deploy to target platform

Weekly Installs

Repository

samhvw8/dotfiles

GitHub Stars

First Seen

Jan 21, 2026

Security Audits

Gen Agent Trust HubFail SocketPass SnykWarn

Installed on

opencode67

codex64

gemini-cli63

claude-code63

cursor62

github-copilot58

基础设施工程师技能指南：DevOps、多云平台、Kubernetes、Docker、FinOps、DevSecOps 实践

🇨🇳中文介绍

基础设施工程技能

何时使用此技能

平台选择指南

何时使用 AWS

相关 Skills

何时使用 Azure

何时使用 Cloudflare

何时使用 Kubernetes

何时使用 Docker

何时使用 Google Cloud

快速开始

AWS Lambda 函数

AWS EKS Kubernetes 集群

Azure 部署

Cloudflare Workers

Kubernetes 部署

Docker 容器

参考导航

AWS (Amazon Web Services)

Azure (Microsoft Azure)

Cloudflare 平台

Kubernetes 和容器编排

Docker 容器化

Google Cloud Platform

CI/CD 和 GitOps

FinOps (成本优化)

DevSecOps (安全)

基础设施即代码

实用工具和脚本

常见工作流

多云架构

使用 CI/CD 的 AWS ECS 部署

使用 ArgoCD 的 Kubernetes GitOps

多阶段 Docker 构建

FinOps 成本优化工作流

DevSecOps 安全流水线

Terraform 基础设施部署

最佳实践

DevOps

安全 (DevSecOps)

成本优化 (FinOps)

Kubernetes

性能

开发

决策矩阵

资源

云提供商

容器和编排

CI/CD 和 GitOps

基础设施即代码

安全和合规性

FinOps 和成本优化

实施清单

AWS Lambda 部署

AWS EKS Kubernetes 集群

Azure 部署

在任何云上的 Kubernetes

CI/CD 流水线 (GitHub Actions)

FinOps 成本优化

DevSecOps 安全

Cloudflare Workers

Docker

🇺🇸English

Infrastructure Engineering Skill

When to Use This Skill

Platform Selection Guide

When to Use AWS

When to Use Azure

When to Use Cloudflare

When to Use Kubernetes

When to Use Docker

When to Use Google Cloud

Quick Start

AWS Lambda Function

AWS EKS Kubernetes Cluster

Azure Deployment

Cloudflare Workers

Kubernetes Deployment