How to Read a Reference Architecture
Summary
- A reference architecture is a documented, opinionated example of a working system that you adapt rather than copy verbatim.
- Insight: The value is in the decisions and their rationale, not the YAML. Two teams with identical manifests can have wildly different outcomes if they misread the trade-offs.
- Key Concepts: the golden path, the isolation boundary (namespace, node pool, cluster, account), the control plane vs data plane split, and the GitOps source of truth.
- When to Use: when you are standing up a new platform, justifying an architecture review, or onboarding engineers who need a shared mental model.
- Limitations/Trade-offs: every reference encodes a context (team size, compliance, cloud, scale). A pattern that is correct for a 200-service EKS platform is over-engineering for a five-service startup.
- Related Topics: multi-tenancy, GitOps, node autoscaling, Pod Security Standards, cost and blast-radius isolation.
Foundations
A reference architecture answers one question: given these constraints, what does a defensible design look like?
It is a worked example. Like a solved math problem, the point is following the reasoning, not memorizing the final number.
Every good reference has three layers. The first is the narrative - the constraints and goals. The second is the decisions - what was chosen and, crucially, what was rejected. The third is the artifacts - the manifests, Dockerfiles, and Helm values that implement the decisions.
Beginners read only the artifacts. Experienced engineers read the narrative first, because the constraints tell you whether the artifacts even apply to you.
The core mental model is the isolation boundary. Every platform decides how strongly to separate tenants, teams, or environments.
The cheapest boundary is a Kubernetes namespace. Stronger boundaries are separate node pools, then separate clusters, then separate cloud accounts. Cost and operational overhead rise as isolation strengthens.
A reference architecture is, at heart, a set of choices about where to place these boundaries.
Mechanics & Interactions
To read a reference well, decompose it along the same axes every production platform shares.
Control plane versus data plane. The control plane (the Kubernetes API server, etcd, controllers) manages desired state. The data plane (your pods, running on nodes with containerd via CRI) serves traffic. A reference should tell you which parts are managed for you (EKS runs the control plane) and which you own.
The golden path. This is the paved road a developer follows to ship: build an image, sign it, push it, and let GitOps roll it out. If a reference cannot describe its golden path in five steps, it is not production-grade - it is a pile of components.
The source of truth. In modern platforms this is a Git repository reconciled by Argo CD or Flux. The cluster converges toward what Git says. Reading a reference means finding this repo and understanding what it does and does not control.
The trust boundary. Where does untrusted input enter? Usually at an ingress or Gateway. A reference should show default-deny NetworkPolicies, Pod Security Standards set to restricted, and image provenance checks. If security is bolted on at the end, treat the whole design with suspicion.
These axes interact. Stronger isolation (separate node pools) changes how autoscaling and scheduling work. A strict Pod Security Standard changes what base images and Dockerfiles are viable. Read the whole system, not one manifest.
Here is the shape of a golden-path deployment most references converge on.
apiVersion: apps/v1
kind: Deployment
metadata:
name: web
namespace: team-payments
spec:
replicas: 3
selector:
matchLabels: { app: web }
template:
metadata:
labels: { app: web }
spec:
securityContext:
runAsNonRoot: true
seccompProfile: { type: RuntimeDefault }
containers:
- name: web
# digest-pinned, scanned, signed upstream
image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/web@sha256:abc123
ports: [{ containerPort: 8080 }]
resources:
requests: { cpu: 100m, memory: 128Mi }
limits: { memory: 256Mi }
readinessProbe:
httpGet: { path: /healthz, port: 8080 }
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] }Notice how much intent is encoded: non-root, dropped capabilities, digest-pinned image, requests and limits, a probe. A reference architecture is a collection of these encoded intents at scale.
Advanced Considerations & Applications
The hardest skill is reading what a reference leaves out.
A reference for a regulated environment will spend pages on audit logging and image signing, and almost nothing on developer velocity. That is a signal about its context, not an oversight.
Watch the pinned versions. A design tested on Kubernetes 1.36 may rely on Gateway API being GA or on scheduler behavior that differed two minors ago. Always record the minor version and CNI, because upgrades can invalidate assumptions.
Apply a reference by grading your own context against its constraints. If your team is smaller, collapse boundaries: a namespace instead of a node pool. If your compliance is stricter, harden further.
The worked examples in this section - the multi-tenant EKS platform, the worker-heavy cluster, the regulated environment, and two before/after migrations - are meant to be read this way. Extract the decisions, map them to your constraints, and only then reach for the YAML.
Common Misconceptions
"A reference architecture is a template I can kubectl apply." No. It is a set of decisions. Applying it blind imports someone else's constraints you do not share.
"More components means more production-ready." Complexity is a cost. A three-service app on a full multi-tenant platform is usually a mistake, not maturity.
"The manifests are the architecture." The manifests are the output. The architecture is the reasoning that produced them, including the rejected options.
"If it worked for them, it will work for me." Scale, team size, cloud, and compliance change everything. Their spot-heavy worker cluster may bankrupt your latency SLO.
"Once documented, it is done." References rot. A design pinned to an old Kubernetes minor or a deprecated Ingress API needs to be replayed and revalidated on every upgrade.
FAQs
How is a reference architecture different from a tutorial? A tutorial teaches one mechanic in isolation. A reference shows many mechanics interacting under real constraints, including the trade-offs.
Should I copy the exact manifests? Copy the structure and intent, then re-derive the specifics for your context, versions, and cloud. Never paste a digest or account ID.
How do I know if a reference is trustworthy? It states its constraints, shows rejected alternatives, pins versions, and treats security as a default rather than an appendix.
What is the single most important thing to extract? The isolation boundaries and why they were placed where they are. Almost everything else follows from that.
How often should a reference be revisited? On every Kubernetes minor upgrade and any CNI or ingress-controller change, replay the key assumptions and update the pinned versions.
Related
- Reference: Multi-Tenant EKS Platform
- Reference: Worker-Heavy Cluster
- Reference: Regulated Environment
- Before/After: Compose to EKS Migration
- Case Studies Best Practices
Stack versions: This page was written for Kubernetes 1.36.2, Docker Engine 29.6.1 (BuildKit default), containerd (CRI runtime on nodes), Helm 3, Compose v2, Argo CD (latest - verify at build), and Gateway API (GA - verify controller support at build).