What This Is
An honest assessment of what I know about GKE/platform engineering based on production work, mapped against what the market expects for SRE and Platform Engineering roles.
Evidence basis:
- Production GKE platform work at a Fortune 10 tech company (namespace provisioning, Kafka upgrades, certificate renewals, incident response)
- Google Cloud Professional Cloud DevOps Engineer certification scope
- CNCF Cloud Native Maturity Model (2026)
- CNCF Annual Cloud Native Survey (2026)
Skills Assessment
Strong — Demonstrated with Production Evidence
| Skill | What I’ve Done |
|---|---|
| GKE namespace provisioning | Designed and executed end-to-end provisioning of isolated namespaces on shared cluster. 7-step dependency chain. |
| GitOps / Config Sync | All changes via code review → config sync → cluster reconciliation. No direct cluster mutations. Understand OCI-based sync, reconciliation timing, and failure modes. |
| Kustomize | Base + per-namespace overlays. Patches (JSON patch ops), configMapGenerator, managed vs manual sections. |
| RBAC | Namespace-scoped RoleBindings, ClusterRoles, operator permissions. Debugged real RBAC incident that blocked an entire namespace. |
| Workload Identity | Three-layer SA model: GCP SA → IAM bindings → KSA annotation. Understand the full chain from pod to Cloud SQL. |
| Cloud SQL on GKE | Proxy sidecar pattern, Workload Identity auth, private IP, fresh install vs clone, schema provisioning via one-time Jobs. |
| Kafka / Streaming Operator (Strimzi) | Shared operator managing per-namespace Kafka. Protocol version upgrades (3.5→3.9), RBAC requirements, pause-reconciliation pattern. Led upgrade from operator 0.36→0.45. |
| Elasticsearch on Kubernetes | 3-replica StatefulSet, PKCS12 certificates, certificate renewal (generate → extract → GitOps → rolling restart via annotation bump). Search/Reporting Service integration. |
| Certificate Management | ES certs (PKCS12), Kafka CA certs, TLS ingress certs. Renewal process end-to-end. Understand shared vs per-env cert decisions. |
| Secret Management | Secret Manager CSI driver (SecretProviderClass), Kubernetes secrets in GitOps, base64 encoding patterns. |
| Incident Response | Namespace sync blocked by missing RBAC (KNV2009). Certificate expiry approaching. Kafka upgrade compatibility issues. |
| Node Pool Management & Workload Placement | 3 dedicated node pools (regular, ES, Kafka) with taints/tolerations (dedicated=elasticsearch:NO_SCHEDULE, dedicated=kafka:NO_SCHEDULE). Stateful workloads isolated on dedicated nodes. Same pattern applies to GPU scheduling. |
| Infrastructure Automation | Understand how central config files trigger auto-generation of Terraform, IAM, DNS, IPs, and service accounts. Know which files are auto-managed vs manual. |
| CI/CD Pipeline (platform-level) | Rapid workflows build + attest container images. BinAuthz enforces signed images at admission. SHA256 digests (not tags) in all YAMLs. Artifact Registry at us-central1-docker.pkg.dev. |
Partial — Know the Concepts, Limited Hands-On
| Skill | What I Know | Gap |
|---|---|---|
| Terraform | Can read and understand auto-generated TF (Cloud SQL, IAM, networking). Know modules, state, plan/apply flow. | Haven’t written Terraform from scratch for a new service. Need hands-on with modules, remote state, workspaces. |
| Ingress / Networking | Global static IPs, hostname-based routing, TLS termination at GCLB, NEGs (cloud.google.com/neg), BackendConfig (timeouts, draining, Cloud Armor). | No NetworkPolicies in our cluster (verified). No service mesh. Need to add default-deny + allow rules. |
| Helm | Understand Helm charts conceptually (Strimzi uses them). Can read values.yaml and templates. | Haven’t authored a Helm chart or managed Helm releases in production. |
| Database Operations | Provisioning, proxy setup, schema creation, fresh install. | Limited experience with backup/restore, point-in-time recovery, connection pooling, migration strategies at scale. |
| Kafka Deep | Broker config, protocol upgrades, CA certs, operator lifecycle. | Limited experience with topic management, consumer groups, monitoring, Schema Registry, performance tuning. |
| Production Operations | Incident debugging, safe rollout (dependency-ordered CLs), verification gates. | No formal on-call rotation experience. No postmortem writing. |
Need Deliberate Practice
| Skill | Market Expectation | Current State |
|---|---|---|
| CI/CD Pipelines | Cloud Build, Cloud Deploy, GitHub Actions, ArgoCD, Jenkins. Build + test + deploy automation for both apps and infrastructure. | Our platform uses Rapid workflows + BinAuthz attestation (discovered in image_workflows/). Understand the CD side. Need hands-on building CI pipelines from scratch. |
| Observability | Prometheus, Grafana, OpenTelemetry, structured logging, custom metrics, alerting rules, SLI/SLO dashboards. | More than expected: Platform has Google Cloud Managed Prometheus, PodMonitoring CRDs, custom Cloudprober (Go probes: psql, mx, bug), SLOs in infra_slo.tf. Gap is operating dashboards + writing custom alert rules. |
| Service Mesh | Istio, Envoy, mTLS between services, traffic management, fault injection. | No hands-on experience. |
| Policy-as-Code | OPA/Gatekeeper, Kyverno, Pod Security Standards, admission controllers. | No PSA labels on namespaces (verified). BinAuthz IS policy enforcement (admission control for images). No OPA/Gatekeeper. |
| IaC from Scratch | Write Terraform for new GCP projects, modules, state backends, CI/CD for Terraform. | Can read/modify existing TF but haven’t built from zero. |
| Cost Optimization | Resource requests/limits tuning, right-sizing, committed use discounts, GKE Autopilot vs Standard, cost dashboards. | Set resource limits on deployments but no systematic FinOps practice. |
| ArgoCD | Open-source GitOps equivalent of the internal config sync system. | Strong conceptual understanding from config sync experience. Need hands-on ArgoCD setup. |
Learning Roadmap
Priority order (highest interview ROI first):
Tier 1 — Highest Impact (fill biggest gaps)
- CI/CD pipeline — Build a complete pipeline (GitHub Actions or Cloud Build) for a sample app: build → test → push image → deploy to GKE. This fills the most visible gap.
- Observability stack — Deploy Prometheus + Grafana on a local/dev cluster. Create custom dashboards, alerting rules, SLI/SLO. OpenTelemetry for tracing.
- Terraform from scratch — Provision a GKE cluster + Cloud SQL + networking using Terraform modules. Remote state in GCS.
Tier 2 — Strong Differentiators
- ArgoCD — Set up ArgoCD on a cluster, sync from Git. Compare/contrast with the enterprise config sync system (strong interview talking point).
- Policy-as-code — OPA/Gatekeeper policies on a test cluster. Enforce resource limits, label requirements, image source restrictions.
- Service mesh basics — Istio on a test cluster. mTLS, traffic splitting, fault injection.
Tier 3 — Depth & Polish
- Helm charting — Author a Helm chart for a multi-component app. Values, templates, dependencies.
- Cost optimization — VPA, resource right-sizing, GKE cost dashboards.
- Incident response formalization — Write a postmortem for the RBAC incident. Practice structured incident communication.
Target Roles (From Market Research)
Based on the combination of GKE platform + AI/ML skills:
- MLOps Engineer / ML Platform Engineer — Build the IDP for data scientists. Abstract Kubernetes away so they deploy models easily (Kubeflow, Ray, KServe on your GKE infrastructure).
- AI Infrastructure Engineer — Manage GKE clusters for ML: GPU scheduling, high-throughput training, low-latency inference, network optimization.
- Platform Engineer (AI/Data Focus) — Central platform team onboarding AI initiatives. The Kubernetes expert ensuring AI agents deploy securely using GitOps and IAM.
For detailed interview questions with answers mapped to each skill, see 17 GKE Whiteboard Questions.
How to Talk About Gaps in Interviews
Don’t hide gaps. Frame them as:
“My production experience is strongest in GitOps config management, Kubernetes namespace provisioning, identity/RBAC, and infrastructure automation. I’ve operated Kafka and Elasticsearch at scale on GKE. My growth areas are CI/CD pipeline authoring, the Prometheus/Grafana observability stack, and service mesh — I understand the concepts from working adjacent to them, and I’m actively building hands-on labs to close those gaps.”
This shows self-awareness, credibility (you name specific things you’ve done), and initiative (actively learning).