DevOps Engineer Roadmap

Module 1

Every tool in this roadmap runs on Linux. Get fluent with the shell, file system, processes, networking, and scripting — the skills that separate people who use DevOps tools from people who understand them.

• The Shell & Navigationcd, ls, pwd & moving around fast
• Pipes & RedirectionComposing tools with | > >> <
• File Permissionsrwx, chmod, chown explained
• Users, Groups & sudoWho can do what on a Linux box
• Processes & Signalsps, top, kill & what happens on Ctrl-C
• systemd ServicesHow Linux runs (and restarts) software
• Cron & Scheduled JobsRunning things on a schedule
• Ports, IPs & DNSNetworking in three concepts
• Firewallsiptables and ufw, just enough
• Shell Scripting BasicsVariables, loops & exit codes
• Debugging Failing Commandsset -e, $?, strace & real fixes

Project: Spin up an Ubuntu VM, configure SSH key-based login, create a deploy user with sudo access, and write a bash script that checks disk usage, memory, and running services — scheduled with cron to log every 5 minutes.

Module 2

Every pipeline, every GitOps tool, every IaC repo assumes you understand Git deeply. Get past 'git pull, git push' to actually controlling history and collaborating safely.

• How Git Stores ThingsBlobs, trees, commits & SHA hashes
• Branching & MergingWhat a branch actually is
• Rebase vs MergeTwo ways to combine work, when to use each
• Pull Request WorkflowThe default collaboration pattern
• Trunk-Based DevelopmentWhy short-lived branches win
• Branch Protection & CODEOWNERSGuardrails that scale teams

Project: Initialize the DeployBot repo, set up branch protection on main, configure CODEOWNERS, and run through a realistic PR workflow including a feature branch, conflict resolution, and a clean rebase.

Module 3

Build real pipelines that lint, test, build images, and trigger deploys — not toy examples. By the end you'll know why every step is there.

• Workflow AnatomyThe YAML you'll write a lot
• Triggers & Eventspush, PR, schedule, manual
• Jobs, Steps & RunnersWhere your code actually executes
• Secrets & GitHub OIDCNo more hardcoded AWS keys
• Caching BuildsMake CI 5x faster
• Matrix BuildsTest across versions in parallel
• Reusable WorkflowsDon't repeat YAML across repos
• Custom ActionsWhen to package your own step

Project: Build a GitHub Actions pipeline for DeployBot: on every push, run lint and tests in parallel, build a Docker image with a git SHA tag, push it to ECR via OIDC, and post a Slack notification on result. Add a manual approval gate for prod.

Module 4

Containers are the unit of deployment in modern infra. Learn to build small, secure, reproducible images — and what Docker is actually doing under the hood.

• What a Container Actually IsHint: not a tiny VM
• Namespaces & cgroupsThe two Linux primitives behind it all
• Writing a DockerfileFROM, RUN, COPY, CMD — properly
• Layer CachingWhy order in your Dockerfile matters
• Multi-Stage BuildsBuild heavy, ship light
• Distroless & Image SizeSmaller image, smaller attack surface
• Running as Non-RootThe single biggest container security win
• Vulnerability ScanningTrivy, Grype & what to actually fix
• Docker ComposeMulti-service local dev that mirrors prod

Project: Containerize DeployBot with a multi-stage Dockerfile producing a distroless image (~50MB). Add Docker Compose with the app, Postgres, and Redis for local dev. Run Trivy to scan for vulnerabilities.

Module 5

Before deploying to Kubernetes, you need infrastructure. Understand the AWS building blocks — networking, identity, storage — that everything sits on.

• VPCs & SubnetsYour private slice of AWS
• Route Tables & NATHow traffic actually moves
• Security Groups vs NACLsTwo firewalls, very different
• IAM Users vs RolesWhen to use each, and why
• IAM Policies & TrustAllow, Deny, and assume-role
• Least Privilege in PracticeTightening from * to specific
• ECR for ImagesWhere your containers live in AWS
• S3 for Object StorageBuckets, versioning & state files
• EKS at a GlanceHow AWS runs Kubernetes for you

Project: Manually set up DeployBot's staging environment in AWS: VPC with public/private subnets across two AZs, NAT gateway, security groups, ECR repo, and an S3 bucket for Terraform state. Document every step — you'll automate it next.

Module 6

Clicking through the AWS console doesn't scale. Define infra as code, version it, review it in PRs, and apply it safely with terraform plan.

• Why Infrastructure as CodeReplacing ClickOps with PRs
• Providers & ResourcesTerraform's two main building blocks
• plan and applyThe diff-driven loop
• Terraform StateWhat it is and why it's special
• Variables & OutputsConfigurable, composable infra
• Locals & Data SourcesReading existing infra into your config
• ModulesReusable infrastructure as code
• Remote State & LockingWhy state should never live on a laptop
• Terraform in CIPlan on PR, apply on merge

Project: Rewrite everything you built manually in AWS as Terraform modules — VPC, EKS, ECR. Use remote state in S3 with DynamoDB locking. Separate tfvars for staging and prod. Run terraform plan as a PR check in CI.

Module 7

Deploy DeployBot to the EKS cluster you provisioned. Learn how Kubernetes schedules, networks, scales, and self-heals containers — and the resources that make it all work.

• Why KubernetesWhat problem it actually solves
• Cluster ArchitectureControl plane, nodes & scheduling
• PodsThe smallest deployable unit
• Deployments & ReplicaSetsHow you actually run apps
• ServicesStable networking for ephemeral pods
• IngressRouting HTTP traffic into your cluster
• ConfigMapsConfiguration without rebuilding images
• SecretsSensitive config, done right (and wrong)
• Requests & LimitsHow Kubernetes packs your nodes
• Liveness & Readiness ProbesTelling Kubernetes what 'healthy' means
• Rolling UpdatesZero-downtime deploys, explained
• Horizontal Pod AutoscalerScaling on CPU, memory & custom metrics
• Debugging with kubectllogs, exec, describe, events
• When Pods Don't StartImagePullBackOff, CrashLoopBackOff & friends

Project: Deploy DeployBot to EKS with a Deployment, Service, and Ingress with TLS via cert-manager. Use ConfigMaps and Secrets. Add an HPA on CPU. Verify a rolling update completes with zero downtime.

Module 8

A pipeline that deploys without visibility is a liability. Build the metrics, dashboards, and alerts that let you sleep at night and actually debug problems when they happen.

• Metrics, Logs & TracesThe three pillars and when you need each
• Prometheus ArchitectureHow scraping actually works
• PromQL EssentialsQuerying time series without tears
• Grafana DashboardsBuilding views your team will use
• The RED MethodRate, errors, duration for services
• The USE MethodUtilization, saturation, errors for resources
• Alerting BasicsWhat to alert on (and what not to)
• Alertmanager RoutingRight alert, right person, right channel

Project: Deploy Prometheus + Grafana via Helm. Instrument DeployBot with /metrics. Build a Grafana dashboard with the RED method (rate, errors, duration). Configure alerts for >1% error rate and >500ms p95 — routed to Slack via Alertmanager.

Module 9

Raw YAML doesn't scale past one environment. Learn to template, version, and share manifests so staging and prod use the same source with different values.

• Why Helm ExistsThe problem with raw YAML at scale
• Chart Anatomytemplates, values, _helpers.tpl
• Templating in PracticeConditionals, loops & overrides
• Chart DependenciesComposing charts from charts
• Helm HooksMigrations and pre/post deploy steps
• Kustomize BasicsOverlays without templating
• Helm vs KustomizePicking the right tool

Project: Convert DeployBot's manifests into a Helm chart. Use templates with conditionals for staging vs prod (replicas, limits, hostname). Add Postgres as a chart dependency. Compare with a Kustomize-based approach.

Module 10

Stop running kubectl apply from your laptop. Argo CD watches your Git repo and reconciles your cluster to match — if it drifts, it self-heals. This is how mature teams ship.

• GitOps PrinciplesWhy the repo is the source of truth
• Installing Argo CDBootstrap and first app
• Applications & ProjectsArgo CD's two key resources
• Sync PoliciesAuto-sync, self-heal, prune
• Multi-Environment PatternsApp-of-apps, ApplicationSets
• Argo Image UpdaterClosing the loop from CI to CD
• Progressive DeliveryArgo Rollouts, canaries & blue/green

Project: Install Argo CD on EKS. Create Applications for DeployBot staging and prod pointing at different branches. Auto-sync with self-heal on staging; manual sync with approval on prod. Wire up Argo Image Updater so new images deploy without manifest edits.

Module 11

Modern attacks target the build pipeline, not the running app. Learn to sign images, generate SBOMs, manage secrets without shoving them in env vars, and enforce policy at the cluster door.

• What an SBOM IsAnd why every regulator now wants one
• Image Signing with CosignProvable build provenance
• SLSA LevelsThe supply chain maturity model
• External Secrets OperatorPulling secrets from AWS into K8s
• AWS Secrets Manager & SSMWhere secrets actually belong
• Sealed SecretsEncrypted secrets safe to commit
• Policy as CodeOPA Gatekeeper & Kyverno

Project: Sign DeployBot images with Cosign in CI, generate a CycloneDX SBOM, and enforce signed-images-only on the cluster with a Kyverno policy. Replace inline secrets with External Secrets Operator + AWS Secrets Manager.