A Tezos Bakery on Kubernetes

Cattle, not pets. Deploy your infrastructure in a repeatable fashion. Photo by Christopher Burns on Unsplash

Blockchains on Kubernetes

The cloud is not good enough for the baking key

  • the software may be exploited. In this setup, the node runs in a container hosted in a VM on cloud servers. Any layer may be vulnerable.
  • you may accidentally leak your secrets (operator error)
  • your credentials may get stolen
  • the cloud provider may terminate your account

Double-baking risk

  • the regional Kubernetes cluster gets in a split-brain situation where two availablility zones loose communication between each other and each ones starts a baking node
  • the Ledger app contains a protection against double baking. The high watermark increases after every operation, so two operations at the same block height are impossible on the same Ledger. The load balancer always targets signer 1 unless it becomes offline. If signer 1 becomes unreachable, then signer 2 may sign an operation at the same block height.

Pay your rewards… on time

Nothing comes without an effort


  • internal monitoring: is the baking node connected to two public nodes ? Are the two remote signers ready to sign operations ? Is the most recent block current ?
    Prometheus seems to be a good candidate to monitor these metrics. A Tezos prometheus exporter exists and should be appropriate to run as a sidecar of the baking node.
    Google Stackdriver has some alerting capabilities that may be useful to act upon these metrics.
  • external monitoring: while cluster observability is essential, you must also roll out an external node to observe the behavior of the baker from the point of view of the network itself. We recommend deploying tezos-network-monitor from Polychain Labs.

Hey, Tezos developers ! Feature requests

Special storage mode for bakers

Ping Ledger

tezos-client get ledger authorized path for <account-alias-or-ledger-uri>

Please contribute




Staking-as-a-service provider.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Creator Interview With David Thorpe

Creator Interview with David Thorpe

Switch Statements to the Rescue

How to Parse JSON in Scala

Create an instance attached to EFS using Terraform

SQL Challenge: 15 Days of Learning SQL

3com 3c905c Driver For Windows 7

My Steps Towards A Successful IT Career

Problems with a software project estimates

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Staking-as-a-service provider.

More from Medium

Integrating Open Policy Agent(OPA)with Kubernetes using OPA Gatekeeper

Vault-agent-injector fetches secret twice when using dynamic secret with environment variable on…

Enterprises Easily Integrate Kubernetes… Neglecting Security

How to execute Incident Response script on Kubernetes node using EDR agent in a privileged pod.