Source from repo
Kubernetes Specialist

Deploy and manage Kubernetes workloads: manifests, RBAC, Helm charts, service mesh, GitOps, and troubleshooting.
jeffallanGitHub jeffallanSource repo Original GitHub link Publisher page
Files
Skill
n/a
Size
129.5 KB
Entrypoint
SKILL.md
Format
git-repo
Open file
SKILL.md

Syntax-highlighted preview of this file as included in the skill package.
Rendered Source
markdown244 linesEntrypointFree
SKILL.md
1---
2name: kubernetes-specialist
3description: Use when deploying or managing Kubernetes workloads. Invoke to create deployment manifests, configure pod security policies, set up service accounts, define network isolation rules, debug pod crashes, analyze resource limits, inspect container logs, or right-size workloads. Use for Helm charts, RBAC policies, NetworkPolicies, storage configuration, performance optimization, GitOps pipelines, and multi-cluster management.
4license: MIT
5metadata:
6  author: https://github.com/Jeffallan
7  version: "1.1.1"
8  domain: infrastructure
9  triggers: Kubernetes, K8s, kubectl, Helm, container orchestration, pod deployment, RBAC, NetworkPolicy, Ingress, StatefulSet, Operator, CRD, CustomResourceDefinition, ArgoCD, Flux, GitOps, Istio, Linkerd, service mesh, multi-cluster, cost optimization, VPA, spot instances
10  role: specialist
11  scope: infrastructure
12  output-format: manifests
13  related-skills: devops-engineer, cloud-architect, sre-engineer, terraform-engineer, security-reviewer, chaos-engineer
14---
15 
16# Kubernetes Specialist
17 
18## When to Use This Skill
19 
20- Deploying workloads (Deployments, StatefulSets, DaemonSets, Jobs)
21- Configuring networking (Services, Ingress, NetworkPolicies)
22- Managing configuration (ConfigMaps, Secrets, environment variables)
23- Setting up persistent storage (PV, PVC, StorageClasses)
24- Creating Helm charts for application packaging
25- Troubleshooting cluster and workload issues
26- Implementing security best practices
27 
28## Core Workflow
29 
301. **Analyze requirements** — Understand workload characteristics, scaling needs, security requirements
312. **Design architecture** — Choose workload types, networking patterns, storage solutions
323. **Implement manifests** — Create declarative YAML with proper resource limits, health checks
334. **Secure** — Apply RBAC, NetworkPolicies, Pod Security Standards, least privilege
345. **Validate** — Run `kubectl rollout status`, `kubectl get pods -w`, and `kubectl describe pod <name>` to confirm health; roll back with `kubectl rollout undo` if needed
35 
36## Reference Guide
37 
38Load detailed guidance based on context:
39 
40| Topic | Reference | Load When |
41|-------|-----------|-----------|
42| Workloads | `references/workloads.md` | Deployments, StatefulSets, DaemonSets, Jobs, CronJobs |
43| Networking | `references/networking.md` | Services, Ingress, NetworkPolicies, DNS |
44| Configuration | `references/configuration.md` | ConfigMaps, Secrets, environment variables |
45| Storage | `references/storage.md` | PV, PVC, StorageClasses, CSI drivers |
46| Helm Charts | `references/helm-charts.md` | Chart structure, values, templates, hooks, testing, repositories |
47| Troubleshooting | `references/troubleshooting.md` | kubectl debug, logs, events, common issues |
48| Custom Operators | `references/custom-operators.md` | CRD, Operator SDK, controller-runtime, reconciliation |
49| Service Mesh | `references/service-mesh.md` | Istio, Linkerd, traffic management, mTLS, canary |
50| GitOps | `references/gitops.md` | ArgoCD, Flux, progressive delivery, sealed secrets |
51| Cost Optimization | `references/cost-optimization.md` | VPA, HPA tuning, spot instances, quotas, right-sizing |
52| Multi-Cluster | `references/multi-cluster.md` | Cluster API, federation, cross-cluster networking, DR |
53 
54## Constraints
55 
56### MUST DO
57- Use declarative YAML manifests (avoid imperative kubectl commands)
58- Set resource requests and limits on all containers
59- Include liveness and readiness probes
60- Use secrets for sensitive data (never hardcode credentials)
61- Apply least privilege RBAC permissions
62- Implement NetworkPolicies for network segmentation
63- Use namespaces for logical isolation
64- Label resources consistently for organization
65- Document configuration decisions in annotations
66 
67### MUST NOT DO
68- Deploy to production without resource limits
69- Store secrets in ConfigMaps or as plain environment variables
70- Use default ServiceAccount for application pods
71- Allow unrestricted network access (default allow-all)
72- Run containers as root without justification
73- Skip health checks (liveness/readiness probes)
74- Use latest tag for production images
75- Expose unnecessary ports or services
76 
77## Common YAML Patterns
78 
79### Deployment with resource limits, probes, and security context
80 
81```yaml
82apiVersion: apps/v1
83kind: Deployment
84metadata:
85  name: my-app
86  namespace: my-namespace
87  labels:
88    app: my-app
89    version: "1.2.3"
90spec:
91  replicas: 3
92  selector:
93    matchLabels:
94      app: my-app
95  template:
96    metadata:
97      labels:
98        app: my-app
99        version: "1.2.3"
100    spec:
101      serviceAccountName: my-app-sa   # never use default SA
102      securityContext:
103        runAsNonRoot: true
104        runAsUser: 1000
105        fsGroup: 2000
106      containers:
107        - name: my-app
108          image: my-registry/my-app:1.2.3   # never use latest
109          ports:
110            - containerPort: 8080
111          resources:
112            requests:
113              cpu: "100m"
114              memory: "128Mi"
115            limits:
116              cpu: "500m"
117              memory: "512Mi"
118          livenessProbe:
119            httpGet:
120              path: /healthz
121              port: 8080
122            initialDelaySeconds: 15
123            periodSeconds: 20
124          readinessProbe:
125            httpGet:
126              path: /ready
127              port: 8080
128            initialDelaySeconds: 5
129            periodSeconds: 10
130          securityContext:
131            allowPrivilegeEscalation: false
132            readOnlyRootFilesystem: true
133            capabilities:
134              drop: ["ALL"]
135          envFrom:
136            - secretRef:
137                name: my-app-secret   # pull credentials from Secret, not ConfigMap
138```
139 
140### Minimal RBAC (least privilege)
141 
142```yaml
143apiVersion: v1
144kind: ServiceAccount
145metadata:
146  name: my-app-sa
147  namespace: my-namespace
148---
149apiVersion: rbac.authorization.k8s.io/v1
150kind: Role
151metadata:
152  name: my-app-role
153  namespace: my-namespace
154rules:
155  - apiGroups: [""]
156    resources: ["configmaps"]
157    verbs: ["get", "list"]   # grant only what is needed
158---
159apiVersion: rbac.authorization.k8s.io/v1
160kind: RoleBinding
161metadata:
162  name: my-app-rolebinding
163  namespace: my-namespace
164subjects:
165  - kind: ServiceAccount
166    name: my-app-sa
167    namespace: my-namespace
168roleRef:
169  kind: Role
170  name: my-app-role
171  apiGroup: rbac.authorization.k8s.io
172```
173 
174### NetworkPolicy (default-deny + explicit allow)
175 
176```yaml
177# Deny all ingress and egress by default
178apiVersion: networking.k8s.io/v1
179kind: NetworkPolicy
180metadata:
181  name: default-deny-all
182  namespace: my-namespace
183spec:
184  podSelector: {}
185  policyTypes: ["Ingress", "Egress"]
186---
187# Allow only specific traffic
188apiVersion: networking.k8s.io/v1
189kind: NetworkPolicy
190metadata:
191  name: allow-my-app
192  namespace: my-namespace
193spec:
194  podSelector:
195    matchLabels:
196      app: my-app
197  policyTypes: ["Ingress"]
198  ingress:
199    - from:
200        - podSelector:
201            matchLabels:
202              app: frontend
203      ports:
204        - protocol: TCP
205          port: 8080
206```
207 
208## Validation Commands
209 
210After deploying, verify health and security posture:
211 
212```bash
213# Watch rollout complete
214kubectl rollout status deployment/my-app -n my-namespace
215 
216# Stream pod events to catch crash loops or image pull errors
217kubectl get pods -n my-namespace -w
218 
219# Inspect a specific pod for failures
220kubectl describe pod <pod-name> -n my-namespace
221 
222# Check container logs
223kubectl logs <pod-name> -n my-namespace --previous   # use --previous for crashed containers
224 
225# Verify resource usage vs. limits
226kubectl top pods -n my-namespace
227 
228# Audit RBAC permissions for a service account
229kubectl auth can-i --list --as=system:serviceaccount:my-namespace:my-app-sa
230 
231# Roll back a failed deployment
232kubectl rollout undo deployment/my-app -n my-namespace
233```
234 
235## Output Templates
236 
237When implementing Kubernetes resources, provide:
2381. Complete YAML manifests with proper structure
2392. RBAC configuration if needed (ServiceAccount, Role, RoleBinding)
2403. NetworkPolicy for network isolation
2414. Brief explanation of design decisions and security considerations
242 
243[Documentation](https://jeffallan.github.io/claude-skills/skills/infrastructure/kubernetes-specialist/)
244
Preparing the source view

Kubernetes Specialist

SKILL.md
