| name | Kubernetes |
| description | Kubernetes development and operations best practices. USE WHEN working with kubectl commands, K8s manifests, deployments, debugging pods, managing resources, RBAC, or cluster operations. |
Kubernetes
Expert guidance on Kubernetes operations, kubectl command-line usage, and cloud-native development best practices.
Context Detection
This skill activates when:
- Current directory contains Kubernetes manifests (
.yamlor.ymlfiles withkind:,apiVersion:) - User asks about kubectl commands or Kubernetes resources
- User mentions pods, deployments, services, namespaces, or other K8s concepts
- Commands like
kubectl,helm, ork9sare mentioned - User is troubleshooting Kubernetes issues or debugging pods
Workflow Routing
When executing a workflow, output this notification directly:
Running the **WorkflowName** workflow from the **Kubernetes** skill...
| Workflow | Trigger | File |
|---|---|---|
| Debug | "debug pod", "troubleshoot", "pod logs", "pod errors" | workflows/Debug.md |
| Deploy | "deploy", "apply manifests", "rollout", "update deployment" | workflows/Deploy.md |
| Context | "kubectl context", "namespace", "switch cluster" | workflows/Context.md |
| Resources | "create resource", "manifest", "yaml", "configmap", "secret" | workflows/Resources.md |
| Security | "RBAC", "pod security", "network policy", "security best practices" | workflows/Security.md |
| Scaling | "scale deployment", "HPA", "autoscaling", "replicas" | workflows/Scaling.md |
kubectl Productivity
Essential Aliases
alias k=kubectl
alias kgp='kubectl get pods'
alias kgs='kubectl get svc'
alias kgd='kubectl get deployments'
alias kgn='kubectl get nodes'
alias kdp='kubectl describe pod'
alias kdd='kubectl describe deployment'
alias kl='kubectl logs'
alias kx='kubectl exec -it'
alias kaf='kubectl apply -f'
alias kdel='kubectl delete'
Quick Commands
Get resources with custom output:
kubectl get pods -o wide
kubectl get pods -o yaml
kubectl get pods -o json | jq '.items[].metadata.name'
kubectl get pods --sort-by=.metadata.creationTimestamp
Watch resources:
kubectl get pods -w
kubectl get events -w
Context and namespace:
kubectl config get-contexts
kubectl config use-context <context>
kubectl config set-context --current --namespace=<namespace>
Key Best Practices
Resource Definitions
Always specify:
- Resource limits and requests
- Readiness and liveness probes
- Labels and selectors
- Pod disruption budgets for production
- Security context (non-root user, read-only filesystem)
Example deployment manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
labels:
app: myapp
version: v1.0.0
spec:
replicas: 3
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
version: v1.0.0
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: myapp
image: myapp:v1.0.0
ports:
- containerPort: 8080
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
livenessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumeMounts:
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir: {}
Recommended Labels
metadata:
labels:
app.kubernetes.io/name: myapp
app.kubernetes.io/instance: myapp-prod
app.kubernetes.io/version: "1.0.0"
app.kubernetes.io/component: backend
app.kubernetes.io/part-of: myplatform
app.kubernetes.io/managed-by: kubectl
Anti-Patterns to Avoid
- NEVER use
:latesttag - Always use specific version tags - NEVER skip health probes - Always define readiness/liveness probes
- NEVER run as root - Use non-root user in security context
- NEVER hardcode configuration - Use ConfigMaps and Secrets
- NEVER ignore resource limits - Always set requests and limits
- NEVER use default namespace - Create and use specific namespaces
- NEVER skip labels - Use consistent labeling strategy
- NEVER deploy without testing - Use
kubectl apply --dry-run=client - NEVER expose secrets in env - Use volume mounts for secrets
- NEVER skip RBAC - Use principle of least privilege
Security Checklist
- Run containers as non-root user
- Use read-only root filesystem
- Drop all capabilities, add only required ones
- Enable Pod Security Standards (Baseline or Restricted)
- Use Network Policies to restrict traffic
- Scan images for vulnerabilities
- Use secrets for sensitive data (never in env vars directly)
- Enable RBAC with least privilege
- Use service accounts per application
- Enable audit logging
Debugging Workflow
- Check pod status:
kubectl get pods - Describe pod:
kubectl describe pod <pod-name> - View logs:
kubectl logs <pod-name> [-c <container>] - Previous logs:
kubectl logs <pod-name> --previous - Exec into pod:
kubectl exec -it <pod-name> -- /bin/sh - Check events:
kubectl get events --sort-by=.metadata.creationTimestamp - Port forward:
kubectl port-forward pod/<pod-name> 8080:8080
Examples
Example 1: Debug failing pod
User: "My pod is in CrashLoopBackOff, help me debug it"
→ Invokes Debug workflow
→ Checks pod status and events
→ Reviews logs for errors
→ Validates resource definitions
→ Identifies root cause and suggests fix
Example 2: Deploy application
User: "Deploy my application to Kubernetes with best practices"
→ Invokes Deploy workflow
→ Creates manifest with security contexts
→ Adds health probes and resource limits
→ Validates with dry-run
→ Applies and monitors rollout
Example 3: Set up RBAC
User: "Create RBAC for my application with minimal permissions"
→ Invokes Security workflow
→ Creates ServiceAccount
→ Defines Role with specific permissions
→ Creates RoleBinding
→ Tests permissions
Integration
This skill integrates with:
- Git skill: For version controlling manifests and GitOps workflows
- Golang skill: For developing Kubernetes operators and controllers
- Nix skill: For managing Kubernetes tools in NixOS environments
- Homelab skill: For managing K3s/K8s clusters in homelab setup