AgentSkillsCN

kubernetes

Kubernetes resource management expertise. Use when writing or reviewing Kubernetes manifests, Helm charts, Kustomize overlays, RBAC, networking configuration, Pod security, resource quotas, or workload configuration.

SKILL.md
---
name: kubernetes
description: >
  Kubernetes resource management expertise. Use when writing or reviewing
  Kubernetes manifests, Helm charts, Kustomize overlays, RBAC, networking,
  pod security, resource quotas, or workload configuration.
---

Manifest Standards

Workloads

  • Always set resource requests AND limits for CPU and memory
  • Use PodDisruptionBudget for all production Deployments
  • Set terminationGracePeriodSeconds appropriate to the workload
  • Use topologySpreadConstraints for HA across zones
  • Prefer Deployment unless ordering matters (StatefulSet) or a pod is needed on every node (DaemonSet)
  • Always set securityContext:
    ```yaml
    securityContext:
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    ```

Labels and Annotations

  • Required labels: app.kubernetes.io/name, app.kubernetes.io/version, app.kubernetes.io/component, app.kubernetes.io/managed-by
  • Use annotations for tooling metadata, not selectors
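
As an added example (not part of this skill file or of any project it describes), a small reviewer check that applies the Workloads and Labels standards above to a parsed Deployment; `SAMPLE` is a constructed manifest written as the dict `yaml.safe_load()` would return, and the image name in it is a placeholder.

```python
# Added example (not part of the AgentSkillsCN skill file): applies the
# Workloads and Labels standards above to a parsed Deployment. SAMPLE is a
# constructed manifest written as the dict yaml.safe_load() would return.
REQUIRED_LABELS = ("app.kubernetes.io/name", "app.kubernetes.io/version",
                   "app.kubernetes.io/component", "app.kubernetes.io/managed-by")
SECURITY_CONTEXT = {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                    "allowPrivilegeEscalation": False}

def check_deployment(manifest):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    labels = manifest.get("metadata", {}).get("labels", {})
    for label in REQUIRED_LABELS:
        if label not in labels:
            findings.append(f"missing required label {label}")
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    if not pod.get("topologySpreadConstraints"):
        findings.append("no topologySpreadConstraints (HA across zones)")
    if "terminationGracePeriodSeconds" not in pod:
        findings.append("terminationGracePeriodSeconds not set explicitly")
    for c in pod.get("containers", []):  # container-level checks
        name = c.get("name", "<unnamed>")
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in res.get(kind, {}):
                    findings.append(f"{name}: resources.{kind}.{r} not set")
        sc = c.get("securityContext", {})
        for key, want in SECURITY_CONTEXT.items():
            if sc.get(key) is not want:  # missing or wrong value both fail
                findings.append(f"{name}: securityContext.{key} must be {want}")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: securityContext.capabilities.drop must include ALL")
    return findings

# Constructed sample: a Deployment that violates several of the standards.
SAMPLE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "labels": {"app.kubernetes.io/name": "web",
                                            "app.kubernetes.io/version": "1.2.0"}},
    "spec": {"template": {"spec": {"containers": [{
        "name": "web", "image": "example/web:1.2.0",  # placeholder image
        "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}},
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": True},
    }]}}},
}

if __name__ == "__main__":
    for finding in check_deployment(SAMPLE):
        print("FAIL:", finding)
```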

ConfigMaps and Secrets

  • Mount as volumes, not environment variables, for rotation support
  • Use immutable: true for ConfigMaps/Secrets that should not change
  • Use ExternalSecrets or Sealed Secrets for sensitive data — never plain Secrets in git

Networking

  • Use NetworkPolicy to restrict traffic by default (deny all, allow specific)
  • Services: ClusterIP by default, LoadBalancer only via Ingress/Gateway API
  • Prefer Gateway API over Ingress for new projects

Helm

  • Values files: values.yaml (defaults), values-dev.yaml, values-prod.yaml
  • Template all labels consistently via _helpers.tpl
  • Use {{- include }} not {{- template }} for named templates
  • Validate with helm lint and helm template before merge

Kustomize

  • Base in base/, overlays in overlays/{dev,staging,prod}/
  • Use configMapGenerator and secretGenerator over raw manifests
  • Strategic merge patches for environment-specific changes