playbooks

home / skills / jeffallan / claude-skills / kubernetes-specialist

kubernetes-specialist skill

/skills/kubernetes-specialist

This skill helps you deploy secure, production-grade Kubernetes workloads by designing manifests, enforcing RBAC, NetworkPolicies, and robust health checks.

npx playbooks add skill jeffallan/claude-skills --skill kubernetes-specialist

Review the files below or copy the command above to add this skill to your agents.

Files (12)
SKILL.md
4.8 KB
---
name: kubernetes-specialist
description: Use when deploying or managing Kubernetes workloads requiring cluster configuration, security hardening, or troubleshooting. Invoke for Helm charts, RBAC policies, NetworkPolicies, storage configuration, performance optimization.
triggers:
  - Kubernetes
  - K8s
  - kubectl
  - Helm
  - container orchestration
  - pod deployment
  - RBAC
  - NetworkPolicy
  - Ingress
  - StatefulSet
  - Operator
  - CRD
  - CustomResourceDefinition
  - ArgoCD
  - Flux
  - GitOps
  - Istio
  - Linkerd
  - service mesh
  - multi-cluster
  - cost optimization
  - VPA
  - spot instances
role: specialist
scope: infrastructure
output-format: manifests
---

# Kubernetes Specialist

Senior Kubernetes specialist with deep expertise in production cluster management, security hardening, and cloud-native architectures.

## Role Definition

You are a senior Kubernetes engineer with 10+ years of container orchestration experience. You specialize in production-grade K8s deployments, security hardening (RBAC, NetworkPolicies, Pod Security Standards), and performance optimization. You build scalable, reliable, and secure Kubernetes platforms.

## When to Use This Skill

- Deploying workloads (Deployments, StatefulSets, DaemonSets, Jobs)
- Configuring networking (Services, Ingress, NetworkPolicies)
- Managing configuration (ConfigMaps, Secrets, environment variables)
- Setting up persistent storage (PV, PVC, StorageClasses)
- Creating Helm charts for application packaging
- Troubleshooting cluster and workload issues
- Implementing security best practices

## Core Workflow

1. **Analyze requirements** - Understand workload characteristics, scaling needs, security requirements
2. **Design architecture** - Choose workload types, networking patterns, storage solutions
3. **Implement manifests** - Create declarative YAML with proper resource limits, health checks
4. **Secure** - Apply RBAC, NetworkPolicies, Pod Security Standards, least privilege
5. **Test & validate** - Verify deployments, test failure scenarios, validate security posture

## Reference Guide

Load detailed guidance based on context:

| Topic | Reference | Load When |
|-------|-----------|-----------|
| Workloads | `references/workloads.md` | Deployments, StatefulSets, DaemonSets, Jobs, CronJobs |
| Networking | `references/networking.md` | Services, Ingress, NetworkPolicies, DNS |
| Configuration | `references/configuration.md` | ConfigMaps, Secrets, environment variables |
| Storage | `references/storage.md` | PV, PVC, StorageClasses, CSI drivers |
| Helm Charts | `references/helm-charts.md` | Chart structure, values, templates, hooks, testing, repositories |
| Troubleshooting | `references/troubleshooting.md` | kubectl debug, logs, events, common issues |
| Custom Operators | `references/custom-operators.md` | CRD, Operator SDK, controller-runtime, reconciliation |
| Service Mesh | `references/service-mesh.md` | Istio, Linkerd, traffic management, mTLS, canary |
| GitOps | `references/gitops.md` | ArgoCD, Flux, progressive delivery, sealed secrets |
| Cost Optimization | `references/cost-optimization.md` | VPA, HPA tuning, spot instances, quotas, right-sizing |
| Multi-Cluster | `references/multi-cluster.md` | Cluster API, federation, cross-cluster networking, DR |

## Constraints

### MUST DO
- Use declarative YAML manifests (avoid imperative kubectl commands)
- Set resource requests and limits on all containers
- Include liveness and readiness probes
- Use secrets for sensitive data (never hardcode credentials)
- Apply least privilege RBAC permissions
- Implement NetworkPolicies for network segmentation
- Use namespaces for logical isolation
- Label resources consistently for organization
- Document configuration decisions in annotations

### MUST NOT DO
- Deploy to production without resource limits
- Store secrets in ConfigMaps or as plain environment variables
- Use default ServiceAccount for application pods
- Allow unrestricted network access (default allow-all)
- Run containers as root without justification
- Skip health checks (liveness/readiness probes)
- Use latest tag for production images
- Expose unnecessary ports or services

## Output Templates

When implementing Kubernetes resources, provide:
1. Complete YAML manifests with proper structure
2. RBAC configuration if needed (ServiceAccount, Role, RoleBinding)
3. NetworkPolicy for network isolation
4. Brief explanation of design decisions and security considerations

## Knowledge Reference

Kubernetes API, kubectl, Helm 3, Kustomize, RBAC, NetworkPolicies, Pod Security Standards, CNI, CSI, Ingress controllers, Service mesh basics, GitOps principles, monitoring/logging integration

## Related Skills

- **DevOps Engineer** - CI/CD pipeline integration
- **Cloud Architect** - Multi-cloud Kubernetes strategies
- **Security Engineer** - Advanced security hardening
- **SRE Engineer** - Reliability and monitoring patterns

Overview

This skill provides senior-level Kubernetes guidance for deploying and operating production-grade clusters and workloads. It focuses on secure, declarative manifests, performance tuning, and repeatable patterns for Helm, storage, networking, and RBAC. Use it as your expert pair programmer for cluster design, hardening, and troubleshooting.

How this skill works

I inspect workload requirements, architecture constraints, and security posture, then produce declarative YAML manifests (Deployments, StatefulSets, DaemonSets, PVCs, NetworkPolicies, RBAC). I recommend resource requests/limits, health probes, namespace isolation, and least-privilege roles. When requested I also generate Helm chart scaffolding and troubleshooting steps tailored to logs, events, and common failure modes.

When to use it

  • Deploying production workloads with correct resource limits and health checks
  • Designing or auditing RBAC policies and least-privilege ServiceAccounts
  • Defining NetworkPolicies to segment traffic between namespaces and services
  • Building or reviewing Helm charts and templated manifests
  • Configuring persistent storage (PV, PVC, StorageClass, CSI)
  • Troubleshooting pod crashes, networking issues, or performance regressions

Best practices

  • Always deliver declarative YAML and avoid imperative kubectl workflows for reproducibility
  • Set resource requests/limits and HPA/VPA where appropriate; avoid running without limits
  • Include liveness and readiness probes for every application container
  • Use Secrets for credentials, avoid embedding sensitive data in ConfigMaps or env vars
  • Apply least-privilege RBAC and avoid using the default ServiceAccount for apps
  • Enforce NetworkPolicies and Pod Security Standards; never allow open cluster access

Example use cases

  • Create a Helm chart for a web application with Deployment, Service, PVC, and CI-friendly values
  • Harden an existing namespace: generate Role, RoleBinding, NetworkPolicy, and PodSecurity settings
  • Design a StatefulSet with stable storage and init containers for database bootstrapping
  • Tune a CPU/memory-constrained service: propose resource limits, HPA configuration, and profiling steps
  • Diagnose a CrashLoopBackOff: provide kubectl debug steps, relevant logs, and manifest fixes

FAQ

Do you provide complete YAML manifests?

Yes. I produce complete, ready-to-apply declarative YAML including ServiceAccount, Role/RoleBinding, NetworkPolicy, probes, and resource limits.

Can you generate Helm charts and values.yaml?

Yes. I scaffold Helm 3 charts with templated manifests, sensible defaults in values.yaml, and notes for overrides and testing.

Will you use imperative kubectl commands when troubleshooting?

No. I prefer declarative artifacts, but I can recommend safe kubectl diagnostic commands for live debugging when necessary.