playbooks

home / skills / physics91 / claude-vibe / k8s-reviewer

k8s-reviewer skill

/skills/k8s-reviewer

This skill reviews Kubernetes manifests and Helm charts for resource limits, probes, security, and RBAC to enforce best practices.

npx playbooks add skill physics91/claude-vibe --skill k8s-reviewer

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
8.2 KB
---
name: k8s-reviewer
description: |
  WHEN: Kubernetes manifest review, Helm charts, resource limits, probes, RBAC
  WHAT: Resource configuration + Health probes + Security context + RBAC policies + Helm best practices
  WHEN NOT: Docker only → docker-reviewer, Terraform → terraform-reviewer
---

# Kubernetes Reviewer Skill

## Purpose
Reviews Kubernetes manifests and Helm charts for resource configuration, security, and best practices.

## When to Use
- Kubernetes YAML review
- Helm chart review
- Pod security review
- Resource limits check
- RBAC configuration review

## Project Detection
- `*.yaml` in k8s/, manifests/, deploy/
- `Chart.yaml` (Helm)
- `kustomization.yaml`
- `deployment.yaml`, `service.yaml`

## Workflow

### Step 1: Analyze Project
```
**Manifest Type**: Deployment, Service, Ingress
**Helm**: Chart v3
**Namespace**: production
**Cluster**: EKS/GKE/AKS
```

### Step 2: Select Review Areas
**AskUserQuestion:**
```
"Which areas to review?"
Options:
- Full K8s review (recommended)
- Resource limits and requests
- Health probes configuration
- Security context and RBAC
- Helm chart structure
multiSelect: true
```

## Detection Rules

### Resource Limits
| Check | Recommendation | Severity |
|-------|----------------|----------|
| No resource limits | Add limits and requests | CRITICAL |
| Limits = Requests | Set different values | MEDIUM |
| Too high limits | Right-size based on usage | MEDIUM |
| No LimitRange | Add namespace LimitRange | MEDIUM |

```yaml
# BAD: No resource management
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: app
          image: myapp:latest
          # No resources defined!

# GOOD: Proper resource management
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: production
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: app
          image: myapp:v1.2.3
          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"
```

### Health Probes
| Check | Recommendation | Severity |
|-------|----------------|----------|
| No liveness probe | Add liveness check | HIGH |
| No readiness probe | Add readiness check | HIGH |
| No startup probe | Add for slow-starting apps | MEDIUM |
| Same liveness/readiness | Differentiate purposes | MEDIUM |

```yaml
# GOOD: Complete probe configuration
spec:
  containers:
    - name: app
      image: myapp:v1.2.3
      ports:
        - containerPort: 8080

      # Startup probe - for slow starting containers
      startupProbe:
        httpGet:
          path: /health/startup
          port: 8080
        failureThreshold: 30
        periodSeconds: 10

      # Liveness probe - restart if unhealthy
      livenessProbe:
        httpGet:
          path: /health/live
          port: 8080
        initialDelaySeconds: 0
        periodSeconds: 10
        timeoutSeconds: 5
        failureThreshold: 3

      # Readiness probe - remove from service if not ready
      readinessProbe:
        httpGet:
          path: /health/ready
          port: 8080
        initialDelaySeconds: 5
        periodSeconds: 5
        timeoutSeconds: 3
        failureThreshold: 3
```

### Security Context
| Check | Recommendation | Severity |
|-------|----------------|----------|
| Running as root | Set runAsNonRoot: true | CRITICAL |
| No security context | Add pod/container security | HIGH |
| Privileged container | Remove privileged: true | CRITICAL |
| Writable root filesystem | Set readOnlyRootFilesystem | HIGH |

```yaml
# BAD: No security constraints
spec:
  containers:
    - name: app
      image: myapp:latest
      # No security context!

# GOOD: Secure configuration
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000

      containers:
        - name: app
          image: myapp:v1.2.3
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: cache
              mountPath: /app/cache

      volumes:
        - name: tmp
          emptyDir: {}
        - name: cache
          emptyDir: {}
```

### Image Policy
| Check | Recommendation | Severity |
|-------|----------------|----------|
| Using :latest tag | Pin specific version | HIGH |
| No image pull policy | Set imagePullPolicy | MEDIUM |
| Public registry | Use private registry | MEDIUM |

```yaml
# BAD
image: myapp:latest
# or
image: myapp  # Implies :latest

# GOOD
image: gcr.io/myproject/myapp:v1.2.3
imagePullPolicy: IfNotPresent
```

### Pod Disruption Budget
| Check | Recommendation | Severity |
|-------|----------------|----------|
| No PDB for critical apps | Add PodDisruptionBudget | HIGH |

```yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: myapp-pdb
spec:
  minAvailable: 2  # or maxUnavailable: 1
  selector:
    matchLabels:
      app: myapp
```

### RBAC
| Check | Recommendation | Severity |
|-------|----------------|----------|
| Using default SA | Create dedicated ServiceAccount | HIGH |
| Cluster-wide permissions | Use namespaced Role | HIGH |
| Wildcard permissions | Specify explicit resources | CRITICAL |

```yaml
# BAD: Overly permissive
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

# GOOD: Least privilege
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-sa
  namespace: production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: myapp-role
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myapp-rolebinding
  namespace: production
subjects:
  - kind: ServiceAccount
    name: myapp-sa
    namespace: production
roleRef:
  kind: Role
  name: myapp-role
  apiGroup: rbac.authorization.k8s.io
```

### Helm Charts
| Check | Recommendation | Severity |
|-------|----------------|----------|
| Hardcoded values | Use values.yaml | MEDIUM |
| No default values | Provide sensible defaults | MEDIUM |
| No NOTES.txt | Add post-install notes | LOW |

```yaml
# values.yaml
replicaCount: 3

image:
  repository: myapp
  tag: "v1.2.3"
  pullPolicy: IfNotPresent

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

# templates/deployment.yaml
spec:
  replicas: {{ .Values.replicaCount }}
  template:
    spec:
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
```

## Response Template
```
## Kubernetes Review Results

**Project**: [name]
**Type**: Deployment, Service, Ingress
**Namespace**: production

### Resource Limits
| Status | File | Issue |
|--------|------|-------|
| CRITICAL | deployment.yaml | No resource limits defined |

### Health Probes
| Status | File | Issue |
|--------|------|-------|
| HIGH | deployment.yaml | Missing readiness probe |

### Security
| Status | File | Issue |
|--------|------|-------|
| CRITICAL | deployment.yaml | Running as root |

### RBAC
| Status | File | Issue |
|--------|------|-------|
| HIGH | rbac.yaml | Wildcard permissions |

### Recommended Actions
1. [ ] Add resource requests and limits
2. [ ] Configure liveness and readiness probes
3. [ ] Add security context with non-root user
4. [ ] Apply least privilege RBAC
```

## Best Practices
1. **Resources**: Always set requests and limits
2. **Probes**: All three probe types for production
3. **Security**: Non-root, read-only fs, drop capabilities
4. **RBAC**: Least privilege, namespaced roles
5. **Images**: Pin versions, use private registry

## Integration
- `docker-reviewer`: Container image review
- `terraform-reviewer`: Infrastructure as code
- `infra-security-reviewer`: Cluster security

Overview

This skill reviews Kubernetes manifests and Helm charts to surface configuration, security, and operational issues before deployment. It focuses on resource requests/limits, health probes, security context, RBAC policies, and Helm best practices. The goal is actionable findings with severity guidance and recommended fixes.

How this skill works

The reviewer scans project manifests (k8s/ manifests/ deploy/, Chart.yaml, kustomization.yaml and common filenames) and classifies resource types such as Deployment, Service, Ingress and Helm charts. It detects missing or misconfigured resource limits, absent or incorrect probes, insecure security contexts, overly permissive RBAC, and Helm anti-patterns. For each issue it emits severity, file/location hints, and concise remediation steps.

When to use it

  • Before deploying to staging or production
  • When validating a Helm chart prior to publishing
  • During code review of Kubernetes YAML or kustomize overlays
  • To audit pod security and RBAC for least-privilege compliance
  • When adding resource autoscaling or performance tuning

Best practices

  • Always define CPU/memory requests and limits; use namespace LimitRange where appropriate
  • Configure startup, liveness, and readiness probes; separate liveness and readiness responsibilities
  • Enforce non-root containers, readOnlyRootFilesystem and drop capabilities
  • Use least-privilege RBAC: dedicated ServiceAccount, namespaced Role, explicit resources and verbs
  • Pin image tags and set imagePullPolicy; prefer private registries
  • Provide sensible defaults and templated values in values.yaml for Helm charts

Example use cases

  • CI job that runs a pre-merge manifest audit and blocks PRs with CRITICAL findings
  • Helm chart review to ensure values.yaml covers image, resources and NOTES.txt post-install guidance
  • Security review to detect containers running as root or privileged and recommend securityContext changes
  • Operational check to add probes and PodDisruptionBudget before scaling to production
  • RBAC audit to replace wildcard rules with scoped Role/RoleBinding pairs

FAQ

Which files does the reviewer inspect?

It targets common Kubernetes locations and filenames such as k8s/, manifests/, deploy/, Chart.yaml, kustomization.yaml, deployment.yaml, and service.yaml.

Does it auto-fix issues?

No. It provides precise findings and remediation steps so you can apply fixes intentionally in source control.