achreftlili/kubernetes-manifests
infrastructure/kubernetes-manifests/SKILL.md
Generate Kubernetes manifests for Deployments, Services, Ingress, ConfigMaps, Secrets, HPA, PVCs with kustomize overlay structure, health probes, and resource limits.
$ install --global
skillsauthnpx skillsauth add achreftlili/deep-dev-skills kubernetes-manifestsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 2:49 PM5.6s1 file scanned
SKILL.md
- name:
- kubernetes-manifests
- description:
- >
- category:
- infrastructure
- agent-type:
- devops
- compatibility:
- kubectl >= 1.30, kustomize >= 5.x, A Kubernetes cluster, Container images pushed to a registry
Kubernetes Manifests
Generate Kubernetes manifests for Deployments, Services, Ingress, ConfigMaps, Secrets, HPA, PVCs with kustomize overlay structure, health probes, and resource limits.
Prerequisites
- kubectl >= 1.30
- kustomize >= 5.x (built into kubectl)
- A Kubernetes cluster (minikube, kind, EKS, GKE, AKS)
- Container images pushed to a registry
Scaffold Command
mkdir -p k8s/base k8s/overlays/dev k8s/overlays/staging k8s/overlays/production
# Base manifests
touch k8s/base/kustomization.yaml
touch k8s/base/namespace.yaml
touch k8s/base/deployment.yaml
touch k8s/base/service.yaml
touch k8s/base/configmap.yaml
touch k8s/base/ingress.yaml
touch k8s/base/hpa.yaml
# Overlay kustomizations
touch k8s/overlays/dev/kustomization.yaml
touch k8s/overlays/staging/kustomization.yaml
touch k8s/overlays/production/kustomization.yaml
Project Structure
k8s/
base/
kustomization.yaml # Lists all base resources
namespace.yaml # Namespace definition
deployment.yaml # Application deployment
service.yaml # ClusterIP service
configmap.yaml # Non-secret configuration
ingress.yaml # Ingress rules
hpa.yaml # Horizontal Pod Autoscaler
pvc.yaml # Persistent Volume Claims (if needed)
overlays/
dev/
kustomization.yaml # Dev-specific patches and images
replica-patch.yaml
staging/
kustomization.yaml
replica-patch.yaml
production/
kustomization.yaml
replica-patch.yaml
hpa-patch.yaml
resource-patch.yaml
Key Conventions
- Use kustomize overlays instead of Helm for straightforward apps. Base contains shared manifests; overlays patch per environment.
- Always set resource requests and limits on every container.
- Always define liveness, readiness, and startup probes.
- Use
namespacein kustomization, not in individual manifests (kustomize applies it). - Store secrets via
SealedSecrets,ExternalSecrets, or cloud-native secret managers — never plainSecretmanifests committed to git. - Use labels consistently:
app.kubernetes.io/name,app.kubernetes.io/version,app.kubernetes.io/component. - Pin image tags to digests or semver in production. Never use
latest.
Essential Patterns
Kustomize Base (k8s/base/kustomization.yaml)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app.kubernetes.io/name: myapp
app.kubernetes.io/managed-by: kustomize
resources:
- namespace.yaml
- deployment.yaml
- service.yaml
- configmap.yaml
- ingress.yaml
- hpa.yaml
Namespace (k8s/base/namespace.yaml)
apiVersion: v1
kind: Namespace
metadata:
name: myapp
Deployment (k8s/base/deployment.yaml)
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: myapp
template:
metadata:
labels:
app.kubernetes.io/name: myapp
spec:
serviceAccountName: myapp
securityContext:
runAsNonRoot: true
runAsUser: 1001
fsGroup: 1001
containers:
- name: myapp
# Replace with your registry/image. Use kustomize to override per environment:
# kustomization.yaml → images: [{name: ghcr.io/org/myapp, newName: your-registry/your-app, newTag: v1.0.0}]
image: ghcr.io/org/myapp:latest
ports:
- containerPort: 3000
protocol: TCP
envFrom:
- configMapRef:
name: myapp-config
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: myapp-secrets
key: database-url
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
livenessProbe:
httpGet:
path: /health
port: 3000
initialDelaySeconds: 10
periodSeconds: 15
timeoutSeconds: 3
failureThreshold: 3
readinessProbe:
httpGet:
path: /health/ready
port: 3000
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 3
failureThreshold: 3
startupProbe:
httpGet:
path: /health
port: 3000
initialDelaySeconds: 0
periodSeconds: 5
failureThreshold: 30
terminationGracePeriodSeconds: 30
Service (k8s/base/service.yaml)
apiVersion: v1
kind: Service
metadata:
name: myapp
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: myapp
ports:
- port: 80
targetPort: 3000
protocol: TCP
Ingress (k8s/base/ingress.yaml)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: myapp
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/rate-limit: "100"
nginx.ingress.kubernetes.io/rate-limit-window: "1m"
spec:
ingressClassName: nginx
tls:
- hosts:
- myapp.example.com
secretName: myapp-tls
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: myapp
port:
number: 80
ConfigMap (k8s/base/configmap.yaml)
apiVersion: v1
kind: ConfigMap
metadata:
name: myapp-config
data:
NODE_ENV: production
LOG_LEVEL: info
PORT: "3000"
HPA (k8s/base/hpa.yaml)
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: myapp
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: myapp
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 80
behavior:
scaleDown:
stabilizationWindowSeconds: 300
PVC (k8s/base/pvc.yaml)
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: myapp-data
spec:
accessModes:
- ReadWriteOnce
storageClassName: gp3
resources:
requests:
storage: 10Gi
Dev Overlay (k8s/overlays/dev/kustomization.yaml)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: myapp-dev
resources:
- ../../base
patches:
- path: replica-patch.yaml
images:
- name: ghcr.io/org/myapp
newTag: dev-latest
Dev Replica Patch (k8s/overlays/dev/replica-patch.yaml)
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
spec:
replicas: 1
Production Overlay (k8s/overlays/production/kustomization.yaml)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: myapp-prod
resources:
- ../../base
patches:
- path: replica-patch.yaml
- path: resource-patch.yaml
images:
- name: ghcr.io/org/myapp
newTag: v1.2.3
Production Resource Patch (k8s/overlays/production/resource-patch.yaml)
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
spec:
template:
spec:
containers:
- name: myapp
resources:
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: "1"
memory: 1Gi
Common Commands
# Preview rendered manifests
kubectl kustomize k8s/overlays/dev
# Apply to cluster
kubectl apply -k k8s/overlays/dev
# Apply production overlay
kubectl apply -k k8s/overlays/production
# Check deployment status
kubectl -n myapp-prod rollout status deployment/myapp
# View pods
kubectl -n myapp-prod get pods -l app.kubernetes.io/name=myapp
# View pod logs
kubectl -n myapp-prod logs -l app.kubernetes.io/name=myapp -f
# Describe a failing pod
kubectl -n myapp-prod describe pod <pod-name>
# Port-forward for local access
kubectl -n myapp-dev port-forward svc/myapp 3000:80
# Scale manually (overrides HPA temporarily)
kubectl -n myapp-prod scale deployment/myapp --replicas=5
# Restart deployment (rolling)
kubectl -n myapp-prod rollout restart deployment/myapp
# View HPA status
kubectl -n myapp-prod get hpa
# Diff before apply
kubectl diff -k k8s/overlays/production
Integration Notes
- Docker: Images must be built and pushed to a registry before deploying. Pair with
dockerfile-generatorandgithub-actions-ciskills. - CI/CD: Pair with
github-actions-ciskill to runkubectl apply -kor use ArgoCD for GitOps-style continuous delivery. - Terraform: Pair with
terraform-starterskill to provision the Kubernetes cluster (EKS, GKE, AKS) and supporting infrastructure. - Secrets: Use External Secrets Operator with AWS Secrets Manager / GCP Secret Manager, or Sealed Secrets for git-committed encrypted secrets.
- Monitoring: Add Prometheus ServiceMonitor and Grafana dashboards. Ensure
/metricsendpoint is exposed.
Related Skills
achreftlili/vitest-testing-skill
testing
VerifiedTrustedCommunity
Set up Vitest 2.x with TypeScript for unit and component testing using test/describe/it, vi.fn/vi.mock/vi.spyOn, component testing with Testing Library, coverage (v8/istanbul), workspace config, and snapshot testing.
1SKILL.mdUpdated Apr 25, 2026
achreftlili/pytest-testing-skill
testing
VerifiedTrustedCommunity
Set up pytest 8.x with Python for unit and integration testing using fixtures (scope, autouse, parametrize), async tests (pytest-asyncio), mocking (unittest.mock, pytest-mock), coverage (pytest-cov), conftest.py patterns, and markers.
1SKILL.mdUpdated Apr 25, 2026
achreftlili/playwright-testing-skill
testing
VerifiedTrustedCommunity
Set up Playwright 1.49+ with TypeScript for E2E testing using page object model, fixtures, test.describe/test blocks, assertions, selectors, network mocking, CI configuration, and trace viewer.
1SKILL.mdUpdated Apr 25, 2026
achreftlili/jest-testing-skill
testing
VerifiedTrustedCommunity
Set up Jest 30+ with TypeScript for unit tests, integration tests, mocking (jest.fn, jest.mock, jest.spyOn), coverage configuration, custom matchers, snapshot testing, and setup/teardown patterns.
1SKILL.mdUpdated Apr 25, 2026