aldengolab/k8s-rwo-deployment-recreate-strategy
skills/k8s-rwo-deployment-recreate-strategy/SKILL.md
Fix for single-replica Kubernetes Deployments with ReadWriteOnce PVCs that deadlock during rolling updates. Use when: (1) a new pod is stuck in Init:0/1 or Pending with 'Multi-Attach error: Volume is already used by pod(s)', (2) the old pod won't terminate because maxUnavailable rounds to 0 for a single-replica Deployment, (3) deleting the old pod causes it to be immediately recreated by its ReplicaSet. Also covers the secondary error 'spec.strategy.rollingUpdate: Forbidden: may not be specified when strategy type is Recreate' when patching a live Deployment.
testing
Updated Apr 2, 2026
$ install --global
skillsauthnpx skillsauth add aldengolab/lorist k8s-rwo-deployment-recreate-strategyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 2, 2026, 5:09 PM61.5s1 file scanned
SKILL.md
- name:
- k8s-rwo-deployment-recreate-strategy
- description:
- |
- deadlock during rolling updates. Use when:
- (1) a new pod is stuck in
- Init:
- 0/1 or Pending with 'Multi-Attach error: Volume is already used by
- 'spec.strategy.rollingUpdate:
- Forbidden: may not be specified when strategy
Single-Replica RWO Deployment: Recreate Strategy
Problem
A Deployment with one replica and a ReadWriteOnce PVC deadlocks during rolling updates. The new pod cannot start because the old pod holds the RWO volume, and the old pod will not terminate until the new pod is Ready.
Context / Trigger Conditions
- Pod stuck in
Init:0/1orPending - Event:
Multi-Attach error for volume "pvc-...": Volume is already used by pod(s) <old-pod> - Deployment has
replicas: 1and a RWO PVC - Default RollingUpdate strategy:
maxSurge: 25%(rounds to 1),maxUnavailable: 25%(rounds to 0) - Common for Grafana, single-instance databases, or any stateful single-replica app
Solution
Step 1: Set Recreate strategy in Helm values
For kube-prometheus-stack Grafana:
grafana:
deploymentStrategy:
type: Recreate
For a raw Deployment:
spec:
strategy:
type: Recreate
Step 2: Handle the rollingUpdate field conflict
Changing an existing Deployment from RollingUpdate to Recreate via kubectl apply
or ArgoCD sync fails with:
Deployment.apps "<name>" is invalid: spec.strategy.rollingUpdate:
Forbidden: may not be specified when strategy type is 'Recreate'
This happens because the live Deployment still has rollingUpdate sub-fields set.
Fix: delete the Deployment and let the controller recreate it with the new spec.
kubectl delete deployment <name> -n <namespace>
# ArgoCD will immediately recreate it with the correct spec on next sync
argocd app sync <app-name>
Verification
kubectl get deployment <name> -n <namespace> \
-o jsonpath='{.spec.strategy.type}'
# Should output: Recreate
Notes
- Recreate strategy means brief downtime during upgrades (old pod deleted before new one starts). Accept this trade-off for single-replica stateful apps with RWO PVCs.
- Do NOT try to patch
spec.strategyin-place on a live Deployment that hasrollingUpdatefields — always delete and recreate. - Applies to any chart that wraps Deployment creation: kube-prometheus-stack, Bitnami charts, custom charts, etc.
- The intermediate symptom (deleting old pod immediately recreated) is the ReplicaSet controller doing its job — it does not indicate the fix failed, it means the Deployment still has the old RS active.
See Also
k8s-helm-immutable-field-workaround— general pattern for other immutable Helm resource fields (Services, PVCs); includes PreSync hook templatek8s-helm-immutable-field-workaround/references/delete-and-recreate.md— all delete-and-recreate variants (PreSync hook,kubectl replace --forcefor PVs)
Related Skills
aldengolab/ubuntu-secureboot-pxe-netboot
development
VerifiedTrustedCommunity
Build a UEFI Secure Boot PXE netboot server for Ubuntu autoinstall. Use when: designing or implementing network boot infrastructure for automated Ubuntu provisioning with Secure Boot enabled. Covers the complete chain: signed shim+GRUB selection, TFTP layout, kernel parameters, autoinstall config requirements, and post-install bootstrapping scripts. Also applicable when debugging an existing PXE setup that uses the wrong GRUB binary or config paths.
SKILL.mdUpdated Apr 10, 2026
aldengolab/pxe-grub-persistent-server-pattern
development
VerifiedTrustedCommunity
Design pattern for running a persistent PXE/TFTP server that safely coexists with already-installed nodes. Use when: building PXE infrastructure that should stay always-on, designing automated bare-metal provisioning in GitOps/Kubernetes environments, or any PXE setup where UEFI boot order has network boot first. Eliminates boot loops without requiring UEFI firmware changes.
SKILL.mdUpdated Apr 10, 2026
aldengolab/orwell-clear-writing
development
VerifiedTrustedCommunity
This skill governs all prose output — Claude's own responses, documentation, PR descriptions, commit messages, README content, comments, and any text the user asks to draft or edit. It should also be used when the user asks to "review my writing", "edit this for clarity", "make this clearer", "simplify this text", "rewrite this", "check my prose", "tighten this up", or "make this more concise". Based on George Orwell's "Politics and the English Language" (1946).
SKILL.mdUpdated Apr 10, 2026
aldengolab/k8s-hostnetwork-port-conflict
development
VerifiedTrustedCommunity
Debug Kubernetes pods using hostNetwork: true that crash with "Address already in use" or "failed to create listening socket for port N". Use when: (1) a hostNetwork pod container is in CrashLoopBackOff and logs show a port bind failure, (2) the port works fine in non-hostNetwork pods but fails with hostNetwork, (3) you need to identify which host-level process holds a port from within Kubernetes (no SSH). Covers /proc/net/udp inspection and kubectl debug node with nsenter.
SKILL.mdUpdated Apr 10, 2026