alexei-led/managing-infra
dist/codex/plugins/infra-ops/skills/managing-infra/SKILL.md
Infrastructure patterns for Kubernetes, Terraform, Helm, Kustomize, and GitHub Actions. Use when making K8s architectural decisions, choosing between Helm vs Kustomize, structuring Terraform modules, writing CI/CD workflows, or applying security best practices. NOT for cloud CLI commands (see using-cloud-cli) or deploy validation and apply workflows (see deploying-infra).
$ install --global
skillsauthnpx skillsauth add alexei-led/claude-code-config managing-infraInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 18, 2026, 3:43 AM141.0s1 file scanned
SKILL.md
- description:
- Infrastructure patterns for Kubernetes, Terraform, Helm, Kustomize, and
- name:
- managing-infra
Infrastructure Patterns
Role-gated action
Detect your capability from your tools, not from prose:
- Write-capable role (engineer): run the read-only dry-run, present the diff, get confirmation, then apply and verify.
- Read-only role (reviewer): a reviewer has no Bash — it cannot run
terraform planorkubectl diff. Review the manifests/modules in scope from the files and caller-supplied plan output, and emit changes in the Proposed Changes contract under Output. Apply nothing.
Detect the infra tool and load references
Detect the tool from the files in scope and load the matching reference:
*.tf/*.tfvars→ TERRAFORM.md- K8s manifests /
kustomization.yaml→ KUBERNETES.md Chart.yaml/templates/*.yaml→ HELM.md- workflow YAML under
.github/workflows/→ GITHUB-ACTIONS.md Dockerfile→ DOCKERFILE.mdMakefile→ MAKEFILE.md
Mixed stacks: load each matching reference. Unknown tool: use the core patterns below only.
Safety: Dry-Run Before Apply
NEVER run state-changing commands (kubectl apply, terraform apply, helm upgrade --install) without first presenting the plan/diff to the user.
Always run the read-only equivalent first:
terraform planbeforeterraform applykubectl diffbeforekubectl applyhelm upgrade --dry-runbeforehelm upgrade
If the user explicitly asks to apply, confirm before executing.
When to Use What
- Raw K8s YAML — Simple deployments, one-off resources
- Kustomize — Environment variations, overlays without templating
- Helm — Complex apps, third-party charts, heavy templating
- Terraform — Cloud resources, infrastructure lifecycle
- GitHub Actions — CI/CD, automated testing, releases
- Makefile — Build automation, self-documenting targets
- Dockerfile — Container builds, multi-stage, multi-arch
K8s Security Defaults
Every workload: non-root user, read-only filesystem, no privilege escalation, dropped capabilities, network policies.
GitHub Actions Patterns
- CI workflow: Lint, test, compile on PRs (run on both x86 + ARM)
- Terraform CI: include
terraform fmt -check,terraform init -backend=false,terraform validate, andterraform planfor changed stacks where credentials allow - Release workflow: Multi-arch Docker build on tags (native ARM runners)
- Pin actions by SHA, least-privilege permissions
Terraform Module Structure
For shared VPC, service accounts, and app environments:
- Put shared network primitives and organization-wide IAM in shared/foundation modules.
- Put app-specific service accounts, bindings, and deploy-time config in app/environment modules.
- Keep module inputs/outputs explicit; pass IDs, self-links, emails, and subnet names instead of reaching into sibling state implicitly.
- Choose backend/state boundaries deliberately: shared foundations change slowly; app environments can have separate state for safer rollout and ownership.
- Apply least-privilege IAM per service account and environment.
- Require CI validation for changed Terraform stacks:
terraform fmt -check,terraform init -backend=false,terraform validate, andterraform planwhere credentials allow.
Failure Cases
- User asks to apply without reviewing a plan: stop, run the read-only equivalent first, present the diff, then require explicit confirmation.
- Terraform plan shows unexpected resource destruction: halt, surface the full destroy list, do not proceed until the user explicitly confirms each affected resource.
Output
Engineer (applied after dry-run):
INFRA APPLY COMPLETE
====================
Tool: terraform | kubectl | helm
Dry-run: <command run> — diff shown
Confirmation: <what the user approved>
Status: APPLIED | ABORTED | PARTIAL
Changes:
- <resource> — created/modified/destroyed
Verification:
- <command> — pass/fail
If the user did not confirm or the plan showed unexpected destruction, status is ABORTED — state the blocker, do not apply.
Reviewer (reviewed only — emit changes as a proposal, apply nothing):
## Proposed Changes
### Change 1: <brief description>
File: `path/to/manifest`
Action: CREATE | MODIFY | DELETE
Code:
<the manifest/module content>
Rationale: <security/structure issue this addresses>
References
- KUBERNETES.md - K8s resource patterns
- HELM.md - Helm chart structure and templating patterns
- TERRAFORM.md - Terraform module patterns
- GITHUB-ACTIONS.md - CI/CD workflow patterns
- MAKEFILE.md - Build automation patterns
- DOCKERFILE.md - Container build patterns
- templates/ - Ready-to-use templates
Commands
kubectl apply -k ./ # Apply kustomize
helm upgrade --install NAME . # Install/upgrade chart
terraform plan && terraform apply
Related Skills
alexei-led/writing-shell
tools
VerifiedTrustedCommunity
Idiomatic shell development for POSIX sh, Bash, Zsh, Fish, hooks, CI shell steps, and scriptable CLI glue. Use when writing or changing `.sh`, `.bash`, `.zsh`, `.fish`, `.bats`, shell functions, shell pipelines, or command-runner recipes. Emphasizes portability, quoting, safe filesystem/process handling, non-TUI CLI tools, ShellCheck, shfmt, Bats, and ShellSpec. NOT for Python, TypeScript, Go, web code, or infrastructure operations.
33SKILL.mdUpdated Jun 5, 2026
alexei-led/spec-flow
tools
VerifiedTrustedCommunity
Use when planning, executing, checkpointing, finishing, or inspecting lightweight spec-driven work. Runs one task at a time using `.spec/` markdown files and the bundled `specctl` helper. NOT for broad product discovery beyond a short requirement interview.
33SKILL.mdUpdated Jun 5, 2026
alexei-led/operating-infra
testing
VerifiedTrustedCommunity
Author, inspect, troubleshoot, and review infrastructure across IaC, Kubernetes, cloud resources, containers, CI/CD, and Linux hosts. Use when changing Terraform/OpenTofu, Kubernetes, Helm, Kustomize, Dockerfiles, GitHub Actions, AWS, GCP, Cloud Run, BigQuery, IAM, logs, instances, or service health. NOT for deploy/apply/rollback workflows (see deploying-infra). NOT for shell scripts or generic command pipelines (see writing-shell).
33SKILL.mdUpdated Jun 5, 2026
alexei-led/configuring-git-hygiene
development
VerifiedTrustedCommunity
Configure safe git workflow hygiene: pre-commit/pre-push hooks, Gitleaks secret scanning, .gitignore rules, local git config, and guardrails. Use when setting up git hooks, gitleaks/git leaks, staged pre-commit checks, pre-push validation, core.hooksPath, .gitignore, or git config best practices. NOT for creating commits (use committing-code), cleaning branches/worktrees (use cleanup-git), or creating worktrees (use using-git-worktrees).
33SKILL.mdUpdated Jun 5, 2026