Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apecloud/kubeblocks-expose-service

Name: kubeblocks-expose-service
Author: apecloud

skills/kubeblocks-expose-service/SKILL.md

npx skillsauth add apecloud/kubeblocks-skills kubeblocks-expose-service

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Expose Database Service Externally

Overview

By default, KubeBlocks database clusters are only accessible within the Kubernetes cluster. Use the Expose OpsRequest to create external-facing services via LoadBalancer or NodePort, allowing access from outside the cluster.

Official docs: https://kubeblocks.io/docs/preview/user_docs/connect-databases/expose-database-service

Pre-Check

Before proceeding, verify the cluster is healthy and no other operation is running:

# Cluster must be Running
kubectl get cluster <cluster-name> -n <namespace> -o jsonpath='{.status.phase}'

# No pending OpsRequests
kubectl get opsrequest -n <namespace> -l app.kubernetes.io/instance=<cluster-name> --field-selector=status.phase!=Succeed

If the cluster is not Running or has a pending OpsRequest, wait for it to complete before proceeding.

Check current services for the cluster:

kubectl get svc -n <namespace> -l app.kubernetes.io/instance=<cluster-name>

Workflow

- [ ] Step 1: Choose exposure method
- [ ] Step 2: Create Expose OpsRequest
- [ ] Step 3: Verify external service
- [ ] Step 4: Connect from outside

Step 1: Choose Exposure Method

| Method | Use Case | Requirements | |--------|----------|-------------| | LoadBalancer | Cloud environments (AWS, Azure, GCP, Alibaba) | Cloud LB controller | | NodePort | On-premises or local clusters | None |

Step 2: Create Expose OpsRequest

Enable External Access

apiVersion: operations.kubeblocks.io/v1alpha1
kind: OpsRequest
metadata:
  name: <cluster>-expose
  namespace: <ns>
spec:
  clusterName: <cluster>
  type: Expose
  expose:
  - componentName: <component>
    switch: Enable
    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer

switch: Enable to create the service, Disable to remove it
roleSelector: primary exposes only the primary node (recommended for writes)
serviceType: LoadBalancer or NodePort

Cloud Provider Annotations

Add annotations for cloud-specific load balancer configuration:

AWS (Network Load Balancer):

    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: nlb
        service.beta.kubernetes.io/aws-load-balancer-internal: "false"

Azure:

    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer
      annotations:
        service.beta.kubernetes.io/azure-load-balancer-internal: "false"

GCP:

    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer
      annotations:
        networking.gke.io/load-balancer-type: External

Alibaba Cloud:

    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: internet

NodePort (for local / on-premises clusters)

    services:
    - name: <cluster>-<component>-nodeport
      roleSelector: primary
      serviceType: NodePort

Before applying, validate with dry-run:

kubectl apply -f expose-ops.yaml --dry-run=server

If dry-run reports errors, fix the YAML before proceeding.

Apply it:

kubectl apply -f expose-ops.yaml
kubectl get ops <cluster>-expose -n <ns> -w

Success condition: .status.phase = Succeed | Typical: 1-2min | If stuck >5min: kubectl describe ops <cluster>-expose -n <ns>

Disable External Access

apiVersion: operations.kubeblocks.io/v1alpha1
kind: OpsRequest
metadata:
  name: <cluster>-unexpose
  namespace: <ns>
spec:
  clusterName: <cluster>
  type: Expose
  expose:
  - componentName: <component>
    switch: Disable
    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer

Step 3: Verify External Service

kubectl get svc -n <ns> | grep internet

Expected output (LoadBalancer):

mycluster-mysql-internet   LoadBalancer   10.96.x.x   a1b2c3.elb.amazonaws.com   3306:30123/TCP   2m

Wait for the EXTERNAL-IP to be assigned (may take 1-2 minutes on cloud providers).

For NodePort:

kubectl get svc -n <ns> | grep nodeport

mycluster-mysql-nodeport   NodePort   10.96.x.x   <none>   3306:31234/TCP   2m

Step 4: Connect from Outside

LoadBalancer

# MySQL
mysql -h <EXTERNAL-IP> -P 3306 -u root -p

# PostgreSQL
psql -h <EXTERNAL-IP> -p 5432 -U postgres

# Redis
redis-cli -h <EXTERNAL-IP> -p 6379 -a <password>

# MongoDB
mongosh mongodb://<user>:<password>@<EXTERNAL-IP>:27017

NodePort

# Use any node's IP + the assigned NodePort
mysql -h <NODE-IP> -P <NODE-PORT> -u root -p

Get a node's IP:

kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="ExternalIP")].address}'

Troubleshooting

LoadBalancer EXTERNAL-IP stuck in <pending>:

Ensure cloud LB controller is running
Check cloud provider quotas
For local clusters, use MetalLB or switch to NodePort

Connection timeout:

Check security groups / firewall rules on the cloud provider
Verify the service is pointing to a healthy pod: kubectl describe svc <svc-name> -n <ns>
Ensure the database is listening on the exposed port

Additional Resources

For complete cloud provider annotations, exposing read replicas, local development without cloud LB (MetalLB, port-forward), and security considerations, see reference.md.

For general agent safety conventions (dry-run, status confirmation, production protection), see safety-patterns.md.

apecloud/kubeblocks-expose-service

skills/kubeblocks-expose-service/SKILL.md

Expose KubeBlocks database clusters externally via LoadBalancer or NodePort services using the Expose OpsRequest. Includes cloud-specific annotations for AWS NLB, Azure LB, GCP, and Alibaba Cloud. Use when the user wants to access the database from outside the Kubernetes cluster, expose a service externally, set up external connectivity, or create a public endpoint. NOT for configuring internal ClusterIP services (default behavior) or setting up TLS for connections (see configure-tls).

2 stars

testing

Updated Apr 18, 2026

$ install --global

skillsauth

npx skillsauth add apecloud/kubeblocks-skills kubeblocks-expose-service

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 18, 2026, 8:00 AM24.2s2 files scanned

SKILL.md

name:: kubeblocks-expose-service
version:: 0.1.0
description:: Expose KubeBlocks database clusters externally via LoadBalancer or NodePort services using the Expose OpsRequest. Includes cloud-specific annotations for AWS NLB, Azure LB, GCP, and Alibaba Cloud. Use when the user wants to access the database from outside the Kubernetes cluster, expose a service externally, set up external connectivity, or create a public endpoint. NOT for configuring internal ClusterIP services (default behavior) or setting up TLS for connections (see configure-tls).

Expose Database Service Externally

Overview

Official docs: https://kubeblocks.io/docs/preview/user_docs/connect-databases/expose-database-service

Pre-Check

Before proceeding, verify the cluster is healthy and no other operation is running:

# Cluster must be Running
kubectl get cluster <cluster-name> -n <namespace> -o jsonpath='{.status.phase}'

# No pending OpsRequests
kubectl get opsrequest -n <namespace> -l app.kubernetes.io/instance=<cluster-name> --field-selector=status.phase!=Succeed

If the cluster is not Running or has a pending OpsRequest, wait for it to complete before proceeding.

Check current services for the cluster:

kubectl get svc -n <namespace> -l app.kubernetes.io/instance=<cluster-name>

Workflow

- [ ] Step 1: Choose exposure method
- [ ] Step 2: Create Expose OpsRequest
- [ ] Step 3: Verify external service
- [ ] Step 4: Connect from outside

Step 1: Choose Exposure Method

Step 2: Create Expose OpsRequest

Enable External Access

apiVersion: operations.kubeblocks.io/v1alpha1
kind: OpsRequest
metadata:
  name: <cluster>-expose
  namespace: <ns>
spec:
  clusterName: <cluster>
  type: Expose
  expose:
  - componentName: <component>
    switch: Enable
    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer

switch: Enable to create the service, Disable to remove it
roleSelector: primary exposes only the primary node (recommended for writes)
serviceType: LoadBalancer or NodePort

Cloud Provider Annotations

Add annotations for cloud-specific load balancer configuration:

AWS (Network Load Balancer):

    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: nlb
        service.beta.kubernetes.io/aws-load-balancer-internal: "false"

Azure:

    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer
      annotations:
        service.beta.kubernetes.io/azure-load-balancer-internal: "false"

GCP:

    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer
      annotations:
        networking.gke.io/load-balancer-type: External

Alibaba Cloud:

    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: internet

NodePort (for local / on-premises clusters)

    services:
    - name: <cluster>-<component>-nodeport
      roleSelector: primary
      serviceType: NodePort

Before applying, validate with dry-run:

kubectl apply -f expose-ops.yaml --dry-run=server

If dry-run reports errors, fix the YAML before proceeding.

Apply it:

kubectl apply -f expose-ops.yaml
kubectl get ops <cluster>-expose -n <ns> -w

Success condition: .status.phase = Succeed | Typical: 1-2min | If stuck >5min: kubectl describe ops <cluster>-expose -n <ns>

Disable External Access

apiVersion: operations.kubeblocks.io/v1alpha1
kind: OpsRequest
metadata:
  name: <cluster>-unexpose
  namespace: <ns>
spec:
  clusterName: <cluster>
  type: Expose
  expose:
  - componentName: <component>
    switch: Disable
    services:
    - name: <cluster>-<component>-internet
      roleSelector: primary
      serviceType: LoadBalancer

Step 3: Verify External Service

kubectl get svc -n <ns> | grep internet

Expected output (LoadBalancer):

mycluster-mysql-internet   LoadBalancer   10.96.x.x   a1b2c3.elb.amazonaws.com   3306:30123/TCP   2m

Wait for the EXTERNAL-IP to be assigned (may take 1-2 minutes on cloud providers).

For NodePort:

kubectl get svc -n <ns> | grep nodeport

mycluster-mysql-nodeport   NodePort   10.96.x.x   <none>   3306:31234/TCP   2m

Step 4: Connect from Outside

LoadBalancer

# MySQL
mysql -h <EXTERNAL-IP> -P 3306 -u root -p

# PostgreSQL
psql -h <EXTERNAL-IP> -p 5432 -U postgres

# Redis
redis-cli -h <EXTERNAL-IP> -p 6379 -a <password>

# MongoDB
mongosh mongodb://<user>:<password>@<EXTERNAL-IP>:27017

NodePort

# Use any node's IP + the assigned NodePort
mysql -h <NODE-IP> -P <NODE-PORT> -u root -p

Get a node's IP:

kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="ExternalIP")].address}'

Troubleshooting

LoadBalancer EXTERNAL-IP stuck in <pending>:

Ensure cloud LB controller is running
Check cloud provider quotas
For local clusters, use MetalLB or switch to NodePort

Connection timeout:

Check security groups / firewall rules on the cloud provider
Verify the service is pointing to a healthy pod: kubectl describe svc <svc-name> -n <ns>
Ensure the database is listening on the exposed port

Additional Resources

For complete cloud provider annotations, exposing read replicas, local development without cloud LB (MetalLB, port-forward), and security considerations, see reference.md.

For general agent safety conventions (dry-run, status confirmation, production protection), see safety-patterns.md.

Related Skills

apecloud/kubeblocks-volume-expansion

devops

VerifiedTrustedCommunity

Expand persistent volume storage for KubeBlocks database clusters via OpsRequest. Requires the StorageClass to support volume expansion (allowVolumeExpansion=true). Use when the user needs more disk space, wants to increase storage, expand volumes, or resize PVCs. NOT for changing CPU/memory (see vertical-scaling) or adding more replicas (see horizontal-scaling). Note that volume shrinking is not supported by Kubernetes.

2SKILL.mdUpdated Apr 18, 2026

apecloud/kubeblocks-volume-expansion

apecloud/kubeblocks-vertical-scaling

data-ai

VerifiedTrustedCommunity

Scale CPU and memory resources for KubeBlocks database clusters via OpsRequest (vertical scaling). Supports in-place updates when the feature gate is enabled. Use when the user wants to change, increase, decrease, resize, or adjust CPU or memory resources of a database cluster. NOT for adding/removing replicas or shards (see horizontal-scaling) or expanding disk storage (see volume-expansion).

2SKILL.mdUpdated Apr 18, 2026

apecloud/kubeblocks-vertical-scaling

apecloud/kubeblocks-upgrade

data-ai

VerifiedTrustedCommunity

Upgrade the KubeBlocks operator itself via Helm. Covers update operator, upgrade to v1.0, update kubeblocks version, and CRD updates. Use when the user wants to upgrade KubeBlocks, update the operator, or upgrade to a new KubeBlocks release. NOT for upgrading database engine versions (see minor-version-upgrade).

2SKILL.mdUpdated Apr 18, 2026

apecloud/kubeblocks-upgrade

apecloud/kubeblocks-troubleshoot

development

VerifiedTrustedCommunity

Diagnostic guide for KubeBlocks-managed database clusters. Use when the user reports troubleshoot, debug, diagnose, not working, error, failed, stuck, CrashLoopBackOff, cluster exception, or similar problems with their database cluster. This skill guides the agent through diagnostic steps — it does NOT perform actions.

2SKILL.mdUpdated Apr 18, 2026

apecloud/kubeblocks-troubleshoot

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apecloud/kubeblocks-skills.git

# Copy into Claude Code skills folder (global)
cp -r kubeblocks-skills/skills/kubeblocks-expose-service ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apecloud/kubeblocks-skills

2 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT