skills/kubernetes-manifest-generator/SKILL.md
Kubernetes manifest and Helm chart generator for production workloads. Activate on: K8s config, Deployment YAML, HPA autoscaling, PodDisruptionBudget, Ingress rules, NetworkPolicy, Helm chart, Kustomize. NOT for: Docker image building (use docker-multi-stage-optimizer), IaC provisioning of clusters (use terraform-module-builder), CI/CD pipeline config (use github-actions-pipeline-builder).
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

```shell
npx skillsauth add curiositech/windags-skills kubernetes-manifest-generator
```
Expert in generating production-grade Kubernetes manifests, Helm charts, and Kustomize overlays with security and reliability built in.
Activate on: "Kubernetes manifest", "K8s YAML", "Helm chart", "HPA", "PodDisruptionBudget", "Ingress", "NetworkPolicy", "Kustomize", "deployment config", "service mesh", "resource limits"
NOT for: Docker image building → docker-multi-stage-optimizer | Cluster provisioning → terraform-module-builder | CI/CD → github-actions-pipeline-builder
| Domain | Technologies |
|--------|--------------|
| Workloads | Deployment, StatefulSet, DaemonSet, Job, CronJob |
| Autoscaling | HPA (CPU/memory/custom), VPA, KEDA event-driven |
| Networking | Ingress (nginx/traefik), Gateway API, NetworkPolicy, Service Mesh |
| Reliability | PDB, TopologySpreadConstraints, PriorityClasses, Pod Anti-Affinity |
| Packaging | Helm 3, Kustomize, Timoni (CUE-based) |
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .name }}
  labels:
    app.kubernetes.io/name: {{ .name }}
    app.kubernetes.io/version: {{ .version }}
spec:
  replicas: 3
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0 # Zero-downtime deploys
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ .name }}
  template:
    metadata:
      labels: # Must match spec.selector or the API server rejects the Deployment
        app.kubernetes.io/name: {{ .name }}
        app.kubernetes.io/version: {{ .version }}
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: {{ .name }}
          image: {{ .image }}
          securityContext: # Container-level hardening referenced in the anti-patterns below
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          livenessProbe:
            httpGet: { path: /healthz, port: 8080 }
            initialDelaySeconds: 10
          readinessProbe:
            httpGet: { path: /readyz, port: 8080 }
            initialDelaySeconds: 5
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: DoNotSchedule
          labelSelector: # Without a selector the constraint counts no pods and spreads nothing
            matchLabels:
              app.kubernetes.io/name: {{ .name }}
```
```text
HPA ensures enough pods exist for load:
  minReplicas: 3 → maxReplicas: 20
  ├─ CPU target: 70%
  └─ Custom metric: requests_per_second target 1000

PDB ensures enough pods survive disruptions:
  minAvailable: 2 (or maxUnavailable: 1)
  └─ Guarantees service during node drains, upgrades
```
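The HPA and PDB sketched above written out as manifests, added here as an example rather than taken from the skill's own templates; the workload name `api`, the `autoscaling/v2` Pods metric and a metrics adapter that exposes `requests_per_second` for the pods are assumptions.

```yaml
# Assumed workload name: api (must match the Deployment and its pod labels)
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: api
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: api
  minReplicas: 3
  maxReplicas: 20
  metrics:
    - type: Resource # CPU target 70% of the pods' requests
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Pods # Custom metric: assumes a custom-metrics adapter serves requests_per_second
      pods:
        metric:
          name: requests_per_second
        target:
          type: AverageValue
          averageValue: "1000"
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300 # Dampens flapping after a traffic spike
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: api
spec:
  minAvailable: 2 # Voluntary disruptions (drains, upgrades) keep at least 2 pods running
  selector:
    matchLabels:
      app.kubernetes.io/name: api
```

With `minReplicas: 3` and `minAvailable: 2` a node drain can evict only one pod at a time; if `minAvailable` ever equals the running replica count, drains block until the HPA scales up.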
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api-routes
spec:
  parentRefs:
    - name: main-gateway
  rules:
    - matches:
        - path: { type: PathPrefix, value: /api/v1 }
      backendRefs:
        - name: api-service
          port: 8080
          weight: 90
        - name: api-service-canary
          port: 8080
          weight: 10 # 10% canary traffic
```
Anti-patterns:

- `privileged: true` grants host-level access. Use `securityContext.runAsNonRoot: true` and drop all capabilities.
- `:latest` in production is non-reproducible. Use a digest or semver tag.

Production checklist:

- [ ] All containers have resource requests AND limits
- [ ] Liveness and readiness probes defined
- [ ] SecurityContext sets runAsNonRoot: true
- [ ] NetworkPolicy restricts ingress/egress
- [ ] PodDisruptionBudget defined for stateless workloads
- [ ] HPA configured with appropriate min/max replicas
- [ ] TopologySpreadConstraints for multi-zone resilience
- [ ] Image tags pinned (no :latest in prod)
- [ ] Labels follow app.kubernetes.io conventions
- [ ] Secrets mounted as volumes, not environment variables
- [ ] Helm chart passes `helm lint` and `helm template` validation
- [ ] Kustomize overlays tested for dev, staging, and prod
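For the checklist's NetworkPolicy item, a namespace-wide default deny followed by an allowlist for the workload, added here as an example and not part of the skill; the `api` and `gateway` namespaces, the `k8s-app: kube-dns` label on the cluster DNS pods and the `postgres` backend are assumptions.

```yaml
# Default deny: every pod in the namespace loses all ingress and egress until a policy allows it
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: api # assumed namespace
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Allowlist for the api workload only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow
  namespace: api
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: api
  policyTypes: [Ingress, Egress]
  ingress:
    - from: # Only the Gateway controller's namespace may reach the app port
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gateway # assumed namespace
      ports:
        - port: 8080
          protocol: TCP
  egress:
    - to: # Cluster DNS; the kube-dns label is the usual CoreDNS label (assumed)
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to: # Application database in the same namespace (assumed backend)
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: postgres
      ports:
        - port: 5432
          protocol: TCP
```

Because the deny policy blocks DNS egress too, forgetting the `kube-dns` rule is the most common reason a freshly locked-down workload fails its readiness probe.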