overthinkos/ov:test-k8s
ov-advanced/skills/eval-k8s/SKILL.md
Kubernetes cluster probe verb — `ov eval k8s <method>` for nodes, pods, ingress, storage class, addon health, apply/delete, and arbitrary resource GETs. Hermetic via vendored client-go; no external kubectl required.
tools
Updated May 10, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins ov:test-k8sInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 10, 2026, 5:16 AM129.7s1 file scanned
SKILL.md
- name:
- ov:test-k8s
- description:
- Kubernetes cluster probe verb — `ov eval k8s <method>` for nodes, pods, ingress, storage class, addon health, apply/delete, and arbitrary resource GETs. Hermetic via vendored client-go; no external kubectl required.
- allowed-tools:
- Bash, Read
MUST be invoked before any work involving: ov eval k8s commands,
cluster-readiness probes from test scripts, ingress / storage class
assertions, k3s default-addon health checks, or declarative k8s:
checks on eval: blocks in layer.yml.
Command surface
ov eval k8s nodes # <name> <Ready|NotReady> per line
ov eval k8s wait-nodes [--count=N] [--name=<host>] [--timeout=120s] # block until N (or named) Ready
ov eval k8s pods [--namespace=<ns>] [--label=<sel>] # <ns>/<name> <phase> per line
ov eval k8s wait-ready --kind <K> --name <N> [--namespace=<ns>] [--timeout=120s] # block until resource Ready
ov eval k8s ingress [--namespace=<ns>] # <ns>/<name> class=<c> hosts=<h> backends=<b>
ov eval k8s ingressclass # <name> default=<bool>
ov eval k8s storageclass # <name> default=<bool>
ov eval k8s service [--namespace=<ns>] # <ns>/<name> <type> <clusterIP> <externalIP>
ov eval k8s lb-external-ip --namespace=<ns> --name=<svc> [--timeout=60s] # print assigned external IP
ov eval k8s addons [--namespace=kube-system] [--timeout=180s] # roll-up: Traefik + ServiceLB + local-path all Ready
ov eval k8s apply --file=<manifest.yaml> [--namespace=<ns>] # apply multi-doc YAML via dynamic client
ov eval k8s delete --file=<manifest.yaml> [--namespace=<ns>] # delete resources from manifest
ov eval k8s raw --resource=<plural> [--group=<g>] [--version=v1] [--name=<n>] [--namespace=<ns>]
Cluster selection
Every verb accepts the same three cluster-selection flags, resolved in this precedence:
--kubeconfig <path>— direct kubeconfig file pointer. Overrides everything.--cluster <name>— a ClusterProfile name (~/.config/ov/clusters/<name>.yamlor./clusters/<name>.yaml). The profile'skubeconfig_context:selects the context; kubeconfig path defaults to$KUBECONFIGthen~/.kube/config.--context <name>— override the kubeconfig context directly.- Neither given → current-context of the default kubeconfig
(matches
kubectlwith no flags).
ov deploy add vm:k3s-srv (or any deploy whose layers include
k3s-server) automatically writes a ClusterProfile named after the
deploy, so after provisioning you can do:
ov eval k8s nodes --cluster k3s-srv
ov eval k8s addons --cluster k3s-srv
Declarative k8s: checks on layer tests
The verb is also callable from a layer's eval: block via the k8s:
discriminator field on Check. Every subcommand above maps to a method
name; shared modifiers (name:, namespace:, cluster:, timeout:,
kubeconfig:, k8s_kind:, k8s_count:, manifest:, k8s_resource:,
k8s_group:, k8s_version:) are available.
Example from layers/k3s-server/layer.yml:
eval:
- id: cluster-nodes-ready
scope: deploy
k8s: wait-nodes
cluster: "${deploy_name}"
k8s_count: 1
timeout: 180s
stdout: { contains: "Ready" }
- id: traefik-ingressclass
scope: deploy
k8s: ingressclass
cluster: "${deploy_name}"
stdout: { contains: "traefik" }
- id: addons-healthy
scope: deploy
k8s: addons
cluster: "${deploy_name}"
timeout: 240s
wait-nodes with name: set matches a single specific node (used by
k3s-agent's join-confirmation test). Without name:, it waits until
k8s_count: nodes are Ready.
Method notes
- apply / delete — limited to the kinds in
kindToPluralResource()ink8s_cmd.go. Static table by design; adding a new kind is a one-line addition, avoiding the RESTMapper discovery bloat. Documents without a namespace inherit--namespace. - raw — escape hatch for any resource not covered by the named
verbs.
ov eval k8s raw --resource nodeslists nodes;ov eval k8s raw --resource configmaps -n kube-system --name fooprints one ConfigMap as JSON. - addons — assumes the stock k3s addon stack (Traefik, ServiceLB,
local-path-provisioner) in
kube-system. Explicitdisable:in a k3s-server layer will cause this method to fail — the failure is intentional since the test speaks to "default k3s stack healthy". - lb-external-ip — polls
.status.loadBalancer.ingress[].ip/[].hostnameuntil one appears; for k3s this is ServiceLB (klipper-lb) advertising the host's node IP.
Implementation
ov/k8s_cmd.go— the 13K8s<Method>Cmdstructs + sharedk8sClusterFlags. Dynamic-client viak8s.io/client-go/dynamic+unstructuredwalkers, no typed clientset (keeps binary bloat ~5-8 MB instead of ~15 MB with the typed clients).ov/testspec.go:55+—K8sdiscriminator onCheckplus the shared resource-identity modifiers (Name,Namespace,Label,Cluster,Manifest,K8sKind,K8sContext,Kubeconfig,K8sCount,K8sResource,K8sGroup,K8sVersion).ov/testrun_ov_verbs.go—k8sMethodstable +runK8sdispatcherposK8s*flag builders. Matches the existingrunLibvirt/runSpicesubprocess-delegation pattern.
ov/k8s_config.go:162 LoadClusterProfile— how--cluster <name>resolves to a kubeconfig + context.
Related Skills
overthinkos/agents
development
VerifiedTrustedCommunity
Claude Code multi-agent support in Overthink — sub-agents, dynamic workflows, and agent teams, and how each drives the existing `ov eval` disposable beds to test and verify. MUST be invoked before authoring or invoking an ov sub-agent / dynamic workflow / agent team, wiring agent-lifecycle hooks, or asking "which primitive should drive the R10 beds?".
SKILL.mdUpdated May 31, 2026
overthinkos/workspace-mount
tools
VerifiedTrustedCommunity
Mounts a virtiofs share tagged `workspace` at /workspace inside a VM guest via a systemd .mount unit. Use when a kind:vm entity shares a host directory into the guest and you need it auto-mounted (and re-mounted at every boot).
SKILL.mdUpdated May 30, 2026
overthinkos/android
development
VerifiedTrustedCommunity
MUST be invoked before any work involving: the `kind: android` schema kind, a `target: android` deploy, the `apk:` layer package format (installing Android apps declaratively), AndroidDeployTarget, an in-pod emulator OR a remote/physical adb-endpoint device, or nested `pod → android` deployment. The first-class Android device + app surface that sits above `ov eval adb`/`appium`.
SKILL.mdUpdated May 26, 2026
overthinkos/git-workflow
tools
VerifiedTrustedCommunity
Use when committing, branching, pushing, merging, tagging, creating PRs, or approving/merging PRs with gh — the feat/-branch, R10-gated, never-force-push landing workflow across the main repo + the plugins submodule + image/<distro> submodules. Covers sync-to-upstream, branch/worktree pruning, the fork+PR path for contributors without write access, and cross-repo @github landing order.
SKILL.mdUpdated May 25, 2026