overthinkos/ov:test-k8s
ov/skills/test-k8s/SKILL.md
Kubernetes cluster probe verb — `ov test k8s <method>` for nodes, pods, ingress, storage class, addon health, apply/delete, and arbitrary resource GETs. Hermetic via vendored client-go; no external kubectl required.
tools
Updated Apr 27, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins ov:test-k8sInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 27, 2026, 9:45 AM53.3s1 file scanned
SKILL.md
- name:
- ov:test-k8s
- description:
- Kubernetes cluster probe verb — `ov test k8s <method>` for nodes, pods, ingress, storage class, addon health, apply/delete, and arbitrary resource GETs. Hermetic via vendored client-go; no external kubectl required.
- allowed-tools:
- Bash, Read
MUST be invoked before any work involving: ov test k8s commands,
cluster-readiness probes from test scripts, ingress / storage class
assertions, k3s default-addon health checks, or declarative k8s:
checks on tests: blocks in layer.yml.
Command surface
ov test k8s nodes # <name> <Ready|NotReady> per line
ov test k8s wait-nodes [--count=N] [--name=<host>] [--timeout=120s] # block until N (or named) Ready
ov test k8s pods [--namespace=<ns>] [--label=<sel>] # <ns>/<name> <phase> per line
ov test k8s wait-ready --kind <K> --name <N> [--namespace=<ns>] [--timeout=120s] # block until resource Ready
ov test k8s ingress [--namespace=<ns>] # <ns>/<name> class=<c> hosts=<h> backends=<b>
ov test k8s ingressclass # <name> default=<bool>
ov test k8s storageclass # <name> default=<bool>
ov test k8s service [--namespace=<ns>] # <ns>/<name> <type> <clusterIP> <externalIP>
ov test k8s lb-external-ip --namespace=<ns> --name=<svc> [--timeout=60s] # print assigned external IP
ov test k8s addons [--namespace=kube-system] [--timeout=180s] # roll-up: Traefik + ServiceLB + local-path all Ready
ov test k8s apply --file=<manifest.yaml> [--namespace=<ns>] # apply multi-doc YAML via dynamic client
ov test k8s delete --file=<manifest.yaml> [--namespace=<ns>] # delete resources from manifest
ov test k8s raw --resource=<plural> [--group=<g>] [--version=v1] [--name=<n>] [--namespace=<ns>]
Cluster selection
Every verb accepts the same three cluster-selection flags, resolved in this precedence:
--kubeconfig <path>— direct kubeconfig file pointer. Overrides everything.--cluster <name>— a ClusterProfile name (~/.config/ov/clusters/<name>.yamlor./clusters/<name>.yaml). The profile'skubeconfig_context:selects the context; kubeconfig path defaults to$KUBECONFIGthen~/.kube/config.--context <name>— override the kubeconfig context directly.- Neither given → current-context of the default kubeconfig
(matches
kubectlwith no flags).
ov deploy add vm:k3s-srv (or any deploy whose layers include
k3s-server) automatically writes a ClusterProfile named after the
deploy, so after provisioning you can do:
ov test k8s nodes --cluster k3s-srv
ov test k8s addons --cluster k3s-srv
Declarative k8s: checks on layer tests
The verb is also callable from a layer's tests: block via the k8s:
discriminator field on Check. Every subcommand above maps to a method
name; shared modifiers (name:, namespace:, cluster:, timeout:,
kubeconfig:, k8s_kind:, k8s_count:, manifest:, k8s_resource:,
k8s_group:, k8s_version:) are available.
Example from layers/k3s-server/layer.yml:
tests:
- id: cluster-nodes-ready
scope: deploy
k8s: wait-nodes
cluster: "${deploy_name}"
k8s_count: 1
timeout: 180s
stdout: { contains: "Ready" }
- id: traefik-ingressclass
scope: deploy
k8s: ingressclass
cluster: "${deploy_name}"
stdout: { contains: "traefik" }
- id: addons-healthy
scope: deploy
k8s: addons
cluster: "${deploy_name}"
timeout: 240s
wait-nodes with name: set matches a single specific node (used by
k3s-agent's join-confirmation test). Without name:, it waits until
k8s_count: nodes are Ready.
Method notes
- apply / delete — limited to the kinds in
kindToPluralResource()ink8s_cmd.go. Static table by design; adding a new kind is a one-line addition, avoiding the RESTMapper discovery bloat. Documents without a namespace inherit--namespace. - raw — escape hatch for any resource not covered by the named
verbs.
ov test k8s raw --resource nodeslists nodes;ov test k8s raw --resource configmaps -n kube-system --name fooprints one ConfigMap as JSON. - addons — assumes the stock k3s addon stack (Traefik, ServiceLB,
local-path-provisioner) in
kube-system. Explicitdisable:in a k3s-server layer will cause this method to fail — the failure is intentional since the test speaks to "default k3s stack healthy". - lb-external-ip — polls
.status.loadBalancer.ingress[].ip/[].hostnameuntil one appears; for k3s this is ServiceLB (klipper-lb) advertising the host's node IP.
Implementation
ov/k8s_cmd.go— the 13K8s<Method>Cmdstructs + sharedk8sClusterFlags. Dynamic-client viak8s.io/client-go/dynamic+unstructuredwalkers, no typed clientset (keeps binary bloat ~5-8 MB instead of ~15 MB with the typed clients).ov/testspec.go:55+—K8sdiscriminator onCheckplus the shared resource-identity modifiers (Name,Namespace,Label,Cluster,Manifest,K8sKind,K8sContext,Kubeconfig,K8sCount,K8sResource,K8sGroup,K8sVersion).ov/testrun_ov_verbs.go—k8sMethodstable +runK8sdispatcherposK8s*flag builders. Matches the existingrunLibvirt/runSpicesubprocess-delegation pattern.
ov/k8s_config.go:162 LoadClusterProfile— how--cluster <name>resolves to a kubeconfig + context.
Related Skills
overthinkos/charly
tools
VerifiedTrustedCommunity
OpenCharly CLI (charly) binary installed into container/VM images for in-container use. Use when working with charly binary deployment inside containers, native D-Bus support, or the full charly toolchain (charly binary + virtualization + gocryptfs + socat).
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-cachyos
development
VerifiedTrustedCommunity
Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 candies) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the charly-cachyos workstation profile.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-fedora
tools
VerifiedTrustedCommunity
Fedora box with the full charly toolchain using shared candies. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same candy list as charly-arch. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-fedora box.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-arch
tools
VerifiedTrustedCommunity
Arch Linux box with the full charly toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /charly-coder:charly-mcp so the box is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-arch box.
SKILL.mdUpdated Jun 10, 2026