Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

sawrus/cluster-operations

Name: cluster-operations
Author: sawrus

areas/devops/kubernetes/skills/cluster-operations/SKILL.md

npx skillsauth add sawrus/agent-guides cluster-operations

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Skill: Cluster Operations

Expertise: Safe day-2 operations on self-hosted Kubernetes clusters — node drain, etcd ops, cert rotation.

When to load

When draining nodes for maintenance, rotating certificates, backing up etcd, or troubleshooting control plane issues.

Node Lifecycle Operations

# --- CORDON (stop scheduling new pods, don't evict existing) ---
kubectl cordon <node-name>
# Use case: pre-drain notification, temporary maintenance hold

# --- DRAIN (evict all pods, mark unschedulable) ---
kubectl drain <node-name> \
  --ignore-daemonsets \          # DaemonSet pods can't be evicted
  --delete-emptydir-data \       # required for pods using emptyDir
  --grace-period=60 \            # give pods time to shut down cleanly
  --timeout=300s                 # abort if takes > 5 minutes
# After drain: node is unschedulable and empty (except daemonsets)

# --- UNCORDON (return to service) ---
kubectl uncordon <node-name>

# --- Verify node is empty before maintenance ---
kubectl get pods -A --field-selector=spec.nodeName=<node-name>

etcd Backup (bare-metal / kubeadm)

# --- Take snapshot (run on a control plane node) ---
ETCDCTL_API=3 etcdctl snapshot save /backup/etcd-$(date +%Y%m%d-%H%M%S).db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
  --key=/etc/kubernetes/pki/etcd/healthcheck-client.key

# --- Verify snapshot ---
ETCDCTL_API=3 etcdctl snapshot status /backup/etcd-latest.db --write-out=table

# --- Restore snapshot (disaster recovery — only when cluster is down) ---
ETCDCTL_API=3 etcdctl snapshot restore /backup/etcd-latest.db \
  --data-dir=/var/lib/etcd-restored \
  --initial-cluster=master-1=https://192.168.1.10:2380 \
  --initial-advertise-peer-urls=https://192.168.1.10:2380 \
  --name=master-1
# Then update etcd static pod manifest to point to new data-dir

Certificate Rotation (kubeadm)

# --- Check certificate expiry ---
kubeadm certs check-expiration

# --- Renew all certificates (run on each control plane node) ---
kubeadm certs renew all

# --- Restart control plane components after renewal ---
# (kubeadm renews certs but doesn't restart static pods automatically)
for pod in kube-apiserver kube-controller-manager kube-scheduler; do
  kubectl -n kube-system delete pod -l component=$pod
done

# --- Update kubeconfig after cert renewal ---
cp /etc/kubernetes/admin.conf ~/.kube/config

Namespace Lifecycle

# --- Create namespace with standard labels ---
kubectl create namespace my-team-prod
kubectl label namespace my-team-prod \
  environment=production \
  team=my-team \
  pod-security.kubernetes.io/enforce=restricted

# --- Apply default NetworkPolicy and LimitRange immediately ---
kubectl apply -f infra/namespaces/defaults/ -n my-team-prod

# --- Safe namespace deletion (check for resources first) ---
kubectl get all -n <namespace-to-delete>
kubectl delete namespace <name>   # blocks until all resources are gone
# If stuck in Terminating:
kubectl get namespace <name> -o json | \
  jq '.spec.finalizers = []' | \
  kubectl replace --raw "/api/v1/namespaces/<name>/finalize" -f -

Control Plane Health Checks

# API server, scheduler, controller-manager
kubectl get componentstatuses       # deprecated in 1.19+ but still useful
kubectl get pods -n kube-system     # all system pods should be Running

# etcd cluster health
ETCDCTL_API=3 etcdctl endpoint health \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
  --key=/etc/kubernetes/pki/etcd/healthcheck-client.key

# Node conditions
kubectl describe nodes | grep -A5 "Conditions:"

Useful Aliases / One-liners

# All pods not Running
kubectl get pods -A --field-selector=status.phase!=Running,status.phase!=Succeeded

# Recent events by namespace
kubectl get events -n <ns> --sort-by='.lastTimestamp'

# Resource usage by namespace
kubectl top pods -A --sort-by=memory | head -20

# Find pods on a specific node
kubectl get pods -A -o wide | grep <node-name>

sawrus/cluster-operations

areas/devops/kubernetes/skills/cluster-operations/SKILL.md

Day-2 cluster operations — node management, etcd backup/restore, certificate rotation, namespace lifecycle.

12 stars

tools

Updated Apr 18, 2026

$ install --global

skillsauth

npx skillsauth add sawrus/agent-guides cluster-operations

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 18, 2026, 4:51 AM12.7s1 file scanned

SKILL.md

name:: cluster-operations
type:: skill
description:: Day-2 cluster operations — node management, etcd backup/restore, certificate rotation, namespace lifecycle.
allowed-tools:: Read, Bash

Skill: Cluster Operations

Expertise: Safe day-2 operations on self-hosted Kubernetes clusters — node drain, etcd ops, cert rotation.

When to load

When draining nodes for maintenance, rotating certificates, backing up etcd, or troubleshooting control plane issues.

Node Lifecycle Operations

# --- CORDON (stop scheduling new pods, don't evict existing) ---
kubectl cordon <node-name>
# Use case: pre-drain notification, temporary maintenance hold

# --- DRAIN (evict all pods, mark unschedulable) ---
kubectl drain <node-name> \
  --ignore-daemonsets \          # DaemonSet pods can't be evicted
  --delete-emptydir-data \       # required for pods using emptyDir
  --grace-period=60 \            # give pods time to shut down cleanly
  --timeout=300s                 # abort if takes > 5 minutes
# After drain: node is unschedulable and empty (except daemonsets)

# --- UNCORDON (return to service) ---
kubectl uncordon <node-name>

# --- Verify node is empty before maintenance ---
kubectl get pods -A --field-selector=spec.nodeName=<node-name>

etcd Backup (bare-metal / kubeadm)

# --- Take snapshot (run on a control plane node) ---
ETCDCTL_API=3 etcdctl snapshot save /backup/etcd-$(date +%Y%m%d-%H%M%S).db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
  --key=/etc/kubernetes/pki/etcd/healthcheck-client.key

# --- Verify snapshot ---
ETCDCTL_API=3 etcdctl snapshot status /backup/etcd-latest.db --write-out=table

# --- Restore snapshot (disaster recovery — only when cluster is down) ---
ETCDCTL_API=3 etcdctl snapshot restore /backup/etcd-latest.db \
  --data-dir=/var/lib/etcd-restored \
  --initial-cluster=master-1=https://192.168.1.10:2380 \
  --initial-advertise-peer-urls=https://192.168.1.10:2380 \
  --name=master-1
# Then update etcd static pod manifest to point to new data-dir

Certificate Rotation (kubeadm)

# --- Check certificate expiry ---
kubeadm certs check-expiration

# --- Renew all certificates (run on each control plane node) ---
kubeadm certs renew all

# --- Restart control plane components after renewal ---
# (kubeadm renews certs but doesn't restart static pods automatically)
for pod in kube-apiserver kube-controller-manager kube-scheduler; do
  kubectl -n kube-system delete pod -l component=$pod
done

# --- Update kubeconfig after cert renewal ---
cp /etc/kubernetes/admin.conf ~/.kube/config

Namespace Lifecycle

# --- Create namespace with standard labels ---
kubectl create namespace my-team-prod
kubectl label namespace my-team-prod \
  environment=production \
  team=my-team \
  pod-security.kubernetes.io/enforce=restricted

# --- Apply default NetworkPolicy and LimitRange immediately ---
kubectl apply -f infra/namespaces/defaults/ -n my-team-prod

# --- Safe namespace deletion (check for resources first) ---
kubectl get all -n <namespace-to-delete>
kubectl delete namespace <name>   # blocks until all resources are gone
# If stuck in Terminating:
kubectl get namespace <name> -o json | \
  jq '.spec.finalizers = []' | \
  kubectl replace --raw "/api/v1/namespaces/<name>/finalize" -f -

Control Plane Health Checks

# API server, scheduler, controller-manager
kubectl get componentstatuses       # deprecated in 1.19+ but still useful
kubectl get pods -n kube-system     # all system pods should be Running

# etcd cluster health
ETCDCTL_API=3 etcdctl endpoint health \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
  --key=/etc/kubernetes/pki/etcd/healthcheck-client.key

# Node conditions
kubectl describe nodes | grep -A5 "Conditions:"

Useful Aliases / One-liners

# All pods not Running
kubectl get pods -A --field-selector=status.phase!=Running,status.phase!=Succeeded

# Recent events by namespace
kubectl get events -n <ns> --sort-by='.lastTimestamp'

# Resource usage by namespace
kubectl top pods -A --sort-by=memory | head -20

# Find pods on a specific node
kubectl get pods -A -o wide | grep <node-name>

Related Skills

sawrus/qa_expert

testing

VerifiedTrustedCommunity

QA Expert for writing E2E tests, test scenarios, test plans, and ensuring test coverage quality.

12SKILL.mdUpdated Apr 18, 2026

sawrus/design_expert

development

VerifiedTrustedCommunity

Expert UI/UX design intelligence for creating distinctive, high-craft, and mobile-first interfaces. Focuses on premium aesthetics, touch-first ergonomics, and Flutter performance.

12SKILL.mdUpdated Apr 18, 2026

sawrus/code_review_expert

development

VerifiedTrustedCommunity

Code Review Expert for static analysis, security auditing, architecture review, and ensuring code quality standards.

12SKILL.mdUpdated Apr 18, 2026

sawrus/code_review_expert

sawrus/babysit-pr

development

VerifiedTrustedCommunity

Babysit a GitHub pull request after creation by continuously polling review comments, CI checks/workflow runs, and mergeability state until the PR is merged/closed or user help is required. Diagnose failures, retry likely flaky failures up to 3 times, auto-fix/push branch-related issues when appropriate, and keep watching open PRs so fresh review feedback is surfaced promptly. Use when the user asks Codex to monitor a PR, watch CI, handle review comments, or keep an eye on failures and feedback on an open PR.

12SKILL.mdUpdated Apr 18, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/sawrus/agent-guides.git

# Copy into Claude Code skills folder (global)
cp -r agent-guides/areas/devops/kubernetes/skills/cluster-operations ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

sawrus/agent-guides

12 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT