Generate Production-Ready Kubernetes Manifests
Expert skill for generating production-ready Kubernetes YAML manifests with security best practices, resource limits, health checks, and operational excellence
Why it matters
Automate the creation of secure, reliable, and production-ready Kubernetes manifests. This asset ensures adherence to best practices for resource organization, security, and operational excellence.
Outcomes
What it gets done
Generate Deployment manifests with resource requests, limits, and health checks.
Create Service and Ingress configurations for network exposure and TLS.
Manage application settings via ConfigMaps and sensitive data with Secrets.
Implement Horizontal Pod Autoscalers and Resource Quotas for scalability and control.
Install
Add it to your toolbox
Run in your project directory:
curl -fsSL https://spark.entire.vc/get/vb-kubernetes-manifest-creator | bash
Capabilities
What this skill does
Writes source code or scripts from a description.
Runs build pipelines, tests, and deploys to environments.
Stores, rotates, and injects API keys and credentials.
Analyzes code for bugs, style issues, and improvements.
Overview
Kubernetes Manifest Creator
What it does
A specialized AI skill that generates production-ready Kubernetes manifests following security best practices and operational standards
How it connects
When you need to create or template Kubernetes YAML configurations for Deployments, Services, Ingress, ConfigMaps, Secrets, HorizontalPodAutoscalers, NetworkPolicies, or ResourceQuotas with proper security contexts, resource limits, and health probes
Source README
Kubernetes Manifest Creator
You are an expert in creating production-ready Kubernetes manifests with deep knowledge of Kubernetes resources, best practices, security considerations, and operational excellence. You create well-structured, secure, and maintainable YAML manifests that follow industry standards.
Core Principles
Resource Organization
- Use consistent naming conventions with environment prefixes
- Apply comprehensive labels and annotations for organization and monitoring
- Group related resources logically using namespaces
- Implement proper resource quotas and limits
Security First
- Never run containers as root (set securityContext)
- Use least-privilege service accounts
- Implement network policies for traffic control
- Configure pod security standards appropriately
- Use secrets for sensitive data, never hardcode credentials
Reliability and Operations
- Define resource requests and limits for all containers
- Configure appropriate health checks (liveness, readiness, startup probes)
- Set up horizontal pod autoscaling when applicable
- Use anti-affinity rules for high availability
Deployment Manifests
Standard Application Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp-prod
  namespace: production
  labels:
    app: webapp
    version: v1.2.3
    environment: production
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: webapp
      environment: production
  template:
    metadata:
      labels:
        app: webapp
        version: v1.2.3
        environment: production
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
    spec:
      serviceAccountName: webapp-sa
      # Pod-level defaults; container-level securityContext below overrides shared fields
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        fsGroup: 1001
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - webapp
              topologyKey: kubernetes.io/hostname
      containers:
      - name: webapp
        image: myregistry/webapp:v1.2.3
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
          name: http
          protocol: TCP
        env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: webapp-secrets
              key: database-url
        - name: ENVIRONMENT
          value: "production"
        resources:
          requests:
            memory: "256Mi"
            cpu: "250m"
          limits:
            memory: "512Mi"
            cpu: "500m"
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
          timeoutSeconds: 3
          failureThreshold: 2
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        # Writable scratch space is mounted explicitly because the root filesystem is read-only
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: cache
          mountPath: /app/cache
      volumes:
      - name: tmp
        emptyDir: {}
      - name: cache
        emptyDir:
          sizeLimit: 1Gi
Service and Networking
Service Configuration
apiVersion: v1
kind: Service
metadata:
  name: webapp-service
  namespace: production
  labels:
    app: webapp
    environment: production
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  selector:
    app: webapp
    environment: production
  ports:
  - port: 80
    targetPort: http
    protocol: TCP
    name: http
  sessionAffinity: None
Ingress with TLS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp-ingress
  namespace: production
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - webapp.example.com
    secretName: webapp-tls
  rules:
  - host: webapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: webapp-service
            port:
              number: 80
Configuration and Secrets
ConfigMap for Application Settings
apiVersion: v1
kind: ConfigMap
metadata:
  name: webapp-config
  namespace: production
  labels:
    app: webapp
    environment: production
data:
  app.properties: |
    server.port=8080
    logging.level.root=INFO
    cache.ttl=3600
  nginx.conf: |
    upstream backend {
      server localhost:8080;
    }
    server {
      listen 80;
      location / {
        proxy_pass http://backend;
      }
    }
Secret Management
apiVersion: v1
kind: Secret
metadata:
  name: webapp-secrets
  namespace: production
  labels:
    app: webapp
    environment: production
type: Opaque
data:
  database-url: <base64-encoded-value>
  api-key: <base64-encoded-value>
Resource Management
Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: webapp-hpa
  namespace: production
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: webapp-prod
  minReplicas: 3
  maxReplicas: 20
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 80
  behavior:
    scaleUp:
      stabilizationWindowSeconds: 60
      policies:
      - type: Percent
        value: 50
        periodSeconds: 60
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
      - type: Percent
        value: 10
        periodSeconds: 60
Resource Quotas
apiVersion: v1
kind: ResourceQuota
metadata:
  name: production-quota
  namespace: production
spec:
  hard:
    requests.cpu: "20"
    requests.memory: 40Gi
    limits.cpu: "40"
    limits.memory: 80Gi
    persistentvolumeclaims: "10"
    pods: "50"
    secrets: "20"
    configmaps: "20"
    services: "10"
Security Policies
Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: webapp-netpol
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: webapp
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    - podSelector:
        matchLabels:
          app: monitoring
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: database
    ports:
    - protocol: TCP
      port: 5432
  # Empty "to" matches any destination: HTTPS out and DNS resolution
  - to: []
    ports:
    - protocol: TCP
      port: 443
    - protocol: UDP
      port: 53
Best Practices Checklist
Manifest Quality
- Always specify resource requests and limits
- Use specific image tags, never ":latest" in production
- Implement comprehensive health checks
- Set appropriate security contexts
- Use multi-document YAML files with "---" separators
- Validate manifests with kubectl apply --dry-run=client -f <manifest.yaml> (schema checks only; use --dry-run=server to also exercise admission controllers)
Operational Excellence
- Include monitoring annotations for Prometheus
- Set up proper logging configuration
- Configure appropriate pod disruption budgets
- Use init containers for setup tasks
- Implement graceful shutdown handling
- Plan for backup and disaster recovery
Security Hardening
- Run containers as non-root users
- Use read-only root filesystems where possible
- Drop all unnecessary Linux capabilities
- Implement pod security policies or pod security standards
- Use service mesh for advanced traffic management
- Regularly scan container images for vulnerabilities
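The Manifest Quality and Security Hardening items above can be enforced automatically before a manifest reaches a cluster. The following is an added example, not part of the skill's own code: it audits the pod template of a Deployment (already parsed into a dict, here from a constructed JSON sample that deliberately violates several items) and reports every checklist item it fails. Loading from YAML with a library such as PyYAML would produce the same dict.

```python
import json

# Constructed sample (not from the page): a Deployment that violates several
# checklist items (":latest" tag, no limits, no readiness probe, escalation allowed).
SAMPLE_DEPLOYMENT = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "webapp-prod", "namespace": "production"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsNonRoot": true},
   "containers": [{
     "name": "webapp", "image": "myregistry/webapp:latest",
     "resources": {"requests": {"cpu": "250m", "memory": "256Mi"}},
     "livenessProbe": {"httpGet": {"path": "/health", "port": 8080}},
     "securityContext": {"allowPrivilegeEscalation": true,
                         "capabilities": {"drop": ["NET_RAW"]}}}]}}}}
""")

def audit_deployment(manifest: dict) -> list[str]:
    """One finding per violated checklist item; an empty list means the pod spec is clean."""
    findings = []
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        last = image.rsplit("/", 1)[-1]          # final path component holds the tag
        tag = last.rsplit(":", 1)[1] if ":" in last else ""
        if "@sha256:" not in image and tag in ("", "latest"):
            findings.append(f"{name}: image '{image}' is not pinned to a tag or digest")
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in res.get(kind, {}):
                    findings.append(f"{name}: missing resources.{kind}.{r}")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{name}: missing {probe}")
        # Container-level securityContext overrides pod-level for shared fields.
        sc = c.get("securityContext", {})
        if {**pod_sc, **sc}.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        for key, want in (("allowPrivilegeEscalation", False), ("readOnlyRootFilesystem", True)):
            if sc.get(key) is not want:
                findings.append(f"{name}: securityContext.{key} is not {want}")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_deployment(SAMPLE_DEPLOYMENT)) or "clean")
```

Run against the sample it reports seven findings; applied to the hardened Deployment shown earlier on this page it reports none, so a non-empty result is a natural CI gate before kubectl apply.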