kubernetes-devops

WHAT: Kubernetes manifest generation - Deployments, StatefulSets, CronJobs, Services, Ingresses, ConfigMaps, Secrets, and PVCs with production-grade security and health checks.

WHEN: User needs to create K8s manifests, deploy containers, configure Services/Ingress, manage ConfigMaps/Secrets, set up persistent storage, or organize multi-environment configs.

KEYWORDS: kubernetes, k8s, manifest, deployment, statefulset, cronjob, service, ingress, configmap, secret, pvc, pod, container, yaml, kustomize, helm, namespace, probe, security context

Install via ClawdBot CLI:

```bash
clawdbot install wpank/kubernetes-devops
```

Production-ready Kubernetes manifest generation covering Deployments, StatefulSets, CronJobs, Services, Ingresses, ConfigMaps, Secrets, and PVCs with security contexts, health checks, and resource management.

```bash
npx clawhub@latest install kubernetes
```
| Scenario | Example |
|----------|---------|
| Create deployment manifests | New microservice needing Deployment + Service |
| Define networking resources | ClusterIP, LoadBalancer, Ingress with TLS |
| Manage configuration | ConfigMaps for app config, Secrets for credentials |
| Stateful workloads | Databases with StatefulSets + PVCs |
| Scheduled jobs | CronJobs for batch processing |
| Multi-environment setup | Kustomize overlays for dev/staging/prod |
| Workload Type | Resource | When to Use |
|---------------|----------|-------------|
| Stateless app | Deployment | Web servers, APIs, microservices |
| Stateful app | StatefulSet | Databases, message queues, caches |
| One-off task | Job | Migrations, data imports |
| Scheduled task | CronJob | Backups, reports, cleanup |
| Per-node agent | DaemonSet | Log collectors, monitoring agents |
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: production
  labels:
    app.kubernetes.io/name: my-app
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/component: backend
spec:
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: my-app
  template:
    metadata:
      labels:
        app.kubernetes.io/name: my-app
        app.kubernetes.io/version: "1.0.0"
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: my-app
          image: registry.example.com/my-app:1.0.0
          ports:
            - containerPort: 8080
              name: http
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: [ALL]
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /ready
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
          env:
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: my-app-config
                  key: LOG_LEVEL
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: my-app-secret
                  key: DATABASE_PASSWORD
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-app
  namespace: production
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: my-app
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
```

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-app-lb
  namespace: production
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: my-app
  ports:
    - name: http
      port: 80
      targetPort: 8080
```
| Type | Scope | Use Case |
|------|-------|----------|
| ClusterIP | Cluster-internal | Inter-service communication |
| NodePort | External via node IP | Dev/testing, on-prem |
| LoadBalancer | External via cloud LB | Production external access |
| ExternalName | DNS alias | Mapping to external services |
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: production
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/rate-limit: "100"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.example.com]
      secretName: app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 80
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-app-config
  namespace: production
data:
  LOG_LEVEL: info
  APP_MODE: production
  DATABASE_HOST: db.internal.svc.cluster.local
  app.properties: |
    server.port=8080
    server.host=0.0.0.0
```

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-app-secret
  namespace: production
type: Opaque
stringData:
  DATABASE_PASSWORD: "changeme"
  API_KEY: "secret-api-key"
```
Important: Never commit plaintext Secrets to Git. Use Sealed Secrets, External Secrets Operator, or Vault for production.
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-app-data
  namespace: production
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: gp3
  resources:
    requests:
      storage: 10Gi
```

Mount in a container:

```yaml
containers:
  - name: app
    volumeMounts:
      - name: data
        mountPath: /var/lib/app
volumes:
  - name: data
    persistentVolumeClaim:
      claimName: my-app-data
```
| Access Mode | Abbreviation | Use Case |
|-------------|-------------|----------|
| ReadWriteOnce | RWO | Single-pod databases |
| ReadOnlyMany | ROX | Shared config/static assets |
| ReadWriteMany | RWX | Multi-pod shared storage |
```yaml
# Pod-level security context (applies to every container in the pod)
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
```

```yaml
# Container-level security context (set on each entry under containers)
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: [ALL]
```
| Check | Status |
|-------|--------|
| runAsNonRoot: true | Required |
| allowPrivilegeEscalation: false | Required |
| readOnlyRootFilesystem: true | Recommended |
| capabilities.drop: [ALL] | Required |
| seccompProfile: RuntimeDefault | Recommended |
| Specific image tags (never :latest) | Required |
| Resource requests and limits set | Required |
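An added checker, not part of the skill's own assets, that applies the checklist above to a parsed Deployment. It works on the dict form of a manifest (what `kubectl get deploy -o json` emits, or the result of `yaml.safe_load()` on a YAML file); the sample below is a constructed Deployment that deliberately fails several checks.

```python
"""Verify a Deployment against the security checklist (added example)."""
import json

# Constructed sample in JSON form; it uses :latest, omits readOnlyRootFilesystem
# and sets no resource limits, so several findings are expected.
SAMPLE = json.loads("""
{"kind":"Deployment","spec":{"template":{"spec":{
  "securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},
  "containers":[{"name":"my-app","image":"registry.example.com/my-app:latest",
    "securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},
    "resources":{"requests":{"cpu":"250m","memory":"256Mi"}}}]}}}}
""")


def check_deployment(manifest):
    """Return a list of checklist findings; an empty list means every check passed."""
    findings = []
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod_spec.get("securityContext", {})
    if pod_sc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append("pod: seccompProfile.type should be RuntimeDefault")
    for c in pod_spec.get("containers", []):
        name = c.get("name", "?")
        csc = c.get("securityContext", {})
        # runAsNonRoot is inherited from the pod level unless the container overrides it
        if csc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if csc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem should be true")
        if "ALL" not in csc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        # Tag is whatever follows ':' in the last path segment; a digest reference is fine
        image = c.get("image", "")
        tag = image.rsplit("/", 1)[-1].partition(":")[2]
        if "@sha256:" not in image and tag in ("", "latest"):
            findings.append(f"{name}: image must use a specific tag, not :latest")
        res = c.get("resources", {})
        for section in ("requests", "limits"):
            for key in ("cpu", "memory"):
                if key not in res.get(section, {}):
                    findings.append(f"{name}: resources.{section}.{key} not set")
    return findings


if __name__ == "__main__":
    for finding in check_deployment(SAMPLE):
        print("FAIL:", finding)
```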
```yaml
metadata:
  labels:
    app.kubernetes.io/name: my-app
    app.kubernetes.io/instance: my-app-prod
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/component: backend
    app.kubernetes.io/part-of: my-system
    app.kubernetes.io/managed-by: kubectl
```
```
manifests/
├── configmap.yaml
├── secret.yaml
├── deployment.yaml
├── service.yaml
└── pvc.yaml
```

```
base/
├── kustomization.yaml
├── deployment.yaml
├── service.yaml
└── configmap.yaml
overlays/
├── dev/
│   └── kustomization.yaml
└── prod/
    ├── kustomization.yaml
    └── resource-patch.yaml
```
```bash
# Client-side dry run
kubectl apply -f manifest.yaml --dry-run=client

# Server-side validation
kubectl apply -f manifest.yaml --dry-run=server

# Lint with kube-score
kube-score score manifest.yaml

# Lint with kube-linter
kube-linter lint manifest.yaml
```
| Problem | Diagnosis | Fix |
|---------|-----------|-----|
| Pod stuck Pending | kubectl describe pod → check events | Fix resource requests, node capacity, PVC binding |
| ImagePullBackOff | Wrong image name/tag or missing pull secret | Verify image exists, add imagePullSecrets |
| CrashLoopBackOff | App crashes on start | Check logs: kubectl logs |
| Service not reachable | Selector mismatch | Verify kubectl get endpoints is non-empty |
| ConfigMap not loading | Name mismatch or wrong namespace | Check names match and namespace is correct |
| Readiness probe failing | Wrong path or port | Verify health endpoint works inside container |
| OOMKilled | Memory limit too low | Increase resources.limits.memory |
| Anti-Pattern | Why | Do Instead |
|-------------|-----|------------|
| Use :latest image tag | Non-reproducible deployments | Pin exact version: image:1.2.3 |
| Skip resource limits | Pods can starve the node | Always set requests and limits |
| Run as root | Container escape = full host access | Set runAsNonRoot: true + USER |
| Commit plaintext Secrets | Credentials in Git history forever | Use Sealed Secrets / External Secrets / Vault |
| Skip health checks | K8s can't detect unhealthy pods | Always configure liveness + readiness probes |
| Omit labels | Cannot filter, select, or organize | Use standard app.kubernetes.io/* labels |
| Single replica for production | Zero availability during updates | Use replicas: 3 minimum for HA |
| Hardcode config in containers | Requires rebuild for config changes | Use ConfigMaps and Secrets |
| Template | Description |
|----------|-------------|
| assets/deployment-template.yaml | Production Deployment with security + probes |
| assets/service-template.yaml | ClusterIP, LoadBalancer, NodePort examples |
| assets/configmap-template.yaml | ConfigMap with data types |
| assets/statefulset-template.yaml | StatefulSet with headless Service + PVC |
| assets/cronjob-template.yaml | CronJob with concurrency + history |
| assets/ingress-template.yaml | Ingress with TLS, rate limiting, CORS |
| Reference | Description |
|-----------|-------------|
| references/deployment-spec.md | Detailed Deployment specification |
| references/service-spec.md | Service types and networking details |
Generated Mar 1, 2026
A retail company needs to deploy a new microservice for handling payment processing. The skill generates a Deployment manifest with security contexts, resource limits, and health probes, along with a Service for internal communication and a ConfigMap for environment-specific settings. This ensures the service is production-ready with security and reliability baked in.
A software-as-a-service provider requires a stateful database instance for user data storage. The skill creates a StatefulSet with PersistentVolumeClaims for data persistence, along with Secrets for database credentials and a Service for cluster-internal access. This setup supports high availability and secure credential management.
A healthcare organization needs automated daily backups of patient records. The skill generates a CronJob manifest to run backup scripts at scheduled intervals, using ConfigMaps for configuration and Secrets for encryption keys. This ensures compliance with data retention policies and operational reliability.
A fintech startup wants to expose its API externally with TLS encryption and rate limiting. The skill creates an Ingress resource with TLS configuration and annotations for rate limiting, along with a LoadBalancer Service for external access. This provides secure and scalable public access to the API.
A gaming company needs to manage different configurations for development, staging, and production environments. The skill uses Kustomize overlays to generate manifests with environment-specific ConfigMaps and resource settings, streamlining deployment across environments without code duplication.
Companies offering cloud-based services can use this skill to deploy and manage their application stacks on Kubernetes. It helps generate manifests for microservices, databases, and networking, reducing operational overhead and enabling scalable, multi-tenant architectures. Revenue is generated through monthly or annual subscription fees.
IT consulting firms leverage this skill to assist clients in containerizing and deploying applications on Kubernetes. It provides production-grade templates for deployments, services, and security, speeding up project delivery and ensuring best practices. Revenue comes from hourly rates or fixed-price contracts.
Large enterprises building internal platforms use this skill to standardize Kubernetes manifest generation across teams. It enforces security policies, health checks, and resource management, improving consistency and reducing errors in deployments. Revenue is derived from cost savings and increased operational efficiency.
Integration Tip
Integrate this skill with CI/CD pipelines to automate manifest generation and deployment, and use tools like Helm or Kustomize for environment-specific customizations to streamline workflows.