@intentius/chant-lexicon-k8s 0.0.18 → 0.0.24

package/dist/skills/chant-k8s.md

@@ -8,7 +8,7 @@ user-invocable: true
 
 ## How chant and Kubernetes relate
 
-chant is a **synthesis-only** tool — it compiles TypeScript source files into Kubernetes YAML manifests. chant does NOT call the Kubernetes API. Your job as an agent is to bridge the two:
+chant is a **synthesis compiler** — it compiles TypeScript source files into Kubernetes YAML manifests. `chant build` does not call the Kubernetes API; synthesis is pure and deterministic. The optional `chant state snapshot` command queries the Kubernetes API to capture deployment metadata (pod names, status, UIDs) for observability. Your job as an agent is to bridge synthesis and deployment:
 
 - Use **chant** for: build, lint, diff (local YAML comparison)
 - Use **kubectl / k8s API** for: apply, rollback, monitoring, troubleshooting
@@ -152,7 +152,7 @@ kubectl apply -f manifests.yaml --dry-run=client
 
 Composites are higher-level functions that produce multiple coordinated K8s resources from a single call. They return plain prop objects — not class instances.
 
-### Decision Tree
+### Decision Tree — Core Composites
 
 | Need | Composite | Resources |
 |------|-----------|-----------|
@@ -169,6 +169,13 @@ Composites are higher-level functions that produce multiple coordinated K8s reso
 | Namespace with quotas and isolation | **NamespaceEnv** | Namespace + ResourceQuota + LimitRange + NetworkPolicy |
 | Per-node agent (custom) | **NodeAgent** | DaemonSet + RBAC + optional ConfigMap |
 | Multi-host TLS Ingress (cert-manager) | **SecureIngress** | Ingress + optional Certificate |
+| HPA metrics provider | **MetricsServer** | Deployment + Service + RBAC + APIService |
+| CockroachDB cluster | **CockroachDbCluster** | StatefulSet + Services + PVCs + RBAC + optional CertificateRequests |
+
+### Decision Tree — AWS (EKS) Composites
+
+| Need | Composite | Resources |
+|------|-----------|-----------|
 | EKS IRSA ServiceAccount | **IrsaServiceAccount** | ServiceAccount + optional RBAC |
 | AWS ALB Ingress | **AlbIngress** | Ingress with ALB annotations |
 | EBS StorageClass | **EbsStorageClass** | StorageClass (ebs.csi.aws.com) |
@@ -177,6 +184,30 @@ Composites are higher-level functions that produce multiple coordinated K8s reso
 | ExternalDNS for Route53 | **ExternalDnsAgent** | Deployment + IRSA SA + ClusterRole |
 | ADOT for CloudWatch/X-Ray | **AdotCollector** | DaemonSet + RBAC + ConfigMap |
 
+### Decision Tree — GCP (GKE) Composites
+
+| Need | Composite | Resources |
+|------|-----------|-----------|
+| GKE Gateway API Ingress | **GkeGateway** | Gateway + HTTPRoute + optional HealthCheckPolicy |
+| GKE Ingress (classic) | **GceIngress** | Ingress with GCE annotations + optional BackendConfig |
+| GKE Workload Identity SA | **WorkloadIdentityServiceAccount** | ServiceAccount + optional RBAC (GCP IAM binding annotation) |
+| GCE Persistent Disk StorageClass | **GcePdStorageClass** | StorageClass (pd.csi.storage.gke.io) |
+| Filestore StorageClass | **FilestoreStorageClass** | StorageClass (filestore.csi.storage.gke.io) |
+| GKE Fluent Bit agent | **GkeFluentBitAgent** | DaemonSet + RBAC + ConfigMap (Cloud Logging) |
+| GKE ExternalDNS agent | **GkeExternalDnsAgent** | Deployment + WI SA + ClusterRole (Cloud DNS) |
+| GKE OpenTelemetry Collector | **GkeOtelCollector** | DaemonSet + RBAC + ConfigMap (Cloud Trace/Monitoring) |
+| Config Connector context | **ConfigConnectorContext** | ConfigConnectorContext + Namespace + RBAC |
+
+### Decision Tree — Azure (AKS) Composites
+
+| Need | Composite | Resources |
+|------|-----------|-----------|
+| AKS AGIC Ingress | **AgicIngress** | Ingress with AGIC annotations + optional BackendConfig |
+| Azure Disk StorageClass | **AzureDiskStorageClass** | StorageClass (disk.csi.azure.com) |
+| Azure File StorageClass | **AzureFileStorageClass** | StorageClass (file.csi.azure.com) |
+| AKS ExternalDNS agent | **AksExternalDnsAgent** | Deployment + WI SA + ClusterRole (Azure DNS) |
+| Azure Monitor Collector | **AzureMonitorCollector** | DaemonSet + RBAC + ConfigMap (Azure Monitor) |
+
 ### Hardening options (available on Deployment-based composites)
 
 - `minAvailable` — creates a PodDisruptionBudget (WebApp, StatefulApp, WorkerPool; AutoscaledService always has one)
@@ -199,14 +230,46 @@ Composites are higher-level functions that produce multiple coordinated K8s reso
 | Pod stuck in Pending | Insufficient CPU/memory on nodes | Scale up cluster or reduce resource requests |
 | Pod stuck in Pending | PVC not bound | Check StorageClass exists, PV available |
 | Pod stuck in Pending | Node selector/affinity mismatch | Verify node labels match selectors |
+| Pod stuck in Pending | Too many pods on node | Check `kubectl describe node` for Allocatable vs Allocated |
 | Pod stuck in ContainerCreating | ConfigMap/Secret not found | Ensure referenced ConfigMaps/Secrets exist |
+| Pod stuck in ContainerCreating | Volume mount timeout | Check CSI driver logs, storage provider status |
 | Service returns 503 | No ready endpoints | Check pod readiness probes, selector match |
+| Service returns 503 | Endpoints exist but pod failing probes | Increase `initialDelaySeconds`, check probe path |
 | Ingress returns 404 | Backend service not found | Check Ingress rules, service name/port |
-| HPA not scaling | Metrics server not installed | Install metrics-server |
+| Ingress returns 502 | Backend pods not ready | Check pod readiness, container port matches Service targetPort |
+| HPA not scaling | Metrics server not installed | Install metrics-server or MetricsServer composite |
 | HPA not scaling | Resource requests not set | Add CPU/memory requests to containers |
+| HPA stuck at max | Target utilization too low | Raise `targetCPUUtilizationPercentage`, add nodes |
 | CronJob not running | Invalid cron expression | Validate cron syntax (5-field format) |
+| CronJob not running | `concurrencyPolicy: Forbid` with long jobs | Increase job deadline or switch to `Replace` |
 | NetworkPolicy blocking | Default deny applied | Add explicit allow rules for required traffic |
 | RBAC permission denied | Missing Role/RoleBinding | Check ServiceAccount bindings and verb permissions |
+| RBAC permission denied | ClusterRole vs namespaced Role | Use ClusterRoleBinding for cluster-scoped resources |
+| PDB preventing eviction | minAvailable too high | Lower minAvailable or increase replicas |
+| StatefulSet stuck on update | Pod ordinal blocked | Check PVC status for ordinal, delete stuck pod |
+
+## Troubleshooting decision tree
+
+```
+Pod not running?
+├─ Pending
+│  ├─ "Insufficient cpu/memory" → scale cluster or lower requests
+│  ├─ "no nodes match" → fix nodeSelector / tolerations
+│  └─ "unbound PVC" → check StorageClass, provision PV
+├─ ContainerCreating
+│  ├─ "secret not found" → create missing Secret
+│  └─ "timeout waiting for volume" → check CSI driver
+├─ CrashLoopBackOff
+│  ├─ OOMKilled → increase memory limit
+│  ├─ exit code 1 → check app logs (`kubectl logs --previous`)
+│  └─ exit code 137 → SIGKILL — liveness probe too aggressive
+├─ ImagePullBackOff
+│  ├─ 401 Unauthorized → check imagePullSecrets
+│  └─ manifest unknown → verify image:tag exists in registry
+└─ Running but not Ready
+   ├─ readinessProbe failing → check probe path/port
+   └─ startup probe failing → increase `failureThreshold * periodSeconds`
+```
 
 ## Quick reference
 

package/package.json

@@ -1,7 +1,25 @@
 {
   "name": "@intentius/chant-lexicon-k8s",
-  "version": "0.0.18",
+  "version": "0.0.24",
+  "description": "Kubernetes lexicon for chant — declarative IaC in TypeScript",
   "license": "Apache-2.0",
+  "homepage": "https://intentius.io/chant",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/intentius/chant.git",
+    "directory": "lexicons/k8s"
+  },
+  "bugs": {
+    "url": "https://github.com/intentius/chant/issues"
+  },
+  "keywords": [
+    "infrastructure-as-code",
+    "iac",
+    "typescript",
+    "kubernetes",
+    "k8s",
+    "chant"
+  ],
   "type": "module",
   "files": [
     "src/",
@@ -25,7 +43,7 @@
     "prepack": "bun run generate && bun run bundle && bun run validate"
   },
   "dependencies": {
-    "@intentius/chant": "0.0.18"
+    "@intentius/chant": "0.0.22"
   },
   "devDependencies": {
     "typescript": "^5.9.3"

package/src/composites/adot-collector.ts

@@ -5,6 +5,9 @@
  * with pre-configured pipelines for AWS observability.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { DaemonSet, ServiceAccount, ClusterRole, ClusterRoleBinding, ConfigMap } from "../generated";
+
 export interface AdotCollectorProps {
   /** AWS region. */
   region: string;
@@ -30,14 +33,22 @@ export interface AdotCollectorProps {
   memoryLimit?: string;
   /** IAM Role ARN for IRSA (adds eks.amazonaws.com/role-arn annotation to ServiceAccount). */
   iamRoleArn?: string;
+  /** Per-member defaults for fine-grained overrides. */
+  defaults?: {
+    daemonSet?: Partial<Record<string, unknown>>;
+    serviceAccount?: Partial<Record<string, unknown>>;
+    clusterRole?: Partial<Record<string, unknown>>;
+    clusterRoleBinding?: Partial<Record<string, unknown>>;
+    configMap?: Partial<Record<string, unknown>>;
+  };
 }
 
 export interface AdotCollectorResult {
-  daemonSet: Record<string, unknown>;
-  serviceAccount: Record<string, unknown>;
-  clusterRole: Record<string, unknown>;
-  clusterRoleBinding: Record<string, unknown>;
-  configMap: Record<string, unknown>;
+  daemonSet: InstanceType<typeof DaemonSet>;
+  serviceAccount: InstanceType<typeof ServiceAccount>;
+  clusterRole: InstanceType<typeof ClusterRole>;
+  clusterRoleBinding: InstanceType<typeof ClusterRoleBinding>;
+  configMap: InstanceType<typeof ConfigMap>;
 }
 
 /**
@@ -56,7 +67,7 @@ export interface AdotCollectorResult {
  * });
  * ```
  */
-export function AdotCollector(props: AdotCollectorProps): AdotCollectorResult {
+export const AdotCollector = Composite<AdotCollectorProps>((props) => {
   const {
     region,
     clusterName,
@@ -70,6 +81,7 @@ export function AdotCollector(props: AdotCollectorProps): AdotCollectorResult {
     cpuLimit = "500m",
     memoryLimit = "512Mi",
     iamRoleArn,
+    defaults: defs,
   } = props;
 
   const saName = `${name}-sa`;
@@ -159,7 +171,7 @@ service:
     },
   };
 
-  const daemonSetProps: Record<string, unknown> = {
+  const daemonSet = new DaemonSet(mergeDefaults({
     metadata: {
       name,
       namespace,
@@ -179,18 +191,18 @@ service:
         },
       },
     },
-  };
+  }, defs?.daemonSet));
 
-  const serviceAccountProps: Record<string, unknown> = {
+  const serviceAccount = new ServiceAccount(mergeDefaults({
     metadata: {
       name: saName,
       namespace,
       labels: { ...commonLabels, "app.kubernetes.io/component": "agent" },
       ...(iamRoleArn ? { annotations: { "eks.amazonaws.com/role-arn": iamRoleArn } } : {}),
     },
-  };
+  }, defs?.serviceAccount));
 
-  const clusterRoleProps: Record<string, unknown> = {
+  const clusterRole = new ClusterRole(mergeDefaults({
     metadata: {
       name: clusterRoleName,
       labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
@@ -203,9 +215,9 @@ service:
       { apiGroups: [""], resources: ["nodes/stats", "configmaps", "events"], verbs: ["create", "get"] },
       { apiGroups: [""], resources: ["configmaps"], verbs: ["get", "update", "create"], resourceNames: ["otel-container-insight-clusterleader"] },
     ],
-  };
+  }, defs?.clusterRole));
 
-  const clusterRoleBindingProps: Record<string, unknown> = {
+  const clusterRoleBinding = new ClusterRoleBinding(mergeDefaults({
     metadata: {
       name: bindingName,
       labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
@@ -222,9 +234,9 @@ service:
         namespace,
       },
     ],
-  };
+  }, defs?.clusterRoleBinding));
 
-  const configMapProps: Record<string, unknown> = {
+  const configMap = new ConfigMap(mergeDefaults({
     metadata: {
       name: configMapName,
       namespace,
@@ -233,13 +245,13 @@ service:
     data: {
       "config.yaml": adotConfig,
     },
-  };
+  }, defs?.configMap));
 
   return {
-    daemonSet: daemonSetProps,
-    serviceAccount: serviceAccountProps,
-    clusterRole: clusterRoleProps,
-    clusterRoleBinding: clusterRoleBindingProps,
-    configMap: configMapProps,
+    daemonSet,
+    serviceAccount,
+    clusterRole,
+    clusterRoleBinding,
+    configMap,
   };
-}
+}, "AdotCollector");

package/src/composites/agic-ingress.ts

@@ -5,6 +5,9 @@
  * WAF policy, backend path prefix, and cookie-based affinity.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { Ingress } from "../generated";
+
 export interface AgicIngressHost {
   /** Hostname (e.g., "api.example.com"). */
   hostname: string;
@@ -40,10 +43,14 @@ export interface AgicIngressProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
+  /** Per-member defaults for fine-grained overrides. */
+  defaults?: {
+    ingress?: Partial<Record<string, unknown>>;
+  };
 }
 
 export interface AgicIngressResult {
-  ingress: Record<string, unknown>;
+  ingress: InstanceType<typeof Ingress>;
 }
 
 /**
@@ -68,7 +75,7 @@ export interface AgicIngressResult {
  * });
  * ```
  */
-export function AgicIngress(props: AgicIngressProps): AgicIngressResult {
+export const AgicIngress = Composite<AgicIngressProps>((props) => {
   const {
     name,
     hosts,
@@ -81,6 +88,7 @@ export function AgicIngress(props: AgicIngressProps): AgicIngressResult {
     annotations: extraAnnotations = {},
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -132,7 +140,7 @@ export function AgicIngress(props: AgicIngressProps): AgicIngressResult {
     },
   }));
 
-  const ingressProps: Record<string, unknown> = {
+  const ingress = new Ingress(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -142,7 +150,7 @@ export function AgicIngress(props: AgicIngressProps): AgicIngressResult {
     spec: {
       rules: ingressRules,
     },
-  };
+  }, defs?.ingress));
 
-  return { ingress: ingressProps };
-}
+  return { ingress };
+}, "AgicIngress");

package/src/composites/aks-external-dns-agent.ts

@@ -5,6 +5,9 @@
  * instead of IRSA for Azure DNS management.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { Deployment, ServiceAccount, ClusterRole, ClusterRoleBinding } from "../generated";
+
 export interface AksExternalDnsAgentProps {
   /** Azure managed identity client ID for Workload Identity. */
   clientId: string;
@@ -28,13 +31,20 @@ export interface AksExternalDnsAgentProps {
   namespace?: string;
   /** Additional labels. */
   labels?: Record<string, string>;
+  /** Per-member defaults for fine-grained overrides. */
+  defaults?: {
+    deployment?: Partial<Record<string, unknown>>;
+    serviceAccount?: Partial<Record<string, unknown>>;
+    clusterRole?: Partial<Record<string, unknown>>;
+    clusterRoleBinding?: Partial<Record<string, unknown>>;
+  };
 }
 
 export interface AksExternalDnsAgentResult {
-  deployment: Record<string, unknown>;
-  serviceAccount: Record<string, unknown>;
-  clusterRole: Record<string, unknown>;
-  clusterRoleBinding: Record<string, unknown>;
+  deployment: InstanceType<typeof Deployment>;
+  serviceAccount: InstanceType<typeof ServiceAccount>;
+  clusterRole: InstanceType<typeof ClusterRole>;
+  clusterRoleBinding: InstanceType<typeof ClusterRoleBinding>;
 }
 
 /**
@@ -56,7 +66,7 @@ export interface AksExternalDnsAgentResult {
  * });
  * ```
  */
-export function AksExternalDnsAgent(props: AksExternalDnsAgentProps): AksExternalDnsAgentResult {
+export const AksExternalDnsAgent = Composite<AksExternalDnsAgentProps>((props) => {
   const {
     clientId,
     resourceGroup,
@@ -69,6 +79,7 @@ export function AksExternalDnsAgent(props: AksExternalDnsAgentProps): AksExterna
     image = "registry.k8s.io/external-dns/external-dns:v0.14.0",
     namespace = "kube-system",
     labels: extraLabels = {},
+    defaults: defs,
   } = props;
 
   const saName = `${name}-sa`;
@@ -98,7 +109,7 @@ export function AksExternalDnsAgent(props: AksExternalDnsAgentProps): AksExterna
     args.push(`--txt-owner-id=${txtOwnerId}`);
   }
 
-  const deploymentProps: Record<string, unknown> = {
+  const deployment = new Deployment(mergeDefaults({
     metadata: {
       name,
       namespace,
@@ -142,9 +153,9 @@ export function AksExternalDnsAgent(props: AksExternalDnsAgentProps): AksExterna
         },
       },
     },
-  };
+  }, defs?.deployment));
 
-  const serviceAccountProps: Record<string, unknown> = {
+  const serviceAccount = new ServiceAccount(mergeDefaults({
     metadata: {
       name: saName,
       namespace,
@@ -157,9 +168,9 @@ export function AksExternalDnsAgent(props: AksExternalDnsAgentProps): AksExterna
         "azure.workload.identity/client-id": clientId,
       },
     },
-  };
+  }, defs?.serviceAccount));
 
-  const clusterRoleProps: Record<string, unknown> = {
+  const clusterRole = new ClusterRole(mergeDefaults({
     metadata: {
       name: clusterRoleName,
       labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
@@ -169,9 +180,9 @@ export function AksExternalDnsAgent(props: AksExternalDnsAgentProps): AksExterna
       { apiGroups: ["extensions", "networking.k8s.io"], resources: ["ingresses"], verbs: ["get", "watch", "list"] },
       { apiGroups: [""], resources: ["nodes"], verbs: ["list", "watch"] },
     ],
-  };
+  }, defs?.clusterRole));
 
-  const clusterRoleBindingProps: Record<string, unknown> = {
+  const clusterRoleBinding = new ClusterRoleBinding(mergeDefaults({
     metadata: {
       name: bindingName,
       labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
@@ -188,12 +199,12 @@ export function AksExternalDnsAgent(props: AksExternalDnsAgentProps): AksExterna
         namespace,
       },
     ],
-  };
+  }, defs?.clusterRoleBinding));
 
   return {
-    deployment: deploymentProps,
-    serviceAccount: serviceAccountProps,
-    clusterRole: clusterRoleProps,
-    clusterRoleBinding: clusterRoleBindingProps,
+    deployment,
+    serviceAccount,
+    clusterRole,
+    clusterRoleBinding,
   };
-}
+}, "AksExternalDnsAgent");

package/src/composites/alb-ingress.ts

@@ -5,6 +5,9 @@
  * (shared ALB), SSL redirect, subnets, security groups.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { Ingress } from "../generated";
+
 export interface AlbIngressHost {
   /** Hostname (e.g., "api.example.com"). */
   hostname: string;
@@ -43,10 +46,14 @@ export interface AlbIngressProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
+  /** Per-member defaults for fine-grained overrides. */
+  defaults?: {
+    ingress?: Partial<Record<string, unknown>>;
+  };
 }
 
 export interface AlbIngressResult {
-  ingress: Record<string, unknown>;
+  ingress: InstanceType<typeof Ingress>;
 }
 
 /**
@@ -72,7 +79,7 @@ export interface AlbIngressResult {
  * });
  * ```
  */
-export function AlbIngress(props: AlbIngressProps): AlbIngressResult {
+export const AlbIngress = Composite<AlbIngressProps>((props) => {
   const {
     name,
     hosts,
@@ -86,6 +93,7 @@ export function AlbIngress(props: AlbIngressProps): AlbIngressResult {
     annotations: extraAnnotations = {},
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -135,7 +143,7 @@ export function AlbIngress(props: AlbIngressProps): AlbIngressResult {
     },
   }));
 
-  const ingressProps: Record<string, unknown> = {
+  const ingress = new Ingress(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -146,7 +154,7 @@ export function AlbIngress(props: AlbIngressProps): AlbIngressResult {
       ingressClassName: "alb",
       rules: ingressRules,
     },
-  };
+  }, defs?.ingress));
 
-  return { ingress: ingressProps };
-}
+  return { ingress };
+}, "AlbIngress");

package/src/composites/autoscaled-service.ts

@@ -6,6 +6,8 @@
  * PDB selectors match pod labels, and resource requests are set.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { Deployment, Service, HorizontalPodAutoscaler, PodDisruptionBudget } from "../generated";
 import type { ContainerSecurityContext } from "./security-context";
 
 export interface AutoscaledServiceProps {
@@ -69,13 +71,20 @@ export interface AutoscaledServiceProps {
   volumeMounts?: Array<Record<string, unknown>>;
   /** Convenience: auto-generate emptyDir volumes + mounts for writable temp dirs (e.g. ["/tmp", "/var/cache/nginx"]). */
   tmpDirs?: string[];
+  /** Per-member defaults for fine-grained overrides. */
+  defaults?: {
+    deployment?: Partial<Record<string, unknown>>;
+    service?: Partial<Record<string, unknown>>;
+    hpa?: Partial<Record<string, unknown>>;
+    pdb?: Partial<Record<string, unknown>>;
+  };
 }
 
 export interface AutoscaledServiceResult {
-  deployment: Record<string, unknown>;
-  service: Record<string, unknown>;
-  hpa: Record<string, unknown>;
-  pdb: Record<string, unknown>;
+  deployment: InstanceType<typeof Deployment>;
+  service: InstanceType<typeof Service>;
+  hpa: InstanceType<typeof HorizontalPodAutoscaler>;
+  pdb: InstanceType<typeof PodDisruptionBudget>;
 }
 
 /**
@@ -95,7 +104,7 @@ export interface AutoscaledServiceResult {
  * });
  * ```
  */
-export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServiceResult {
+export const AutoscaledService = Composite<AutoscaledServiceProps>((props) => {
   const {
     name,
     image,
@@ -123,6 +132,7 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
     volumes: explicitVolumes = [],
     volumeMounts: explicitMounts = [],
     tmpDirs = [],
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -164,7 +174,7 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
       : {}),
   };
 
-  const deploymentProps: Record<string, unknown> = {
+  const deployment = new Deployment(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -213,9 +223,9 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
         },
       },
     },
-  };
+  }, defs?.deployment));
 
-  const serviceProps: Record<string, unknown> = {
+  const service = new Service(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -226,7 +236,7 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
       ports: [{ port: 80, targetPort: port, protocol: "TCP", name: "http" }],
       type: "ClusterIP",
     },
-  };
+  }, defs?.service));
 
   const metrics: Array<Record<string, unknown>> = [
     {
@@ -248,7 +258,7 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
     });
   }
 
-  const hpaProps: Record<string, unknown> = {
+  const hpa = new HorizontalPodAutoscaler(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -264,9 +274,9 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
       maxReplicas,
       metrics,
     },
-  };
+  }, defs?.hpa));
 
-  const pdbProps: Record<string, unknown> = {
+  const pdb = new PodDisruptionBudget(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -276,12 +286,7 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
       minAvailable,
       selector: { matchLabels: { "app.kubernetes.io/name": name } },
     },
-  };
+  }, defs?.pdb));
 
-  return {
-    deployment: deploymentProps,
-    service: serviceProps,
-    hpa: hpaProps,
-    pdb: pdbProps,
-  };
-}
+  return { deployment, service, hpa, pdb };
+}, "AutoscaledService");