agim-cli 1.2.147 → 1.2.149
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +158 -0
- package/dist/core/skills/builtin/ECC_LICENSE +21 -0
- package/dist/core/skills/builtin/ECC_NOTICE.md +28 -0
- package/dist/core/skills/builtin/accessibility/SKILL.md +146 -0
- package/dist/core/skills/builtin/agent-eval/SKILL.md +145 -0
- package/dist/core/skills/builtin/agent-harness-construction/SKILL.md +73 -0
- package/dist/core/skills/builtin/agent-introspection-debugging/SKILL.md +153 -0
- package/dist/core/skills/builtin/agentic-engineering/SKILL.md +63 -0
- package/dist/core/skills/builtin/ai-first-engineering/SKILL.md +51 -0
- package/dist/core/skills/builtin/ai-regression-testing/SKILL.md +385 -0
- package/dist/core/skills/builtin/android-clean-architecture/SKILL.md +339 -0
- package/dist/core/skills/builtin/angular-developer/SKILL.md +154 -0
- package/dist/core/skills/builtin/angular-developer/references/angular-animations.md +160 -0
- package/dist/core/skills/builtin/angular-developer/references/angular-aria.md +410 -0
- package/dist/core/skills/builtin/angular-developer/references/cli.md +86 -0
- package/dist/core/skills/builtin/angular-developer/references/component-harnesses.md +59 -0
- package/dist/core/skills/builtin/angular-developer/references/component-styling.md +91 -0
- package/dist/core/skills/builtin/angular-developer/references/components.md +117 -0
- package/dist/core/skills/builtin/angular-developer/references/creating-services.md +97 -0
- package/dist/core/skills/builtin/angular-developer/references/data-resolvers.md +69 -0
- package/dist/core/skills/builtin/angular-developer/references/define-routes.md +67 -0
- package/dist/core/skills/builtin/angular-developer/references/defining-providers.md +72 -0
- package/dist/core/skills/builtin/angular-developer/references/di-fundamentals.md +120 -0
- package/dist/core/skills/builtin/angular-developer/references/e2e-testing.md +56 -0
- package/dist/core/skills/builtin/angular-developer/references/effects.md +83 -0
- package/dist/core/skills/builtin/angular-developer/references/hierarchical-injectors.md +43 -0
- package/dist/core/skills/builtin/angular-developer/references/host-elements.md +80 -0
- package/dist/core/skills/builtin/angular-developer/references/injection-context.md +63 -0
- package/dist/core/skills/builtin/angular-developer/references/inputs.md +101 -0
- package/dist/core/skills/builtin/angular-developer/references/linked-signal.md +59 -0
- package/dist/core/skills/builtin/angular-developer/references/loading-strategies.md +61 -0
- package/dist/core/skills/builtin/angular-developer/references/mcp.md +108 -0
- package/dist/core/skills/builtin/angular-developer/references/navigate-to-routes.md +69 -0
- package/dist/core/skills/builtin/angular-developer/references/outputs.md +86 -0
- package/dist/core/skills/builtin/angular-developer/references/reactive-forms.md +122 -0
- package/dist/core/skills/builtin/angular-developer/references/rendering-strategies.md +44 -0
- package/dist/core/skills/builtin/angular-developer/references/resource.md +77 -0
- package/dist/core/skills/builtin/angular-developer/references/route-animations.md +56 -0
- package/dist/core/skills/builtin/angular-developer/references/route-guards.md +52 -0
- package/dist/core/skills/builtin/angular-developer/references/router-lifecycle.md +45 -0
- package/dist/core/skills/builtin/angular-developer/references/router-testing.md +87 -0
- package/dist/core/skills/builtin/angular-developer/references/show-routes-with-outlets.md +68 -0
- package/dist/core/skills/builtin/angular-developer/references/signal-forms.md +795 -0
- package/dist/core/skills/builtin/angular-developer/references/signals-overview.md +94 -0
- package/dist/core/skills/builtin/angular-developer/references/tailwind-css.md +69 -0
- package/dist/core/skills/builtin/angular-developer/references/template-driven-forms.md +114 -0
- package/dist/core/skills/builtin/angular-developer/references/testing-fundamentals.md +65 -0
- package/dist/core/skills/builtin/api-connector-builder/SKILL.md +120 -0
- package/dist/core/skills/builtin/api-design/SKILL.md +523 -0
- package/dist/core/skills/builtin/architecture-decision-records/SKILL.md +179 -0
- package/dist/core/skills/builtin/article-writing/SKILL.md +79 -0
- package/dist/core/skills/builtin/automation-audit-ops/SKILL.md +142 -0
- package/dist/core/skills/builtin/autonomous-agent-harness/SKILL.md +273 -0
- package/dist/core/skills/builtin/autonomous-loops/SKILL.md +610 -0
- package/dist/core/skills/builtin/backend-patterns/SKILL.md +561 -0
- package/dist/core/skills/builtin/benchmark/SKILL.md +93 -0
- package/dist/core/skills/builtin/benchmark-optimization-loop/SKILL.md +69 -0
- package/dist/core/skills/builtin/blueprint/SKILL.md +105 -0
- package/dist/core/skills/builtin/browser-qa/SKILL.md +87 -0
- package/dist/core/skills/builtin/bun-runtime/SKILL.md +84 -0
- package/dist/core/skills/builtin/cisco-ios-patterns/SKILL.md +163 -0
- package/dist/core/skills/builtin/claude-devfleet/SKILL.md +111 -0
- package/dist/core/skills/builtin/click-path-audit/SKILL.md +244 -0
- package/dist/core/skills/builtin/clickhouse-io/SKILL.md +439 -0
- package/dist/core/skills/builtin/code-tour/SKILL.md +236 -0
- package/dist/core/skills/builtin/codebase-onboarding/SKILL.md +233 -0
- package/dist/core/skills/builtin/codehealth-mcp/SKILL.md +166 -0
- package/dist/core/skills/builtin/coding-standards/SKILL.md +550 -0
- package/dist/core/skills/builtin/compose-multiplatform-patterns/SKILL.md +299 -0
- package/dist/core/skills/builtin/config-gc/SKILL.md +119 -0
- package/dist/core/skills/builtin/content-engine/SKILL.md +131 -0
- package/dist/core/skills/builtin/content-hash-cache-pattern/SKILL.md +161 -0
- package/dist/core/skills/builtin/context-budget/SKILL.md +135 -0
- package/dist/core/skills/builtin/continuous-agent-loop/SKILL.md +45 -0
- package/dist/core/skills/builtin/continuous-learning/SKILL.md +131 -0
- package/dist/core/skills/builtin/continuous-learning/config.json +18 -0
- package/dist/core/skills/builtin/continuous-learning/evaluate-session.sh +69 -0
- package/dist/core/skills/builtin/continuous-learning-v2/SKILL.md +360 -0
- package/dist/core/skills/builtin/continuous-learning-v2/agents/observer-loop.sh +335 -0
- package/dist/core/skills/builtin/continuous-learning-v2/agents/observer.md +198 -0
- package/dist/core/skills/builtin/continuous-learning-v2/agents/session-guardian.sh +150 -0
- package/dist/core/skills/builtin/continuous-learning-v2/agents/start-observer.sh +248 -0
- package/dist/core/skills/builtin/continuous-learning-v2/config.json +8 -0
- package/dist/core/skills/builtin/continuous-learning-v2/hooks/observe.sh +498 -0
- package/dist/core/skills/builtin/continuous-learning-v2/scripts/detect-project.sh +322 -0
- package/dist/core/skills/builtin/continuous-learning-v2/scripts/instinct-cli.py +1914 -0
- package/dist/core/skills/builtin/continuous-learning-v2/scripts/lib/homunculus-dir.sh +31 -0
- package/dist/core/skills/builtin/continuous-learning-v2/scripts/migrate-homunculus.sh +62 -0
- package/dist/core/skills/builtin/continuous-learning-v2/scripts/test_parse_instinct.py +1045 -0
- package/dist/core/skills/builtin/cost-aware-llm-pipeline/SKILL.md +183 -0
- package/dist/core/skills/builtin/cost-tracking/SKILL.md +147 -0
- package/dist/core/skills/builtin/council/SKILL.md +203 -0
- package/dist/core/skills/builtin/cpp-coding-standards/SKILL.md +723 -0
- package/dist/core/skills/builtin/cpp-testing/SKILL.md +324 -0
- package/dist/core/skills/builtin/crosspost/SKILL.md +111 -0
- package/dist/core/skills/builtin/csharp-testing/SKILL.md +321 -0
- package/dist/core/skills/builtin/customs-trade-compliance/SKILL.md +263 -0
- package/dist/core/skills/builtin/dart-flutter-patterns/SKILL.md +563 -0
- package/dist/core/skills/builtin/dashboard-builder/SKILL.md +108 -0
- package/dist/core/skills/builtin/data-scraper-agent/SKILL.md +764 -0
- package/dist/core/skills/builtin/data-throughput-accelerator/SKILL.md +72 -0
- package/dist/core/skills/builtin/database-migrations/SKILL.md +429 -0
- package/dist/core/skills/builtin/deep-research/SKILL.md +159 -0
- package/dist/core/skills/builtin/defi-amm-security/SKILL.md +166 -0
- package/dist/core/skills/builtin/deployment-patterns/SKILL.md +427 -0
- package/dist/core/skills/builtin/design-system/SKILL.md +82 -0
- package/dist/core/skills/builtin/django-celery/SKILL.md +457 -0
- package/dist/core/skills/builtin/django-patterns/SKILL.md +734 -0
- package/dist/core/skills/builtin/django-security/SKILL.md +593 -0
- package/dist/core/skills/builtin/django-tdd/SKILL.md +729 -0
- package/dist/core/skills/builtin/django-verification/SKILL.md +469 -0
- package/dist/core/skills/builtin/dmux-workflows/SKILL.md +191 -0
- package/dist/core/skills/builtin/docker-patterns/SKILL.md +364 -0
- package/dist/core/skills/builtin/documentation-lookup/SKILL.md +90 -0
- package/dist/core/skills/builtin/dotnet-patterns/SKILL.md +321 -0
- package/dist/core/skills/builtin/dynamic-workflow-mode/SKILL.md +123 -0
- package/dist/core/skills/builtin/e2e-testing/SKILL.md +326 -0
- package/dist/core/skills/builtin/email-ops/SKILL.md +121 -0
- package/dist/core/skills/builtin/energy-procurement/SKILL.md +228 -0
- package/dist/core/skills/builtin/enterprise-agent-ops/SKILL.md +50 -0
- package/dist/core/skills/builtin/error-handling/SKILL.md +376 -0
- package/dist/core/skills/builtin/eval-harness/SKILL.md +270 -0
- package/dist/core/skills/builtin/evm-token-decimals/SKILL.md +130 -0
- package/dist/core/skills/builtin/exa-search/SKILL.md +107 -0
- package/dist/core/skills/builtin/fal-ai-media/SKILL.md +288 -0
- package/dist/core/skills/builtin/fastapi-patterns/SKILL.md +513 -0
- package/dist/core/skills/builtin/finance-billing-ops/SKILL.md +127 -0
- package/dist/core/skills/builtin/flox-environments/SKILL.md +496 -0
- package/dist/core/skills/builtin/flutter-dart-code-review/SKILL.md +435 -0
- package/dist/core/skills/builtin/foundation-models-on-device/SKILL.md +243 -0
- package/dist/core/skills/builtin/frontend-a11y/SKILL.md +445 -0
- package/dist/core/skills/builtin/frontend-design-direction/SKILL.md +92 -0
- package/dist/core/skills/builtin/frontend-patterns/SKILL.md +656 -0
- package/dist/core/skills/builtin/frontend-slides/SKILL.md +184 -0
- package/dist/core/skills/builtin/frontend-slides/STYLE_PRESETS.md +330 -0
- package/dist/core/skills/builtin/frontend-slides/animation-patterns.md +122 -0
- package/dist/core/skills/builtin/frontend-slides/html-template.md +419 -0
- package/dist/core/skills/builtin/frontend-slides/scripts/export-pdf.sh +418 -0
- package/dist/core/skills/builtin/frontend-slides/scripts/extract-pptx.py +96 -0
- package/dist/core/skills/builtin/frontend-slides/viewport-base.css +153 -0
- package/dist/core/skills/builtin/fsharp-testing/SKILL.md +280 -0
- package/dist/core/skills/builtin/gan-style-harness/SKILL.md +278 -0
- package/dist/core/skills/builtin/gateguard/SKILL.md +132 -0
- package/dist/core/skills/builtin/git-workflow/SKILL.md +715 -0
- package/dist/core/skills/builtin/github-ops/SKILL.md +144 -0
- package/dist/core/skills/builtin/golang-patterns/SKILL.md +674 -0
- package/dist/core/skills/builtin/golang-testing/SKILL.md +720 -0
- package/dist/core/skills/builtin/healthcare-cdss-patterns/SKILL.md +245 -0
- package/dist/core/skills/builtin/healthcare-emr-patterns/SKILL.md +159 -0
- package/dist/core/skills/builtin/healthcare-eval-harness/SKILL.md +207 -0
- package/dist/core/skills/builtin/healthcare-phi-compliance/SKILL.md +145 -0
- package/dist/core/skills/builtin/hermes-imports/SKILL.md +88 -0
- package/dist/core/skills/builtin/hexagonal-architecture/SKILL.md +276 -0
- package/dist/core/skills/builtin/hipaa-compliance/SKILL.md +78 -0
- package/dist/core/skills/builtin/hookify-rules/SKILL.md +128 -0
- package/dist/core/skills/builtin/inherit-legacy-style/SKILL.md +156 -0
- package/dist/core/skills/builtin/intent-driven-development/SKILL.md +360 -0
- package/dist/core/skills/builtin/inventory-demand-planning/SKILL.md +247 -0
- package/dist/core/skills/builtin/ios-icon-gen/SKILL.md +157 -0
- package/dist/core/skills/builtin/ios-icon-gen/scripts/generate_icons.swift +258 -0
- package/dist/core/skills/builtin/ios-icon-gen/scripts/iconify_gen.sh +235 -0
- package/dist/core/skills/builtin/iterative-retrieval/SKILL.md +211 -0
- package/dist/core/skills/builtin/java-coding-standards/SKILL.md +383 -0
- package/dist/core/skills/builtin/jira-integration/SKILL.md +302 -0
- package/dist/core/skills/builtin/jpa-patterns/SKILL.md +151 -0
- package/dist/core/skills/builtin/knowledge-ops/SKILL.md +154 -0
- package/dist/core/skills/builtin/kotlin-coroutines-flows/SKILL.md +284 -0
- package/dist/core/skills/builtin/kotlin-exposed-patterns/SKILL.md +719 -0
- package/dist/core/skills/builtin/kotlin-ktor-patterns/SKILL.md +689 -0
- package/dist/core/skills/builtin/kotlin-patterns/SKILL.md +711 -0
- package/dist/core/skills/builtin/kotlin-testing/SKILL.md +824 -0
- package/dist/core/skills/builtin/kubernetes-patterns/SKILL.md +755 -0
- package/dist/core/skills/builtin/laravel-patterns/SKILL.md +415 -0
- package/dist/core/skills/builtin/laravel-plugin-discovery/SKILL.md +229 -0
- package/dist/core/skills/builtin/laravel-security/SKILL.md +947 -0
- package/dist/core/skills/builtin/laravel-tdd/SKILL.md +674 -0
- package/dist/core/skills/builtin/laravel-verification/SKILL.md +179 -0
- package/dist/core/skills/builtin/latency-critical-systems/SKILL.md +73 -0
- package/dist/core/skills/builtin/lead-intelligence/SKILL.md +321 -0
- package/dist/core/skills/builtin/lead-intelligence/agents/enrichment-agent.md +85 -0
- package/dist/core/skills/builtin/lead-intelligence/agents/mutual-mapper.md +75 -0
- package/dist/core/skills/builtin/lead-intelligence/agents/outreach-drafter.md +98 -0
- package/dist/core/skills/builtin/lead-intelligence/agents/signal-scorer.md +60 -0
- package/dist/core/skills/builtin/liquid-glass-design/SKILL.md +279 -0
- package/dist/core/skills/builtin/llm-trading-agent-security/SKILL.md +146 -0
- package/dist/core/skills/builtin/logistics-exception-management/SKILL.md +222 -0
- package/dist/core/skills/builtin/make-interfaces-feel-better/SKILL.md +151 -0
- package/dist/core/skills/builtin/market-research/SKILL.md +75 -0
- package/dist/core/skills/builtin/marketing-campaign/SKILL.md +113 -0
- package/dist/core/skills/builtin/mcp-server-patterns/SKILL.md +69 -0
- package/dist/core/skills/builtin/messages-ops/SKILL.md +104 -0
- package/dist/core/skills/builtin/mle-workflow/SKILL.md +346 -0
- package/dist/core/skills/builtin/motion-advanced/SKILL.md +596 -0
- package/dist/core/skills/builtin/motion-foundations/SKILL.md +299 -0
- package/dist/core/skills/builtin/motion-patterns/SKILL.md +434 -0
- package/dist/core/skills/builtin/motion-ui/SKILL.md +575 -0
- package/dist/core/skills/builtin/mysql-patterns/SKILL.md +412 -0
- package/dist/core/skills/builtin/nanoclaw-repl/SKILL.md +33 -0
- package/dist/core/skills/builtin/nestjs-patterns/SKILL.md +230 -0
- package/dist/core/skills/builtin/netmiko-ssh-automation/SKILL.md +173 -0
- package/dist/core/skills/builtin/network-bgp-diagnostics/SKILL.md +167 -0
- package/dist/core/skills/builtin/network-config-validation/SKILL.md +210 -0
- package/dist/core/skills/builtin/network-interface-health/SKILL.md +152 -0
- package/dist/core/skills/builtin/nextjs-turbopack/SKILL.md +57 -0
- package/dist/core/skills/builtin/nodejs-keccak256/SKILL.md +102 -0
- package/dist/core/skills/builtin/nutrient-document-processing/SKILL.md +167 -0
- package/dist/core/skills/builtin/nuxt4-patterns/SKILL.md +100 -0
- package/dist/core/skills/builtin/openclaw-persona-forge/SKILL.md +288 -0
- package/dist/core/skills/builtin/openclaw-persona-forge/gacha.py +224 -0
- package/dist/core/skills/builtin/openclaw-persona-forge/gacha.sh +5 -0
- package/dist/core/skills/builtin/openclaw-persona-forge/references/avatar-style.md +124 -0
- package/dist/core/skills/builtin/openclaw-persona-forge/references/boundary-rules.md +53 -0
- package/dist/core/skills/builtin/openclaw-persona-forge/references/error-handling.md +53 -0
- package/dist/core/skills/builtin/openclaw-persona-forge/references/identity-tension.md +48 -0
- package/dist/core/skills/builtin/openclaw-persona-forge/references/naming-system.md +39 -0
- package/dist/core/skills/builtin/openclaw-persona-forge/references/output-template.md +166 -0
- package/dist/core/skills/builtin/opensource-pipeline/SKILL.md +255 -0
- package/dist/core/skills/builtin/orch-add-feature/SKILL.md +44 -0
- package/dist/core/skills/builtin/orch-build-mvp/SKILL.md +48 -0
- package/dist/core/skills/builtin/orch-change-feature/SKILL.md +42 -0
- package/dist/core/skills/builtin/orch-fix-defect/SKILL.md +42 -0
- package/dist/core/skills/builtin/orch-pipeline/SKILL.md +120 -0
- package/dist/core/skills/builtin/orch-refine-code/SKILL.md +43 -0
- package/dist/core/skills/builtin/parallel-execution-optimizer/SKILL.md +72 -0
- package/dist/core/skills/builtin/perl-patterns/SKILL.md +504 -0
- package/dist/core/skills/builtin/perl-security/SKILL.md +503 -0
- package/dist/core/skills/builtin/perl-testing/SKILL.md +475 -0
- package/dist/core/skills/builtin/plan-orchestrate/SKILL.md +262 -0
- package/dist/core/skills/builtin/plankton-code-quality/SKILL.md +236 -0
- package/dist/core/skills/builtin/postgres-patterns/SKILL.md +147 -0
- package/dist/core/skills/builtin/prediction-market-oracle-research/SKILL.md +63 -0
- package/dist/core/skills/builtin/prediction-market-risk-review/SKILL.md +60 -0
- package/dist/core/skills/builtin/prisma-patterns/SKILL.md +371 -0
- package/dist/core/skills/builtin/product-capability/SKILL.md +141 -0
- package/dist/core/skills/builtin/product-lens/SKILL.md +92 -0
- package/dist/core/skills/builtin/production-audit/SKILL.md +206 -0
- package/dist/core/skills/builtin/production-scheduling/SKILL.md +238 -0
- package/dist/core/skills/builtin/prompt-optimizer/SKILL.md +398 -0
- package/dist/core/skills/builtin/python-patterns/SKILL.md +750 -0
- package/dist/core/skills/builtin/python-testing/SKILL.md +816 -0
- package/dist/core/skills/builtin/pytorch-patterns/SKILL.md +396 -0
- package/dist/core/skills/builtin/quality-nonconformance/SKILL.md +260 -0
- package/dist/core/skills/builtin/quarkus-patterns/SKILL.md +722 -0
- package/dist/core/skills/builtin/quarkus-security/SKILL.md +467 -0
- package/dist/core/skills/builtin/quarkus-tdd/SKILL.md +811 -0
- package/dist/core/skills/builtin/quarkus-verification/SKILL.md +479 -0
- package/dist/core/skills/builtin/ralphinho-rfc-pipeline/SKILL.md +67 -0
- package/dist/core/skills/builtin/react-patterns/SKILL.md +341 -0
- package/dist/core/skills/builtin/react-performance/SKILL.md +574 -0
- package/dist/core/skills/builtin/react-testing/SKILL.md +423 -0
- package/dist/core/skills/builtin/recsys-pipeline-architect/SKILL.md +114 -0
- package/dist/core/skills/builtin/recursive-decision-ledger/SKILL.md +79 -0
- package/dist/core/skills/builtin/redis-patterns/SKILL.md +403 -0
- package/dist/core/skills/builtin/regex-vs-llm-structured-text/SKILL.md +220 -0
- package/dist/core/skills/builtin/repo-scan/SKILL.md +78 -0
- package/dist/core/skills/builtin/research-ops/SKILL.md +112 -0
- package/dist/core/skills/builtin/returns-reverse-logistics/SKILL.md +240 -0
- package/dist/core/skills/builtin/rules-distill/SKILL.md +264 -0
- package/dist/core/skills/builtin/rules-distill/scripts/scan-rules.sh +58 -0
- package/dist/core/skills/builtin/rules-distill/scripts/scan-skills.sh +129 -0
- package/dist/core/skills/builtin/rust-patterns/SKILL.md +499 -0
- package/dist/core/skills/builtin/rust-testing/SKILL.md +500 -0
- package/dist/core/skills/builtin/safety-guard/SKILL.md +75 -0
- package/dist/core/skills/builtin/santa-method/SKILL.md +306 -0
- package/dist/core/skills/builtin/scientific-db-pubmed-database/SKILL.md +175 -0
- package/dist/core/skills/builtin/scientific-db-uspto-database/SKILL.md +177 -0
- package/dist/core/skills/builtin/scientific-pkg-gget/SKILL.md +166 -0
- package/dist/core/skills/builtin/scientific-thinking-literature-review/SKILL.md +192 -0
- package/dist/core/skills/builtin/scientific-thinking-scholar-evaluation/SKILL.md +160 -0
- package/dist/core/skills/builtin/search-first/SKILL.md +182 -0
- package/dist/core/skills/builtin/security-bounty-hunter/SKILL.md +99 -0
- package/dist/core/skills/builtin/security-review/SKILL.md +503 -0
- package/dist/core/skills/builtin/security-review/cloud-infrastructure-security.md +361 -0
- package/dist/core/skills/builtin/security-scan/SKILL.md +165 -0
- package/dist/core/skills/builtin/seo/SKILL.md +154 -0
- package/dist/core/skills/builtin/skill-comply/SKILL.md +58 -0
- package/dist/core/skills/builtin/skill-comply/fixtures/compliant_trace.jsonl +5 -0
- package/dist/core/skills/builtin/skill-comply/fixtures/noncompliant_trace.jsonl +3 -0
- package/dist/core/skills/builtin/skill-comply/fixtures/tdd_spec.yaml +44 -0
- package/dist/core/skills/builtin/skill-comply/prompts/classifier.md +24 -0
- package/dist/core/skills/builtin/skill-comply/prompts/scenario_generator.md +62 -0
- package/dist/core/skills/builtin/skill-comply/prompts/spec_generator.md +42 -0
- package/dist/core/skills/builtin/skill-comply/pyproject.toml +15 -0
- package/dist/core/skills/builtin/skill-comply/scripts/__init__.py +0 -0
- package/dist/core/skills/builtin/skill-comply/scripts/classifier.py +85 -0
- package/dist/core/skills/builtin/skill-comply/scripts/grader.py +124 -0
- package/dist/core/skills/builtin/skill-comply/scripts/parser.py +107 -0
- package/dist/core/skills/builtin/skill-comply/scripts/report.py +170 -0
- package/dist/core/skills/builtin/skill-comply/scripts/run.py +127 -0
- package/dist/core/skills/builtin/skill-comply/scripts/runner.py +186 -0
- package/dist/core/skills/builtin/skill-comply/scripts/scenario_generator.py +70 -0
- package/dist/core/skills/builtin/skill-comply/scripts/spec_generator.py +72 -0
- package/dist/core/skills/builtin/skill-comply/scripts/utils.py +13 -0
- package/dist/core/skills/builtin/skill-comply/tests/test_grader.py +197 -0
- package/dist/core/skills/builtin/skill-comply/tests/test_parser.py +90 -0
- package/dist/core/skills/builtin/skill-comply/tests/test_runner.py +172 -0
- package/dist/core/skills/builtin/skill-scout/SKILL.md +140 -0
- package/dist/core/skills/builtin/skill-stocktake/SKILL.md +194 -0
- package/dist/core/skills/builtin/skill-stocktake/scripts/quick-diff.sh +87 -0
- package/dist/core/skills/builtin/skill-stocktake/scripts/save-results.sh +56 -0
- package/dist/core/skills/builtin/skill-stocktake/scripts/scan.sh +170 -0
- package/dist/core/skills/builtin/springboot-patterns/SKILL.md +314 -0
- package/dist/core/skills/builtin/springboot-security/SKILL.md +272 -0
- package/dist/core/skills/builtin/springboot-tdd/SKILL.md +158 -0
- package/dist/core/skills/builtin/springboot-verification/SKILL.md +231 -0
- package/dist/core/skills/builtin/strategic-compact/SKILL.md +135 -0
- package/dist/core/skills/builtin/swift-actor-persistence/SKILL.md +143 -0
- package/dist/core/skills/builtin/swift-concurrency-6-2/SKILL.md +216 -0
- package/dist/core/skills/builtin/swift-protocol-di-testing/SKILL.md +190 -0
- package/dist/core/skills/builtin/swiftui-patterns/SKILL.md +259 -0
- package/dist/core/skills/builtin/tdd-workflow/SKILL.md +463 -0
- package/dist/core/skills/builtin/team-agent-orchestration/SKILL.md +110 -0
- package/dist/core/skills/builtin/team-builder/SKILL.md +168 -0
- package/dist/core/skills/builtin/terminal-ops/SKILL.md +109 -0
- package/dist/core/skills/builtin/tinystruct-patterns/SKILL.md +203 -0
- package/dist/core/skills/builtin/tinystruct-patterns/references/architecture.md +90 -0
- package/dist/core/skills/builtin/tinystruct-patterns/references/data-handling.md +60 -0
- package/dist/core/skills/builtin/tinystruct-patterns/references/database.md +99 -0
- package/dist/core/skills/builtin/tinystruct-patterns/references/routing.md +64 -0
- package/dist/core/skills/builtin/tinystruct-patterns/references/system-usage.md +97 -0
- package/dist/core/skills/builtin/tinystruct-patterns/references/testing.md +72 -0
- package/dist/core/skills/builtin/token-budget-advisor/SKILL.md +133 -0
- package/dist/core/skills/builtin/ui-demo/SKILL.md +465 -0
- package/dist/core/skills/builtin/ui-to-vue/SKILL.md +134 -0
- package/dist/core/skills/builtin/uncloud/SKILL.md +343 -0
- package/dist/core/skills/builtin/unified-notifications-ops/SKILL.md +187 -0
- package/dist/core/skills/builtin/verification-loop/SKILL.md +126 -0
- package/dist/core/skills/builtin/video-editing/SKILL.md +310 -0
- package/dist/core/skills/builtin/videodb/SKILL.md +374 -0
- package/dist/core/skills/builtin/videodb/reference/api-reference.md +550 -0
- package/dist/core/skills/builtin/videodb/reference/capture-reference.md +407 -0
- package/dist/core/skills/builtin/videodb/reference/capture.md +101 -0
- package/dist/core/skills/builtin/videodb/reference/editor.md +443 -0
- package/dist/core/skills/builtin/videodb/reference/generative.md +331 -0
- package/dist/core/skills/builtin/videodb/reference/rtstream-reference.md +564 -0
- package/dist/core/skills/builtin/videodb/reference/rtstream.md +65 -0
- package/dist/core/skills/builtin/videodb/reference/search.md +230 -0
- package/dist/core/skills/builtin/videodb/reference/streaming.md +406 -0
- package/dist/core/skills/builtin/videodb/reference/use-cases.md +118 -0
- package/dist/core/skills/builtin/videodb/scripts/ws_listener.py +282 -0
- package/dist/core/skills/builtin/visa-doc-translate/README.md +86 -0
- package/dist/core/skills/builtin/visa-doc-translate/SKILL.md +117 -0
- package/dist/core/skills/builtin/vite-patterns/SKILL.md +449 -0
- package/dist/core/skills/builtin/windows-desktop-e2e/SKILL.md +887 -0
- package/dist/core/skills/builtin/x-api/SKILL.md +234 -0
- package/dist/core/skills/loader.d.ts +23 -12
- package/dist/core/skills/loader.d.ts.map +1 -1
- package/dist/core/skills/loader.js +105 -2
- package/dist/core/skills/loader.js.map +1 -1
- package/package.json +1 -1
@@ -0,0 +1,755 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: kubernetes-patterns
|
|
3
|
+
description: [ECC] Kubernetes workload patterns, resource management, RBAC, probes, autoscaling, ConfigMap/Secret handling, and kubectl debugging for production-grade deployments.
|
|
4
|
+
origin: ECC
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Kubernetes Patterns
|
|
8
|
+
|
|
9
|
+
Production-grade Kubernetes patterns for deploying, managing, and debugging workloads reliably.
|
|
10
|
+
|
|
11
|
+
## When to Activate
|
|
12
|
+
|
|
13
|
+
- Writing Kubernetes manifests (Deployments, Services, Ingress, Jobs)
|
|
14
|
+
- Configuring resource requests/limits, liveness/readiness probes
|
|
15
|
+
- Setting up RBAC, namespaces, or ServiceAccounts
|
|
16
|
+
- Managing configuration and secrets in K8s
|
|
17
|
+
- Debugging CrashLoopBackOff, OOMKilled, pending pods, or image pull errors
|
|
18
|
+
- Configuring HPA (Horizontal Pod Autoscaler) or PodDisruptionBudgets
|
|
19
|
+
- Reviewing K8s YAML for security or correctness
|
|
20
|
+
|
|
21
|
+
## When to Use
|
|
22
|
+
|
|
23
|
+
> Same as **When to Activate** above. This alias satisfies repo skill-format conventions. Use this skill any time you are writing, reviewing, or debugging Kubernetes YAML and workloads.
|
|
24
|
+
|
|
25
|
+
## How It Works
|
|
26
|
+
|
|
27
|
+
This skill provides **copy-pasteable, production-grade YAML patterns** and **kubectl debugging commands** organized by task:
|
|
28
|
+
|
|
29
|
+
1. **Deployment template** — A fully configured production `Deployment` with security context, rolling update strategy, all three probe types, resource limits, and environment injection from ConfigMap/Secret.
|
|
30
|
+
2. **Probes** — Decision table for startup vs liveness vs readiness, with correct `failureThreshold × periodSeconds` math.
|
|
31
|
+
3. **Services & Ingress** — ClusterIP, LoadBalancer, and TLS Ingress patterns with cert-manager annotations.
|
|
32
|
+
4. **ConfigMaps & Secrets** — `envFrom`, file-mount, and external secrets guidance.
|
|
33
|
+
5. **Resource management** — Requests vs limits rules of thumb by workload type (web API, JVM, worker, sidecar).
|
|
34
|
+
6. **RBAC** — Least-privilege ServiceAccount → Role → RoleBinding chain.
|
|
35
|
+
7. **HPA & PDB** — Autoscaling and node-drain safety configurations.
|
|
36
|
+
8. **Jobs & CronJobs** — One-off and scheduled workload patterns with correct `restartPolicy`.
|
|
37
|
+
9. **kubectl cheatsheet** — Logs, exec, rollback, port-forward, dry-run, and common error diagnosis commands.
|
|
38
|
+
10. **Anti-patterns & checklist** — What NOT to do, and a security/reliability/observability checklist.
|
|
39
|
+
|
|
40
|
+
## Examples
|
|
41
|
+
|
|
42
|
+
See the sections below for complete, runnable examples. Quick references:
|
|
43
|
+
|
|
44
|
+
| Task | Jump to |
|
|
45
|
+
|------|---------|
|
|
46
|
+
| Full production Deployment YAML | [Core Workload Patterns](#core-workload-patterns) |
|
|
47
|
+
| Probe configuration | [Probes](#probes--liveness-readiness-startup) |
|
|
48
|
+
| RBAC least-privilege setup | [RBAC](#rbac--roles-and-serviceaccounts) |
|
|
49
|
+
| Debug a CrashLoopBackOff | [kubectl Debugging Cheatsheet](#kubectl-debugging-cheatsheet) |
|
|
50
|
+
| Autoscaling | [HPA](#horizontal-pod-autoscaler-hpa) |
|
|
51
|
+
|
|
52
|
+
---
|
|
53
|
+
|
|
54
|
+
## Core Workload Patterns
|
|
55
|
+
|
|
56
|
+
### Deployment — Production Template
|
|
57
|
+
|
|
58
|
+
```yaml
|
|
59
|
+
apiVersion: apps/v1
|
|
60
|
+
kind: Deployment
|
|
61
|
+
metadata:
|
|
62
|
+
name: my-app
|
|
63
|
+
namespace: my-namespace
|
|
64
|
+
labels:
|
|
65
|
+
app: my-app
|
|
66
|
+
version: "1.0.0"
|
|
67
|
+
spec:
|
|
68
|
+
replicas: 3
|
|
69
|
+
selector:
|
|
70
|
+
matchLabels:
|
|
71
|
+
app: my-app
|
|
72
|
+
strategy:
|
|
73
|
+
type: RollingUpdate
|
|
74
|
+
rollingUpdate:
|
|
75
|
+
maxSurge: 1 # Allow 1 extra pod during update
|
|
76
|
+
maxUnavailable: 0 # Never reduce below desired count
|
|
77
|
+
template:
|
|
78
|
+
metadata:
|
|
79
|
+
labels:
|
|
80
|
+
app: my-app
|
|
81
|
+
version: "1.0.0"
|
|
82
|
+
spec:
|
|
83
|
+
# Security context at pod level
|
|
84
|
+
securityContext:
|
|
85
|
+
runAsNonRoot: true
|
|
86
|
+
runAsUser: 1001
|
|
87
|
+
fsGroup: 1001
|
|
88
|
+
|
|
89
|
+
# Graceful shutdown
|
|
90
|
+
terminationGracePeriodSeconds: 30
|
|
91
|
+
|
|
92
|
+
containers:
|
|
93
|
+
- name: my-app
|
|
94
|
+
image: ghcr.io/org/my-app:1.0.0 # Never use :latest
|
|
95
|
+
imagePullPolicy: IfNotPresent
|
|
96
|
+
|
|
97
|
+
ports:
|
|
98
|
+
- containerPort: 8080
|
|
99
|
+
protocol: TCP
|
|
100
|
+
|
|
101
|
+
# Resource requests AND limits are both required
|
|
102
|
+
resources:
|
|
103
|
+
requests:
|
|
104
|
+
cpu: "100m"
|
|
105
|
+
memory: "128Mi"
|
|
106
|
+
limits:
|
|
107
|
+
cpu: "500m"
|
|
108
|
+
memory: "256Mi"
|
|
109
|
+
|
|
110
|
+
# Container security context
|
|
111
|
+
securityContext:
|
|
112
|
+
allowPrivilegeEscalation: false
|
|
113
|
+
readOnlyRootFilesystem: true
|
|
114
|
+
capabilities:
|
|
115
|
+
drop:
|
|
116
|
+
- ALL
|
|
117
|
+
|
|
118
|
+
# Probes (see Probes section below)
|
|
119
|
+
startupProbe:
|
|
120
|
+
httpGet:
|
|
121
|
+
path: /health
|
|
122
|
+
port: 8080
|
|
123
|
+
failureThreshold: 30
|
|
124
|
+
periodSeconds: 5
|
|
125
|
+
livenessProbe:
|
|
126
|
+
httpGet:
|
|
127
|
+
path: /health
|
|
128
|
+
port: 8080
|
|
129
|
+
initialDelaySeconds: 0
|
|
130
|
+
periodSeconds: 30
|
|
131
|
+
failureThreshold: 3
|
|
132
|
+
readinessProbe:
|
|
133
|
+
httpGet:
|
|
134
|
+
path: /ready
|
|
135
|
+
port: 8080
|
|
136
|
+
initialDelaySeconds: 5
|
|
137
|
+
periodSeconds: 10
|
|
138
|
+
failureThreshold: 2
|
|
139
|
+
|
|
140
|
+
# Environment from ConfigMap and Secret
|
|
141
|
+
envFrom:
|
|
142
|
+
- configMapRef:
|
|
143
|
+
name: my-app-config
|
|
144
|
+
env:
|
|
145
|
+
- name: DB_PASSWORD
|
|
146
|
+
valueFrom:
|
|
147
|
+
secretKeyRef:
|
|
148
|
+
name: my-app-secrets
|
|
149
|
+
key: db-password
|
|
150
|
+
|
|
151
|
+
# Writable tmp directory when readOnlyRootFilesystem: true
|
|
152
|
+
volumeMounts:
|
|
153
|
+
- name: tmp
|
|
154
|
+
mountPath: /tmp
|
|
155
|
+
|
|
156
|
+
volumes:
|
|
157
|
+
- name: tmp
|
|
158
|
+
emptyDir: {}
|
|
159
|
+
```
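Review bot: the pod-level `securityContext` block in this Deployment (lines 84-87, `runAsNonRoot` / `runAsUser` / `fsGroup`) has no `seccompProfile`, so the manifest does not satisfy the Pod Security Standards "restricted" level even though it drops `ALL` capabilities and sets `allowPrivilegeEscalation: false`; "restricted" rejects pods whose seccomp profile is unset or `Unconfined`. Add `seccompProfile: { type: RuntimeDefault }` under the pod (or container) `securityContext`, and add the same item to the Security checklist at the end of the file. Related: `imagePullPolicy: IfNotPresent` (line 95) paired with the mutable tag `ghcr.io/org/my-app:1.0.0` means a re-pushed `1.0.0` keeps running from the node cache; pinning by `@sha256:` digest, as the Anti-Patterns section already recommends, is what makes `IfNotPresent` safe.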
|
|
160
|
+
|
|
161
|
+
---
|
|
162
|
+
|
|
163
|
+
## Probes — Liveness, Readiness, Startup
|
|
164
|
+
|
|
165
|
+
Understanding when to use each probe is critical:
|
|
166
|
+
|
|
167
|
+
| Probe | Failure Action | Use For |
|
|
168
|
+
|-------|---------------|---------|
|
|
169
|
+
| `startupProbe` | Kills container if slow to start | Slow-starting apps (JVM, Python) |
|
|
170
|
+
| `livenessProbe` | Restarts container | Deadlock / hung process detection |
|
|
171
|
+
| `readinessProbe` | Removes from Service endpoints | Temporary unavailability (DB reconnect) |
|
|
172
|
+
|
|
173
|
+
```yaml
|
|
174
|
+
# Correct pattern: startupProbe covers slow startup,
|
|
175
|
+
# then liveness/readiness take over
|
|
176
|
+
startupProbe:
|
|
177
|
+
httpGet:
|
|
178
|
+
path: /health
|
|
179
|
+
port: 8080
|
|
180
|
+
failureThreshold: 30 # 30 * 5s = 150s max startup time
|
|
181
|
+
periodSeconds: 5
|
|
182
|
+
|
|
183
|
+
livenessProbe:
|
|
184
|
+
httpGet:
|
|
185
|
+
path: /health
|
|
186
|
+
port: 8080
|
|
187
|
+
periodSeconds: 30
|
|
188
|
+
failureThreshold: 3 # 3 * 30s = 90s before restart
|
|
189
|
+
|
|
190
|
+
readinessProbe:
|
|
191
|
+
httpGet:
|
|
192
|
+
path: /ready # Separate endpoint: checks DB, cache, etc.
|
|
193
|
+
port: 8080
|
|
194
|
+
periodSeconds: 10
|
|
195
|
+
failureThreshold: 2
|
|
196
|
+
```
|
|
197
|
+
|
|
198
|
+
```yaml
|
|
199
|
+
# WRONG: initialDelaySeconds without startupProbe
|
|
200
|
+
# If the app takes 60s to start, set a startupProbe instead
|
|
201
|
+
livenessProbe:
|
|
202
|
+
httpGet:
|
|
203
|
+
path: /health
|
|
204
|
+
port: 8080
|
|
205
|
+
initialDelaySeconds: 60 # BAD: Arbitrary wait, race condition
|
|
206
|
+
```
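Review bot: the probe section should say explicitly that `/health` (used by both `startupProbe` and `livenessProbe`) must check only process-local state, never downstream dependencies; the readiness comment "Separate endpoint: checks DB, cache, etc." implies the split but does not state the consequence. If `/health` also checked the database, a DB outage would fail liveness on every replica at once and the kubelet would restart all of them in a loop, and because the startup probe hits the same path the restarted pods would not come back until the DB did. Suggested wording next to the liveness block: "`/health` returns 200 as long as the process can serve requests; dependency checks belong only in `/ready`".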
|
|
207
|
+
|
|
208
|
+
---
|
|
209
|
+
|
|
210
|
+
## Services and Ingress
|
|
211
|
+
|
|
212
|
+
### Service Types
|
|
213
|
+
|
|
214
|
+
```yaml
|
|
215
|
+
# ClusterIP (default) — internal-only
|
|
216
|
+
apiVersion: v1
|
|
217
|
+
kind: Service
|
|
218
|
+
metadata:
|
|
219
|
+
name: my-app
|
|
220
|
+
namespace: my-namespace
|
|
221
|
+
spec:
|
|
222
|
+
selector:
|
|
223
|
+
app: my-app
|
|
224
|
+
ports:
|
|
225
|
+
- port: 80
|
|
226
|
+
targetPort: 8080
|
|
227
|
+
protocol: TCP
|
|
228
|
+
type: ClusterIP
|
|
229
|
+
```
|
|
230
|
+
|
|
231
|
+
```yaml
|
|
232
|
+
# LoadBalancer — external traffic (cloud providers)
|
|
233
|
+
spec:
|
|
234
|
+
type: LoadBalancer
|
|
235
|
+
ports:
|
|
236
|
+
- port: 443
|
|
237
|
+
targetPort: 8080
|
|
238
|
+
```
|
|
239
|
+
|
|
240
|
+
### Ingress with TLS
|
|
241
|
+
|
|
242
|
+
```yaml
|
|
243
|
+
apiVersion: networking.k8s.io/v1
|
|
244
|
+
kind: Ingress
|
|
245
|
+
metadata:
|
|
246
|
+
name: my-app
|
|
247
|
+
namespace: my-namespace
|
|
248
|
+
annotations:
|
|
249
|
+
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
|
250
|
+
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
|
251
|
+
spec:
|
|
252
|
+
ingressClassName: nginx
|
|
253
|
+
tls:
|
|
254
|
+
- hosts:
|
|
255
|
+
- myapp.example.com
|
|
256
|
+
secretName: my-app-tls
|
|
257
|
+
rules:
|
|
258
|
+
- host: myapp.example.com
|
|
259
|
+
http:
|
|
260
|
+
paths:
|
|
261
|
+
- path: /
|
|
262
|
+
pathType: Prefix
|
|
263
|
+
backend:
|
|
264
|
+
service:
|
|
265
|
+
name: my-app
|
|
266
|
+
port:
|
|
267
|
+
number: 80
|
|
268
|
+
```
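Review bot: the `LoadBalancer` snippet maps `port: 443` to `targetPort: 8080` with nothing terminating TLS, so unless the application itself speaks TLS on 8080 this exposes plaintext on a port clients will assume is encrypted. Either note that the container must terminate TLS here (and then the Ingress example below, which terminates TLS at ingress-nginx with a cert-manager certificate, is the preferred pattern for HTTP services), or drop the 443 example and show the Service as `ClusterIP` behind the Ingress only.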
|
|
269
|
+
|
|
270
|
+
---
|
|
271
|
+
|
|
272
|
+
## ConfigMaps and Secrets
|
|
273
|
+
|
|
274
|
+
### ConfigMap — Non-sensitive configuration
|
|
275
|
+
|
|
276
|
+
```yaml
|
|
277
|
+
apiVersion: v1
|
|
278
|
+
kind: ConfigMap
|
|
279
|
+
metadata:
|
|
280
|
+
name: my-app-config
|
|
281
|
+
namespace: my-namespace
|
|
282
|
+
data:
|
|
283
|
+
LOG_LEVEL: "info"
|
|
284
|
+
APP_ENV: "production"
|
|
285
|
+
MAX_CONNECTIONS: "100"
|
|
286
|
+
# Mount as a file for complex config
|
|
287
|
+
app.yaml: |
|
|
288
|
+
server:
|
|
289
|
+
port: 8080
|
|
290
|
+
timeout: 30s
|
|
291
|
+
```
|
|
292
|
+
|
|
293
|
+
```yaml
|
|
294
|
+
# Mount ConfigMap as a file
|
|
295
|
+
volumes:
|
|
296
|
+
- name: config
|
|
297
|
+
configMap:
|
|
298
|
+
name: my-app-config
|
|
299
|
+
items:
|
|
300
|
+
- key: app.yaml
|
|
301
|
+
path: app.yaml
|
|
302
|
+
volumeMounts:
|
|
303
|
+
- name: config
|
|
304
|
+
mountPath: /etc/app
|
|
305
|
+
readOnly: true
|
|
306
|
+
```
|
|
307
|
+
|
|
308
|
+
### Secrets — Sensitive data
|
|
309
|
+
|
|
310
|
+
```bash
|
|
311
|
+
# Create secret from literal (CLI, then store in Vault/SOPS)
|
|
312
|
+
kubectl create secret generic my-app-secrets \
|
|
313
|
+
--from-literal=db-password='s3cr3t' \
|
|
314
|
+
--namespace=my-namespace \
|
|
315
|
+
--dry-run=client -o yaml | kubectl apply -f -
|
|
316
|
+
```
|
|
317
|
+
|
|
318
|
+
```yaml
|
|
319
|
+
apiVersion: v1
|
|
320
|
+
kind: Secret
|
|
321
|
+
metadata:
|
|
322
|
+
name: my-app-secrets
|
|
323
|
+
namespace: my-namespace
|
|
324
|
+
type: Opaque
|
|
325
|
+
# Values are base64-encoded (NOT encrypted — use Sealed Secrets or ESO for real encryption)
|
|
326
|
+
data:
|
|
327
|
+
db-password: czNjcjN0 # base64 of 's3cr3t'
|
|
328
|
+
```
|
|
329
|
+
|
|
330
|
+
> **Important:** Raw Kubernetes Secrets are only base64-encoded, not encrypted at rest unless your cluster has encryption configured. Use [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) or [External Secrets Operator](https://external-secrets.io) for production.
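Review bot: the comment on the Secret manifest, "use Sealed Secrets or ESO for real encryption", is misleading: neither tool encrypts Secrets at rest in etcd. A SealedSecret is decrypted by its controller into an ordinary Secret, and External Secrets Operator syncs values from the external store into an ordinary Secret; both solve the "secret checked into git" problem. Encryption at rest is an API-server `EncryptionConfiguration` (ideally a KMS provider) setting, which the callout below correctly alludes to, so the comment should say "NOT encrypted; encrypt at rest via EncryptionConfiguration and keep the source of truth in Vault/ESO/Sealed Secrets". Separately, `--from-literal=db-password='s3cr3t'` leaves the password in shell history and in the process list for the duration of the command; read it with `--from-file` from a mode-0600 file (or from stdin) instead.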
|
|
331
|
+
|
|
332
|
+
---
|
|
333
|
+
|
|
334
|
+
## Resource Requests and Limits
|
|
335
|
+
|
|
336
|
+
```yaml
|
|
337
|
+
resources:
|
|
338
|
+
requests: # Scheduler uses this to place the pod
|
|
339
|
+
cpu: "100m" # 100 millicores = 0.1 CPU
|
|
340
|
+
memory: "128Mi"
|
|
341
|
+
limits: # Container is killed/throttled above this
|
|
342
|
+
cpu: "500m"
|
|
343
|
+
memory: "256Mi"
|
|
344
|
+
```
|
|
345
|
+
|
|
346
|
+
**Rules of thumb:**
|
|
347
|
+
|
|
348
|
+
| Workload Type | CPU Request | Memory Request | Notes |
|
|
349
|
+
|---------------|-------------|----------------|-------|
|
|
350
|
+
| Web API | 100–250m | 128–256Mi | Set limits 2-4x requests |
|
|
351
|
+
| Worker/consumer | 250–500m | 256–512Mi | Memory limit = request for predictability |
|
|
352
|
+
| JVM app | 500m–1 | 512Mi–2Gi | Allow headroom above `-Xmx` for JVM overhead |
|
|
353
|
+
| Sidecar | 10–50m | 32–64Mi | Keep minimal |
|
|
354
|
+
|
|
355
|
+
```yaml
|
|
356
|
+
# WRONG: No requests or limits — unpredictable scheduling, OOM evictions
|
|
357
|
+
containers:
|
|
358
|
+
- name: app
|
|
359
|
+
image: myapp:latest
|
|
360
|
+
# Missing resources: {} — this is dangerous in production
|
|
361
|
+
|
|
362
|
+
# WRONG: Limits without requests — requests default to limits, over-reserves capacity
|
|
363
|
+
resources:
|
|
364
|
+
limits:
|
|
365
|
+
cpu: "2"
|
|
366
|
+
memory: "1Gi"
|
|
367
|
+
# requests missing — will default to limits values
|
|
368
|
+
```
|
|
369
|
+
|
|
370
|
+
---
|
|
371
|
+
|
|
372
|
+
## RBAC — Roles and ServiceAccounts
|
|
373
|
+
|
|
374
|
+
### Principle of Least Privilege
|
|
375
|
+
|
|
376
|
+
**Two patterns depending on whether the app calls the Kubernetes API:**
|
|
377
|
+
|
|
378
|
+
#### Pattern A — App does NOT need the Kubernetes API (most apps)
|
|
379
|
+
|
|
380
|
+
Disable token automounting on the ServiceAccount. The Role/RoleBinding are not needed.
|
|
381
|
+
|
|
382
|
+
```yaml
|
|
383
|
+
# ServiceAccount with token disabled — safest default
|
|
384
|
+
apiVersion: v1
|
|
385
|
+
kind: ServiceAccount
|
|
386
|
+
metadata:
|
|
387
|
+
name: my-app-sa
|
|
388
|
+
namespace: my-namespace
|
|
389
|
+
automountServiceAccountToken: false # No K8s API token injected into pods
|
|
390
|
+
```
|
|
391
|
+
|
|
392
|
+
```yaml
|
|
393
|
+
# Reference in Deployment — no token, no API access
|
|
394
|
+
spec:
|
|
395
|
+
template:
|
|
396
|
+
spec:
|
|
397
|
+
serviceAccountName: my-app-sa
|
|
398
|
+
automountServiceAccountToken: false # Belt-and-suspenders: also set at pod level
|
|
399
|
+
```
|
|
400
|
+
|
|
401
|
+
#### Pattern B — App DOES need the Kubernetes API (operators, controllers, config watchers)
|
|
402
|
+
|
|
403
|
+
Enable the token and grant only the permissions actually required.
|
|
404
|
+
|
|
405
|
+
```yaml
|
|
406
|
+
# 1. ServiceAccount — enable token for this SA
|
|
407
|
+
apiVersion: v1
|
|
408
|
+
kind: ServiceAccount
|
|
409
|
+
metadata:
|
|
410
|
+
name: my-app-sa
|
|
411
|
+
namespace: my-namespace
|
|
412
|
+
automountServiceAccountToken: true # Token required: app calls K8s API
|
|
413
|
+
```
|
|
414
|
+
|
|
415
|
+
```yaml
|
|
416
|
+
# 2. Role — grant only what the app needs (namespace-scoped)
|
|
417
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
|
418
|
+
kind: Role
|
|
419
|
+
metadata:
|
|
420
|
+
name: my-app-role
|
|
421
|
+
namespace: my-namespace
|
|
422
|
+
rules:
|
|
423
|
+
- apiGroups: [""]
|
|
424
|
+
resources: ["configmaps"]
|
|
425
|
+
verbs: ["get", "list", "watch"] # Read-only, specific resource
|
|
426
|
+
- apiGroups: [""]
|
|
427
|
+
resources: ["secrets"]
|
|
428
|
+
resourceNames: ["my-app-secrets"] # Restrict to specific secret by name
|
|
429
|
+
verbs: ["get"]
|
|
430
|
+
```
|
|
431
|
+
|
|
432
|
+
```yaml
|
|
433
|
+
# 3. Bind Role to ServiceAccount
|
|
434
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
|
435
|
+
kind: RoleBinding
|
|
436
|
+
metadata:
|
|
437
|
+
name: my-app-rolebinding
|
|
438
|
+
namespace: my-namespace
|
|
439
|
+
subjects:
|
|
440
|
+
- kind: ServiceAccount
|
|
441
|
+
name: my-app-sa
|
|
442
|
+
namespace: my-namespace
|
|
443
|
+
roleRef:
|
|
444
|
+
kind: Role
|
|
445
|
+
apiGroup: rbac.authorization.k8s.io
|
|
446
|
+
name: my-app-role
|
|
447
|
+
```
|
|
448
|
+
|
|
449
|
+
```yaml
|
|
450
|
+
# 4. Reference SA in Deployment
|
|
451
|
+
spec:
|
|
452
|
+
template:
|
|
453
|
+
spec:
|
|
454
|
+
serviceAccountName: my-app-sa
|
|
455
|
+
# automountServiceAccountToken defaults to true from SA — token is injected
|
|
456
|
+
```
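Review bot: the Role in Pattern B is correct as written, but it is worth a comment that `resourceNames` only constrains verbs that name a single object (`get`, `update`, `patch`, `delete`); it does not restrict a plain `list` or `watch`, so a reader who copies the `secrets` rule and adds `"list"` silently grants read access to every Secret in the namespace. Also worth adding next to step 4: verify the binding from the pod's identity before shipping, e.g. `kubectl auth can-i list secrets -n my-namespace --as=system:serviceaccount:my-namespace:my-app-sa` should print `no`.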
|
|
457
|
+
|
|
458
|
+
---
|
|
459
|
+
|
|
460
|
+
## Horizontal Pod Autoscaler (HPA)
|
|
461
|
+
|
|
462
|
+
```yaml
|
|
463
|
+
apiVersion: autoscaling/v2
|
|
464
|
+
kind: HorizontalPodAutoscaler
|
|
465
|
+
metadata:
|
|
466
|
+
name: my-app-hpa
|
|
467
|
+
namespace: my-namespace
|
|
468
|
+
spec:
|
|
469
|
+
scaleTargetRef:
|
|
470
|
+
apiVersion: apps/v1
|
|
471
|
+
kind: Deployment
|
|
472
|
+
name: my-app
|
|
473
|
+
minReplicas: 2 # Always at least 2 for HA
|
|
474
|
+
maxReplicas: 10
|
|
475
|
+
metrics:
|
|
476
|
+
- type: Resource
|
|
477
|
+
resource:
|
|
478
|
+
name: cpu
|
|
479
|
+
target:
|
|
480
|
+
type: Utilization
|
|
481
|
+
averageUtilization: 70 # Scale up when avg CPU > 70%
|
|
482
|
+
- type: Resource
|
|
483
|
+
resource:
|
|
484
|
+
name: memory
|
|
485
|
+
target:
|
|
486
|
+
type: Utilization
|
|
487
|
+
averageUtilization: 80
|
|
488
|
+
```
|
|
489
|
+
|
|
490
|
+
> HPA requires `resources.requests` to be set on all containers — it calculates utilization as `current / request`.
|
|
491
|
+
|
|
492
|
+
---
|
|
493
|
+
|
|
494
|
+
## PodDisruptionBudget (PDB)
|
|
495
|
+
|
|
496
|
+
Prevent too many pods going down during node drains or rolling updates:
|
|
497
|
+
|
|
498
|
+
```yaml
|
|
499
|
+
apiVersion: policy/v1
|
|
500
|
+
kind: PodDisruptionBudget
|
|
501
|
+
metadata:
|
|
502
|
+
name: my-app-pdb
|
|
503
|
+
namespace: my-namespace
|
|
504
|
+
spec:
|
|
505
|
+
minAvailable: 2 # OR use maxUnavailable: 1
|
|
506
|
+
selector:
|
|
507
|
+
matchLabels:
|
|
508
|
+
app: my-app
|
|
509
|
+
```
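Review bot: `minAvailable: 2` here combined with the HPA's `minReplicas: 2` above means that whenever the Deployment is at its minimum scale no pod can be evicted at all, so `kubectl drain` and cluster-autoscaler scale-downs will hang on this workload. Prefer `maxUnavailable: 1` (the inline comment already hints at it) or a percentage, and state the rule: `minAvailable` must be strictly less than the lowest replica count the workload can run at.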
|
|
510
|
+
|
|
511
|
+
---
|
|
512
|
+
|
|
513
|
+
## Namespaces and Multi-Tenancy
|
|
514
|
+
|
|
515
|
+
```bash
|
|
516
|
+
# Create namespace with resource quotas
|
|
517
|
+
kubectl create namespace my-namespace
|
|
518
|
+
|
|
519
|
+
# Apply ResourceQuota to limit namespace consumption
|
|
520
|
+
kubectl apply -f - <<EOF
|
|
521
|
+
apiVersion: v1
|
|
522
|
+
kind: ResourceQuota
|
|
523
|
+
metadata:
|
|
524
|
+
name: my-namespace-quota
|
|
525
|
+
namespace: my-namespace
|
|
526
|
+
spec:
|
|
527
|
+
hard:
|
|
528
|
+
requests.cpu: "4"
|
|
529
|
+
requests.memory: 4Gi
|
|
530
|
+
limits.cpu: "8"
|
|
531
|
+
limits.memory: 8Gi
|
|
532
|
+
pods: "20"
|
|
533
|
+
EOF
|
|
534
|
+
```
|
|
535
|
+
|
|
536
|
+
---
|
|
537
|
+
|
|
538
|
+
## Jobs and CronJobs
|
|
539
|
+
|
|
540
|
+
```yaml
|
|
541
|
+
# One-off Job (DB migration, data processing)
|
|
542
|
+
apiVersion: batch/v1
|
|
543
|
+
kind: Job
|
|
544
|
+
metadata:
|
|
545
|
+
name: db-migrate
|
|
546
|
+
namespace: my-namespace
|
|
547
|
+
spec:
|
|
548
|
+
backoffLimit: 3 # Retry up to 3 times on failure
|
|
549
|
+
ttlSecondsAfterFinished: 3600 # Auto-delete after 1h
|
|
550
|
+
template:
|
|
551
|
+
spec:
|
|
552
|
+
restartPolicy: OnFailure # Never for Jobs (not Always)
|
|
553
|
+
containers:
|
|
554
|
+
- name: migrate
|
|
555
|
+
image: ghcr.io/org/my-app:1.0.0
|
|
556
|
+
command: ["python", "manage.py", "migrate"]
|
|
557
|
+
resources:
|
|
558
|
+
requests:
|
|
559
|
+
cpu: "100m"
|
|
560
|
+
memory: "256Mi"
|
|
561
|
+
```
|
|
562
|
+
|
|
563
|
+
```yaml
|
|
564
|
+
# CronJob
|
|
565
|
+
apiVersion: batch/v1
|
|
566
|
+
kind: CronJob
|
|
567
|
+
metadata:
|
|
568
|
+
name: cleanup-job
|
|
569
|
+
namespace: my-namespace
|
|
570
|
+
spec:
|
|
571
|
+
schedule: "0 2 * * *" # 2am daily
|
|
572
|
+
concurrencyPolicy: Forbid # Don't run if previous still running
|
|
573
|
+
successfulJobsHistoryLimit: 3
|
|
574
|
+
failedJobsHistoryLimit: 1
|
|
575
|
+
jobTemplate:
|
|
576
|
+
spec:
|
|
577
|
+
template:
|
|
578
|
+
spec:
|
|
579
|
+
restartPolicy: OnFailure
|
|
580
|
+
containers:
|
|
581
|
+
- name: cleanup
|
|
582
|
+
image: ghcr.io/org/cleanup:1.0.0
|
|
583
|
+
resources:
|
|
584
|
+
requests:
|
|
585
|
+
cpu: "50m"
|
|
586
|
+
memory: "64Mi"
|
|
587
|
+
```
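Review bot: the Job and CronJob pod templates carry none of the hardening the Deployment sets (no `securityContext`, no `serviceAccountName`, no `automountServiceAccountToken: false`), so in a namespace labelled with the "restricted" Pod Security level the migration Job is rejected, and elsewhere it runs as the image's user with the `default` ServiceAccount token mounted. Copy the pod-level and container-level `securityContext` blocks from the Deployment into both templates. Two smaller points: the comment `# Never for Jobs (not Always)` reads as "never use this for Jobs"; it should say "OnFailure or Never (Always is not allowed)". And for a migration Job, `restartPolicy: Never` with `backoffLimit` keeps one pod per failed attempt, whereas `OnFailure` restarts the container in place and earlier attempt logs are reachable only via `--previous`, which matters when diagnosing a half-applied migration.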
|
|
588
|
+
|
|
589
|
+
---
|
|
590
|
+
|
|
591
|
+
## kubectl Debugging Cheatsheet
|
|
592
|
+
|
|
593
|
+
```bash
|
|
594
|
+
# --- Pod status and logs ---
|
|
595
|
+
kubectl get pods -n my-namespace
|
|
596
|
+
kubectl get pods -n my-namespace -o wide # Show node assignment
|
|
597
|
+
kubectl describe pod <pod-name> -n my-namespace # Events and state details
|
|
598
|
+
kubectl logs <pod-name> -n my-namespace # Current logs
|
|
599
|
+
kubectl logs <pod-name> -n my-namespace --previous # Logs from crashed container
|
|
600
|
+
kubectl logs <pod-name> -n my-namespace -c <container> # Multi-container pod
|
|
601
|
+
|
|
602
|
+
# --- Execute into a running container ---
|
|
603
|
+
kubectl exec -it <pod-name> -n my-namespace -- sh
|
|
604
|
+
kubectl exec -it <pod-name> -n my-namespace -- bash
|
|
605
|
+
|
|
606
|
+
# --- Check resource usage ---
|
|
607
|
+
kubectl top pods -n my-namespace
|
|
608
|
+
kubectl top nodes
|
|
609
|
+
|
|
610
|
+
# --- Deployment operations ---
|
|
611
|
+
kubectl rollout status deployment/my-app -n my-namespace
|
|
612
|
+
kubectl rollout history deployment/my-app -n my-namespace
|
|
613
|
+
kubectl rollout undo deployment/my-app -n my-namespace # Rollback
|
|
614
|
+
kubectl rollout undo deployment/my-app --to-revision=2 -n my-namespace
|
|
615
|
+
|
|
616
|
+
# --- Scale manually ---
|
|
617
|
+
kubectl scale deployment my-app --replicas=5 -n my-namespace
|
|
618
|
+
|
|
619
|
+
# --- Inspect events (cluster-wide issues) ---
|
|
620
|
+
kubectl get events -n my-namespace --sort-by='.lastTimestamp'
|
|
621
|
+
|
|
622
|
+
# --- Port-forward for local debugging ---
|
|
623
|
+
kubectl port-forward pod/<pod-name> 8080:8080 -n my-namespace
|
|
624
|
+
kubectl port-forward svc/my-app 8080:80 -n my-namespace
|
|
625
|
+
|
|
626
|
+
# --- Dry-run to validate YAML ---
|
|
627
|
+
kubectl apply -f deployment.yaml --dry-run=client
|
|
628
|
+
kubectl apply -f deployment.yaml --dry-run=server # Validates against live cluster
|
|
629
|
+
```
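Review bot: `kubectl exec -it <pod> -- sh` / `-- bash` will fail on the images this guide recommends (distroless or scratch base, `readOnlyRootFilesystem: true`, all capabilities dropped), because there is no shell to run. Add `kubectl debug -it <pod-name> -n my-namespace --image=busybox --target=<container>` as the primary option; the ephemeral container shares the target's process namespace without changing the pod spec. It is also worth a line that `pods/exec` and `pods/ephemeralcontainers` are privileged verbs that should be granted to humans only through a break-glass Role, since the RBAC section otherwise reads as if least privilege applies only to application ServiceAccounts.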
|
|
630
|
+
|
|
631
|
+
### Diagnosing Common Errors
|
|
632
|
+
|
|
633
|
+
```bash
|
|
634
|
+
# CrashLoopBackOff: container keeps crashing
|
|
635
|
+
kubectl logs <pod-name> --previous -n my-namespace # Check crash logs
|
|
636
|
+
kubectl describe pod <pod-name> -n my-namespace # Check exit code & OOMKilled
|
|
637
|
+
|
|
638
|
+
# ImagePullBackOff: can't pull image
|
|
639
|
+
kubectl describe pod <pod-name> -n my-namespace # Check Events section
|
|
640
|
+
# Causes: wrong image tag, missing imagePullSecret, private registry
|
|
641
|
+
|
|
642
|
+
# Pending pod: not scheduled
|
|
643
|
+
kubectl describe pod <pod-name> -n my-namespace
|
|
644
|
+
# Causes: insufficient resources, no matching node selector, taint/toleration mismatch
|
|
645
|
+
|
|
646
|
+
# OOMKilled: out of memory
|
|
647
|
+
# Increase memory limits, check for memory leaks
|
|
648
|
+
kubectl describe pod <pod-name> -n my-namespace | grep -A5 "Last State"
|
|
649
|
+
```
|
|
650
|
+
|
|
651
|
+
---
|
|
652
|
+
|
|
653
|
+
## Anti-Patterns
|
|
654
|
+
|
|
655
|
+
```yaml
|
|
656
|
+
# BAD: Using :latest tag — non-deterministic deployments
|
|
657
|
+
image: myapp:latest
|
|
658
|
+
|
|
659
|
+
# GOOD: Pin to a specific immutable tag (SHA or semver)
|
|
660
|
+
image: ghcr.io/org/myapp:1.4.2
|
|
661
|
+
# or
|
|
662
|
+
image: ghcr.io/org/myapp@sha256:abc123...
|
|
663
|
+
|
|
664
|
+
# ---
|
|
665
|
+
|
|
666
|
+
# BAD: Running as root
|
|
667
|
+
securityContext: {} # Defaults to root
|
|
668
|
+
|
|
669
|
+
# GOOD: Non-root with explicit UID
|
|
670
|
+
securityContext:
|
|
671
|
+
runAsNonRoot: true
|
|
672
|
+
runAsUser: 1001
|
|
673
|
+
|
|
674
|
+
# ---
|
|
675
|
+
|
|
676
|
+
# BAD: No resource limits — one pod can starve the entire node
|
|
677
|
+
containers:
|
|
678
|
+
- name: app
|
|
679
|
+
image: myapp:1.0.0
|
|
680
|
+
# No resources defined
|
|
681
|
+
|
|
682
|
+
# GOOD: Always set requests and limits
|
|
683
|
+
resources:
|
|
684
|
+
requests:
|
|
685
|
+
cpu: "100m"
|
|
686
|
+
memory: "128Mi"
|
|
687
|
+
limits:
|
|
688
|
+
cpu: "500m"
|
|
689
|
+
memory: "256Mi"
|
|
690
|
+
|
|
691
|
+
# ---
|
|
692
|
+
|
|
693
|
+
# BAD: Storing plaintext secrets in ConfigMaps
|
|
694
|
+
apiVersion: v1
|
|
695
|
+
kind: ConfigMap
|
|
696
|
+
data:
|
|
697
|
+
DB_PASSWORD: "mysecretpassword" # NEVER — use Secret or external secrets manager
|
|
698
|
+
|
|
699
|
+
# ---
|
|
700
|
+
|
|
701
|
+
# BAD: ClusterAdmin for application service accounts
|
|
702
|
+
apiVersion: rbac.authorization.k8s.io/v1
|
|
703
|
+
kind: ClusterRoleBinding
|
|
704
|
+
roleRef:
|
|
705
|
+
kind: ClusterRole
|
|
706
|
+
name: cluster-admin # Grants god-mode to your app
|
|
707
|
+
|
|
708
|
+
# ---
|
|
709
|
+
|
|
710
|
+
# BAD: minAvailable: 0 in PDB — defeats the purpose
|
|
711
|
+
spec:
|
|
712
|
+
minAvailable: 0
|
|
713
|
+
|
|
714
|
+
# ---
|
|
715
|
+
|
|
716
|
+
# BAD: restartPolicy: Always in a Job (causes infinite restart loop)
|
|
717
|
+
spec:
|
|
718
|
+
restartPolicy: Always # Use OnFailure or Never for Jobs
|
|
719
|
+
```
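Review bot: the last anti-pattern, "restartPolicy: Always in a Job (causes infinite restart loop)", is factually wrong: the API server rejects a Job whose template sets `restartPolicy: Always` at validation time (`Unsupported value: "Always": supported values: "OnFailure", "Never"`), so it never runs. Reword to "is rejected by the API server; use OnFailure or Never". Also, `securityContext: {}  # Defaults to root` is slightly off: an empty context means the image's `USER` applies, which is root only when the Dockerfile never set one; the real point is that without `runAsNonRoot: true` nothing enforces it, and with it the kubelet refuses to start an image that resolves to UID 0.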
|
|
720
|
+
|
|
721
|
+
---
|
|
722
|
+
|
|
723
|
+
## Best Practices Checklist
|
|
724
|
+
|
|
725
|
+
### Security
|
|
726
|
+
- [ ] Container runs as non-root (`runAsNonRoot: true`, `runAsUser` set)
|
|
727
|
+
- [ ] `readOnlyRootFilesystem: true` with `emptyDir` for writable paths
|
|
728
|
+
- [ ] `allowPrivilegeEscalation: false`
|
|
729
|
+
- [ ] All capabilities dropped (`capabilities.drop: [ALL]`)
|
|
730
|
+
- [ ] Dedicated ServiceAccount per app, not `default`
|
|
731
|
+
- [ ] `automountServiceAccountToken: false` unless needed
|
|
732
|
+
- [ ] RBAC follows least privilege (use `Role`, not `ClusterRole` unless needed)
|
|
733
|
+
- [ ] Secrets managed via Sealed Secrets or External Secrets Operator
|
|
734
|
+
|
|
735
|
+
### Reliability
|
|
736
|
+
- [ ] All 3 probe types configured (startup + liveness + readiness)
|
|
737
|
+
- [ ] Resource requests AND limits set on every container
|
|
738
|
+
- [ ] `minReplicas: 2+` for any production workload
|
|
739
|
+
- [ ] PodDisruptionBudget defined for stateful or critical services
|
|
740
|
+
- [ ] `RollingUpdate` strategy with `maxUnavailable: 0`
|
|
741
|
+
- [ ] HPA configured for variable-load services
|
|
742
|
+
|
|
743
|
+
### Observability
|
|
744
|
+
- [ ] App exposes `/health` (liveness) and `/ready` (readiness) endpoints
|
|
745
|
+
- [ ] Structured JSON logging (no PII in logs)
|
|
746
|
+
- [ ] Resource labels: `app`, `version`, `environment`
|
|
747
|
+
|
|
748
|
+
---
|
|
749
|
+
|
|
750
|
+
## Related Skills
|
|
751
|
+
|
|
752
|
+
- `docker-patterns` — Multi-stage Dockerfiles and image security
|
|
753
|
+
- `deployment-patterns` — CI/CD pipelines, rollback strategy, health check endpoints
|
|
754
|
+
- `security-review` — Broader security hardening context
|
|
755
|
+
- `git-workflow` — GitOps integration with K8s (ArgoCD / Flux patterns)
|