omgkit 2.1.1 → 2.2.0

package/plugin/skills/devops/kubernetes/SKILL.md

@@ -1,64 +1,661 @@
 ---
 name: kubernetes
-description: Kubernetes orchestration. Use for K8s manifests, deployments, services.
+description: Kubernetes container orchestration with deployments, services, ConfigMaps, Helm, and production patterns
+category: devops
+triggers:
+  - kubernetes
+  - k8s
+  - kubectl
+  - helm
+  - deployment
+  - pods
+  - container orchestration
 ---
 
-# Kubernetes Skill
+# Kubernetes
+
+Enterprise-grade **Kubernetes container orchestration** following industry best practices. This skill covers deployments, services, ConfigMaps, secrets, Helm charts, ingress, and production-ready patterns used by top engineering teams.
+
+## Purpose
+
+Deploy and manage containerized applications at scale:
+
+- Configure deployments with proper resource limits
+- Expose services with load balancing
+- Manage configuration with ConfigMaps and Secrets
+- Implement health checks and probes
+- Package applications with Helm
+- Configure ingress and networking
+- Implement autoscaling strategies
+
+## Features
+
+### 1. Deployment Configuration
 
-## Deployment
 ```yaml
+# k8s/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: app
+  name: api-server
+  namespace: production
+  labels:
+    app: api-server
+    version: v1.0.0
 spec:
   replicas: 3
+  revisionHistoryLimit: 5
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
   selector:
     matchLabels:
-      app: myapp
+      app: api-server
   template:
     metadata:
       labels:
-        app: myapp
+        app: api-server
+        version: v1.0.0
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9090"
     spec:
+      serviceAccountName: api-server
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
       containers:
-        - name: app
-          image: myapp:latest
+        - name: api-server
+          image: ghcr.io/company/api-server:v1.0.0
+          imagePullPolicy: IfNotPresent
           ports:
-            - containerPort: 3000
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
+          env:
+            - name: NODE_ENV
+              value: "production"
+            - name: PORT
+              value: "3000"
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: api-secrets
+                  key: database-url
+            - name: REDIS_URL
+              valueFrom:
+                configMapKeyRef:
+                  name: api-config
+                  key: redis-url
           resources:
-            limits:
+            requests:
+              cpu: "100m"
               memory: "256Mi"
+            limits:
               cpu: "500m"
+              memory: "512Mi"
+          livenessProbe:
+            httpGet:
+              path: /health/live
+              port: http
+            initialDelaySeconds: 15
+            periodSeconds: 20
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+          startupProbe:
+            httpGet:
+              path: /health/live
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 5
+            failureThreshold: 30
+          volumeMounts:
+            - name: config-volume
+              mountPath: /app/config
+              readOnly: true
+            - name: tmp
+              mountPath: /tmp
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+      volumes:
+        - name: config-volume
+          configMap:
+            name: api-config
+        - name: tmp
+          emptyDir: {}
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                    - key: app
+                      operator: In
+                      values:
+                        - api-server
+                topologyKey: kubernetes.io/hostname
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app: api-server
 ```
 
-## Service
+### 2. Service and Ingress
+
 ```yaml
+# k8s/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
-  name: app-service
+  name: api-server
+  namespace: production
+  labels:
+    app: api-server
 spec:
-  selector:
-    app: myapp
+  type: ClusterIP
   ports:
-    - port: 80
-      targetPort: 3000
-  type: LoadBalancer
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP
+  selector:
+    app: api-server
+
+---
+# k8s/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: api-server
+  namespace: production
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/rate-limit: "100"
+    nginx.ingress.kubernetes.io/rate-limit-window: "1m"
+spec:
+  tls:
+    - hosts:
+        - api.example.com
+      secretName: api-tls-secret
+  rules:
+    - host: api.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: api-server
+                port:
+                  name: http
 ```
 
-## ConfigMap
+### 3. ConfigMaps and Secrets
+
 ```yaml
+# k8s/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: app-config
+  name: api-config
+  namespace: production
 data:
-  API_URL: "https://api.example.com"
+  redis-url: "redis://redis-master:6379"
+  log-level: "info"
+  cors-origins: "https://example.com,https://www.example.com"
+  config.json: |
+    {
+      "features": {
+        "newDashboard": true,
+        "analytics": true
+      },
+      "limits": {
+        "maxUploadSize": 10485760,
+        "maxRequestsPerMinute": 100
+      }
+    }
+
+---
+# k8s/secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: api-secrets
+  namespace: production
+type: Opaque
+stringData:
+  database-url: "postgresql://user:password@postgres:5432/db"
+  jwt-secret: "your-super-secret-jwt-key"
+  api-key: "your-api-key"
+
+---
+# External Secrets (with External Secrets Operator)
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: api-external-secrets
+  namespace: production
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: aws-secrets-manager
+  target:
+    name: api-secrets
+    creationPolicy: Owner
+  data:
+    - secretKey: database-url
+      remoteRef:
+        key: production/api/database
+        property: url
+    - secretKey: jwt-secret
+      remoteRef:
+        key: production/api/jwt
+        property: secret
+```
+
+### 4. Horizontal Pod Autoscaler
+
+```yaml
+# k8s/hpa.yaml
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: api-server
+  namespace: production
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: api-server
+  minReplicas: 3
+  maxReplicas: 20
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 70
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: 80
+    - type: Pods
+      pods:
+        metric:
+          name: http_requests_per_second
+        target:
+          type: AverageValue
+          averageValue: "1000"
+  behavior:
+    scaleDown:
+      stabilizationWindowSeconds: 300
+      policies:
+        - type: Percent
+          value: 10
+          periodSeconds: 60
+    scaleUp:
+      stabilizationWindowSeconds: 0
+      policies:
+        - type: Percent
+          value: 100
+          periodSeconds: 15
+        - type: Pods
+          value: 4
+          periodSeconds: 15
+      selectPolicy: Max
+
+---
+# Vertical Pod Autoscaler
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: api-server-vpa
+  namespace: production
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: api-server
+  updatePolicy:
+    updateMode: "Auto"
+  resourcePolicy:
+    containerPolicies:
+      - containerName: api-server
+        minAllowed:
+          cpu: "100m"
+          memory: "256Mi"
+        maxAllowed:
+          cpu: "2"
+          memory: "2Gi"
+```
+
+### 5. Helm Chart Structure
+
+```yaml
+# charts/api-server/Chart.yaml
+apiVersion: v2
+name: api-server
+description: API Server Helm chart
+type: application
+version: 1.0.0
+appVersion: "1.0.0"
+dependencies:
+  - name: redis
+    version: "17.x.x"
+    repository: https://charts.bitnami.com/bitnami
+    condition: redis.enabled
+
+---
+# charts/api-server/values.yaml
+replicaCount: 3
+
+image:
+  repository: ghcr.io/company/api-server
+  tag: ""
+  pullPolicy: IfNotPresent
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  hosts:
+    - host: api.example.com
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: api-tls
+      hosts:
+        - api.example.com
+
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+
+autoscaling:
+  enabled: true
+  minReplicas: 3
+  maxReplicas: 20
+  targetCPUUtilizationPercentage: 70
+
+env:
+  NODE_ENV: production
+  LOG_LEVEL: info
+
+secrets:
+  databaseUrl: ""
+  jwtSecret: ""
+
+redis:
+  enabled: true
+  architecture: standalone
+
+---
+# charts/api-server/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "api-server.fullname" . }}
+  labels:
+    {{- include "api-server.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "api-server.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "api-server.selectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 3000
+          env:
+            {{- range $key, $value := .Values.env }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "api-server.fullname" . }}-secrets
+                  key: database-url
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /health/live
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: http
+```
+
+### 6. Network Policies
+
+```yaml
+# k8s/network-policy.yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: api-server-network-policy
+  namespace: production
+spec:
+  podSelector:
+    matchLabels:
+      app: api-server
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: ingress-nginx
+        - podSelector:
+            matchLabels:
+              app: frontend
+      ports:
+        - protocol: TCP
+          port: 3000
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: postgres
+      ports:
+        - protocol: TCP
+          port: 5432
+    - to:
+        - podSelector:
+            matchLabels:
+              app: redis
+      ports:
+        - protocol: TCP
+          port: 6379
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: UDP
+          port: 53
+```
+
+### 7. Pod Disruption Budget
+
+```yaml
+# k8s/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: api-server-pdb
+  namespace: production
+spec:
+  minAvailable: 2
+  selector:
+    matchLabels:
+      app: api-server
+```
+
+## Use Cases
+
+### CronJob for Scheduled Tasks
+
+```yaml
+# k8s/cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: cleanup-job
+  namespace: production
+spec:
+  schedule: "0 2 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: cleanup
+              image: ghcr.io/company/cleanup:latest
+              env:
+                - name: DATABASE_URL
+                  valueFrom:
+                    secretKeyRef:
+                      name: api-secrets
+                      key: database-url
+          restartPolicy: OnFailure
+```
+
+### StatefulSet for Databases
+
+```yaml
+# k8s/statefulset.yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+  namespace: production
+spec:
+  serviceName: postgres
+  replicas: 3
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+        - name: postgres
+          image: postgres:15
+          ports:
+            - containerPort: 5432
+          env:
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-secrets
+                  key: password
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: fast-ssd
+        resources:
+          requests:
+            storage: 100Gi
 ```
 
 ## Best Practices
-- Use namespaces
-- Set resource limits
-- Use health probes
-- Use ConfigMaps/Secrets
+
+### Do's
+
+- Use namespaces for environment isolation
+- Set resource requests and limits
+- Implement health probes (liveness, readiness, startup)
+- Use ConfigMaps for configuration
+- Use Secrets for sensitive data
+- Implement pod anti-affinity rules
+- Use Network Policies for security
+- Set up Pod Disruption Budgets
+- Use Horizontal Pod Autoscaler
+- Implement proper logging and monitoring
+
+### Don'ts
+
+- Don't run containers as root
+- Don't hardcode configuration in images
+- Don't skip resource limits
+- Don't ignore health probes
+- Don't use latest tag in production
+- Don't expose unnecessary ports
+- Don't skip network policies
+- Don't ignore pod security standards
+- Don't use NodePort in production
+- Don't skip backup strategies
+
+## References
+
+- [Kubernetes Documentation](https://kubernetes.io/docs/)
+- [Helm Documentation](https://helm.sh/docs/)
+- [Kubernetes Patterns](https://k8spatterns.io/)
+- [CNCF Best Practices](https://www.cncf.io/blog/)
+- [Kubernetes Security](https://kubernetes.io/docs/concepts/security/)