omgkit 2.2.0 → 2.3.1

package/plugin/skills/devops/kubernetes/SKILL.md

@@ -1,55 +1,20 @@
 ---
-name: kubernetes
-description: Kubernetes container orchestration with deployments, services, ConfigMaps, Helm, and production patterns
-category: devops
-triggers:
-  - kubernetes
-  - k8s
-  - kubectl
-  - helm
-  - deployment
-  - pods
-  - container orchestration
+name: Orchestrating with Kubernetes
+description: The agent implements Kubernetes container orchestration with deployments, services, Helm charts, and production patterns. Use when deploying containerized applications, configuring autoscaling, managing secrets, or setting up ingress routing.
 ---
 
-# Kubernetes
+# Orchestrating with Kubernetes
 
-Enterprise-grade **Kubernetes container orchestration** following industry best practices. This skill covers deployments, services, ConfigMaps, secrets, Helm charts, ingress, and production-ready patterns used by top engineering teams.
-
-## Purpose
-
-Deploy and manage containerized applications at scale:
-
-- Configure deployments with proper resource limits
-- Expose services with load balancing
-- Manage configuration with ConfigMaps and Secrets
-- Implement health checks and probes
-- Package applications with Helm
-- Configure ingress and networking
-- Implement autoscaling strategies
-
-## Features
-
-### 1. Deployment Configuration
+## Quick Start
 
 ```yaml
-# k8s/deployment.yaml
+# deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: api-server
-  namespace: production
-  labels:
-    app: api-server
-    version: v1.0.0
 spec:
   replicas: 3
-  revisionHistoryLimit: 5
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 0
   selector:
     matchLabels:
       app: api-server
@@ -57,239 +22,62 @@ spec:
     metadata:
       labels:
         app: api-server
-        version: v1.0.0
-      annotations:
-        prometheus.io/scrape: "true"
-        prometheus.io/port: "9090"
     spec:
-      serviceAccountName: api-server
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        fsGroup: 1000
       containers:
-        - name: api-server
-          image: ghcr.io/company/api-server:v1.0.0
-          imagePullPolicy: IfNotPresent
+        - name: api
+          image: ghcr.io/org/api:v1.0.0
           ports:
-            - name: http
-              containerPort: 3000
-              protocol: TCP
-            - name: metrics
-              containerPort: 9090
-              protocol: TCP
-          env:
-            - name: NODE_ENV
-              value: "production"
-            - name: PORT
-              value: "3000"
-            - name: DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: api-secrets
-                  key: database-url
-            - name: REDIS_URL
-              valueFrom:
-                configMapKeyRef:
-                  name: api-config
-                  key: redis-url
+            - containerPort: 3000
           resources:
-            requests:
-              cpu: "100m"
-              memory: "256Mi"
-            limits:
-              cpu: "500m"
-              memory: "512Mi"
-          livenessProbe:
-            httpGet:
-              path: /health/live
-              port: http
-            initialDelaySeconds: 15
-            periodSeconds: 20
-            timeoutSeconds: 5
-            failureThreshold: 3
-          readinessProbe:
-            httpGet:
-              path: /health/ready
-              port: http
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            timeoutSeconds: 3
-            failureThreshold: 3
-          startupProbe:
-            httpGet:
-              path: /health/live
-              port: http
-            initialDelaySeconds: 10
-            periodSeconds: 5
-            failureThreshold: 30
-          volumeMounts:
-            - name: config-volume
-              mountPath: /app/config
-              readOnly: true
-            - name: tmp
-              mountPath: /tmp
-          securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop:
-                - ALL
-      volumes:
-        - name: config-volume
-          configMap:
-            name: api-config
-        - name: tmp
-          emptyDir: {}
-      affinity:
-        podAntiAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-            - weight: 100
-              podAffinityTerm:
-                labelSelector:
-                  matchExpressions:
-                    - key: app
-                      operator: In
-                      values:
-                        - api-server
-                topologyKey: kubernetes.io/hostname
-      topologySpreadConstraints:
-        - maxSkew: 1
-          topologyKey: topology.kubernetes.io/zone
-          whenUnsatisfiable: DoNotSchedule
-          labelSelector:
-            matchLabels:
-              app: api-server
+            requests: { cpu: "100m", memory: "256Mi" }
+            limits: { cpu: "500m", memory: "512Mi" }
 ```
 
-### 2. Service and Ingress
-
-```yaml
-# k8s/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: api-server
-  namespace: production
-  labels:
-    app: api-server
-spec:
-  type: ClusterIP
-  ports:
-    - name: http
-      port: 80
-      targetPort: http
-      protocol: TCP
-  selector:
-    app: api-server
-
----
-# k8s/ingress.yaml
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: api-server
-  namespace: production
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/rate-limit: "100"
-    nginx.ingress.kubernetes.io/rate-limit-window: "1m"
-spec:
-  tls:
-    - hosts:
-        - api.example.com
-      secretName: api-tls-secret
-  rules:
-    - host: api.example.com
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: api-server
-                port:
-                  name: http
+```bash
+kubectl apply -f deployment.yaml
 ```
 
-### 3. ConfigMaps and Secrets
+## Features
 
-```yaml
-# k8s/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: api-config
-  namespace: production
-data:
-  redis-url: "redis://redis-master:6379"
-  log-level: "info"
-  cors-origins: "https://example.com,https://www.example.com"
-  config.json: |
-    {
-      "features": {
-        "newDashboard": true,
-        "analytics": true
-      },
-      "limits": {
-        "maxUploadSize": 10485760,
-        "maxRequestsPerMinute": 100
-      }
-    }
+| Feature | Description | Guide |
+|---------|-------------|-------|
+| Deployments | Declarative pod management with rollbacks | Define replicas, update strategy, pod template |
+| Services | Internal/external load balancing | ClusterIP for internal, LoadBalancer for external |
+| ConfigMaps/Secrets | Configuration and sensitive data | Mount as volumes or environment variables |
+| Ingress | HTTP routing with TLS termination | Use nginx-ingress or cloud provider ingress |
+| HPA | Horizontal Pod Autoscaler | Scale based on CPU, memory, or custom metrics |
+| Helm | Package manager for K8s applications | Template and version deployments |
 
----
-# k8s/secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: api-secrets
-  namespace: production
-type: Opaque
-stringData:
-  database-url: "postgresql://user:password@postgres:5432/db"
-  jwt-secret: "your-super-secret-jwt-key"
-  api-key: "your-api-key"
+## Common Patterns
 
----
-# External Secrets (with External Secrets Operator)
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: api-external-secrets
-  namespace: production
+### Production Deployment with Probes
+
+```yaml
 spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: aws-secrets-manager
-  target:
-    name: api-secrets
-    creationPolicy: Owner
-  data:
-    - secretKey: database-url
-      remoteRef:
-        key: production/api/database
-        property: url
-    - secretKey: jwt-secret
-      remoteRef:
-        key: production/api/jwt
-        property: secret
+  containers:
+    - name: api
+      image: ghcr.io/org/api:v1.0.0
+      livenessProbe:
+        httpGet: { path: /health/live, port: 3000 }
+        initialDelaySeconds: 15
+        periodSeconds: 20
+      readinessProbe:
+        httpGet: { path: /health/ready, port: 3000 }
+        initialDelaySeconds: 5
+        periodSeconds: 10
+      env:
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef: { name: app-secrets, key: database-url }
 ```
 
-### 4. Horizontal Pod Autoscaler
+### Horizontal Pod Autoscaler
 
 ```yaml
-# k8s/hpa.yaml
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: api-server
-  namespace: production
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
@@ -299,363 +87,40 @@ spec:
   maxReplicas: 20
   metrics:
     - type: Resource
-      resource:
-        name: cpu
-        target:
-          type: Utilization
-          averageUtilization: 70
-    - type: Resource
-      resource:
-        name: memory
-        target:
-          type: Utilization
-          averageUtilization: 80
-    - type: Pods
-      pods:
-        metric:
-          name: http_requests_per_second
-        target:
-          type: AverageValue
-          averageValue: "1000"
-  behavior:
-    scaleDown:
-      stabilizationWindowSeconds: 300
-      policies:
-        - type: Percent
-          value: 10
-          periodSeconds: 60
-    scaleUp:
-      stabilizationWindowSeconds: 0
-      policies:
-        - type: Percent
-          value: 100
-          periodSeconds: 15
-        - type: Pods
-          value: 4
-          periodSeconds: 15
-      selectPolicy: Max
-
----
-# Vertical Pod Autoscaler
-apiVersion: autoscaling.k8s.io/v1
-kind: VerticalPodAutoscaler
-metadata:
-  name: api-server-vpa
-  namespace: production
-spec:
-  targetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: api-server
-  updatePolicy:
-    updateMode: "Auto"
-  resourcePolicy:
-    containerPolicies:
-      - containerName: api-server
-        minAllowed:
-          cpu: "100m"
-          memory: "256Mi"
-        maxAllowed:
-          cpu: "2"
-          memory: "2Gi"
-```
-
-### 5. Helm Chart Structure
-
-```yaml
-# charts/api-server/Chart.yaml
-apiVersion: v2
-name: api-server
-description: API Server Helm chart
-type: application
-version: 1.0.0
-appVersion: "1.0.0"
-dependencies:
-  - name: redis
-    version: "17.x.x"
-    repository: https://charts.bitnami.com/bitnami
-    condition: redis.enabled
-
----
-# charts/api-server/values.yaml
-replicaCount: 3
-
-image:
-  repository: ghcr.io/company/api-server
-  tag: ""
-  pullPolicy: IfNotPresent
-
-service:
-  type: ClusterIP
-  port: 80
-
-ingress:
-  enabled: true
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-  hosts:
-    - host: api.example.com
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: api-tls
-      hosts:
-        - api.example.com
-
-resources:
-  requests:
-    cpu: 100m
-    memory: 256Mi
-  limits:
-    cpu: 500m
-    memory: 512Mi
-
-autoscaling:
-  enabled: true
-  minReplicas: 3
-  maxReplicas: 20
-  targetCPUUtilizationPercentage: 70
-
-env:
-  NODE_ENV: production
-  LOG_LEVEL: info
-
-secrets:
-  databaseUrl: ""
-  jwtSecret: ""
-
-redis:
-  enabled: true
-  architecture: standalone
-
----
-# charts/api-server/templates/deployment.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "api-server.fullname" . }}
-  labels:
-    {{- include "api-server.labels" . | nindent 4 }}
-spec:
-  {{- if not .Values.autoscaling.enabled }}
-  replicas: {{ .Values.replicaCount }}
-  {{- end }}
-  selector:
-    matchLabels:
-      {{- include "api-server.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      labels:
-        {{- include "api-server.selectorLabels" . | nindent 8 }}
-    spec:
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          ports:
-            - name: http
-              containerPort: 3000
-          env:
-            {{- range $key, $value := .Values.env }}
-            - name: {{ $key }}
-              value: {{ $value | quote }}
-            {{- end }}
-            - name: DATABASE_URL
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "api-server.fullname" . }}-secrets
-                  key: database-url
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-          livenessProbe:
-            httpGet:
-              path: /health/live
-              port: http
-          readinessProbe:
-            httpGet:
-              path: /health/ready
-              port: http
+      resource: { name: cpu, target: { type: Utilization, averageUtilization: 70 } }
 ```
 
-### 6. Network Policies
+### Ingress with TLS
 
 ```yaml
-# k8s/network-policy.yaml
 apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: api-server-network-policy
-  namespace: production
-spec:
-  podSelector:
-    matchLabels:
-      app: api-server
-  policyTypes:
-    - Ingress
-    - Egress
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              name: ingress-nginx
-        - podSelector:
-            matchLabels:
-              app: frontend
-      ports:
-        - protocol: TCP
-          port: 3000
-  egress:
-    - to:
-        - podSelector:
-            matchLabels:
-              app: postgres
-      ports:
-        - protocol: TCP
-          port: 5432
-    - to:
-        - podSelector:
-            matchLabels:
-              app: redis
-      ports:
-        - protocol: TCP
-          port: 6379
-    - to:
-        - namespaceSelector: {}
-          podSelector:
-            matchLabels:
-              k8s-app: kube-dns
-      ports:
-        - protocol: UDP
-          port: 53
-```
-
-### 7. Pod Disruption Budget
-
-```yaml
-# k8s/pdb.yaml
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
-  name: api-server-pdb
-  namespace: production
-spec:
-  minAvailable: 2
-  selector:
-    matchLabels:
-      app: api-server
-```
-
-## Use Cases
-
-### CronJob for Scheduled Tasks
-
-```yaml
-# k8s/cronjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: cleanup-job
-  namespace: production
-spec:
-  schedule: "0 2 * * *"
-  concurrencyPolicy: Forbid
-  successfulJobsHistoryLimit: 3
-  failedJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-            - name: cleanup
-              image: ghcr.io/company/cleanup:latest
-              env:
-                - name: DATABASE_URL
-                  valueFrom:
-                    secretKeyRef:
-                      name: api-secrets
-                      key: database-url
-          restartPolicy: OnFailure
-```
-
-### StatefulSet for Databases
-
-```yaml
-# k8s/statefulset.yaml
-apiVersion: apps/v1
-kind: StatefulSet
+kind: Ingress
 metadata:
-  name: postgres
-  namespace: production
+  name: api-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
-  serviceName: postgres
-  replicas: 3
-  selector:
-    matchLabels:
-      app: postgres
-  template:
-    metadata:
-      labels:
-        app: postgres
-    spec:
-      containers:
-        - name: postgres
-          image: postgres:15
-          ports:
-            - containerPort: 5432
-          env:
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: postgres-secrets
-                  key: password
-          volumeMounts:
-            - name: data
-              mountPath: /var/lib/postgresql/data
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-      spec:
-        accessModes: ["ReadWriteOnce"]
-        storageClassName: fast-ssd
-        resources:
-          requests:
-            storage: 100Gi
+  tls:
+    - hosts: [api.example.com]
+      secretName: api-tls
+  rules:
+    - host: api.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service: { name: api-server, port: { number: 80 } }
 ```
 
 ## Best Practices
 
-### Do's
-
-- Use namespaces for environment isolation
-- Set resource requests and limits
-- Implement health probes (liveness, readiness, startup)
-- Use ConfigMaps for configuration
-- Use Secrets for sensitive data
-- Implement pod anti-affinity rules
-- Use Network Policies for security
-- Set up Pod Disruption Budgets
-- Use Horizontal Pod Autoscaler
-- Implement proper logging and monitoring
-
-### Don'ts
-
-- Don't run containers as root
-- Don't hardcode configuration in images
-- Don't skip resource limits
-- Don't ignore health probes
-- Don't use latest tag in production
-- Don't expose unnecessary ports
-- Don't skip network policies
-- Don't ignore pod security standards
-- Don't use NodePort in production
-- Don't skip backup strategies
-
-## References
-
-- [Kubernetes Documentation](https://kubernetes.io/docs/)
-- [Helm Documentation](https://helm.sh/docs/)
-- [Kubernetes Patterns](https://k8spatterns.io/)
-- [CNCF Best Practices](https://www.cncf.io/blog/)
-- [Kubernetes Security](https://kubernetes.io/docs/concepts/security/)
+| Do | Avoid |
+|----|-------|
+| Set resource requests and limits | Running containers as root |
+| Implement liveness and readiness probes | Using `latest` tag in production |
+| Use namespaces for environment isolation | Hardcoding config in container images |
+| Configure Pod Disruption Budgets | Skipping network policies |
+| Use Secrets for sensitive data | Exposing unnecessary ports |
+| Implement pod anti-affinity rules | Using NodePort in production |
+| Set up HPA for autoscaling | Ignoring pod security standards |