k8s
Deploy, manage, and troubleshoot Kubernetes workloads. Use for manifest review, Helm chart validation, resource tuning, RBAC, and cluster operations.
| name | k8s |
| description | Deploy, manage, and troubleshoot Kubernetes workloads. Use for manifest review, Helm chart validation, resource tuning, RBAC, and cluster operations. |
| disable-model-invocation | true |
```bash
kubectl version --client   # kubectl client version
kubectl version            # client + server versions
helm version               # Helm version
```
Check the Kubernetes releases page and the Helm releases page for the latest stable versions.
- `kubectl apply`. Avoid `kubectl run`, `kubectl create` for production.
- `requests` and `limits` for CPU and memory.
- `livenessProbe` and `readinessProbe`.

- `requests` and `limits` defined for all containers
- `livenessProbe` and `readinessProbe` defined
- `securityContext` sets `runAsNonRoot: true`, `readOnlyRootFilesystem: true` where possible
- `imagePullPolicy: Always` or pinned image digest (no implicit `IfNotPresent` with `latest`)
- `replicas` appropriate for the workload (not hardcoded to 1 for stateless services)
- `strategy` defined for rolling updates (`RollingUpdate` with `maxUnavailable`/`maxSurge`)
- `valueFrom` (not hardcoded)
- *)

```bash
# Dry-run before apply
kubectl apply -f manifest.yaml --dry-run=server

# Validate with strict schema
kubectl apply -f manifest.yaml --dry-run=server --validate=strict

# Check resource usage vs limits
kubectl top pods -n <namespace>
kubectl describe node <node-name>

# Audit security posture
kubectl auth can-i --list --as=system:serviceaccount:<ns>:<sa>

# Helm validation
helm lint ./chart
helm template ./chart | kubectl apply --dry-run=server -f -
helm install --dry-run --debug release-name ./chart
```
```yaml
resources:
  requests:
    memory: "128Mi"
    cpu: "100m"
  limits:
    memory: "256Mi"
    cpu: "500m"
```
Rules of thumb:
- `requests` = observed steady-state usage + 20%
- `limits` = observed peak usage + 50%

```yaml
livenessProbe:
  httpGet:
    path: /health/live
    port: 8080
  initialDelaySeconds: 10
  periodSeconds: 10
  failureThreshold: 3
readinessProbe:
  httpGet:
    path: /health/ready
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 5
```
| Anti-Pattern | Why It's Wrong | Fix |
|---|---|---|
| No resource limits | Noisy neighbor, unpredictable OOMKills | Set requests and limits |
| `image: myapp:latest` | Non-reproducible deployments | Pin to digest or version tag |
| Running as root | Container escape risk | securityContext.runAsNonRoot: true |
| No health probes | Failed containers stay in rotation | livenessProbe + readinessProbe |
| Wildcard RBAC (`verbs: ["*"]`) | Principle of least privilege violation | Explicit verbs per resource |
| Hardcoding config in YAML | No environment separation | ConfigMaps + Secrets |
| Using default ServiceAccount | No audit trail, overprivileged | Explicit SA per workload |
| No PodDisruptionBudget | Voluntary disruptions cause downtime | Define minAvailable or maxUnavailable |
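
The container-level items from the checklist and the anti-pattern table above can be checked mechanically before `kubectl apply`. The following Python is an added example, not part of the original skill; `review_deployment`, `image_is_pinned` and the sample manifest are constructed for illustration, and the input is assumed to be a Deployment in the JSON form that `kubectl get deployment -o json` emits.

```python
import json
# Constructed sample (not from a real cluster): a trimmed Deployment in the JSON
# form produced by `kubectl get deployment -o json`, with deliberate gaps.
SAMPLE = json.loads("""
{"kind": "Deployment", "metadata": {"name": "myapp"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsNonRoot": true},
   "containers": [
    {"name": "web", "image": "myapp:latest",
     "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}},
     "livenessProbe": {"httpGet": {"path": "/health/live", "port": 8080}}},
    {"name": "proxy", "image": "registry.example:5000/proxy:1.4.2",
     "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                   "limits": {"cpu": "500m", "memory": "256Mi"}},
     "livenessProbe": {"tcpSocket": {"port": 9000}}, "readinessProbe": {"tcpSocket": {"port": 9000}},
     "securityContext": {"readOnlyRootFilesystem": true}}]}}}}
""")

def image_is_pinned(image):
    """True for a digest reference or an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/path so a registry port is not read as a tag
    return ":" in last and last.split(":", 1)[1] not in ("", "latest")

def review_deployment(manifest):
    """Return (container, finding) tuples for checklist items the manifest misses."""
    findings = []
    pod = manifest["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    if pod.get("serviceAccountName", "default") == "default":
        findings.append(("<pod>", "default ServiceAccount"))
    for c in pod.get("containers", []):
        res, sc = c.get("resources", {}), c.get("securityContext", {})
        issues = [f"missing resources.{k}.{r}" for k in ("requests", "limits")
                  for r in ("cpu", "memory") if r not in res.get(k, {})]
        issues += [f"missing {p}" for p in ("livenessProbe", "readinessProbe") if p not in c]
        # A container-level runAsNonRoot overrides the pod-level value.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            issues.append("runAsNonRoot not true")
        if not sc.get("readOnlyRootFilesystem", False):
            issues.append("readOnlyRootFilesystem not true")
        if not image_is_pinned(c.get("image", "")):
            issues.append("image not pinned")
        findings += [(c["name"], i) for i in issues]
    return findings

for container, finding in review_deployment(SAMPLE):
    print(f"{container}: {finding}")
```

RBAC wildcards, PodDisruptionBudgets and hardcoded config live in other objects and are not covered by this check.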
- `kubectl describe pod` → check node resources, taints, PVC binding
- `kubectl logs --previous` → check exit code, OOMKilled, application error
- `kubectl get endpoints`), port alignment
- `kubectl top pod` → check limits, consider HPA or VPA
- `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<ns>:<sa>`

```yaml
# Chart.yaml
apiVersion: v2
name: myapp
description: A Helm chart for myapp
type: application
version: 1.0.0
appVersion: "2.0.0"
```
- `helm lint` in CI
- `helm template` and pipe to `kubectl apply --dry-run=server`
- `values-prod.yaml`, `values-staging.yaml`)
- `values.yaml` — use external secret operators