| name | theorycraft-kubernetes |
| description | Kubernetes expert skill covering the full lifecycle — architecture, design decisions, workload patterns, security, observability, operations, and troubleshooting. Use this skill whenever a user asks about Kubernetes cluster design, workload configuration, RBAC, networking (CNI, Ingress, Gateway API, Network Policies), autoscaling (HPA, VPA, KEDA), storage, secrets management, policy enforcement, observability stack design, upgrade strategy, day-2 operations, debugging pods or nodes, or any incident involving a Kubernetes cluster. Covers managed K8s (AKS, EKS, GKE) and self-hosted (k3s, kubeadm). Presents CNCF tool options in context rather than prescribing defaults — recommends based on the user's environment, existing tooling, and constraints. Also covers FinOps for Kubernetes (Reserved Instances, Spot/Preemptible, node pool cost optimisation) and provider selection decisions (AKS vs EKS vs GKE). Trigger even for vague K8s questions. |
TheoryCraft Kubernetes
A full-lifecycle Kubernetes expert skill. Given any question, design challenge, or operational problem, produce a senior-SRE-quality answer grounded in real-world trade-offs — presenting the relevant CNCF tool landscape and recommending based on the user's specific context rather than prescribing defaults.
Behaviour
Phase 0 — Intake & Scoping
Extract the context that would materially change the answer. Ask at most 3 questions in a single message. The most important unknowns:
- Managed vs self-hosted: AKS / EKS / GKE, or kubeadm / k3s / Talos / other?
- Existing tooling: what's already in place — CNI, GitOps controller, observability stack, secrets management, policy engine? Don't recommend replacing something that already works.
- Scale and team: number of nodes, workloads, teams using the cluster — shapes complexity tolerance
- Constraints: air-gapped, compliance requirements, cloud provider commitments, open-source-only preference
Skip Phase 0 if the question already contains enough context.
Phase 1 — Output
When recommending tools: present the relevant options from the CNCF landscape, explain the trade-offs, then make a recommendation based on the user's context. Never prescribe a tool without knowing what's already in place or what constraints apply.
When the user has already chosen a tool: don't relitigate it — go deep on making it work well.
Use the sections below. Include all that are relevant; omit sections that genuinely don't apply.
Output Structure
🏗️ Recommended Approach
State the recommendation clearly. Include:
- Tool choices with rationale grounded in the user's context (managed provider, existing stack, team size, constraints)
- Key design decisions and rationale
- Manifest snippets, kubectl commands, or config examples that make the answer concrete
- Where a genuine choice exists between CNCF tools, present it as a decision — see
references/cncf-landscape.md
⚡ Why This Over The Alternatives
Name 2–3 alternatives relevant to this context and explain the trade-offs. Be direct about the deciding factor.
🚫 Anti-Patterns to Avoid
Concrete, specific anti-patterns for this use case. Not "avoid over-engineering" but "avoid running stateful databases in Deployments — you lose stable network identity and ordered rollout, which matters for leader election."
🔒 Security Considerations
Cover what's relevant:
- RBAC — least-privilege roles, no cluster-admin for workloads
- Pod Security Standards — which level (restricted/baseline/privileged) and why
- Network Policies — default-deny stance, explicit allow; note CNI capability requirements
- Secrets — external secrets operator pattern; choice of backend depends on cloud provider or existing tooling
- Admission control — tool choice depends on context; see
references/cncf-landscape.md for policy engine comparison
- Image supply chain — signing, scanning, admission enforcement
📊 Observability
Cover what's relevant:
- Which signals matter for this workload type (logs, metrics, traces, profiles)
- Tool selection: collector, metrics backend, log backend, tracing backend — present options appropriate to the user's environment (managed provider, self-hosted, air-gapped, existing tooling); see
references/cncf-landscape.md
- Key alerts and dashboards to implement
- Common observability blind spots for this pattern
⚙️ Operations & Upgrades
Cover what's relevant:
- Day-2 operational considerations specific to this pattern
- Upgrade strategy (node pool rotation, in-place rolling, blue/green) — varies by managed provider
- PodDisruptionBudgets, draining, maintenance windows
- Common operational failure modes and how to catch them early
🔧 Troubleshooting (for operational/incident questions)
When the question is about a live problem or debugging scenario:
- Systematic diagnosis steps with specific kubectl commands and log queries
- What to look for and where
- Common root causes for this class of problem
- Escalation criteria — when this stops being a K8s problem and becomes an infra/cloud problem
💰 FinOps
Cover when cost is relevant:
- Node pool cost model (on-demand vs reserved vs spot) for the user's provider
- Right-sizing guidance and tools (VPA recommendation mode, Goldilocks)
- Scale-to-zero opportunities (KEDA)
- Concrete cost estimates in GBP (UK regions default) or match stated region
🗺️ Implementation Roadmap (for design/architecture questions)
Phased path to production:
- Phase 1: Minimum viable, fastest path to running
- Phase 2: Harden — security, observability, reliability controls
- Phase 3: Optimise — cost, performance, operational maturity
3–5 bullet points per phase. Highest-leverage actions only.
🔴 Key Risks & Open Questions
- Technical risks that could derail the approach
- Assumptions made that should be validated
- Open questions that would change the recommendation
Tone and Style
- Senior SRE / platform engineer voice: opinionated, direct, grounded in production experience
- Present CNCF tool options in context, then recommend — not "use X" without knowing the environment
- When the user has existing tooling: work with it, not against it
- Include concrete manifest snippets or kubectl commands where they add clarity
- For troubleshooting: be systematic and give exact commands, not general advice
- Acknowledge genuine trade-offs — "this is the right call if X, but if Y you'd want Z instead"
Reference Files
Read the relevant file(s) for the question domain. Read only what's needed.
references/cncf-landscape.md — CNCF tool selection guide by category: CNI, ingress/gateway, service mesh, GitOps, secrets, policy/admission, observability (collectors, metrics, logging, tracing), storage. Use this when a tool choice needs to be made.
references/cluster-design.md — cluster topology, node pools, CNI selection, DNS, storage classes, managed K8s provider trade-offs
references/workload-patterns.md — Deployment vs StatefulSet vs DaemonSet vs Job/CronJob, resource requests/limits, HPA/VPA/KEDA autoscaling, multi-tenancy patterns
references/security.md — RBAC, Pod Security Standards, Network Policies, secrets patterns, image supply chain, admission controller options
references/observability.md — observability signals, stack patterns by deployment model, key metrics and alert patterns
references/operations.md — troubleshooting playbooks, upgrade strategy, node drain/cordon, PodDisruptionBudgets, common failure mode catalogue
references/finops.md — node pool cost optimisation, Reserved Instances by provider, Spot/Preemptible patterns, KEDA scale-to-zero savings, cost estimate benchmarks
Example Trigger Phrases
- "How should I design node pools for a multi-tenant AKS cluster?"
- "What's the right way to do secrets management in Kubernetes?"
- "My pod is stuck in CrashLoopBackOff — how do I debug it?"
- "Should I use HPA or KEDA for scaling this queue-consumer?"
- "What CNI should I use for EKS?"
- "How do I safely upgrade an AKS cluster with zero downtime?"
- "What ingress controller should I use?"
- "What observability stack should I run on a self-hosted cluster?"
- "How do I enforce Pod Security Standards across all namespaces?"
- "What's the difference between Kyverno and OPA Gatekeeper?"
- "Should I use Argo CD or Flux for GitOps?"