원클릭으로
cluster-operations
Day-2 cluster operations — node management, etcd backup/restore, certificate rotation, namespace lifecycle.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Day-2 cluster operations — node management, etcd backup/restore, certificate rotation, namespace lifecycle.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Production-grade GitHub Actions workflows — reusable workflows, OIDC cloud auth, caching, matrix builds, and environment protection rules. Use when the user creates, reviews, or debugs CI/CD pipelines in .github/workflows, or asks about GitHub Actions deployment, OIDC authentication, or workflow optimization.
Systematic diagnosis of Kubernetes pod failures — CrashLoopBackOff, OOMKilled, Pending, ImagePullBackOff, and service connectivity issues. Use when the user encounters pods not starting, container restart loops, scheduling failures, or service unreachability in a K8s cluster.
Implement distributed tracing with OpenTelemetry, Tempo/Jaeger — instrumentation, sampling, and trace-to-log correlation. Use when the user asks about distributed tracing, OpenTelemetry setup, span instrumentation, trace propagation, or connecting traces to logs and metrics.
Design reusable React components with compound patterns, controlled/uncontrolled hybrids, typed prop APIs, async state handling, and ARIA accessibility. Use when the user creates, refactors, or reviews React components, or mentions props, hooks, .tsx files, component APIs, or accessible UI patterns.
Apply STRIDE threat modeling to system designs, identify IDOR and authorization vulnerabilities, and build threat matrices for security reviews. Use when the user designs a new system, reviews an architecture, prepares for a security audit, or asks about common API vulnerabilities like IDOR or broken access control.
Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
| name | cluster-operations |
| type | skill |
| description | Day-2 cluster operations — node management, etcd backup/restore, certificate rotation, namespace lifecycle. |
| related-rules | ["cluster-standards.md","upgrade-policy.md"] |
| allowed-tools | Read, Bash |
Expertise: Safe day-2 operations on self-hosted Kubernetes clusters — node drain, etcd ops, cert rotation.
When draining nodes for maintenance, rotating certificates, backing up etcd, or troubleshooting control plane issues.
# --- CORDON (stop scheduling new pods, don't evict existing) ---
kubectl cordon <node-name>
# Use case: pre-drain notification, temporary maintenance hold
# --- DRAIN (evict all pods, mark unschedulable) ---
kubectl drain <node-name> \
--ignore-daemonsets \ # DaemonSet pods can't be evicted
--delete-emptydir-data \ # required for pods using emptyDir
--grace-period=60 \ # give pods time to shut down cleanly
--timeout=300s # abort if takes > 5 minutes
# After drain: node is unschedulable and empty (except daemonsets)
# --- UNCORDON (return to service) ---
kubectl uncordon <node-name>
# --- Verify node is empty before maintenance ---
kubectl get pods -A --field-selector=spec.nodeName=<node-name>
# --- Take snapshot (run on a control plane node) ---
ETCDCTL_API=3 etcdctl snapshot save /backup/etcd-$(date +%Y%m%d-%H%M%S).db \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
--key=/etc/kubernetes/pki/etcd/healthcheck-client.key
# --- Verify snapshot ---
ETCDCTL_API=3 etcdctl snapshot status /backup/etcd-latest.db --write-out=table
# --- Restore snapshot (disaster recovery — only when cluster is down) ---
ETCDCTL_API=3 etcdctl snapshot restore /backup/etcd-latest.db \
--data-dir=/var/lib/etcd-restored \
--initial-cluster=master-1=https://192.168.1.10:2380 \
--initial-advertise-peer-urls=https://192.168.1.10:2380 \
--name=master-1
# Then update etcd static pod manifest to point to new data-dir
# --- Check certificate expiry ---
kubeadm certs check-expiration
# --- Renew all certificates (run on each control plane node) ---
kubeadm certs renew all
# --- Restart control plane components after renewal ---
# (kubeadm renews certs but doesn't restart static pods automatically)
for pod in kube-apiserver kube-controller-manager kube-scheduler; do
kubectl -n kube-system delete pod -l component=$pod
done
# --- Update kubeconfig after cert renewal ---
cp /etc/kubernetes/admin.conf ~/.kube/config
# --- Create namespace with standard labels ---
kubectl create namespace my-team-prod
kubectl label namespace my-team-prod \
environment=production \
team=my-team \
pod-security.kubernetes.io/enforce=restricted
# --- Apply default NetworkPolicy and LimitRange immediately ---
kubectl apply -f infra/namespaces/defaults/ -n my-team-prod
# --- Safe namespace deletion (check for resources first) ---
kubectl get all -n <namespace-to-delete>
kubectl delete namespace <name> # blocks until all resources are gone
# If stuck in Terminating:
kubectl get namespace <name> -o json | \
jq '.spec.finalizers = []' | \
kubectl replace --raw "/api/v1/namespaces/<name>/finalize" -f -
# API server, scheduler, controller-manager
kubectl get componentstatuses # deprecated in 1.19+ but still useful
kubectl get pods -n kube-system # all system pods should be Running
# etcd cluster health
ETCDCTL_API=3 etcdctl endpoint health \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
--key=/etc/kubernetes/pki/etcd/healthcheck-client.key
# Node conditions
kubectl describe nodes | grep -A5 "Conditions:"
# All pods not Running
kubectl get pods -A --field-selector=status.phase!=Running,status.phase!=Succeeded
# Recent events by namespace
kubectl get events -n <ns> --sort-by='.lastTimestamp'
# Resource usage by namespace
kubectl top pods -A --sort-by=memory | head -20
# Find pods on a specific node
kubectl get pods -A -o wide | grep <node-name>