kubernetes
Kubernetes best practices: security, workloads, networking, config, operations, GitOps. Use when writing or reviewing K8s manifests and configurations.
Security:

- `runAsNonRoot: true` and a non-zero `runAsUser` in `securityContext`
- `readOnlyRootFilesystem: true`; mount writable volumes explicitly
- `allowPrivilegeEscalation: false`
- `capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}`
- No `hostPID`, `hostNetwork` or `hostIPC` without explicit system-level justification
- Pod Security Standards: `restricted` profile for all application workloads; `baseline` at minimum for system workloads
- `automountServiceAccountToken: false` on pods that don't call the API server
- Dedicated `ServiceAccount` per workload; no `default` SA with cluster-level roles
- `Role`/`RoleBinding` over `ClusterRole`/`ClusterRoleBinding` unless cluster scope is required
- Audit effective permissions with `kubectl auth can-i --list` and rakkess or rbac-tool
- No `verbs: ["*"]` or `resources: ["*"]` in production roles
- `Secret` objects are base64 only; require etcd encryption at rest
- `CiliumNetworkPolicy` for L7 rules (HTTP, gRPC path/method filtering) where needed

Workloads:

- `Deployment` for stateless; `StatefulSet` for stateful with stable identity; `DaemonSet` for node-level agents
- `requests` and `limits` on every container; no unbounded CPU or memory
- CPU limits cause throttling: set conservatively or omit and rely on the namespace `LimitRange`. Memory limits cause OOMKill: set with headroom
- `minReplicas` ≥ 2 for production; a single replica is not HA
- `terminationGracePeriodSeconds` set to cover max request duration + drain time; the default 30s is often too short
- `preStop: exec: sleep 5` (or equivalent) to let the load balancer drain before SIGTERM
- `PodDisruptionBudget` on all production workloads, with `minAvailable` > 0
- `topologySpreadConstraints` or `podAntiAffinity` to spread replicas across nodes and zones
- `HorizontalPodAutoscaler` on CPU/memory or custom metrics for stateless workloads
- `VerticalPodAutoscaler` in recommendation mode to right-size requests over time
- No `latest` tag in manifests; pin to a digest or an immutable tag
- `imagePullPolicy: Always` for mutable tags; `imagePullPolicy: IfNotPresent` for digest-pinned images

Config:

- `ConfigMap` for non-sensitive config; external secrets (not raw K8s `Secret`) for sensitive data
- `ResourceQuota` and `LimitRange` per namespace
- Standard labels: `app.kubernetes.io/name`, `app.kubernetes.io/version`, `app.kubernetes.io/component`, `env`, `team`

Networking:

- Ingress
- cert-manager for certificate lifecycle (Let's Encrypt or internal CA)
- Internal services: `ClusterIP`. External: `LoadBalancer` or ingress only. Never `NodePort` in production

Operations and GitOps:

- Admission policies to block `latest`, require probes, restrict privileges
- No ad-hoc `kubectl apply` to production
- `kubectl diff` before any manual apply; never apply blindly
- `kubectl rollout` for deploys; `maxUnavailable: 0`, `maxSurge: 1` for zero-downtime
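The pod-security and workload items above applied in one place, as an added example that is not part of the original checklist: a dedicated ServiceAccount, a Deployment whose pod satisfies the `restricted` Pod Security Standard, and its PodDisruptionBudget. The namespace `shop`, the workload name `shop-api`, the `team` label, the probe paths, the numeric UID and the image digest are constructed placeholders.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: shop-api                          # dedicated SA per workload (constructed name)
  namespace: shop                         # constructed example namespace
automountServiceAccountToken: false       # also set on the pod below
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shop-api
  namespace: shop
  labels:
    app.kubernetes.io/name: shop-api
    app.kubernetes.io/version: "1.4.2"
    app.kubernetes.io/component: api
    env: prod
    team: payments
spec:
  replicas: 3                             # >= 2 in production; one replica is not HA
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0                   # zero-downtime rollout
      maxSurge: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: shop-api
  template:
    metadata:
      labels:
        app.kubernetes.io/name: shop-api
        app.kubernetes.io/version: "1.4.2"
        app.kubernetes.io/component: api
        env: prod
        team: payments
    spec:
      serviceAccountName: shop-api
      automountServiceAccountToken: false # this pod never calls the API server
      terminationGracePeriodSeconds: 60   # max request duration + drain time
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault            # required by the restricted profile
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: shop-api
      containers:
        - name: api
          image: registry.example.com/shop/api@sha256:<digest>   # digest-pinned; placeholder digest
          imagePullPolicy: IfNotPresent   # safe only because the reference is immutable
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]               # add NET_BIND_SERVICE only for ports < 1024
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              memory: 384Mi               # headroom over the request; CPU limit omitted
          readinessProbe:
            httpGet:
              path: /healthz/ready        # constructed probe paths
              port: 8080
            periodSeconds: 5
          livenessProbe:
            httpGet:
              path: /healthz/live
              port: 8080
            periodSeconds: 10
          lifecycle:
            preStop:
              exec:
                command: ["sleep", "5"]   # let the load balancer drain before SIGTERM
          volumeMounts:
            - name: tmp
              mountPath: /tmp             # the only writable path
      volumes:
        - name: tmp
          emptyDir: {}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: shop-api
  namespace: shop
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: shop-api
```

The CPU limit is left out deliberately, which only works when the namespace `LimitRange` supplies a default; otherwise the container is unbounded. The `exec` preStop hook needs a `sleep` binary in the image; recent Kubernetes versions also accept `preStop: {sleep: {seconds: 5}}`, which avoids that dependency. Run `kubectl diff -f` on the file before applying it, as the checklist requires.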
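The RBAC, networking and autoscaling items applied as manifests, again an added example rather than the checklist's own code: a ServiceAccount for a component that does read the API, a namespaced Role with explicit verbs and resource names bound to it, a `ClusterIP` Service, a CiliumNetworkPolicy with an L7 HTTP rule, and an HPA with `minReplicas: 2`. The names `shop`, `shop-scheduler`, `shop-web`, the ConfigMap name and the API paths are constructed.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: shop-scheduler              # constructed: a component that does read the API
  namespace: shop
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                          # namespaced; no ClusterRole needed at this scope
metadata:
  name: shop-config-reader
  namespace: shop
rules:
  - apiGroups: [""]
    resources: ["configmaps"]       # no resources: ["*"]
    resourceNames: ["shop-scheduler-config"]
    verbs: ["get", "watch"]         # no verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shop-scheduler-config-reader
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: shop-scheduler
    namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: shop-config-reader
---
apiVersion: v1
kind: Service
metadata:
  name: shop-api
  namespace: shop
spec:
  type: ClusterIP                   # internal only; expose through Ingress, never NodePort
  selector:
    app.kubernetes.io/name: shop-api
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: shop-api-l7
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: shop-api
  ingress:
    - fromEndpoints:                # only the front end (constructed label) may call the API
        - matchLabels:
            app.kubernetes.io/name: shop-web
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:                   # L7: method and path are enforced by the Cilium proxy
              - method: "GET"
                path: "/api/v1/products.*"
              - method: "POST"
                path: "/api/v1/orders"
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: shop-api
  namespace: shop
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: shop-api
  minReplicas: 2                    # never scale to a single replica in production
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```

After applying, confirm the binding grants nothing beyond the two verbs with `kubectl auth can-i --list --as=system:serviceaccount:shop:shop-scheduler -n shop`. A `fromEndpoints` selector without a namespace label matches pods in the policy's own namespace, so traffic from other namespaces and from outside the cluster is dropped unless another rule allows it.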