// Kubernetes deployment patterns, Helm charts, and cluster management. Use when deploying applications to K8s, designing workload configurations, implementing scaling strategies, or managing cluster resources.
[HINT] Download the complete skill directory including SKILL.md and all related files
| name | tsh-implementing-kubernetes |
| description | Kubernetes deployment patterns, Helm charts, and cluster management. Use when deploying applications to K8s, designing workload configurations, implementing scaling strategies, or managing cluster resources. |
| user-invocable | false |
Check which Kubernetes tooling the project uses:
helm/ or Chart.yaml ā Helm chartskustomize/ or kustomization.yaml ā Kustomizek8s/ or kubernetes/ with *.yaml ā Raw manifestsskaffold.yaml ā Skaffold for local devargocd/ or Application resources ā ArgoCD GitOpsflux-system/ or Kustomization CRD ā Flux GitOpsUse context7 to look up Kubernetes API versions and syntax.
| Workload Type | Use When |
|---|---|
| Deployment | Stateless apps, web servers, APIs |
| StatefulSet | Databases, stateful apps needing stable identity |
| DaemonSet | Node-level agents (logging, monitoring) |
| Job | One-time tasks, batch processing |
| CronJob | Scheduled recurring tasks |
resources:
requests: # Scheduler uses for placement
memory: "256Mi"
cpu: "100m"
limits: # Kubelet enforces these
memory: "512Mi"
cpu: "500m"
Rules:
| Class | Condition | Eviction Priority |
|---|---|---|
| Guaranteed | requests == limits (all containers) | Last to evict |
| Burstable | requests < limits | Medium |
| BestEffort | No requests or limits | First to evict |
Rule: Production workloads should be Guaranteed or Burstable, never BestEffort.
livenessProbe: # Restarts container if fails
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 15
periodSeconds: 10
failureThreshold: 3
readinessProbe: # Removes from Service if fails
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
startupProbe: # Delays liveness until startup complete
httpGet:
path: /healthz
port: 8080
failureThreshold: 30
periodSeconds: 10
Rules:
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: api-pdb
spec:
minAvailable: 2 # OR maxUnavailable: 1
selector:
matchLabels:
app: api
Rule: Always create PDB for production workloads to ensure availability during node drains.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app: api
topologyKey: kubernetes.io/hostname
Rule: Spread replicas across nodes/zones for high availability.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: api-hpa
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: api
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
behavior:
scaleDown:
stabilizationWindowSeconds: 300 # Prevent flapping
| Scaling Type | Use When | Tool |
|---|---|---|
| CPU-based | General compute workloads | HPA |
| Memory-based | Memory-intensive apps | HPA |
| Custom metrics | Queue depth, request rate | HPA + Prometheus Adapter |
| Event-driven | Message queues, scheduled jobs | KEDA |
| Vertical | Right-sizing requests/limits | VPA |
mychart/
āāā Chart.yaml # Chart metadata
āāā values.yaml # Default values
āāā values-dev.yaml # Environment overrides
āāā values-prod.yaml
āāā templates/
ā āāā _helpers.tpl # Template helpers
ā āāā deployment.yaml
ā āāā service.yaml
ā āāā ingress.yaml
ā āāā hpa.yaml
ā āāā pdb.yaml
ā āāā configmap.yaml
āāā charts/ # Dependencies
# values.yaml - use structured defaults
replicaCount: 2
image:
repository: myapp
tag: "" # Override in CI, not here
pullPolicy: IfNotPresent
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
# Enable/disable optional components
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 10
Rules:
{{ include "mychart.fullname" . }} for resource names| Ingress Controller | Use When |
|---|---|
| nginx-ingress | General purpose, widely supported |
| AWS ALB | AWS-native, integrated with WAF/ACM |
| Traefik | Simple setup, automatic HTTPS |
| Istio Gateway | Service mesh already in use |
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: api-ingress
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
ingressClassName: nginx
tls:
- hosts:
- api.example.com
secretName: api-tls
rules:
- host: api.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: api
port:
number: 80
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
Rule: Always run as non-root with minimal capabilities in production.
kubectl apply --dry-run=server, helm templatelatest in prod)app, version, environment)| Don't | Do |
|---|---|
Use latest image tag | Pin specific versions or SHA |
| Skip resource requests | Always set requests for scheduling |
| Single replica in production | Minimum 2 replicas with PDB |
| Run as root | Use non-root user with minimal caps |
| Missing readiness probe | Configure probes for graceful traffic |
kubectl apply in production | GitOps with ArgoCD/Flux |
| Hardcode values in manifests | Use Helm values or Kustomize overlays |
| Ignore pod eviction | Set PDB to maintain availability |
tsh-implementing-observability - For K8s monitoring and logging setuptsh-implementing-ci-cd - For K8s deployment pipelinestsh-managing-secrets - For K8s secret management patternstsh-implementing-terraform-modules - For provisioning K8s clusters