← Back to Skills Marketplace
wpank

Kubernetes

by wpank · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
2652
Downloads
1
Stars
22
Active Installs
1
Versions
Install in OpenClaw
/install kubernetes-devops
Description
WHAT: Kubernetes manifest generation - Deployments, StatefulSets, CronJobs, Services, Ingresses, ConfigMaps, Secrets, and PVCs with production-grade security and health checks. WHEN: User needs to create K8s manifests, deploy containers, configure Services/Ingress, manage ConfigMaps/Secrets, set up persistent storage, or organize multi-environment configs. KEYWORDS: kubernetes, k8s, manifest, deployment, statefulset, cronjob, service, ingress, configmap, secret, pvc, pod, container, yaml, kustomize, helm, namespace, probe, security context
README (SKILL.md)

Kubernetes

Production-ready Kubernetes manifest generation covering Deployments, StatefulSets, CronJobs, Services, Ingresses, ConfigMaps, Secrets, and PVCs with security contexts, health checks, and resource management.

Installation

OpenClaw / Moltbot / Clawbot

npx clawhub@latest install kubernetes

When to Use

Scenario Example
Create deployment manifests New microservice needing Deployment + Service
Define networking resources ClusterIP, LoadBalancer, Ingress with TLS
Manage configuration ConfigMaps for app config, Secrets for credentials
Stateful workloads Databases with StatefulSets + PVCs
Scheduled jobs CronJobs for batch processing
Multi-environment setup Kustomize overlays for dev/staging/prod

Workload Selection

Workload Type Resource When to Use
Stateless app Deployment Web servers, APIs, microservices
Stateful app StatefulSet Databases, message queues, caches
One-off task Job Migrations, data imports
Scheduled task CronJob Backups, reports, cleanup
Per-node agent DaemonSet Log collectors, monitoring agents

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: production
  labels:
    app.kubernetes.io/name: my-app
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/component: backend
spec:
  replicas: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: my-app
  template:
    metadata:
      labels:
        app.kubernetes.io/name: my-app
        app.kubernetes.io/version: "1.0.0"
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: my-app
          image: registry.example.com/my-app:1.0.0
          ports:
            - containerPort: 8080
              name: http
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: [ALL]
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /ready
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
          env:
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: my-app-config
                  key: LOG_LEVEL
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: my-app-secret
                  key: DATABASE_PASSWORD

Services

ClusterIP (Internal)

apiVersion: v1
kind: Service
metadata:
  name: my-app
  namespace: production
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: my-app
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP

LoadBalancer (External)

apiVersion: v1
kind: Service
metadata:
  name: my-app-lb
  namespace: production
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: my-app
  ports:
    - name: http
      port: 80
      targetPort: 8080

Service Type Quick Reference

Type Scope Use Case
ClusterIP Cluster-internal Inter-service communication
NodePort External via node IP Dev/testing, on-prem
LoadBalancer External via cloud LB Production external access
ExternalName DNS alias Mapping to external services

Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: production
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/rate-limit: "100"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.example.com]
      secretName: app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 80

ConfigMap & Secret

ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-app-config
  namespace: production
data:
  LOG_LEVEL: info
  APP_MODE: production
  DATABASE_HOST: db.internal.svc.cluster.local
  app.properties: |
    server.port=8080
    server.host=0.0.0.0

Secret

apiVersion: v1
kind: Secret
metadata:
  name: my-app-secret
  namespace: production
type: Opaque
stringData:
  DATABASE_PASSWORD: "changeme"
  API_KEY: "secret-api-key"

Important: Never commit plaintext Secrets to Git. Use Sealed Secrets, External Secrets Operator, or Vault for production.

Persistent Storage

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-app-data
  namespace: production
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: gp3
  resources:
    requests:
      storage: 10Gi

Mount in a container:

containers:
  - name: app
    volumeMounts:
      - name: data
        mountPath: /var/lib/app
volumes:
  - name: data
    persistentVolumeClaim:
      claimName: my-app-data
Access Mode Abbreviation Use Case
ReadWriteOnce RWO Single-pod databases
ReadOnlyMany ROX Shared config/static assets
ReadWriteMany RWX Multi-pod shared storage

Security Context

Pod-Level

spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault

Container-Level

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: [ALL]

Security Checklist

Check Status
runAsNonRoot: true Required
allowPrivilegeEscalation: false Required
readOnlyRootFilesystem: true Recommended
capabilities.drop: [ALL] Required
seccompProfile: RuntimeDefault Recommended
Specific image tags (never :latest) Required
Resource requests and limits set Required

Standard Labels

metadata:
  labels:
    app.kubernetes.io/name: my-app
    app.kubernetes.io/instance: my-app-prod
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/component: backend
    app.kubernetes.io/part-of: my-system
    app.kubernetes.io/managed-by: kubectl

Manifest Organization

Option 1 — Separate Files

manifests/
├── configmap.yaml
├── secret.yaml
├── deployment.yaml
├── service.yaml
└── pvc.yaml

Option 2 — Kustomize

base/
├── kustomization.yaml
├── deployment.yaml
├── service.yaml
└── configmap.yaml
overlays/
├── dev/
│   └── kustomization.yaml
└── prod/
    ├── kustomization.yaml
    └── resource-patch.yaml

Validation

# Client-side dry run
kubectl apply -f manifest.yaml --dry-run=client

# Server-side validation
kubectl apply -f manifest.yaml --dry-run=server

# Lint with kube-score
kube-score score manifest.yaml

# Lint with kube-linter
kube-linter lint manifest.yaml

Troubleshooting Quick Reference

Problem Diagnosis Fix
Pod stuck Pending kubectl describe pod — check events Fix resource requests, node capacity, PVC binding
ImagePullBackOff Wrong image name/tag or missing pull secret Verify image exists, add imagePullSecrets
CrashLoopBackOff App crashes on start Check logs: kubectl logs \x3Cpod> --previous
Service not reachable Selector mismatch Verify kubectl get endpoints \x3Csvc> is non-empty
ConfigMap not loading Name mismatch or wrong namespace Check names match and namespace is correct
Readiness probe failing Wrong path or port Verify health endpoint works inside container
OOMKilled Memory limit too low Increase resources.limits.memory

NEVER Do

Anti-Pattern Why Do Instead
Use :latest image tag Non-reproducible deployments Pin exact version: image:1.2.3
Skip resource limits Pods can starve the node Always set requests and limits
Run as root Container escape = full host access Set runAsNonRoot: true + USER
Commit plaintext Secrets Credentials in Git history forever Use Sealed Secrets / External Secrets / Vault
Skip health checks K8s can't detect unhealthy pods Always configure liveness + readiness probes
Omit labels Cannot filter, select, or organize Use standard app.kubernetes.io/* labels
Single replica for production Zero availability during updates Use replicas: 3 minimum for HA
Hardcode config in containers Requires rebuild for config changes Use ConfigMaps and Secrets

Assets & References

Assets (Templates)

Template Description
assets/deployment-template.yaml Production Deployment with security + probes
assets/service-template.yaml ClusterIP, LoadBalancer, NodePort examples
assets/configmap-template.yaml ConfigMap with data types
assets/statefulset-template.yaml StatefulSet with headless Service + PVC
assets/cronjob-template.yaml CronJob with concurrency + history
assets/ingress-template.yaml Ingress with TLS, rate limiting, CORS

References

Reference Description
references/deployment-spec.md Detailed Deployment specification
references/service-spec.md Service types and networking details
Usage Guidance
This skill appears coherent and focused on generating Kubernetes manifests. Before installing or using it, consider: (1) Do not paste real credentials or plaintext secrets into templates—use Sealed Secrets/Vault/External Secrets in production; the README rightly warns about this. (2) Review and adapt example annotations (e.g., AWS NLB annotations, cert-manager issuer names, ingress controller annotations) to your cloud/cluster—these are provider-specific. (3) Example init/health scripts reference utilities like nc and curl; ensure your container images include needed tools or replace with appropriate checks. (4) Validate and lint generated manifests (kubectl --dry-run, kubeval, kube-linter, kube-score) before applying to a cluster. If you need the agent to modify live clusters, ensure separate skills/tools handle kubectl credentials and RBAC appropriately; this skill by itself does not request or manage cluster credentials.
Capability Analysis
Type: OpenClaw Skill Name: kubernetes-devops Version: 1.0.0 The OpenClaw AgentSkills skill bundle for Kubernetes manifest generation is benign. All files, including SKILL.md and various YAML templates, consistently focus on providing documentation and examples for creating secure and production-ready Kubernetes resources. Shell commands like `kubectl`, `curl`, and `nc` are either presented as instructions for the user to validate generated manifests or are part of Kubernetes YAML templates intended to run within pods, not executed by the OpenClaw agent itself. There is no evidence of prompt injection, data exfiltration, malicious execution, persistence mechanisms, or obfuscation.
Capability Assessment
Purpose & Capability
The name/description match the provided content: templates and step‑by‑step guidance for Deployments, StatefulSets, CronJobs, Services, Ingresses, ConfigMaps, Secrets, and PVCs. There are no unrelated binaries, environment variables, or credentials requested.
Instruction Scope
SKILL.md and included files only provide manifest examples, templates, and workflow questions for generating Kubernetes YAML. The instructions do not tell the agent to read system files, access external credentials, or transmit data to unexpected endpoints. Some template snippets include shell snippets intended to run inside containers (e.g., nc, curl) — these are examples for container images, not instructions for the agent to execute on the host.
Install Mechanism
No install spec or code is bundled; this is instruction-only, so nothing will be downloaded or written to disk during install. This is the lowest-risk install profile.
Credentials
The skill does not request any environment variables, secrets, or config paths. Example Secret manifests are present as templates (with a clear admonition not to commit plaintext secrets), which is appropriate for a manifest generator.
Persistence & Privilege
always:false and default invocation settings. The skill does not request permanent presence or modify other skills/configurations.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install kubernetes-devops
  3. After installation, invoke the skill by name or use /kubernetes-devops
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release – production-ready Kubernetes manifest generation for DevOps workflows. - Supports generation for Deployments, StatefulSets, CronJobs, Services, Ingresses, ConfigMaps, Secrets, and PersistentVolumeClaims. - Built-in guidance for selecting appropriate workload/resource types and organization (Kustomize, file structure). - Production-focused security (securityContext, probes, resource limits) and health checks included in all samples. - Includes configuration for both internal (ClusterIP) and external (LoadBalancer, Ingress) service exposure. - Provides manifest examples, best practices, labels, and validation steps.
Metadata
Slug kubernetes-devops
Version 1.0.0
License
All-time Installs 23
Active Installs 22
Total Versions 1
Frequently Asked Questions

What is Kubernetes?

WHAT: Kubernetes manifest generation - Deployments, StatefulSets, CronJobs, Services, Ingresses, ConfigMaps, Secrets, and PVCs with production-grade security and health checks. WHEN: User needs to create K8s manifests, deploy containers, configure Services/Ingress, manage ConfigMaps/Secrets, set up persistent storage, or organize multi-environment configs. KEYWORDS: kubernetes, k8s, manifest, deployment, statefulset, cronjob, service, ingress, configmap, secret, pvc, pod, container, yaml, kustomize, helm, namespace, probe, security context. It is an AI Agent Skill for Claude Code / OpenClaw, with 2652 downloads so far.

How do I install Kubernetes?

Run "/install kubernetes-devops" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Kubernetes free?

Yes, Kubernetes is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Kubernetes support?

Kubernetes is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Kubernetes?

It is built and maintained by wpank (@wpank); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments