K8s Manifest Generator

1---2name: k8s-manifest-generator3description: Create production-ready Kubernetes manifests for Deployments, Services, ConfigMaps, and Secrets following best practices and security standards. Use when generating Kubernetes YAML manifests, creating K8s resources, or implementing production-grade Kubernetes configurations.4---5 6# Kubernetes Manifest Generator7 8Step-by-step guidance for creating production-ready Kubernetes manifests including Deployments, Services, ConfigMaps, Secrets, and PersistentVolumeClaims.9 10## Purpose11 12This skill provides comprehensive guidance for generating well-structured, secure, and production-ready Kubernetes manifests following cloud-native best practices and Kubernetes conventions.13 14## When to Use This Skill15 16Use this skill when you need to:17 18- Create new Kubernetes Deployment manifests19- Define Service resources for network connectivity20- Generate ConfigMap and Secret resources for configuration management21- Create PersistentVolumeClaim manifests for stateful workloads22- Follow Kubernetes best practices and naming conventions23- Implement resource limits, health checks, and security contexts24- Design manifests for multi-environment deployments25 26## Step-by-Step Workflow27 28### 1. Gather Requirements29 30**Understand the workload:**31 32- Application type (stateless/stateful)33- Container image and version34- Environment variables and configuration needs35- Storage requirements36- Network exposure requirements (internal/external)37- Resource requirements (CPU, memory)38- Scaling requirements39- Health check endpoints40 41**Questions to ask:**42 43- What is the application name and purpose?44- What container image and tag will be used?45- Does the application need persistent storage?46- What ports does the application expose?47- Are there any secrets or configuration files needed?48- What are the CPU and memory requirements?49- Does the application need to be exposed externally?50 51### 2. Create Deployment Manifest52 53**Follow this structure:**54 55```yaml56apiVersion: apps/v157kind: Deployment58metadata:59  name: <app-name>60  namespace: <namespace>61  labels:62    app: <app-name>63    version: <version>64spec:65  replicas: 366  selector:67    matchLabels:68      app: <app-name>69  template:70    metadata:71      labels:72        app: <app-name>73        version: <version>74    spec:75      containers:76        - name: <container-name>77          image: <image>:<tag>78          ports:79            - containerPort: <port>80              name: http81          resources:82            requests:83              memory: "256Mi"84              cpu: "250m"85            limits:86              memory: "512Mi"87              cpu: "500m"88          livenessProbe:89            httpGet:90              path: /health91              port: http92            initialDelaySeconds: 3093            periodSeconds: 1094          readinessProbe:95            httpGet:96              path: /ready97              port: http98            initialDelaySeconds: 599            periodSeconds: 5100          env:101            - name: ENV_VAR102              value: "value"103          envFrom:104            - configMapRef:105                name: <app-name>-config106            - secretRef:107                name: <app-name>-secret108```109 110**Best practices to apply:**111 112- Always set resource requests and limits113- Implement both liveness and readiness probes114- Use specific image tags (never `:latest`)115- Apply security context for non-root users116- Use labels for organization and selection117- Set appropriate replica count based on availability needs118 119**Reference:** See `references/deployment-spec.md` for detailed deployment options120 121### 3. Create Service Manifest122 123**Choose the appropriate Service type:**124 125**ClusterIP (internal only):**126 127```yaml128apiVersion: v1129kind: Service130metadata:131  name: <app-name>132  namespace: <namespace>133  labels:134    app: <app-name>135spec:136  type: ClusterIP137  selector:138    app: <app-name>139  ports:140    - name: http141      port: 80142      targetPort: 8080143      protocol: TCP144```145 146**LoadBalancer (external access):**147 148```yaml149apiVersion: v1150kind: Service151metadata:152  name: <app-name>153  namespace: <namespace>154  labels:155    app: <app-name>156  annotations:157    service.beta.kubernetes.io/aws-load-balancer-type: nlb158spec:159  type: LoadBalancer160  selector:161    app: <app-name>162  ports:163    - name: http164      port: 80165      targetPort: 8080166      protocol: TCP167```168 169**Reference:** See `references/service-spec.md` for service types and networking170 171### 4. Create ConfigMap172 173**For application configuration:**174 175```yaml176apiVersion: v1177kind: ConfigMap178metadata:179  name: <app-name>-config180  namespace: <namespace>181data:182  APP_MODE: production183  LOG_LEVEL: info184  DATABASE_HOST: db.example.com185  # For config files186  app.properties: |187    server.port=8080188    server.host=0.0.0.0189    logging.level=INFO190```191 192**Best practices:**193 194- Use ConfigMaps for non-sensitive data only195- Organize related configuration together196- Use meaningful names for keys197- Consider using one ConfigMap per component198- Version ConfigMaps when making changes199 200**Reference:** See `assets/configmap-template.yaml` for examples201 202### 5. Create Secret203 204**For sensitive data:**205 206```yaml207apiVersion: v1208kind: Secret209metadata:210  name: <app-name>-secret211  namespace: <namespace>212type: Opaque213stringData:214  DATABASE_PASSWORD: "changeme"215  API_KEY: "secret-api-key"216  # For certificate files217  tls.crt: |218    -----BEGIN CERTIFICATE-----219    ...220    -----END CERTIFICATE-----221  tls.key: |222    -----BEGIN PRIVATE KEY-----223    ...224    -----END PRIVATE KEY-----225```226 227**Security considerations:**228 229- Never commit secrets to Git in plain text230- Use Sealed Secrets, External Secrets Operator, or Vault231- Rotate secrets regularly232- Use RBAC to limit secret access233- Consider using Secret type: `kubernetes.io/tls` for TLS secrets234 235### 6. Create PersistentVolumeClaim (if needed)236 237**For stateful applications:**238 239```yaml240apiVersion: v1241kind: PersistentVolumeClaim242metadata:243  name: <app-name>-data244  namespace: <namespace>245spec:246  accessModes:247    - ReadWriteOnce248  storageClassName: gp3249  resources:250    requests:251      storage: 10Gi252```253 254**Mount in Deployment:**255 256```yaml257spec:258  template:259    spec:260      containers:261        - name: app262          volumeMounts:263            - name: data264              mountPath: /var/lib/app265      volumes:266        - name: data267          persistentVolumeClaim:268            claimName: <app-name>-data269```270 271**Storage considerations:**272 273- Choose appropriate StorageClass for performance needs274- Use ReadWriteOnce for single-pod access275- Use ReadWriteMany for multi-pod shared storage276- Consider backup strategies277- Set appropriate retention policies278 279### 7. Apply Security Best Practices280 281**Add security context to Deployment:**282 283```yaml284spec:285  template:286    spec:287      securityContext:288        runAsNonRoot: true289        runAsUser: 1000290        fsGroup: 1000291        seccompProfile:292          type: RuntimeDefault293      containers:294        - name: app295          securityContext:296            allowPrivilegeEscalation: false297            readOnlyRootFilesystem: true298            capabilities:299              drop:300                - ALL301```302 303**Security checklist:**304 305- [ ] Run as non-root user306- [ ] Drop all capabilities307- [ ] Use read-only root filesystem308- [ ] Disable privilege escalation309- [ ] Set seccomp profile310- [ ] Use Pod Security Standards311 312### 8. Add Labels and Annotations313 314**Standard labels (recommended):**315 316```yaml317metadata:318  labels:319    app.kubernetes.io/name: <app-name>320    app.kubernetes.io/instance: <instance-name>321    app.kubernetes.io/version: "1.0.0"322    app.kubernetes.io/component: backend323    app.kubernetes.io/part-of: <system-name>324    app.kubernetes.io/managed-by: kubectl325```326 327**Useful annotations:**328 329```yaml330metadata:331  annotations:332    description: "Application description"333    contact: "team@example.com"334    prometheus.io/scrape: "true"335    prometheus.io/port: "9090"336    prometheus.io/path: "/metrics"337```338 339### 9. Organize Multi-Resource Manifests340 341**File organization options:**342 343**Option 1: Single file with `---` separator**344 345```yaml346# app-name.yaml347---348apiVersion: v1349kind: ConfigMap350...351---352apiVersion: v1353kind: Secret354...355---356apiVersion: apps/v1357kind: Deployment358...359---360apiVersion: v1361kind: Service362...363```364 365**Option 2: Separate files**366 367```368manifests/369├── configmap.yaml370├── secret.yaml371├── deployment.yaml372├── service.yaml373└── pvc.yaml374```375 376**Option 3: Kustomize structure**377 378```379base/380├── kustomization.yaml381├── deployment.yaml382├── service.yaml383└── configmap.yaml384overlays/385├── dev/386│   └── kustomization.yaml387└── prod/388    └── kustomization.yaml389```390 391### 10. Validate and Test392 393**Validation steps:**394 395```bash396# Dry-run validation397kubectl apply -f manifest.yaml --dry-run=client398 399# Server-side validation400kubectl apply -f manifest.yaml --dry-run=server401 402# Validate with kubeval403kubeval manifest.yaml404 405# Validate with kube-score406kube-score score manifest.yaml407 408# Check with kube-linter409kube-linter lint manifest.yaml410```411 412**Testing checklist:**413 414- [ ] Manifest passes dry-run validation415- [ ] All required fields are present416- [ ] Resource limits are reasonable417- [ ] Health checks are configured418- [ ] Security context is set419- [ ] Labels follow conventions420- [ ] Namespace exists or is created421 422## Common Patterns423 424### Pattern 1: Simple Stateless Web Application425 426**Use case:** Standard web API or microservice427 428**Components needed:**429 430- Deployment (3 replicas for HA)431- ClusterIP Service432- ConfigMap for configuration433- Secret for API keys434- HorizontalPodAutoscaler (optional)435 436**Reference:** See `assets/deployment-template.yaml`437 438### Pattern 2: Stateful Database Application439 440**Use case:** Database or persistent storage application441 442**Components needed:**443 444- StatefulSet (not Deployment)445- Headless Service446- PersistentVolumeClaim template447- ConfigMap for DB configuration448- Secret for credentials449 450### Pattern 3: Background Job or Cron451 452**Use case:** Scheduled tasks or batch processing453 454**Components needed:**455 456- CronJob or Job457- ConfigMap for job parameters458- Secret for credentials459- ServiceAccount with RBAC460 461### Pattern 4: Multi-Container Pod462 463**Use case:** Application with sidecar containers464 465**Components needed:**466 467- Deployment with multiple containers468- Shared volumes between containers469- Init containers for setup470- Service (if needed)471 472## Templates473 474The following templates are available in the `assets/` directory:475 476- `deployment-template.yaml` - Standard deployment with best practices477- `service-template.yaml` - Service configurations (ClusterIP, LoadBalancer, NodePort)478- `configmap-template.yaml` - ConfigMap examples with different data types479- `secret-template.yaml` - Secret examples (to be generated, not committed)480- `pvc-template.yaml` - PersistentVolumeClaim templates481 482## Reference Documentation483 484- `references/deployment-spec.md` - Detailed Deployment specification485- `references/service-spec.md` - Service types and networking details486 487## Best Practices Summary488 4891. **Always set resource requests and limits** - Prevents resource starvation4902. **Implement health checks** - Ensures Kubernetes can manage your application4913. **Use specific image tags** - Avoid unpredictable deployments4924. **Apply security contexts** - Run as non-root, drop capabilities4935. **Use ConfigMaps and Secrets** - Separate config from code4946. **Label everything** - Enables filtering and organization4957. **Follow naming conventions** - Use standard Kubernetes labels4968. **Validate before applying** - Use dry-run and validation tools4979. **Version your manifests** - Keep in Git with version control49810. **Document with annotations** - Add context for other developers499 500## Troubleshooting501 502**Pods not starting:**503 504- Check image pull errors: `kubectl describe pod <pod-name>`505- Verify resource availability: `kubectl get nodes`506- Check events: `kubectl get events --sort-by='.lastTimestamp'`507 508**Service not accessible:**509 510- Verify selector matches pod labels: `kubectl get endpoints <service-name>`511- Check service type and port configuration512- Test from within cluster: `kubectl run debug --rm -it --image=busybox -- sh`513 514**ConfigMap/Secret not loading:**515 516- Verify names match in Deployment517- Check namespace518- Ensure resources exist: `kubectl get configmap,secret`519 520## Next Steps521 522After creating manifests:523 5241. Store in Git repository5252. Set up CI/CD pipeline for deployment5263. Consider using Helm or Kustomize for templating5274. Implement GitOps with ArgoCD or Flux5285. Add monitoring and observability529 530## Related Skills531 532- `helm-chart-scaffolding` - For templating and packaging533- `gitops-workflow` - For automated deployments534- `k8s-security-policies` - For advanced security configurations