kubernetes

Kubernetes resource configuration and troubleshooting. Use when debugging pod failures, configuring probes and resource limits, setting up RBAC or NetworkPolicies, or resolving common Kubernetes errors like CrashLoopBackOff or ImagePullBackOff.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "kubernetes" with this command: npx skills add kontrolplane/skills/kontrolplane-skills-kubernetes

Kubernetes

Pod Failure Troubleshooting

Status | Common Causes | Debug Steps
CrashLoopBackOff | App crash, bad entrypoint, missing deps | kubectl logs <pod> --previous
ImagePullBackOff | Wrong image/tag, no auth, registry down | Check image name, kubectl get events
Pending | No resources, node selector mismatch, PVC pending | kubectl describe pod, check node capacity
OOMKilled | Memory limit exceeded | Increase limits.memory or fix leak
Evicted | Node disk/memory pressure | Check node conditions, clean up
CreateContainerError | Bad securityContext, missing configmap/secret | kubectl describe pod for specific error

Resource Configuration Gotchas

Requests vs Limits

  • Requests: Scheduling guarantee. Pod won't schedule if node lacks capacity.
  • Limits: Hard ceiling. Container killed (OOM) or throttled (CPU) if exceeded.
  • No limits = unbounded (can consume entire node)
  • requests > limits is invalid

Probe Timing

livenessProbe:
  initialDelaySeconds: 10  # Wait before first check
  periodSeconds: 5         # Check interval
  timeoutSeconds: 1        # Max wait for response
  failureThreshold: 3      # Failures before action

  • Liveness failure → container restart
  • Readiness failure → removed from service endpoints
  • startupProbe disables liveness and readiness probes until it succeeds (use for slow-starting apps)

Security Context Inheritance

Pod-level securityContext applies to all containers, but a container-level securityContext overrides it for any field set in both:

spec:
  securityContext:
    runAsNonRoot: true      # Pod default
  containers:
    - securityContext:
        runAsUser: 1000     # Container override

RBAC Patterns

Minimal Role for Pod Logs

rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list"]

Common API Groups

  • "" (empty): Core resources (pods, services, configmaps)
  • apps: Deployments, StatefulSets, DaemonSets
  • networking.k8s.io: Ingress, NetworkPolicy
  • rbac.authorization.k8s.io: Roles, bindings

NetworkPolicy Gotchas

  • No NetworkPolicy = all traffic allowed
  • Any NetworkPolicy selecting a pod = default deny for that direction
  • Empty podSelector: {} selects all pods in namespace
  • namespaceSelector: {} selects all namespaces
  • Separate - entries under from are ORed; podSelector and namespaceSelector nested in the same entry are ANDed

ingress:
  - from:
      - podSelector: {matchLabels: {app: frontend}}  # AND
        namespaceSelector: {matchLabels: {env: prod}}
  - from:  # OR (separate rule)
      - podSelector: {matchLabels: {app: monitoring}}
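
The AND/OR rule above, as an added example that is not part of the upstream SKILL.md: a simplified Python model of ingress peer matching (matchLabels only) that evaluates the page's policy next to a variant where the two selectors are split into separate - entries. The policy namespace "shop", the source pods and all function names are constructed for illustration.

```python
# Added example: simplified model of NetworkPolicy ingress peer matching.
# Covers matchLabels only (no ipBlock, ports or matchExpressions).

def labels_match(selector, labels):
    # An empty selector ({}) matches everything.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, src):
    # Selectors inside ONE `from` entry are ANDed.
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        # podSelector on its own only reaches pods in the policy's namespace.
        ns_ok = src["namespace"] == policy_ns
    else:
        ns_ok = labels_match(ns_sel, src["ns_labels"])
    return ns_ok and (pod_sel is None or labels_match(pod_sel, src["pod_labels"]))

def ingress_allows(rules, policy_ns, src):
    # Rules are ORed, and so are the entries under each rule's `from`.
    # A rule with no `from` allows every source.
    return any(not r.get("from") or any(peer_allows(p, policy_ns, src) for p in r["from"])
               for r in rules)

FRONTEND = {"matchLabels": {"app": "frontend"}}
PROD = {"matchLabels": {"env": "prod"}}
# The page's policy: one combined peer (AND) plus a separate rule (OR).
PAGE_RULES = [{"from": [{"podSelector": FRONTEND, "namespaceSelector": PROD}]},
              {"from": [{"podSelector": {"matchLabels": {"app": "monitoring"}}}]}]
# Same selectors split into two `-` entries: now frontend OR prod.
SPLIT_RULES = [{"from": [{"podSelector": FRONTEND}, {"namespaceSelector": PROD}]}]

def src(namespace, env, app):
    return {"namespace": namespace, "ns_labels": {"env": env}, "pod_labels": {"app": app}}

# Constructed sources; the policy is assumed to live in namespace "shop".
SOURCES = {"frontend-in-prod": src("web", "prod", "frontend"),
           "batch-in-prod": src("jobs", "prod", "batch"),
           "frontend-in-dev": src("web-dev", "dev", "frontend"),
           "monitoring-local": src("shop", "prod", "monitoring"),
           "monitoring-remote": src("obs", "dev", "monitoring")}

def evaluate(rules, policy_ns="shop"):
    return {name: ingress_allows(rules, policy_ns, s) for name, s in SOURCES.items()}

if __name__ == "__main__":
    for label, rules in (("page policy", PAGE_RULES), ("split peers", SPLIT_RULES)):
        print(label, evaluate(rules))
```

With the split form, any pod in a prod-labelled namespace is admitted, which is the usual way this mistake widens a policy during review.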

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
