Container Expert
When reviewing or writing code, apply these guidelines:
- Use Docker for containerization and ensure easy deployment.
- Use Docker and docker compose for orchestration in both development and production environments. Avoid the obsolete docker-compose (hyphenated, v1) command.
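The following compose.yaml is an added example, not part of the original skill or of any project it describes. It shows how the Iron Laws below (non-root user, no secrets in the environment, resource limits, health checks) are expressed at the Compose layer for the v2 docker compose CLI. The image name, port, health endpoint and secret file path are assumptions; the top-level version key is deliberately omitted because Compose v2 treats it as obsolete.

```yaml
# Added example (not from the original skill): compose.yaml for `docker compose` (v2).
# Image, port, /healthz endpoint and the secret file path are assumptions.
services:
  api:
    image: registry.example.com/api:1.4.2   # assumed image; pin a tag or digest, never :latest
    user: "10001:10001"                     # non-root uid:gid; the image should also set USER
    read_only: true                         # immutable root filesystem
    tmpfs:
      - /tmp                                # writable scratch space without a writable image
    cap_drop:
      - ALL                                 # add back only the capabilities the app needs
    security_opt:
      - no-new-privileges:true              # setuid binaries cannot regain privileges
    secrets:
      - db_password                         # mounted as a file at /run/secrets/db_password
    environment:
      DB_PASSWORD_FILE: /run/secrets/db_password   # only the path is in the environment, never the value
    ports:
      - "127.0.0.1:8080:8080"               # bind to loopback; a reverse proxy fronts it
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 512M                      # the memory limit is what protects the host
        reservations:
          memory: 256M
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8080/healthz"]  # assumes wget in the image
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 15s

secrets:
  db_password:
    file: ./secrets/db_password.txt         # kept out of the image and out of git (.gitignore it)
```

Validate with docker compose config and start with docker compose up -d; both use the space-separated v2 plugin. docker compose honours deploy.resources.limits on a single engine without Swarm, and file-based secrets are mounted read-only under /run/secrets, so the application should read the file rather than expect the value in an environment variable.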
istio service mesh configuration
When reviewing or writing code, apply these guidelines:
- Offer advice on service mesh configuration
- Help set up traffic management, security, and observability features
- Assist with troubleshooting Istio-related issues
- Istio should be leveraged for inter-service communication, security, and monitoring.
- Prioritize security, scalability, and maintainability in your designs and implementations.
istio specific rules
When reviewing or writing code, apply these guidelines:
- Istio
- Offer advice on service mesh configuration
- Help set up traffic management, security, and observability features
- Assist with troubleshooting Istio-related issues
Project-Specific Notes: Istio should be leveraged for inter-service communication, security, and monitoring.
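The manifests below are an added example, not part of the original skill or of any project it describes. They show the minimum Istio configuration that actually delivers the security and monitoring the two Istio sections above ask for: mesh-wide STRICT mTLS, a mesh-wide default deny, one explicit allow rule bound to a workload identity, and access logging from every sidecar. The frontend and backend namespaces, the app label and the service account name are assumptions. The v1beta1 and v1alpha1 API versions are used because they are served by all supported Istio releases; Istio 1.22 and later also serve these resources as v1.

```yaml
# Added example (not part of the original skill). Namespaces, labels and the
# service account name are assumptions; adjust to the real workloads.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system      # root namespace: applies mesh-wide
spec:
  mtls:
    mode: STRICT               # plaintext from non-mesh clients is rejected at the sidecar
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system      # empty spec in the root namespace = mesh-wide default deny
spec: {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: backend
spec:
  selector:
    matchLabels:
      app: backend             # assumed workload label
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/frontend/sa/frontend   # SPIFFE identity proven by the mTLS certificate
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/*"]
---
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  accessLogging:
    - providers:
        - name: envoy          # built-in provider: every sidecar emits Envoy access logs
```

Two caveats a practitioner should check before applying this. The deny-all policy also applies to the ingress gateway and to any Knative system components in the mesh, so each of them needs its own ALLOW policy, and STRICT mTLS requires sidecar injection on every workload that talks to the protected services, including Knative's activator and queue-proxy. Roll out with mode: PERMISSIVE first and watch the sidecar access logs for plaintext connections before switching to STRICT.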
knative service guidance
When reviewing or writing code, apply these guidelines:
- Provide guidance on creating and managing Knative services
- Assist with serverless deployment configurations
- Help optimize autoscaling settings
- Always consider the serverless nature of the application when providing advice.
- Leverage the power and simplicity of Knative to create efficient and idiomatic code.
- The backend should be implemented as Knative services.
- Prioritize scalability, performance, and user experience in your suggestions.
knative specific rules
When reviewing or writing code, apply these guidelines:
- Knative
- Provide guidance on creating and managing Knative services
- Assist with serverless deployment configurations
- Help optimize autoscaling settings
Project-Specific Notes: The backend should be implemented as Knative services.
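The Knative Service below is an added example, not part of the original skill or of any project it describes. It shows the autoscaling settings the two Knative sections above ask the reviewer to optimise (soft concurrency target, hard per-pod concurrency, minimum and maximum scale) together with a non-root, resource-limited container. The service name, namespace, image and health endpoint are assumptions.

```yaml
# Added example (not part of the original skill). Name, namespace, image and
# the /healthz path are assumptions.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: orders-api
  namespace: backend
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/class: kpa.autoscaling.knative.dev  # Knative Pod Autoscaler (the default)
        autoscaling.knative.dev/metric: concurrency
        autoscaling.knative.dev/target: "50"        # soft target: scale so each pod sees ~50 in-flight requests
        autoscaling.knative.dev/min-scale: "1"      # one warm pod: no cold starts, but no scale-to-zero either
        autoscaling.knative.dev/max-scale: "20"     # hard ceiling so a request flood cannot consume the cluster
    spec:
      containerConcurrency: 100                     # hard limit per pod; excess requests queue at the activator
      timeoutSeconds: 30                            # request deadline enforced by the queue-proxy sidecar
      serviceAccountName: orders-api                # dedicated identity; this is the principal Istio policies match on
      containers:
        - image: registry.example.com/orders-api:2.1.0   # assumed image; pin a tag or digest
          ports:
            - containerPort: 8080
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          readinessProbe:
            httpGet:
              path: /healthz                        # Knative fills in the port for you
            periodSeconds: 5
```

The target annotation is a soft goal the autoscaler steers toward; containerConcurrency is the hard cap the queue-proxy enforces, so keep target below it to leave headroom for bursts. Set min-scale to "0" if scale-to-zero matters more than cold-start latency, and always set max-scale: a serverless backend with no ceiling turns a traffic spike into a cluster-wide resource exhaustion.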
Consolidated Skills
This expert skill consolidates 5 individual skills:
- docker-configuration
- istio-service-mesh-configuration
- istio-specific-rules
- knative-service-guidance
- knative-specific-rules
Iron Laws
- NEVER run containers as root. uid 0 inside a container is uid 0 to the shared host kernel, so any container-runtime or kernel escape CVE hands the attacker host root. Set USER to a non-root uid in the Dockerfile and set runAsNonRoot: true in the pod securityContext (the kubelet then refuses to start a container whose image would run as uid 0); drop all capabilities and set allowPrivilegeEscalation: false as well.
- NEVER store secrets in images or in environment variables. Image layers are immutable and are trivially extracted with docker save or docker history; environment variables are visible through docker inspect, /proc/<pid>/environ, crash dumps and every child process. Use Kubernetes Secrets mounted as files, an external secret manager (Vault, AWS Secrets Manager or SSM Parameter Store), or sealed secrets for GitOps. Kubernetes Secrets are only base64-encoded, so enable etcd encryption at rest and restrict them with RBAC.
- ALWAYS set resource requests and limits on every container. Without them one runaway container can exhaust a node's memory, trigger evictions and cascade failures across the cluster. Specify both requests and limits; the memory limit is what protects the node, while an overly tight CPU limit mostly causes throttling, so size it with headroom.
- ALWAYS add readiness and liveness probes. Without a readiness probe, Kubernetes sends traffic to a pod as soon as its process is Running, including one still warming up or wedged; without a liveness probe, a process that hangs without exiting is never restarted (only a crash is restarted by restartPolicy). Keep liveness probes shallow: checking downstream dependencies in a liveness probe turns one outage into a restart storm.
- NEVER use docker-compose (hyphenated). It is the deprecated Python v1 CLI and no longer receives updates. Use docker compose (space), the maintained v2 plugin shipped with Docker Desktop and the docker-compose-plugin package on Linux.
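The Deployment below is an added example, not part of the original skill or of any project it describes. It is a single manifest that satisfies all of the Kubernetes-side Iron Laws above at once: non-root with dropped capabilities, the secret mounted as a read-only file rather than an environment variable, requests and limits on the container, and readiness, liveness and startup probes with different jobs. The name, namespace, image, endpoints and secret name are assumptions.

```yaml
# Added example (not part of the original skill). Name, namespace, image,
# probe paths and the secret name are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments
  namespace: backend
spec:
  replicas: 2
  selector:
    matchLabels:
      app: payments
  template:
    metadata:
      labels:
        app: payments
    spec:
      serviceAccountName: payments
      automountServiceAccountToken: false       # the app never calls the API server, so do not hand it a token
      securityContext:
        runAsNonRoot: true                      # kubelet refuses to start a uid 0 container
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: payments
          image: registry.example.com/payments:3.2.1   # assumed image; pin a tag or digest, never :latest
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            - name: DB_PASSWORD_FILE            # only the path is in the environment, never the value
              value: /etc/secrets/db/password
          volumeMounts:
            - name: db-creds
              mountPath: /etc/secrets/db
              readOnly: true
            - name: tmp
              mountPath: /tmp                   # writable scratch space on a read-only root filesystem
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              cpu: "1"                          # CPU limit only throttles; leave headroom
              memory: 512Mi                     # memory limit is what protects the node
          startupProbe:                         # slow starts get up to 60s before liveness applies
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 5
            failureThreshold: 12
          readinessProbe:                       # gates traffic; may check dependencies
            httpGet:
              path: /readyz
              port: 8080
            periodSeconds: 10
          livenessProbe:                        # restarts a wedged process; keep it dependency-free
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 20
            failureThreshold: 3
      volumes:
        - name: db-creds
          secret:
            secretName: payments-db-creds       # assumed Secret; restrict it with RBAC
            defaultMode: 0400
        - name: tmp
          emptyDir: {}
```

Each probe has a distinct failure mode to cover: the startup probe stops a slow boot from being killed by the liveness probe, the readiness probe removes the pod from Service endpoints while a dependency is down without restarting it, and the liveness probe only fires when the process itself is unresponsive. Mounting the Secret with defaultMode 0400 and fsGroup 10001 means the non-root process can read it while nothing else in the container can.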
Anti-Patterns
| Anti-Pattern | Why It Fails | Correct Approach |
|---|---|---|
| Running as root in the container | Any container-runtime or kernel CVE becomes a host-root escape | Set USER to a non-root uid in the Dockerfile; runAsNonRoot: true in the pod securityContext |
| Secrets in environment variables or image layers | Leaked via docker inspect, /proc/<pid>/environ, logs, and image exports | Kubernetes Secrets mounted as files and restricted with RBAC; external secret managers |
| No resource limits on pods | One pod starves the node; cascading failures | Set CPU/memory requests AND limits on every container |
| Missing health probes | Traffic routed to unhealthy pods indefinitely; hung processes never restarted | Add readinessProbe and livenessProbe (plus startupProbe for slow starts) to every container |
| Using docker-compose (deprecated v1) | Unmaintained; lacks Compose v2 features and fixes | Use docker compose (space, Docker Engine plugin) |
Memory Protocol (MANDATORY)
Before starting:
cat .claude/context/memory/learnings.md
After completing: Record any new patterns or exceptions discovered.
ASSUME INTERRUPTION: Your context may reset. If it's not in memory, it didn't happen.