WHAT: Kubernetes manifest generation - Deployments, StatefulSets, CronJobs, Services, Ingresses, ConfigMaps, Secrets, and PVCs with production-grade security and health checks. WHEN: User needs to c
Real data. Real impact.
Emerging
Developers
Per week
Open source
Skills give you superpowers. Install in 30 seconds.
Production-ready Kubernetes manifest generation covering Deployments, StatefulSets, CronJobs, Services, Ingresses, ConfigMaps, Secrets, and PVCs with security contexts, health checks, and resource management.
npx clawhub@latest install kubernetes
| Scenario | Example |
|---|---|
| Create deployment manifests | New microservice needing Deployment + Service |
| Define networking resources | ClusterIP, LoadBalancer, Ingress with TLS |
| Manage configuration | ConfigMaps for app config, Secrets for credentials |
| Stateful workloads | Databases with StatefulSets + PVCs |
| Scheduled jobs | CronJobs for batch processing |
| Multi-environment setup | Kustomize overlays for dev/staging/prod |
| Workload Type | Resource | When to Use |
|---|---|---|
| Stateless app | Deployment | Web servers, APIs, microservices |
| Stateful app | StatefulSet | Databases, message queues, caches |
| One-off task | Job | Migrations, data imports |
| Scheduled task | CronJob | Backups, reports, cleanup |
| Per-node agent | DaemonSet | Log collectors, monitoring agents |
apiVersion: apps/v1 kind: Deployment metadata: name: my-app namespace: production labels: app.kubernetes.io/name: my-app app.kubernetes.io/version: "1.0.0" app.kubernetes.io/component: backend spec: replicas: 3 selector: matchLabels: app.kubernetes.io/name: my-app template: metadata: labels: app.kubernetes.io/name: my-app app.kubernetes.io/version: "1.0.0" spec: securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 1000 seccompProfile: type: RuntimeDefault containers: - name: my-app image: registry.example.com/my-app:1.0.0 ports: - containerPort: 8080 name: http resources: requests: cpu: 250m memory: 256Mi limits: cpu: 500m memory: 512Mi securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: [ALL] livenessProbe: httpGet: path: /health port: http initialDelaySeconds: 30 periodSeconds: 10 readinessProbe: httpGet: path: /ready port: http initialDelaySeconds: 5 periodSeconds: 5 env: - name: LOG_LEVEL valueFrom: configMapKeyRef: name: my-app-config key: LOG_LEVEL - name: DB_PASSWORD valueFrom: secretKeyRef: name: my-app-secret key: DATABASE_PASSWORD
apiVersion: v1 kind: Service metadata: name: my-app namespace: production spec: type: ClusterIP selector: app.kubernetes.io/name: my-app ports: - name: http port: 80 targetPort: 8080 protocol: TCP
apiVersion: v1 kind: Service metadata: name: my-app-lb namespace: production annotations: service.beta.kubernetes.io/aws-load-balancer-type: nlb spec: type: LoadBalancer selector: app.kubernetes.io/name: my-app ports: - name: http port: 80 targetPort: 8080
| Type | Scope | Use Case |
|---|---|---|
| ClusterIP | Cluster-internal | Inter-service communication |
| NodePort | External via node IP | Dev/testing, on-prem |
| LoadBalancer | External via cloud LB | Production external access |
| ExternalName | DNS alias | Mapping to external services |
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-app namespace: production annotations: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/rate-limit: "100" spec: ingressClassName: nginx tls: - hosts: [app.example.com] secretName: app-tls rules: - host: app.example.com http: paths: - path: / pathType: Prefix backend: service: name: my-app port: number: 80
apiVersion: v1 kind: ConfigMap metadata: name: my-app-config namespace: production data: LOG_LEVEL: info APP_MODE: production DATABASE_HOST: db.internal.svc.cluster.local app.properties: | server.port=8080 server.host=0.0.0.0
apiVersion: v1 kind: Secret metadata: name: my-app-secret namespace: production type: Opaque stringData: DATABASE_PASSWORD: "changeme" API_KEY: "secret-api-key"
Important: Never commit plaintext Secrets to Git. Use Sealed Secrets, External Secrets Operator, or Vault for production.
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: my-app-data namespace: production spec: accessModes: [ReadWriteOnce] storageClassName: gp3 resources: requests: storage: 10Gi
Mount in a container:
containers: - name: app volumeMounts: - name: data mountPath: /var/lib/app volumes: - name: data persistentVolumeClaim: claimName: my-app-data
| Access Mode | Abbreviation | Use Case |
|---|---|---|
| ReadWriteOnce | RWO | Single-pod databases |
| ReadOnlyMany | ROX | Shared config/static assets |
| ReadWriteMany | RWX | Multi-pod shared storage |
spec: securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 1000 seccompProfile: type: RuntimeDefault
securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: [ALL]
| Check | Status |
|---|---|
| Required |
| Required |
| Recommended |
| Required |
| Recommended |
Specific image tags (never | Required |
| Resource requests and limits set | Required |
metadata: labels: app.kubernetes.io/name: my-app app.kubernetes.io/instance: my-app-prod app.kubernetes.io/version: "1.0.0" app.kubernetes.io/component: backend app.kubernetes.io/part-of: my-system app.kubernetes.io/managed-by: kubectl
manifests/ ├── configmap.yaml ├── secret.yaml ├── deployment.yaml ├── service.yaml └── pvc.yaml
base/ ├── kustomization.yaml ├── deployment.yaml ├── service.yaml └── configmap.yaml overlays/ ├── dev/ │ └── kustomization.yaml └── prod/ ├── kustomization.yaml └── resource-patch.yaml
# Client-side dry run kubectl apply -f manifest.yaml --dry-run=clientServer-side validation
kubectl apply -f manifest.yaml --dry-run=server
Lint with kube-score
kube-score score manifest.yaml
Lint with kube-linter
kube-linter lint manifest.yaml
| Problem | Diagnosis | Fix |
|---|---|---|
Pod stuck | | Fix resource requests, node capacity, PVC binding |
| Wrong image name/tag or missing pull secret | Verify image exists, add |
| App crashes on start | Check logs: |
| Service not reachable | Selector mismatch | Verify |
| ConfigMap not loading | Name mismatch or wrong namespace | Check names match and namespace is correct |
| Readiness probe failing | Wrong path or port | Verify health endpoint works inside container |
| OOMKilled | Memory limit too low | Increase |
| Anti-Pattern | Why | Do Instead |
|---|---|---|
Use | Non-reproducible deployments | Pin exact version: |
| Skip resource limits | Pods can starve the node | Always set |
| Run as root | Container escape = full host access | Set |
| Commit plaintext Secrets | Credentials in Git history forever | Use Sealed Secrets / External Secrets / Vault |
| Skip health checks | K8s can't detect unhealthy pods | Always configure liveness + readiness probes |
| Omit labels | Cannot filter, select, or organize | Use standard |
| Single replica for production | Zero availability during updates | Use |
| Hardcode config in containers | Requires rebuild for config changes | Use ConfigMaps and Secrets |
| Template | Description |
|---|---|
| assets/deployment-template.yaml | Production Deployment with security + probes |
| assets/service-template.yaml | ClusterIP, LoadBalancer, NodePort examples |
| assets/configmap-template.yaml | ConfigMap with data types |
| assets/statefulset-template.yaml | StatefulSet with headless Service + PVC |
| assets/cronjob-template.yaml | CronJob with concurrency + history |
| assets/ingress-template.yaml | Ingress with TLS, rate limiting, CORS |
| Reference | Description |
|---|---|
| references/deployment-spec.md | Detailed Deployment specification |
| references/service-spec.md | Service types and networking details |
No automatic installation available. Please visit the source repository for installation instructions.
View Installation Instructions
1,500+ AI skills, agents & workflows. Install in 30 seconds. Part of the Torly.ai family.
© 2026 Torly.ai. All rights reserved.