MR
Mayur Rathi
@github
⭐ 34.1k GitHub stars

Kubernetes-Manifests

Kubernetes-Manifests is an security AI skill with a core value of Best practices for Kubernetes YAML manifests including labeling conventions, security contexts, pod security, resource management, probes, and validation commands. It helps developers solve real-world problems in the security domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

Best practices for Kubernetes YAML manifests including labeling conventions, security contexts, pod security, resource management, probes, and validation commands

Last verified on: 2026-07-14

Quick Facts

Category security
Works With Claude, GitHub Copilot
Source github/awesome-copilot
Stars ⭐ 34.1k
Last Verified 2026-07-14
Risk Level Low
mkdir -p ./skills/kubernetes-manifests && curl -sfL https://raw.githubusercontent.com/github/awesome-copilot/main/skills/kubernetes-manifests/SKILL.md -o ./skills/kubernetes-manifests/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# Kubernetes Manifests Instructions


Your Mission


Create production-ready Kubernetes manifests that prioritize security, reliability, and operational excellence with consistent labeling, proper resource management, and comprehensive health checks.


Labeling Conventions


**Required Labels** (Kubernetes recommended):

- `app.kubernetes.io/name`: Application name

- `app.kubernetes.io/instance`: Instance identifier

- `app.kubernetes.io/version`: Version

- `app.kubernetes.io/component`: Component role

- `app.kubernetes.io/part-of`: Application group

- `app.kubernetes.io/managed-by`: Management tool


**Additional Labels**:

- `environment`: Environment name

- `team`: Owning team

- `cost-center`: For billing


**Useful Annotations**:

- Documentation and ownership

- Monitoring: `prometheus.io/scrape`, `prometheus.io/port`, `prometheus.io/path`

- Change tracking: git commit, deployment date


SecurityContext Defaults


**Pod-level**:

- `runAsNonRoot: true`

- `runAsUser` and `runAsGroup`: Specific IDs

- `fsGroup`: File system group

- `seccompProfile.type: RuntimeDefault`


**Container-level**:

- `allowPrivilegeEscalation: false`

- `readOnlyRootFilesystem: true` (with tmpfs mounts for writable dirs)

- `capabilities.drop: [ALL]` (add only what's needed)


Pod Security Standards


Use Pod Security Admission:

- **Restricted** (recommended for production): Enforces security hardening

- **Baseline**: Minimal security requirements

- Apply at namespace level


Resource Requests and Limits


**Always define**:

- Requests: Guaranteed minimum (scheduling)

- Limits: Maximum allowed (prevents exhaustion)


**QoS Classes**:

- **Guaranteed**: requests == limits (best for critical apps)

- **Burstable**: requests < limits (flexible resource use)

- **BestEffort**: No resources defined (avoid in production)


Health Probes


**Liveness**: Restart unhealthy containers

**Readiness**: Control traffic routing

**Startup**: Protect slow-starting applications


Configure appropriate delays, periods, timeouts, and thresholds for each.


Rollout Strategies


**Deployment Strategy**:

- `RollingUpdate` with `maxSurge` and `maxUnavailable`

- Set `maxUnavailable: 0` for zero-downtime


**High Availability**:

- Minimum 2-3 replicas

- Pod Disruption Budget (PDB)

- Anti-affinity rules (spread across nodes/zones)

- Horizontal Pod Autoscaler (HPA) for variable load


Validation Commands


**Pre-deployment**:

- `kubectl apply --dry-run=client -f manifest.yaml`

- `kubectl apply --dry-run=server -f manifest.yaml`

- `kubeconform -strict manifest.yaml` (schema validation)

- `helm template ./chart | kubeconform -strict` (for Helm)


**Policy Validation**:

- OPA Conftest, Kyverno, or Datree


Rollout & Rollback


**Deploy**:

- `kubectl apply -f manifest.yaml`

- `kubectl rollout status deployment/NAME`


**Rollback**:

- `kubectl rollout undo deployment/NAME`

- `kubectl rollout undo deployment/NAME --to-revision=N`

- `kubectl rollout history deployment/NAME`


**Restart**:

- `kubectl rollout restart deployment/NAME`


Manifest Checklist


- [ ] Labels: Standard labels applied

- [ ] Annotations: Documentation and monitoring

- [ ] Security: runAsNonRoot, readOnlyRootFilesystem, dropped capabilities

- [ ] Resources: Requests and limits defined

- [ ] Probes: Liveness, readiness, startup configured

- [ ] Images: Specific tags (never :latest)

- [ ] Replicas: Minimum 2-3 for production

- [ ] Strategy: RollingUpdate with appropriate surge/unavailable

- [ ] PDB: Defined for production

- [ ] Anti-affinity: Configured for HA

- [ ] Graceful shutdown: terminationGracePeriodSeconds set

- [ ] Validation: Dry-run and kubeconform passed

- [ ] Secrets: In Secrets resource, not ConfigMaps

- [ ] NetworkPolicy: Least-privilege access (if applicable)


Best Practices Summary


1. Use standard labels and annotations

2. Always run as non-root with dropped capabilities

3. Define resource requests and limits

4. Implement all three probe types

5. Pin image tags to specific versions

6. Configure anti-af

🎯 Best For

  • Security auditors
  • DevSecOps teams
  • Compliance officers
  • Claude users
  • GitHub Copilot users

💡 Use Cases

  • Auditing dependencies for known CVEs
  • Scanning API endpoints for auth gaps
  • Using Kubernetes-Manifests in daily workflow
  • Automating repetitive security tasks

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude or GitHub Copilot and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Kubernetes-Manifests to Your Work

    Provide context for your task — paste source material, describe your audience, or share existing work to guide the AI.

  4. 4

    Review and Refine

    Edit the AI output for accuracy, tone, and completeness. Add human insight where the AI lacks context.

❓ Frequently Asked Questions

Can this replace a dedicated SAST tool?

AI-based security review is complementary to SAST tools. Use it as a first-pass filter, not a replacement.

How do I install Kubernetes-Manifests?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/kubernetes-manifests/SKILL.md, ready to use.

Can I customize this skill for my team?

Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.

⚠️ Common Mistakes to Avoid

Only scanning surface-level issues

Deep security review requires understanding your app architecture, not just regex patterns.

Not reading the full skill

Skills contain important context and edge cases beyond the quick start.

🔗 Related Skills