
nitinjain999/platform-skills

Production-grade platform engineering handbook — Kubernetes, Terraform, Flux CD, GitHub Actions, AWS, and more.


Status: Stable

# Kubernetes Examples

Baseline manifests for Kubernetes platform patterns. Apply across EKS, AKS, GKE, and vanilla clusters. Each file is a self-contained, production-hardened example you can copy directly into your GitOps repo.

## Examples

| File | What it shows | Key patterns |
| --- | --- | --- |
| `namespace-baseline.yaml` | Namespace with ownership labels and pod security enforcement | `pod-security.kubernetes.io/enforce: restricted`, team/env labels |
| `deployment-baseline.yaml` | Deployment with resource limits, probes, and locked-down security context | `runAsNonRoot`, `readOnlyRootFilesystem`, `capabilities.drop: ALL`, no CPU limit |
| `network-policy-default-deny.yaml` | Default-deny ingress + example allow rule for ingress controller | Applied before workload; explicit allow for ingress controller namespace |
| `pod-disruption-budget.yaml` | PDB protecting minimum availability during node drain | `minAvailable: 1` — prevents simultaneous eviction |

## Quick Start

```bash
# 1. Apply namespace first — sets pod security admission before workloads land
kubectl apply -f namespace-baseline.yaml

# 2. Deploy the baseline workload
kubectl apply -f deployment-baseline.yaml

# 3. Lock down network — default deny then explicit allow
kubectl apply -f network-policy-default-deny.yaml

# 4. Protect availability during drain / rolling update
kubectl apply -f pod-disruption-budget.yaml

# Verify security context is in effect
kubectl get pod -n app-team -o jsonpath='{.items[0].spec.containers[0].securityContext}'
```

## Key Patterns

### Security context (required on every container)

```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]
```

### Resource management (no CPU limit — avoids throttling)

```yaml
resources:
  requests:
    cpu: "100m"
    memory: "128Mi"
  limits:
    memory: "256Mi"   # CPU limit intentionally omitted
```

### Health probes (required for safe rolling updates)

```yaml
livenessProbe:
  httpGet:
    path: /healthz
    port: 8080
  initialDelaySeconds: 10
  periodSeconds: 10
readinessProbe:
  httpGet:
    path: /ready
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 5
```

## Checklist

- Namespace ownership labels present (team, env)
- Pod security admission enforced (restricted mode)
- Resource requests and limits on every container (no CPU limit)
- Liveness and readiness probes defined
- ServiceAccount explicitly set — not the default service account
- runAsNonRoot, allowPrivilegeEscalation: false, capabilities.drop: ALL
- readOnlyRootFilesystem: true (add emptyDir mounts for writable paths)
- Default-deny NetworkPolicy applied before any allow rules
- PodDisruptionBudget covers every deployment with replicas >= 2
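The Key Patterns and the Checklist above describe properties a manifest must have but give no way to verify them after the fact. As an added example (not code from the platform-skills repository), the script below turns the checklist into checks over the JSON that `kubectl get ... -o json` emits, so it can be piped live cluster state or run offline on the constructed sample it embeds. The file name `k8s_audit.py` and the object names (`app-team`, `api`, `worker`, `api-sa`) are assumptions. It goes a little beyond the README text in two places: init containers are audited as well as app containers, and `runAsNonRoot` inherited from the pod-level `securityContext` is accepted.

```python
"""Audit kubectl JSON against the checklist above (added example, not repo code).
Run offline on the constructed sample below, or pipe in real output, for example:
    kubectl get deploy,netpol,pdb -n app-team -o json | python k8s_audit.py"""
import json, sys

def check_namespace(ns):
    """Ownership labels present and Pod Security Admission enforcing 'restricted'."""
    name, labels = ns["metadata"]["name"], ns["metadata"].get("labels", {})
    out = [f"ns/{name}: missing ownership label '{k}'" for k in ("team", "env") if k not in labels]
    if labels.get("pod-security.kubernetes.io/enforce") != "restricted":
        out.append(f"ns/{name}: pod-security.kubernetes.io/enforce is not 'restricted'")
    return out

def check_deployment(deploy):
    """Service account, security context, resources and probes on every container."""
    name, pod = deploy["metadata"]["name"], deploy["spec"]["template"]["spec"]
    out = []
    if pod.get("serviceAccountName", "default") == "default":
        out.append(f"deploy/{name}: uses the default service account")
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        # runAsNonRoot may be inherited from the pod securityContext; the rest is container-only.
        sc = {**pod.get("securityContext", {}), **c.get("securityContext", {})}
        res = c.get("resources", {})
        req, lim = res.get("requests", {}), res.get("limits", {})
        rules = [
            (sc.get("runAsNonRoot") is True, "runAsNonRoot is not true"),
            (sc.get("allowPrivilegeEscalation") is False, "allowPrivilegeEscalation is not false"),
            (sc.get("readOnlyRootFilesystem") is True, "readOnlyRootFilesystem is not true"),
            ("ALL" in sc.get("capabilities", {}).get("drop", []), "capabilities.drop does not include ALL"),
            ({"cpu", "memory"} <= set(req), "cpu and memory requests are not both set"),
            ("memory" in lim, "memory limit missing"),
            ("cpu" not in lim, "CPU limit set (baseline omits it to avoid throttling)"),
        ]
        if c in pod.get("containers", []):  # probes are not permitted on init containers
            rules += [(p in c, f"{p} missing") for p in ("livenessProbe", "readinessProbe")]
        out += [f"deploy/{name}/{c['name']}: {msg}" for ok, msg in rules if not ok]
    return out

def has_default_deny_ingress(policies):
    """True if a NetworkPolicy selects every pod, covers Ingress (the default policyType) and has no rules."""
    for spec in (p["spec"] for p in policies):
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if spec.get("podSelector", {}) == {} and "Ingress" in types and not spec.get("ingress"):
            return True
    return False

def check_pdb_coverage(deploys, pdbs):
    """Every deployment with replicas >= 2 must be selected by some PodDisruptionBudget."""
    out = []
    for d in deploys:
        labels = d["spec"]["template"]["metadata"].get("labels", {})
        covered = any(all(labels.get(k) == v for k, v in p["spec"]["selector"].get("matchLabels", {}).items())
                      for p in pdbs)
        if d["spec"].get("replicas", 1) >= 2 and not covered:
            out.append(f"deploy/{d['metadata']['name']}: replicas >= 2 but no PodDisruptionBudget selects it")
    return out

def audit(items):
    """Run every check over a list of Kubernetes objects and return sorted findings."""
    of = lambda kind: [o for o in items if o["kind"] == kind]
    findings = [f for ns in of("Namespace") for f in check_namespace(ns)]
    findings += [f for d in of("Deployment") for f in check_deployment(d)]
    if of("Deployment") and not has_default_deny_ingress(of("NetworkPolicy")):  # only when workloads are present
        findings.append("no default-deny ingress NetworkPolicy found alongside the workloads")
    findings += check_pdb_coverage(of("Deployment"), of("PodDisruptionBudget"))
    return sorted(findings)

def sample_container(name):
    """Constructed container spec that satisfies every container-level item above."""
    return {"name": name,
            "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}, "limits": {"memory": "256Mi"}},
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}

def sample_deployment(name, replicas, service_account, container):
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": "app-team"},
            "spec": {"replicas": replicas, "selector": {"matchLabels": {"app": name}},
                     "template": {"metadata": {"labels": {"app": name}},
                                  "spec": {"serviceAccountName": service_account, "containers": [container]}}}}

# Constructed sample, not real cluster output: "api" is compliant, "worker" carries four defects.
_worker = sample_container("worker")
del _worker["readinessProbe"]
_worker["resources"]["limits"]["cpu"] = "500m"
SAMPLE_ITEMS = [
    {"kind": "Namespace", "metadata": {"name": "app-team", "labels": {
        "team": "payments", "env": "prod", "pod-security.kubernetes.io/enforce": "restricted"}}},
    sample_deployment("api", 2, "api-sa", sample_container("api")),
    sample_deployment("worker", 2, "default", _worker),
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny-ingress", "namespace": "app-team"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"kind": "PodDisruptionBudget", "metadata": {"name": "api", "namespace": "app-team"},
     "spec": {"minAvailable": 1, "selector": {"matchLabels": {"app": "api"}}}},
]

if __name__ == "__main__":  # pipe kubectl JSON (a List or one object) on stdin, or nothing for the sample
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else {"items": SAMPLE_ITEMS}
    print("\n".join(audit(doc.get("items", [doc])) or ["all checklist items satisfied"]))
```

Two design points worth noting. An allow rule such as the ingress-controller policy in the table also uses an empty `podSelector`, but because it carries `ingress` rules it does not count as the default deny; the check requires a policy with no rules at all, which is what makes traffic denied by default. The PDB check matches on `matchLabels` only, a simplification of this example (a real selector may also use `matchExpressions`), and the default-deny finding is raised only when Deployments are part of the input, so auditing a lone Namespace object does not produce a false alarm.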

## See Also

- references/kubernetes.md — cluster baselines, workload patterns, RBAC, network policy, pod security
- /platform-skills:review — production-readiness review of any manifest
- /platform-skills:debug — structured diagnosis for Kubernetes issues
