Author a specific Kubernetes resource type as literal YAML in a ConfigHub Unit with best-practice defaults. Use for "create a StatefulSet", "add an Ingress", "set up NetworkPolicy", "I need a CronJob", "add RBAC for my app", "set up autoscaling", "add a PDB". Not for AppConfig-based ConfigMaps (use app-config).
71
—
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Author common Kubernetes resource types as ConfigHub Units — literal YAML, best-practice defaults applied via functions, wired into the right Space.
.env, .properties, .yaml config files) — use app-config.import.confighub-core.references/yaml-patterns.md.cub auth status succeeds — it contacts the server's /me endpoint to confirm the token is still valid (not just local login state). If it fails, ask the user to run cub auth login (an interactive browser sign-in an agent cannot complete).Before showing hardcoded YAML, check whether the skill-examples Space has a relevant example Unit:
cub unit get <example-slug> --space skill-examples -o yaml 2>/dev/null| Resource type | Example slug | Contents |
|---|---|---|
| Deployment + Service | hello-app | Deployment + ClusterIP Service bundle |
| StatefulSet + headless Service | hello-statefulset | StatefulSet with volumeClaimTemplates + headless Service |
| DaemonSet | hello-daemonset | Node-level DaemonSet with hostPath volumes |
| Job | hello-job | One-shot Job with backoffLimit + activeDeadlineSeconds |
| CronJob | hello-cronjob | Scheduled CronJob with concurrencyPolicy |
| Ingress | hello-ingress | Ingress with TLS + cert-manager annotation |
| NetworkPolicy | hello-netpol | Default-deny + explicit-allow pair |
| RBAC | hello-rbac | ServiceAccount + Role + RoleBinding bundle |
| HPA | hello-hpa | HorizontalPodAutoscaler with scale behavior |
| PDB | hello-pdb | PodDisruptionBudget |
| Namespace | hello-ns | Namespace with pod-security labels |
If the example Unit exists, show it to the user as the starting point and adapt it. If skill-examples doesn't exist or the Unit isn't there, use the patterns from references/yaml-patterns.md.
Ask the user:
set-pod-container-security-context-defaults sets readOnlyRootFilesystem: true, so any write paths must be backed by a volume (see step 5).ingressClassName? Note: the community ingress-nginx controller is being retired (https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/) — new clusters should prefer Gateway API or a maintained alternative (InGate, NGINX Inc.'s NGINX Ingress Controller, Traefik, HAProxy, etc.).cub unit get <example-slug> --space skill-examples -o yaml 2>/dev/nullIf the example exists, use it as a starting template. Adapt names, images, ports, and other fields to the user's requirements. If the example doesn't exist, author the YAML from scratch following references/yaml-patterns.md.
Write literal YAML to a temp file. Follow these rules:
confighubplaceholder for namespace fields — ensure-namespaces will add it where missing.metadata.labels using the Kubernetes recommended labels: at minimum app.kubernetes.io/name (matching the workload selector). Add app.kubernetes.io/instance, app.kubernetes.io/version, app.kubernetes.io/component, app.kubernetes.io/part-of, app.kubernetes.io/managed-by where they apply. Do not use the bare app label.restartPolicy: Never (or OnFailure), backoffLimit, and activeDeadlineSeconds.automountServiceAccountToken: false on the ServiceAccount and on the workload pod spec (see step 5); grant only needed verbs; use resourceNames for Secrets.ingressClassName explicitly; always configure TLS for production. Prefer a maintained controller — community ingress-nginx is retired (see https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/).cub unit create --space <space> <unit-slug> /tmp/<file>.yaml \
--change-desc "<summary>
User prompt: <verbatim>
Clarifications: <condensed>"For workload Units (Deployment, StatefulSet, DaemonSet, Job, CronJob):
cub function set --space <space> --unit <slug> \
-- set-container-resources-defaults --change-desc "..."
cub function set --space <space> --unit <slug> \
-- set-container-probe-defaults --change-desc "..."
cub function set --space <space> --unit <slug> \
-- set-pod-container-security-context-defaults --change-desc "..."
cub function set --space <space> --unit <slug> \
-- set-automount-service-account-token-false --change-desc "..."
cub function set --space <space> --unit <slug> \
-- ensure-namespaces --change-desc "..."set-automount-service-account-token-false sets automountServiceAccountToken: false on every pod spec in the Unit. Apply it to every workload; the ServiceAccount-level setting is a defense-in-depth backstop, not a replacement. Only skip (and explicitly set true on the pod spec) when the workload genuinely needs to call the Kubernetes API.
Writable paths for read-only root filesystems. set-pod-container-security-context-defaults sets readOnlyRootFilesystem: true. If the container needs to write anywhere (e.g. /tmp, /var/cache/<app>, a log dir, a scratch dir), mount a volume at that path. For each write path:
cub function set --space <space> --unit <slug> \
-- set-container-volume-mount-path <container-name> <volume-name> <volume-path> \
--volume-source=emptyDir \
--change-desc "..."set-container-volume-mount-path adds the volumeMount to the named container and — if the named volume is not already in the pod spec — adds the volume too. --volume-source accepts emptyDir (default for scratch), configMap, secret, or persistentVolumeClaim. Use * as the container name to apply to all containers in the pod.
If the function doesn't fit the shape the user needs (e.g. a projected volume, a specific medium: Memory emptyDir, or an existing PVC with a sub-path), edit the YAML directly via cub unit update or a yq-i run instead.
For Namespace Units:
cub function set --space <space> --unit <slug> \
-- set-pod-security-defaults --change-desc "..."For non-workload namespaced resources (Ingress, NetworkPolicy, RBAC, HPA, PDB):
cub function set --space <space> --unit <slug> \
-- ensure-namespaces --change-desc "..."Note: set-container-probe-defaults adds HTTP GET probes on the first containerPort. For databases and other non-HTTP workloads, override with TCP or exec probes afterward via yq-i.
cub function vet --space <space> --unit <slug> -- vet-schemas
cub function vet --space <space> --unit <slug> -- vet-placeholders
cub function vet --space <space> --unit <slug> -- vet-formatBased on what was created, suggest the logical next skill:
target-bind + cub-apply to deploy.kubectl describe networkpolicy.serviceAccountName.Default: one Kubernetes resource per Unit (the doctrine in confighub-core). It scopes revisions, ApplyGates, diffs, and blast radius to a single resource, and links resources that reference each other via Links / Needs-Provides rather than co-locating them. Author each resource type below as its own Unit; wire cross-references with cub link create.
<app>-crds.volumeClaimTemplates inline rather than a separate PVC resource.skill-examples Units (e.g. hello-app = Deployment + Service) carry a small bundle for demonstration; treat those as examples, not the recommended granularity for new work.cub read + create/update + function do + run + link create/update, kubectl create --dry-run=client and kubectl explain for scaffolding.cub * delete *, mutating kubectl (apply/edit/patch/delete), helm, kustomize.{{ }}, ${VAR}, values files). Stop and route to confighub-core for the doctrine explanation.cub unit get <slug> --space <space> -o yaml — inspect the stored YAML.cub function vet --space <space> --unit <slug> -- vet-schemas — valid against target K8s version.cub function vet --space <space> --unit <slug> -- vet-placeholders — no stray placeholders.cub unit get <slug> --space <space> --web — Unit in the GUI.cub revision list <slug> --space <space> --web — provenance chain.references/yaml-patterns.md — ConfigHub-native YAML patterns for all resource types.references/functions-catalog.md — defaults functions, setters, validators.references/cub-cli.md — CLI discipline, --change-desc, -o mutations.confighub-core (doctrine), skill-examples-bootstrap (seeds the skill-examples Space with live examples), target-bind (deploy), cub-apply (apply), app-config (ConfigMap from app config files).82d0282
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.