首页龙虾技能列表 › Kubernetes — 技能工具

☸️ Kubernetes — 技能工具

v1.0.0

[自动翻译] Avoid common Kubernetes mistakes — resource limits, probe configuration, selector mismatches, and RBAC pitfalls.

4· 1,900·9 当前·9 累计
by @ivangdavila (Iván)·MIT-0
下载技能包
License
MIT-0
最后更新
2026/2/26
安全扫描
VirusTotal
无害
查看报告
OpenClaw
安全
high confidence
The skill is a documentation-only Kubernetes best-practices helper that only requires kubectl and otherwise matches its stated purpose.
评估建议
This skill is essentially documentation and example kubectl commands — it doesn't install code. If you install it, be aware that an agent executing its advice will run kubectl against whatever kubeconfig or cluster context is available on the host. Only enable or allow the agent to use kubectl in environments where you trust the agent and its permissions. Prefer using a non-admin kubeconfig or a dedicated least-privilege service account and test in a non-production cluster first. If you want exp...
详细分析 ▾
用途与能力
Name/description and the SKILL.md content align: guidance about resource limits, probes, networking, storage, RBAC, and kubectl debugging commands. Requesting the kubectl binary is appropriate for a Kubernetes helper.
指令范围
SKILL.md contains only educational guidance and example kubectl commands (describe, logs, exec, get events, auth can-i). It does not instruct the agent to read unrelated files or to transmit data to external endpoints. Note: following its kubectl examples will cause the agent to interact with whatever kubeconfig/cluster context is available on the host — this is expected for the skill's purpose.
安装机制
No install spec and no code files — the lowest-risk pattern. Nothing is downloaded or written to disk by the skill itself.
凭证需求
The skill declares no environment variables or config paths, which is reasonable. However, because it requires kubectl, runtime use will implicitly rely on the user's kubeconfig (or cluster in-cluster credentials). That implicit access to cluster credentials is proportional to the stated purpose but is worth being aware of.
持久化与权限
always is false and the skill is user-invocable; it does not request permanent presence or modify other skills. Autonomous invocation is allowed by default but not exceptional here.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

🖥️ OSLinux · macOS · Windows

版本

latestv1.0.02026/2/10

Initial release

● 无害

安装命令 点击复制

官方npx clawhub@latest install k8s
镜像加速npx clawhub@latest install k8s --registry https://cn.clawhub-mirror.com

技能文档

Resource Management

  • requests = guaranteed minimum — scheduler uses this for placement
  • limits = maximum allowed — exceeding memory = OOMKilled, CPU = throttled
  • No limits = can consume entire node — always set production limits
  • requests without limits = burstable — can use more if available

Probes

  • readinessProbe controls traffic — fails = removed from Service endpoints
  • livenessProbe restarts container — fails = container killed and restarted
  • startupProbe for slow starts — disables liveness/readiness until success
  • Don't use same endpoint for liveness and readiness — liveness should be minimal health check

Probe Pitfalls

  • Liveness probe checking dependencies — if DB down, all pods restart indefinitely
  • initialDelaySeconds too short — pod killed before app starts
  • timeoutSeconds too short — slow response = restart loop
  • HTTP probe to HTTPS endpoint — needs scheme: HTTPS

Labels and Selectors

  • Service selector must match Pod labels exactly — typo = no endpoints
  • Deployment selector is immutable — can't change after creation
  • Use consistent labeling scheme — app, version, environment
  • matchExpressions for complex selection — In, NotIn, Exists

ConfigMaps and Secrets

  • ConfigMap changes don't restart pods — mount as volume for auto-update, or restart manually
  • Secrets are base64 encoded, not encrypted — use external secrets manager for sensitive data
  • envFrom imports all keys — env.valueFrom for specific keys
  • Volume mount makes files — subPath for single file without replacing directory

Networking

  • ClusterIP internal only — default, only accessible within cluster
  • NodePort exposes on node IP — 30000-32767 range, not for production
  • LoadBalancer provisions cloud LB — works only in supported environments
  • Ingress needs Ingress Controller — nginx-ingress, traefik, etc. installed separately

Persistent Storage

  • PVC binds to PV — must match capacity and access modes
  • storageClassName must match — or use "" for no dynamic provisioning
  • ReadWriteOnce = single node — ReadWriteMany needed for multi-pod
  • Pod deletion doesn't delete PVC — persistentVolumeReclaimPolicy controls PV fate

Common Mistakes

  • kubectl apply vs create — apply for declarative (can update), create for imperative (fails if exists)
  • Forgetting namespace — -n namespace or set context default
  • Image tag latest in production — no version pinning, unpredictable updates
  • Not setting imagePullPolicyAlways for latest tag, IfNotPresent for versioned
  • Service port vs targetPort — port is Service's, targetPort is container's

Debugging

  • kubectl describe pod for events — shows scheduling failures, probe failures
  • kubectl logs -f pod for logs — -p for previous container (after crash)
  • kubectl exec -it pod -- sh for shell — debug inside container
  • kubectl get events --sort-by=.lastTimestamp — cluster-wide events timeline

RBAC

  • ServiceAccount per workload — not default, for least privilege
  • Role is namespaced — ClusterRole is cluster-wide
  • RoleBinding binds Role to user/SA — ClusterRoleBinding for cluster-wide
  • Check permissions: kubectl auth can-i verb resource --as=system:serviceaccount:ns:sa
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务