From kubernetes-assistant
Master Kubernetes storage management and networking architecture. Learn persistent storage, network policies, service discovery, and ingress routing.
Production-grade Kubernetes storage and networking covering persistent storage patterns, CSI driver configuration, CNI plugins, service discovery, and ingress routing. This skill provides deep expertise in building reliable, high-performance data and network infrastructure.
Storage Stack
┌─────────────────────────────────────────────────┐
│ APPLICATION POD │
│ Volume Mount: /data │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ PERSISTENT VOLUME CLAIM (PVC) │
│ Namespace-scoped storage request │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ PERSISTENT VOLUME (PV) │
│ Cluster-wide resource │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ CSI DRIVER │
│ aws-ebs-csi, csi-driver-nfs, etc. │
└─────────────────────────────────────────────────┘
Production StorageClass
```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-ssd
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  iops: "5000"
  throughput: "250"
  encrypted: "true"       # encrypted with the account's default EBS KMS key unless kmsKeyId is also set
reclaimPolicy: Retain     # deleting the PVC keeps the PV and the EBS volume; the API default is Delete
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer   # provision in the zone where the pod is actually scheduled
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: shared-efs
provisioner: efs.csi.aws.com
parameters:
  provisioningMode: efs-ap   # one EFS access point (own root directory and POSIX identity) per PVC
  fileSystemId: fs-abc123
  directoryPerms: "700"      # required by the EFS CSI driver for efs-ap; without it the claim is not provisioned
reclaimPolicy: Retain
```
VolumeSnapshot for Backup
```yaml
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: ebs-snapclass
driver: ebs.csi.aws.com
deletionPolicy: Retain   # the EBS snapshot survives deletion of the VolumeSnapshot object
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: db-backup          # created in the same namespace as the PVC it snapshots
spec:
  volumeSnapshotClassName: ebs-snapclass
  source:
    persistentVolumeClaimName: postgresql-data-0   # EBS snapshots are crash-consistent; flush or quiesce the database first
```
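The settings above are the ones a reviewer checks before a class is allowed into production, and they are easy to get wrong silently (an omitted reclaimPolicy means Delete, an omitted volumeBindingMode means Immediate). The following is an added example, not code from the kubernetes-assistant skill: a static audit over StorageClass, VolumeSnapshotClass and PVC manifests loaded as Python dicts. The page's two classes and snapshot class are re-typed by hand, and the weak objects (`legacy-gp2`, `efs-unset`, `snap-delete`, `cache-data`) are constructed for contrast. Parameter names such as `encrypted`, `provisioningMode` and `directoryPerms` are those of the AWS EBS and EFS CSI drivers; other drivers spell these settings differently.

```python
"""Static audit of StorageClass / VolumeSnapshotClass / PVC manifests.

Added example, not code from the kubernetes-assistant skill. Parameter names
are those of the AWS EBS and EFS CSI drivers.
"""

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def audit_storage_class(sc):
    name = sc["metadata"]["name"]
    prov = sc.get("provisioner", "")
    params = sc.get("parameters", {})
    out = []
    if prov == "ebs.csi.aws.com" and params.get("encrypted") != "true":
        out.append(("HIGH", name, 'EBS volumes are created unencrypted; set parameters.encrypted: "true"'))
    if sc.get("reclaimPolicy", "Delete") == "Delete":   # Delete is the API default when omitted
        out.append(("MEDIUM", name, "reclaimPolicy Delete: deleting the PVC destroys the backing volume"))
    if prov == "ebs.csi.aws.com" and sc.get("volumeBindingMode", "Immediate") != "WaitForFirstConsumer":
        out.append(("LOW", name, "Immediate binding can provision a zonal volume where the pod cannot schedule"))
    if prov == "ebs.csi.aws.com" and not sc.get("allowVolumeExpansion", False):
        out.append(("LOW", name, "allowVolumeExpansion false: a full volume cannot be grown in place"))
    if prov == "efs.csi.aws.com" and params.get("provisioningMode") == "efs-ap" and "directoryPerms" not in params:
        out.append(("HIGH", name, "efs-ap provisioning requires parameters.directoryPerms; the claim will not be provisioned"))
    return out


def audit_snapshot_class(vsc):
    name = vsc["metadata"]["name"]
    if vsc.get("deletionPolicy") != "Retain":
        return [("MEDIUM", name, "deletionPolicy Delete: the cloud snapshot is removed with the VolumeSnapshot object")]
    return []


def audit_claim(pvc, class_names):
    name = pvc["metadata"]["name"]
    wanted = pvc.get("spec", {}).get("storageClassName")
    # None means "use the cluster default class"; "" means static binding only; both are skipped.
    if wanted and wanted not in class_names:
        return [("HIGH", name, f"PVC will stay Pending: StorageClass {wanted!r} does not exist")]
    return []


def audit(manifests):
    """Return (severity, object name, message) tuples, most severe first."""
    class_names = {m["metadata"]["name"] for m in manifests if m["kind"] == "StorageClass"}
    findings = []
    for m in manifests:
        if m["kind"] == "StorageClass":
            findings += audit_storage_class(m)
        elif m["kind"] == "VolumeSnapshotClass":
            findings += audit_snapshot_class(m)
        elif m["kind"] == "PersistentVolumeClaim":
            findings += audit_claim(m, class_names)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


# Constructed input: the page's two StorageClasses and VolumeSnapshotClass, plus a
# legacy class, a mis-set EFS class, a Delete snapshot class and two claims.
MANIFESTS = [
    {"kind": "StorageClass", "metadata": {"name": "fast-ssd"}, "provisioner": "ebs.csi.aws.com",
     "parameters": {"type": "gp3", "iops": "5000", "throughput": "250", "encrypted": "true"},
     "reclaimPolicy": "Retain", "allowVolumeExpansion": True, "volumeBindingMode": "WaitForFirstConsumer"},
    {"kind": "StorageClass", "metadata": {"name": "shared-efs"}, "provisioner": "efs.csi.aws.com",
     "parameters": {"provisioningMode": "efs-ap", "fileSystemId": "fs-abc123", "directoryPerms": "700"},
     "reclaimPolicy": "Retain"},
    {"kind": "StorageClass", "metadata": {"name": "legacy-gp2"}, "provisioner": "ebs.csi.aws.com",
     "parameters": {"type": "gp2"}},
    {"kind": "StorageClass", "metadata": {"name": "efs-unset"}, "provisioner": "efs.csi.aws.com",
     "parameters": {"provisioningMode": "efs-ap", "fileSystemId": "fs-abc123"}, "reclaimPolicy": "Retain"},
    {"kind": "VolumeSnapshotClass", "metadata": {"name": "ebs-snapclass"}, "driver": "ebs.csi.aws.com",
     "deletionPolicy": "Retain"},
    {"kind": "VolumeSnapshotClass", "metadata": {"name": "snap-delete"}, "driver": "ebs.csi.aws.com",
     "deletionPolicy": "Delete"},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "postgresql-data-0"},
     "spec": {"storageClassName": "fast-ssd"}},
    {"kind": "PersistentVolumeClaim", "metadata": {"name": "cache-data"},
     "spec": {"storageClassName": "gp2"}},
]

if __name__ == "__main__":
    for sev, obj, msg in audit(MANIFESTS):
        print(f"{sev:6} {obj:18} {msg}")
```

Run it and `fast-ssd`, `shared-efs`, `ebs-snapclass` and `postgresql-data-0` produce nothing, `legacy-gp2` produces four findings, and `cache-data` is flagged before it ever reaches the cluster, which is the "PVC Pending" case from the troubleshooting tree caught at review time. Wire the same function into a CI step with the real YAML loaded by whichever YAML library the pipeline already uses.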
Network Stack
┌─────────────────────────────────────────────────┐
│ EXTERNAL TRAFFIC │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ LOAD BALANCER (ALB/NLB) │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ INGRESS CONTROLLER / GATEWAY API │
│ TLS termination, routing │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ KUBERNETES SERVICE │
│ ClusterIP, NodePort, LoadBalancer │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ CNI PLUGIN │
│ Cilium, Calico, AWS VPC CNI │
└─────────────────────────────────────────────────┘
Service Configuration
```yaml
apiVersion: v1
kind: Service
metadata:
  name: api-server
  namespace: production
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: api-server   # must equal the pod template labels, or the Service has no endpoints
  ports:
    - name: http
      port: 80
      targetPort: 8080
    - name: grpc
      port: 9090
      targetPort: 9090
```
Production Ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"    # redirect plain HTTP to HTTPS
    nginx.ingress.kubernetes.io/limit-rps: "100"        # per client IP as the controller sees it; behind a proxy, forward the real IP or all clients share one bucket
    cert-manager.io/cluster-issuer: "letsencrypt-prod"  # cert-manager issues the certificate into the api-tls Secret
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - api.example.com
      secretName: api-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /v1
            pathType: Prefix    # matches /v1 and /v1/...; see the controller's docs for how /v1foo is treated
            backend:
              service:
                name: api-v1
                port:
                  number: 80
```
Gateway API
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: production-gateway
spec:
  gatewayClassName: istio
  listeners:
    - name: https
      hostname: "*.example.com"
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: wildcard-tls   # Secret in the Gateway's namespace; referencing another namespace needs a ReferenceGrant
      # allowedRoutes defaults to namespaces.from: Same, so HTTPRoutes must live in this namespace
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api-routes
spec:
  parentRefs:
    - name: production-gateway
  hostnames:
    - "api.example.com"   # must fall within the listener's *.example.com or the route is not accepted
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/v1
      backendRefs:
        - name: api-v1
          port: 80
          weight: 90
        - name: api-v1-canary
          port: 80
          weight: 10   # weights are relative shares, here 10% of requests
```
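Both the Ingress `pathType: Prefix` and the Gateway API `PathPrefix` match per path element, not as a string prefix, and a wildcard host covers exactly one DNS label; most "404 → path mismatch" tickets come from one of these two rules. The following is an added example, not code from the kubernetes-assistant skill or from any ingress controller: it implements the networking.k8s.io/v1 matching rules (Exact is a literal compare; Prefix compares "/"-separated elements; the longest matching path wins, Exact beating Prefix on a tie) over a constructed rule set built around the page's `/v1` prefix, with an extra exact health path and a docs prefix behind a wildcard host. Controllers do not all implement this exactly, so verify against the one you run.

```python
"""Ingress host/path matching as networking.k8s.io/v1 specifies it.

Added example, not code from the kubernetes-assistant skill or an ingress
controller. Gateway API PathPrefix uses the same element-wise rule.
"""


def host_matches(rule_host, request_host):
    """No host on the rule means any host; '*.x' matches exactly one label in front of x."""
    if not rule_host:
        return True
    rule_host, request_host = rule_host.lower(), request_host.lower()
    if rule_host.startswith("*."):
        suffix = rule_host[1:]                      # ".example.com"
        if not request_host.endswith(suffix):
            return False
        label = request_host[: -len(suffix)]
        return bool(label) and "." not in label     # one extra label, no more, no fewer
    return rule_host == request_host


def path_matches(path_type, rule_path, request_path):
    if path_type == "Exact":
        return rule_path == request_path
    if path_type == "Prefix":
        rule_elems = [e for e in rule_path.split("/") if e]
        req_elems = [e for e in request_path.split("/") if e]
        return req_elems[: len(rule_elems)] == rule_elems   # element-wise, case sensitive
    raise ValueError("ImplementationSpecific paths are defined by the controller, not the spec")


def route(rules, request_host, request_path):
    """Pick the backend service for a request; None models the controller's 404."""
    best = None
    for rule in rules:
        if not host_matches(rule.get("host"), request_host):
            continue
        for p in rule["http"]["paths"]:
            if not path_matches(p["pathType"], p["path"], request_path):
                continue
            rank = (len(p["path"]), p["pathType"] == "Exact")   # longest path, then Exact over Prefix
            if best is None or rank > best[0]:
                best = (rank, p["backend"]["service"])
    return None if best is None else best[1]


def backend(name):
    return {"service": {"name": name, "port": {"number": 80}}}


# Constructed rules: the page's /v1 prefix, an exact health path on the same
# host, and a docs prefix behind a wildcard host.
RULES = [
    {"host": "api.example.com", "http": {"paths": [
        {"path": "/v1", "pathType": "Prefix", "backend": backend("api-v1")},
        {"path": "/v1/healthz", "pathType": "Exact", "backend": backend("healthcheck")},
    ]}},
    {"host": "*.example.com", "http": {"paths": [
        {"path": "/docs", "pathType": "Prefix", "backend": backend("docs")},
    ]}},
]

if __name__ == "__main__":
    for host, path in [("api.example.com", "/v1/users"), ("api.example.com", "/v1users"),
                       ("api.example.com", "/v1/healthz"), ("docs.example.com", "/docs/intro"),
                       ("a.b.example.com", "/docs"), ("example.com", "/docs")]:
        hit = route(RULES, host, path)
        print(f"{host}{path} -> {hit['name'] if hit else 404}")
```

`/v1/users` and `/v1/` reach `api-v1`, `/v1users` is a 404, `/v1/healthz` goes to the exact match even though `/v1` also matches it, and `a.b.example.com` and the bare `example.com` both fall outside `*.example.com`. If a request you expected to route returns 404, run it through this before debugging the controller.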
Zero-Trust Architecture
```yaml
# Default deny all: selects every pod in the namespace and allows nothing in either direction
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Allow DNS: policies are additive, so this reopens egress to CoreDNS only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:        # namespaceSelector and podSelector in one list item are ANDed
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP             # large answers fall back to TCP; without this they time out
          port: 53
---
# API server policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-server-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: api-server   # the same label the Service selects
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:        # alone, this admits every pod in ingress-nginx; add a podSelector for the controller pods to narrow it
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - podSelector:              # no namespaceSelector, so only postgresql pods in this namespace
            matchLabels:
              app: postgresql
      ports:
        - protocol: TCP
          port: 5432
# default-deny-all also covers the postgresql pods: a policy selecting app: postgresql must allow
# ingress on TCP 5432 from the api-server pods, or the connection is dropped on the receiving side.
```
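Reasoning about a policy set by hand goes wrong in predictable places: forgetting that an unselected pod is wide open, that a `podSelector` peer never crosses namespaces, that a `namespaceSelector`-only peer trusts every pod in that namespace, and that the receiving pod's ingress policy has to agree with the sender's egress policy. The following is an added example, not code from the kubernetes-assistant skill or from any CNI: a small evaluator that applies the NetworkPolicy semantics a conformant CNI enforces to a constructed copy of the three policies above (with TCP 53 added) plus the `postgresql-policy` that the page's set is missing, and answers whether a given pod-to-pod flow is allowed. It models `matchLabels`, pod and namespace selector peers, and protocol/port lists; `ipBlock`, `matchExpressions`, named ports and `endPort` are left out. Pod and namespace objects, and the `kubernetes.io/metadata.name` namespace labels, are constructed to mirror the page.

```python
"""Offline evaluator for Kubernetes NetworkPolicy semantics (added example; not
code from the kubernetes-assistant skill or any CNI). Policies are additive: a
pod selected by any policy of a given policyType drops everything in that
direction that no rule allows; an unselected pod accepts everything. Modelled:
matchLabels, pod/namespace selector peers, protocol+port lists. Not modelled:
ipBlock, matchExpressions, named ports, endPort.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


def selector_matches(selector, labels):
    """matchLabels semantics; {} selects everything, a missing selector nothing."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, pod, policy_ns, namespaces):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                        # ipBlock-only peer: out of scope here
    if ns_sel is not None:                  # namespaceSelector alone admits any pod in matching namespaces
        if not selector_matches(ns_sel, namespaces.get(pod.namespace, {})):
            return False
    elif pod.namespace != policy_ns:        # podSelector alone is scoped to the policy's own namespace
        return False
    return pod_sel is None or selector_matches(pod_sel, pod.labels)


def ports_match(ports, protocol, port):
    if not ports:                           # no ports listed means every port
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def policy_types(policy):
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())   # API default when omitted


def direction_allowed(pod, peer_pod, protocol, port, direction, policies, namespaces):
    """'Ingress' reads spec.ingress[].from for pod; 'Egress' reads spec.egress[].to."""
    key = "from" if direction == "Ingress" else "to"
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == pod.namespace
                  and direction in policy_types(p)
                  and selector_matches(p["spec"].get("podSelector"), pod.labels)]
    if not applicable:
        return True                         # unselected pods are wide open
    for p in applicable:
        for rule in p["spec"].get(direction.lower()) or []:
            peers = rule.get(key)           # absent peer list = any peer
            peer_ok = peers is None or any(peer_matches(x, peer_pod, pod.namespace, namespaces) for x in peers)
            if peer_ok and ports_match(rule.get("ports"), protocol, port):
                return True
    return False


def allowed(src, dst, protocol, port, policies, namespaces):
    """(egress_ok at the sender, ingress_ok at the receiver); traffic flows only if both hold."""
    return (direction_allowed(src, dst, protocol, port, "Egress", policies, namespaces),
            direction_allowed(dst, src, protocol, port, "Ingress", policies, namespaces))


def np(name, pod_selector, types, ingress=None, egress=None):
    spec = {"podSelector": pod_selector, "policyTypes": types}
    if ingress is not None:
        spec["ingress"] = ingress
    if egress is not None:
        spec["egress"] = egress
    return {"metadata": {"name": name, "namespace": "production"}, "spec": spec}


def ns_peer(ns, pod_labels=None):
    peer = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": ns}}}
    if pod_labels:
        peer["podSelector"] = {"matchLabels": pod_labels}
    return peer


# Constructed: the page's three policies (TCP 53 added) plus the postgresql ingress policy it lacks.
POLICIES = [
    np("default-deny-all", {}, ["Ingress", "Egress"]),
    np("allow-dns", {}, ["Egress"], egress=[{"to": [ns_peer("kube-system", {"k8s-app": "kube-dns"})],
                                           "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]),
    np("api-server-policy", {"matchLabels": {"app.kubernetes.io/name": "api-server"}}, ["Ingress", "Egress"],
       ingress=[{"from": [ns_peer("ingress-nginx")], "ports": [{"protocol": "TCP", "port": 8080}]}],
       egress=[{"to": [{"podSelector": {"matchLabels": {"app": "postgresql"}}}],
                "ports": [{"protocol": "TCP", "port": 5432}]}]),
    np("postgresql-policy", {"matchLabels": {"app": "postgresql"}}, ["Ingress"],
       ingress=[{"from": [{"podSelector": {"matchLabels": {"app.kubernetes.io/name": "api-server"}}}],
                 "ports": [{"protocol": "TCP", "port": 5432}]}]),
]
NAMESPACES = {n: {"kubernetes.io/metadata.name": n} for n in ("production", "ingress-nginx", "kube-system", "staging")}

API = Pod("api-server-0", "production", {"app.kubernetes.io/name": "api-server"})
PG = Pod("postgresql-0", "production", {"app": "postgresql"})
DNS = Pod("coredns-0", "kube-system", {"k8s-app": "kube-dns"})
NGINX = Pod("ingress-nginx-controller-0", "ingress-nginx", {"app.kubernetes.io/name": "ingress-nginx"})
SCANNER = Pod("scanner", "ingress-nginx", {"app": "scanner"})   # any pod in that namespace is trusted by the page's rule
CURL = Pod("curl", "staging", {"app": "curl"})
```

Two results are worth internalising. `allowed(SCANNER, API, "TCP", 8080, ...)` is `(True, True)`: the `namespaceSelector`-only peer trusts anything that lands in `ingress-nginx`, so a compromised or misplaced pod there gets the same access as the controller. And `allowed(API, PG, "TCP", 5432, POLICIES[:3], ...)` is `(True, False)`: with only the page's three policies, the api-server may send but `default-deny-all` makes postgresql drop the packet, which shows up operationally as the "Timeout → NetworkPolicy" branch of the troubleshooting tree.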
┌─────────────┬─────────────┬─────────────┬─────────────┐
│ Feature │ Cilium │ Calico │ AWS VPC CNI │
├─────────────┼─────────────┼─────────────┼─────────────┤
│ Performance │ Excellent │ Very Good │ Excellent │
│ L7 Policy │ ✓ (native) │ Via Envoy │ ✗ │
│ eBPF │ ✓ │ ✓ (option) │ ✗ │
│ Encryption │ WireGuard │ WireGuard │ VPC native │
│ Observ. │ Hubble │ Basic │ CloudWatch │
└─────────────┴─────────────┴─────────────┴─────────────┘
Storage Problem?
│
├── PVC Pending
│   ├── Check the StorageClass exists (the PVC's events name the missing class)
│   ├── Check the provisioner / CSI controller pods are running
│   └── WaitForFirstConsumer → stays Pending until a pod that uses the PVC is scheduled
│
├── Pod can't mount
│   ├── Multi-Attach error → confirm the old node is really gone, then delete the stale VolumeAttachment (force-detaching from a live node risks corruption)
│   ├── Permission denied → set securityContext.fsGroup (and fsGroupChangePolicy) to match the volume's owner
│   └── No space left on device → expand the PVC (needs allowVolumeExpansion: true); other filesystem errors → kubelet and CSI node plugin logs
│
└── Performance issues
    ├── Check the IOPS / throughput limits of the volume type
    └── Use a faster StorageClass
Network Problem?
│
├── Service not reachable
│   ├── No endpoints → selector mismatch, or no pod passing its readiness probe
│   ├── DNS not resolving → CoreDNS (and egress policy to kube-dns)
│   └── Timeout → NetworkPolicy (check both the sender's egress and the receiver's ingress)
│
├── Ingress not working
│   ├── 404 → path or host mismatch
│   ├── 502 → backend not ready, or wrong targetPort
│   └── TLS error → certificate / Secret
│
└── Pod-to-pod fails
    ├── Check NetworkPolicy
    └── Check CNI pods
```bash
# Storage
kubectl get pv,pvc -A
kubectl describe pvc <name>             # Events show the provisioner error or the missing StorageClass
kubectl get storageclass
# Network
kubectl get svc,endpoints,ingress -A    # an empty ENDPOINTS column means the selector matches no ready pod
kubectl run debug --rm -it --image=nicolaka/netshoot -- nslookup <svc>
kubectl get networkpolicy -A
```
| Challenge | Solution |
|---|---|
| PVC Pending | Check StorageClass, provisioner |
| Volume timeout | Check node health, force detach |
| Ingress 502 | Check backend health |
| DNS failures | Verify CoreDNS, egress policy |
| Metric | Target |
|---|---|
| PVC provision time | <30s |
| Storage availability | 99.99% |
| Service latency | <10ms |
| Network policy coverage | 100% |