Master Kubernetes storage management and networking architecture. Learn persistent storage, network policies, service discovery, and ingress routing.
Configures production-grade Kubernetes storage and networking including CSI drivers, Ingress, and Network Policies.
npx claudepluginhub pluginagentmarketplace/custom-plugin-kubernetesThis skill inherits all available tools. When active, it can use any tool Claude has access to.
assets/config.yamlreferences/GUIDE.mdscripts/helper.pyProduction-grade Kubernetes storage and networking covering persistent storage patterns, CSI driver configuration, CNI plugins, service discovery, and ingress routing. This skill provides deep expertise in building reliable, high-performance data and network infrastructure.
Storage Stack
┌─────────────────────────────────────────────────┐
│ APPLICATION POD │
│ Volume Mount: /data │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ PERSISTENT VOLUME CLAIM (PVC) │
│ Namespace-scoped storage request │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ PERSISTENT VOLUME (PV) │
│ Cluster-wide resource │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ CSI DRIVER │
│ aws-ebs-csi, csi-driver-nfs, etc. │
└─────────────────────────────────────────────────┘
Production StorageClass
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: fast-ssd
provisioner: ebs.csi.aws.com
parameters:
type: gp3
iops: "5000"
throughput: "250"
encrypted: "true"
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: shared-efs
provisioner: efs.csi.aws.com
parameters:
provisioningMode: efs-ap
fileSystemId: fs-abc123
reclaimPolicy: Retain
VolumeSnapshot for Backup
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
name: ebs-snapclass
driver: ebs.csi.aws.com
deletionPolicy: Retain
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
name: db-backup
spec:
volumeSnapshotClassName: ebs-snapclass
source:
persistentVolumeClaimName: postgresql-data-0
Network Stack
┌─────────────────────────────────────────────────┐
│ EXTERNAL TRAFFIC │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ LOAD BALANCER (ALB/NLB) │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ INGRESS CONTROLLER / GATEWAY API │
│ TLS termination, routing │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ KUBERNETES SERVICE │
│ ClusterIP, NodePort, LoadBalancer │
└─────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────┐
│ CNI PLUGIN │
│ Cilium, Calico, AWS VPC CNI │
└─────────────────────────────────────────────────┘
Service Configuration
apiVersion: v1
kind: Service
metadata:
name: api-server
namespace: production
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: api-server
ports:
- name: http
port: 80
targetPort: 8080
- name: grpc
port: 9090
targetPort: 9090
Production Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: api-ingress
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/limit-rps: "100"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
ingressClassName: nginx
tls:
- hosts:
- api.example.com
secretName: api-tls
rules:
- host: api.example.com
http:
paths:
- path: /v1
pathType: Prefix
backend:
service:
name: api-v1
port:
number: 80
Gateway API
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: production-gateway
spec:
gatewayClassName: istio
listeners:
- name: https
hostname: "*.example.com"
port: 443
protocol: HTTPS
tls:
mode: Terminate
certificateRefs:
- name: wildcard-tls
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: api-routes
spec:
parentRefs:
- name: production-gateway
hostnames:
- "api.example.com"
rules:
- matches:
- path:
type: PathPrefix
value: /api/v1
backendRefs:
- name: api-v1
port: 80
weight: 90
- name: api-v1-canary
port: 80
weight: 10
Zero-Trust Architecture
# Default deny all
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
# Allow DNS
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dns
namespace: production
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- protocol: UDP
port: 53
---
# API server policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-server-policy
namespace: production
spec:
podSelector:
matchLabels:
app: api-server
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: ingress-nginx
ports:
- protocol: TCP
port: 8080
egress:
- to:
- podSelector:
matchLabels:
app: postgresql
ports:
- protocol: TCP
port: 5432
┌─────────────┬─────────────┬─────────────┬─────────────┐
│ Feature │ Cilium │ Calico │ AWS VPC CNI │
├─────────────┼─────────────┼─────────────┼─────────────┤
│ Performance │ Excellent │ Very Good │ Excellent │
│ L7 Policy │ ✓ (native) │ Via Envoy │ ✗ │
│ eBPF │ ✓ │ ✓ (option) │ ✗ │
│ Encryption │ WireGuard │ WireGuard │ VPC native │
│ Observ. │ Hubble │ Basic │ CloudWatch │
└─────────────┴─────────────┴─────────────┴─────────────┘
Storage Problem?
│
├── PVC Pending
│ ├── Check StorageClass exists
│ ├── Check provisioner running
│ └── WaitForFirstConsumer → Schedule pod
│
├── Pod can't mount
│ ├── Already attached → Force detach
│ ├── Permission denied → Check fsGroup
│ └── Filesystem error → Resize PVC
│
└── Performance issues
├── Check IOPS limits
└── Use faster StorageClass
Network Problem?
│
├── Service not reachable
│ ├── No endpoints → Selector mismatch
│ ├── DNS not resolving → CoreDNS
│ └── Timeout → NetworkPolicy
│
├── Ingress not working
│ ├── 404 → Path mismatch
│ ├── 502 → Backend not ready
│ └── TLS error → Certificate
│
└── Pod-to-pod fails
├── Check NetworkPolicy
└── Check CNI pods
# Storage
kubectl get pv,pvc -A
kubectl describe pvc <name>
kubectl get storageclass
# Network
kubectl get svc,endpoints,ingress -A
kubectl run debug --rm -it --image=nicolaka/netshoot -- nslookup <svc>
kubectl get networkpolicy -A
| Challenge | Solution |
|---|---|
| PVC Pending | Check StorageClass, provisioner |
| Volume timeout | Check node health, force detach |
| Ingress 502 | Check backend health |
| DNS failures | Verify CoreDNS, egress policy |
| Metric | Target |
|---|---|
| PVC provision time | <30s |
| Storage availability | 99.99% |
| Service latency | <10ms |
| Network policy coverage | 100% |
Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.
Activates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.