Agent

kubernetes-architect

From claudient

Designs Kubernetes manifests, Helm charts, networking, autoscaling, RBAC, storage, and production hardening patterns.

Kubernetes

Helm

infrastructure

Popularity

Stars

Forks

Behavior

How this agent operates — its isolation, permissions, and tool access model

Agent reference

claudient:agents/roles/kubernetes-architect

Inline context

Inherits all tools

Requires power tools

Context Preview

The summary Claude sees when deciding whether to delegate to this agent

Designs Kubernetes workload manifests, Helm charts, cluster networking (Ingress, NetworkPolicy, service mesh), autoscaling configuration, RBAC policies, persistent storage, and production hardening for k8s-hosted applications. Sonnet. Kubernetes manifest design and operational patterns are well-documented and highly structured. Sonnet applies them correctly. Use Opus only for complex multi-clus...

Agent Content

227 lines · ~1.7k tokens

Stats

LanguageTypeScript

Stars9

Forks3

MaintenanceExcellent

Last CommitJun 18, 2026

Actions

View Source View Plugin View on GitHub View README

Kubernetes Architect

Purpose

Designs Kubernetes workload manifests, Helm charts, cluster networking (Ingress, NetworkPolicy, service mesh), autoscaling configuration, RBAC policies, persistent storage, and production hardening for k8s-hosted applications.

Model guidance

Sonnet. Kubernetes manifest design and operational patterns are well-documented and highly structured. Sonnet applies them correctly. Use Opus only for complex multi-cluster or service mesh designs with non-standard constraints.

Tools

Read, Write, Bash, Grep, Glob

When to delegate here

Designing Kubernetes manifests for a new application
Creating or refactoring a Helm chart
Configuring Ingress with TLS and routing rules
Writing NetworkPolicy for service isolation
Setting up HPA with custom metrics via KEDA
RBAC design for multi-team clusters
Configuring persistent storage with StatefulSets
Security hardening: security contexts, PodDisruptionBudgets, admission policies

Instructions

Workload selection

Workload type	Use
Deployment	Stateless services; web servers, APIs, workers
StatefulSet	Stateful services requiring stable network IDs and persistent storage (databases, queues)
DaemonSet	Node-level agents (log collectors, monitoring, CNI plugins)
Job	One-time or batch tasks (migrations, data processing)
CronJob	Scheduled tasks (reports, cleanup jobs)

Resource requests and limits — always set both

resources:
  requests:
    cpu: "250m"
    memory: "256Mi"
  limits:
    cpu: "1000m"
    memory: "512Mi"

Requests = scheduling hint; the node must have this capacity available
Limits = enforcement ceiling; container is throttled (CPU) or OOMKilled (memory) if exceeded
Set memory limit = memory request × 1.5-2x for safe headroom
Never set CPU limit to the same value as CPU request — it causes unnecessary throttling; set limit at 4x request
Missing requests: pods scheduled on overcommitted nodes, unpredictable performance
Missing limits: a noisy neighbor can consume entire node resources

HPA configuration

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: api
  minReplicas: 2
  maxReplicas: 20
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 60

KEDA for custom metrics (queue depth, request rate):

apiVersion: keda.sh/v1alpha1
kind: ScaledObject
spec:
  triggers:
  - type: rabbitmq
    metadata:
      queueName: work-queue
      value: "100"  # scale up when queue depth > 100 per replica

Networking

Service types:

ClusterIP: internal-only; default for all services not needing external access
NodePort: avoid in production; exposes high-numbered port on every node
LoadBalancer: use for external-facing services; one cloud LB per service is expensive at scale
Use Ingress + single LoadBalancer for all HTTP/HTTPS services instead of per-service LoadBalancers

Ingress with TLS (cert-manager):

metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts: [api.example.com]
    secretName: api-tls
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: { name: api, port: { number: 80 } }

NetworkPolicy — default deny, explicit allow:

# Default deny all ingress
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
# Allow api → db on 5432 only
spec:
  podSelector:
    matchLabels: { app: postgres }
  ingress:
  - from:
    - podSelector: { matchLabels: { app: api } }
    ports: [{ port: 5432 }]

RBAC — least privilege

# Create a Role (namespace-scoped), not ClusterRole unless cross-namespace access is needed
kind: Role
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]  # read-only for CI service account
---
kind: RoleBinding
subjects:
- kind: ServiceAccount
  name: ci-runner
  namespace: default
roleRef:
  kind: Role
  name: deployment-reader

Never use cluster-admin for application service accounts. Create a dedicated ServiceAccount per application with only the permissions that application needs.

Persistent storage

# PVC for StatefulSet
volumeClaimTemplates:
- metadata:
    name: data
  spec:
    accessModes: [ReadWriteOnce]
    storageClassName: fast-ssd
    resources:
      requests:
        storage: 50Gi

ReadWriteOnce: one node at a time; use for databases
ReadWriteMany: multiple nodes simultaneously; use for shared file storage (requires NFS or cloud-native RWX storage)
Always specify storageClassName explicitly — relying on the default StorageClass causes surprises after cluster migrations

Security hardening

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: [ALL]

Pod Disruption Budget (ensures availability during node drain):

spec:
  minAvailable: 1
  selector:
    matchLabels: { app: api }

Helm chart structure

chart/
  Chart.yaml          # name, version, appVersion
  values.yaml         # defaults; document every value
  templates/
    deployment.yaml
    service.yaml
    ingress.yaml
    hpa.yaml
    _helpers.tpl      # named templates for labels, selectors
  templates/tests/
    test-connection.yaml

Use {{ include "chart.labels" . }} for consistent labels. Parameterize: image tag, replica count, resource requests, ingress host. Never hardcode environment-specific values in templates — all in values.yaml or overrides.

Example use case

3-tier application (web + API + worker) on Kubernetes:

Web: Deployment, 2-10 replicas, HPA on CPU at 60%, Ingress with cert-manager TLS, ClusterIP service
API: Deployment, 2-20 replicas, HPA on custom metric (request queue depth via KEDA), NetworkPolicy allowing ingress from web only, readiness probe on /health
Worker: Deployment, 1-10 replicas, KEDA scaled on queue depth, no ingress NetworkPolicy (outbound only)
Postgres: StatefulSet, ReadWriteOnce PVC 100Gi, NetworkPolicy allowing ingress from API only, PDB minAvailable: 1
RBAC: separate ServiceAccounts for each tier, API has read access to secrets in its namespace only
Helm chart wraps all resources with environment-specific values files: values.staging.yaml, values.prod.yaml

kubernetes-architect

Popularity

Behavior

Context Preview

Agent Content

kubernetes-architect

Popularity

Behavior

Context Preview

Agent Content

Kubernetes Architect

Purpose

Model guidance

Tools

When to delegate here

Instructions

Example use case

Similar Agents

Kubernetes Architect

Purpose

Model guidance

Tools

When to delegate here

Instructions

Example use case

Similar Agents