From vanguard-frontier-agentic
Reviews FluxCD Kustomization, HelmRelease, and GitRepository resources for production safety, SOPS encryption, prune safety, commit verification, and least-privilege ServiceAccounts.
How this skill is triggered — by the user, by Claude, or both.
Slash command: `/vanguard-frontier-agentic:fluxcd-kustomization-helmrelease-review`
This skill is limited to the following tools:
The summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Review FluxCD `Kustomization`, `HelmRelease`, `GitRepository`, `HelmRepository`, and `OCIRepository` resources for source trust guarantees, SOPS secret encryption, prune-enabled blast radius on stateful workloads, per-Kustomization ServiceAccount scoping, HelmRelease upgrade remediation safety, and health check completeness. FluxCD's default posture gives the `kustomize-controller` cluster-admin-equivalent reach — the security surface lives in per-Kustomization ServiceAccounts, commit signature verification, SOPS encryption at rest, and prune annotation guards.
Flags:
- Secret manifests committed to any Git source as a CRITICAL finding — anyone with repo read access (CI, PR participants, auditors) has those secrets.
- `GitRepository.spec.ref.semver: ">=0.0.0"` or an unbound semver range in a production source as a HIGH finding — any tag push from a compromised upstream triggers a deploy.
- Missing `spec.verify.secretRef` (commit GPG signature verification) on production `GitRepository` sources as a HIGH finding.
- `Kustomization.spec.serviceAccountName` not set as a HIGH finding — the kustomize-controller SA applies with cluster-admin-equivalent scope for all tenants.
- `spec.prune: true` on Kustomizations covering stateful workloads (StatefulSets, PVCs, CRDs) without `kustomize.toolkit.fluxcd.io/prune: disabled` annotations as a HIGH finding.
- `HelmRelease.spec.chart.spec.version: "*"` or an unbound version range as a HIGH finding — any upstream chart publish triggers an auto-upgrade.
- `HelmRelease.spec.upgrade.remediation.retries: -1` (infinite retry) as a MEDIUM finding — a broken release blocks other reconciliation loops indefinitely.

Load these only when needed:
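As an added example (not the skill's or the plugin's own code), a stdlib-only Python checker that encodes these rules over Flux manifests already parsed into dicts, e.g. by a YAML loader; the resource names, the `app-deployer` ServiceAccount and the sample manifests are constructed.

```python
# Checker for the review rules above (added example, not the skill's own code).
# Inputs are manifests already parsed into dicts, e.g. by a YAML loader.
PRUNE_ANN = "kustomize.toolkit.fluxcd.io/prune"
STATEFUL_KINDS = {"StatefulSet", "PersistentVolumeClaim", "CustomResourceDefinition"}

def _get(obj, *path):
    """Walk nested dicts; None when any key is missing."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def unbounded_range(rng):
    """'*' or a '>=' floor with no '<' ceiling: every new tag or chart publish matches."""
    rng = str(rng).strip() if rng is not None else ""
    return rng == "*" or (rng.startswith(">=") and "<" not in rng)

def review(resources):
    """Return (severity, message) tuples. Assumes `resources` is the full set one
    Kustomization applies, so prune guards are checked on the stateful objects."""
    findings = []
    unguarded = [r["metadata"]["name"] for r in resources if r.get("kind") in STATEFUL_KINDS
                 and (_get(r, "metadata", "annotations") or {}).get(PRUNE_ANN) != "disabled"]
    for r in resources:
        kind, name, spec = r.get("kind"), _get(r, "metadata", "name"), r.get("spec") or {}
        if kind == "Secret":
            findings.append(("CRITICAL", f"Secret/{name} committed to a Git source"))
        elif kind == "GitRepository":
            if unbounded_range(_get(spec, "ref", "semver")):
                findings.append(("HIGH", f"GitRepository/{name}: unbound semver range"))
            if _get(spec, "verify", "secretRef") is None:
                findings.append(("HIGH", f"GitRepository/{name}: no commit signature verification"))
        elif kind == "Kustomization":
            if not spec.get("serviceAccountName"):
                findings.append(("HIGH", f"Kustomization/{name}: serviceAccountName not set"))
            if spec.get("prune") and unguarded:
                findings.append(("HIGH", f"Kustomization/{name}: prune enabled over {unguarded}"))
        elif kind == "HelmRelease":
            if unbounded_range(_get(spec, "chart", "spec", "version")):
                findings.append(("HIGH", f"HelmRelease/{name}: unbound chart version"))
            if _get(spec, "upgrade", "remediation", "retries") == -1:
                findings.append(("MEDIUM", f"HelmRelease/{name}: infinite upgrade retries"))
    return findings

# Constructed sample tenant that trips every rule once (7 findings: 1 CRITICAL, 5 HIGH, 1 MEDIUM).
WEAK = [{"kind": "GitRepository", "metadata": {"name": "app"}, "spec": {"ref": {"semver": ">=0.0.0"}}},
        {"kind": "Kustomization", "metadata": {"name": "app"}, "spec": {"prune": True}},
        {"kind": "StatefulSet", "metadata": {"name": "db"}},
        {"kind": "HelmRelease", "metadata": {"name": "cache"}, "spec": {"chart": {"spec": {"version": "*"}},
                                                                        "upgrade": {"remediation": {"retries": -1}}}},
        {"kind": "Secret", "metadata": {"name": "db-creds"}}]
```

The same tenant produces no findings once the `GitRepository` carries `verify.secretRef` and a `<` ceiling on its semver range, the `Kustomization` names a `serviceAccountName`, the StatefulSet carries the prune-disabled annotation, and the `HelmRelease` pins a bounded chart version with finite retries.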
npx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agentic