Commit 0f57d65

Hammad Haqqani and cursoragent committed
Add missing templates and prompts: kubernetes, python, cicd, migration, security-review
Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 144890d commit 0f57d65

2 files changed

Lines changed: 825 additions & 0 deletions

templates/kubernetes/CLAUDE.md

Lines changed: 355 additions & 0 deletions
@@ -0,0 +1,355 @@
1+
# Kubernetes Project Guidelines
2+
3+
This document provides context and conventions for Kubernetes manifest generation and management in this project.
4+
5+
## Project Context
6+
7+
This project manages Kubernetes resources using declarative manifests. All resources should be version-controlled, follow Kubernetes best practices, and be deployable across multiple environments.
8+
9+
## Code Style and Conventions
10+
11+
### File Organization
12+
13+
- **Manifests**: Organize by resource type or application component
14+
- **Environments**: Separate directories for `dev/`, `staging/`, `prod/`
15+
- **Base/Overlays**: Use Kustomize base/overlay pattern for environment-specific configs
16+
- **Helm Charts**: Place reusable components in `charts/` directory
17+
18+
### Directory Structure
19+
20+
```
21+
k8s/
22+
├── base/
23+
│ ├── deployment.yaml
24+
│ ├── service.yaml
25+
│ ├── configmap.yaml
26+
│ └── kustomization.yaml
27+
├── overlays/
28+
│ ├── dev/
29+
│ ├── staging/
30+
│ └── prod/
31+
└── charts/
32+
└── app-name/
33+
```
34+
35+
### Naming Conventions
36+
37+
- **Resources**: Use lowercase with hyphens (e.g., `app-frontend`, `db-backend`)
38+
- **Labels**: Use consistent label keys: `app`, `version`, `component`, `environment`
39+
- **Namespaces**: Use lowercase (e.g., `production`, `staging`, `development`)
40+
- **ConfigMaps/Secrets**: Use descriptive names matching their purpose
41+
42+
### Label Standards
43+
44+
Always include these standard labels:
45+
```yaml
46+
labels:
47+
app: application-name
48+
version: "1.0.0"
49+
component: frontend|backend|database
50+
environment: dev|staging|prod
51+
managed-by: kubernetes
52+
```
53+
54+
## Resource Patterns
55+
56+
### Deployments
57+
58+
- Always specify resource requests and limits
59+
- Use `replicas: 2` minimum for production
60+
- Set appropriate `revisionHistoryLimit`
61+
- Use `strategy.type: RollingUpdate` with proper `maxSurge` and `maxUnavailable`
62+
63+
Example:
64+
```yaml
65+
apiVersion: apps/v1
66+
kind: Deployment
67+
metadata:
68+
name: app-frontend
69+
labels:
70+
app: app-frontend
71+
component: frontend
72+
spec:
73+
replicas: 3
74+
revisionHistoryLimit: 3
75+
strategy:
76+
type: RollingUpdate
77+
rollingUpdate:
78+
maxSurge: 1
79+
maxUnavailable: 0
80+
selector:
81+
matchLabels:
82+
app: app-frontend
83+
template:
84+
metadata:
85+
labels:
86+
app: app-frontend
87+
spec:
88+
containers:
89+
- name: app
90+
image: app:1.0.0
91+
resources:
92+
requests:
93+
memory: "256Mi"
94+
cpu: "250m"
95+
limits:
96+
memory: "512Mi"
97+
cpu: "500m"
98+
```
99+
100+
### Services
101+
102+
- Use ClusterIP for internal services
103+
- Use LoadBalancer or NodePort only when necessary
104+
- Always define `selector` matching pod labels
105+
- Use meaningful port names
106+
107+
### ConfigMaps and Secrets
108+
109+
- Never commit secrets to version control
110+
- Use external secret management (Sealed Secrets, External Secrets Operator, etc.)
111+
- Store non-sensitive config in ConfigMaps
112+
- Use `immutable: true` for ConfigMaps that don't change
113+
114+
### Namespaces
115+
116+
- Create separate namespaces per environment
117+
- Use ResourceQuotas and LimitRanges
118+
- Apply NetworkPolicies for network isolation
119+
120+
## Security Best Practices
121+
122+
### Pod Security
123+
124+
1. **Security Context**: Always set security context
125+
```yaml
126+
securityContext:
127+
runAsNonRoot: true
128+
runAsUser: 1000
129+
fsGroup: 2000
130+
allowPrivilegeEscalation: false
131+
capabilities:
132+
drop:
133+
- ALL
134+
```
135+
136+
2. **Image Security**:
137+
- Use specific image tags (avoid `latest`)
138+
- Scan images for vulnerabilities
139+
- Use images from trusted registries
140+
- Prefer distroless or minimal base images
141+
142+
3. **Network Policies**: Implement network policies for pod-to-pod communication
143+
```yaml
144+
apiVersion: networking.k8s.io/v1
145+
kind: NetworkPolicy
146+
metadata:
147+
name: app-network-policy
148+
spec:
149+
podSelector:
150+
matchLabels:
151+
app: app-frontend
152+
policyTypes:
153+
- Ingress
154+
- Egress
155+
ingress:
156+
- from:
157+
- podSelector:
158+
matchLabels:
159+
app: app-backend
160+
ports:
161+
- protocol: TCP
162+
port: 8080
163+
```
164+
165+
4. **RBAC**: Follow principle of least privilege
166+
- Create specific ServiceAccounts for each application
167+
- Use Role/RoleBinding for namespace-scoped permissions
168+
- Use ClusterRole/ClusterRoleBinding sparingly
169+
170+
### Secrets Management
171+
172+
- Use Kubernetes Secrets for sensitive data (base64 encoded)
173+
- Prefer External Secrets Operator or Sealed Secrets
174+
- Rotate secrets regularly
175+
- Never log or expose secrets
176+
177+
## Resource Management
178+
179+
### Resource Requests and Limits
180+
181+
Always specify both requests and limits:
182+
```yaml
183+
resources:
184+
requests:
185+
memory: "256Mi"
186+
cpu: "250m"
187+
limits:
188+
memory: "512Mi"
189+
cpu: "500m"
190+
```
191+
192+
### Health Checks
193+
194+
Implement liveness and readiness probes:
195+
```yaml
196+
livenessProbe:
197+
httpGet:
198+
path: /health
199+
port: 8080
200+
initialDelaySeconds: 30
201+
periodSeconds: 10
202+
timeoutSeconds: 5
203+
failureThreshold: 3
204+
205+
readinessProbe:
206+
httpGet:
207+
path: /ready
208+
port: 8080
209+
initialDelaySeconds: 5
210+
periodSeconds: 5
211+
timeoutSeconds: 3
212+
failureThreshold: 3
213+
```
214+
215+
## Deployment Strategies
216+
217+
### Rolling Updates
218+
219+
Default strategy for zero-downtime deployments:
220+
```yaml
221+
strategy:
222+
type: RollingUpdate
223+
rollingUpdate:
224+
maxSurge: 1
225+
maxUnavailable: 0
226+
```
227+
228+
### Blue-Green Deployments
229+
230+
Use separate Deployments and switch Service selectors.
231+
232+
### Canary Deployments
233+
234+
Use Argo Rollouts or Flagger for canary deployments.
235+
236+
## Environment Management
237+
238+
### Kustomize Overlays
239+
240+
Use Kustomize for environment-specific configurations:
241+
```yaml
242+
# base/kustomization.yaml
243+
resources:
244+
- deployment.yaml
245+
- service.yaml
246+
247+
# overlays/prod/kustomization.yaml
248+
resources:
249+
- ../../base
250+
patches:
251+
- path: replica-patch.yaml
252+
```
253+
254+
### Helm Values
255+
256+
When using Helm, maintain separate values files:
257+
```
258+
charts/app/
259+
├── Chart.yaml
260+
├── values.yaml
261+
├── values-dev.yaml
262+
├── values-staging.yaml
263+
└── values-prod.yaml
264+
```
265+
266+
## Common Commands
267+
268+
```bash
269+
# Apply manifests
270+
kubectl apply -f manifests/
271+
272+
# Apply with Kustomize
273+
kubectl apply -k overlays/prod/
274+
275+
# Get resources
276+
kubectl get pods -n namespace-name
277+
kubectl get deployments,services -n namespace-name
278+
279+
# Describe resource
280+
kubectl describe pod pod-name -n namespace-name
281+
282+
# View logs
283+
kubectl logs pod-name -n namespace-name
284+
kubectl logs -f deployment/app-name -n namespace-name
285+
286+
# Execute command in pod
287+
kubectl exec -it pod-name -n namespace-name -- /bin/sh
288+
289+
# Port forward
290+
kubectl port-forward service/app-service 8080:80 -n namespace-name
291+
292+
# Delete resources
293+
kubectl delete -f manifests/
294+
kubectl delete pod pod-name -n namespace-name
295+
296+
# Scale deployment
297+
kubectl scale deployment app-name --replicas=5 -n namespace-name
298+
299+
# Rollout status
300+
kubectl rollout status deployment/app-name -n namespace-name
301+
302+
# Rollback
303+
kubectl rollout undo deployment/app-name -n namespace-name
304+
```
305+
306+
## Testing Requirements
307+
308+
### Pre-deployment Checks
309+
310+
- Validate YAML syntax: `kubectl apply --dry-run=client -f manifest.yaml`
311+
- Use `kubeval` or `kube-score` for validation
312+
- Test in dev environment first
313+
- Review resource requests/limits
314+
315+
### Validation Tools
316+
317+
- **kubeval**: Validate Kubernetes YAML files
318+
- **kube-score**: Static code analysis for Kubernetes
319+
- **polaris**: Kubernetes best practices checker
320+
- **kubectl diff**: Preview changes before applying
321+
322+
## Monitoring and Observability
323+
324+
### Labels for Monitoring
325+
326+
Ensure resources have labels for Prometheus/Grafana:
327+
```yaml
328+
labels:
329+
app: app-name
330+
component: frontend
331+
prometheus.io/scrape: "true"
332+
prometheus.io/port: "8080"
333+
prometheus.io/path: "/metrics"
334+
```
335+
336+
### Logging
337+
338+
- Use structured logging (JSON format)
339+
- Include correlation IDs
340+
- Set appropriate log levels
341+
- Use sidecar containers for log aggregation if needed
342+
343+
## Documentation
344+
345+
- Document all custom resources and their purposes
346+
- Include architecture diagrams
347+
- Document environment-specific configurations
348+
- Keep README.md updated with deployment instructions
349+
350+
## Additional Resources
351+
352+
- [Kubernetes Best Practices](https://kubernetes.io/docs/concepts/configuration/overview/)
353+
- [Kubernetes Security Best Practices](https://kubernetes.io/docs/concepts/security/)
354+
- [Kustomize Documentation](https://kustomize.io/)
355+
- [Helm Documentation](https://helm.sh/docs/)
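Review bot: the `securityContext` example under "Pod Security" mixes pod-level and container-level fields in a single block, so it will not validate as either: `fsGroup` is only accepted in `pod.spec.securityContext`, while `allowPrivilegeEscalation` and `capabilities` are only accepted in `containers[].securityContext`. Split it into two blocks (e.g. pod level `runAsNonRoot: true` / `runAsUser: 1000` / `fsGroup: 2000`, container level `allowPrivilegeEscalation: false` / `capabilities.drop: [ALL]`), and consider adding `readOnlyRootFilesystem: true` and a `seccompProfile` so the template matches the "Always set security context" rule; the Deployment example in "Resource Patterns" should then carry that container-level block too, since it currently has none. Under "Labels for Monitoring", `prometheus.io/scrape`, `prometheus.io/port` and `prometheus.io/path` are conventionally annotations, not labels, and `"/metrics"` is not a valid label value (label values may not contain `/`), so the manifest as written is rejected by the API server; move the three keys under `annotations:`. The NetworkPolicy example lists `Egress` in `policyTypes` but defines no `egress` rules, which denies all outbound traffic including DNS to kube-dns; either drop `Egress` from `policyTypes` or add an explicit egress rule for DNS (UDP/TCP 53) and the backends the pod needs. In "Secrets Management", "(base64 encoded)" reads as if encoding were a protection; say explicitly that base64 is not encryption and that Secrets need encryption at rest and RBAC restrictions on `get`/`list` to be meaningful, which also aligns with the "Never commit secrets to version control" rule earlier in the file. Minor: the standard label `managed-by: kubernetes` should use the recommended key `app.kubernetes.io/managed-by` with the managing tool (kustomize, helm) as the value.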
