{"kind":"AgentDefinition","metadata":{"namespace":"community","name":"kubernetes-manifests","version":"0.1.0"},"spec":{"agents_md":"---\napplyTo: 'k8s/**/*.yaml,k8s/**/*.yml,manifests/**/*.yaml,manifests/**/*.yml,deploy/**/*.yaml,deploy/**/*.yml,charts/**/templates/**/*.yaml,charts/**/templates/**/*.yml'\ndescription: 'Best practices for Kubernetes YAML manifests including labeling conventions, security contexts, pod security, resource management, probes, and validation commands'\n---\n\n# Kubernetes Manifests Instructions\n\n## Your Mission\n\nCreate production-ready Kubernetes manifests that prioritize security, reliability, and operational excellence with consistent labeling, proper resource management, and comprehensive health checks.\n\n## Labeling Conventions\n\n**Required Labels** (Kubernetes recommended):\n- `app.kubernetes.io/name`: Application name\n- `app.kubernetes.io/instance`: Instance identifier\n- `app.kubernetes.io/version`: Version\n- `app.kubernetes.io/component`: Component role\n- `app.kubernetes.io/part-of`: Application group\n- `app.kubernetes.io/managed-by`: Management tool\n\n**Additional Labels**:\n- `environment`: Environment name\n- `team`: Owning team\n- `cost-center`: For billing\n\n**Useful Annotations**:\n- Documentation and ownership\n- Monitoring: `prometheus.io/scrape`, `prometheus.io/port`, `prometheus.io/path`\n- Change tracking: git commit, deployment date\n\n## SecurityContext Defaults\n\n**Pod-level**:\n- `runAsNonRoot: true`\n- `runAsUser` and `runAsGroup`: Specific IDs\n- `fsGroup`: File system group\n- `seccompProfile.type: RuntimeDefault`\n\n**Container-level**:\n- `allowPrivilegeEscalation: false`\n- `readOnlyRootFilesystem: true` (with tmpfs mounts for writable dirs)\n- `capabilities.drop: [ALL]` (add only what's needed)\n\n## Pod Security Standards\n\nUse Pod Security Admission:\n- **Restricted** (recommended for production): Enforces security hardening\n- **Baseline**: Minimal security requirements\n- Apply at namespace level\n\n## Resource Requests and Limits\n\n**Always define**:\n- Requests: Guaranteed minimum (scheduling)\n- Limits: Maximum allowed (prevents exhaustion)\n\n**QoS Classes**:\n- **Guaranteed**: requests == limits (best for critical apps)\n- **Burstable**: requests \u003c limits (flexible resource use)\n- **BestEffort**: No resources defined (avoid in production)\n\n## Health Probes\n\n**Liveness**: Restart unhealthy containers\n**Readiness**: Control traffic routing\n**Startup**: Protect slow-starting applications\n\nConfigure appropriate delays, periods, timeouts, and thresholds for each.\n\n## Rollout Strategies\n\n**Deployment Strategy**:\n- `RollingUpdate` with `maxSurge` and `maxUnavailable`\n- Set `maxUnavailable: 0` for zero-downtime\n\n**High Availability**:\n- Minimum 2-3 replicas\n- Pod Disruption Budget (PDB)\n- Anti-affinity rules (spread across nodes/zones)\n- Horizontal Pod Autoscaler (HPA) for variable load\n\n## Validation Commands\n\n**Pre-deployment**:\n- `kubectl apply --dry-run=client -f manifest.yaml`\n- `kubectl apply --dry-run=server -f manifest.yaml`\n- `kubeconform -strict manifest.yaml` (schema validation)\n- `helm template ./chart | kubeconform -strict` (for Helm)\n\n**Policy Validation**:\n- OPA Conftest, Kyverno, or Datree\n\n## Rollout \u0026 Rollback\n\n**Deploy**:\n- `kubectl apply -f manifest.yaml`\n- `kubectl rollout status deployment/NAME`\n\n**Rollback**:\n- `kubectl rollout undo deployment/NAME`\n- `kubectl rollout undo deployment/NAME --to-revision=N`\n- `kubectl rollout history deployment/NAME`\n\n**Restart**:\n- `kubectl rollout restart deployment/NAME`\n\n## Manifest Checklist\n\n- [ ] Labels: Standard labels applied\n- [ ] Annotations: Documentation and monitoring\n- [ ] Security: runAsNonRoot, readOnlyRootFilesystem, dropped capabilities\n- [ ] Resources: Requests and limits defined\n- [ ] Probes: Liveness, readiness, startup configured\n- [ ] Images: Specific tags (never :latest)\n- [ ] Replicas: Minimum 2-3 for production\n- [ ] Strategy: RollingUpdate with appropriate surge/unavailable\n- [ ] PDB: Defined for production\n- [ ] Anti-affinity: Configured for HA\n- [ ] Graceful shutdown: terminationGracePeriodSeconds set\n- [ ] Validation: Dry-run and kubeconform passed\n- [ ] Secrets: In Secrets resource, not ConfigMaps\n- [ ] NetworkPolicy: Least-privilege access (if applicable)\n\n## Best Practices Summary\n\n1. Use standard labels and annotations\n2. Always run as non-root with dropped capabilities\n3. Define resource requests and limits\n4. Implement all three probe types\n5. Pin image tags to specific versions\n6. Configure anti-affinity for HA\n7. Set Pod Disruption Budgets\n8. Use rolling updates with zero unavailability\n9. Validate manifests before applying\n10. Enable read-only root filesystem when possible\n","description":"Best practices for Kubernetes YAML manifests including labeling conventions, security contexts, pod security, resource management, probes, and validation commands","import":{"commit_sha":"541b7819d8c3545c6df122491af4fa1eae415779","imported_at":"2026-05-18T20:05:35Z","license_text":"MIT License\n\nCopyright GitHub, Inc.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.","owner":"github","repo":"github/awesome-copilot","source_url":"https://github.com/github/awesome-copilot/blob/541b7819d8c3545c6df122491af4fa1eae415779/instructions/kubernetes-manifests.instructions.md"},"manifest":{}},"content_hash":[116,124,210,39,247,199,170,75,149,40,161,66,80,139,239,144,242,9,224,100,100,80,136,98,84,165,31,100,165,4,77,4],"trust_level":"unsigned","yanked":false}