Kubernetes Skill for Claude Code and Codex. LLMs hallucinate a lot with K8s - KubeShark fixes this. It eliminates hallucinations and grounds your Kubernetes, Helm etc official best practices.
name: kubernetes-skill
description: "Prevent Kubernetes hallucinations by diagnosing and fixing failure modes: insecure workload defaults, resource starvation, network exposure, privilege sprawl, fragile rollouts, and API drift. Use when generating, reviewing, refactoring, or migrating manifests, Helm charts, Kustomize overlays, cluster policies, and platform-specific Kubernetes work for EKS, GKE, AKS, OpenShift, GitOps controllers, or observability stacks."
KubeShark: Failure-Mode Workflow for Kubernetes
Run this workflow top to bottom.
1) Capture execution context
Record before writing manifests:
cluster version (e.g. 1.30, 1.31) and distribution (EKS, GKE, AKS, k3s, vanilla)
target namespace and environment criticality (dev/staging/prod)
workload type (Deployment, StatefulSet, Job, CronJob, DaemonSet)
API drift: wrong apiVersion, deprecated APIs, schema violations, tool-specific errors
3) Load only the relevant reference file(s)
Primary failure-mode references:
references/insecure-workload-defaults.md
references/resource-starvation.md
references/network-exposure.md
references/privilege-sprawl.md
references/fragile-rollouts.md
README.md
Kubernetes Skill for Claude Code and Codex: KubeShark
The #1 Kubernetes skill for Claude Code and Codex, measured by GitHub stars.
Fixes Hallucinations.
LLMs hallucinate a lot when it comes to Kubernetes. They omit security contexts, generate deprecated APIs, use wildcard RBAC, forget resource limits, and produce probes that cause cascading failures. This skill fixes it. It includes best practices for Kubernetes -- good, bad, and neutral examples so the AI avoids common mistakes. Using KubeShark, the AI keeps proven practices in mind, eliminates hallucinations, and defaults to secure, reliable, production-ready manifests.
KubeShark is built as the production-grade Kubernetes skill for Claude Code and Codex: broader than resource-template skills, safer than generic Kubernetes prompts, and tuned for hallucination prevention instead of raw tutorial volume.
Very Token-Efficient.
Most Kubernetes skills dump huge walls of text onto the agent and burn expensive tokens -- with no upside. LLMs don't need the entire Kubernetes docs again. KubeShark was aggressively de-duplicated and optimized for maximum quality per token.
The agent harness performance optimization system. Skills, instincts, memory, security, and research-first development for Claude Code, Codex, Opencode, Cursor and beyond.
That's it. Claude Code auto-discovers skills in ~/.claude/skills/ -- no restart needed.
Option 2: Marketplace
Claude Code has a built-in plugin system with marketplace support. Instead of cloning manually, you can add KubeShark's marketplace and install directly from the CLI:
Or use the interactive plugin manager -- run /plugin, switch to the Discover tab, and install from there. The marketplace reads the .claude-plugin/marketplace.json in this repo to register KubeShark as an installable plugin.
Option 3: Codex
Codex has no global skill system -- setup is per-project. Clone KubeShark into your repo and reference it from your AGENTS.md:
# Clone into your project root
git clone https://github.com/LukasNiessen/kubernetes-skill.git .kubernetes-skill
Then add to your AGENTS.md (or create one in the repo root):
## Kubernetes
When working with Kubernetes manifests, Helm charts, or Kustomize overlays, follow the workflow in `.kubernetes-skill/SKILL.md`.
Load references from `.kubernetes-skill/references/` as needed.
That's it!
Done. Now ask Claude Code / Codex any Kubernetes question. KubeShark responses follow the 7-step failure-mode workflow and include an output contract with assumptions, tradeoffs, and rollback notes.
Invoke explicitly:
/kubernetes-skill Create a production-ready Deployment with an Ingress and autoscaling
/kubernetes-skill Review my Deployment for security issues and add proper RBAC, NetworkPolicies, and resource limits
Or just ask naturally -- KubeShark activates automatically for any Kubernetes task:
Review my deployment.yaml for security issues
Create a Helm chart for a PostgreSQL StatefulSet with backup CronJobs
Why KubeShark
Overview
| Dimension | KubeShark | No Skill |
| ------------------------------- | ------------------------------------------------------ | ------------ |
| SKILL.md activation cost | Low, procedural workflow only | 0 |
| Reference granularity | 26 focused files | -- |
| Token burn per query | Low (load only matched refs) | 0 |
| Architecture | Failure-mode workflow | -- |
| Diagnoses before generating | Yes (Step 2) | No |
| Output contract | Yes -- assumptions, tradeoffs, rollback | No |
| Conditional references | EKS, GKE, AKS, OpenShift, GitOps, observability stacks | No |
| Security-first defaults | PSS restricted profile | No |
| Good/bad examples | Yes (2 dedicated files) | No |
| Do/Don't checklist | Yes (dedicated file) | No |
| Compliance coverage | NSA/CISA, OWASP K8s Top 10, CIS, Pod Security Standards | No |
| Hallucination prevention | Core design goal | No |
| Cross-resource validation | Label/selector/port consistency checks | No |
| Helm/Kustomize guidance | Dedicated reference files | No |
| Policy engine integration | Kyverno and OPA/Gatekeeper patterns | No |
| License | MIT | -- |
Why Failure-Mode-First Matters for Kubernetes
The key insight is architectural. A static reference manual gives Claude information but never tells it how to think about a problem. There's no diagnosis step, no risk assessment, and no structured output -- Claude reads the reference and generates whatever it thinks fits.
KubeShark takes the opposite approach. The core SKILL.md is a compact operational workflow. It forces Claude through a diagnostic sequence: capture context -> identify failure modes -> load only the relevant references -> propose fixes with explicit risk controls -> validate -> deliver a structured output contract.
This matters for Kubernetes specifically because:
Silent failures are common. A Service with the wrong selector deploys successfully but routes to nothing. A NetworkPolicy with a mistyped label silently does nothing. Unlike Terraform, Kubernetes accepts most manifests without error -- failures surface at runtime.
Multi-dimensional risk. Kubernetes operates across security, networking, scheduling, storage, and application lifecycle simultaneously. An LLM must reason about all these dimensions for every resource.
Training data pollution. Kubernetes has had aggressive API deprecation. The LLM training corpus contains vast amounts of pre-1.22 YAML using removed APIs. Without diagnosis, the LLM confidently generates deprecated configurations.
Skill Comparison
Here's how KubeShark compares to other public Kubernetes-focused agent skills found during the May 2026 review. This compares Kubernetes skill behavior, not full runtime observability products or broad skill collections.
| Dimension | KubeShark | Kubernetes Resource Management | Kube Audit Kit | Kubernetes Operations |
| --------------------------------- | -------------------------------------------------- | ---------------------------------- | ---------------------------------- | ---------------------------------- |
| Primary goal | Generate, review, refactor, and harden K8s safely | Explain and template core objects | Read-only cluster security audits | Kubectl operations and debugging |
| Failure-mode workflow | Yes: six explicit Kubernetes failure modes | No | Audit workflow only | Partial operational workflow |
| Manifest generation/review | Yes | Yes | No, audit-focused | Yes |
| Helm/Kustomize guidance | Dedicated references | No dedicated coverage | No | Not primary |
| Platform-specific guidance | EKS, GKE, AKS, OpenShift via CRR | No | No
A Claude Code plugin that automatically captures everything Claude does during your coding sessions, compresses it with AI (using Claude's agent-sdk), and injects relevant context back into future sessions.
