Kubernetes and Crossplane standards for NebInfra. Covers kubectl debugging patterns, validation rules, multi-cloud provisioning, and Crossplane composition patterns. Load when working on any K8s or infrastructure repository.
Requires: neb-standards (Layer 0)
EVERY kubectl command MUST use a timeout. Commands can hang indefinitely on stuck resources, finalizers, or network issues.
```bash
timeout 10s kubectl get <resource> <name> -n <ns> -o wide   # Quick status
timeout 10s kubectl get <resource> <name> -n <ns> -o jsonpath='{range .status.conditions[*]}{.type}={.status} {.reason}: {.message}{"\n"}{end}'
timeout 30s kubectl get events -n <ns> --sort-by='.lastTimestamp'   # Event analysis
timeout 30s kubectl logs -n <ns> -l <selector> --tail=200           # Log analysis
```
When any resource is stuck, failing, or needs investigation, follow all five phases in order:
ALWAYS check status.conditions FIRST -- never poll high-level status fields.
```bash
# Ready condition
timeout 10s kubectl get <resource> <name> -n <ns> -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
# Synced condition (Crossplane)
timeout 10s kubectl get <resource> <name> -n <ns> -o jsonpath='{.status.conditions[?(@.type=="Synced")].status}'
```
```bash
# Provider pod health, then provider logs filtered for failure patterns
timeout 10s kubectl get pods -n crossplane-system -l pkg.crossplane.io/provider=provider-aws
timeout 30s kubectl logs -n crossplane-system -l pkg.crossplane.io/provider=provider-aws --tail=200 | \
  grep -iE "(error|fail|delete|cleanup|finalizer)" | tail -30
```
Common error patterns: CannotDeleteExternalResource, CannotCreateExternalResource, InvalidParameterException, AccessDeniedException, refuse to update (immutable field).
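The conditions-first check and the error-pattern match above, as an added example that is not part of the NebInfra standard: it triages a Crossplane managed resource from the JSON `kubectl get` returns, runs the query under a hard timeout, and names the next debugging step. The sample object is constructed, not taken from a real cluster.

```python
"""Triage a Crossplane managed resource from `kubectl get ... -o json` output."""
import json
import re
import subprocess

# The common error patterns listed above; matched against reason and message.
KNOWN_PATTERNS = re.compile(
    r"CannotDeleteExternalResource|CannotCreateExternalResource|"
    r"InvalidParameterException|AccessDeniedException|refuse to update|immutable",
    re.IGNORECASE,
)


def fetch_resource(kind, name, namespace, timeout=10):
    """Query the cluster with a timeout, as every kubectl call here must."""
    out = subprocess.run(
        ["kubectl", "get", kind, name, "-n", namespace, "-o", "json"],
        capture_output=True, text=True, check=True, timeout=timeout,
    )
    return json.loads(out.stdout)


def triage(obj):
    """Read status.conditions first, then decide which phase to go to next."""
    conditions = {c["type"]: c for c in obj.get("status", {}).get("conditions", [])}
    ready = conditions.get("Ready", {}).get("status", "Unknown")
    synced = conditions.get("Synced", {}).get("status", "Unknown")
    errors = []
    for c in conditions.values():
        text = f"{c.get('reason', '')}: {c.get('message', '')}"
        if c.get("status") != "True" and KNOWN_PATTERNS.search(text):
            errors.append(text)
    if "deletionTimestamp" in obj.get("metadata", {}):
        next_step = "stuck deletion: inspect finalizers and provider logs"
    elif synced != "True":
        next_step = "sync failure: read provider pod logs"
    elif ready != "True":
        next_step = "not ready: check events"
    else:
        next_step = "healthy"
    return {"ready": ready, "synced": synced, "errors": errors, "next_step": next_step}


# Constructed sample: a VPC whose provider cannot create the external resource.
SAMPLE = {
    "metadata": {"name": "nebcore-vpc-prod-us-west-2", "namespace": "infra"},
    "status": {"conditions": [
        {"type": "Ready", "status": "False", "reason": "Unavailable", "message": ""},
        {"type": "Synced", "status": "False", "reason": "ReconcileError",
         "message": "cannot create external resource: AccessDeniedException: not authorized"},
    ]},
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```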
When a resource has deletionTimestamp but remains:
NEVER use --force, --disable-openapi-validation, --skip-crds, or similar flags. If validation fails, investigate and fix the spec. Use kubectl apply --dry-run=server to validate before applying.
AI models MUST NOT write directly to clusters. All changes go through deployment processes:
- Deployment process: `helm template ... | kubectl apply -f -`
- Direct changes (not permitted): `kubectl apply -f resource.yaml`, `kubectl create`, `kubectl patch`

Exception -- Patch-First Debugging: When iterating on Helm chart changes for deployed resources, `kubectl patch` is permitted under strict conditions:
This avoids burning CI cycles (minutes each) for changes testable in seconds.
| Provider | Status | Identity | Tags Format |
|---|---|---|---|
| AWS | Primary, production-ready | IRSA | Dict (key-value) |
| GCP | Secondary, expanding | Workload Identity | List (key-value objects) |
| Azure | Future | Managed Identities | Dict (key-value) |
| On-Prem | Production (K8s-based) | AWS IAM | K8s labels |
AWS and Azure use dictionary tags. GCP uses list-format labels. On-prem uses K8s labels/annotations. Use the utils-common.tags.data helper with the appropriate tagsDataType (dict or list).
Resource name examples: `nebcore-vpc-prod-us-west-2`, `nebcore-vpc-prod`, `NebcoreVnet-Prod`