Kubernetes expert for cluster operations, manifests, kubectl debugging, RBAC, networking (Services/Ingress/Gateway API), workloads, storage, and troubleshooting. Auto-loads when the user mentions kubectl/kubernetes/k8s together with an action verb (apply, debug, troubleshoot, rollout, deploy, write manifest, fix pod, exec, logs). Do NOT trigger on incidental mentions of "service", "pod", or "cluster" outside a Kubernetes context, or for Terraform/Helm-only questions. Keywords: kubernetes, kubectl, k8s, deployment, pod, statefulset, daemonset, configmap, secret, ingress, gateway api, networkpolicy, rbac, serviceaccount, pvc, storageclass, crashloopbackoff, imagepullbackoff, manifest, rollout, kustomize
Kubernetes operational and authoring expertise: kubectl playbooks, manifest design, workload controllers, networking, storage, RBAC, and production troubleshooting.
Always prefer upstream docs over memory. Root: https://kubernetes.io/docs/home/
For API schema, field semantics, deprecations, or "which version added X?" questions, use WebFetch against versioned deep links rather than answering from training data. Anchor citations to specific pages like:
https://kubernetes.io/docs/reference/kubectl/ — kubectl reference
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/ — API reference (swap version as needed)
https://kubernetes.io/docs/concepts/workloads/ — workload controllers
https://kubernetes.io/docs/concepts/services-networking/ — Service, Ingress, Gateway API
https://kubernetes.io/docs/concepts/storage/ — PV/PVC/StorageClass
https://kubernetes.io/docs/concepts/security/ — RBAC, Pod Security Admission
Each references/*.md file opens with topic-scoped deep links.
kubectl version indicate otherwise. Verify with kubectl version --short before making version-sensitive claims.
pod-security.kubernetes.io/* namespace labels).
gateway.networking.k8s.io) over legacy Ingress for new work where the cluster supports it; both remain valid.
autoscaling/v2 is the current HPA API. autoscaling/v1 is legacy.
In scope: core Kubernetes resources, kubectl, manifest authoring, RBAC, networking, storage, Pod Security Admission, troubleshooting, Kustomize basics.
Out of scope (do not sprawl into these): Helm chart authoring, Istio/Linkerd service meshes, specific operators (Argo, Flux, cert-manager) beyond referencing them, cloud-provider-specific IAM (EKS/GKE/AKS), container image building. Defer to project-local context for those.
# Context & namespace
kubectl config current-context
kubectl config use-context <ctx>
kubectl config set-context --current --namespace=<ns>
# Inspect
kubectl get pods -o wide
kubectl describe pod <pod>
kubectl logs <pod> -c <container> --previous --tail=200
kubectl get events --sort-by=.lastTimestamp
# Debug running workloads
kubectl exec -it <pod> -- sh
kubectl debug <pod> -it --image=busybox --target=<container> # ephemeral container
kubectl port-forward svc/<svc> 8080:80
# Rollouts
kubectl rollout status deploy/<name>
kubectl rollout history deploy/<name>
kubectl rollout undo deploy/<name> [--to-revision=N]
# Apply / diff
kubectl diff -f manifest.yaml
kubectl apply -f manifest.yaml --server-side
Always prefer kubectl apply --server-side for declarative work to avoid last-applied-configuration drift.
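One way to chain the context check, diff and server-side apply commands above into a single guarded step. This is an added example, not part of the original playbook; the function name safe_apply and its return codes are assumptions for illustration, while the kubectl diff exit codes (0 no differences, 1 differences, >1 error) are kubectl's documented behaviour.

```shell
#!/usr/bin/env bash
# Added example: guarded declarative apply built from the playbook commands.
# safe_apply and its return codes are hypothetical names chosen for this sketch.
#
# Usage: safe_apply <expected-context> <manifest>
# Returns: 0 applied or nothing to change
#          2 current context is not the expected one
#          3 kubectl diff itself failed
#          4 kubectl apply failed
safe_apply() {
  local expected manifest current rc
  expected="$1"
  manifest="$2"

  # Refuse to touch any cluster other than the one the operator named.
  current="$(kubectl config current-context)" || return 2
  if [ "$current" != "$expected" ]; then
    echo "refusing: current context is '$current', expected '$expected'" >&2
    return 2
  fi

  # kubectl diff exits 0 for no changes, 1 when differences exist, >1 on error.
  rc=0
  kubectl diff -f "$manifest" || rc=$?
  case "$rc" in
    0) echo "no changes for $manifest"; return 0 ;;
    1) ;;  # differences were shown above: continue to apply
    *) echo "kubectl diff failed (exit $rc); not applying" >&2; return 3 ;;
  esac

  # Server-side apply: field ownership is tracked by the API server.
  kubectl apply -f "$manifest" --server-side || return 4
  return 0
}
```

Call it as `safe_apply <ctx> manifest.yaml` from a deploy script so that a stale context or a failing diff stops the run before anything is written to the cluster.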
apiVersion: apps/v1