K8s Manifest Generator
Generates complete Kubernetes manifests from a service description with resource limits, probes, autoscaling, services, and ingress configured. Useful for shipping production-grade K8s deployments without manifest hand-crafting.

Who it is for: platform engineers and SREs deploying new services to Kubernetes, tech leads at companies standardizing their manifest patterns, startup CTOs without a dedicated DevOps hire.

Why it exists: a manifest that "works" often ships without the production-critical pieces: distinct liveness and readiness probes, realistic resource limits (not just requests), a sensible autoscaling profile, a non-root security context, pod disruption budgets, and an image pull policy that matches the image tag strategy. AI-generated manifests routinely skip one or more of these. A structured generator produces production-grade YAML that survives a real incident.
One-Time Purchase
$19.99
Kubernetes Manifests — payments-api (K8s 1.29, nginx ingress)
Target cluster: prod-us-east · Namespace: payments · Service tier: 1
At a glance
A production-grade manifest set for payments-api: distinct liveness and readiness probes (not the same endpoint), realistic CPU/memory requests + limits, HorizontalPodAutoscaler 3→12 replicas at 70% CPU, non-root SecurityContext with read-only root FS, PodDisruptionBudget at minAvailable=2, and an ingress wired to a real TLS secret. Image tag pinned by digest; imagePullPolicy: IfNotPresent matches.
What this set covers
deployment.yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
  labels:
    app.kubernetes.io/name: payments-api
    app.kubernetes.io/component: api
    app.kubernetes.io/part-of: payments
spec:
  replicas: 3
  revisionHistoryLimit: 5
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0 # zero-downtime rollouts
  selector:
    matchLabels:
      app.kubernetes.io/name: payments-api
  template:
    metadata:
      labels:
        app.kubernetes.io/name: payments-api
      annotations:
        # Force re-roll when ConfigMap changes
        checksum/config: "{{ .Values.configChecksum }}"
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: api
          # Digest pin — never use a moving tag in production
          image: ghcr.io/example-org/payments-api@sha256:7c2d4e0b5a1c8f3b9e2a6d8c1f4b7e9a2d5c8f1e4b7a9c2d5e8f1b4c7a9d2e5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          env:
            - name: PORT
              value: "8080"
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: payments-api-secrets
                  key: database-url
            - name: STRIPE_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: payments-api-secrets
                  key: stripe-secret-key
          resources:
            requests:
              cpu: 250m
              memory: 384Mi
            limits:
              cpu: 1000m
              memory: 768Mi # 2× request — caps OOM blast radius
          readinessProbe:
            httpGet:
              path: /ready # checks DB + Stripe reachability
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /healthz # process-only check; does NOT touch DB
              port: http
            initialDelaySeconds: 30
            periodSeconds: 15
            timeoutSeconds: 3
            failureThreshold: 3
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: cache
              mountPath: /app/cache
      volumes:
        - name: tmp
          emptyDir: {}
        - name: cache
          emptyDir: {}
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: ScheduleAnyway
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: payments-api
```
service.yaml and ingress.yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: payments-api
  namespace: payments
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: payments-api
  ports:
    - name: http
      port: 80
      targetPort: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: payments-api
  namespace: payments
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/hsts: "true"
    nginx.ingress.kubernetes.io/hsts-max-age: "31536000"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts: [payments.example.com]
      secretName: payments-api-tls
  rules:
    - host: payments.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: payments-api
                port:
                  name: http
```
hpa.yaml, pdb.yaml, networkpolicy.yaml
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: payments-api
  namespace: payments
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: payments-api
  minReplicas: 3
  maxReplicas: 12
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300 # 5-min cool-down — avoid thrash
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: payments-api
  namespace: payments
spec:
  minAvailable: 2 # paired with 3 replicas; prevents drain to 0
  selector:
    matchLabels:
      app.kubernetes.io/name: payments-api
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: payments-api
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: payments
      ports: [{ port: 5432 }] # Postgres
    - to: [] # DNS + outbound HTTPS to Stripe
      ports:
        - port: 53
          protocol: UDP
        - port: 443
```
Resource Decisions
| Field | Value | Why |
|---|---|---|
| replicas | 3 | Aligned with PDB minAvailable: 2 |
| resources.requests.cpu | 250m | Sized off observed p95 over the last 30 days |
| resources.limits.memory | 768Mi | 2× request; bounded OOM blast radius |
| readinessProbe | /ready | Distinct from liveness; checks DB + Stripe |
| livenessProbe | /healthz | Process-only; never restarts on dependency outage |
| runAsNonRoot | true | UID 10001, read-only root FS |
| imagePullPolicy | IfNotPresent | Matches the digest-pinned image reference |
| maxUnavailable | 0 | Zero-downtime rolling update |
Security controls in this set
Production readiness
Two items to confirm before applying to prod-us-east: (1) The HPA needs metrics-server installed; without it the autoscaler reports the CPU target as unknown and never scales. Verify with kubectl top pods -n payments. (2) The Stripe secret must already exist in the payments namespace: apply payments-api-secrets from your sealed-secret pipeline before the Deployment, or the pod stays in CreateContainerConfigError.
Do not skip
The /healthz liveness endpoint must not touch the database or any downstream service. A liveness probe that fails on dependency outage causes a kill-loop that takes the service down harder than the original problem. Keep /healthz as a process-only liveness check; put DB and Stripe reachability in /ready only.
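The checker below is an added example written for this page, not part of the generator or its output. It tests a parsed manifest set for the pieces the sample is built around (digest pin, distinct liveness and readiness paths, requests and limits, non-root and read-only container, PDB headroom) and encodes the liveness rule above as a hard failure. It takes the dict form that yaml.safe_load returns for each document; the embedded documents are constructed to mirror payments-api with a placeholder digest, and copy_pasted_variant builds the kind of manifest that "works" in staging but fails these checks.

```python
"""Production-readiness checks for a Deployment/PDB/HPA set. Added example,
not the generator's output; inputs are dicts as yaml.safe_load returns them.
The sample documents below are constructed (placeholder digest)."""
import copy
import re
from typing import Dict, List

# A production pin is the full 64-hex-char sha256 digest, never a tag.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
UNITS = {"m": 0.001, "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3}

def quantity(q) -> float:
    """Parse a Kubernetes quantity (250m, 384Mi, 1) so limits and requests compare."""
    s = str(q)
    for suffix, mult in UNITS.items():
        if s.endswith(suffix):
            return float(s[: -len(suffix)]) * mult
    return float(s)

def check_deployment(dep: Dict) -> List[str]:
    """Return findings for one Deployment; an empty list means it passes."""
    findings = []
    pod = dep["spec"]["template"]["spec"]
    if pod.get("automountServiceAccountToken", True):
        findings.append("pod: automountServiceAccountToken should be false")
    if not pod.get("securityContext", {}).get("runAsNonRoot"):
        findings.append("pod: securityContext.runAsNonRoot must be true")
    for c in pod["containers"]:
        name = c["name"]
        if not DIGEST_RE.search(c.get("image", "")):
            findings.append(f"{name}: image is not pinned by a full sha256 digest")
        ready = c.get("readinessProbe", {}).get("httpGet", {}).get("path")
        live = c.get("livenessProbe", {}).get("httpGet", {}).get("path")
        if not ready or not live:
            findings.append(f"{name}: readinessProbe and livenessProbe are both required")
        elif ready == live:
            # Same path means a dependency outage restarts the pod in a loop.
            findings.append(f"{name}: liveness and readiness share {ready}; "
                            "liveness must be process-only")
        res = c.get("resources", {})
        for kind in ("cpu", "memory"):
            req = res.get("requests", {}).get(kind)
            lim = res.get("limits", {}).get(kind)
            if req is None or lim is None:
                findings.append(f"{name}: {kind} request and limit are both required")
            elif quantity(lim) < quantity(req):
                findings.append(f"{name}: {kind} limit is below its request")
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
    return findings

def check_disruption_budget(dep: Dict, pdb: Dict, hpa: Dict) -> List[str]:
    """minAvailable at or above the replica floor blocks every voluntary drain."""
    floor = min(dep["spec"]["replicas"], hpa["spec"]["minReplicas"])
    min_avail = pdb["spec"]["minAvailable"]
    if min_avail >= floor:
        return [f"pdb: minAvailable={min_avail} leaves no drain headroom at {floor} replicas"]
    return []

# Constructed sample mirroring the set above, abridged to the checked fields.
PLACEHOLDER_DIGEST = "ab" * 32  # constructed placeholder, not a real image digest
DEPLOYMENT = {"kind": "Deployment", "spec": {"replicas": 3, "template": {"spec": {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{
        "name": "api",
        "image": "ghcr.io/example-org/payments-api@sha256:" + PLACEHOLDER_DIGEST,
        "resources": {"requests": {"cpu": "250m", "memory": "384Mi"},
                      "limits": {"cpu": "1000m", "memory": "768Mi"}},
        "readinessProbe": {"httpGet": {"path": "/ready", "port": "http"}},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": "http"}},
        "securityContext": {"allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
    }]}}}}
HPA = {"kind": "HorizontalPodAutoscaler", "spec": {"minReplicas": 3, "maxReplicas": 12}}
PDB = {"kind": "PodDisruptionBudget", "spec": {"minAvailable": 2}}

def copy_pasted_variant() -> Dict:
    """The manifest that 'works' but would not survive an incident: moving tag,
    liveness pointed at the dependency-checking endpoint, no limits, writable root."""
    bad = copy.deepcopy(DEPLOYMENT)
    c = bad["spec"]["template"]["spec"]["containers"][0]
    c["image"] = "ghcr.io/example-org/payments-api:latest"
    c["livenessProbe"]["httpGet"]["path"] = "/ready"
    del c["resources"]["limits"]
    del c["securityContext"]["readOnlyRootFilesystem"]
    return bad

if __name__ == "__main__":
    for finding in check_deployment(copy_pasted_variant()):
        print(finding)
```

Run it against real files by replacing the constructed dicts with the documents from yaml.safe_load_all over the generated YAML; the sample set passes with no findings, while the copy-pasted variant reports the unpinned image, the shared probe path, the two missing limits and the writable root filesystem.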
Apply Order
```sh
kubectl apply -f networkpolicy.yaml -n payments
kubectl apply -f service.yaml -n payments
kubectl apply -f deployment.yaml -n payments
kubectl apply -f hpa.yaml -n payments
kubectl apply -f pdb.yaml -n payments
kubectl apply -f ingress.yaml -n payments
kubectl rollout status deployment/payments-api -n payments --timeout=2m
```
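The script below is an added example, not the generator's output: it gates the apply order above behind the two preflight checks from the Production readiness section, so nothing is applied when metrics-server is absent or the payments-api-secrets Secret is missing. It assumes kubectl is on PATH and already pointed at the target cluster, and that the six manifest files live in the directory passed as the first argument; the NAMESPACE, DEPLOYMENT and SECRET variables are this script's own names and default to the values used in the sample.

```sh
#!/bin/sh
# Added example: preflight checks plus the documented apply order.
# Assumes kubectl is configured for the target cluster; usage: ./apply.sh ./manifests
set -eu

NAMESPACE="${NAMESPACE:-payments}"
DEPLOYMENT="${DEPLOYMENT:-payments-api}"
SECRET="${SECRET:-payments-api-secrets}"

# Check 1: the HPA needs metrics-server; `kubectl top` only succeeds when it is serving.
check_metrics_server() {
  kubectl top pods -n "$NAMESPACE" >/dev/null 2>&1
}

# Check 2: the Secret the Deployment references must exist before pods are created.
check_secret_exists() {
  kubectl get secret "$SECRET" -n "$NAMESPACE" >/dev/null 2>&1
}

# Runs both checks, reports each, and returns non-zero if any failed.
preflight() {
  rc=0
  if check_metrics_server; then
    echo "ok:   metrics-server is serving pod metrics in $NAMESPACE"
  else
    echo "FAIL: metrics-server not available; the HPA would report unknown and never scale"
    rc=1
  fi
  if check_secret_exists; then
    echo "ok:   secret/$SECRET exists in $NAMESPACE"
  else
    echo "FAIL: secret/$SECRET missing; pods would sit in CreateContainerConfigError"
    rc=1
  fi
  return "$rc"
}

# Applies the manifests in the documented order, then waits for the rollout.
apply_all() {
  dir="$1"
  for f in networkpolicy service deployment hpa pdb ingress; do
    kubectl apply -f "$dir/$f.yaml" -n "$NAMESPACE"
  done
  kubectl rollout status "deployment/$DEPLOYMENT" -n "$NAMESPACE" --timeout=2m
}

# Only act when a manifest directory is given, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
  preflight || { echo "preflight failed; nothing applied" >&2; exit 1; }
  apply_all "$1"
fi
```

Override NAMESPACE, DEPLOYMENT or SECRET in the environment to reuse the script for another service; a failed preflight exits before the first kubectl apply, which is the point of running it ahead of the rollout rather than discovering a stuck HPA or CreateContainerConfigError afterwards.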
Generated by the ClearPoint Nexus K8s Manifest Generator skill. Verify resource sizing against production traffic before scaling beyond staging.
This sample illustrates the skill's output format. Names, metrics, and operational details are illustrative unless the artifact explicitly analyzes public information.
All sales final. No refunds on digital products.
Includes support for Claude Code, Codex, OpenClaw, and Google Antigravity in the same license.
Also in DevOps Foundations
Bundle price: $44. Compare this skill with the full workflow bundle or Pro access.
Best for
Platform engineers and SREs shipping a new service to a Kubernetes cluster who need a manifest with probes, resource limits, autoscaling, and a non-root security context wired up correctly the first time. Most valuable for teams without a dedicated DevOps hire where the alternative is copy-pasting a manifest from the last service and forgetting which pieces don’t apply.
Not ideal for
Teams already on a higher-level abstraction (Helm charts they maintain, Crossplane, internal platform tooling) where the raw manifest output bypasses the team’s own conventions. Also a poor fit for stateful workloads with bespoke storage and ordering requirements (operators, custom controllers) where the generic template misses the specifics that actually matter.
Included in this purchase
- Claude Code, Codex, OpenClaw, and Google Antigravity skill files.
- Setup guidance for the right adapter in your workspace.
- One-time license for the purchased skill version.
Setup
Plan for a short setup in the repository or workspace where the skill will run. Some coding familiarity helps for implementation-heavy outputs.
Future Updates
This purchase includes the current version of the skill. If you want future adapter updates — meaning compatibility and packaging updates as supported platforms evolve — plus new catalog additions included automatically, upgrade to Pro.