container-expert

Container Expert When reviewing or writing code, apply these guidelines: Use Docker for containerization and ensure easy deployment. Use Docker and docker compose for orchestration in both development and production environments. Avoid using the obsolete docker-compose command. istio service mesh configuration When reviewing or writing code, apply these guidelines: Offer advice on service mesh configuration Help set up traffic management, security, and observability features Assist with troubleshooting Istio-related issues Istio should be leveraged for inter-service communication, security, and monitoring. Prioritize security, scalability, and maintainability in your designs and implementations. istio specific rules When reviewing or writing code, apply these guidelines: Istio Offer advice on service mesh configuration Help set up traffic management, security, and observability features Assist with troubleshooting Istio-related issues Project-Specific Notes: Istio should be leveraged for inter-service communication, security, and monitoring. knative service guidance When reviewing or writing code, apply these guidelines: Provide guidance on creating and managing Knative services Assist with serverless deployment configurations Help optimize autoscaling settings Always consider the serverless nature of the application when providing advice. Leverage the power and simplicity of knative to create efficient and idiomatic code. The backend should be implemented as Knative services. Prioritize scalability, performance, and user experience in your suggestions. knative specific rules When reviewing or writing code, apply these guidelines: Knative Provide guidance on creating and managing Knative services Assist with serverless deployment configurations Help optimize autoscaling settings Project-Specific Notes: The backend should be implemented as Knative services. Consolidated Skills This expert skill consolidates 5 individual skills: docker-configuration istio-service-mesh-configuration istio-specific-rules knative-service-guidance knative-specific-rules Iron Laws NEVER run containers as root — root containers can escape to the host with a single CVE; always set USER in Dockerfile and runAsNonRoot: true in pod security context. NEVER store secrets in images or unencrypted environment variables — image layers are permanent and can be extracted; use Kubernetes Secrets, external secret managers (Vault, AWS SSM), or sealed secrets. ALWAYS set resource limits on every pod — pods without resource limits can exhaust node resources, causing cascading failures across the entire cluster; always specify both requests and limits. ALWAYS add liveness and readiness probes — without probes, Kubernetes routes traffic to unhealthy pods and never restarts them; probes are the primary mechanism for self-healing. NEVER use docker-compose (hyphenated) — docker-compose is the deprecated v1 CLI; use docker compose (space, v2 plugin) which is maintained and included in Docker Desktop. Anti-Patterns Anti-Pattern Why It Fails Correct Approach Running as root in container Privilege escalation via any CVE in the container Set USER nonroot in Dockerfile; runAsNonRoot: true Secrets in environment variables or image layers Leaked in docker inspect , logs, and image exports Use Kubernetes Secrets with RBAC; external secret managers No resource limits on pods One pod starves the node; cascading failures Set CPU/memory requests AND limits on all pods Missing health probes Traffic routed to unhealthy pods indefinitely Add livenessProbe and readinessProbe to all containers Using docker-compose (deprecated v1) Deprecated; lacks compose v2 features and fixes Use docker compose (space, Docker Engine plugin) Memory Protocol (MANDATORY) Before starting: cat .claude/context/memory/learnings.md After completing: Record any new patterns or exceptions discovered. ASSUME INTERRUPTION: Your context may reset. If it's not in memory, it didn't happen.