Priya Nair
Got K8s manifests with maxUnavailable zero, an HPA and a least-privilege NetworkPolicy out of one prompt
Generate complete Kubernetes manifests including Deployments, Services, ConfigMaps, Secrets, HPA, and Ingress with security best practices.
Kubernetes Manifest Generator
You are a Kubernetes platform engineer. Generate complete, production-ready K8s manifests for deploying my application.
**Application Name:**
{{app_name}}
**Container Image:**
{{container_image}}
**Tech Stack:**
{{tech_stack}}
**Environment:**
{{environment}}
**Resource Requirements:**
{{resource_requirements}}
**Scaling Requirements:**
{{scaling_requirements}}
**Network Requirements:**
{{network_requirements}}
Generate the following manifests:
1. **Namespace**: Isolated namespace with resource quotas and limits
2. **Deployment**: With proper labels, selectors, rolling update strategy, pod disruption budget
3. **Service**: ClusterIP/LoadBalancer service with proper port mapping
4. **ConfigMap**: Externalized configuration (non-sensitive)
5. **Secret**: Referenced from the Deployment via env or volume, with placeholder values only (real values are injected out-of-band, never committed); note that encryption at rest is an API-server EncryptionConfiguration setting, not a manifest field
6. **HorizontalPodAutoscaler**: CPU + custom metrics-based autoscaling
7. **Ingress**: With TLS termination, rate limiting, path-based routing
8. **ServiceAccount + RBAC**: Least-privilege permissions
9. **NetworkPolicy**: Restrict pod-to-pod communication to minimum required
10. **Pod Security Admission/SecurityContext**: Namespace labels enforcing the `restricted` Pod Security Standard (PodSecurityPolicy was removed in Kubernetes 1.25); non-root, read-only root FS, dropped capabilities, RuntimeDefault seccomp
11. **Liveness & Readiness Probes**: Proper health check endpoints
12. **Kustomization**: Base + overlays for dev/staging/prod environments
Apply security hardening to every manifest. Output as separate YAML files.
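The prompt's items 1, 8 and 10 are the ones most often generated against removed or misused APIs, so here is an added example of what they look like on a current cluster. This is not the page's prompt or its generated output; it reuses the page's `checkout-api` / `payments` names, and the quota figures, the ConfigMap name `checkout-api-config` and the assumption that the app makes no Kubernetes API calls are mine.

```yaml
# Added example (not the page's output): namespace hardening and least-privilege
# identity for checkout-api. Quota sizes and the ConfigMap name are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Pod Security Admission replaces PodSecurityPolicy (removed in Kubernetes 1.25).
    # enforce rejects non-compliant pods; warn/audit surface drift without blocking.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: payments-quota
  namespace: payments
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 8Gi
    limits.cpu: "16"
    limits.memory: 16Gi
    pods: "40"
---
apiVersion: v1
kind: LimitRange
metadata:
  name: payments-defaults
  namespace: payments
spec:
  limits:
    - type: Container
      default: { cpu: 500m, memory: 512Mi }        # used when a container sets no limits
      defaultRequest: { cpu: 100m, memory: 128Mi } # used when a container sets no requests
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: checkout-api
  namespace: payments
# Least privilege for an app that never talks to the API server is no token at all.
automountServiceAccountToken: false
---
# Shape to use if the app does need API access: one verb set, one resource, one object name.
# A Role bound to a ServiceAccount whose token is never mounted grants nothing at runtime;
# if this read is genuinely needed, mount a short-lived projected serviceAccountToken
# volume rather than turning automount back on for the whole pod.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: checkout-api-config-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["checkout-api-config"]
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: checkout-api-config-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: checkout-api
    namespace: payments
roleRef:
  kind: Role
  name: checkout-api-config-reader
  apiGroup: rbac.authorization.k8s.io
```

With `enforce: restricted` on the namespace, any Deployment that omits `seccompProfile: RuntimeDefault`, `runAsNonRoot`, `allowPrivilegeEscalation: false` or `capabilities.drop: ["ALL"]` is rejected at admission, which is the check that turns "security best practices" in a prompt into something the cluster actually verifies.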
Results
Production K8s manifests for `checkout-api` (Node service, image `registry.acme.io/checkout:1.4.2`) in the `payments` namespace. Security context, HPA, and a least-privilege NetworkPolicy included.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: checkout-api
  namespace: payments
  labels: { app: checkout-api }
spec:
  # Remove this field once the HPA owns the replica count: re-applying it resets the scale to 3.
  replicas: 3
  strategy:
    type: RollingUpdate
    # An old pod is terminated only after its replacement passes the readiness probe.
    rollingUpdate: { maxSurge: 1, maxUnavailable: 0 }
  selector:
    matchLabels: { app: checkout-api }
  template:
    metadata:
      labels: { app: checkout-api }
    spec:
      # The app does not call the Kubernetes API, so no service account token is mounted.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        fsGroup: 10001
        # Required by the "restricted" Pod Security Standard.
        seccompProfile: { type: RuntimeDefault }
      containers:
        - name: app
          image: registry.acme.io/checkout:1.4.2
          ports: [{ containerPort: 3000 }]
          resources:
            requests: { cpu: 250m, memory: 256Mi }
            limits: { cpu: 500m, memory: 512Mi }
          securityContext:
            # Anything the app writes at runtime (e.g. /tmp) needs an explicit emptyDir mount.
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities: { drop: ["ALL"] }
          readinessProbe:
            httpGet: { path: /api/ready, port: 3000 }
            initialDelaySeconds: 5
          livenessProbe:
            httpGet: { path: /api/live, port: 3000 }
            periodSeconds: 10
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata: { name: checkout-api, namespace: payments }
spec:
  scaleTargetRef: { apiVersion: apps/v1, kind: Deployment, name: checkout-api }
  minReplicas: 3
  maxReplicas: 12
  metrics:
    - type: Resource
      resource: { name: cpu, target: { type: Utilization, averageUtilization: 70 } }
```
**maxUnavailable: 0** with `maxSurge: 1` means an old pod is terminated only after its replacement passes the readiness probe, so the rollout never drops below three ready pods; that guarantee is only as good as `/api/ready`, which has to check the app's dependencies rather than always return 200. Pair with a `PodDisruptionBudget` (`minAvailable: 2`) so a node drain evicts at most one of the three pods at a time. The NetworkPolicy (separate file) allows ingress only from the `ingress-nginx` namespace and egress only to Postgres on 5432 plus DNS on port 53; without the DNS rule the pod cannot resolve the database service name.
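The paragraph above describes a PodDisruptionBudget and a NetworkPolicy that are not shown on the page. The following is an added example of those two objects written to match the description; it is not the generated output. Assumptions: the ingress controller runs in a namespace literally named `ingress-nginx`, Postgres pods carry `app: postgres` in a namespace named `data`, and cluster DNS is the usual `k8s-app: kube-dns` pods in `kube-system`.

```yaml
# Added example (not the page's output). Namespace names, Postgres labels and the
# DNS pod labels are assumptions; adjust them to the cluster.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: checkout-api
  namespace: payments
spec:
  minAvailable: 2            # with 3 replicas, a drain can evict only one pod at a time
  selector:
    matchLabels: { app: checkout-api }
---
# Namespace-wide default deny: any pod without a policy of its own gets no traffic either way.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: checkout-api
  namespace: payments
spec:
  podSelector:
    matchLabels: { app: checkout-api }
  policyTypes: [Ingress, Egress]   # listing Egress makes "deny all other egress" explicit
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # set automatically on every namespace
      ports:
        - { protocol: TCP, port: 3000 }
  egress:
    # DNS first: without this rule the app cannot resolve the Postgres service name.
    # namespaceSelector and podSelector in the same list item are ANDed; as separate
    # items they would be ORed and widen the rule to every pod in kube-system.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: data
          podSelector:
            matchLabels:
              app: postgres
      ports:
        - { protocol: TCP, port: 5432 }
```

Two checks before trusting this: the cluster's CNI must actually enforce NetworkPolicy (a policy object is accepted by the API server even when nothing implements it), and the liveness/readiness probes keep working because kubelet traffic from the node is not subject to the pod's ingress rules.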
Model: Claude Sonnet 4
13 Likes · 4 Saves · Score: 11
1 Comment
Lena Fischer
Did not expect a debugging/testing prompt to be this thorough.