KubeShark: A Kubernetes Skill for Claude Code and Codex to Catch Hallucinated YAML

Lukas Niessen built KubeShark, a Kubernetes skill for Claude Code and Codex that tackles a specific problem: LLMs hallucinate when writing Kubernetes YAML. They generate deprecated API versions, forget security contexts, create Services selecting no pods, misconfigure probes, omit resource requests, and produce rollouts that look valid but fail under load. Kubernetes is unforgiving here — a wrong Service selector or broken liveness probe applies successfully but causes silent failures or pod restarts.
Failure-Mode-First Workflow
KubeShark is not a dump of best practices. Before generating any YAML, the agent must reason about what can go wrong across six failure domains:
- Insecure workload defaults
- Resource starvation
- Network exposure
- Privilege sprawl
- Fragile rollouts
- API drift
Only after that reasoning does it produce manifests, Helm charts, Kustomize overlays, RBAC, NetworkPolicies, or validation steps. The idea is to make operational details unavoidable rather than skipped.
Specific Mistakes It Catches
- Service selector that does not match Deployment labels
- Ingress using an API version removed in modern Kubernetes
- Deployment running as root with no security context
- Liveness probe checking an external database
- ClusterRoleBinding where a RoleBinding would suffice
- StatefulSet assuming PVCs disappear on scale-down
- Helm template rendering valid YAML with the wrong Kubernetes API
- Kustomize patch silently targeting the wrong resource
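
The first three mistakes in this list, plus a Service targetPort that no selected pod declares, can be checked mechanically across a set of manifests. The linter below is an added example, not KubeShark's own code; `lint`, `deploy`, `svc` and the SAMPLE manifests are constructed for illustration and stand in for already-parsed YAML.

```python
# Added example, not KubeShark's code; SAMPLE and the helper names are constructed.
REMOVED = {("extensions/v1beta1", "Ingress"), ("networking.k8s.io/v1beta1", "Ingress")}  # removed in 1.22
WORKLOADS = ("Deployment", "StatefulSet", "DaemonSet")

def lint(manifests):
    """Return sorted (resource, finding) pairs for cross-resource mistakes."""
    out = []
    pods = [(m["metadata"].get("namespace", "default"), m["spec"]["template"])
            for m in manifests if m["kind"] in WORKLOADS]
    for m in manifests:
        rid = f'{m["kind"]}/{m["metadata"]["name"]}'
        ns = m["metadata"].get("namespace", "default")
        if (m["apiVersion"], m["kind"]) in REMOVED:
            out.append((rid, "removed-api-version"))
        if m["kind"] in WORKLOADS:
            spec = m["spec"]["template"]["spec"]
            pod_level = spec.get("securityContext", {}).get("runAsNonRoot")
            for c in spec["containers"]:  # container setting overrides the pod-level one
                if c.get("securityContext", {}).get("runAsNonRoot", pod_level) is not True:
                    out.append((rid, f'runAsNonRoot-unset:{c["name"]}'))
        sel = m["spec"].get("selector") if m["kind"] == "Service" else None
        if sel:  # selector-less Services (manually managed endpoints) are valid
            hits = [t["spec"] for n, t in pods
                    if n == ns and sel.items() <= t["metadata"].get("labels", {}).items()]
            if not hits:
                out.append((rid, "selector-matches-no-pods"))
                continue
            declared = {v for s in hits for c in s["containers"]
                        for p in c.get("ports", []) for v in (p["containerPort"], p.get("name"))}
            for p in m["spec"].get("ports", []):  # named targetPort must resolve; numeric is a warning
                if (t := p.get("targetPort", p["port"])) not in declared:
                    out.append((rid, f"targetPort-not-declared:{t}"))
    return sorted(out)

def deploy(name, pod_spec):
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": name},
            "spec": {"template": {"metadata": {"labels": {"app": name}}, "spec": pod_spec}}}
def svc(name, app, target):
    return {"apiVersion": "v1", "kind": "Service", "metadata": {"name": name},
            "spec": {"selector": {"app": app}, "ports": [{"port": 80, "targetPort": target}]}}

SAMPLE = [
    deploy("web", {"containers": [{"name": "web", "ports": [{"name": "http", "containerPort": 8080}]}]}),
    svc("web", "webapp", "http"),  # selector typo: no pod carries app=webapp
    deploy("api", {"securityContext": {"runAsNonRoot": True},
                   "containers": [{"name": "api", "ports": [{"containerPort": 8080}]}]}),
    svc("api", "api", 9090),       # pods declare 8080, not 9090
    {"apiVersion": "extensions/v1beta1", "kind": "Ingress", "metadata": {"name": "web"}, "spec": {}},
]
```

Every manifest in SAMPLE is well-formed YAML once serialized, which is why these findings only surface when resources are compared against each other.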
Token-Efficient Architecture
KubeShark's main SKILL.md stays compact and procedural. Deeper knowledge lives in focused reference files loaded only when relevant — for example, probe guidance doesn't load RBAC rules, and Helm tasks don't load NetworkPolicy guidance. This prevents token waste and reduces the chance the agent mixes unrelated concepts.
The skill also supports platform-specific contexts via Conditional Reference Retrieval. It detects signals like IRSA, Karpenter, Azure Workload Identity, GKE Autopilot, OpenShift Routes, ApplicationSet, HelmRelease, ServiceMonitor, or OpenTelemetry Collector, then loads the matching reference. This gives EKS-aware, AKS-aware, GKE-aware, OpenShift-aware, GitOps-aware, or observability-aware manifest generation and review — only when the context is relevant.
Defaults lean toward security: Pod Security Standards, cross-resource consistency checks, label/selector/port alignment, deprecated API avoidance, and rollback guidance are built in.
Target Audience
Platform engineers, SREs, DevOps engineers, and anyone using Claude Code or Codex for Kubernetes work.
📖 Read the full source: r/openclaw