{"id":"13fdaee3-4205-4bba-abe1-c1dd66ce67b5","shortId":"HYQkBH","kind":"skill","title":"vigilante-issue-implementation-on-kubernetes","tagline":"Implement a GitHub issue end-to-end when Vigilante dispatches work for a Kubernetes-focused repository with manifest hardening and workload security guidance.","description":"# Vigilante Kubernetes Issue Implementation\n\n## Focus\n- Read the prompt for detected tech stacks, process hints, and Kubernetes security guidance before changing manifests.\n- Treat Kubernetes manifest changes as operationally sensitive — not as generic YAML edits.\n- Keep changes scoped to the issue and do not broaden into unrelated cluster-ops or security redesign work.\n\n## Manifest Hygiene\n- Use recommended Kubernetes labels (`app.kubernetes.io/name`, `app.kubernetes.io/version`, etc.) on all new resources.\n- Validate manifest YAML syntax and schema before committing. Use `kubectl apply --dry-run=client -f <manifest>` when a cluster is reachable (a client-side dry run still needs API-server discovery), or an offline schema validator such as `kubeconform` when it is not.\n- Prefer `kustomize` overlays or Helm values for environment-specific configuration rather than duplicating manifests.\n- Keep resource definitions focused — one resource per file when practical, with clear naming.\n\n## Service Account Hygiene\n- Do not use the `default` service account for workloads. 
Create dedicated service accounts scoped to the workload's needs.\n- Set `automountServiceAccountToken: false` on pods and service accounts that do not need API access.\n- When a workload requires API access, bind the minimum RBAC permissions to its dedicated service account.\n\n## Pod and Container Security Context\n- Set `runAsNonRoot: true` and specify a numeric `runAsUser` in the pod or container `securityContext`. The kubelet can only verify `runAsNonRoot` against a numeric UID, so an image whose `USER` is a name fails to start unless `runAsUser` is set explicitly.\n- Set `allowPrivilegeEscalation: false` on containers.\n- Set `readOnlyRootFilesystem: true` where the application supports it, using `emptyDir` volumes for writable paths.\n- Drop all capabilities and add back only what is required: `securityContext.capabilities.drop: [\"ALL\"]`.\n- Prefer the `Restricted` Pod Security Standard when the workload allows it. It additionally requires `seccompProfile.type: RuntimeDefault` (or `Localhost`) and is enforced per namespace via the `pod-security.kubernetes.io/enforce: restricted` label.\n\n## RBAC and Permissions\n- Follow least-privilege principles: prefer `Role` and `RoleBinding` (namespace-scoped) over `ClusterRole` and `ClusterRoleBinding` unless the workload genuinely needs cluster-wide access.\n- Avoid wildcards (`*`) in RBAC rules for verbs, resources, or API groups.\n- When the issue only requires application-level changes, do not introduce or modify cluster-scoped resources.\n\n## Image Security\n- Pin images by digest (`image@sha256:...`) or, at minimum, by a specific version tag; never use `latest` or other mutable tags, and remember that an image reference with no tag resolves to `latest`.\n- Prefer images from trusted registries. 
Note when an image source is unverified.\n- Be aware of image scanning and admission policies when the repository documents them.\n\n## Network Policy and Resource Management\n- When touching network-facing workloads, check whether a `NetworkPolicy` exists and preserve or extend it rather than removing restrictions.\n- Set resource `requests` and `limits` on containers to prevent unbounded resource consumption.\n- Do not remove existing resource constraints without explicit justification in the issue.\n\n## Scope Guardrails\n- Do not make broad cluster-wide changes when the issue only requires application-level manifest updates.\n- Do not introduce cluster-admin RBAC, node-level access, or host-namespace usage unless the issue specifically requires it.\n- Preserve existing security posture — improve it where relevant to the issue, but do not weaken it.\n\n## Mixed-Stack Repositories\n- A Kubernetes repository may also contain application code (Go, Node.js, Python, etc.) alongside manifests.\n- Scope Kubernetes manifest guidance to YAML/Helm/Kustomize files. Do not apply manifest validation to application source code.\n- When an issue touches both application code and Kubernetes manifests, validate each side with its appropriate toolchain.\n\n## Workflow\n- Follow the base `vigilante-issue-implementation` workflow for issue comments, validation, push, and PR creation.\n- Use `vigilante commit` for all commit-producing operations. Do not use `git commit` or GitHub CLI commit flows directly.\n- Any commit or amend must preserve the user's existing git author, committer, and signing configuration. 
Commit on behalf of the user and do not overwrite `git config` with a coding-agent identity.\n- Do not add `Co-authored-by:` trailers or any other agent attribution for Codex, Claude, Gemini, or similar coding-agent identities.\n- Repository-specific instructions (`AGENTS.md`, `README.md`, CI config) remain authoritative when they are more specific than the generic Kubernetes guidance in this skill.","tags":["vigilante","issue","implementation","kubernetes","aliengiraffe","agent","agent-skills","agentic-ai","agentic-workflow","agents","ai-orchestration","ai-orchestrator"],"capabilities":["skill","source-aliengiraffe","skill-vigilante-issue-implementation-on-kubernetes","topic-agent","topic-agent-skills","topic-agentic-ai","topic-agentic-workflow","topic-agents","topic-ai-orchestration","topic-ai-orchestrator","topic-orchestration"],"categories":["vigilante"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/aliengiraffe/vigilante/vigilante-issue-implementation-on-kubernetes","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add aliengiraffe/vigilante","source_repo":"https://github.com/aliengiraffe/vigilante","install_from":"skills.sh"}},"qualityScore":"0.464","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 28 github stars · SKILL.md body (4,264 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-01T07:01:24.547Z","embedding":null,"createdAt":"2026-04-18T22:23:16.403Z","updatedAt":"2026-05-01T07:01:24.547Z","lastSeenAt":"2026-05-01T07:01:24.547Z","tsv":"'/name':92 '/version':95 'access':185,191,289,438 'account':151,159,165,179,201 'add':244,590 'admin':433 'admiss':352 
'agent':586,599,609 'agents.md':615 'allow':260 'allowprivilegeescal':222 'alongsid':482 'also':474 'amend':557 'api':184,190,299 'app.kubernetes.io':91,94 'app.kubernetes.io/name':90 'app.kubernetes.io/version':93 'appli':493 'applic':231,307,424,476,497,505 'application-level':306,423 'appropri':515 'attribut':600 'author':565,593 'authorit':620 'automountserviceaccounttoken':173 'avail':121 'avoid':290 'awar':347 'back':245 'base':520 'behalf':572 'bind':192 'broad':413 'broaden':74 'capabl':242 'chang':51,56,66,309,417 'check':370 'ci':617 'claud':603 'clear':148 'cli':550 'client':112 'cluster':78,287,316,415,432 'cluster-admin':431 'cluster-op':77 'cluster-scop':315 'cluster-wid':286,414 'clusterrol':278 'clusterrolebind':280 'co':592 'co-author':591 'code':477,499,506,585,608 'codex':602 'coding-ag':584,607 'comment':528 'commit':106,536,540,547,551,555,570 'commit-produc':539 'committ':566 'config':581,618 'configur':132,569 'constraint':401 'consumpt':395 'contain':204,219,225,390,475 'context':206 'creat':162 'creation':533 'dedic':163,199 'default':157 'definit':139 'detect':41 'digest':323 'direct':553 'dispatch':17 'document':357 'dri':110 'drop':240 'dry-run':109 'duplic':135 'edit':64 'emptydir':235 'end':12,14 'end-to-end':11 'environ':130 'environment-specif':129 'equival':117 'etc':96,481 'exist':374,399,451,563 'explicit':403 'extend':378 'face':368 'fals':174,223 'file':144,490 'flow':552 'focus':23,36,140 'follow':265,518 'gemini':604 'generic':62,628 'genuin':284 'git':546,564,580 'github':9,549 'go':478 'group':300 'guardrail':409 'guidanc':31,49,487,630 'harden':27 'helm':126 'hint':45 'host':441 'host-namespac':440 'hygien':85,152 'ident':587,610 'imag':319,322,335,342,349 'implement':4,7,35,524 'improv':454 'instruct':614 'introduc':312,430 'issu':3,10,34,70,303,407,420,446,460,502,523,527 'justif':404 'keep':65,137 'kubectl':108 'kubernet':6,22,33,47,54,88,471,485,508,629 'kubernetes-focus':21 'kustom':123 'label':89 'latest':329 
'least':267 'least-privileg':266 'level':308,425,437 'limit':388 'make':412 'manag':363 'manifest':26,52,55,84,102,136,426,483,486,494,509 'may':473 'minimum':194 'mix':467 'mixed-stack':466 'modifi':314 'must':558 'mutabl':332 'name':149 'namespac':275,442 'namespace-scop':274 'need':171,183,285 'network':359,367 'network-fac':366 'networkpolici':373 'new':99 'node':436 'node-level':435 'node.js':479 'note':339 'numer':213 'o':113 'offlin':118 'one':141 'op':79 'oper':58,542 'overlay':124 'overwrit':579 'path':239 'per':143 'permiss':196,264 'pin':325 'pod':176,202,217,254 'polici':353,360 'postur':453 'pr':532 'practic':146 'prefer':122,252,270,334 'preserv':376,450,559 'prevent':392 'principl':269 'privileg':268 'process':44 'produc':541 'prompt':39 'push':530 'python':480 'rather':133,327,380 'rbac':195,262,293,434 'read':37 'readme.md':616 'readonlyrootfilesystem':227 'recommend':87 'redesign':82 'registri':338 'relev':457 'remain':619 'remov':382,398 'repositori':24,356,469,472,612 'repository-specif':611 'request':386 'requir':189,249,305,422,448 'resourc':100,138,142,297,318,362,385,394,400 'restrict':253,383 'role':271 'rolebind':273 'rule':294 'run':111 'runasnonroot':208 'runasus':214 'scan':350 'scope':67,166,276,317,408,484 'secur':30,48,81,205,255,320,452 'securitycontext':220 'securitycontext.capabilities.drop':250 'sensit':59 'servic':150,158,164,178,200 'set':172,207,221,226,384 'side':512 'sign':568 'similar':606 'skill':633 'skill-vigilante-issue-implementation-on-kubernetes' 'sourc':343,498 'source-aliengiraffe' 'specif':131,447,613,625 'specifi':211 'stack':43,468 'standard':256 'support':232 'syntax':104 'tag':326,333 'tech':42 'toolchain':516 'topic-agent' 'topic-agent-skills' 'topic-agentic-ai' 'topic-agentic-workflow' 'topic-agents' 'topic-ai-orchestration' 'topic-ai-orchestrator' 'topic-orchestration' 'touch':365,503 'trailer':595 'treat':53 'true':209,228 'trust':337 'unbound':393 'unless':281,444 'unrel':76 'unverifi':345 'updat':427 
'usag':443 'use':86,107,155,234,321,534,545 'user':561,575 'valid':101,119,495,510,529 'valu':127 'verb':296 'vigilant':2,16,32,522,535 'vigilante-issue-implement':521 'vigilante-issue-implementation-on-kubernet':1 'volum':236 'weaken':464 'whether':371 'wide':288,416 'wildcard':291 'without':402 'work':18,83 'workflow':517,525 'workload':29,161,169,188,259,283,369 'writabl':238 'yaml':63,103,114 'yaml/helm/kustomize':489","prices":[{"id":"49d17e8d-dfa3-43c2-a658-9beeb93c2d56","listingId":"13fdaee3-4205-4bba-abe1-c1dd66ce67b5","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"aliengiraffe","category":"vigilante","install_from":"skills.sh"},"createdAt":"2026-04-18T22:23:16.403Z"}],"sources":[{"listingId":"13fdaee3-4205-4bba-abe1-c1dd66ce67b5","source":"github","sourceId":"aliengiraffe/vigilante/vigilante-issue-implementation-on-kubernetes","sourceUrl":"https://github.com/aliengiraffe/vigilante/tree/main/skills/vigilante-issue-implementation-on-kubernetes","isPrimary":false,"firstSeenAt":"2026-04-18T22:23:16.403Z","lastSeenAt":"2026-05-01T07:01:24.547Z"}],"details":{"listingId":"13fdaee3-4205-4bba-abe1-c1dd66ce67b5","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"aliengiraffe","slug":"vigilante-issue-implementation-on-kubernetes","github":{"repo":"aliengiraffe/vigilante","stars":28,"topics":["agent","agent-skills","agentic-ai","agentic-workflow","agents","ai","ai-orchestration","ai-orchestrator","orchestration"],"license":"apache-2.0","html_url":"https://github.com/aliengiraffe/vigilante","pushed_at":"2026-04-23T16:58:46Z","description":"Vigilante is a sandbox-first orchestration layer for coding agents. 
It isolates every task in a git worktree, enforces strict credential scoping, and gives you full audit logs — so your agents can't burn down production.","skill_md_sha":"76acb6d3f680f2cdae11415271d374af77e7ae62","skill_md_path":"skills/vigilante-issue-implementation-on-kubernetes/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/aliengiraffe/vigilante/tree/main/skills/vigilante-issue-implementation-on-kubernetes"},"layout":"multi","source":"github","category":"vigilante","frontmatter":{"name":"vigilante-issue-implementation-on-kubernetes","description":"Implement a GitHub issue end-to-end when Vigilante dispatches work for a Kubernetes-focused repository with manifest hardening and workload security guidance."},"skills_sh_url":"https://skills.sh/aliengiraffe/vigilante/vigilante-issue-implementation-on-kubernetes"},"updatedAt":"2026-05-01T07:01:24.547Z"}}
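The service-account, security-context, resource and image rules in the skill description above, turned into an added worked example that is not part of the Vigilante skill or of the registry record: a stdlib-only Python linter that reports which of those rules a workload manifest breaks. Both manifests are constructed samples (the digest is a placeholder, not a real image), and every function and name in the code is the example's own rather than anything from the project.

```python
"""Added example, not part of the Vigilante skill or the registry record: a
stdlib-only linter for the pod-hardening and image rules in the skill text.
Manifests below are constructed samples. kubectl accepts JSON manifests, and
yaml.safe_load() of the YAML form yields the same dict, so either works."""
import json
import re

# Constructed: a typical first-draft Deployment that breaks most of the rules.
WEAK = json.loads('''{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "web", "namespace": "shop"},
 "spec": {"selector": {"matchLabels": {"app": "web"}},
  "template": {"metadata": {"labels": {"app": "web"}},
   "spec": {"containers": [{"name": "web", "image": "registry.example.com/shop/web:latest",
                           "ports": [{"containerPort": 8080}]}]}}}}''')

# Constructed: the same workload after applying the skill's checklist. The digest
# is a placeholder, not a real image; seccompProfile is required by the
# Restricted Pod Security Standard.
HARDENED = json.loads('''{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "web", "namespace": "shop",
  "labels": {"app.kubernetes.io/name": "web", "app.kubernetes.io/version": "1.4.2"}},
 "spec": {"selector": {"matchLabels": {"app.kubernetes.io/name": "web"}},
  "template": {"metadata": {"labels": {"app.kubernetes.io/name": "web",
                                    "app.kubernetes.io/version": "1.4.2"}},
   "spec": {"serviceAccountName": "web", "automountServiceAccountToken": false,
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web",
      "image": "registry.example.com/shop/web@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
      "securityContext": {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true,
                          "capabilities": {"drop": ["ALL"]}},
      "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                    "limits": {"cpu": "500m", "memory": "256Mi"}},
      "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
    "volumes": [{"name": "tmp", "emptyDir": {}}]}}}}''')

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_is_pinned(image: str) -> bool:
    """True for a digest reference or any tag other than the mutable 'latest'."""
    if DIGEST_RE.search(image):
        return True
    last = image.rsplit("/", 1)[-1]   # drop registry/repo so host:port is not read as a tag
    if ":" not in last:
        return False                 # no tag at all resolves to :latest
    return last.rsplit(":", 1)[1] != "latest"


def check_workload(manifest: dict) -> list[str]:
    """One finding per violated rule; [] means the manifest passes. Handles a bare Pod
    or a Deployment/StatefulSet/DaemonSet/Job template (not CronJob)."""
    findings = []
    pod = manifest["spec"] if manifest.get("kind") == "Pod" else manifest["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    if "app.kubernetes.io/name" not in manifest.get("metadata", {}).get("labels", {}):
        findings.append("metadata.labels: missing app.kubernetes.io/name")
    if pod.get("serviceAccountName", "default") == "default":
        findings.append("pod: uses the default service account")
    if pod.get("automountServiceAccountToken") is not False:
        findings.append("pod: automountServiceAccountToken is not false (set it unless the workload needs API access)")
    for key in ("hostNetwork", "hostPID", "hostIPC"):      # scope guardrail: no host namespaces
        if pod.get(key):
            findings.append(f"pod: {key} is enabled")
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        # Pod-level runAsNonRoot/runAsUser apply unless the container overrides them.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not isinstance(uid, int) or isinstance(uid, bool) or uid == 0:
            findings.append(f"{name}: runAsUser is not a non-zero numeric UID")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        for section in ("requests", "limits"):
            for resource in ("cpu", "memory"):
                if resource not in c.get("resources", {}).get(section, {}):
                    findings.append(f"{name}: resources.{section}.{resource} is not set")
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}: image {c.get('image')!r} uses a mutable tag or no digest")
    return findings


if __name__ == "__main__":
    for label, manifest in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        findings = check_workload(manifest)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Because `json.loads` and `yaml.safe_load` produce the same dict, the same `check_workload` call works on a YAML manifest when PyYAML is installed. The check is deliberately strict about `automountServiceAccountToken` and `readOnlyRootFilesystem`: the skill text makes both conditional on what the workload needs, so treat those two findings as prompts to justify the setting in the issue rather than as hard failures.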