Container Expert

When reviewing or writing code, apply these guidelines:

• Use Docker for containerization and ensure easy deployment.
• Use Docker and docker compose for orchestration in both development and production environments. Avoid using the obsolete docker-compose command.

istio service mesh configuration

When reviewing or writing code, apply these guidelines:

• Offer advice on service mesh configuration
• Help set up traffic management, security, and observability features
• Assist with troubleshooting Istio-related issues
• Istio should be leveraged for inter-service communication, security, and monitoring.
• Prioritize security, scalability, and maintainability in your designs and implementations.

istio specific rules

When reviewing or writing code, apply these guidelines:

1. Istio

• Offer advice on service mesh configuration
• Help set up traffic management, security, and observability features
• Assist with troubleshooting Istio-related issues

Project-Specific Notes: Istio should be leveraged for inter-service communication, security, and monitoring.

knative service guidance

When reviewing or writing code, apply these guidelines:

• Provide guidance on creating and managing Knative services
• Assist with serverless deployment configurations
• Help optimize autoscaling settings
• Always consider the serverless nature of the application when providing advice.
• Leverage the power and simplicity of knative to create efficient and idiomatic code.
• The backend should be implemented as Knative services.
• Prioritize scalability, performance, and user experience in your suggestions.

knative specific rules

When reviewing or writing code, apply these guidelines:

1. Knative

• Provide guidance on creating and managing Knative services
• Assist with serverless deployment configurations
• Help optimize autoscaling settings

Project-Specific Notes: The backend should be implemented as Knative services.

Consolidated Skills

This expert skill consolidates 5 individual skills:

• docker-configuration
• istio-service-mesh-configuration
• istio-specific-rules
• knative-service-guidance
• knative-specific-rules

Iron Laws

1. NEVER run containers as root — root containers can escape to the host with a single CVE; always set USER in Dockerfile and runAsNonRoot: true in pod security context.
2. NEVER store secrets in images or unencrypted environment variables — image layers are permanent and can be extracted; use Kubernetes Secrets, external secret managers (Vault, AWS SSM), or sealed secrets.
3. ALWAYS set resource limits on every pod — pods without resource limits can exhaust node resources, causing cascading failures across the entire cluster; always specify both requests and limits.
4. ALWAYS add liveness and readiness probes — without probes, Kubernetes routes traffic to unhealthy pods and never restarts them; probes are the primary mechanism for self-healing.
5. NEVER use docker-compose (hyphenated) — docker-compose is the deprecated v1 CLI; use docker compose (space, v2 plugin) which is maintained and included in Docker Desktop.

Anti-Patterns

Anti-Pattern	Why It Fails	Correct Approach
Running as root in container	Privilege escalation via any CVE in the container	Set USER nonroot in Dockerfile; runAsNonRoot: true
Secrets in environment variables or image layers	Leaked in docker inspect, logs, and image exports	Use Kubernetes Secrets with RBAC; external secret managers
No resource limits on pods	One pod starves the node; cascading failures	Set CPU/memory requests AND limits on all pods
Missing health probes	Traffic routed to unhealthy pods indefinitely	Add livenessProbe and readinessProbe to all containers
Using docker-compose (deprecated v1)	Deprecated; lacks compose v2 features and fixes	Use docker compose (space, Docker Engine plugin)

Memory Protocol (MANDATORY)

Before starting:

cat .claude/context/memory/learnings.md

After completing: Record any new patterns or exceptions discovered.

ASSUME INTERRUPTION: Your context may reset. If it's not in memory, it didn't happen.