---
name: k8s-dev
description: Assistance with Remote Kubernetes Development (Telepresence, Okteto, DevSpace).
triggers: [k8s dev, remote dev, telepresence, okteto, devspace, tilt, scaffold, remote cluster]
tags: [ops]
context_cost: medium
---

# Kubernetes Dev Skill

## Goal

To develop directly against a remote Kubernetes cluster, enabling access to cloud dependencies and effectively "infinite" resources.

## Capabilities
### 1. Remote Interception (Telepresence)
- Intercept: Route traffic from a remote service to your laptop.
- Debug: Step through code locally while handling live remote requests.
- Preview URLs: Share a specific intercept version with teammates.
### 2. Sync & Hot Reload (Okteto / DevSpace)
- File Sync: Bi-directional sync between local folder and remote pod.
- Terminal: Get a shell inside the remote pod.
- Environment: Spin up ephemeral namespaces for each developer.
### 3. Configuration

- DevSpace: Generate `devspace.yaml` for pipeline + sync.
- Okteto: Generate `okteto.yaml` for hybrid dev.
## Steps
- When to use: Recommend Remote Dev when the app is too large for Docker Desktop (RAM/CPU limits) or depends on cloud-only resources (RDS, SQS).
- Isolation: Ensure developers work in their own Namespaces to avoid stepping on toes.
- Security: Use RBAC to limit developer permissions in the cluster.
## Deliverables

- `devspace.yaml` configuration.
- `telepresence` intercept commands.
- `okteto.yaml` manifest.

## Security & Guardrails

### 1. Skill Security (Kubernetes Dev)
- Local Intercept Isolation: When using tools like Telepresence to route cluster traffic to a local machine, the connection must be strictly tunneled over mTLS. The local agent process must drop privileges to a non-root user to mitigate risks if the intercepted traffic is malicious.
- Ephemeral Namespace Cleanup: DevSpace or Okteto configurations must include hard TTLs (Time-To-Live) for developer namespaces. Stale namespaces abandoned by agents/developers must be automatically purged to reduce the cluster's attack surface.
### 2. System Integration Security
- RBAC Developer Constraints: The generated Kubernetes configurations must enforce strict Role-Based Access Control (RBAC). A remote developer shell must NEVER have `cluster-admin` privileges; it should only have edit/exec capabilities within its targeted, isolated namespace.
- Network Policy Egress: Developer pods must be constrained by NetworkPolicies that block arbitrary egress to the public internet or production namespaces, preventing a compromised dev pod from being used as a staging ground for lateral movement.
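The namespace-scoped RBAC and egress policy the two constraints above call for, written out as an added example rather than a manifest generated by the skill itself; the namespace `dev-alice`, the user `alice@example.com` and the `k8s-app: kube-dns` label are assumptions to adapt to the target cluster.

```yaml
# Added example (not the skill's own output): RBAC + egress policy for assumed namespace dev-alice / user alice@example.com
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-dev
  namespace: dev-alice
rules:
  - apiGroups: ["", "apps"]          # edit workloads in this namespace only
    resources: ["pods", "services", "configmaps", "deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]                  # shell, port-forward and logs for sync/intercept tools
    resources: ["pods/exec", "pods/portforward", "pods/log"]
    verbs: ["get", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: remote-dev
  namespace: dev-alice
subjects:
  - kind: User
    name: alice@example.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                         # a namespaced Role, never the cluster-admin ClusterRole
  name: remote-dev
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: dev-alice
spec:
  podSelector: {}                    # applies to every pod in the namespace
  policyTypes: ["Egress"]
  egress:
    - to:                            # same-namespace pods only
        - podSelector: {}
    - to:                            # DNS via kube-dns in kube-system
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```

Because the policy lists only the allowed destinations, anything not matched (public internet, other namespaces such as production) is denied once a CNI that enforces NetworkPolicy is installed; add a TCP/53 entry if the cluster's DNS responses exceed the UDP size limit.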
### 3. LLM & Agent Guardrails
- Production Intercept Block: The agent must reject outright any user prompt attempting to use Telepresence or DevSpace to intercept traffic directly from the `production` namespace. It must enforce that remote dev only occurs in `dev` or `staging` clusters.
- Secret Syncing Prohibition: DevSpace/Okteto file sync mechanisms must explicitly exclude `.env` files or folders containing local secrets from being synced up to the cluster, preventing accidental exposure of local credentials to the remote pod environment.