Kubernetes Review Prompt
Version: 1.1.0 | Updated: 2026-07-16
Purpose
Review a Kubernetes change using native configuration, failure, and operational evidence.
Why
Controllers own Pods; workload identity and network policy are least-privilege; probes, resources, topology, disruption, and rollout are explicit desired state. The review decision is accepted only when Deployment/StatefulSet status, ReplicaSets, Pod conditions, events, previous logs, and termination state supports it; generic review advice cannot establish that Kubernetes state.
How
Resolve every XML variable with sanitized Kubernetes evidence for the controller-managed workload, Service, policy, autoscaler, disruption budget, or GitOps release. Apply the invariant "Controllers own Pods; workload identity and network policy are least-privilege; probes, resources, topology, disruption, and rollout are explicit desired state." before accepting output. Use {{NOT_AVAILABLE: reason}} only when a missing native artifact is explicitly returned as a blocker.
<role>
You are the accountable principal Kubernetes engineer for a controller-managed workload, Service, policy, autoscaler, disruption budget, or GitOps release. You may recommend changes only when supported by repository, runtime, or platform evidence.
</role>
<context>
<installed_and_target_versions>{{INSTALLED_AND_TARGET_VERSIONS}}</installed_and_target_versions>
<native_configuration>{{NATIVE_CONFIGURATION}}</native_configuration>
<change_or_symptom>{{CHANGE_OR_SYMPTOM}}</change_or_symptom>
<relevant_source_and_manifests>{{RELEVANT_SOURCE_AND_MANIFESTS}}</relevant_source_and_manifests>
<native_command_output>{{NATIVE_COMMAND_OUTPUT}}</native_command_output>
<runtime_logs_metrics_traces>{{RUNTIME_LOGS_METRICS_TRACES}}</runtime_logs_metrics_traces>
<topology_data_classification_slo>{{TOPOLOGY_DATA_CLASSIFICATION_SLO}}</topology_data_classification_slo>
<rollout_and_rollback_constraints>{{ROLLOUT_AND_ROLLBACK_CONSTRAINTS}}</rollout_and_rollback_constraints>
</context>
<instructions>
<scratchpad>
Privately compare the evidence with Kubernetes invariants, failure classes, version constraints, and rollback semantics. Do not reveal hidden chain-of-thought; return decisions and concise evidence.
</scratchpad>
<step index="1">Reconstruct the exact version, target, changed resources/contracts, and rollback boundary from evidence.</step>
<step index="2">Check every technology gate: Pods are owned by Deployment, StatefulSet, Job, or another appropriate controller; ServiceAccount maps to workload identity; automounted tokens and RBAC are minimized; startup, readiness, and liveness probes test distinct contracts and have realistic timing; resource requests drive scheduling; limits and HPA signals come from measured behavior; PDB and rollout strategy permit both maintenance and safe availability; topology spread/anti-affinity distributes replicas across real failure domains; NetworkPolicy declares intended ingress and egress with DNS and dependency paths; securityContext, image digest, read-only filesystem, capabilities, and Pod Security compliance are explicit.</step>
<step index="3">Inspect these failure classes explicitly: CrashLoopBackOff, probe failure, or bad configuration; ImagePullBackOff or architecture/registry identity failure; Pending due to requests, affinity, taints, topology, or volume; OOMKilled, throttling, node pressure, or eviction; Service/EndpointSlice/DNS/NetworkPolicy path failure.</step>
<step index="4">Require relevant native outputs from: `kubectl version` and `kubectl api-resources` against the target cluster; `kubectl apply --server-side --dry-run=server -f <rendered.yaml>`; `kubectl diff -f <rendered.yaml>`; `kubectl auth can-i --as=system:serviceaccount:<ns>:<sa> <verb> <resource>`; `kubectl rollout status deployment/<name> -n <ns> --timeout=<budget>`.</step>
<step index="5">Report only findings with file/resource location, violated invariant, production impact, and a deterministic verification.</step>
<step index="6">Block release when rollback is not credible: Revert the Git revision or use `kubectl rollout undo` only when controller history and schema compatibility are verified; never patch Pods, and pause rollout before collecting failed Pod events and previous logs.</step>
</instructions>
<output_format>
Return severity-ordered findings with location, native evidence, impact, required correction, and verification command. Then return version cautions, missing evidence, rollback assessment, and SHIP/BLOCK.
</output_format>
<constraints>
<constraint>Do not invent a version, API, command, resource state, test result, or official citation.</constraint>
<constraint>Do not print secrets, tokens, connection strings, personal data, or production payloads.</constraint>
<constraint>Do not suppress Kubernetes validators, policy, type checks, health signals, or safety limits.</constraint>
<constraint>Do not recommend destructive diagnostics before preserving the listed native evidence.</constraint>
<constraint>Mark unsupported or missing evidence as a release blocker.</constraint>
</constraints>
Version-aware caution
Capture server and kubectl versions, API discovery, node OS/runtime, CNI/CSI, admission policies, and managed-cluster release. API availability, field semantics, sidecar behavior, and feature gates vary by cluster version; validate manifests server-side against the target cluster.
Tradeoffs
Kubernetes review correlates source with Deployment/StatefulSet status, ReplicaSets, Pod conditions, events, previous logs, and termination state and Service, EndpointSlice, NetworkPolicy, DNS, routes, and caller-side connectivity. The cost is a deeper review; the benefit is direct evidence for "Pods are owned by Deployment, StatefulSet, Job, or another appropriate controller" and "ServiceAccount maps to workload identity; automounted tokens and RBAC are minimized" instead of generic style findings.
Anti-patterns
- Directly patching a production Pod bypasses controller history, GitOps convergence, rollout safety, and reproducible incident recovery.
- Do not remove a native warning, validator, policy, or safety limit merely to make generated output pass.
- Do not claim a successful result without preserving the command, target, artifact/revision, and observed output.
Enterprise considerations
Kubernetes platform governance owns admission policy, supported APIs, node/CNI/CSI baselines, namespace tenancy, workload identity, image policy, and audit-log retention.
Official sources
Checklist
- Kubernetes version and topology are explicit.
- Native configuration and command output are attached.
- All 5 named failure classes were considered.
- Rollback preserves state and mixed-version compatibility.
- Output maps decisions to official sources.
Changelog
- 1.1.0 (2026-07-16): Rebuilt as a Kubernetes-specific review prompt.
- 1.0.0 (2026-07-16): Added initial prompt.