KubeShark enforces manifest checks

- On May 18, 2026, developer Lukas Niessen’s KubeShark surfaced as an open-source Kubernetes skill for Claude Code and Codex that checks manifests before deployment.
- The project’s documentation says the skill has an activation cost of about 650 tokens and targets six named Kubernetes failure modes.
- The GitHub repository and documentation page list installation steps and reference files for Claude Code and Codex users.

Lukas Niessen’s KubeShark is an open-source Kubernetes skill built for AI coding agents such as Claude Code and Codex, according to the project’s GitHub repository and documentation. The project is designed to catch common manifest mistakes before YAML reaches a cluster, including deprecated APIs, wildcard RBAC permissions, missing resource settings and cross-resource mismatches. The repository says large language models “hallucinate a lot” on Kubernetes tasks and frames the skill as a way to constrain that behavior with prewritten checks and examples. The documentation describes KubeShark as “failure-mode-first,” meaning it asks the agent to diagnose likely risks before generating manifests.

### Who built KubeShark, and where is it published?

GitHub shows KubeShark in a public repository under LukasNiessen/kubernetes-skill, with Lukas Niessen listed as the owner. The repository was updated within the last few days and describes itself as a “Kubernetes Skill for Claude Code and Codex.” The same material is published in a documentation site under Niessen’s GitHub Pages domain, which repeats the positioning around manifest safety and agent use. (github.com)

The repository’s README says the skill is “the #1 Kubernetes skill for Claude Code and Codex, measured by GitHub stars.” GitHub showed 182 stars and three forks when the page was crawled, a small but visible early signal that the project is attracting attention among users experimenting with agent-assisted infrastructure work. (github.com)

### What does the skill actually check before an agent writes YAML?

The GitHub README lists several failure patterns it says KubeShark is meant to prevent: omitted security contexts, deprecated APIs, wildcard RBAC, forgotten resource limits and probes that can trigger repeated restarts. The documentation adds cross-resource consistency checks, including label, selector and port alignment, which are common sources of Kubernetes deployment errors even when a manifest is valid YAML. (github.com)

The documentation also says the skill covers 20 reference files spanning security, networking, RBAC, probes, storage, Helm and Kustomize. It says those references are loaded on demand rather than dumped wholesale into the model context, an approach the project presents as a way to keep token use down while still grounding the agent in specific Kubernetes patterns. (github.com)

### How is this different from a linter or admission controller?

KubeShark is packaged as a “skill” for coding agents rather than as a cluster-side enforcement tool, according to the project documentation. That means the checks happen earlier in the workflow, when an agent is drafting or revising manifests, instead of after code review or during cluster admission. The documentation explicitly describes the workflow as “diagnose before generate.” (lukasniessen.github.io)

The repository says the project is based primarily on official Kubernetes documentation, the NSA/CISA Kubernetes Hardening Guide, the OWASP Kubernetes Top 10, Pod Security Standards and the CIS Kubernetes Benchmark. That sourcing matters because the tool is not only checking syntax; it is trying to encode operational and security conventions that teams often enforce later through policy engines or human review. (lukasniessen.github.io)

### Which agents does it target, and how heavy is it to run?

The documentation names Claude Code and Codex as the intended agent environments. It says KubeShark has an activation cost of about 650 tokens and uses granular references loaded only when needed. That token figure is one of the clearest concrete details in the project because cost and context size are practical constraints for teams using coding agents repeatedly in infrastructure workflows. (github.com)

The same documentation says the skill includes guidance for Helm, Kustomize and policy engines such as Kyverno and OPA/Gatekeeper. That places the project alongside existing Kubernetes validation tooling rather than as a replacement for it, with the difference that it is aimed at steering the model before invalid or risky manifests are produced. (lukasniessen.github.io)

### Where can users inspect or install it now?

The GitHub repository includes installation instructions that tell users to clone the project into a Claude skills directory under their home folder. The documentation page also links the same repository and lists the feature set, reference coverage and license terms. As of May 18, 2026, those two pages are the primary public sources for the project’s code and usage details. (github.com) (lukasniessen.github.io)
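
The failure patterns the README and documentation list (removed APIs, wildcard RBAC, missing limits and security contexts, selector and port mismatches) can be expressed as static checks over parsed manifests. The following is an added illustration, not code from KubeShark; the manifests, the `check` function and the finding names are constructed for this example.

```python
# Constructed sample manifests, as the dicts a YAML parser would return.
DEPLOY = {"apiVersion": "extensions/v1beta1", "kind": "Deployment",
          "metadata": {"name": "web"},
          "spec": {"template": {
              "metadata": {"labels": {"app": "web"}},
              "spec": {"containers": [{"name": "web", "image": "example/web:1.0",
                                       "ports": [{"containerPort": 8080}]}]}}}}
SERVICE = {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "web"},
           "spec": {"selector": {"app": "webapp"},
                    "ports": [{"port": 80, "targetPort": 8000}]}}
ROLE = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"name": "ci"},
        "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get", "*"]}]}

# API versions no longer served by current clusters; value is the replacement.
REMOVED_APIS = {("extensions/v1beta1", "Deployment"): "apps/v1",
                ("extensions/v1beta1", "Ingress"): "networking.k8s.io/v1"}

def check(manifests):
    out = []  # (resource, finding, detail) tuples
    deploys = [m for m in manifests if m["kind"] == "Deployment"]
    for m in manifests:
        kind, name = m["kind"], f'{m["kind"]}/{m["metadata"]["name"]}'
        if (m["apiVersion"], kind) in REMOVED_APIS:
            out.append((name, "removed-api", REMOVED_APIS[m["apiVersion"], kind]))
        if kind in ("Role", "ClusterRole"):
            for rule in m.get("rules", []):
                out += [(name, "wildcard-rbac", f) for f in
                        ("apiGroups", "resources", "verbs") if "*" in rule.get(f, [])]
        if kind == "Deployment":
            for c in m["spec"]["template"]["spec"]["containers"]:
                if "limits" not in c.get("resources", {}):
                    out.append((name, "no-resource-limits", c["name"]))
                if "securityContext" not in c:  # container-level context only
                    out.append((name, "no-security-context", c["name"]))
        if kind == "Service" and m["spec"].get("selector"):
            sel = m["spec"]["selector"].items()
            pods = [d["spec"]["template"] for d in deploys
                    if sel <= d["spec"]["template"]["metadata"].get("labels", {}).items()]
            if not pods:
                out.append((name, "selector-matches-no-pods", dict(sel)))
            # containerPort is informational, so a port mismatch is a warning only.
            declared = {p["containerPort"] for t in pods
                        for c in t["spec"]["containers"] for p in c.get("ports", [])}
            for p in m["spec"]["ports"] if pods else []:
                tp = p.get("targetPort", p["port"])
                if isinstance(tp, int) and tp not in declared:
                    out.append((name, "targetport-not-declared", tp))
    return out
```

Each of the three sample manifests is valid on its own; the Service findings only appear when it is compared against the Deployment, which is the cross-resource case the documentation describes.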
