competition-k8s-control-plane
Competition K8s Control Plane
Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the decisive path runs through Kubernetes control-plane state, API permissions, or controller behavior rather than a single container's runtime alone.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Separate manifest intent from live cluster state: API objects, mutations, controllers, secrets, and resulting workloads.
- Identify the active principal first: service account, kubeconfig identity, node credential, webhook, or controller.
- Map the smallest control-plane edge to its workload effect.
- Keep RBAC, service accounts, owner references, namespace boundaries, and secret consumers in compact evidence blocks.
- Reproduce the smallest cluster action that yields the decisive workload or secret effect.
Workflow
1. Map The API Trust Path
- Record namespaces, service accounts, Roles, ClusterRoles, bindings, admission hooks, controllers, and the resources they can mutate.
- Distinguish read access, create access, patch access, exec access, and secret access.
- Keep principal, verb, resource, namespace, and resulting object in one chain.
2. Trace Mutation To Workload State
- Show how an API action becomes a pod, volume mount, secret exposure, env injection, job run, or controller-created artifact.
- Compare checked-in YAML against live objects after defaulting, admission mutation, or controller reconciliation.
- Distinguish pod-runtime behavior from cluster-level mutation logic.
3. Reduce To The Decisive Cluster Path
- Compress the result to the smallest chain: principal -> API permission -> mutated object -> resulting workload, secret, or route effect.
- Keep kube objects, live describes, and consumed secret or config paths tied to the same namespace and controller.
- If the problem narrows down to one container's mount or runtime deviation, switch back to the tighter container-runtime skill.
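The trust-path mapping in step 1 and the compression in step 3, as an added Python example that is not part of this skill or any project: it resolves one ServiceAccount's effective RBAC edges (principal -> verb -> resource -> namespace -> granting binding) from Role and binding objects and flags the edges that touch secrets, exec or token creation. All objects, names and namespaces are constructed for illustration.

```python
# Added example, not part of the skill: resolve one principal's effective RBAC chain
# (scope, apiGroup, resource, verb, granting binding) from Role/ClusterRole/(Cluster)RoleBinding
# objects shaped like `kubectl get ... -o json` items. All objects below are constructed samples.
SENSITIVE = {("", "secrets"), ("", "pods/exec"), ("", "serviceaccounts/token")}

def _is_subject(s: dict, sa_ns: str, sa_name: str) -> bool:
    return (s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
            and s.get("namespace") == sa_ns)

def effective_rules(sa_ns: str, sa_name: str, roles: list, bindings: list) -> list:
    """Return (scope, apiGroup, resource, verb, binding) tuples; scope is a namespace or '*'."""
    by_ref = {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]): r
              for r in roles}
    chain = []
    for b in bindings:
        if not any(_is_subject(s, sa_ns, sa_name) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        # A RoleBinding referencing a ClusterRole grants it only in the binding's namespace.
        scope = b["metadata"]["namespace"] if b["kind"] == "RoleBinding" else "*"
        role = by_ref.get((ref["kind"], scope if ref["kind"] == "Role" else "", ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        for rule in role.get("rules", []):
            for group in rule.get("apiGroups", [""]):
                for res in rule.get("resources", []):
                    for verb in rule.get("verbs", []):
                        chain.append((scope, group, res, verb, f'{b["kind"]}/{b["metadata"]["name"]}'))
    return chain

def sensitive_edges(chain: list) -> list:
    """Edges worth their own evidence block: secret access, exec, token minting, wildcards."""
    return [e for e in chain if (e[1], e[2]) in SENSITIVE or e[2] == "*" or e[3] == "*"]

APP_A = {"kind": "ServiceAccount", "name": "app", "namespace": "team-a"}  # constructed
APP_B = {"kind": "ServiceAccount", "name": "app", "namespace": "team-b"}  # same name, other ns
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"namespace": "team-a", "name": "reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-admin"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "create"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": "team-a", "name": "reader-rb"},
     "subjects": [APP_A], "roleRef": {"kind": "Role", "name": "reader"}},
    {"kind": "RoleBinding", "metadata": {"namespace": "team-a", "name": "secrets-rb"},
     "subjects": [APP_A], "roleRef": {"kind": "ClusterRole", "name": "secret-admin"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "other-crb"},
     "subjects": [APP_B], "roleRef": {"kind": "ClusterRole", "name": "secret-admin"}},
]
```

Each tuple from `sensitive_edges(effective_rules("team-a", "app", SAMPLE_ROLES, SAMPLE_BINDINGS))` is one evidence line of the form principal -> verb -> resource -> namespace -> binding; the same-named ServiceAccount in team-b is correctly excluded because subjects match on namespace as well as name.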
Read This Reference
- Load references/k8s-control-plane.md for the RBAC checklist, controller checklist, and evidence packaging.
- If the hard part is metadata-service reachability, workload identity, instance credentials, or metadata-derived privilege, prefer $competition-cloud-metadata-path.
What To Preserve
- Namespace, service account, verb, resource kind, RoleBinding or ClusterRoleBinding, and owner reference chains
- Admission mutations, generated workloads, mounted secrets, and controller-produced drift
- The exact API action or object diff that creates the decisive effect