kubernetes-ontology-access
- Repo stars 0
- Author updated Live
- Author repo skills-registry
- Domain
- DevOps
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @tomevault-io · no license declared
- Token usage
- Moderate
- Setup complexity
- Guided setup
- External API key
- Not required
- Operating systems
- macOS · Linux · Windows
- Runtime requirements
- Node.js
- Permissions
-
- Read-only
- Write / modify
- Shell exec
- Network behavior
- External requests
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: kubernetes-ontology-access
description: Use this skill whenever a user wants to onboard, deploy, install, or operate kubernetes-ontology…
category: devops
runtime: Node.js
---
# kubernetes-ontology-access output preview
## PART A: Task fit
- Use case: Use this skill whenever a user wants to onboard, deploy, install, or operate kubernetes-ontology; set up its Helm chart, release CLI, daemon, or topology viewer; run Kubernetes topology queries; diagnose Pod or Workload failures with AI-agent workflows; or connect human visual troubleshooting to the CLI and HTTP API. This skill should trigger for requests about Kubernetes ontology onboarding, Helm deployment, topology query, diagnostic subgraph, ImagePullBackOff or storage/RBAC/Event graph troubleshooting, viewer usage, and agent integration..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Operating Posture / First Response Checklist / Safety Model” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Use this skill whenever a user wants to onboard, deploy, install, or operate kubernetes-ontology; set up its Helm chart, release CLI, daemon, or topology viewer; run Kubernetes topology queries; diagnose Pod or Workload failures with AI-agent workflows; or connect human visual troubleshooting to the CLI and HTTP API. This skill should trigger for requests about Kubernetes ontology onboarding, Helm deployment, topology query, diagnostic subgraph, ImagePullBackOff or storage/RBAC/Event graph troubleshooting, viewer usage, and agent integration.”.
- **02** When the source has headings, the agent prioritizes “Operating Posture / First Response Checklist / Safety Model” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files, run shell commands; may access external network resources; usually needs no extra API key.
## Running Rules
- read files, write/modify files, run shell commands; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source mentions slash commands such as `/absolute`, `/usr`; use them first when your agent supports command triggers.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files, run shell commands.
Start with a small task and check whether the result follows “Operating Posture / First Response Checklist / Safety Model”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: kubernetes-ontology-access
description: Use this skill whenever a user wants to onboard, deploy, install, or operate kubernetes-ontology…
category: devops
source: tomevault-io/skills-registry
---
# kubernetes-ontology-access
## When to use
- Use this skill whenever a user wants to onboard, deploy, install, or operate kubernetes-ontology; set up its Helm char…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Operating Posture / First Response Checklist / Safety Model” and keep inference separate from source facts.
- read files, write/modify files, run shell commands; may access external network resources; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "kubernetes-ontology-access" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Operating Posture / First Response Checklist / Safety Model
rules -> SKILL.md triggers / order / output contract
runtime -> Node.js | read files, write/modify files, run shell commands | may access external network resources
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Kubernetes Ontology Access
Guide users from zero to useful diagnosis with kubernetes-ontology.
This skill is the repository's onboarding playbook for three connected modes:
- AI-agent automatic troubleshooting through stable daemon-backed queries.
- CLI-driven topology and diagnostic inspection.
- Human visual intervention through the topology viewer.
Prefer read-only, daemon-backed workflows. The project observes Kubernetes objects and builds an in-memory graph; it must not mutate observed workloads.
Operating Posture
Do not merely summarize the docs. Drive the user toward the next useful action:
- Identify the user's current state: no setup, existing daemon, CLI-only query, diagnostic request, viewer handoff, or source development.
- Choose the shortest path that satisfies the request.
- Give concrete commands the user or agent can run next, with safe defaults named inline.
- When command output is needed, ask for or run that command before moving to later steps.
- Keep cluster-changing actions explicit: ask for confirmation before running
helm upgrade --installor any command that changes cluster resources. - Do not require a repository checkout for CLI-only diagnostics against an already running daemon.
First Response Checklist
When this skill triggers, quickly establish:
- Whether the user is inside a local checkout of this repository.
- Target cluster context and logical cluster name.
- Desired namespaces for collection (
contextNamespaces). - Deployment path: release binary server + client for private clusters or short-lived local diagnosis, Helm + release CLI when cluster nodes can pull the image, source build for development.
- Whether the environment can reach GitHub Releases and whether cluster nodes
can pull
ghcr.ioor an internal mirror. - Diagnostic entry, if known:
PodorWorkload, namespace, and name. - Whether they want the viewer opened for human inspection.
If values are missing and a safe default exists, proceed with the default and name it. Ask only for values that are required and cannot be inferred, such as the target namespace/name for a diagnostic query.
Safety Model
Explain this once when onboarding a new user:
- Runtime collection is read-only against observed Kubernetes resources.
- Helm installs this project's own Deployment, Service, ServiceAccount, ConfigMap, viewer, and read-only RBAC.
- Release binary mode installs nothing in the cluster. It starts
kubernetes-ontologydon the host that has kubeconfig access, and optionally startskubernetes-ontology-vieweron that host. - The default RBAC includes
get,list, andwatch; Secret reads are enabled souses_secretedges can be collected. Use--set rbac.readSecrets=falsewhen Secret collection is not acceptable. - Keep the HTTP API and viewer behind
kubectl port-forwardor a controlled private network. Do not expose them directly to the public internet. - For short-lived diagnosis, tell the user exactly how to stop port-forwards, host-local binaries, and Helm resources after use.
Repository Pointers
When working from a checkout, read only the files needed for the current task:
README.mdorREADME.zh-CN.mdfor project overview.QUICKSTART.mdfor end-to-end setup and commands.AI_CONTRACT.mdfor downstream agent consumption rules.charts/kubernetes-ontology/values.yamlfor Helm values.Makefilefor local build, server, CLI, and viewer targets.
Recommended Onboarding Flow
Choose the deployment path from network constraints first:
- Use release binary server + client when the cluster is private, air-gapped, cannot pull public images, or the user wants no in-cluster footprint.
- Use Helm + release CLI when the cluster can pull the configured image, or the image has been mirrored to an internal registry.
- Use source build only for contributors or local code changes.
Only guide the user to clone the repository when the current path needs files
from the checkout, such as the local Helm chart under
charts/kubernetes-ontology, source development, or local viewer development.
If the user only needs CLI queries against an existing daemon, skip the clone.
When a checkout is needed and the user does not already have one, use:
git clone https://github.com/Colvin-Y/kubernetes-ontology.git
cd kubernetes-ontology
If the user is not ready to deploy yet, first verify prerequisites and collect the target cluster, logical cluster name, and namespaces. Then return to the checkout step only when deploying the chart or using source-local commands.
1. Verify Prerequisites
Check or ask the user to check:
kubectl config current-context
kubectl get namespace
Check helm version only for the Helm path. For private environments, explicitly
ask whether cluster nodes can pull ghcr.io/colvin-y/kubernetes-ontology or an
internal mirror. If they cannot, prefer the release binary path.
If the user expects the agent to run commands, confirm before using any command
that changes cluster resources, including helm upgrade --install.
2. Release Binary Server + Client
Use this path when the user wants a simple binary workflow or the cluster cannot pull the published image. A GitHub Release archive contains:
kubernetes-ontologyd: the read-only server that talks to the Kubernetes API.kubernetes-ontology: the CLI client that talks to the server.kubernetes-ontology-viewer: optional local viewer.local/kubernetes-ontology.yaml.example: a config template.
Download or transfer the archive for the selected version and platform:
export KO_VERSION=v0.1.7
curl -LO "https://github.com/Colvin-Y/kubernetes-ontology/releases/download/${KO_VERSION}/kubernetes-ontology_${KO_VERSION}_linux_amd64.tar.gz"
tar -xzf "kubernetes-ontology_${KO_VERSION}_linux_amd64.tar.gz"
cd "kubernetes-ontology_${KO_VERSION}_linux_amd64"
Use linux_amd64, linux_arm64, darwin_amd64, darwin_arm64, or
windows_amd64.zip for other hosts. If the private environment cannot access
GitHub, tell the user to download the archive elsewhere and transfer it through
their approved internal channel.
Release CLI binaries check GitHub Releases with a short best-effort timeout during normal use when version metadata is present. When a release CLI is already installed, prefer checking before longer troubleshooting sessions:
./kubernetes-ontology --version
./kubernetes-ontology --check-update
If a newer release is available and the environment permits downloading from GitHub, the user can update the CLI in place:
./kubernetes-ontology --update
Use --no-update-check or KUBERNETES_ONTOLOGY_SKIP_UPDATE_CHECK=1 for
offline or tightly controlled scripts.
Create or adapt kubernetes-ontology.yaml:
cp local/kubernetes-ontology.yaml.example kubernetes-ontology.yaml
Then edit the kubeconfig path, logical cluster name, namespace scope, and any cluster-specific workload, controller, or CSI rules:
kubeconfig: /absolute/path/to/kubeconfig.yaml
cluster: your-logical-cluster
contextNamespaces:
- default
- kube-system
server:
addr: 127.0.0.1:18080
bootstrapTimeout: 2m
streamMode: informer
Run the server in the foreground unless the user explicitly wants a background process:
./kubernetes-ontologyd --config ./kubernetes-ontology.yaml
If a background process is useful for a short session:
nohup ./kubernetes-ontologyd --config ./kubernetes-ontology.yaml > kubernetes-ontologyd.log 2>&1 &
echo $! > kubernetes-ontologyd.pid
Confirm readiness from another terminal:
./kubernetes-ontology --server "http://127.0.0.1:18080" --status
Optional local viewer:
./kubernetes-ontology-viewer --server "http://127.0.0.1:18080"
When done, stop foreground processes with Ctrl-C. For background processes:
kill "$(cat kubernetes-ontologyd.pid)"
If the viewer was backgrounded, kill that PID too. Remind the user to remove temporary logs, pid files, and copied kubeconfigs according to their local security policy.
3. Deploy The Helm Chart
Use a release version and image. If the user did not specify one, use the latest project release they selected or the version already present in the repository docs. Do not invent a future version.
export KO_VERSION=v0.1.7
export KO_IMAGE=ghcr.io/colvin-y/kubernetes-ontology
helm upgrade --install kubernetes-ontology ./charts/kubernetes-ontology \
--namespace kubernetes-ontology \
--create-namespace \
--set image.repository="${KO_IMAGE}" \
--set image.tag="${KO_VERSION}" \
--set cluster="your-logical-cluster" \
--set contextNamespaces='{default,kube-system}'
For private clusters, mirror the image to an internal registry and set
KO_IMAGE to that mirror. If image mirroring is not available, use the release
binary path instead.
For all namespaces, remove the --set contextNamespaces=... line and use the
chart default empty list. For no Secret collection:
helm upgrade --install kubernetes-ontology ./charts/kubernetes-ontology \
--namespace kubernetes-ontology \
--reuse-values \
--set rbac.readSecrets=false
Wait for rollout:
kubectl -n kubernetes-ontology rollout status deploy/kubernetes-ontology
The viewer rollout exists when viewer.enabled=true, which is the chart
default:
kubectl -n kubernetes-ontology rollout status deploy/kubernetes-ontology-viewer
3. Port-Forward Server And Viewer
Use separate terminals or background sessions:
kubectl -n kubernetes-ontology port-forward svc/kubernetes-ontology 18080:18080
The viewer service exists when viewer.enabled=true, which is the chart
default:
kubectl -n kubernetes-ontology port-forward svc/kubernetes-ontology-viewer 8765:8765
If the user disabled the viewer, expose only the server or re-enable the viewer later.
Default endpoints:
- Server:
http://127.0.0.1:18080 - Viewer:
http://127.0.0.1:8765
4. Download The CLI
Download kubernetes-ontology from GitHub Releases for the selected
KO_VERSION. The repository release workflow packages kubernetes-ontology,
kubernetes-ontologyd, and kubernetes-ontology-viewer under an archive root
named kubernetes-ontology_${KO_VERSION}_${GOOS}_${GOARCH}. Choose the archive
suffix by platform:
- macOS Apple Silicon:
darwin_arm64.tar.gz - macOS Intel:
darwin_amd64.tar.gz - Linux x86_64:
linux_amd64.tar.gz - Linux ARM64:
linux_arm64.tar.gz - Windows x86_64:
windows_amd64.zip
Example for macOS Apple Silicon:
curl -LO "https://github.com/Colvin-Y/kubernetes-ontology/releases/download/${KO_VERSION}/kubernetes-ontology_${KO_VERSION}_darwin_arm64.tar.gz"
tar -tzf "kubernetes-ontology_${KO_VERSION}_darwin_arm64.tar.gz" | head
tar -xzf "kubernetes-ontology_${KO_VERSION}_darwin_arm64.tar.gz"
sudo install "kubernetes-ontology_${KO_VERSION}_darwin_arm64/kubernetes-ontology" /usr/local/bin/kubernetes-ontology
If the user is installing from a fork or custom release, inspect the archive
contents first and adjust the install path to the actual extracted directory.
If the user cannot use sudo, keep the binary in a local directory and invoke
it by path.
After installation, run kubernetes-ontology --check-update when network
access to GitHub Releases is allowed. Normal CLI calls also do this with a
short best-effort timeout and print a stderr notice when a newer release exists.
5. Confirm The Daemon Is Ready
kubernetes-ontology --server "http://127.0.0.1:18080" --status
Continue only when status shows Ready: true or Phase: ready. List,
entity, relation, expand, and diagnostic responses include lowercase
freshness.ready metadata that agents can use after the daemon is serving
queries. If the daemon is not ready, inspect rollout logs and retry status.
6. Cleanup For Short-Lived Use
For Helm path:
# Stop any foreground port-forward terminals with Ctrl-C first.
helm uninstall kubernetes-ontology --namespace kubernetes-ontology
Only delete the namespace if it was created exclusively for this install:
kubectl delete namespace kubernetes-ontology
For release binary path, stop kubernetes-ontologyd and any viewer process on
the host. The binary path leaves no cluster-side resources to uninstall.
AI-Agent Automatic Troubleshooting
Use this flow when the user asks the agent to diagnose a workload or pod.
Pod Entry
kubernetes-ontology \
--server "http://127.0.0.1:18080" \
--machine-errors \
--diagnose-pod \
--namespace default \
--name my-pod
Workload Entry
kubernetes-ontology \
--server "http://127.0.0.1:18080" \
--machine-errors \
--diagnose-workload \
--namespace default \
--name my-deployment
Agent Reasoning Rules
- Treat the response as a bounded evidence graph, not complete cluster truth.
- Check
schemaVersion,recipe,lanes,partial,warnings,degradedSources,budgets,rankedEvidence, andconflictsbefore forming a conclusion. - Use
managed_by_helm_releaseandinstalls_chartedges as Helm/package provenance when present, but describe them as label-derived evidence unless future exact manifest evidence is explicitly available. - For "helm upgrade failed" requests, diagnose current cluster state even if
the user lacks Helm CLI output. Say clearly that template, values,
repository, client, hook, and
--atomicrollback causes need user-provided Helm stderr/status/history. - When
helm_cli_output_not_observedorhelm_manifest_evidence_not_collectedappears, include it in the answer before naming a root cause. - Index nodes by
canonicalId; join edges byfromandto. - Prefer edge/node attributes and provenance over explanation text for hard conclusions.
- Use
rankedEvidencefirst for suspicion ranking, then explanation text for narrative. - If
budgets.truncated=true, say which budget was hit and suggest narrowing namespace/depth before raising graph caps. - If evidence is missing, report that it is missing from the current graph slice rather than claiming the object does not exist anywhere.
- Prefer asserted and observed facts before inferred shortcuts.
- Preserve conflicts in the user-facing answer instead of choosing one owner or cause silently.
- For contract details, consult
AI_CONTRACT.md.
Current limits to keep visible in agent reasoning:
rankedEvidencecurrently starts with Event evidence; not every signal type is ranked yet.explanationcontent is useful but best-effort narrative.- Traversal policy can hide valid facts outside the selected graph slice.
- Diagnostic budgets can intentionally truncate the graph. Treat
partial=trueas a correctness constraint, not a cosmetic warning. - CSI component correlation is configurable with
csiComponentRules; no driver-specific component inference runs unless a matching rule is configured. - A missing edge in one diagnostic response should be treated as missing evidence in that slice, not global absence.
Agent Output Template
For diagnostic answers, respond with:
## Summary
[1-3 sentence diagnosis]
## Evidence
- [partial/warning/budget/conflict status, if present]
- [rankedEvidence item, if present]
- [node/edge/provenance fact]
- [node/edge/provenance fact]
## Next Queries
```bash
[one or two targeted CLI commands]
```
## Human Viewer
Open http://127.0.0.1:8765 and load the same Pod or Workload diagnostic graph.
Avoid recommending cluster mutations unless the user explicitly asks for remediation and the evidence supports it.
CLI Query Playbook
Status:
kubernetes-ontology --server "http://127.0.0.1:18080" --status
List entities:
kubernetes-ontology \
--server "http://127.0.0.1:18080" \
--list-entities \
--entity-kind Pod \
--namespace default \
--limit 20
Resolve an entity and capture entity.entityGlobalId:
kubernetes-ontology \
--server "http://127.0.0.1:18080" \
--resolve-entity \
--entity-kind Pod \
--namespace default \
--name my-pod
Diagnose a Helm release after a failed upgrade:
Use this Incident Context Pack flow only with v0.1.6 or newer.
kubernetes-ontology \
--server "http://127.0.0.1:18080" \
--diagnose-helm-release \
--namespace default \
--name my-release \
--recipe helm-upgrade-runtime-failure
Use this when the user knows the release name but does not have the original
Helm CLI output. Follow the returned rankedEvidence, warnings,
degradedSources, and release-owned Workload/Pod nodes. If the response only
shows Helm metadata and no rollout blocker, ask for helm upgrade stderr,
helm status, or helm history.
Expand one entity:
kubernetes-ontology \
--server "http://127.0.0.1:18080" \
--expand-entity \
--entity-id 'your/entityGlobalId' \
--expand-depth 1 \
--limit 100
List filtered relations:
kubernetes-ontology \
--server "http://127.0.0.1:18080" \
--list-filtered-relations \
--from 'your/entityGlobalId' \
--relation-kind scheduled_on \
--limit 50
Common stable relation kinds include:
controlled_byowns_podscheduled_onselects_poduses_config_mapuses_secretuses_service_accountbound_by_role_bindingmounts_pvcbound_to_pvmanaged_by_helm_releaseinstalls_chartreported_by_eventaffected_by_webhookmanaged_by_csi_controllerserved_by_csi_node_agent
Human Visual Troubleshooting
Use the viewer when the user wants to inspect topology manually, validate an agent conclusion, compare graph branches, or export a visible subgraph.
Steps:
- Port-forward the viewer service.
- Open
http://127.0.0.1:8765. - Load live topology or a focused Pod/Workload diagnostic graph.
- Select nodes to inspect attributes, provenance, and edge kinds.
- Expand one hop when a relation needs more context.
- Export the visible graph as JSON when the agent needs to continue from the exact human-inspected state.
The Helm chart enables the viewer by default. If the user installed with
viewer.enabled=false, skip the viewer rollout and port-forward commands, or
enable it with:
helm upgrade --install kubernetes-ontology ./charts/kubernetes-ontology \
--namespace kubernetes-ontology \
--reuse-values \
--set viewer.enabled=true
If using the local development viewer instead of Helm:
make visualize
Or use the dependency-free release viewer:
kubernetes-ontology-viewer --server "http://127.0.0.1:18080"
Runtime Footprint And Cleanup
Always make the runtime footprint explicit during onboarding:
- Release binary path starts
kubernetes-ontologydon the host, and optionallykubernetes-ontology-viewer. It creates no Kubernetes resources. - Helm path creates Kubernetes Deployments for the server and viewer, Services,
a ServiceAccount, a ConfigMap, and read-only ClusterRole/ClusterRoleBinding
resources. It may also require
kubectl port-forwardprocesses on the user's workstation. - Source path starts local
make serveand optionalmake visualizeprocesses from the checkout.
For short-lived use, tell the user how to clean up before ending the session:
# Binary path, when backgrounded:
kill "$(cat kubernetes-ontologyd.pid)"
# Helm path:
helm uninstall kubernetes-ontology --namespace kubernetes-ontology
# Source path:
# stop the foreground make serve / make visualize terminals with Ctrl-C
Only suggest deleting the kubernetes-ontology namespace when it was created
solely for this install and the user confirms no other resources should remain.
Source Development Path
Use this path for contributors or local code changes:
make build build-daemon build-viewer
cp local/kubernetes-ontology.yaml.example local/kubernetes-ontology.yaml
Edit local/kubernetes-ontology.yaml, then run in separate terminals:
make serve
make visualize
CLI checks:
make status-server
make list-entities-server ENTITY_KIND=Pod NAMESPACE=default LIMIT=20
make diagnose-pod-server NAMESPACE=default NAME=my-pod
For code changes, verify:
make verify
make live-check NAMESPACE=default NAME=my-pod
Troubleshooting The Onboarding
If entry not found:
- Check exact namespace/name.
- List available entities in the namespace.
- Confirm
contextNamespacesincludes the target namespace, or is empty for all namespaces.
If status is not ready:
- Check the server rollout and pod logs.
- Confirm the ServiceAccount has read access to the needed resources.
- Increase
bootstrapTimeoutfor large or slow clusters.
If graph evidence seems too small:
- Increase diagnostic depth with
--max-depthor--storage-max-depth. - Use
--expand-terminal-nodesfor deliberate fan-out. - Expand selected viewer nodes one hop instead of loading the whole cluster.
If the viewer cannot load data:
- Confirm both port-forwards are running.
- Check
http://127.0.0.1:18080/status. - Restart the viewer port-forward and reload the page.
Source: Colvin-Y/kubernetes-ontology — distributed by TomeVault.
Decide Fit First
Design Intent
How To Use It
Boundaries And Review