Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 21 additions & 1 deletion rh-developer/.catalog/collection.json
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
"Automation"
],
"contents": {
"description": "The pack provides 15 skills for developer workflows on OpenShift and RHEL, including two orchestration skills\nfor end-to-end containerize-and-deploy and structured incident investigation.\n",
"description": "The pack provides 17 skills for developer workflows on OpenShift and RHEL, including two orchestration skills\nfor end-to-end containerize-and-deploy and structured incident investigation.\n",
"orchestration_skills": [
{
"description": "End-to-end containerize and deploy",
Expand Down Expand Up @@ -84,6 +84,16 @@
"name": "debug-container",
"summary_markdown": "Diagnose Podman/Docker local container failures.\n**Use when:**\n- \"Container exits immediately locally\"\n- \"Cannot pull image locally\"\n**What it does:**\n- Inspects local container state and logs.\n- Complements OpenShift debug skills.\n"
},
{
"description": "OpenShift SCC violation diagnostics",
"name": "debug-scc",
"summary_markdown": "Diagnose Security Context Constraint violations blocking pod creation on OpenShift.\n**Use when:**\n- \"SCC violation\"\n- \"Pod blocked by security context constraint\"\n- \"FailedCreate forbidden\"\n**What it does:**\n- Parses SCC rejection messages from ReplicaSet events.\n- Identifies non-compliant securityContext fields (runAsUser, capabilities, privilege escalation).\n- Checks ServiceAccount SCC bindings and suggests targeted fixes.\n"
},
{
"description": "OpenShift RBAC diagnostics",
"name": "debug-rbac",
"summary_markdown": "Diagnose RBAC permission failures causing 403 Forbidden errors on OpenShift.\n**Use when:**\n- \"RBAC denied\"\n- \"403 forbidden in pod logs\"\n- \"Missing RoleBinding\"\n**What it does:**\n- Analyzes pod logs for FORBIDDEN errors and readiness probe failures.\n- Identifies missing Role/RoleBinding for ServiceAccounts.\n- Detects regression patterns where bindings are repeatedly removed.\n"
},
{
"description": "RHEL host diagnostics",
"name": "debug-rhel",
Expand Down Expand Up @@ -126,6 +136,16 @@
"skill_to_use": "incident-triage",
"user_request": "\"Investigate this incident\" or \"root cause analysis\" or \"triage this alert\""
},
{
"reason": "Parses SCC rejection messages and identifies non-compliant security context fields.",
"skill_to_use": "debug-scc",
"user_request": "\"SCC violation\" or \"pod blocked by security context\""
},
{
"reason": "Traces missing RoleBindings and ServiceAccount permissions.",
"skill_to_use": "debug-rbac",
"user_request": "\"RBAC denied\" or \"403 forbidden in pod logs\""
},
{
"reason": "Pre-flight before deploy or heavy debug.",
"skill_to_use": "validate-environment",
Expand Down
32 changes: 31 additions & 1 deletion rh-developer/.catalog/collection.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ summary: The rh-developer collection provides skills to detect projects, build i
validate environments, and debug builds, pods, pipelines, networks, and hosts.
contents:
description: |
The pack provides 15 skills for developer workflows on OpenShift and RHEL, including two orchestration skills
The pack provides 17 skills for developer workflows on OpenShift and RHEL, including two orchestration skills
for end-to-end containerize-and-deploy and structured incident investigation.
skills:
- name: detect-project
Expand Down Expand Up @@ -148,6 +148,30 @@ contents:
**What it does:**
- Inspects local container state and logs.
- Complements OpenShift debug skills.
- name: debug-scc
description: OpenShift SCC violation diagnostics
summary_markdown: |
Diagnose Security Context Constraint violations blocking pod creation on OpenShift.
**Use when:**
- "SCC violation"
- "Pod blocked by security context constraint"
- "FailedCreate forbidden"
**What it does:**
- Parses SCC rejection messages from ReplicaSet events.
- Identifies non-compliant securityContext fields (runAsUser, capabilities, privilege escalation).
- Checks ServiceAccount SCC bindings and suggests targeted fixes.
- name: debug-rbac
description: OpenShift RBAC diagnostics
summary_markdown: |
Diagnose RBAC permission failures causing 403 Forbidden errors on OpenShift.
**Use when:**
- "RBAC denied"
- "403 forbidden in pod logs"
- "Missing RoleBinding"
**What it does:**
- Analyzes pod logs for FORBIDDEN errors and readiness probe failures.
- Identifies missing Role/RoleBinding for ServiceAccounts.
- Detects regression patterns where bindings are repeatedly removed.
- name: debug-rhel
description: RHEL host diagnostics
summary_markdown: |
Expand Down Expand Up @@ -208,6 +232,12 @@ contents:
- user_request: '"Investigate this incident" or "root cause analysis" or "triage this alert"'
skill_to_use: incident-triage
reason: Multi-resource investigation with Five Whys, guardrails, and due diligence.
- user_request: '"SCC violation" or "pod blocked by security context"'
skill_to_use: debug-scc
reason: Parses SCC rejection messages and identifies non-compliant security context fields.
- user_request: '"RBAC denied" or "403 forbidden in pod logs"'
skill_to_use: debug-rbac
reason: Traces missing RoleBindings and ServiceAccount permissions.
- user_request: '"Check my tools" or "validate cluster access"'
skill_to_use: validate-environment
reason: Pre-flight before deploy or heavy debug.
Expand Down
4 changes: 4 additions & 0 deletions rh-developer/CLAUDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ Match the user's request to the correct skill:
| Build failure, BuildConfig error, S2I error, build logs, failed build | `/debug-build` |
| Pod failure, CrashLoopBackOff, ImagePullBackOff, OOMKilled, Pending pod | `/debug-pod` |
| Container issue, Podman/Docker failure, local container debug, container crash | `/debug-container` |
| SCC violation, pod blocked by SCC, security context constraint, FailedCreate forbidden | `/debug-scc` |
| RBAC denied, 403 forbidden, missing RoleBinding, ServiceAccount permission denied | `/debug-rbac` |
| Network issue, DNS, Service connectivity, Route, NetworkPolicy, ingress | `/debug-network` |
| Pipeline failure, Tekton, PipelineRun, TaskRun error, pipeline logs | `/debug-pipeline` |
| RHEL issue, systemd, SELinux, firewall, journal logs, system service | `/debug-rhel` |
Expand All @@ -43,6 +45,8 @@ Some workflows require multiple skills in sequence:
- **Pre-flight check**: Run `/validate-environment` before any deployment skill
- **Build failure recovery**: `/debug-build` -> fix -> `/s2i-build` retry
- **Pod failure recovery**: `/debug-pod` or `/debug-network` -> fix -> `/deploy` retry
- **SCC violation recovery**: `/debug-scc` -> fix security context or grant SCC -> `/deploy` retry
- **RBAC failure recovery**: `/debug-rbac` -> create Role/RoleBinding -> verify pod readiness
- **RHEL failure recovery**: `/debug-rhel` or `/debug-container` -> fix -> `/rhel-deploy` retry
- **Incident triage**: `/incident-triage` -> identifies root cause -> routes to `/debug-pod`, `/debug-network`, or `/deploy` for targeted fix

Expand Down
Loading
Loading