Build a Kustomize overlay structure for three environments (dev, staging, prod) that patches replica counts, resource limits, and image tags without duplicating base manifests
Create a base/ directory with a kustomization.yaml that lists all shared Kubernetes manifests (Deployment, Service, ConfigMap) and sets commonLabels; do not include environment-specific values in the base
Create overlays/dev/, overlays/staging/, and overlays/prod/ directories each with a kustomization.yaml that sets resources: [../../base] and adds environment-specific patches
In each overlay, use a strategic merge patch YAML file to override the Deployment's spec.replicas and spec.template.spec.containers[0].resources.limits fields; use a separate patch per concern rather than one large patch file
Use images: in each overlay's kustomization.yaml to override the container image tag without touching the Deployment manifest (newName: registry/app, newTag: git-$COMMIT_SHA); because kustomize build does not expand environment variables, have CI write the commit-specific tag into the overlay with kustomize edit set image before running kustomize build
Add a configMapGenerator in the prod overlay with a literals block containing environment-specific config values; use generatorOptions: disableNameSuffixHash: true only for configs that are referenced by name from other resources outside the Kustomize boundary
Run kustomize build overlays/prod | kubeval and kustomize build overlays/prod | kubectl diff -f - in CI to validate and diff the rendered output against the live cluster before applying
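The steps above as one runnable scaffold, added here as an example rather than code from the original route: it writes the base/ and overlays/ layout with one strategic merge patch per concern, the per-overlay images: override, the prod-only configMapGenerator, and a CI function that pins the tag and runs the validate-and-diff pipeline. The Deployment name "app", the image registry/app, and the replica, limit and config values are assumed placeholders.

```shell
# Added example, not part of the original route: scaffold the base/ + overlays/
# layout described above and wire the CI step. Assumed names: a Deployment called
# "app" using image registry/app; replica counts, limits and the config literal
# are constructed values.
set -eu

scaffold_kustomize() {
  root="$1"
  mkdir -p "$root/base" "$root/overlays/dev" "$root/overlays/staging" "$root/overlays/prod"
  # base/: shared manifests only; no replicas, limits or tags here
  cat > "$root/base/deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  template:
    spec:
      containers:
        - name: app
          image: registry/app
EOF
  # commonLabels are also injected into the Deployment selector, so treat them as immutable
  cat > "$root/base/kustomization.yaml" <<'EOF'
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
  app.kubernetes.io/name: app
resources:
  - deployment.yaml
EOF
  # overlays/: one strategic merge patch per concern, values per environment
  for env in dev staging prod; do
    case "$env" in
      dev)     replicas=1; cpu=250m;  mem=256Mi ;;
      staging) replicas=2; cpu=500m;  mem=512Mi ;;
      prod)    replicas=4; cpu=1000m; mem=1Gi   ;;
    esac
    dir="$root/overlays/$env"
    cat > "$dir/replicas.yaml" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: $replicas
EOF
    cat > "$dir/limits.yaml" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  template:
    spec:
      containers:
        - name: app   # merge key: matched against the base container by name
          resources:
            limits:
              cpu: $cpu
              memory: $mem
EOF
    cat > "$dir/kustomization.yaml" <<EOF
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
patches:
  - path: replicas.yaml
  - path: limits.yaml
images:
  - name: registry/app
    newName: registry/app
    newTag: $env   # placeholder; CI overwrites it with git-<sha> (see ci_render_and_diff)
EOF
  done
  # prod only: the generated ConfigMap keeps its hash suffix, so a content
  # change renames it and rolls the Deployment that references it
  cat >> "$root/overlays/prod/kustomization.yaml" <<'EOF'
configMapGenerator:
  - name: app-config
    literals:
      - LOG_LEVEL=warn
EOF
}

# CI step: pin the tag to the commit, then validate and diff against the cluster.
# Needs kustomize, kubeval and kubectl on PATH; kubectl diff exits 1 when the
# rendered output differs from the live objects.
ci_render_and_diff() {
  overlay="$1"; sha="$2"
  (cd "$overlay" && kustomize edit set image "registry/app=registry/app:git-$sha")
  kustomize build "$overlay" | kubeval
  kustomize build "$overlay" | kubectl diff -f -
}
```

Run scaffold_kustomize ./k8s once to generate the tree, then ci_render_and_diff ./k8s/overlays/prod "$COMMIT_SHA" from the pipeline; treat a non-zero exit from kubectl diff as "review the change", not as a build failure, since it also fires on the intended drift.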
Known gotchas
Strategic merge patches require the target resource to have the same apiVersion, kind, name, and namespace as the base resource; a mismatch in any field causes the patch to silently fail to apply, leaving the base value unchanged
ConfigMap and Secret generators append a content hash suffix to the generated resource name by default; any Deployment that references the ConfigMap by a fixed name will not pick up the new generated name, breaking the rolling update trigger unless the Deployment also uses a nameReference transformer
kustomize build does not validate that patches target resources that exist in the base; a patch targeting a resource that was removed from base will silently produce no output and no error, making the overlay drift undetected
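A pre-flight check for the first and third gotchas, added as an example and not part of the original route: before kustomize build runs in CI, confirm that every strategic merge patch in an overlay names an apiVersion/kind/name pair that actually exists in base/, so a renamed or removed base resource is reported instead of the patch quietly having no effect. It assumes one resource per YAML file with no multi-document manifests; the fixture it builds is constructed.

```shell
# Added example, not part of the original route: verify that each overlay patch
# targets a resource present in base/ before building. Assumes one resource per
# file (no "---" multi-document manifests); the fixture below is constructed.
set -eu

# print "apiVersion kind name" for the single resource in a manifest
resource_id() {
  awk '
    /^apiVersion:/  { v=$2 }
    /^kind:/        { k=$2 }
    /^metadata:/    { m=1; next }
    m && /^  name:/ { n=$2; m=0 }
    /^[^ ]/         { m=0 }       # any other top-level key ends the metadata block
    END { print v, k, n }' "$1"
}

# returns the number of patches in $overlay that match nothing in $base (0 = clean)
check_patch_targets() {
  base="$1"; overlay="$2"; bad=0
  for patch in "$overlay"/*.yaml; do
    [ "$(basename "$patch")" = kustomization.yaml ] && continue
    id=$(resource_id "$patch")
    found=0
    for b in "$base"/*.yaml; do
      [ "$(basename "$b")" = kustomization.yaml ] && continue
      [ "$(resource_id "$b")" = "$id" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
      echo "no base target for $patch ($id): patch would be a no-op" >&2
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# constructed fixture: a base Deployment "app", one patch that matches it and
# one left over from before the resource was renamed from "app-old"
make_fixture() {
  root="$1"
  mkdir -p "$root/base" "$root/overlays/prod"
  printf 'apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: app\nspec: {}\n' \
    > "$root/base/deployment.yaml"
  printf 'apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: app\nspec:\n  replicas: 3\n' \
    > "$root/overlays/prod/replicas.yaml"
  printf 'apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: app-old\nspec:\n  replicas: 3\n' \
    > "$root/overlays/prod/old-replicas.yaml"
}
```

Wire check_patch_targets base overlays/prod into the pipeline ahead of kustomize build and fail the job on a non-zero return; the check compares the same three fields the strategic merge matcher uses, so a namespace mismatch still has to be caught separately if your base sets metadata.namespace.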