**Agent skill: k8s-policy**

Kubernetes policy management with Kyverno and Gatekeeper. Use when enforcing security policies, validating resources, or auditing policy compliance.

Install this agent skill in your project:

```bash
npx add-skill https://github.com/rohitg00/kubectl-mcp-server/tree/main/kubernetes-skills/claude/k8s-policy
```

Metadata (additional technical details for this skill):

- tools: 6
- author: rohitg00
- version: 1.0.0
- category: security

---

SKILL.md:
# Kubernetes Policy Management

Manage policies using kubectl-mcp-server's Kyverno and Gatekeeper tools.

## When to Apply

Use this skill when:
- User mentions: "Kyverno", "Gatekeeper", "OPA", "policy", "compliance"
- Operations: enforcing policies, checking violations, policy audit
- Keywords: "require labels", "block privileged", "validate", "enforce"
## Priority Rules
| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Detect policy engine first | CRITICAL | kyverno_detect_tool, gatekeeper_detect_tool |
| 2 | Use Audit mode before Enforce | HIGH | validationFailureAction |
| 3 | Check policy reports for violations | HIGH | kyverno_clusterpolicyreports_list_tool |
| 4 | Review constraint templates | MEDIUM | gatekeeper_constrainttemplates_list_tool |
## Quick Reference

| Task | Tool | Example |
|---|---|---|
| List Kyverno cluster policies | kyverno_clusterpolicies_list_tool | `kyverno_clusterpolicies_list_tool()` |
| Get Kyverno policy | kyverno_clusterpolicy_get_tool | `kyverno_clusterpolicy_get_tool(name)` |
| List Gatekeeper constraints | gatekeeper_constraints_list_tool | `gatekeeper_constraints_list_tool()` |
| Get constraint | gatekeeper_constraint_get_tool | `gatekeeper_constraint_get_tool(kind, name)` |
## Kyverno

### Detect Installation

```python
kyverno_detect_tool()
```

### List Policies

```python
kyverno_clusterpolicies_list_tool()
kyverno_policies_list_tool(namespace="default")
```

### Get Policy Details

```python
kyverno_clusterpolicy_get_tool(name="require-labels")
kyverno_policy_get_tool(name="require-resources", namespace="default")
```

### Policy Reports

```python
kyverno_clusterpolicyreports_list_tool()
kyverno_policyreports_list_tool(namespace="default")
```
### Common Kyverno Policies

```python
kubectl_apply(manifest="""
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-app-label
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Label 'app' is required"
        pattern:
          metadata:
            labels:
              app: "?*"
""")
```

```python
kubectl_apply(manifest="""
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-limits
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-cpu-memory
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "CPU and memory limits required"
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    cpu: "?*"
                    memory: "?*"
""")
```
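To see what the two `validate.pattern` rules above actually accept before they are enforced in a cluster, here is an added offline evaluator (example code written for this page, not Kyverno's own implementation). It re-implements the pattern semantics the policies rely on: `?` matches exactly one character, `*` any run, so `"?*"` means "present and non-empty", and a single pattern list element applies to every element of the resource list, which is why one `- resources:` entry covers all containers. The policies are copied as Python dicts; `require-limits` is switched to Audit here (the manifest says Enforce) to show the difference priority rule 2 is about. The sample Pods are constructed.

```python
import re

# Added example (not Kyverno's code): a dry-run evaluator for the two
# ClusterPolicy "validate.pattern" rules above.
# Pattern wildcards: "?" matches exactly one character, "*" matches any run,
# so "?*" means "present and non-empty".


def _wildcard_match(pattern: str, value) -> bool:
    if value is None:
        return False
    regex = "".join({"?": ".", "*": ".*"}.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(regex, str(value), re.DOTALL) is not None


def matches(pattern, resource) -> bool:
    """True when `resource` satisfies `pattern`: every key in the pattern must
    exist in the resource and match; a pattern list element applies to every
    element of the resource list (one `- resources:` entry covers all containers)."""
    if isinstance(pattern, dict):
        return isinstance(resource, dict) and all(
            k in resource and matches(v, resource[k]) for k, v in pattern.items())
    if isinstance(pattern, list):
        return isinstance(resource, list) and all(
            matches(p, item) for p in pattern for item in resource)
    if isinstance(pattern, str):
        return _wildcard_match(pattern, resource)
    return pattern == resource


# The two policies from the manifests above as dicts. require-limits is set to
# Audit here (the manifest says Enforce) to show priority rule 2: Audit records
# the violation, Enforce rejects the request.
POLICIES = [
    {"name": "require-labels", "action": "Enforce", "kinds": ["Pod"],
     "message": "Label 'app' is required",
     "pattern": {"metadata": {"labels": {"app": "?*"}}}},
    {"name": "require-limits", "action": "Audit", "kinds": ["Pod"],
     "message": "CPU and memory limits required",
     "pattern": {"spec": {"containers": [
         {"resources": {"limits": {"cpu": "?*", "memory": "?*"}}}]}}},
]


def evaluate(resource: dict, policies=POLICIES):
    """Return (allowed, violations) for one resource. violations is a list of
    (policy, action, message); only Enforce violations flip allowed to False."""
    allowed, violations = True, []
    for pol in policies:
        if resource.get("kind") not in pol["kinds"]:
            continue
        if not matches(pol["pattern"], resource):
            violations.append((pol["name"], pol["action"], pol["message"]))
            if pol["action"] == "Enforce":
                allowed = False
    return allowed, violations


# Constructed sample Pods (not from a real cluster).
_LIMITS = {"limits": {"cpu": "500m", "memory": "128Mi"}}
GOOD_POD = {"kind": "Pod", "metadata": {"name": "web", "labels": {"app": "web"}},
            "spec": {"containers": [{"name": "web", "resources": _LIMITS}]}}
EMPTY_LABEL_POD = {"kind": "Pod", "metadata": {"name": "x", "labels": {"app": ""}},
                   "spec": {"containers": [{"name": "x", "resources": _LIMITS}]}}
NO_MEMORY_POD = {"kind": "Pod", "metadata": {"name": "batch", "labels": {"app": "batch"}},
                 "spec": {"containers": [
                     {"name": "main", "resources": _LIMITS},
                     {"name": "sidecar", "resources": {"limits": {"cpu": "250m"}}}]}}

if __name__ == "__main__":
    for pod in (GOOD_POD, EMPTY_LABEL_POD, NO_MEMORY_POD):
        print(pod["metadata"]["name"], evaluate(pod))
```

Two things the run makes visible: an empty `app: ""` label is rejected (`?*` needs at least one character), and a Pod whose sidecar lacks a memory limit fails `require-limits` even though its main container is fine, because the list pattern is applied to every container. In Audit mode that second case is recorded but admitted, which is exactly what the policy reports in the audit workflow surface.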
## Gatekeeper (OPA)

### Detect Installation

```python
gatekeeper_detect_tool()
```

### List Constraints

```python
gatekeeper_constraints_list_tool()
gatekeeper_constrainttemplates_list_tool()
```

### Get Constraint Details

```python
gatekeeper_constraint_get_tool(
    kind="K8sRequiredLabels",
    name="require-app-label"
)
gatekeeper_constrainttemplate_get_tool(name="k8srequiredlabels")
```
### Common Gatekeeper Policies

```python
kubectl_apply(manifest="""
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("Missing labels: %v", [missing])
        }
""")
```

```python
kubectl_apply(manifest="""
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    labels: ["app", "env"]
""")
```
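The Rego rule in the ConstraintTemplate above is a set difference: the label keys the object carries versus the list the constraint passes in `parameters.labels`. The following added example (written for this page, not Gatekeeper's code) renders that rule and the constraint's `match.kinds` selector in Python, so the template logic can be checked against AdmissionReview-style requests offline. The request shape `{"kind": {"group", "kind"}, "object": {...}}` and the sample requests are constructed; the core API group is the empty string, as in the manifest.

```python
# Added example (not Gatekeeper's code): the ConstraintTemplate's Rego rule and
# the constraint's match/parameters rendered in Python.

CONSTRAINT = {  # same content as the K8sRequiredLabels constraint above
    "match": {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}]},
    "parameters": {"labels": ["app", "env"]},
}


def kind_matches(match: dict, api_group: str, kind: str) -> bool:
    """Does spec.match.kinds select this apiGroup/kind? A "*" entry matches
    anything; the core API group is the empty string."""
    for entry in match.get("kinds", []):
        groups = entry.get("apiGroups", ["*"])
        kinds = entry.get("kinds", ["*"])
        if ("*" in groups or api_group in groups) and ("*" in kinds or kind in kinds):
            return True
    return False


def violations(review_object: dict, parameters: dict) -> list:
    """Python equivalent of the Rego `violation` rule: required labels minus the
    label keys present on the object; one message when the difference is non-empty."""
    metadata = review_object.get("metadata") or {}
    provided = set(metadata.get("labels") or {})   # label keys on the object
    required = set(parameters["labels"])            # input.parameters.labels
    missing = sorted(required - provided)
    return [f"Missing labels: {missing}"] if missing else []


def review(request: dict, constraint: dict = CONSTRAINT) -> list:
    """Apply one constraint to a constructed AdmissionReview-style request:
    {"kind": {"group": ..., "kind": ...}, "object": {...}}."""
    if not kind_matches(constraint["match"], request["kind"]["group"], request["kind"]["kind"]):
        return []  # the constraint does not target this resource at all
    return violations(request["object"], constraint["parameters"])


# Constructed sample requests (not real cluster traffic).
LABELLED_POD = {"kind": {"group": "", "kind": "Pod"},
                "object": {"metadata": {"name": "web",
                                        "labels": {"app": "web", "env": "prod"}}}}
HALF_LABELLED_POD = {"kind": {"group": "", "kind": "Pod"},
                     "object": {"metadata": {"name": "web", "labels": {"app": "web"}}}}
UNLABELLED_DEPLOYMENT = {"kind": {"group": "apps", "kind": "Deployment"},
                         "object": {"metadata": {"name": "web"}}}

if __name__ == "__main__":
    for name, req in [("pod ok", LABELLED_POD),
                      ("pod missing env", HALF_LABELLED_POD),
                      ("deployment", UNLABELLED_DEPLOYMENT)]:
        print(name, review(req))
```

The Deployment case is the caveat worth keeping in mind when reviewing a constraint: because `match.kinds` lists only `Pod` in the core group, the Deployment object itself is admitted untouched, and the missing-label violation only appears later, when its ReplicaSet tries to create Pods. If you want the author of the Deployment to see the rejection, the constraint has to match the workload kinds as well.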
## Policy Audit Workflow

```python
kyverno_detect_tool()
kyverno_clusterpolicies_list_tool()
kyverno_clusterpolicyreports_list_tool()
```
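The last step of the workflow returns ClusterPolicyReports, and the audit question is usually "which resources fail which policy, and can this policy move from Audit to Enforce yet?" (priority rule 2). The added example below (written for this page, not part of kubectl-mcp-server) answers that over a constructed report in the `wgpolicyk8s.io/v1alpha2` shape Kyverno writes, with `results[]` entries carrying `policy`, `rule`, `result` and `resources[]`; the report contents and resource names are made up.

```python
from collections import Counter, defaultdict

# Added example (not kubectl-mcp-server code): a constructed ClusterPolicyReport
# in the wgpolicyk8s.io/v1alpha2 shape that Kyverno writes, plus helpers for the
# questions an audit actually asks. All names and counts are made up.
SAMPLE_REPORT = {
    "apiVersion": "wgpolicyk8s.io/v1alpha2",
    "kind": "ClusterPolicyReport",
    "metadata": {"name": "clusterpolicyreport-sample"},
    "summary": {"pass": 2, "fail": 2, "warn": 0, "error": 0, "skip": 0},
    "results": [
        {"policy": "require-labels", "rule": "require-app-label", "result": "pass",
         "resources": [{"kind": "Pod", "namespace": "default", "name": "web-1"}]},
        {"policy": "require-labels", "rule": "require-app-label", "result": "fail",
         "message": "Label 'app' is required",
         "resources": [{"kind": "Pod", "namespace": "default", "name": "debug-shell"}]},
        {"policy": "require-limits", "rule": "require-cpu-memory", "result": "fail",
         "message": "CPU and memory limits required",
         "resources": [{"kind": "Pod", "namespace": "batch", "name": "cron-1"}]},
        {"policy": "require-limits", "rule": "require-cpu-memory", "result": "pass",
         "resources": [{"kind": "Pod", "namespace": "default", "name": "web-1"}]},
    ],
}

RESULT_KINDS = ("pass", "fail", "warn", "error", "skip")


def failures_by_policy(report: dict) -> dict:
    """Map policy name -> list of failing resources as "namespace/Kind/name"."""
    out = defaultdict(list)
    for r in report.get("results", []):
        if r.get("result") != "fail":
            continue
        for res in r.get("resources", []):
            out[r["policy"]].append(f"{res.get('namespace', '')}/{res['kind']}/{res['name']}")
    return dict(out)


def summary_consistent(report: dict) -> bool:
    """Recount the results and compare with the summary block; a stale or
    hand-edited report disagrees, which is worth catching before trusting it."""
    counted = Counter(r.get("result") for r in report.get("results", []))
    summary = report.get("summary", {})
    return all(summary.get(k, 0) == counted.get(k, 0) for k in RESULT_KINDS)


def ready_to_enforce(report: dict, policy: str) -> bool:
    """Priority rule 2 as a check: move validationFailureAction from Audit to
    Enforce only when a consistent audit report shows no failures for the policy."""
    return summary_consistent(report) and not failures_by_policy(report).get(policy)


if __name__ == "__main__":
    for policy, failing in failures_by_policy(SAMPLE_REPORT).items():
        print(f"{policy}: {len(failing)} failing -> {failing}")
    print("summary consistent:", summary_consistent(SAMPLE_REPORT))
    print("require-labels ready to enforce:", ready_to_enforce(SAMPLE_REPORT, "require-labels"))
```

In practice you would feed the report returned by `kyverno_clusterpolicyreports_list_tool()` into `failures_by_policy` and clear the listed resources (or scope the rule with `exclude`) before flipping the policy to Enforce; `summary_consistent` is a cheap sanity check that the report you are reading actually describes its own results.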
## Prerequisites

- Kyverno: required for the Kyverno tools

  ```bash
  kubectl create -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
  ```

- Gatekeeper: required for the Gatekeeper tools

  ```bash
  kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
  ```

## Related Skills

- k8s-security - RBAC and security
- k8s-operations - Apply policies