Agent skill

security

Master Kubernetes security, RBAC, network policies, pod security, and compliance. Learn to secure clusters and enforce access control.

View SKILL.md on GitHub Repository
Stars 1
Forks 0

Install this agent skill to your Project

npx add-skill https://github.com/pluginagentmarketplace/custom-plugin-kubernetes/tree/main/skills/security

SKILL.md

Kubernetes Security

Executive Summary

Production-grade Kubernetes security covering defense-in-depth strategies from authentication to runtime protection. This skill provides deep expertise in implementing zero-trust security models, compliance frameworks, and production-hardened configurations for SOC2, PCI-DSS, and HIPAA requirements.

Core Competencies

1. RBAC Architecture

RBAC Hierarchy

User / ServiceAccount / Group
           ↓
    RoleBinding / ClusterRoleBinding
           ↓
    Role / ClusterRole
           ↓
    Rules (apiGroups, resources, verbs)

Production RBAC

yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-server
  namespace: production
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: api-server-role
  namespace: production
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
  resourceNames: ["api-config"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
  resourceNames: ["api-secrets"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: api-server-binding
  namespace: production
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: api-server-role
subjects:
- kind: ServiceAccount
  name: api-server
  namespace: production

2. Pod Security Standards

Restricted Security Context

yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-app
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10000
    runAsGroup: 10000
    fsGroup: 10000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myregistry.io/app:v1.0.0@sha256:abc123
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: tmp
    emptyDir: {}

Namespace Enforcement

yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/audit: restricted

3. Policy Enforcement

Kyverno Policy

yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
spec:
  validationFailureAction: Enforce
  rules:
  - name: run-as-non-root
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Containers must run as non-root"
      pattern:
        spec:
          containers:
          - securityContext:
              runAsNonRoot: true

OPA Gatekeeper

yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package k8srequiredlabels
      violation[{"msg": msg}] {
        provided := {l | input.review.object.metadata.labels[l]}
        required := {l | l := input.parameters.labels[_]}
        missing := required - provided
        count(missing) > 0
        msg := sprintf("Missing labels: %v", [missing])
      }

4. Secret Management

External Secrets Operator

yaml
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: db-credentials
  data:
  - secretKey: password
    remoteRef:
      key: production/database
      property: password

5. Supply Chain Security

Image Signing with Cosign

bash
# Sign image
cosign sign --yes \
  --oidc-issuer=https://token.actions.githubusercontent.com \
  myregistry.io/app:v1.0.0

# Verify in admission
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signature
spec:
  validationFailureAction: Enforce
  rules:
  - name: verify-signature
    match:
      resources:
        kinds:
        - Pod
    verifyImages:
    - imageReferences:
      - "myregistry.io/*"
      attestors:
      - entries:
        - keyless:
            issuer: "https://token.actions.githubusercontent.com"

Integration Patterns

Uses skill: cluster-admin

  • Audit logging configuration
  • Node security hardening

Coordinates with skill: storage-networking

  • Network policy enforcement
  • Secret encryption

Works with skill: monitoring

  • Security event alerting
  • Compliance dashboards

Troubleshooting Guide

Decision Tree: Access Issues

Access Denied?
│
├── RBAC issue
│   ├── kubectl auth can-i <verb> <resource> --as=<user>
│   ├── Check RoleBindings
│   └── Verify subject matches
│
├── PSS violation
│   ├── Check namespace labels
│   └── Fix securityContext
│
└── Policy blocked
    ├── Check Kyverno/Gatekeeper logs
    └── Review policy rules

Debug Commands

bash
# RBAC debugging
kubectl auth can-i --list --as=system:serviceaccount:prod:myapp
kubectl get rolebindings,clusterrolebindings -A -o wide

# PSS testing
kubectl label ns test pod-security.kubernetes.io/enforce=restricted --dry-run=server

# Policy status
kubectl get constraints -A
kubectl get clusterpolicies

Common Challenges & Solutions

Challenge Solution
RBAC sprawl Regular audits, automation
Secret rotation External Secrets Operator
Policy exceptions Document, time-limit
Compliance gaps CIS Benchmark scanning

Success Criteria

Metric Target
RBAC least privilege 100%
PSS restricted All prod namespaces
Network policy coverage 100%
Image signing 100% production

Resources

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

pluginagentmarketplace/custom-plugin-kubernetes

gitops

Master GitOps practices, CI/CD integration, Helm charts, Kustomize, and ArgoCD. Learn modern deployment patterns and infrastructure as code.

1 0
Explore
pluginagentmarketplace/custom-plugin-kubernetes

deployments

Master Kubernetes Deployments, StatefulSets, DaemonSets, and workload orchestration. Learn deployment patterns and container orchestration strategies.

1 0
Explore
pluginagentmarketplace/custom-plugin-kubernetes

cluster-admin

Master Kubernetes cluster administration, from initial setup through production management. Learn cluster installation, scaling, upgrades, and HA strategies.

1 0
Explore
pluginagentmarketplace/custom-plugin-kubernetes

troubleshooting

Kubernetes debugging, problem diagnosis, and issue resolution

1 0
Explore
pluginagentmarketplace/custom-plugin-kubernetes

helm

Helm package management, chart development, and release management

1 0
Explore
pluginagentmarketplace/custom-plugin-kubernetes

multi-cluster

Multi-cluster Kubernetes management, federation, and hybrid deployments

1 0
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results