PluginBench
Skill
Pass
Audit score 90

k8s-security-policies

wshobson/agents

Implement NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards for production Kubernetes security.

What is k8s-security-policies?

This skill provides comprehensive guidance for securing Kubernetes clusters through defense-in-depth policies including network segmentation, pod security standards, and role-based access control. Use it when implementing cluster security, enforcing compliance, or configuring multi-tenant isolation.

  • Configure Pod Security Standards (Privileged, Baseline, Restricted) at namespace level
  • Implement NetworkPolicies for ingress/egress traffic control and network segmentation
  • Set up RBAC with Roles, ClusterRoles, and RoleBindings for least-privilege access
  • Define Pod Security Contexts to restrict container capabilities and enforce non-root execution
  • Deploy OPA Gatekeeper policies for admission control and policy enforcement
  • Configure Istio PeerAuthentication and AuthorizationPolicy for service mesh security

How to install k8s-security-policies

npx skills add https://github.com/wshobson/agents --skill k8s-security-policies
Prerequisites
  • Kubernetes cluster (1.23+)
  • kubectl configured to access cluster
  • CNI plugin that supports NetworkPolicy (Calico, Cilium, etc.)
  • Optional: OPA Gatekeeper or Kyverno for admission control
  • Optional: Istio service mesh for advanced security policies
Claude Code
Cursor
Windsurf
Cline

How to use k8s-security-policies

  1. 1.Choose appropriate Pod Security Standard level (Privileged/Baseline/Restricted) for each namespace
  2. 2.Apply namespace labels to enforce Pod Security Standards
  3. 3.Create default-deny NetworkPolicy to block all traffic by default
  4. 4.Define allow rules for required pod-to-pod communication
  5. 5.Configure RBAC Roles and RoleBindings following least-privilege principle
  6. 6.Implement Pod Security Contexts in pod specs to restrict capabilities
  7. 7.Deploy OPA Gatekeeper ConstraintTemplates and Constraints for policy enforcement
  8. 8.Enable audit logging to monitor security policy violations

Use cases

Good for
  • Implement network isolation between frontend and backend services in production
  • Enforce pod security standards across namespaces for compliance requirements
  • Configure least-privilege RBAC for service accounts and users
  • Set up default-deny network policies and selectively allow required traffic
  • Deploy OPA Gatekeeper constraints to require labels on Deployments
Who it's for
  • Kubernetes cluster administrators
  • DevOps engineers securing production clusters
  • Platform engineers implementing multi-tenant clusters
  • Security engineers enforcing compliance frameworks
  • SREs implementing defense-in-depth security

k8s-security-policies FAQ

What's the difference between Pod Security Standards and PodSecurityPolicy?

Pod Security Standards (PSS) are the modern replacement for deprecated PodSecurityPolicy. PSS uses namespace labels to enforce security levels, while PSP was a cluster resource. PSS is simpler to manage and is the recommended approach for Kubernetes 1.25+.

Do I need a CNI plugin for NetworkPolicy to work?

Yes, NetworkPolicy requires a CNI plugin that supports it. Common options include Calico, Cilium, and Weave. Without a supporting CNI, NetworkPolicy resources are created but have no effect.

How do I test if my RBAC configuration is correct?

Use kubectl auth can-i to check permissions: kubectl auth can-i list pods --as system:serviceaccount:default:my-sa. This shows whether a specific service account can perform an action.

Should I use Istio AuthorizationPolicy or Kubernetes NetworkPolicy?

NetworkPolicy operates at layer 3-4 (IP/port), while Istio AuthorizationPolicy operates at layer 7 (application). Use NetworkPolicy for basic network segmentation; use Istio for fine-grained application-level access control.

What happens if I apply conflicting NetworkPolicies?

NetworkPolicies are additive—if any policy allows traffic, it flows. If you want to block traffic, you must ensure no allow rule matches. Start with default-deny and explicitly allow required traffic.

Full instructions (SKILL.md)

Source of truth, from wshobson/agents.


name: k8s-security-policies description: Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

Kubernetes Security Policies

Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.

Purpose

Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.

When to Use This Skill

  • Implement network segmentation
  • Configure pod security standards
  • Set up RBAC for least-privilege access
  • Create security policies for compliance
  • Implement admission control
  • Secure multi-tenant clusters

Pod Security Standards

1. Privileged (Unrestricted)

apiVersion: v1
kind: Namespace
metadata:
  name: privileged-ns
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged

2. Baseline (Minimally restrictive)

apiVersion: v1
kind: Namespace
metadata:
  name: baseline-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline

3. Restricted (Most restrictive)

apiVersion: v1
kind: Namespace
metadata:
  name: restricted-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Network Policies

Default Deny All

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

Allow Frontend to Backend

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080

Allow DNS

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - protocol: UDP
          port: 53

Reference: See assets/network-policy-template.yaml

RBAC Configuration

Role (Namespace-scoped)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]

ClusterRole (Cluster-wide)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: default
    namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Reference: See references/rbac-patterns.md

Pod Security Context

Restricted Pod

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: myapp:1.0
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL

Policy Enforcement with OPA Gatekeeper

ConstraintTemplate

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing required labels: %v", [missing])
        }

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    labels: ["app", "environment"]

Service Mesh Security (Istio)

PeerAuthentication (mTLS)

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT

AuthorizationPolicy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/production/sa/frontend"]

Best Practices

  1. Implement Pod Security Standards at namespace level
  2. Use Network Policies for network segmentation
  3. Apply least-privilege RBAC for all service accounts
  4. Enable admission control (OPA Gatekeeper/Kyverno)
  5. Run containers as non-root
  6. Use read-only root filesystem
  7. Drop all capabilities unless needed
  8. Implement resource quotas and limit ranges
  9. Enable audit logging for security events
  10. Regular security scanning of images

Compliance Frameworks

CIS Kubernetes Benchmark

  • Use RBAC authorization
  • Enable audit logging
  • Use Pod Security Standards
  • Configure network policies
  • Implement secrets encryption at rest
  • Enable node authentication

NIST Cybersecurity Framework

  • Implement defense in depth
  • Use network segmentation
  • Configure security monitoring
  • Implement access controls
  • Enable logging and monitoring

Troubleshooting

NetworkPolicy not working:

# Check if CNI supports NetworkPolicy
kubectl get nodes -o wide
kubectl describe networkpolicy <name>

RBAC permission denied:

# Check effective permissions
kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa

Related Skills

  • k8s-manifest-generator - For creating secure manifests
  • gitops-workflow - For automated policy deployment