kubernetes-security
$
npx mdskill add notque/vexjoy-agent/kubernetes-securityEnforce Kubernetes security through RBAC, pod policies, and network isolation.
- Hardens clusters by managing roles, permissions, and supply chain controls.
- Integrates with Kyverno, OPA, cosign, and secret management tools.
- Loads reference patterns when keywords like RBAC or network policy appear.
- Delivers hardened configurations and security recommendations directly to users.
SKILL.md
.github/skills/kubernetes-securityView on GitHub ↗
---
name: kubernetes-security
description: "Kubernetes security: RBAC, PodSecurity, network policies."
user-invocable: false
context: fork
agent: kubernetes-helm-engineer
routing:
triggers:
- "kubernetes security"
- "k8s RBAC"
- "RBAC setup"
- "pod security policy"
- "network policy"
category: kubernetes
pairs_with:
- kubernetes-debugging
- cobalt-core
---
# Kubernetes Security Skill
Harden Kubernetes clusters and workloads through RBAC, pod security, network isolation, secret management, and supply chain controls.
## Reference Loading Table
| Signal | Reference | Size |
|--------|-----------|------|
| RBAC, Role, RoleBinding, ClusterRole, ServiceAccount, least-privilege, access control, permissions | `references/rbac-patterns.md` | ~60 lines |
| PodSecurity, SecurityContext, runAsNonRoot, readOnlyRootFilesystem, restricted, baseline, image hardening, distroless, Dockerfile | `references/pod-security.md` | ~90 lines |
| NetworkPolicy, default-deny, allow-list, egress, ingress, DNS, lateral movement, namespace isolation | `references/network-policies.md` | ~70 lines |
| cosign, Kyverno, OPA, admission controller, Sealed Secrets, External Secrets, supply chain, misconfiguration, privileged | `references/supply-chain.md` | ~120 lines |
**Load greedily.** If the user's question touches any signal keyword, load the matching reference before responding. Multiple signals matching = load all matching references.
---
## Phase 1: IDENTIFY
Determine which security domain the user is asking about.
| Domain | Reference |
|--------|-----------|
| Access control, permissions, roles | `references/rbac-patterns.md` |
| Pod hardening, container security | `references/pod-security.md` |
| Network isolation, traffic rules | `references/network-policies.md` |
| Image signing, secrets, admission control | `references/supply-chain.md` |
If the question spans multiple domains, load all relevant references. Most production hardening tasks touch at least RBAC + pod security.
**Gate**: Domain identified. Reference(s) loaded. Proceed to Phase 2.
---
## Phase 2: RESPOND
Use loaded reference knowledge to answer with concrete YAML manifests and specific configurations. The references contain complete, copy-paste-ready examples for each security domain.
For general Kubernetes debugging, pair with the `kubernetes-debugging` skill.
**Gate**: Question answered with reference-backed manifests, not generic advice.
---
## Phase 3: VERIFY
Validate the security posture against the misconfiguration table in `references/supply-chain.md`. Flag any of the 8 common misconfigurations if present in the user's manifests.
---
## References
- [Kubernetes Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- [Kubernetes Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
- [Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
- [External Secrets Operator](https://external-secrets.io/)
- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
- [Cosign](https://docs.sigstore.dev/cosign/overview/)
- [Kyverno](https://kyverno.io/)