Build Your Cloud Security Skill

# Build Your Cloud Security Skill

In January 2024, a major cryptocurrency exchange lost $230 million because an attacker exploited misconfigured Kubernetes RBAC—a service account with cluster-admin privileges was exposed through a debugging pod left running in production. The attacker didn't break encryption or exploit zero-days. They walked through a door that should have been locked.

Your Task API is running in Kubernetes. Before learning how to protect it—configuring RBAC, isolating network traffic, enforcing Pod Security Standards—you will **own** a cloud-security skill that generates secure configurations from day one.

This skill becomes a component of your sellable Digital FTE portfolio. By the end of this chapter, you will have a production-tested skill that implements defense-in-depth security for any Kubernetes workload.

---

## Step 1: Get the Skills Lab

1. Go to [github.com/panaversity/claude-code-skills-lab](https://github.com/panaversity/claude-code-skills-lab)
2. Click the green **Code** button
3. Select **Download ZIP**
4. Extract the ZIP file
5. Open the extracted folder in your terminal

```bash
cd claude-code-skills-lab
claude
```

**Output:**

```
Claude Code v1.0.0
Type your message or ? for help

>
```

---

## Step 2: Write Your LEARNING-SPEC.md

Before asking Claude to build your skill, define what you want to learn. Create a file named `LEARNING-SPEC.md`:

```markdown
# Cloud Security Learning Specification

## What
A skill for securing Kubernetes workloads using:
- RBAC (Roles, RoleBindings, ServiceAccounts)
- NetworkPolicies (default deny, explicit allow)
- Pod Security Standards (PSS enforcement)
- Secrets management (External Secrets Operator patterns)
- Image scanning (Trivy integration)
- Dapr security (mTLS, component scopes)

## Why
Production AI agents handle sensitive data and make autonomous decisions.
A single misconfiguration—an overprivileged service account, missing
network isolation, a container running as root—can expose the entire
cluster. The 4C security model (Cloud, Cluster, Container, Code)
provides defense-in-depth.

## Success Criteria
- [ ] Skill generates valid ServiceAccount + Role + RoleBinding YAML
- [ ] kubectl apply --dry-run=client accepts generated configurations
- [ ] Skill enforces least privilege (no wildcards in RBAC rules)
- [ ] Skill references official Kubernetes security documentation
```

**Output:**

```
LEARNING-SPEC.md created (892 bytes)
```

This specification tells Claude exactly what you need and how you will measure success.

---

## Step 3: Fetch Official Documentation

Ask Claude to gather the authoritative source material:

```
Using your Context7 skill, fetch the official Kubernetes security
documentation. I need to understand RBAC (Roles, ClusterRoles,
RoleBindings), NetworkPolicy, and Pod Security Standards.
```

Claude will retrieve documentation from the official Kubernetes project, giving your skill accurate, up-to-date patterns rather than hallucinated configurations.

**Output:**

```
Fetching Kubernetes security documentation via Context7...

Retrieved:
- RBAC authorization patterns
- NetworkPolicy specification
- Pod Security Standards (Privileged, Baseline, Restricted)
- Secrets management best practices
- Security context configuration

Documentation ready for skill creation.
```

---

## Step 4: Create Your Skill

Now prompt Claude to build the skill using the fetched documentation:

```
Using your skill creator skill, create a new skill for Kubernetes security.
I will use it to secure Python/FastAPI applications from dev to production.
Cover RBAC, NetworkPolicies, Pod Security Standards, secrets management,
image scanning with Trivy, and Dapr security. Use the Kubernetes security
docs you just fetched.
```

Claude will:
1. Study the fetched documentation
2. Ask clarifying questions about your security requirements
3. Create the skill with security templates and best practices

**Output:**

```
Creating cloud-security skill...

Questions:
1. Should I include patterns for External Secrets Operator?
2. What base PSS level should be the default (baseline or restricted)?
3. Do you need Dapr-specific security patterns?

[After your answers]

Skill created at .claude/skills/cloud-security/
- SKILL.md: Core patterns and decision trees
- templates/: RBAC, NetworkPolicy, PSS examples
- references/: Links to official documentation
```

Your skill appears at `.claude/skills/cloud-security/`.

---

## Step 5: Test Your Skill

Verify your new skill generates valid Kubernetes YAML:

```
Using my cloud-security skill, show me how to create a dedicated
ServiceAccount for my Task API with minimal permissions.
```

**Output:**

```yaml
# task-api-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: task-api-sa
  namespace: task-api
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: task-api-role
  namespace: task-api
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: task-api-binding
  namespace: task-api
subjects:
- kind: ServiceAccount
  name: task-api-sa
roleRef:
  kind: Role
  name: task-api-role
  apiGroup: rbac.authorization.k8s.io
```

Save the output and validate:

```bash
kubectl apply --dry-run=client -f task-api-rbac.yaml
```

**Output:**

```
serviceaccount/task-api-sa created (dry run)
role.rbac.authorization.k8s.io/task-api-role created (dry run)
rolebinding.rbac.authorization.k8s.io/task-api-binding created (dry run)
```

If dry-run succeeds, your skill generates valid RBAC configurations following least privilege principles. Notice that the Role specifies only `configmaps` with `get` and `list` verbs—no wildcards, no cluster-wide access.

---

## Done

You now own a cloud-security skill built from official Kubernetes security documentation. The rest of this chapter teaches you what it knows—and how to make it better.

**Next: Lesson 1 — The 4C Security Model**

---

## Try With AI

Now that you have a working skill, test its gap identification capabilities.

**Prompt 1:**

```
Using my cloud-security skill, show me how to create a dedicated
ServiceAccount for my Task API with minimal permissions.
```

**What you're learning:** How your skill generates RBAC patterns following least privilege. Notice whether it avoids wildcards (*) in verbs and resources, and whether it suggests `automountServiceAccountToken: false` by default.

**Prompt 2:**

```
What's missing from this skill for production workloads?
```

**What you're learning:** Gap identification is a critical meta-skill. Your skill might be missing NetworkPolicy defaults, PSS enforcement labels, Trivy scanning integration, or Dapr component scopes. Each gap becomes a learning target for this chapter's lessons.

:::warning Security Reminder
Never test security configurations on production clusters. Always use `--dry-run=client` first, then apply to a development namespace. Security misconfigurations can expose your entire cluster.
:::