k8s-security
Audit Kubernetes RBAC, enforce policies, and manage secrets. Use for security reviews, permission audits, policy enforcement with Kyverno/Gatekeeper, and secret management.
Best use case
k8s-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Audit Kubernetes RBAC, enforce policies, and manage secrets. Use for security reviews, permission audits, policy enforcement with Kyverno/Gatekeeper, and secret management.
Teams using k8s-security should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/k8s-security/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How k8s-security Compares
| Feature / Agent | k8s-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Audit Kubernetes RBAC, enforce policies, and manage secrets. Use for security reviews, permission audits, policy enforcement with Kyverno/Gatekeeper, and secret management.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Kubernetes Security
Security auditing, RBAC management, and policy enforcement using kubectl-mcp-server tools.
## When to Apply
Use this skill when:
- User mentions: "security", "RBAC", "permissions", "policy", "audit", "secrets"
- Operations: security review, permission check, policy enforcement
- Keywords: "who can", "access control", "compliance", "vulnerable"
## Priority Rules
| Priority | Rule | Impact | Tools |
|----------|------|--------|-------|
| 1 | Check cluster-admin bindings first | CRITICAL | `get_cluster_role_bindings` |
| 2 | Audit secrets access permissions | CRITICAL | Review role rules |
| 3 | Verify network isolation | HIGH | `get_network_policies` |
| 4 | Check policy compliance | HIGH | `kyverno_*`, `gatekeeper_*` |
| 5 | Review pod security contexts | MEDIUM | `describe_pod` |
## Quick Reference
| Task | Tool | Example |
|------|------|---------|
| List roles | `get_roles` | `get_roles(namespace)` |
| Cluster roles | `get_cluster_roles` | `get_cluster_roles()` |
| Role bindings | `get_role_bindings` | `get_role_bindings(namespace)` |
| Service accounts | `get_service_accounts` | `get_service_accounts(namespace)` |
| Kyverno policies | `kyverno_clusterpolicies_list_tool` | `kyverno_clusterpolicies_list_tool()` |
## RBAC Auditing
### List Roles and Bindings
```python
get_roles(namespace)
get_cluster_roles()
get_role_bindings(namespace)
get_cluster_role_bindings()
```
### Check Service Account Permissions
```python
get_service_accounts(namespace)
```
### Common RBAC Patterns
| Pattern | Risk Level | Check |
|---------|-----------|-------|
| cluster-admin binding | Critical | `get_cluster_role_bindings()` |
| Wildcard verbs (*) | High | Review role rules |
| secrets access | High | Check get/list on secrets |
| pod/exec | High | Allows container access |
See [RBAC-PATTERNS.md](RBAC-PATTERNS.md) for detailed patterns and remediation.
## Policy Enforcement
### Kyverno Policies
```python
kyverno_policies_list_tool(namespace)
kyverno_clusterpolicies_list_tool()
kyverno_policy_get_tool(name, namespace)
```
### OPA Gatekeeper
```python
gatekeeper_constraints_list_tool()
gatekeeper_constraint_get_tool(kind, name)
gatekeeper_templates_list_tool()
```
### Common Policies to Enforce
| Policy | Purpose |
|--------|---------|
| Disallow privileged | Prevent root containers |
| Require resource limits | Prevent resource exhaustion |
| Restrict host namespaces | Isolate from node |
| Require labels | Ensure metadata |
| Allowed registries | Control image sources |
## Secret Management
### List Secrets
```python
get_secrets(namespace)
```
### Secret Best Practices
1. Use external secret managers (Vault, AWS SM)
2. Encrypt secrets at rest (EncryptionConfiguration)
3. Limit secret access via RBAC
4. Rotate secrets regularly
## Network Policies
### List Policies
```python
get_network_policies(namespace)
```
### Cilium Network Policies
```python
cilium_policies_list_tool(namespace)
cilium_policy_get_tool(name, namespace)
```
### Default Deny Template
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
```
## Security Scanning Workflow
1. **RBAC Audit**
```python
get_cluster_role_bindings()
get_roles(namespace)
```
2. **Policy Compliance**
```python
kyverno_clusterpolicies_list_tool()
gatekeeper_constraints_list_tool()
```
3. **Network Isolation**
```python
get_network_policies(namespace)
cilium_endpoints_list_tool(namespace)
```
4. **Pod Security**
```python
get_pods(namespace)
describe_pod(name, namespace)
```
## Multi-Cluster Security
Audit across clusters:
```python
get_cluster_role_bindings(context="production")
get_cluster_role_bindings(context="staging")
```
## Automated Audit Script
For comprehensive security audit, see [scripts/audit-rbac.py](scripts/audit-rbac.py).
## Related Tools
- RBAC: `get_roles`, `get_cluster_roles`, `get_role_bindings`
- Policy: `kyverno_*`, `gatekeeper_*`
- Network: `get_network_policies`, `cilium_policies_*`
- Istio: `istio_authorizationpolicies_list_tool`, `istio_peerauthentications_list_tool`
## Related Skills
- [k8s-policy](../k8s-policy/SKILL.md) - Policy management
- [k8s-cilium](../k8s-cilium/SKILL.md) - Cilium network securityRelated Skills
k8s-vind
Manage vCluster (virtual Kubernetes clusters) instances using vind. Use when creating, managing, or operating lightweight virtual clusters for development, testing, or multi-tenancy.
k8s-troubleshoot
Debug Kubernetes pods, nodes, and workloads. Use when pods are failing, containers crash, nodes are unhealthy, or users mention debugging, troubleshooting, or diagnosing Kubernetes issues.
k8s-storage
Kubernetes storage management for PVCs, storage classes, and persistent volumes. Use when provisioning storage, managing volumes, or troubleshooting storage issues.
k8s-service-mesh
Manage Istio service mesh for traffic management, security, and observability. Use for traffic shifting, canary releases, mTLS, and service mesh troubleshooting.
k8s-rollouts
Progressive delivery with Argo Rollouts and Flagger. Use when implementing canary deployments, blue-green deployments, or traffic shifting strategies.
k8s-policy
Kubernetes policy management with Kyverno and Gatekeeper. Use when enforcing security policies, validating resources, or auditing policy compliance.
k8s-operations
kubectl operations for applying, patching, deleting, and executing commands on Kubernetes resources. Use when modifying resources, running commands in pods, or managing resource lifecycle.
k8s-networking
Kubernetes networking management for services, ingresses, endpoints, and network policies. Use when configuring connectivity, load balancing, or network isolation.
k8s-multicluster
Manage multiple Kubernetes clusters, switch contexts, and perform cross-cluster operations. Use when working with multiple clusters, comparing environments, or managing cluster lifecycle.
k8s-kubevirt
Virtual machine management with KubeVirt on Kubernetes. Use when creating, managing, or troubleshooting VMs running on Kubernetes clusters.
k8s-kind
Manage kind (Kubernetes IN Docker) local clusters. Use when creating, testing, or developing with local Kubernetes clusters in Docker containers.
k8s-incident
Respond to Kubernetes incidents with runbooks and diagnostics. Use for outages, pod failures, node issues, network problems, and emergency response.