OPA pod security policies preventing privileged containers, restricting Linux capabilities, and enforcing security contexts in Kubernetes.
Enforces Kubernetes pod security by blocking privileged containers, dropping dangerous Linux capabilities, and requiring non-root execution. Use when writing OPA policies to prevent privilege escalation and container breakout attacks.
Pod security policies written in Rego prevent privilege escalation and enforce security boundaries for containerized workloads.
Capabilities Bypass Security Boundaries
Linux capabilities grant fine-grained privileges. A container with CAP_SYS_ADMIN can bypass most kernel security mechanisms. Drop all capabilities by default.
Prevent unrestricted container execution:
# Enforced by: overview.yaml
# Result: No containers can run with privileged: true
# Impact: Eliminates most container breakout vectors
Remove capabilities that grant excessive privileges:
# Enforced by: capabilities.yaml
# Result: All containers must drop CAP_SYS_ADMIN, CAP_NET_RAW
# Impact: Prevents kernel manipulation and network sniffing
Require all containers to run as non-root users:
# Enforced by: contexts.yaml
# Result: Containers must define runAsNonRoot: true and runAsUser > 0
# Impact: Prevents root-level filesystem access and privilege escalation
Prevent containers from gaining privileges after start:
# Enforced by: escalation.yaml
# Result: Containers must set allowPrivilegeEscalation: false
# Impact: Blocks setuid binaries and capability inheritance
Every pod should define security contexts at both pod and container levels:
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
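The four policies above (no privileged containers, CAP_SYS_ADMIN and CAP_NET_RAW dropped, non-root execution, no privilege escalation) implemented as one Rego module, as an added example. This is not the skill's own overview.yaml, capabilities.yaml, contexts.yaml or escalation.yaml; it assumes the policy receives a plain Kubernetes AdmissionReview, so the Pod sits under input.request.object (Gatekeeper places it under input.review.object instead). The two sample pods at the bottom are constructed for the unit tests.

```rego
package kubernetes.admission

import rego.v1

# Assumption: AdmissionReview input, Pod under input.request.object.
pod := input.request.object.spec

# Every container in the pod, init containers included.
containers contains c if {
	some c in pod.containers
}

containers contains c if {
	some c in pod.initContainers
}

# Field lookup honouring Kubernetes precedence: a container-level
# securityContext overrides the pod-level one.
effective(c, field) := v if {
	v := c.securityContext[field]
} else := v if {
	v := pod.securityContext[field]
}

# Kubernetes spells capabilities without the CAP_ prefix.
dangerous_caps := {"SYS_ADMIN", "NET_RAW"}

# A capability counts as dropped if listed explicitly or via "ALL".
dropped(c, cap) if {
	some d in c.securityContext.capabilities.drop
	d == cap
}

dropped(c, cap) if {
	"ALL" in c.securityContext.capabilities.drop
}

# Policy 1: no privileged containers.
deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q must not set privileged: true", [c.name])
}

# Policy 2: dangerous capabilities must be dropped and never added.
deny contains msg if {
	some c in containers
	some cap in dangerous_caps
	not dropped(c, cap)
	msg := sprintf("container %q must drop capability CAP_%s", [c.name, cap])
}

deny contains msg if {
	some c in containers
	some cap in c.securityContext.capabilities.add
	cap in dangerous_caps
	msg := sprintf("container %q must not add capability CAP_%s", [c.name, cap])
}

# Policy 3: run as non-root (runAsNonRoot: true, and never UID 0).
deny contains msg if {
	some c in containers
	not effective(c, "runAsNonRoot") == true
	msg := sprintf("container %q must set runAsNonRoot: true", [c.name])
}

deny contains msg if {
	some c in containers
	effective(c, "runAsUser") == 0
	msg := sprintf("container %q must not run as UID 0", [c.name])
}

# Policy 4: no privilege escalation after start.
deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("container %q must set allowPrivilegeEscalation: false", [c.name])
}

# Constructed sample inputs for `opa test`.
compliant_pod := {"request": {"object": {"spec": {
	"securityContext": {"runAsNonRoot": true, "runAsUser": 1000},
	"containers": [{
		"name": "app",
		"securityContext": {
			"allowPrivilegeEscalation": false,
			"capabilities": {"drop": ["ALL"]}
		}
	}]
}}}}

privileged_pod := {"request": {"object": {"spec": {
	"containers": [{"name": "app", "securityContext": {"privileged": true}}]
}}}}

test_compliant_pod_allowed if {
	count(deny) == 0 with input as compliant_pod
}

# privileged, SYS_ADMIN and NET_RAW not dropped, runAsNonRoot unset,
# allowPrivilegeEscalation unset: five findings expected.
test_privileged_pod_denied if {
	count(deny) == 5 with input as privileged_pod
}
```

Save the module as policy.rego and run `opa test -v policy.rego`; the `deny` set is what an admission webhook returns to the API server as the rejection reasons. Note that the capability rules deny a container that omits securityContext.capabilities entirely, which is deliberate: a missing drop list means the runtime's default capability set, NET_RAW included, stays in place.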
See examples.md for detailed code examples.
See reference.md for complete documentation.