OPA RBAC policies preventing cluster-admin privilege escalation, restricting privileged verbs, and blocking wildcard permissions.
OPA policies that prevent privilege escalation by restricting cluster-admin access, blocking dangerous RBAC verbs (escalate/bind/impersonate), and eliminating wildcard permissions. Use when creating or modifying RBAC roles to enforce least-privilege security patterns.
/plugin marketplace add adaptive-enforcement-lab/claude-skills
/plugin install enforce@ael-skills
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Files in this skill:
examples.md
reference.md
scripts/example-1.sh
scripts/example-2.sh
scripts/example-3.sh
scripts/example-4.sh
scripts/example-5.yaml
scripts/example-6.yaml
scripts/example-7.yaml
scripts/example-8.yaml
scripts/example-9.sh
scripts/example-10.sh
scripts/example-11.sh
scripts/example-12.sh
scripts/example-13.rego
scripts/example-14.sh

RBAC policies control who can perform which actions on which resources. These templates prevent privilege escalation through overly permissive roles.
Wildcards Grant Unrestricted Access
RBAC rules with resources: ["*"] or verbs: ["*"] grant access to all current and future resources or actions. Avoid wildcards except for break-glass admin roles.
Block cluster-admin except for approved break-glass accounts:
# Enforced by: cluster-admin.yaml
# Result: Only subjects in approved list can receive cluster-admin binding
# Impact: Prevents privilege escalation to cluster-admin
Prevent use of escalate, bind, impersonate:
# Enforced by: privileged-verbs.yaml
# Result: Roles cannot include escalate/bind/impersonate verbs
# Impact: Prevents users from granting themselves additional permissions
Require explicit resource and verb lists:
# Enforced by: wildcards.yaml
# Result: Roles must specify resources: ["pods"], not resources: ["*"]
# Impact: Reduces blast radius of compromised service accounts
See the full implementation guide in the source documentation.
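The three controls described above (cluster-admin restricted to approved subjects, no escalate/bind/impersonate verbs, no wildcards) written as one OPA admission policy. This is an added example, not the project's cluster-admin.yaml, privileged-verbs.yaml or wildcards.yaml. It assumes the policy is fed a Kubernetes AdmissionReview as input (input.request.kind.kind and input.request.object); the package name and the approved break-glass subject list are constructed for the example. It goes one step beyond the text by also rejecting a wildcard in apiGroups, which is just as broad as a wildcard in resources.

```rego
package kubernetes.rbac

import future.keywords.in

# Constructed example list: the only subjects allowed to receive cluster-admin.
# Replace with the cluster's real break-glass identities.
approved_cluster_admins := {"breakglass-admin@company.com"}

# Verbs that let a subject hand itself more access than it already holds.
privileged_verbs := {"escalate", "bind", "impersonate"}

# Assumed AdmissionReview input shape.
kind := input.request.kind.kind
obj := input.request.object

is_binding { kind in {"RoleBinding", "ClusterRoleBinding"} }
is_role { kind in {"Role", "ClusterRole"} }

# 1. cluster-admin may only be bound to approved break-glass subjects.
deny[msg] {
    is_binding
    obj.roleRef.kind == "ClusterRole"
    obj.roleRef.name == "cluster-admin"
    some subject in obj.subjects
    not subject.name in approved_cluster_admins
    msg := sprintf("cluster-admin may not be bound to %s %q", [subject.kind, subject.name])
}

# 2. Roles and ClusterRoles may not grant escalate, bind or impersonate.
deny[msg] {
    is_role
    some rule in obj.rules
    some verb in rule.verbs
    verb in privileged_verbs
    msg := sprintf("role %q grants privileged verb %q", [obj.metadata.name, verb])
}

# 3. Resources, verbs and apiGroups must be listed explicitly; "*" is rejected.
deny[msg] {
    is_role
    some rule in obj.rules
    some field in {"resources", "verbs", "apiGroups"}
    "*" in rule[field]
    msg := sprintf("role %q uses a wildcard in %s", [obj.metadata.name, field])
}
```

To try it locally, save an AdmissionReview JSON for a Role or binding and run `opa eval -i review.json -d policy.rego 'data.kubernetes.rbac.deny'`; an empty set means the object is admitted. Rule 1 matches subjects by name only, so an approved User name is not distinguished from a ServiceAccount of the same name; extend the set to (kind, name) pairs if both are in use.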
Grant minimum permissions required for each workload:
Resources: pods, configmaps, not *
Verbs: get, list, not *
Block RBAC manipulation verbs:
escalate - Allows creating roles with more permissions than the creator has
bind - Allows granting roles to arbitrary subjects
impersonate - Allows acting as other users without authentication
Only cluster admins should have these verbs.
Use annotations to enforce temporary access:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: temporary-debug-access
  annotations:
    rbac.expires: "2025-01-05T00:00:00Z"
subjects:
- kind: User
  name: engineer@company.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: debug-read-only
  apiGroup: rbac.authorization.k8s.io
OPA policies can validate expiration and block expired bindings.
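An OPA rule for that expiry check, added here as an example rather than taken from the skill's scripts. It reads the rbac.expires annotation from the RoleBinding above (assumed to arrive as an AdmissionReview in input) and compares it with the cluster's wall clock; a binding whose annotation is present but not RFC 3339 is also rejected, because an unparseable date would otherwise silently disable the control. The package name is an assumption.

```rego
package kubernetes.rbac.expiry

import future.keywords.in

# Annotation key as used in the RoleBinding example on this page.
expires_key := "rbac.expires"

binding_kinds := {"RoleBinding", "ClusterRoleBinding"}

# Assumed AdmissionReview input shape.
obj := input.request.object

# Deny a binding whose expiry timestamp is already in the past.
deny[msg] {
    input.request.kind.kind in binding_kinds
    expires := obj.metadata.annotations[expires_key]
    time.now_ns() > time.parse_rfc3339_ns(expires)
    msg := sprintf("binding %q expired at %s", [obj.metadata.name, expires])
}

# Deny a binding whose expiry annotation cannot be parsed as RFC 3339.
deny[msg] {
    input.request.kind.kind in binding_kinds
    expires := obj.metadata.annotations[expires_key]
    not valid_rfc3339(expires)
    msg := sprintf("binding %q has unparseable %s value %q", [obj.metadata.name, expires_key, expires])
}

# Parse failures leave the built-in undefined, so this is false for bad input.
valid_rfc3339(s) { is_number(time.parse_rfc3339_ns(s)) }
```

Admission only runs when a binding is created or updated, so a binding that expires after it was admitted stays in place until something re-evaluates it; pair this with a periodic audit (for example a scheduled job that feeds existing bindings through the same rule) to remove bindings that have since expired.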
See reference.md for additional techniques and detailed examples.
See examples.md for code examples.
See reference.md for complete documentation.