From castai-pack
Secure CAST AI API keys, RBAC configuration, and Kvisor security agent. Use when hardening CAST AI cluster access, configuring security scanning, or implementing API key rotation procedures. Trigger with phrases like "cast ai security", "cast ai api key rotation", "cast ai rbac", "cast ai kvisor", "secure cast ai".
npx claudepluginhub flight505/skill-forge --plugin castai-pack

This skill is limited to using the following tools:
Secure your CAST AI integration: API key management, RBAC least-privilege, Kvisor runtime security agent, and network policy configuration.
```bash
# Use separate keys per environment
# console.cast.ai > API > API Access Keys
# Development: Read-Only key (monitoring only)
# Staging: Full Access key with limited cluster scope
# Production: Full Access key, rotated every 90 days

# Store in secrets manager, never in code
aws secretsmanager create-secret \
  --name "castai/prod/api-key" \
  --secret-string "${CASTAI_API_KEY}"

# Rotate key procedure:
# 1. Generate new key in console
# 2. Update secrets manager
# 3. Restart CAST AI agent pods to pick up new key
# 4. Verify agent reconnects
# 5. Revoke old key in console
```
```bash
# Audit CAST AI ClusterRoles
kubectl get clusterroles -l app.kubernetes.io/managed-by=castai -o yaml

# The CAST AI agent needs these minimum permissions:
# - get/list/watch: pods, nodes, events, namespaces, replicasets
# - get: persistentvolumes, storageclasses
# The cluster controller additionally needs:
# - create/delete: nodes (for autoscaling)
# - patch: pods/eviction (for evictor)

# Check for overly broad permissions
kubectl auth can-i --list --as=system:serviceaccount:castai-agent:castai-agent
```
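One way to automate the ClusterRole audit above, as an added example that is not part of the castai-pack skill or CAST AI's own tooling: it compares a ClusterRole's rules with the minimum-permission list on this page and reports every grant beyond it. The function names and the sample role are constructed for illustration, and matching is by resource name only (API groups are ignored) because the page lists no groups.

```python
# Allowlist taken from the permission list on this page: resource -> verbs.
AGENT_ALLOWED = {
    **{r: {"get", "list", "watch"} for r in
       ("pods", "nodes", "events", "namespaces", "replicasets")},
    "persistentvolumes": {"get"},
    "storageclasses": {"get"},
}
# The cluster controller additionally needs these.
CONTROLLER_EXTRA = {"nodes": {"create", "delete"}, "pods/eviction": {"patch"}}


def allowed_for(component):
    """Merge the base allowlist with the controller extras when requested."""
    merged = {r: set(v) for r, v in AGENT_ALLOWED.items()}
    if component == "controller":
        for res, verbs in CONTROLLER_EXTRA.items():
            merged.setdefault(res, set()).update(verbs)
    return merged


def excess_permissions(cluster_role, component="agent"):
    """Return sorted (resource, verb) pairs granted beyond the allowlist."""
    allowed = allowed_for(component)
    excess = set()
    for rule in cluster_role.get("rules") or []:
        # nonResourceURLs rules carry no "resources"; report them under their URL.
        resources = rule.get("resources") or rule.get("nonResourceURLs") or []
        for res in resources:
            for verb in rule.get("verbs", []):
                # A wildcard resource or verb can never be inside the allowlist.
                if res == "*" or verb == "*" or verb not in allowed.get(res, set()):
                    excess.add((res, verb))
    return sorted(excess)


# Constructed sample, shaped like the parsed `kubectl get clusterrole <name> -o json`.
SAMPLE_ROLE = {"metadata": {"name": "castai-agent-sample"}, "rules": [
    {"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["delete"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]}

if __name__ == "__main__":
    for res, verb in excess_permissions(SAMPLE_ROLE, "agent"):
        print(f"excess: {verb} on {res}")
```

On a live cluster, pass each item of the parsed `kubectl get clusterroles ... -o json` output to `excess_permissions` and treat any non-empty result as a finding to review.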
```bash
# Kvisor scans for CVEs, misconfigurations, and runtime threats
helm upgrade --install castai-kvisor castai-helm/castai-kvisor \
  -n castai-agent \
  --set castai.apiKey="${CASTAI_API_KEY}" \
  --set castai.clusterID="${CASTAI_CLUSTER_ID}" \
  --set controller.extraArgs.image-scan-enabled=true \
  --set controller.extraArgs.kube-bench-enabled=true

# Verify Kvisor is running
kubectl get pods -n castai-agent -l app.kubernetes.io/name=castai-kvisor
```
```yaml
# Limit CAST AI agent egress to HTTPS (TCP 443) and DNS (UDP 53).
# The ipBlock stays 0.0.0.0/0 because api.cast.ai resolves dynamically,
# so this policy restricts the port, not the destination.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: castai-agent-egress
  namespace: castai-agent
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: castai-agent
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0  # api.cast.ai resolves dynamically
      ports:
        - protocol: TCP
          port: 443
    - to:  # Allow DNS
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
```
| Issue | Detection | Mitigation |
|---|---|---|
| API key in git history | `git log -S "CASTAI"` | Rotate key immediately |
| Agent has cluster-admin | `kubectl auth can-i --list` | Apply scoped ClusterRole |
| Kvisor high resource use | `kubectl top pods -n castai-agent` | Adjust scan intervals |
| Network policy blocks agent | Agent goes offline | Allow egress to 443 |
For production deployment checklist, see castai-prod-checklist.