From castai-pack
Secures CAST AI Kubernetes clusters: manages and rotates API keys, audits RBAC permissions, installs Kvisor security agent via Helm, and configures network policies.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin castai-packThis skill is limited to using the following tools:
Secure your CAST AI integration: API key management, RBAC least-privilege, Kvisor runtime security agent, and network policy configuration.
Installs CAST AI agent on Kubernetes clusters via Helm charts or Terraform with API key auth. For EKS/GKE/AKS onboarding, cost optimization, autoscaling.
Guides Kubernetes cluster security with Pod Security Standards, Network Policies, RBAC, admission controllers, and secrets management for hardened, compliant deployments.
Hardens managed Kubernetes clusters on EKS, AKS, GKE with Pod Security Standards, network policies, workload identity, RBAC scoping, image admission controls, and runtime security monitoring.
Share bugs, ideas, or general feedback.
Secure your CAST AI integration: API key management, RBAC least-privilege, Kvisor runtime security agent, and network policy configuration.
# Use separate keys per environment
# console.cast.ai > API > API Access Keys
# Development: Read-Only key (monitoring only)
# Staging: Full Access key with limited cluster scope
# Production: Full Access key, rotated every 90 days
# Store in secrets manager, never in code
aws secretsmanager create-secret \
--name "castai/prod/api-key" \
--secret-string "${CASTAI_API_KEY}"
# Rotate key procedure:
# 1. Generate new key in console
# 2. Update secrets manager
# 3. Restart CAST AI agent pods to pick up new key
# 4. Verify agent reconnects
# 5. Revoke old key in console
# Audit CAST AI ClusterRoles
kubectl get clusterroles -l app.kubernetes.io/managed-by=castai -o yaml
# The CAST AI agent needs these minimum permissions:
# - get/list/watch: pods, nodes, events, namespaces, replicasets
# - get: persistentvolumes, storageclasses
# The cluster controller additionally needs:
# - create/delete: nodes (for autoscaling)
# - patch: pods/eviction (for evictor)
# Check for overly broad permissions
kubectl auth can-i --list --as=system:serviceaccount:castai-agent:castai-agent
# Kvisor scans for CVEs, misconfigurations, and runtime threats
helm upgrade --install castai-kvisor castai-helm/castai-kvisor \
-n castai-agent \
--set castai.apiKey="${CASTAI_API_KEY}" \
--set castai.clusterID="${CASTAI_CLUSTER_ID}" \
--set controller.extraArgs.image-scan-enabled=true \
--set controller.extraArgs.kube-bench-enabled=true
# Verify Kvisor is running
kubectl get pods -n castai-agent -l app.kubernetes.io/name=castai-kvisor
# Restrict CAST AI agent egress to only api.cast.ai
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: castai-agent-egress
namespace: castai-agent
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: castai-agent
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0 # api.cast.ai resolves dynamically
ports:
- protocol: TCP
port: 443
- to: # Allow DNS
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
.gitignore| Issue | Detection | Mitigation |
|---|---|---|
| API key in git history | git log -S "CASTAI" | Rotate key immediately |
| Agent has cluster-admin | kubectl auth can-i --list | Apply scoped ClusterRole |
| Kvisor high resource use | kubectl top pods -n castai-agent | Adjust scan intervals |
| Network policy blocks agent | Agent goes offline | Allow egress to 443 |
For production deployment checklist, see castai-prod-checklist.