From kubestellar-ops
Set up and manage resource ownership tracking with OPA Gatekeeper
Install: `npx claudepluginhub kubestellar/claude-plugins --plugin kubestellar-ops`
How this skill is triggered: slash command `/kubestellar-ops:k8s-ownership`
This skill is limited to the following tools:
Summary Claude sees in its skill listing, used to decide when to auto-load this skill:
Help the user set up and manage resource ownership tracking using OPA Gatekeeper policies.
Check Gatekeeper Status
- `check_gatekeeper` to verify OPA Gatekeeper is installed

Check/Install Ownership Policy
- `get_ownership_policy_status` to see if the ownership policy exists
- `install_ownership_policy`
- `dryrun` mode for safety

Show Violations
- `list_ownership_violations` to show resources missing ownership labels

Recommend Next Steps
- `warn` mode first, then `enforce`

| Tool | Purpose |
|---|---|
| `check_gatekeeper` | Check if Gatekeeper is installed |
| `get_ownership_policy_status` | Get current policy configuration |
| `list_ownership_violations` | List resources missing labels |
| `install_ownership_policy` | Install the policy (dryrun/warn/enforce) |
| `set_ownership_policy_mode` | Change enforcement mode |
| `uninstall_ownership_policy` | Remove the policy |
| `find_resource_owners` | Check who owns existing resources |

`install_ownership_policy`:
- `labels`: Required labels (default: `["owner", "team"]`)
- `mode`: `dryrun` (default), `warn`, or `enforce`
- `exclude_namespaces`: Namespaces to skip (auto-excludes system namespaces)

Policy not installed:
Gatekeeper is installed and healthy.
Ownership policy is not configured.
Would you like to install it? I recommend starting with dryrun mode
to see which resources would be affected before enforcing.
Showing violations:
Found 47 resources missing ownership labels:
By Namespace:
- default: 12 violations
- app-prod: 23 violations
- app-staging: 12 violations
Top violations:
| Namespace | Kind | Name | Missing |
|-----------|------|------|---------|
| app-prod | Deployment | api-server | owner, team |
...
- `dryrun` mode
- `enforce` mode
- `enforce` mode will block deployments
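
The per-namespace violation summary shown above can be derived from a Gatekeeper constraint's audit status before the mode is tightened. This is an added example, not the plugin's own code: it assumes the ownership policy is a Gatekeeper constraint exposing `status.totalViolations` and `status.violations`, and the sample object, its kind and its names are constructed.

```python
import json
from collections import Counter

# Constructed sample shaped like `kubectl get <kind> <name> -o json` output for
# a Gatekeeper constraint after an audit run. Kind and names are hypothetical.
SAMPLE = json.loads("""
{"kind": "K8sRequiredLabels", "metadata": {"name": "require-ownership-labels"},
 "spec": {"enforcementAction": "dryrun"},
 "status": {"totalViolations": 47, "violations": [
   {"kind": "Deployment", "name": "api-server", "namespace": "app-prod"},
   {"kind": "Service", "name": "api-server", "namespace": "app-prod"},
   {"kind": "Deployment", "name": "web", "namespace": "app-staging"},
   {"kind": "Namespace", "name": "sandbox"}
 ]}}
""")


def summarize(constraint):
    """Group audit violations by namespace and flag a truncated list."""
    status = constraint.get("status", {})
    listed = status.get("violations") or []
    total = status.get("totalViolations", len(listed))
    # Cluster-scoped resources carry no namespace field in a violation entry.
    by_ns = Counter(v.get("namespace", "(cluster-scoped)") for v in listed)
    return {
        # Gatekeeper treats a missing enforcementAction as "deny".
        "mode": constraint.get("spec", {}).get("enforcementAction", "deny"),
        "total": total,
        # status.violations is capped by the audit's
        # --constraint-violations-limit, so the per-namespace counts are only
        # a lower bound when this is True.
        "truncated": total > len(listed),
        "by_namespace": dict(by_ns.most_common()),
    }


def safe_to_tighten(constraint, critical_namespaces):
    """True only if every violation is listed and none is in a critical namespace."""
    summary = summarize(constraint)
    hit = set(summary["by_namespace"]) & set(critical_namespaces)
    return not summary["truncated"] and not hit


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(safe_to_tighten(SAMPLE, ["app-prod"]))
```

In the sample, 47 total violations against four listed entries marks the list as truncated, so the namespace counts understate what a blocking mode would reject.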