Skill

kubernetes-security-policies

Guides Kubernetes cluster security with Pod Security Standards, Network Policies, RBAC, admission controllers, and secrets management for hardened, compliant deployments.

Kubernetes

security

devops

npx claudepluginhub nickcrew/claude-cortex

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Comprehensive guidance for implementing security policies in Kubernetes clusters, covering Pod Security Standards, Network Policies, RBAC, Security Contexts, admission control, secrets management, and runtime security for production-grade hardened deployments.

Supporting Assets

references/admission-control.mdreferences/best-practices.mdreferences/image-security.mdreferences/network-policies.mdreferences/pod-security-standards.mdreferences/rbac.mdreferences/secrets-management.mdreferences/security-contexts.md

SKILL.md

Similar Skills

k8s-security-policies

682

Implements Kubernetes security policies including NetworkPolicy for network isolation, Pod Security Standards, and RBAC for cluster security and compliance.

2 files

rmyndharis-antigravity-skills

kubernetes-security

129

Provides Kubernetes security best practices for pod security contexts, network policies, RBAC, secrets management, and resource limits. Use when securing K8s deployments.

no tools

kubernetes

k8s-security-policies

36.4k

Implements Kubernetes security policies including NetworkPolicies, Pod Security Standards, and RBAC for network segmentation, least-privilege access, and compliance.

2 files

antigravity-awesome-skills

Stats

Stars15

Forks6

Last CommitApr 23, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Kubernetes Security Policies

When to Use This Skill

Implementing Pod Security Standards (PSS/PSA) across namespaces
Designing and enforcing Network Policies for micro-segmentation
Configuring RBAC with least-privilege access control
Setting Security Contexts for container hardening
Deploying admission controllers (OPA/Gatekeeper, Kyverno)
Managing secrets and sensitive data securely
Implementing image security and vulnerability scanning
Enforcing runtime security policies and threat detection
Meeting compliance requirements (CIS, NIST, PCI-DSS, SOC2)
Conducting security audits and hardening assessments

Core Security Concepts

Pod Security Standards (PSS): Three progressive security levels enforced via Pod Security Admission (PSA):

Privileged: Unrestricted (default)
Baseline: Prevents known privilege escalations
Restricted: Pod hardening best practices (production recommended)

Network Policies: Zero-trust micro-segmentation controlling pod-to-pod and pod-to-external traffic using label selectors and namespace isolation.

RBAC (Role-Based Access Control): Least-privilege access control using ServiceAccounts, Roles, RoleBindings for namespace-scoped permissions, and ClusterRoles for cluster-wide access.

Security Contexts: Container and pod-level security settings including user/group IDs, capabilities, seccomp profiles, and filesystem restrictions.

Admission Control: Policy enforcement at API admission time using OPA Gatekeeper (Rego) or Kyverno (YAML) to validate, mutate, or reject resources.

Secrets Management: External secret storage integration (Vault, AWS Secrets Manager, Sealed Secrets) instead of native Kubernetes secrets.

Image Security: Vulnerability scanning, signature verification, digest-based immutability, and private registry authentication.

Quick Reference

Task	Load reference
Pod Security Standards (PSS/PSA)	`skills/kubernetes-security-policies/references/pod-security-standards.md`
Network Policies	`skills/kubernetes-security-policies/references/network-policies.md`
RBAC (Roles, ServiceAccounts)	`skills/kubernetes-security-policies/references/rbac.md`
Security Contexts (capabilities, seccomp)	`skills/kubernetes-security-policies/references/security-contexts.md`
Admission Control (OPA, Kyverno)	`skills/kubernetes-security-policies/references/admission-control.md`
Secrets Management (Vault, ESO)	`skills/kubernetes-security-policies/references/secrets-management.md`
Image Security (scanning, signing)	`skills/kubernetes-security-policies/references/image-security.md`
Best Practices & Compliance	`skills/kubernetes-security-policies/references/best-practices.md`

Security Implementation Workflow

Phase 1: Baseline Assessment

Audit current security posture with kube-bench or kubescape
Identify gaps against CIS Kubernetes Benchmark
Document compliance requirements (PCI-DSS, NIST, SOC2)

Phase 2: Pod Security Standards

Enable PSA audit mode on all namespaces
Identify violations using kubectl get pods -A --show-labels
Remediate workloads to meet baseline/restricted standards
Progressively enforce: dev (warn) → staging (baseline) → prod (restricted)

Phase 3: Network Segmentation

Deploy default-deny NetworkPolicy to all namespaces
Create explicit allow rules for required traffic flows
Implement database isolation policies
Add monitoring/observability exceptions

Phase 4: Access Control (RBAC)

Audit existing RBAC with kubectl auth can-i --list
Create dedicated ServiceAccounts per application
Define least-privilege Roles with specific resource/verb restrictions
Disable automountServiceAccountToken by default
Minimize ClusterRole usage

Phase 5: Admission Control

Choose policy engine: OPA Gatekeeper (Rego) or Kyverno (YAML)
Implement validation policies: require labels, resource limits, non-root
Add mutation policies: inject security contexts, sidecar containers
Enforce image policies: disallow latest tag, require signatures

Phase 6: Secrets Management

Deploy External Secrets Operator or Vault integration
Migrate native Secrets to external secret stores
Enable encryption at rest for etcd
Implement secret rotation policies

Phase 7: Image Security

Integrate vulnerability scanning in CI/CD (Trivy, Snyk)
Implement image signing with Sigstore/Cosign
Enforce signature verification via admission control
Use immutable image digests instead of tags

Phase 8: Runtime Security

Deploy Falco for runtime threat detection
Enable Kubernetes audit logging
Configure alerts for security events
Implement intrusion detection policies

Common Mistakes

Pod Security:

Running containers as root (always set runAsNonRoot: true)
Using privileged containers (avoid unless absolutely necessary)
Writable root filesystem (set readOnlyRootFilesystem: true)
Missing resource limits (required for restricted PSS)

Network Policies:

No default-deny policy (unrestricted pod-to-pod traffic)
Overly permissive egress rules (allow all external traffic)
Forgetting DNS egress (pods can't resolve names)
Missing monitoring/observability exceptions

RBAC:

Overly broad ClusterRole permissions (violates least privilege)
Sharing ServiceAccounts across applications
Using * verbs or resources in Roles
Not auditing RBAC permissions regularly

Secrets:

Committing secrets to Git repositories
Using environment variables instead of mounted files
Relying on base64 encoding as encryption
No secret rotation policy

Admission Control:

Enforcing policies without audit phase first
Blocking kube-system namespace accidentally
No policy testing in staging environment
Missing exemptions for system components

Images:

Using latest tag (not immutable, breaks reproducibility)
No vulnerability scanning in CI/CD
Unsigned images in production
Large base images (use distroless or Alpine)

Resources

Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security-standards/
Network Policies: https://kubernetes.io/docs/concepts/services-networking/network-policies/
RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
OPA Gatekeeper: https://open-policy-agent.github.io/gatekeeper/
Kyverno: https://kyverno.io/docs/
External Secrets Operator: https://external-secrets.io/
Falco Runtime Security: https://falco.org/docs/
CIS Benchmarks: https://www.cisecurity.org/benchmark/kubernetes
NSA/CISA Hardening Guide: https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF