<< All versions
Skill v1.0.1
currentAutomated scan100/100rmyndharis/antigravity-skills/k8s-security-policies
4 files
──Details
PublishedJune 8, 2026 at 02:25 AM
Content Hashsha256:859e52d9059876ec...
Git SHA4f9110cbfca4
Bump Typepatch
──Files
Files (1 file, 7.5 KB)
SKILL.md7.5 KBactive
SKILL.md · 348 lines · 7.5 KB
version: "1.0.1" name: k8s-security-policies description: Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.
Kubernetes Security Policies
Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.
Do not use this skill when
- The task is unrelated to kubernetes security policies
- You need a different domain or tool outside this scope
Instructions
- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open
resources/implementation-playbook.md.
Purpose
Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.
Use this skill when
- Implement network segmentation
- Configure pod security standards
- Set up RBAC for least-privilege access
- Create security policies for compliance
- Implement admission control
- Secure multi-tenant clusters
Pod Security Standards
1. Privileged (Unrestricted)
yaml
apiVersion: v1kind: Namespacemetadata:name: privileged-nslabels:pod-security.kubernetes.io/enforce: privilegedpod-security.kubernetes.io/audit: privilegedpod-security.kubernetes.io/warn: privileged
2. Baseline (Minimally restrictive)
yaml
apiVersion: v1kind: Namespacemetadata:name: baseline-nslabels:pod-security.kubernetes.io/enforce: baselinepod-security.kubernetes.io/audit: baselinepod-security.kubernetes.io/warn: baseline
3. Restricted (Most restrictive)
yaml
apiVersion: v1kind: Namespacemetadata:name: restricted-nslabels:pod-security.kubernetes.io/enforce: restrictedpod-security.kubernetes.io/audit: restrictedpod-security.kubernetes.io/warn: restricted
Network Policies
Default Deny All
yaml
apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata:name: default-deny-allnamespace: productionspec:podSelector: {}policyTypes:- Ingress- Egress
Allow Frontend to Backend
yaml
apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata:name: allow-frontend-to-backendnamespace: productionspec:podSelector:matchLabels:app: backendpolicyTypes:- Ingressingress:- from:- podSelector:matchLabels:app: frontendports:- protocol: TCPport: 8080
Allow DNS
yaml
apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata:name: allow-dnsnamespace: productionspec:podSelector: {}policyTypes:- Egressegress:- to:- namespaceSelector:matchLabels:name: kube-systemports:- protocol: UDPport: 53
Reference: See assets/network-policy-template.yaml
RBAC Configuration
Role (Namespace-scoped)
yaml
apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:name: pod-readernamespace: productionrules:- apiGroups: [""]resources: ["pods"]verbs: ["get", "watch", "list"]
ClusterRole (Cluster-wide)
yaml
apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:name: secret-readerrules:- apiGroups: [""]resources: ["secrets"]verbs: ["get", "watch", "list"]
RoleBinding
yaml
apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: read-podsnamespace: productionsubjects:- kind: Username: janeapiGroup: rbac.authorization.k8s.io- kind: ServiceAccountname: defaultnamespace: productionroleRef:kind: Rolename: pod-readerapiGroup: rbac.authorization.k8s.io
Reference: See references/rbac-patterns.md
Pod Security Context
Restricted Pod
yaml
apiVersion: v1kind: Podmetadata:name: secure-podspec:securityContext:runAsNonRoot: truerunAsUser: 1000fsGroup: 1000seccompProfile:type: RuntimeDefaultcontainers:- name: appimage: myapp:1.0securityContext:allowPrivilegeEscalation: falsereadOnlyRootFilesystem: truecapabilities:drop:- ALL
Policy Enforcement with OPA Gatekeeper
ConstraintTemplate
yaml
apiVersion: templates.gatekeeper.sh/v1kind: ConstraintTemplatemetadata:name: k8srequiredlabelsspec:crd:spec:names:kind: K8sRequiredLabelsvalidation:openAPIV3Schema:type: objectproperties:labels:type: arrayitems:type: stringtargets:- target: admission.k8s.gatekeeper.shrego: |package k8srequiredlabelsviolation[{"msg": msg, "details": {"missing_labels": missing}}] {provided := {label | input.review.object.metadata.labels[label]}required := {label | label := input.parameters.labels[_]}missing := required - providedcount(missing) > 0msg := sprintf("missing required labels: %v", [missing])}
Constraint
yaml
apiVersion: constraints.gatekeeper.sh/v1beta1kind: K8sRequiredLabelsmetadata:name: require-app-labelspec:match:kinds:- apiGroups: ["apps"]kinds: ["Deployment"]parameters:labels: ["app", "environment"]
Service Mesh Security (Istio)
PeerAuthentication (mTLS)
yaml
apiVersion: security.istio.io/v1beta1kind: PeerAuthenticationmetadata:name: defaultnamespace: productionspec:mtls:mode: STRICT
AuthorizationPolicy
yaml
apiVersion: security.istio.io/v1beta1kind: AuthorizationPolicymetadata:name: allow-frontendnamespace: productionspec:selector:matchLabels:app: backendaction: ALLOWrules:- from:- source:principals: ["cluster.local/ns/production/sa/frontend"]
Best Practices
- Implement Pod Security Standards at namespace level
- Use Network Policies for network segmentation
- Apply least-privilege RBAC for all service accounts
- Enable admission control (OPA Gatekeeper/Kyverno)
- Run containers as non-root
- Use read-only root filesystem
- Drop all capabilities unless needed
- Implement resource quotas and limit ranges
- Enable audit logging for security events
- Regular security scanning of images
Compliance Frameworks
CIS Kubernetes Benchmark
- Use RBAC authorization
- Enable audit logging
- Use Pod Security Standards
- Configure network policies
- Implement secrets encryption at rest
- Enable node authentication
NIST Cybersecurity Framework
- Implement defense in depth
- Use network segmentation
- Configure security monitoring
- Implement access controls
- Enable logging and monitoring
Troubleshooting
NetworkPolicy not working:
bash
# Check if CNI supports NetworkPolicykubectl get nodes -o widekubectl describe networkpolicy <name>
RBAC permission denied:
bash
# Check effective permissionskubectl auth can-i list pods --as system:serviceaccount:default:my-sakubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa
Reference Files
assets/network-policy-template.yaml- Network policy examplesassets/pod-security-template.yaml- Pod security policiesreferences/rbac-patterns.md- RBAC configuration patterns
Related Skills
k8s-manifest-generator- For creating secure manifestsgitops-workflow- For automated policy deployment