{"id":"1eb3b298-0cd7-49da-8d01-28b455ef972e","shortId":"8WdUDj","kind":"skill","title":"k8s-security-policies","tagline":"Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.","description":"# Kubernetes Security Policies\n\nComprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.\n\n## Do not use this skill when\n\n- The task is unrelated to kubernetes security policies\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, open `resources/implementation-playbook.md`.\n\n## Purpose\n\nImplement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.\n\n## Use this skill when\n\n- Implement network segmentation\n- Configure pod security standards\n- Set up RBAC for least-privilege access\n- Create security policies for compliance\n- Implement admission control\n- Secure multi-tenant clusters\n\n## Pod Security Standards\n\n### 1. Privileged (Unrestricted)\n```yaml\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: privileged-ns\n  labels:\n    pod-security.kubernetes.io/enforce: privileged\n    pod-security.kubernetes.io/audit: privileged\n    pod-security.kubernetes.io/warn: privileged\n```\n\n### 2. Baseline (Minimally restrictive)\n```yaml\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: baseline-ns\n  labels:\n    pod-security.kubernetes.io/enforce: baseline\n    pod-security.kubernetes.io/audit: baseline\n    pod-security.kubernetes.io/warn: baseline\n```\n\n### 3. 
Restricted (Most restrictive)\n```yaml\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: restricted-ns\n  labels:\n    pod-security.kubernetes.io/enforce: restricted\n    pod-security.kubernetes.io/audit: restricted\n    pod-security.kubernetes.io/warn: restricted\n```\n\n## Network Policies\n\n### Default Deny All\n```yaml\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: default-deny-all\n  namespace: production\nspec:\n  podSelector: {}\n  policyTypes:\n  - Ingress\n  - Egress\n```\n\n### Allow Frontend to Backend\n```yaml\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: allow-frontend-to-backend\n  namespace: production\nspec:\n  podSelector:\n    matchLabels:\n      app: backend\n  policyTypes:\n  - Ingress\n  ingress:\n  - from:\n    - podSelector:\n        matchLabels:\n          app: frontend\n    ports:\n    - protocol: TCP\n      port: 8080\n```\n\n### Allow DNS\n```yaml\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: allow-dns\n  namespace: production\nspec:\n  podSelector: {}\n  policyTypes:\n  - Egress\n  egress:\n  - to:\n    - namespaceSelector:\n        matchLabels:\n          name: kube-system\n    ports:\n    - protocol: UDP\n      port: 53\n```\n\n**Reference:** See `assets/network-policy-template.yaml`\n\n## RBAC Configuration\n\n### Role (Namespace-scoped)\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n  name: pod-reader\n  namespace: production\nrules:\n- apiGroups: [\"\"]\n  resources: [\"pods\"]\n  verbs: [\"get\", \"watch\", \"list\"]\n```\n\n### ClusterRole (Cluster-wide)\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: secret-reader\nrules:\n- apiGroups: [\"\"]\n  resources: [\"secrets\"]\n  verbs: [\"get\", \"watch\", \"list\"]\n```\n\n### RoleBinding\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n  name: read-pods\n  namespace: production\nsubjects:\n- 
kind: User\n  name: jane\n  apiGroup: rbac.authorization.k8s.io\n- kind: ServiceAccount\n  name: default\n  namespace: production\nroleRef:\n  kind: Role\n  name: pod-reader\n  apiGroup: rbac.authorization.k8s.io\n```\n\n**Reference:** See `references/rbac-patterns.md`\n\n## Pod Security Context\n\n### Restricted Pod\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n  name: secure-pod\nspec:\n  securityContext:\n    runAsNonRoot: true\n    runAsUser: 1000\n    fsGroup: 1000\n    seccompProfile:\n      type: RuntimeDefault\n  containers:\n  - name: app\n    image: myapp:1.0\n    securityContext:\n      allowPrivilegeEscalation: false\n      readOnlyRootFilesystem: true\n      capabilities:\n        drop:\n        - ALL\n```\n\n## Policy Enforcement with OPA Gatekeeper\n\n### ConstraintTemplate\n```yaml\napiVersion: templates.gatekeeper.sh/v1\nkind: ConstraintTemplate\nmetadata:\n  name: k8srequiredlabels\nspec:\n  crd:\n    spec:\n      names:\n        kind: K8sRequiredLabels\n      validation:\n        openAPIV3Schema:\n          type: object\n          properties:\n            labels:\n              type: array\n              items:\n                type: string\n  targets:\n    - target: admission.k8s.gatekeeper.sh\n      rego: |\n        package k8srequiredlabels\n        violation[{\"msg\": msg, \"details\": {\"missing_labels\": missing}}] {\n          provided := {label | input.review.object.metadata.labels[label]}\n          required := {label | label := input.parameters.labels[_]}\n          missing := required - provided\n          count(missing) > 0\n          msg := sprintf(\"missing required labels: %v\", [missing])\n        }\n```\n\n### Constraint\n```yaml\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sRequiredLabels\nmetadata:\n  name: require-app-label\nspec:\n  match:\n    kinds:\n      - apiGroups: [\"apps\"]\n        kinds: [\"Deployment\"]\n  parameters:\n    labels: [\"app\", \"environment\"]\n```\n\n## Service Mesh Security 
(Istio)\n\n### PeerAuthentication (mTLS)\n```yaml\napiVersion: security.istio.io/v1beta1\nkind: PeerAuthentication\nmetadata:\n  name: default\n  namespace: production\nspec:\n  mtls:\n    mode: STRICT\n```\n\n### AuthorizationPolicy\n```yaml\napiVersion: security.istio.io/v1beta1\nkind: AuthorizationPolicy\nmetadata:\n  name: allow-frontend\n  namespace: production\nspec:\n  selector:\n    matchLabels:\n      app: backend\n  action: ALLOW\n  rules:\n  - from:\n    - source:\n        principals: [\"cluster.local/ns/production/sa/frontend\"]\n```\n\n## Best Practices\n\n1. **Implement Pod Security Standards** at namespace level\n2. **Use Network Policies** for network segmentation\n3. **Apply least-privilege RBAC** for all service accounts\n4. **Enable admission control** (OPA Gatekeeper/Kyverno)\n5. **Run containers as non-root**\n6. **Use read-only root filesystem**\n7. **Drop all capabilities** unless needed\n8. **Implement resource quotas** and limit ranges\n9. **Enable audit logging** for security events\n10. 
**Regular security scanning** of images\n\n## Compliance Frameworks\n\n### CIS Kubernetes Benchmark\n- Use RBAC authorization\n- Enable audit logging\n- Use Pod Security Standards\n- Configure network policies\n- Implement secrets encryption at rest\n- Enable node authentication\n\n### NIST Cybersecurity Framework\n- Implement defense in depth\n- Use network segmentation\n- Configure security monitoring\n- Implement access controls\n- Enable logging and monitoring\n\n## Troubleshooting\n\n**NetworkPolicy not working:**\n```bash\n# Check if CNI supports NetworkPolicy\nkubectl get nodes -o wide\nkubectl describe networkpolicy <name>\n```\n\n**RBAC permission denied:**\n```bash\n# Check effective permissions\nkubectl auth can-i list pods --as system:serviceaccount:default:my-sa\nkubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa\n```\n\n## Reference Files\n\n- `assets/network-policy-template.yaml` - Network policy examples\n- `assets/pod-security-template.yaml` - Pod security policies\n- `references/rbac-patterns.md` - RBAC configuration patterns\n\n## Related Skills\n\n- `k8s-manifest-generator` - For creating secure manifests\n- `gitops-workflow` - For automated policy deployment\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are 
missing.","tags":["k8s","security","policies","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding"],"capabilities":["skill","source-sickn33","skill-k8s-security-policies","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/k8s-security-policies","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34726 github stars · SKILL.md body (7,706 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-23T12:51:07.723Z","embedding":null,"createdAt":"2026-04-18T21:39:31.967Z","updatedAt":"2026-04-23T12:51:07.723Z","lastSeenAt":"2026-04-23T12:51:07.723Z","prices":[{"id":"e014ea8b-73a5-47f6-aae3-fe2c405c93a2","listingId":"1eb3b298-0cd7-49da-8d01-28b455ef972e","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:39:31.967Z"}],"sources":[{"listingId":"1eb3b298-0cd7-49da-8d01-28b455ef972e","source":"github","sourceId":"sickn33/antigravity-awesome-skills/k8s-security-policies","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/k8s-security-policies","isPrimary":false,"firstSeenAt":"2026-04-18T21:39:31.967Z","lastSeenAt":"2026-04-23T12:51:07.723Z"}],"details":{"listingId":"1eb3b298-0cd7-49da-8d01-28b455ef972e","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"k8s-security-policies","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34726,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-23T06:41:03Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. 
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"1a5334d8584cd8029ffcb3120a62aebc9d16f1a1","skill_md_path":"skills/k8s-security-policies/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/k8s-security-policies"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"k8s-security-policies","description":"Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/k8s-security-policies"},"updatedAt":"2026-04-23T12:51:07.723Z"}}