How does this skill help with NetworkPolicies?

It provides ready-to-use templates for implementing a default-deny-all security posture and defining specific ingress/egress rules for frontend, backend, and DNS traffic.

Does it include Policy-as-Code support?

Yes, it features configuration templates for OPA Gatekeeper (ConstraintTemplates) and Istio AuthorizationPolicies to automate security enforcement.

How do I troubleshoot policy issues with this skill?

The skill includes specific troubleshooting commands for checking CNI support for NetworkPolicies and verifying effective RBAC permissions using 'kubectl auth can-i'.

Can I use this for RBAC management?

Yes, it includes standardized patterns for Roles, ClusterRoles, and RoleBindings to ensure both human users and ServiceAccounts operate with least-privilege access.

Does it support modern Pod Security Standards?

Yes, the skill covers the implementation of the Pod Security Admission controller, including Privileged, Baseline, and Restricted profile labels for namespaces.

Kubernetes Security Policies

Name: Kubernetes Security Policies
Author: HermeticOrmus

byHermeticOrmus

보안 및 테스팅

Implement defense-in-depth Kubernetes security through network policies, RBAC configurations, and pod security standards.

소개

This skill provides comprehensive guidance and production-grade templates for securing Kubernetes clusters across multiple layers. It empowers developers and DevOps engineers to implement robust security using NetworkPolicies for traffic isolation, RBAC for least-privilege access, and Pod Security Standards to enforce runtime restrictions. Whether you are configuring multi-tenant environments, preparing for compliance audits like CIS Benchmarks, or hardening service mesh communications with Istio and OPA Gatekeeper, this skill offers the implementation patterns and troubleshooting steps necessary for a secure container orchestration environment.

주요 기능

0 GitHub stars
Policy enforcement configuration using OPA Gatekeeper and Istio service mesh
Granular NetworkPolicy templates for default-deny and service-to-service isolation
Hardened Pod Security Contexts for non-root execution and read-only filesystems
Least-privilege RBAC patterns for users, groups, and service accounts
Implementation of Kubernetes Pod Security Standards (Privileged, Baseline, Restricted)

사용 사례

Hardening production clusters to meet CIS Kubernetes Benchmark compliance
Implementing network segmentation and isolation in multi-tenant environments
Configuring admission control to prevent insecure pod deployments

소개

주요 기능

0 GitHub stars
Policy enforcement configuration using OPA Gatekeeper and Istio service mesh
Granular NetworkPolicy templates for default-deny and service-to-service isolation
Hardened Pod Security Contexts for non-root execution and read-only filesystems
Least-privilege RBAC patterns for users, groups, and service accounts
Implementation of Kubernetes Pod Security Standards (Privileged, Baseline, Restricted)

사용 사례

Hardening production clusters to meet CIS Kubernetes Benchmark compliance
Implementing network segmentation and isolation in multi-tenant environments
Configuring admission control to prevent insecure pod deployments