How does this skill help with NetworkPolicies?

It provides ready-to-use templates for implementing a default-deny-all security posture and defining specific ingress/egress rules for frontend, backend, and DNS traffic.

Does it include Policy-as-Code support?

Yes, it features configuration templates for OPA Gatekeeper (ConstraintTemplates) and Istio AuthorizationPolicies to automate security enforcement.

How do I troubleshoot policy issues with this skill?

The skill includes specific troubleshooting commands for checking CNI support for NetworkPolicies and verifying effective RBAC permissions using 'kubectl auth can-i'.

Can I use this for RBAC management?

Yes, it includes standardized patterns for Roles, ClusterRoles, and RoleBindings to ensure both human users and ServiceAccounts operate with least-privilege access.

Does it support modern Pod Security Standards?

Yes, the skill covers the implementation of the Pod Security Admission controller, including Privileged, Baseline, and Restricted profile labels for namespaces.

Kubernetes Security Policies

Name: Kubernetes Security Policies
Author: HermeticOrmus

byHermeticOrmus

Security & Testing

Implement defense-in-depth Kubernetes security through network policies, RBAC configurations, and pod security standards.

About

This skill provides comprehensive guidance and production-grade templates for securing Kubernetes clusters across multiple layers. It empowers developers and DevOps engineers to implement robust security using NetworkPolicies for traffic isolation, RBAC for least-privilege access, and Pod Security Standards to enforce runtime restrictions. Whether you are configuring multi-tenant environments, preparing for compliance audits like CIS Benchmarks, or hardening service mesh communications with Istio and OPA Gatekeeper, this skill offers the implementation patterns and troubleshooting steps necessary for a secure container orchestration environment.

Key Features

0 GitHub stars
Policy enforcement configuration using OPA Gatekeeper and Istio service mesh
Granular NetworkPolicy templates for default-deny and service-to-service isolation
Hardened Pod Security Contexts for non-root execution and read-only filesystems
Least-privilege RBAC patterns for users, groups, and service accounts
Implementation of Kubernetes Pod Security Standards (Privileged, Baseline, Restricted)

Use Cases

Hardening production clusters to meet CIS Kubernetes Benchmark compliance
Implementing network segmentation and isolation in multi-tenant environments
Configuring admission control to prevent insecure pod deployments

About

Key Features

0 GitHub stars
Policy enforcement configuration using OPA Gatekeeper and Istio service mesh
Granular NetworkPolicy templates for default-deny and service-to-service isolation
Hardened Pod Security Contexts for non-root execution and read-only filesystems
Least-privilege RBAC patterns for users, groups, and service accounts
Implementation of Kubernetes Pod Security Standards (Privileged, Baseline, Restricted)

Use Cases

Hardening production clusters to meet CIS Kubernetes Benchmark compliance
Implementing network segmentation and isolation in multi-tenant environments
Configuring admission control to prevent insecure pod deployments