How do I troubleshoot policy issues?

The skill includes troubleshooting commands for checking CNI support for NetworkPolicies and verifying RBAC permissions using the 'kubectl auth can-i' command.

Does this skill cover Service Mesh security?

Yes, it includes configuration examples for Istio PeerAuthentication (mTLS) and AuthorizationPolicies for service-to-service security.

Does it help with compliance audits?

Yes, the configurations and best practices are aligned with CIS Kubernetes Benchmarks and the NIST Cybersecurity Framework to help you meet audit requirements.

Can I use this for multi-tenant cluster security?

Absolutely. It provides specific patterns for network isolation, default-deny policies, and namespace-scoped RBAC to ensure secure multi-tenancy.

Kubernetes Security Policies

Name: Kubernetes Security Policies
Author: HermeticOrmus

byHermeticOrmus

Security & Testing

Implements defense-in-depth security for Kubernetes clusters using NetworkPolicies, Pod Security Standards, and fine-grained RBAC.

About

This skill provides a comprehensive framework for securing Kubernetes environments by enforcing least-privilege access and network isolation. It guides developers and DevOps engineers through implementing Pod Security Standards (Privileged, Baseline, and Restricted), configuring robust NetworkPolicies for traffic control, and managing RBAC for granular permissions. Additionally, it covers advanced security measures including OPA Gatekeeper for policy enforcement and Istio for service mesh security, ensuring clusters meet industry-standard compliance benchmarks like CIS and NIST.

Key Features

Policy enforcement patterns using OPA Gatekeeper and ConstraintTemplates
Default-deny and application-specific NetworkPolicy configuration for traffic isolation
Service Mesh security integration including mTLS and AuthorizationPolicies via Istio
0 GitHub stars
Granular RBAC management for users, groups, and service accounts
Implementation of Kubernetes Pod Security Standards at the namespace level

Use Cases

Securing multi-tenant clusters through network isolation and namespace-level security standards
Achieving compliance with CIS Kubernetes Benchmarks and NIST cybersecurity frameworks
Implementing zero-trust architecture within a cluster using service mesh and strict access controls

About

Key Features

Policy enforcement patterns using OPA Gatekeeper and ConstraintTemplates
Default-deny and application-specific NetworkPolicy configuration for traffic isolation
Service Mesh security integration including mTLS and AuthorizationPolicies via Istio
0 GitHub stars
Granular RBAC management for users, groups, and service accounts
Implementation of Kubernetes Pod Security Standards at the namespace level

Use Cases

Securing multi-tenant clusters through network isolation and namespace-level security standards
Achieving compliance with CIS Kubernetes Benchmarks and NIST cybersecurity frameworks
Implementing zero-trust architecture within a cluster using service mesh and strict access controls