k8s-security / SKILL.md

# Kubernetes Security
Security auditing, RBAC management, and policy enforcement using kubectl-mcp-server tools.
## When to Apply
Use this skill when:
- User mentions: "security", "RBAC", "permissions", "policy", "audit", "secrets"
- Operations: security review, permission check, policy enforcement
- Keywords: "who can", "access control", "compliance", "vulnerable"
## Priority Rules
| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Check cluster-admin bindings first | CRITICAL | get_cluster_role_bindings |
| 2 | Audit secrets access permissions | CRITICAL | Review role rules |
| 3 | Verify network isolation | HIGH | get_network_policies |
| 4 | Check policy compliance | HIGH | kyverno_*, gatekeeper_* |
| 5 | Review pod security contexts | MEDIUM | describe_pod |
## Quick Reference

| Task | Tool | Example |
|---|---|---|
| List roles | get_roles | `get_roles(namespace)` |
| Cluster roles | get_cluster_roles | `get_cluster_roles()` |
| Role bindings | get_role_bindings | `get_role_bindings(namespace)` |
| Service accounts | get_service_accounts | `get_service_accounts(namespace)` |
| Kyverno policies | kyverno_clusterpolicies_list_tool | `kyverno_clusterpolicies_list_tool()` |
## RBAC Auditing

### List Roles and Bindings

```
get_roles(namespace)
get_cluster_roles()
get_role_bindings(namespace)
get_cluster_role_bindings()
```

### Check Service Account Permissions

```
get_service_accounts(namespace)
```

### Common RBAC Patterns
| Pattern | Risk Level | Check |
|---|---|---|
| cluster-admin binding | Critical | get_cluster_role_bindings() |
| Wildcard verbs (*) | High | Review role rules |
| secrets access | High | Check get/list on secrets |
| pod/exec | High | Allows container access |
See RBAC-PATTERNS.md for detailed patterns and remediation.
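As an added example (not the skill's own tooling and not its scripts/audit-rbac.py), the Python below flags the four patterns from the table above over raw Kubernetes RBAC objects. The roles and bindings are constructed samples, and the input shape assumed is the Kubernetes API JSON (as `kubectl get ... -o json` returns it), not the output format of the get_* MCP tools.

```python
# Constructed sample objects in the Kubernetes API shape of `kubectl get clusterroles,clusterrolebindings -o json`.
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "pod-debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"metadata": {"name": "cm-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "ci-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"metadata": {"name": "dev-secrets"}, "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"metadata": {"name": "dev-exec"}, "roleRef": {"kind": "ClusterRole", "name": "pod-debugger"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "dev-cm"}, "roleRef": {"kind": "ClusterRole", "name": "cm-viewer"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]
RISK_ORDER = {"Critical": 0, "High": 1}


def rule_findings(rule: dict) -> list:
    """Map one PolicyRule to the (pattern, risk) pairs from the table above."""
    verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
    found = []
    if "*" in verbs:
        found.append(("wildcard verbs", "High"))
    if resources & {"secrets", "*"} and verbs & {"get", "list", "*"}:
        found.append(("secrets access", "High"))
    if resources & {"pods/exec", "*"}:
        found.append(("pod/exec", "High"))
    return found


def audit_bindings(roles: list, bindings: list) -> list:
    """Join each binding to its role; one finding per subject and pattern, Critical first."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for b in bindings:
        ref = b["roleRef"]["name"]
        if ref == "cluster-admin":  # the binding itself is the Critical finding; skip rule review
            patterns = [("cluster-admin binding", "Critical")]
        else:
            patterns = [p for rule in by_name.get(ref, {}).get("rules", []) for p in rule_findings(rule)]
        for s in b.get("subjects", []):
            subject = f"{s['kind']}:{s['namespace'] + '/' if 'namespace' in s else ''}{s['name']}"
            for pattern, risk in dict.fromkeys(patterns):  # dedupe while keeping order
                findings.append({"binding": b["metadata"]["name"], "subject": subject, "pattern": pattern, "risk": risk})
    return sorted(findings, key=lambda f: RISK_ORDER[f["risk"]])
```

Feed it the `items` arrays from the real API objects and the `dev-cm`-style bindings (read on configmaps only) produce no finding, while the cluster-admin binding sorts to the top.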
## Policy Enforcement

### Kyverno Policies

```
kyverno_policies_list_tool(namespace)
kyverno_clusterpolicies_list_tool()
kyverno_policy_get_tool(name, namespace)
```

### OPA Gatekeeper

```
gatekeeper_constraints_list_tool()
gatekeeper_constraint_get_tool(kind, name)
gatekeeper_templates_list_tool()
```

### Common Policies to Enforce
| Policy | Purpose |
|---|---|
| Disallow privileged | Prevent root containers |
| Require resource limits | Prevent resource exhaustion |
| Restrict host namespaces | Isolate from node |
| Require labels | Ensure metadata |
| Allowed registries | Control image sources |
## Secret Management

### List Secrets

```
get_secrets(namespace)
```

### Secret Best Practices

- Use external secret managers (Vault, AWS Secrets Manager)
- Encrypt secrets at rest (EncryptionConfiguration)
- Limit secret access via RBAC
- Rotate secrets regularly
## Network Policies

### List Policies

```
get_network_policies(namespace)
```

### Cilium Network Policies

```
cilium_policies_list_tool(namespace)
cilium_policy_get_tool(name, namespace)
```

### Default Deny Template

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```
## Security Scanning Workflow

- RBAC Audit: `get_cluster_role_bindings()`, `get_roles(namespace)`
- Policy Compliance: `kyverno_clusterpolicies_list_tool()`, `gatekeeper_constraints_list_tool()`
- Network Isolation: `get_network_policies(namespace)`, `cilium_endpoints_list_tool(namespace)`
- Pod Security: `get_pods(namespace)`, `describe_pod(name, namespace)`
## Multi-Cluster Security

Audit across clusters:

```
get_cluster_role_bindings(context="production")
get_cluster_role_bindings(context="staging")
```
## Automated Audit Script
For comprehensive security audit, see scripts/audit-rbac.py.
## Related Tools

- RBAC: `get_roles`, `get_cluster_roles`, `get_role_bindings`
- Policy: `kyverno_*`, `gatekeeper_*`
- Network: `get_network_policies`, `cilium_policies_*`
- Istio: `istio_authorizationpolicies_list_tool`, `istio_peerauthentications_list_tool`

## Related Skills
- k8s-policy - Policy management
- k8s-cilium - Cilium network security
Repository: rohitg00/kubect…p-server (GitHub). First seen: Feb 7, 2026.