owasp-kubernetes-top-10
OWASP Kubernetes Top 10
This skill encodes the OWASP Kubernetes Top 10 for secure cluster and workload design and review. References are loaded per risk. Based on OWASP Kubernetes Top 10 2022.
When to Read Which Reference
| Risk | Read |
|---|---|
| K01 Insecure Workload Configurations | references/k01-insecure-workload-configurations.md |
| K02 Supply Chain Vulnerabilities | references/k02-supply-chain-vulnerabilities.md |
| K03 Overly Permissive RBAC | references/k03-permissive-rbac.md |
| K04 Lack of Centralized Policy Enforcement | references/k04-policy-enforcement.md |
| K05 Inadequate Logging and Monitoring | references/k05-logging-monitoring.md |
| K06 Broken Authentication Mechanisms | references/k06-broken-authentication.md |
| K07 Missing Network Segmentation | references/k07-network-segmentation.md |
| K08 Secrets Management Failures | references/k08-secrets-management.md |
| K09 Misconfigured Cluster Components | references/k09-misconfigured-cluster-components.md |
| K10 Outdated and Vulnerable Components | references/k10-vulnerable-components.md |
Quick Patterns
- Run workloads as non-root with read-only filesystem where possible; use image signing and supply chain controls. Apply least-privilege RBAC and network policies; centralize policy (e.g. OPA); secure secrets and audit logging.
Quick Reference / Examples
| Task | Approach |
|---|---|
| Harden pod | Non-root, read-only rootfs, drop capabilities. See K01. |
| Secure images | Sign images, scan for CVEs, use trusted registries. See K02. |
| Limit RBAC | Least privilege, no cluster-admin for workloads. See K03. |
| Network policies | Default deny, explicit allow per namespace. See K07. |
| Manage secrets | Use external secrets manager or encrypted secrets. See K08. |
Safe - hardened SecurityContext:
```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
```
Unsafe - privileged container:
```yaml
securityContext:
  privileged: true # NEVER in production - full host access
```
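One way to check manifests against the safe and unsafe SecurityContext settings above, as an added example that is not part of the skill or of OWASP material. The function names and both sample manifests are constructed for illustration, and manifests are assumed to be already parsed into dicts (for example from `kubectl get -o json`).

```python
# Container-only fields from the hardened SecurityContext, with their required values.
REQUIRED = {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False}

def pod_spec(manifest):
    """Return the PodSpec of a Pod, or of a workload with spec.template (e.g. Deployment)."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def audit(manifest):
    """Return sorted 'container: finding' strings; an empty list means hardened."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "<unnamed>")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged is true")
        # runAsNonRoot/runAsUser may be set at pod level; a container value overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            findings.append(f"{name}: runAsUser is 0")
        # An unset field counts as a finding: the Kubernetes defaults are the unsafe values.
        for field, want in REQUIRED.items():
            if sc.get(field) is not want:
                findings.append(f"{name}: {field} is not {str(want).lower()}")
        drops = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities.drop lacks ALL")
    return sorted(findings)

# Constructed sample manifests (illustrative only).
HARDENED = {"kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [{"name": "app", "securityContext": {
        "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}]}}
RISKY = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "web", "securityContext": {"privileged": True}}]}}}}

if __name__ == "__main__":
    for label, manifest in (("hardened", HARDENED), ("risky", RISKY)):
        print(label, audit(manifest) or "OK")
```

A check like this fits in CI before manifests are applied; cluster-side enforcement still belongs in an admission policy (see K04).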
Network policy - default deny ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
```
Workflow
Load the reference for the risk you are addressing. See OWASP Kubernetes Top 10 for the official list.