authegg/kubernetes-pod-security
skills/kubernetes-pod-security/SKILL.md
Enforce Kubernetes pod and workload security best practices. Use when creating or editing Kubernetes manifests, Helm charts, or Kustomize overlays involving pods, deployments, statefulsets, daemonsets, jobs, or cronjobs. Covers Pod Security Standards (Restricted), SecurityContext hardening, RBAC least privilege, network policies, resource quotas, and admission control. Activates on keywords like "pod security", "K8s manifest", "deployment.yaml", "Helm chart", "securityContext", or "RBAC".
$ install --global
skillsauthnpx skillsauth add authegg/agent-skills kubernetes-pod-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 11:51 AM13.3s2 files scanned
SKILL.md
- name:
- kubernetes-pod-security
- description:
- Enforce Kubernetes pod and workload security best practices. Use when creating or editing Kubernetes manifests, Helm charts, or Kustomize overlays involving pods, deployments, statefulsets, daemonsets, jobs, or cronjobs. Covers Pod Security Standards (Restricted), SecurityContext hardening, RBAC least privilege, network policies, resource quotas, and admission control. Activates on keywords like "pod security", "K8s manifest", "deployment.yaml", "Helm chart", "securityContext", or "RBAC".
- allowed-tools:
- Read, Grep, Glob, Bash, Edit, Write
Kubernetes Pod Security
Enforce Kubernetes pod and workload security using Pod Security Standards (PSS), CIS Kubernetes Benchmark, and NSA/CISA Kubernetes Hardening Guide.
When to Use
- Creating or editing Kubernetes Deployments, StatefulSets, DaemonSets, Jobs, CronJobs
- Writing Helm charts or Kustomize overlays
- Configuring RBAC roles and bindings
- Setting up NetworkPolicies
- Reviewing manifests before production deployment
Pod Security Checklist — Apply to Every Workload
SecurityContext (Required on Every Pod/Container)
-
Run as non-root:
securityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 -
Read-only root filesystem:
securityContext: readOnlyRootFilesystem: true -
Drop all capabilities:
securityContext: capabilities: drop: ["ALL"] add: ["NET_BIND_SERVICE"] # Only if needed -
Disallow privilege escalation:
securityContext: allowPrivilegeEscalation: false -
Use seccomp profile:
securityContext: seccompProfile: type: RuntimeDefault
Resource Management (Required)
-
CPU and memory limits on every container:
resources: requests: cpu: "100m" memory: "128Mi" limits: cpu: "500m" memory: "512Mi" -
Never use
resources: {}or omit resources entirely.
Image Security
-
Pin images by digest:
image: nginx@sha256:abc123... -
Always set imagePullPolicy:
imagePullPolicy: Always # For mutable tags -
Use private registries with imagePullSecrets.
RBAC (Least Privilege)
- Never bind ClusterAdmin to service accounts.
- Use Role (namespaced) over ClusterRole where possible.
- Avoid wildcards in RBAC rules: No
verbs: ["*"]orresources: ["*"]. - ServiceAccount per workload — don't use the
defaultservice account:automountServiceAccountToken: false # Unless needed
Network
-
NetworkPolicy for every namespace — default deny ingress/egress, then allow explicitly:
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-all spec: podSelector: {} policyTypes: ["Ingress", "Egress"] -
No hostNetwork, hostPID, or hostIPC:
spec: hostNetwork: false hostPID: false hostIPC: false
Secrets
- Never put secrets in env vars from ConfigMaps — use Kubernetes Secrets or external secret operators.
- Never hardcode secrets in manifests — use SealedSecrets, ExternalSecrets, or Vault.
- Enable encryption at rest for etcd.
Pod Security Standards (PSS)
- Target "Restricted" profile for production namespaces:
apiVersion: v1 kind: Namespace metadata: labels: pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/warn: restricted pod-security.kubernetes.io/audit: restricted
Secure Deployment Template
apiVersion: apps/v1
kind: Deployment
metadata:
name: secure-app
spec:
replicas: 2
selector:
matchLabels:
app: secure-app
template:
metadata:
labels:
app: secure-app
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: myapp@sha256:abc123...
imagePullPolicy: Always
ports:
- containerPort: 8080
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "512Mi"
livenessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 10
periodSeconds: 15
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
volumeMounts:
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir:
sizeLimit: "100Mi"
Severity Classification
- CRITICAL: Running as root, privileged containers, hostPID/hostNetwork, wildcard RBAC
- HIGH: No SecurityContext, missing resource limits, no NetworkPolicy, default service account with token
- MEDIUM: Missing probes, no seccomp profile, mutable image tags
- LOW: Missing pod disruption budgets, no topology spread, missing labels
Related Skills
authegg/secrets-management
development
VerifiedTrustedCommunity
Enforce secrets management best practices for containers and cloud-native applications. Use when configuring environment variables, Docker secrets, Kubernetes secrets, Vault integration, AWS SSM/Secrets Manager, or any credential handling in Dockerfiles, compose files, Kubernetes manifests, or CI pipelines. Activates on keywords like "secrets", "credentials", "API key", "password", "environment variables", ".env file", "Vault", "sealed secrets", or "secret manager".
3SKILL.mdUpdated Apr 3, 2026
authegg/docker-security-hardening
development
VerifiedTrustedCommunity
Enforce Docker container security best practices during development. Use when creating or editing Dockerfiles, docker-compose files, Kubernetes manifests, or CI/CD pipelines involving containers. Covers non-root users, slim base images, multi-stage builds, CVE scanning with Trivy, secrets management, capability dropping, network isolation, SBOM generation, and production readiness gates. Activates on keywords like "Dockerfile", "docker-compose", "container security", "image hardening", "Docker deploy", or "production readiness".
3SKILL.mdUpdated Apr 3, 2026
authegg/ci-security-pipeline
development
VerifiedTrustedCommunity
Generate and enforce security scanning stages in CI/CD pipelines. Use when creating or editing GitHub Actions workflows, GitLab CI, CircleCI, Jenkins, or any CI pipeline that builds Docker images or deploys containers. Covers Dockerfile linting with Hadolint, CVE scanning with Trivy, secret detection, SBOM generation, image signing, and deployment gates. Activates on keywords like "CI pipeline", "GitHub Actions", "security scanning", "Trivy", "Hadolint", "SBOM", or "deploy gate".
3SKILL.mdUpdated Apr 3, 2026
steipete/skill-creator
testing
VerifiedTrustedCommunity
Create, edit, improve, or audit AgentSkills. Use when creating a new skill from scratch or when asked to improve, review, audit, tidy up, or clean up an existing skill or SKILL.md file. Also use when editing or restructuring a skill directory (moving files to references/ or scripts/, removing stale content, validating against the AgentSkills spec). Triggers on phrases like "create a skill", "author a skill", "tidy up a skill", "improve this skill", "review the skill", "clean up the skill", "audit the skill".
356,423SKILL.mdUpdated Apr 13, 2026