plugins/jira-orchestrator/skills/harness-platform/SKILL.md
This skill should be used when the user asks to "configure Harness delegates", "set up Harness RBAC", "manage connectors/secrets/templates", "apply OPA policy as code", or "review audit logs" — Harness platform administration and governance.
Comprehensive Harness Platform administration for delegates, RBAC, connectors, secrets, templates, OPA policies, and governance.
Account (Root)
├── Organization
│ ├── Project
│ │ ├── Pipelines, Services, Environments
│ │ ├── Connectors (project-level)
│ │ └── Secrets (project-level)
│ ├── Connectors (org-level)
│ └── Secrets (org-level)
├── Delegates
├── Secrets (account-level)
└── User Management
Types: Kubernetes (Helm, YAML), Docker, Shell, ECS
Kubernetes Helm Install:
helm repo add harness-delegate https://app.harness.io/storage/harness-download/delegate-helm-chart/
helm install harness-delegate harness-delegate/harness-delegate-ng \
--namespace harness-delegate --create-namespace \
--set accountId="${HARNESS_ACCOUNT_ID}" \
--set delegateToken="${DELEGATE_TOKEN}" \
--set delegateName="prod-delegate" \
--set replicas=2
Delegate Selectors: Route tasks to specific delegates with labels (e.g., production, aws, k8s)
Troubleshooting:
kubectl get pods -n harness-delegate
kubectl logs -n harness-delegate -l app=harness-delegate --tail=100
kubectl exec deployment/harness-delegate -n harness-delegate -- curl -s localhost:8080/api/health
Built-in Roles:
Resource Types: PIPELINE, SERVICE, ENVIRONMENT, CONNECTOR, SECRET, INFRASTRUCTURE
Custom Role Example:
role:
  name: Deployment Manager
  permissions:
    - resourceType: PIPELINE
      actions: [core_pipeline_view, core_pipeline_execute]
    - resourceType: SERVICE
      actions: [core_service_view, core_service_access]
    - resourceType: ENVIRONMENT
      actions: [core_environment_view, core_environment_access]
User Groups & Role Binding:
Cloud Connectors:
Kubernetes:
Container Registries: Docker Hub, ECR, GCR, ACR
Test Connector:
curl -X POST "https://app.harness.io/gateway/ng/api/connectors/testConnection/${CONNECTOR_ID}" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"accountIdentifier":"...", "orgIdentifier":"...", "projectIdentifier":"..."}'
Secret Managers: Harness Built-in (Google KMS), HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault
Vault Connector:
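connector:
  type: Vault
  spec:
    vaultUrl: https://vault.company.com
    basePath: harness
    # Reads the token from a Harness secret named vault_root_token. A Vault root
    # token bypasses all Vault policy; a token scoped to basePath is the safer input.
    authToken: <+secrets.getValue("vault_root_token")>
    renewalIntervalMinutes: 60
    secretEngineVersion: 2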
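A lint check for the pattern in the connector above, where `authToken` holds a secret expression rather than a literal; it also inventories the reference forms listed under Secret References. This is an added example, not part of the skill: `SENSITIVE_KEYS`, the `type: Example` connector in the sample, and the "root" name heuristic are assumptions.

```python
import re

# Harness secret expression as written on this page: <+secrets.getValue("...")>
SECRET_EXPR = re.compile(r'<\+secrets\.getValue\("([^"]+)"\)>')
KEY_VALUE = re.compile(r'^\s*(?:-\s*)?([A-Za-z_][\w-]*)\s*:\s+(.+?)\s*$')
# Assumption: field names treated as credentials; extend for your connector types.
SENSITIVE_KEYS = {"authToken", "password", "secretKey", "secretId", "apiKey"}

# Constructed sample: the page's Vault connector plus a made-up second connector.
SAMPLE = """\
connector:
  type: Vault
  spec:
    vaultUrl: https://vault.company.com
    authToken: <+secrets.getValue("vault_root_token")>
---
connector:
  type: Example
  spec:
    password: constructed-literal-value
    apiKey: <+secrets.getValue("vault://secret/data/myapp#api_key")>
    secretKey: <+secrets.getValue("awsSecretsManager://prod/database")>
"""

def manager_of(ref):
    """Secret manager implied by a reference: scheme prefix, else built-in."""
    return ref.split("://", 1)[0] if "://" in ref else "harness-builtin"

def lint(yaml_text):
    """Return (findings, inventory) for a Harness YAML document."""
    findings, inventory = [], []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.groups()
        refs = SECRET_EXPR.findall(value)
        inventory += [(manager_of(r), r) for r in refs]
        # A credential field holding anything but an expression is a literal.
        if key in SENSITIVE_KEYS and "<+" not in value:
            findings.append((lineno, key, "literal-credential"))
        # Heuristic (assumption): "root" in the name suggests an unscoped token.
        findings += [(lineno, key, "root-like-reference")
                     for r in refs if "root" in r.lower()]
    return findings, inventory

if __name__ == "__main__":
    issues, refs = lint(SAMPLE)
    for lineno, key, code in issues:
        print(f"line {lineno}: {key}: {code}")
```

The check is line-based, so it does not follow multi-line YAML scalars or anchors; run it as a pre-merge gate on connector and pipeline YAML kept in Git.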
Secret References:
<+secrets.getValue("my_secret")>
<+secrets.getValue("vault://secret/data/myapp#api_key")>
<+secrets.getValue("awsSecretsManager://prod/database")>
Types: Step, Stage, Pipeline, StepGroup (reusable across pipelines)
Step Template Example:
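template:
  name: Notify Slack
  type: Step
  spec:
    type: ShellScript
    spec:
      shell: Bash
      script: |
        # <+input> is substituted into the script text before it runs,
        # so its value must not contain a single quote
        curl -X POST "$SLACK_WEBHOOK" \
          -H 'Content-Type: application/json' \
          -d '{"text":"<+input>"}'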
Using Templates in Pipeline:
template:
  templateRef: standard_k8s_deploy
  versionLabel: "1.0.0"
  templateInputs:
    spec:
      service:
        serviceRef: my_service
      environment:
        environmentRef: production
Policy Structure (Rego):
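package pipeline

# Needed for `some ... in` on OPA versions before 1.0
import future.keywords.in

# Deny production deploys without approval
deny[msg] {
    some stage in input.pipeline.stages
    stage.stage.spec.environment.environmentRef == "production"
    not has_approval_step(input.pipeline)
    msg := "Production requires approval step"
}

# Require delegate selectors
deny[msg] {
    some stage in input.pipeline.stages
    stage.stage.spec.environment.environmentRef == "production"
    not stage.stage.spec.infrastructure.spec.delegateSelectors
    msg := "Production must specify delegate selectors"
}

# Helper the rules above call. It is not defined in the original snippet; this
# definition is an assumption: true when any stage contains an approval step.
has_approval_step(pipeline) {
    some stage in pipeline.stages
    some s in stage.stage.spec.execution.steps
    s.step.type in {"HarnessApproval", "JiraApproval"}
}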
Policy Set Configuration:
policySet:
  name: Production Governance
  policySetType: Pipeline
  policies:
    - policyRef: require_approval
      severity: error
    - policyRef: require_delegate_selectors
      severity: error
  entitySelector:
    - type: PIPELINE
      filter:
        - key: projectIdentifier
          value: production_project
Evaluation Points: On Save, On Run
Query Logs:
curl -X POST "https://app.harness.io/gateway/ng/api/audits/list" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"accountIdentifier":"...", "pageIndex":0, "pageSize":20}'
Event Types: CREATE, UPDATE, DELETE, LOGIN, PIPELINE_START, PIPELINE_END
Authentication:
# API Key
curl -H "x-api-key: ${HARNESS_API_KEY}"
# Bearer Token
curl -H "Authorization: Bearer ${TOKEN}"
Common Endpoints:
GET /ng/api/user/users
GET /ng/api/user-groups
GET /ng/api/roles
GET /ng/api/resourcegroup
GET /ng/api/connectors
GET /ng/api/v2/secrets
GET /ng/api/delegate-token-ng
GET /template/api/templates
POST /ng/api/audits/list
Create Project:
curl -X POST "https://app.harness.io/gateway/ng/api/projects" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"project":{"name":"My Project","identifier":"my_project","orgIdentifier":"default"}}'
Delegate Management:
Security:
Organization: