rohitg00/k8s-security
kubernetes-skills/claude/k8s-security/SKILL.md
Audit Kubernetes RBAC, enforce policies, and manage secrets. Use for security reviews, permission audits, policy enforcement with Kyverno/Gatekeeper, and secret management.
$ install --global
skillsauthnpx skillsauth add rohitg00/kubectl-mcp-server k8s-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 11, 2026, 10:32 PM46.6s3 files scanned
SKILL.md
- name:
- k8s-security
- description:
- Audit Kubernetes RBAC, enforce policies, and manage secrets. Use for security reviews, permission audits, policy enforcement with Kyverno/Gatekeeper, and secret management.
- license:
- Apache-2.0
- author:
- rohitg00
- version:
- 1.0.0
- tools:
- 10
- category:
- security
Kubernetes Security
Security auditing, RBAC management, and policy enforcement using kubectl-mcp-server tools.
When to Apply
Use this skill when:
- User mentions: "security", "RBAC", "permissions", "policy", "audit", "secrets"
- Operations: security review, permission check, policy enforcement
- Keywords: "who can", "access control", "compliance", "vulnerable"
Priority Rules
| Priority | Rule | Impact | Tools |
|----------|------|--------|-------|
| 1 | Check cluster-admin bindings first | CRITICAL | get_cluster_role_bindings |
| 2 | Audit secrets access permissions | CRITICAL | Review role rules |
| 3 | Verify network isolation | HIGH | get_network_policies |
| 4 | Check policy compliance | HIGH | kyverno_*, gatekeeper_* |
| 5 | Review pod security contexts | MEDIUM | describe_pod |
Quick Reference
| Task | Tool | Example |
|------|------|---------|
| List roles | get_roles | get_roles(namespace) |
| Cluster roles | get_cluster_roles | get_cluster_roles() |
| Role bindings | get_role_bindings | get_role_bindings(namespace) |
| Service accounts | get_service_accounts | get_service_accounts(namespace) |
| Kyverno policies | kyverno_clusterpolicies_list_tool | kyverno_clusterpolicies_list_tool() |
RBAC Auditing
List Roles and Bindings
get_roles(namespace)
get_cluster_roles()
get_role_bindings(namespace)
get_cluster_role_bindings()
Check Service Account Permissions
get_service_accounts(namespace)
Common RBAC Patterns
| Pattern | Risk Level | Check |
|---------|-----------|-------|
| cluster-admin binding | Critical | get_cluster_role_bindings() |
| Wildcard verbs (*) | High | Review role rules |
| secrets access | High | Check get/list on secrets |
| pod/exec | High | Allows container access |
See RBAC-PATTERNS.md for detailed patterns and remediation.
Policy Enforcement
Kyverno Policies
kyverno_policies_list_tool(namespace)
kyverno_clusterpolicies_list_tool()
kyverno_policy_get_tool(name, namespace)
OPA Gatekeeper
gatekeeper_constraints_list_tool()
gatekeeper_constraint_get_tool(kind, name)
gatekeeper_templates_list_tool()
Common Policies to Enforce
| Policy | Purpose | |--------|---------| | Disallow privileged | Prevent root containers | | Require resource limits | Prevent resource exhaustion | | Restrict host namespaces | Isolate from node | | Require labels | Ensure metadata | | Allowed registries | Control image sources |
Secret Management
List Secrets
get_secrets(namespace)
Secret Best Practices
- Use external secret managers (Vault, AWS SM)
- Encrypt secrets at rest (EncryptionConfiguration)
- Limit secret access via RBAC
- Rotate secrets regularly
Network Policies
List Policies
get_network_policies(namespace)
Cilium Network Policies
cilium_policies_list_tool(namespace)
cilium_policy_get_tool(name, namespace)
Default Deny Template
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
Security Scanning Workflow
-
RBAC Audit
get_cluster_role_bindings() get_roles(namespace) -
Policy Compliance
kyverno_clusterpolicies_list_tool() gatekeeper_constraints_list_tool() -
Network Isolation
get_network_policies(namespace) cilium_endpoints_list_tool(namespace) -
Pod Security
get_pods(namespace) describe_pod(name, namespace)
Multi-Cluster Security
Audit across clusters:
get_cluster_role_bindings(context="production")
get_cluster_role_bindings(context="staging")
Automated Audit Script
For comprehensive security audit, see scripts/audit-rbac.py.
Related Tools
- RBAC:
get_roles,get_cluster_roles,get_role_bindings - Policy:
kyverno_*,gatekeeper_* - Network:
get_network_policies,cilium_policies_* - Istio:
istio_authorizationpolicies_list_tool,istio_peerauthentications_list_tool
Related Skills
- k8s-policy - Policy management
- k8s-cilium - Cilium network security
Related Skills
rohitg00/k8s-vind
development
VerifiedTrustedCommunity
Manage vCluster (virtual Kubernetes clusters) instances using vind. Use when creating, managing, or operating lightweight virtual clusters for development, testing, or multi-tenancy.
865SKILL.mdUpdated Apr 11, 2026
rohitg00/k8s-troubleshoot
development
VerifiedTrustedCommunity
Debug Kubernetes pods, nodes, and workloads. Use when pods are failing, containers crash, nodes are unhealthy, or users mention debugging, troubleshooting, or diagnosing Kubernetes issues.
865SKILL.mdUpdated Apr 11, 2026
rohitg00/k8s-storage
devops
VerifiedTrustedCommunity
Kubernetes storage management for PVCs, storage classes, and persistent volumes. Use when provisioning storage, managing volumes, or troubleshooting storage issues.
865SKILL.mdUpdated Apr 11, 2026
rohitg00/k8s-service-mesh
testing
VerifiedTrustedCommunity
Manage Istio service mesh for traffic management, security, and observability. Use for traffic shifting, canary releases, mTLS, and service mesh troubleshooting.
865SKILL.mdUpdated Apr 11, 2026