By name: kubernetes-security description: "Kubernetes security: RBAC, PodSecurity, network policies." user-invocable: false context: fork agent: kubernetes-helm-engineer routing: triggers: - "kubernetes security" - "k8s RBAC" - "RBAC setup" - "pod security policy" - "network policy" category: kubernetes pairs_with: - kubernetes-debugging - cobalt-core
Kubernetes Security Skill
Harden Kubernetes clusters and workloads through RBAC, pod security, network isolation, secret management, and supply chain controls.
Reference Loading Table
| Signal | Reference | Size |
|---|---|---|
| RBAC, Role, RoleBinding, ClusterRole, ServiceAccount, least-privilege, access control, permissions | references/rbac-patterns.md |
~60 lines |
| PodSecurity, SecurityContext, runAsNonRoot, readOnlyRootFilesystem, restricted, baseline, image hardening, distroless, Dockerfile | references/pod-security.md |
~90 lines |
| NetworkPolicy, default-deny, allow-list, egress, ingress, DNS, lateral movement, namespace isolation | references/network-policies.md |
~70 lines |
| cosign, Kyverno, OPA, admission controller, Sealed Secrets, External Secrets, supply chain, misconfiguration, privileged | references/supply-chain.md |
~120 lines |
Load greedily. If the user's question touches any signal keyword, load the matching reference before responding. Multiple signals matching = load all matching references.
Phase 1: IDENTIFY
Determine which security domain the user is asking about.
| Domain | Reference |
|---|---|
| Access control, permissions, roles | references/rbac-patterns.md |
| Pod hardening, container security | references/pod-security.md |
| Network isolation, traffic rules | references/network-policies.md |
| Image signing, secrets, admission control | references/supply-chain.md |
If the question spans multiple domains, load all relevant references. Most production hardening tasks touch at least RBAC + pod security.
Gate: Domain identified. Reference(s) loaded. Proceed to Phase 2.
Phase 2: RESPOND
Use loaded reference knowledge to answer with concrete YAML manifests and specific configurations. The references contain complete, copy-paste-ready examples for each security domain.
For general Kubernetes debugging, pair with the kubernetes-debugging skill.
Gate: Question answered with reference-backed manifests, not generic advice.
Phase 3: VERIFY
Validate the security posture against the misconfiguration table in references/supply-chain.md. Flag any of the 8 common misconfigurations if present in the user's manifests.