playbooks

home / skills / nickcrew / claude-cortex / kubernetes-security-policies

kubernetes-security-policies skill

/skills/kubernetes-security-policies

This skill helps you implement Kubernetes security policies across pod security, network segmentation, RBAC, and runtime defenses for hardened clusters.

npx playbooks add skill nickcrew/claude-cortex --skill kubernetes-security-policies

Review the files below or copy the command above to add this skill to your agents.

Files (9)
SKILL.md
7.2 KB
---
name: kubernetes-security-policies
description: Kubernetes security policies, RBAC, and Pod Security Standards for hardened cluster deployments. Use when implementing cluster security, defining network policies, or enforcing security compliance in Kubernetes environments.
---

# Kubernetes Security Policies

Comprehensive guidance for implementing security policies in Kubernetes clusters, covering Pod Security Standards, Network Policies, RBAC, Security Contexts, admission control, secrets management, and runtime security for production-grade hardened deployments.

## When to Use This Skill

- Implementing Pod Security Standards (PSS/PSA) across namespaces
- Designing and enforcing Network Policies for micro-segmentation
- Configuring RBAC with least-privilege access control
- Setting Security Contexts for container hardening
- Deploying admission controllers (OPA/Gatekeeper, Kyverno)
- Managing secrets and sensitive data securely
- Implementing image security and vulnerability scanning
- Enforcing runtime security policies and threat detection
- Meeting compliance requirements (CIS, NIST, PCI-DSS, SOC2)
- Conducting security audits and hardening assessments

## Core Security Concepts

**Pod Security Standards (PSS):**
Three progressive security levels enforced via Pod Security Admission (PSA):
- **Privileged:** Unrestricted (default)
- **Baseline:** Prevents known privilege escalations
- **Restricted:** Pod hardening best practices (production recommended)

**Network Policies:**
Zero-trust micro-segmentation controlling pod-to-pod and pod-to-external traffic using label selectors and namespace isolation.

**RBAC (Role-Based Access Control):**
Least-privilege access control using ServiceAccounts, Roles, RoleBindings for namespace-scoped permissions, and ClusterRoles for cluster-wide access.

**Security Contexts:**
Container and pod-level security settings including user/group IDs, capabilities, seccomp profiles, and filesystem restrictions.

**Admission Control:**
Policy enforcement at API admission time using OPA Gatekeeper (Rego) or Kyverno (YAML) to validate, mutate, or reject resources.

**Secrets Management:**
External secret storage integration (Vault, AWS Secrets Manager, Sealed Secrets) instead of native Kubernetes secrets.

**Image Security:**
Vulnerability scanning, signature verification, digest-based immutability, and private registry authentication.

## Quick Reference

| Task | Load reference |
| --- | --- |
| Pod Security Standards (PSS/PSA) | `skills/kubernetes-security-policies/references/pod-security-standards.md` |
| Network Policies | `skills/kubernetes-security-policies/references/network-policies.md` |
| RBAC (Roles, ServiceAccounts) | `skills/kubernetes-security-policies/references/rbac.md` |
| Security Contexts (capabilities, seccomp) | `skills/kubernetes-security-policies/references/security-contexts.md` |
| Admission Control (OPA, Kyverno) | `skills/kubernetes-security-policies/references/admission-control.md` |
| Secrets Management (Vault, ESO) | `skills/kubernetes-security-policies/references/secrets-management.md` |
| Image Security (scanning, signing) | `skills/kubernetes-security-policies/references/image-security.md` |
| Best Practices & Compliance | `skills/kubernetes-security-policies/references/best-practices.md` |

## Security Implementation Workflow

### Phase 1: Baseline Assessment
1. Audit current security posture with kube-bench or kubescape
2. Identify gaps against CIS Kubernetes Benchmark
3. Document compliance requirements (PCI-DSS, NIST, SOC2)

### Phase 2: Pod Security Standards
1. Enable PSA audit mode on all namespaces
2. Identify violations using `kubectl get pods -A --show-labels`
3. Remediate workloads to meet baseline/restricted standards
4. Progressively enforce: dev (warn) → staging (baseline) → prod (restricted)

### Phase 3: Network Segmentation
1. Deploy default-deny NetworkPolicy to all namespaces
2. Create explicit allow rules for required traffic flows
3. Implement database isolation policies
4. Add monitoring/observability exceptions

### Phase 4: Access Control (RBAC)
1. Audit existing RBAC with `kubectl auth can-i --list`
2. Create dedicated ServiceAccounts per application
3. Define least-privilege Roles with specific resource/verb restrictions
4. Disable `automountServiceAccountToken` by default
5. Minimize ClusterRole usage

### Phase 5: Admission Control
1. Choose policy engine: OPA Gatekeeper (Rego) or Kyverno (YAML)
2. Implement validation policies: require labels, resource limits, non-root
3. Add mutation policies: inject security contexts, sidecar containers
4. Enforce image policies: disallow latest tag, require signatures

### Phase 6: Secrets Management
1. Deploy External Secrets Operator or Vault integration
2. Migrate native Secrets to external secret stores
3. Enable encryption at rest for etcd
4. Implement secret rotation policies

### Phase 7: Image Security
1. Integrate vulnerability scanning in CI/CD (Trivy, Snyk)
2. Implement image signing with Sigstore/Cosign
3. Enforce signature verification via admission control
4. Use immutable image digests instead of tags

### Phase 8: Runtime Security
1. Deploy Falco for runtime threat detection
2. Enable Kubernetes audit logging
3. Configure alerts for security events
4. Implement intrusion detection policies

## Common Mistakes

**Pod Security:**
- Running containers as root (always set `runAsNonRoot: true`)
- Using privileged containers (avoid unless absolutely necessary)
- Writable root filesystem (set `readOnlyRootFilesystem: true`)
- Missing resource limits (required for restricted PSS)

**Network Policies:**
- No default-deny policy (unrestricted pod-to-pod traffic)
- Overly permissive egress rules (allow all external traffic)
- Forgetting DNS egress (pods can't resolve names)
- Missing monitoring/observability exceptions

**RBAC:**
- Overly broad ClusterRole permissions (violates least privilege)
- Sharing ServiceAccounts across applications
- Using `*` verbs or resources in Roles
- Not auditing RBAC permissions regularly

**Secrets:**
- Committing secrets to Git repositories
- Using environment variables instead of mounted files
- Relying on base64 encoding as encryption
- No secret rotation policy

**Admission Control:**
- Enforcing policies without audit phase first
- Blocking kube-system namespace accidentally
- No policy testing in staging environment
- Missing exemptions for system components

**Images:**
- Using `latest` tag (not immutable, breaks reproducibility)
- No vulnerability scanning in CI/CD
- Unsigned images in production
- Large base images (use distroless or Alpine)

## Resources

- **Pod Security Standards:** https://kubernetes.io/docs/concepts/security/pod-security-standards/
- **Network Policies:** https://kubernetes.io/docs/concepts/services-networking/network-policies/
- **RBAC:** https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- **OPA Gatekeeper:** https://open-policy-agent.github.io/gatekeeper/
- **Kyverno:** https://kyverno.io/docs/
- **External Secrets Operator:** https://external-secrets.io/
- **Falco Runtime Security:** https://falco.org/docs/
- **CIS Benchmarks:** https://www.cisecurity.org/benchmark/kubernetes
- **NSA/CISA Hardening Guide:** https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF

Overview

This skill provides practical guidance and templates for securing Kubernetes clusters using Pod Security Standards, Network Policies, RBAC, admission controllers, secrets management, image security, and runtime detection. It is designed to help teams harden clusters, meet compliance controls, and reduce attack surface across dev, staging, and production environments. The content focuses on concrete tasks, phased implementation, and common pitfalls to avoid.

How this skill works

The skill inspects and codifies security controls into a repeatable workflow: assess current posture, apply Pod Security Admission levels, enforce network micro-segmentation, implement least-privilege RBAC, and enable admission controllers for policy enforcement. It also covers secrets migration to external stores, CI/CD image scanning and signing, and runtime monitoring with tools like Falco. Actionable examples, checklists, and references guide each phase.

When to use it

  • When hardening a new or existing Kubernetes cluster for production
  • When enforcing Pod Security Standards across namespaces
  • When designing network policies for micro-segmentation
  • When implementing least-privilege RBAC and service accounts
  • When integrating admission controllers (OPA/Gatekeeper or Kyverno)
  • When migrating secrets to external secret stores and enabling rotation

Best practices

  • Progressively enforce PSA: audit → baseline → restricted per environment
  • Deploy default-deny NetworkPolicy and add explicit allow rules
  • Use dedicated ServiceAccounts and least-privilege Roles/ClusterRoles
  • Disable automountServiceAccountToken by default and require non-root
  • Integrate image scanning and signing in CI/CD; enforce via admission
  • Store secrets externally (Vault/ESO) and enable etcd encryption

Example use cases

  • Stage rollout: enable PSA in audit mode across namespaces and remediate violations
  • Create default-deny network policies, then add explicit DB-to-app allow rules
  • Audit RBAC with kubectl auth can-i and replace broad ClusterRoles with scoped Roles
  • Add Kyverno/OPA policies to validate labels, resource limits, and non-root execution
  • Integrate Trivy in CI and require Cosign-signed images before deployment
  • Deploy Falco for runtime detection and wire alerts into your SIEM

FAQ

Which policy engine should I choose: OPA Gatekeeper or Kyverno?

Choose Kyverno for YAML-native policies and simpler mutations; choose OPA Gatekeeper for Rego-based policies and complex policy logic. Both can validate and mutate resources—pick based on team familiarity and rule complexity.

How do I start without breaking workloads?

Start with audit/warn modes, run automated checks to identify violations, remediate workloads to comply, then progressively shift enforcement from dev to staging to prod.