AgentSkillsCN

k8s-security-hardening

适用于实施 Pod 安全标准、强化集群安全配置、为零信任设置网络策略、配置密钥管理、实施准入控制策略、开展安全审计,或确保符合 CIS 基准时使用。

SKILL.md
--- frontmatter
name: k8s-security-hardening
description: Use when implementing Pod Security Standards, hardening cluster security configuration, setting up network policies for zero-trust, configuring secrets management, implementing admission control policies, conducting security audits, or ensuring CIS benchmark compliance

Kubernetes Security Hardening

Secure Kubernetes platforms including Pod Security Standards, network policies, secrets management, admission control, and compliance.

Keywords

kubernetes, security, hardening, pod security, pss, psa, network policy, rbac, secrets, encryption, audit, compliance, cis benchmark, admission control, kyverno, opa, gatekeeper, implementing, configuring, conducting, ensuring

When to Use This Skill

  • Implementing Pod Security Standards
  • Hardening cluster security configuration
  • Setting up network policies for zero-trust
  • Configuring secrets management
  • Implementing admission control policies
  • Conducting security audits
  • Ensuring CIS benchmark compliance

Related Skills

Quick Reference

TaskCommand
Check PSS violationskubectl get pods -A -o json | jq '.items[] | select(.spec.securityContext.runAsNonRoot != true)'
Audit cluster-adminkubectl get clusterrolebindings -o json | jq '.items[] | select(.roleRef.name=="cluster-admin")'
List network policieskubectl get networkpolicies -A
Run CIS benchmarkkubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml

Pod Security Standards

For detailed security context configuration, see Shared: Pod Security Context.

Namespace Enforcement

yaml
apiVersion: v1
kind: Namespace
metadata:
  name: secure-namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Profile Summary

ProfileUse CaseKey Restrictions
PrivilegedSystem/infraNone
BaselineGeneralNo privileged, no hostPath
RestrictedSecurity-sensitiveNon-root, drop caps, seccomp

Admission Control

Kyverno Policy Example

yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
spec:
  validationFailureAction: Enforce
  rules:
  - name: run-as-non-root
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Containers must run as non-root"
      pattern:
        spec:
          containers:
          - securityContext:
              runAsNonRoot: true

Image Verification

yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Enforce
  rules:
  - name: verify-signature
    match:
      any:
      - resources:
          kinds:
          - Pod
    verifyImages:
    - imageReferences:
      - "registry.company.com/*"
      attestors:
      - entries:
        - keyless:
            rekor:
              url: https://rekor.sigstore.dev

OPA Gatekeeper Constraint

yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-team-label
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Namespace"]
  parameters:
    labels:
    - key: "team"

Network Security

For detailed NetworkPolicy patterns, see Shared: Network Policies.

Zero-Trust Implementation

  1. Apply default deny all
  2. Allow DNS egress
  3. Allow specific required traffic only
  4. Audit with network policy logging

RBAC Security

For detailed RBAC patterns, see Shared: RBAC Patterns.

Audit Commands

bash
# Find cluster-admin bindings
kubectl get clusterrolebindings -o json | \
  jq '.items[] | select(.roleRef.name=="cluster-admin") | .subjects'

# Find wildcard permissions
kubectl get roles,clusterroles -A -o json | \
  jq '.items[] | select(.rules[].verbs[] | contains("*")) | .metadata.name'

# Service account permissions
kubectl auth can-i --list --as=system:serviceaccount:${NS}:${SA}

Secrets Management

External Secrets

yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  target:
    name: app-secrets
    creationPolicy: Owner
  data:
  - secretKey: password
    remoteRef:
      key: secret/data/app
      property: password

Encryption at Rest

yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - aescbc:
      keys:
      - name: key1
        secret: <base64-key>
  - identity: {}

Runtime Security

Falco Rules

yaml
- rule: Shell Spawned in Container
  desc: Detect shell spawned in container
  condition: >
    spawned_process and
    container and
    proc.name in (shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name shell=%proc.name)
  priority: WARNING
  tags: [container, shell]

Audit Policy

yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
- level: RequestResponse
  users: ["system:anonymous"]
  verbs: ["*"]
- level: RequestResponse
  resources:
  - group: "rbac.authorization.k8s.io"

Supply Chain Security

SLSA Requirements

LevelRequirements
SLSA 1Build process documented
SLSA 2Version control, hosted build
SLSA 3Verified source, isolated build
SLSA 4Two-party review, hermetic builds

Image Signing (Cosign)

bash
# Sign image
cosign sign --key cosign.key registry.example.com/app:v1.0.0

# Verify image
cosign verify --key cosign.pub registry.example.com/app:v1.0.0

Security Scanning

ToolTargetFrequency
TrivyContainer imagesEvery build
KubescapeCluster configDaily
FalcoRuntime behaviorContinuous
kube-benchCIS benchmarkWeekly
PolarisBest practicesOn change

Run kube-bench

bash
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl logs -l app=kube-bench

Security Checklist

Cluster Level

  • API server private network only
  • etcd encrypted, access restricted
  • Audit logging enabled
  • PSS enforced cluster-wide
  • Network policies default deny
  • RBAC least privilege
  • Secrets encrypted at rest

Workload Level

  • Non-root containers
  • Read-only root filesystem
  • No privilege escalation
  • Capabilities dropped
  • Resource limits set
  • Signed images only
  • No hostPath mounts

Tenant Level

  • Namespace isolation
  • Network policies enforced
  • Resource quotas applied
  • RBAC scoped to namespace
  • SA tokens disabled by default

MCP Tools

  • mcp__flux-operator-mcp__get_kubernetes_resources - Query resources
  • mcp__flux-operator-mcp__apply_kubernetes_manifest - Apply policies