AgentSkillsCN

k8s-security

Audit Kubernetes RBAC permissions, enforce policies, and manage Secrets with fine-grained control. Whether you need a security review, a permission audit, policy enforcement with Kyverno/Gatekeeper, or Secrets management, this skill has you covered.

SKILL.md
---
name: k8s-security
description: Audit Kubernetes RBAC, enforce policies, and manage secrets. Use for security reviews, permission audits, policy enforcement with Kyverno/Gatekeeper, and secret management.
---

Kubernetes Security

Security auditing, RBAC management, and policy enforcement using kubectl-mcp-server tools.

RBAC Auditing

List Roles and Bindings

```
get_roles(namespace)           # Namespace-scoped roles
get_cluster_roles()            # Cluster-wide roles
get_role_bindings(namespace)   # Namespace bindings
get_cluster_role_bindings()    # Cluster-wide bindings
```

Check Service Account Permissions

```
get_service_accounts(namespace)
# Then examine the role bindings that reference the service account
```

Common RBAC Patterns

| Pattern | Risk Level | Check |
|---|---|---|
| cluster-admin binding | Critical | get_cluster_role_bindings() |
| Wildcard verbs (*) | High | Review role rules |
| secrets access | High | Check get/list on secrets |
| pod/exec | High | Allows container access |

See RBAC-PATTERNS.md for detailed patterns and remediation.

Policy Enforcement

Kyverno Policies

```
kyverno_policies_list_tool(namespace)
kyverno_clusterpolicies_list_tool()
kyverno_policy_get_tool(name, namespace)
```

OPA Gatekeeper

```
gatekeeper_constraints_list_tool()
gatekeeper_constraint_get_tool(kind, name)
gatekeeper_templates_list_tool()
```

Common Policies to Enforce

| Policy | Purpose |
|---|---|
| Disallow privileged | Prevent root containers |
| Require resource limits | Prevent resource exhaustion |
| Restrict host namespaces | Isolate from node |
| Require labels | Ensure metadata |
| Allowed registries | Control image sources |

Secret Management

List Secrets

```
get_secrets(namespace)  # Lists names only, not values
```

Secret Best Practices

  1. Use external secret managers (Vault, AWS SM)
  2. Encrypt secrets at rest (EncryptionConfiguration)
  3. Limit secret access via RBAC
  4. Rotate secrets regularly

Network Policies

List Policies

```
get_network_policies(namespace)
```

Cilium Network Policies

```
cilium_policies_list_tool(namespace)
cilium_policy_get_tool(name, namespace)
```

Default Deny Template

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

Security Scanning Workflow

  1. RBAC Audit

     ```
     get_cluster_role_bindings()  # Find cluster-admin users
     get_roles(namespace)         # Review namespace permissions
     ```

  2. Policy Compliance

     ```
     kyverno_clusterpolicies_list_tool()  # Check policy coverage
     gatekeeper_constraints_list_tool()   # Check constraint status
     ```

  3. Network Isolation

     ```
     get_network_policies(namespace)       # Verify policies exist
     cilium_endpoints_list_tool(namespace) # Check endpoint labels
     ```

  4. Pod Security

     ```
     get_pods(namespace)
     describe_pod(name, namespace)  # Check securityContext
     ```

Multi-Cluster Security

Audit across clusters:

```
# Production cluster
get_cluster_role_bindings(context="production")

# Staging cluster
get_cluster_role_bindings(context="staging")
```

Automated Audit Script

For a comprehensive security audit, see scripts/audit-rbac.py.
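The checks from the Common RBAC Patterns table, written as a small script: this is an added example, not the project's scripts/audit-rbac.py, and it assumes bindings and roles are passed as lists of Kubernetes objects shaped like the `items` of `kubectl get clusterrolebindings,clusterroles -o json` (the sample objects below are constructed).

```python
"""Flag the risky RBAC patterns from the table above (cluster-admin binding,
wildcard verbs, secrets access, pod/exec). Added example, not scripts/audit-rbac.py."""

def rule_findings(rule):
    """Return finding labels for one PolicyRule dict (resources/verbs lists)."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    found = []
    if "*" in verbs:
        found.append("wildcard-verbs")
    # Reading secrets: get/list (or *) on secrets, or on every resource
    if resources & {"secrets", "*"} and verbs & {"get", "list", "*"}:
        found.append("secrets-read")
    # pods/exec is a subresource; create on it allows container access (see table)
    if resources & {"pods/exec", "*"} and verbs & {"create", "*"}:
        found.append("pod-exec")
    return found

def audit_rbac(bindings, roles):
    """Join each (Cluster)RoleBinding to its role; report findings per subject."""
    role_index = {(r["kind"], r["metadata"]["name"]): r for r in roles}
    report = []
    for b in bindings:
        ref = b["roleRef"]
        flags = ["cluster-admin"] if (ref["kind"], ref["name"]) == ("ClusterRole", "cluster-admin") else []
        role = role_index.get((ref["kind"], ref["name"]), {})
        for rule in role.get("rules", []):
            flags += rule_findings(rule)
        for s in b.get("subjects", []):
            report.append({"subject": f'{s["kind"]}/{s["name"]}',
                           "binding": b["metadata"]["name"],
                           "findings": sorted(set(flags))})
    return report

# Constructed sample objects shaped like the `items` of `kubectl get ... -o json`
SAMPLE_BINDINGS = [
    {"metadata": {"name": "ci-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"metadata": {"name": "dev-secrets"}, "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"metadata": {"name": "viewer"}, "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]
```

Run `audit_rbac(SAMPLE_BINDINGS, SAMPLE_ROLES)` to get one record per subject; the ci-admin binding triggers every pattern, dev-secrets only secrets-read, and viewer nothing.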

Related Tools

  • RBAC: get_roles, get_cluster_roles, get_role_bindings
  • Policy: kyverno_*, gatekeeper_*
  • Network: get_network_policies, cilium_policies_*
  • Istio: istio_authorizationpolicies_list_tool, istio_peerauthentications_list_tool