AgentSkillsCN

security

Expert in cloud-native security. Use this skill when working with authentication, authorization, RBAC, Pod security, network policies, secrets management, supply chain security, image scanning, or compliance management.

SKILL.md
---
name: security
description: >
  Cloud-native security expertise. Use when working with authentication,
  authorisation, RBAC, pod security, network policies, secrets management,
  supply chain security, image scanning, or compliance.
---

Cloud-Native Security

Container Security

  • Base images: UBI or distroless — no full OS images
  • Run as non-root: runAsNonRoot: true, runAsUser: 65532
  • Read-only filesystem: readOnlyRootFilesystem: true
  • Drop all capabilities: drop: ["ALL"], add back only what's needed
  • No privilege escalation: allowPrivilegeEscalation: false
  • Scan images in CI with trivy or grype
  • Sign images with cosign and verify signatures in admission

Secrets Management

  • Never store secrets in git, even encrypted; the one exception is Sealed Secrets, which can only be decrypted by the controller inside the target cluster
  • Use External Secrets Operator to sync from cloud provider vaults:
    • Azure: Key Vault
    • AWS: Secrets Manager or SSM Parameter Store
    • GCP: Secret Manager
  • Rotate secrets automatically where possible
  • Use workload identity (not static credentials) to access vaults

Authentication and Authorisation

  • Kubernetes: RBAC with least-privilege Roles
  • Cloud: workload identity federation — never long-lived service account keys
  • API auth: OAuth2/OIDC with short-lived tokens
  • Service-to-service: mTLS via service mesh or SPIFFE/SPIRE

Network Security

  • Default deny NetworkPolicies in every namespace
  • Allow only required ingress/egress per service
  • Use service mesh for mTLS between services
  • Egress: use egress gateways to control external access
  • DNS policies to prevent data exfiltration

Supply Chain

  • Pin image digests in production manifests, not tags
  • SBOM generation for all container images
  • Vulnerability scanning in CI and on a schedule
  • Admission policies (Kyverno or Gatekeeper) to enforce:
    • Image source allowlists
    • Signature verification
    • No latest tags
    • Security context requirements
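As an added example serving both the Container Security checklist and the admission requirements listed above (this is not code from the skill or from AgentSkillsCN), here is a small pre-deploy lint in Python that reports a Pod manifest's deviations from those rules; the `audit_pod` name, the `registry.example` images and the all-zero digest are constructed placeholders.

```python
import re
# Added example, not the skill's own code: a pre-deploy lint that applies the
# container-security and supply-chain checklist above to a Pod manifest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit_pod(pod: dict) -> list[str]:
    """Return one finding per violated checklist item; [] means compliant."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        ctx = dict(c.get("securityContext", {}))
        # runAsNonRoot/runAsUser are inherited from the pod-level context unless the
        # container overrides them; the remaining fields are container-level only.
        for key in ("runAsNonRoot", "runAsUser"):
            ctx.setdefault(key, pod_ctx.get(key))
        if not DIGEST_RE.search(image):  # rejects ":latest" and any mutable tag
            findings.append(f"{name}: image not pinned by digest: {image}")
        if ctx.get("runAsNonRoot") is not True or ctx.get("runAsUser") == 0:
            findings.append(f"{name}: set runAsNonRoot: true with a non-zero runAsUser")
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
    return findings

# Constructed sample: a typical quick-start manifest before hardening.
UNHARDENED_POD = {"kind": "Pod", "metadata": {"name": "api"}, "spec": {
    "containers": [{"name": "api", "image": "registry.example/api:latest"}]}}

# Constructed sample: the same Pod with the checklist applied (digest is a placeholder).
HARDENED_POD = {"kind": "Pod", "metadata": {"name": "api"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65532},
    "containers": [{
        "name": "api",
        "image": "registry.example/api@sha256:" + "0" * 64,
        "securityContext": {
            "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}}

if __name__ == "__main__":
    for label, pod in (("unhardened", UNHARDENED_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "OK")
```

The same checks map one-to-one onto Kyverno or Gatekeeper rules; running them in CI catches the manifest before the admission controller has to.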

Compliance

  • Pod Security Standards: enforce restricted profile
  • Audit logging enabled on API server
  • Resource tagging for cost and ownership tracking
  • Regular CIS benchmark scans (kube-bench)