Skillshub castai-security-basics

install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/jeremylongshore/claude-code-plugins-plus-skills/castai-security-basics" ~/.claude/skills/comeonoliver-skillshub-castai-security-basics && rm -rf "$T"
manifest: skills/jeremylongshore/claude-code-plugins-plus-skills/castai-security-basics/SKILL.md
source content

CAST AI Security Basics

Overview

Secure your CAST AI integration: API key management, RBAC least-privilege, Kvisor runtime security agent, and network policy configuration.

Prerequisites

  • CAST AI agent installed on cluster
  • Cluster admin access for RBAC configuration
  • Secrets manager (AWS Secrets Manager, Vault, etc.)

Instructions

Step 1: API Key Management

# Use separate keys per environment
# console.cast.ai > API > API Access Keys

# Development: Read-Only key (monitoring only)
# Staging: Full Access key with limited cluster scope
# Production: Full Access key, rotated every 90 days

# Store in secrets manager, never in code
aws secretsmanager create-secret \
  --name "castai/prod/api-key" \
  --secret-string "${CASTAI_API_KEY}"

# Rotate key procedure:
# 1. Generate new key in console
# 2. Update secrets manager
# 3. Restart CAST AI agent pods to pick up new key
# 4. Verify agent reconnects
# 5. Revoke old key in console

Step 2: RBAC Least-Privilege Review

# Audit CAST AI ClusterRoles
kubectl get clusterroles -l app.kubernetes.io/managed-by=castai -o yaml

# The CAST AI agent needs these minimum permissions:
# - get/list/watch: pods, nodes, events, namespaces, replicasets
# - get: persistentvolumes, storageclasses
# The cluster controller additionally needs:
# - create/delete: nodes (for autoscaling)
# - patch: pods/eviction (for evictor)

# Check for overly broad permissions
kubectl auth can-i --list --as=system:serviceaccount:castai-agent:castai-agent
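
The minimum-permission list above can be checked mechanically. This added example (not part of the original skill or CAST AI's own tooling) compares ClusterRole rules against that list and reports every grant beyond it. The role names and sample rules are constructed, and the baseline is the list from this page.

```python
# Baseline copied from Step 2 of this page: resource -> verbs the agent needs.
# Resources are matched by name only; apiGroups are not compared.
AGENT = {r: {"get", "list", "watch"}
         for r in ("pods", "nodes", "events", "namespaces", "replicasets")}
AGENT.update({"persistentvolumes": {"get"}, "storageclasses": {"get"}})
# Extra verbs the page lists for the cluster controller.
CONTROLLER_EXTRA = {"nodes": {"create", "delete"}, "pods/eviction": {"patch"}}

def baseline(component):
    """Allowed verbs per resource for 'agent' or 'controller'."""
    allowed = {res: set(verbs) for res, verbs in AGENT.items()}
    if component == "controller":
        for res, verbs in CONTROLLER_EXTRA.items():
            allowed.setdefault(res, set()).update(verbs)
    return allowed

def excess(role, component="agent"):
    """Sorted (resource, verb) grants in one ClusterRole beyond the baseline."""
    allowed, found = baseline(component), set()
    for rule in role.get("rules") or []:
        # Rules without 'resources' are nonResourceURLs rules; report them too.
        for res in rule.get("resources") or ["<nonResourceURL>"]:
            for verb in rule.get("verbs", []):
                if "*" in (res, verb) or verb not in allowed.get(res, set()):
                    found.add((res, verb))
    return sorted(found)

def audit(role_list, component="agent"):
    """Map ClusterRole name -> excess grants, for roles that have any."""
    report = {r["metadata"]["name"]: excess(r, component) for r in role_list["items"]}
    return {name: extra for name, extra in report.items() if extra}

# Constructed sample: parsed form of `kubectl get clusterroles -o json` output.
SAMPLE = {"items": [
    {"metadata": {"name": "example-agent-minimal"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "nodes"],
         "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "example-agent-broad"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "delete"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]}

if __name__ == "__main__":
    for name, extra in audit(SAMPLE).items():
        print(name, extra)
```

To audit a live cluster, run the Step 2 `kubectl get clusterroles` command with `-o json` instead of `-o yaml` and pass the parsed output to `audit()` in place of `SAMPLE`.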

Step 3: Enable Kvisor Security Agent

# Kvisor scans for CVEs, misconfigurations, and runtime threats
helm upgrade --install castai-kvisor castai-helm/castai-kvisor \
  -n castai-agent \
  --set castai.apiKey="${CASTAI_API_KEY}" \
  --set castai.clusterID="${CASTAI_CLUSTER_ID}" \
  --set controller.extraArgs.image-scan-enabled=true \
  --set controller.extraArgs.kube-bench-enabled=true

# Verify Kvisor is running
kubectl get pods -n castai-agent -l app.kubernetes.io/name=castai-kvisor

Step 4: Network Policies

# Limit CAST AI agent egress to HTTPS (TCP 443) and DNS; the destination is not pinned to api.cast.ai
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: castai-agent-egress
  namespace: castai-agent
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: castai-agent
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0  # api.cast.ai resolves dynamically
      ports:
        - protocol: TCP
          port: 443
    - to:  # Allow DNS
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53

Step 5: Security Checklist

  • API keys stored in secrets manager, not Helm values files
  • Separate keys per environment (dev/staging/prod)
  • Read-only keys for monitoring-only clusters
  • Key rotation scheduled every 90 days
  • Kvisor enabled for image scanning and CIS benchmarks
  • CAST AI namespace has network policies
  • Agent RBAC reviewed and minimized
  • Helm values files in .gitignore
  • Audit logs enabled in CAST AI console

Error Handling

| Issue | Detection | Mitigation |
|-------|-----------|------------|
| API key in git history | git log -S "CASTAI" | Rotate key immediately |
| Agent has cluster-admin | kubectl auth can-i --list | Apply scoped ClusterRole |
| Kvisor high resource use | kubectl top pods -n castai-agent | Adjust scan intervals |
| Network policy blocks agent | Agent goes offline | Allow egress to 443 |

Next Steps

For the production deployment checklist, see castai-prod-checklist.