Install

Source: clone the upstream repo

```bash
git clone https://github.com/ComeOnOliver/skillshub
```

Claude Code: install into `~/.claude/skills/`

```bash
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/rohitg00/kubectl-mcp-server/k8s-policy" ~/.claude/skills/comeonoliver-skillshub-k8s-policy && rm -rf "$T"
```

Manifest: `skills/rohitg00/kubectl-mcp-server/k8s-policy/SKILL.md`

Source content:
# Kubernetes Policy Management
Manage policies using kubectl-mcp-server's Kyverno and Gatekeeper tools.
## When to Apply
Use this skill when:
- User mentions: "Kyverno", "Gatekeeper", "OPA", "policy", "compliance"
- Operations: enforcing policies, checking violations, policy audit
- Keywords: "require labels", "block privileged", "validate", "enforce"
## Priority Rules

| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Detect policy engine first | CRITICAL | `kyverno_detect_tool`, `gatekeeper_detect_tool` |
| 2 | Use Audit mode before Enforce | HIGH | `validationFailureAction` |
| 3 | Check policy reports for violations | HIGH | `kyverno_clusterpolicyreports_list_tool` |
| 4 | Review constraint templates | MEDIUM | `gatekeeper_constrainttemplates_list_tool` |
## Quick Reference

| Task | Tool | Example |
|---|---|---|
| List Kyverno cluster policies | `kyverno_clusterpolicies_list_tool` | `kyverno_clusterpolicies_list_tool()` |
| Get Kyverno policy | `kyverno_clusterpolicy_get_tool` | `kyverno_clusterpolicy_get_tool(name="require-labels")` |
| List Gatekeeper constraints | `gatekeeper_constraints_list_tool` | `gatekeeper_constraints_list_tool()` |
| Get constraint | `gatekeeper_constraint_get_tool` | `gatekeeper_constraint_get_tool(kind="K8sRequiredLabels", name="require-app-label")` |
## Kyverno

### Detect Installation

```python
kyverno_detect_tool()
```

### List Policies

```python
kyverno_clusterpolicies_list_tool()
kyverno_policies_list_tool(namespace="default")
```

### Get Policy Details

```python
kyverno_clusterpolicy_get_tool(name="require-labels")
kyverno_policy_get_tool(name="require-resources", namespace="default")
```

### Policy Reports

```python
kyverno_clusterpolicyreports_list_tool()
kyverno_policyreports_list_tool(namespace="default")
```

### Common Kyverno Policies

```python
# Require an 'app' label on every Pod
kubectl_apply(manifest="""
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-app-label
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Label 'app' is required"
        pattern:
          metadata:
            labels:
              app: "?*"
""")

# Require CPU and memory limits on every container
kubectl_apply(manifest="""
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-limits
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-cpu-memory
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "CPU and memory limits required"
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    cpu: "?*"
                    memory: "?*"
""")
```
## Gatekeeper (OPA)

### Detect Installation

```python
gatekeeper_detect_tool()
```

### List Constraints

```python
gatekeeper_constraints_list_tool()
gatekeeper_constrainttemplates_list_tool()
```

### Get Constraint Details

```python
gatekeeper_constraint_get_tool(
    kind="K8sRequiredLabels",
    name="require-app-label"
)
gatekeeper_constrainttemplate_get_tool(name="k8srequiredlabels")
```

### Common Gatekeeper Policies

```python
# ConstraintTemplate: Rego that reports any required label missing from the object
kubectl_apply(manifest="""
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("Missing labels: %v", [missing])
        }
""")

# Constraint: instantiate the template for Pods, requiring 'app' and 'env'
kubectl_apply(manifest="""
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    labels: ["app", "env"]
""")
```
## Policy Audit Workflow

```python
kyverno_detect_tool()
kyverno_clusterpolicies_list_tool()
kyverno_clusterpolicyreports_list_tool()
```
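An added Python example (not part of this skill or of kubectl-mcp-server) showing how a client could turn the policy reports the audit workflow retrieves into a per-policy violation summary, and which policies could be moved from Audit to Enforce without blocking a workload already in the cluster. It assumes the reports are plain `wgpolicyk8s.io/v1alpha2` PolicyReport objects (a constructed sample is embedded) rather than any specific return format of the tools.

```python
from collections import defaultdict

# Constructed sample: PolicyReport objects in the wgpolicyk8s.io/v1alpha2 shape
# that Kyverno writes (assumed; not output captured from kubectl-mcp-server).
SAMPLE_REPORTS = [
    {"metadata": {"name": "cpol-require-labels", "namespace": "default"},
     "results": [
         {"policy": "require-labels", "rule": "require-app-label", "result": "pass",
          "resources": [{"kind": "Pod", "name": "web-1", "namespace": "default"}]},
         {"policy": "require-labels", "rule": "require-app-label", "result": "pass",
          "resources": [{"kind": "Pod", "name": "api-1", "namespace": "default"}]},
     ]},
    {"metadata": {"name": "cpol-require-limits", "namespace": "payments"},
     "results": [
         {"policy": "require-limits", "rule": "require-cpu-memory", "result": "fail",
          "message": "CPU and memory limits required",
          "resources": [{"kind": "Pod", "name": "worker-0", "namespace": "payments"}]},
         {"policy": "require-limits", "rule": "require-cpu-memory", "result": "pass",
          "resources": [{"kind": "Pod", "name": "worker-1", "namespace": "payments"}]},
     ]},
]


def summarize_violations(reports):
    """Per-policy pass/fail counts plus namespace/kind/name of each failing resource."""
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "failing": []})
    for report in reports:
        for res in report.get("results", []):
            entry = summary[res["policy"]]
            outcome = res.get("result", "skip")  # pass | fail | warn | error | skip
            if outcome in ("pass", "fail"):
                entry[outcome] += 1
            if outcome == "fail":
                for r in res.get("resources", []):
                    entry["failing"].append(
                        f"{r.get('namespace', '')}/{r['kind']}/{r['name']}")
    return dict(summary)


def safe_to_enforce(reports):
    """Policies with no failing results: flipping validationFailureAction from
    Audit to Enforce would not reject any workload already in the cluster."""
    return sorted(p for p, s in summarize_violations(reports).items() if s["fail"] == 0)


if __name__ == "__main__":
    for policy, s in summarize_violations(SAMPLE_REPORTS).items():
        print(f"{policy}: pass={s['pass']} fail={s['fail']} failing={s['failing']}")
    print("safe to enforce:", safe_to_enforce(SAMPLE_REPORTS))
```

Policies that still show failures stay in Audit until the listed resources are fixed; the others are candidates for Enforce.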
## Prerequisites

- Kyverno: required for Kyverno tools

  ```bash
  kubectl create -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
  ```

- Gatekeeper: required for Gatekeeper tools

  ```bash
  kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
  ```
## Related Skills
- k8s-security - RBAC and security
- k8s-operations - Apply policies