## Install

Source: clone the upstream repo

```shell
git clone https://github.com/ComeOnOliver/skillshub
```

Claude Code: install into `~/.claude/skills/`

```shell
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/rohitg00/kubectl-mcp-server/k8s-security" ~/.claude/skills/comeonoliver-skillshub-k8s-security && rm -rf "$T"
```

Manifest: `skills/rohitg00/kubectl-mcp-server/k8s-security/SKILL.md`

---
# Kubernetes Security

Security auditing, RBAC management, and policy enforcement using kubectl-mcp-server tools.
## When to Apply

Use this skill when:
- User mentions: "security", "RBAC", "permissions", "policy", "audit", "secrets"
- Operations: security review, permission check, policy enforcement
- Keywords: "who can", "access control", "compliance", "vulnerable"
## Priority Rules

| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Check cluster-admin bindings first | CRITICAL | `get_cluster_role_bindings` |
| 2 | Audit secrets access permissions | CRITICAL | Review role rules |
| 3 | Verify network isolation | HIGH | `get_network_policies` |
| 4 | Check policy compliance | HIGH | `kyverno_clusterpolicies_list_tool`, `gatekeeper_constraints_list_tool` |
| 5 | Review pod security contexts | MEDIUM | `get_pods`, `describe_pod` |
## Quick Reference

| Task | Tool | Example |
|---|---|---|
| List roles | `get_roles` | `get_roles(namespace)` |
| Cluster roles | `get_cluster_roles` | `get_cluster_roles()` |
| Role bindings | `get_role_bindings` | `get_role_bindings(namespace)` |
| Service accounts | `get_service_accounts` | `get_service_accounts(namespace)` |
| Kyverno policies | `kyverno_policies_list_tool` | `kyverno_policies_list_tool(namespace)` |
## RBAC Auditing

### List Roles and Bindings

```python
get_roles(namespace)
get_cluster_roles()
get_role_bindings(namespace)
get_cluster_role_bindings()
```

### Check Service Account Permissions

```python
get_service_accounts(namespace)
```
### Common RBAC Patterns

| Pattern | Risk Level | Check |
|---|---|---|
| cluster-admin binding | Critical | `get_cluster_role_bindings()` |
| Wildcard verbs (*) | High | Review role rules |
| secrets access | High | Check get/list on secrets |
| pod/exec | High | Allows container access |
See RBAC-PATTERNS.md for detailed patterns and remediation.
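The checks in the pattern table, applied to RBAC objects, as an added example (not code from the skill or from kubectl-mcp-server). It runs over constructed ClusterRole and ClusterRoleBinding objects in `kubectl get -o json` shape; that the `get_cluster_roles()` / `get_cluster_role_bindings()` tools return this exact shape is an assumption.

```python
# Constructed sample objects in `kubectl get -o json` shape. Whether
# get_cluster_roles()/get_cluster_role_bindings() return exactly this
# shape is an assumption; adapt the field access if they differ.
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
    {"metadata": {"name": "ops-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
    {"metadata": {"name": "dev-view"},
     "roleRef": {"kind": "ClusterRole", "name": "viewer"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]


def role_findings(role):
    """(risk, reason) for each risky pattern in one Role/ClusterRole's rules."""
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs:
            findings.append(("High", "wildcard verbs"))
        # A "*" resource grants secrets and pods/exec too, so treat it as a match.
        if resources & {"secrets", "*"} and verbs & {"get", "list", "*"}:
            findings.append(("High", "get/list on secrets"))
        if resources & {"pods/exec", "*"}:
            findings.append(("High", "pods/exec allows container access"))
    return findings


def audit(roles, bindings):
    """List (binding, risk, reason, subjects) for every risky grant."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    report = []
    for b in bindings:
        role = b["roleRef"]["name"]
        subjects = [f'{s["kind"]}:{s["name"]}' for s in b.get("subjects", [])]
        hits = [("Critical", "cluster-admin binding")] if role == "cluster-admin" else []
        hits += role_findings(by_name.get(role, {}))
        report.extend((b["metadata"]["name"], risk, reason, subjects) for risk, reason in hits)
    return report
```

Bindings that reference a Role rather than a ClusterRole are audited the same way once `get_roles(namespace)` / `get_role_bindings(namespace)` output is passed in.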
## Policy Enforcement

### Kyverno Policies

```python
kyverno_policies_list_tool(namespace)
kyverno_clusterpolicies_list_tool()
kyverno_policy_get_tool(name, namespace)
```

### OPA Gatekeeper

```python
gatekeeper_constraints_list_tool()
gatekeeper_constraint_get_tool(kind, name)
gatekeeper_templates_list_tool()
```

### Common Policies to Enforce
| Policy | Purpose |
|---|---|
| Disallow privileged | Prevent root containers |
| Require resource limits | Prevent resource exhaustion |
| Restrict host namespaces | Isolate from node |
| Require labels | Ensure metadata |
| Allowed registries | Control image sources |
## Secret Management

### List Secrets

```python
get_secrets(namespace)
```

### Secret Best Practices
- Use external secret managers (Vault, AWS SM)
- Encrypt secrets at rest (EncryptionConfiguration)
- Limit secret access via RBAC
- Rotate secrets regularly
## Network Policies

### List Policies

```python
get_network_policies(namespace)
```

### Cilium Network Policies

```python
cilium_policies_list_tool(namespace)
cilium_policy_get_tool(name, namespace)
```

### Default Deny Template

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```
## Security Scanning Workflow

1. RBAC Audit

   ```python
   get_cluster_role_bindings()
   get_roles(namespace)
   ```

2. Policy Compliance

   ```python
   kyverno_clusterpolicies_list_tool()
   gatekeeper_constraints_list_tool()
   ```

3. Network Isolation

   ```python
   get_network_policies(namespace)
   cilium_endpoints_list_tool(namespace)
   ```

4. Pod Security

   ```python
   get_pods(namespace)
   describe_pod(name, namespace)
   ```
## Multi-Cluster Security

Audit across clusters:

```python
get_cluster_role_bindings(context="production")
get_cluster_role_bindings(context="staging")
```

## Automated Audit Script

For a comprehensive security audit, see `scripts/audit-rbac.py`.
## Related Tools

- RBAC: `get_roles`, `get_cluster_roles`, `get_role_bindings`
- Policy: `kyverno_*`, `gatekeeper_*`
- Network: `get_network_policies`, `cilium_policies_*`
- Istio: `istio_authorizationpolicies_list_tool`, `istio_peerauthentications_list_tool`
## Related Skills

- k8s-policy - Policy management
- k8s-cilium - Cilium network security