Claude-skill-registry-data managing-network-policies
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry-data
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry-data "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/managing-network-policies" ~/.claude/skills/majiayu000-claude-skill-registry-data-managing-network-policies && rm -rf "$T"
manifest: data/managing-network-policies/SKILL.md
source content
Network Policy Manager
This skill provides automated assistance for network policy manager tasks.
Overview
Creates Kubernetes NetworkPolicy manifests to enforce least-privilege ingress/egress between pods and namespaces, and helps validate connectivity after changes.
Prerequisites
Before using this skill, ensure:
- Kubernetes cluster has network policy support enabled
- Network plugin enforces NetworkPolicy (Calico, Cilium, Weave); a plugin without a policy engine accepts NetworkPolicy objects but silently ignores them
- Pod labels are properly defined for policy selectors
- Understanding of application communication patterns
- Namespace isolation strategy is defined
Instructions
- Identify Requirements: Determine which pods need to communicate
- Define Selectors: Use pod/namespace labels for policy targeting
- Configure Ingress: Specify allowed incoming traffic sources and ports
- Configure Egress: Define allowed outgoing traffic destinations
- Test Policies: Verify connectivity works as expected
- Monitor Denials: Check for blocked traffic in network plugin logs
- Iterate: Refine policies based on application behavior
Output
Network Policy Examples:
```yaml
# {baseDir}/network-policies/allow-frontend-to-backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
---
# Deny all ingress by default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
```
Egress Policy:
```yaml
# Once a pod is selected by a policy with Egress in policyTypes, every egress
# flow not listed here (including DNS to kube-dns) is denied; see Error Handling.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-api
spec:
  podSelector:
    matchLabels:
      app: api-client
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: external-services
      ports:
        - protocol: TCP
          port: 443
```
Error Handling
Policy Not Applied
- Error: Traffic still blocked/allowed contrary to policy
- Solution: Verify the network plugin actually enforces NetworkPolicy, and that the policy was created in the same namespace as the target pods (NetworkPolicy is namespaced and only selects pods in its own namespace)
DNS Resolution Fails
- Error: Pods cannot resolve DNS after applying policy
- Solution: Add an egress rule allowing UDP and TCP port 53 to the kube-dns/CoreDNS pods in kube-system; once a pod is selected by any Egress policy, all egress not explicitly allowed, DNS included, is dropped
No Communication After Policy
- Error: All traffic blocked unexpectedly
- Solution: Check for default-deny policies and ensure explicit allow rules exist
Label Mismatch
- Error: Policy not targeting intended pods
- Solution: Verify pod labels match policy selectors using `kubectl get pods --show-labels`
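The Instructions above (select, allow ingress, allow egress, test) and the Error Handling entries (label mismatch, default-deny with no allow rule, DNS egress) all come down to how NetworkPolicy selection and rule matching work. The script below is an added example, not part of this skill or its files: an offline evaluator of NetworkPolicy semantics that replays the two ingress manifests and the egress manifest shown above against a constructed set of pods and namespace labels, then shows the DNS failure and its fix. Pod names, namespace labels, the `production` namespace assumed for the egress manifest, and the `allow-dns-egress` policy are all constructed for the example; only `matchLabels` selectors are modelled (no `matchExpressions`, `ipBlock`, named ports or `endPort`).

```python
"""Offline evaluator for Kubernetes NetworkPolicy semantics (matchLabels only).
Added example; cluster state below is constructed, not taken from a real cluster."""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


def selector_matches(selector, labels):
    # An empty selector ({}) matches everything; matchLabels entries are AND-ed.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec):
    # Kubernetes default: Ingress always; Egress only if egress rules are present.
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def peer_matches(peer, other, policy_ns, ns_labels):
    """One 'from'/'to' entry: podSelector alone = pods in the policy's own namespace;
    namespaceSelector alone = any pod in matching namespaces; both together = AND."""
    if "ipBlock" in peer:
        return False  # CIDR peers are outside this pod-to-pod model
    ns_sel = peer.get("namespaceSelector")
    ns_ok = (other.namespace == policy_ns if ns_sel is None
             else selector_matches(ns_sel, ns_labels.get(other.namespace, {})))
    pod_sel = peer.get("podSelector")
    return ns_ok and (pod_sel is None or selector_matches(pod_sel, other.labels))


def port_matches(ports, port, protocol):
    # No ports listed means every port; protocol defaults to TCP.
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port
                            for p in ports)


def direction_allowed(direction, pod, other, port, protocol, policies, ns_labels):
    """direction='ingress': pod is the destination and other the source; 'egress' the reverse."""
    kind, peer_key = ("Ingress", "from") if direction == "ingress" else ("Egress", "to")
    selecting = [p for p in policies
                 if p["metadata"].get("namespace", "default") == pod.namespace
                 and kind in policy_types(p["spec"])
                 and selector_matches(p["spec"].get("podSelector", {}), pod.labels)]
    if not selecting:
        return True  # no policy selects the pod in this direction: not isolated
    # Isolated: allowed only if some rule of some selecting policy matches (rules are OR-ed).
    for policy in selecting:
        for rule in policy["spec"].get(direction) or []:
            peers = rule.get(peer_key) or []
            peer_ok = not peers or any(peer_matches(pe, other, pod.namespace, ns_labels) for pe in peers)
            if peer_ok and port_matches(rule.get("ports") or [], port, protocol):
                return True
    return False


def connection_allowed(src, dst, port, protocol, policies, ns_labels):
    # Both the source's egress and the destination's ingress must permit the flow.
    return (direction_allowed("egress", src, dst, port, protocol, policies, ns_labels)
            and direction_allowed("ingress", dst, src, port, protocol, policies, ns_labels))


# --- constructed cluster state (not from a real cluster) ---------------------
NS_LABELS = {"production": {"name": "production"},
             "external-services": {"name": "external-services"},
             "kube-system": {"name": "kube-system"}}
FRONTEND = Pod("frontend-0", "production", {"app": "frontend"})
BACKEND = Pod("backend-0", "production", {"app": "backend"})
BATCH = Pod("batch-0", "production", {"app": "batch"})
API_CLIENT = Pod("api-client-0", "production", {"app": "api-client"})
EXT_API = Pod("ext-api-0", "external-services", {"app": "ext-api"})
COREDNS = Pod("coredns-0", "kube-system", {"k8s-app": "kube-dns"})


def make_policy(name, namespace, **spec):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# The three manifests from the Output section, as dicts.
DEFAULT_DENY_INGRESS = make_policy("default-deny-ingress", "production",
                                   podSelector={}, policyTypes=["Ingress"])
ALLOW_FRONTEND_TO_BACKEND = make_policy(
    "allow-frontend-to-backend", "production",
    podSelector={"matchLabels": {"app": "backend"}}, policyTypes=["Ingress"],
    ingress=[{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
              "ports": [{"protocol": "TCP", "port": 8080}]}])
ALLOW_EXTERNAL_API = make_policy(  # namespace "production" is an assumption here
    "allow-external-api", "production",
    podSelector={"matchLabels": {"app": "api-client"}}, policyTypes=["Egress"],
    egress=[{"to": [{"namespaceSelector": {"matchLabels": {"name": "external-services"}}}],
             "ports": [{"protocol": "TCP", "port": 443}]}])
# The fix from "DNS Resolution Fails": explicit egress to kube-dns (constructed policy).
ALLOW_DNS_EGRESS = make_policy(
    "allow-dns-egress", "production",
    podSelector={"matchLabels": {"app": "api-client"}}, policyTypes=["Egress"],
    egress=[{"to": [{"namespaceSelector": {"matchLabels": {"name": "kube-system"}},
                     "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
             "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}])

CASES = {
    "frontend->backend:8080/TCP": (FRONTEND, BACKEND, 8080, "TCP"),
    "batch->backend:8080/TCP": (BATCH, BACKEND, 8080, "TCP"),        # label mismatch
    "frontend->backend:9090/TCP": (FRONTEND, BACKEND, 9090, "TCP"),  # port not allowed
    "api-client->ext-api:443/TCP": (API_CLIENT, EXT_API, 443, "TCP"),
    "api-client->coredns:53/UDP": (API_CLIENT, COREDNS, 53, "UDP"),  # DNS egress
}


def evaluate(policies):
    """Map each constructed test flow to True (allowed) or False (denied)."""
    return {label: connection_allowed(s, d, port, proto, policies, NS_LABELS)
            for label, (s, d, port, proto) in CASES.items()}


if __name__ == "__main__":
    base = [DEFAULT_DENY_INGRESS, ALLOW_FRONTEND_TO_BACKEND, ALLOW_EXTERNAL_API]
    for label, ok in evaluate(base).items():
        print(f"{label:30} {'ALLOW' if ok else 'DENY'}")
    print("DNS after adding allow-dns-egress:",
          evaluate(base + [ALLOW_DNS_EGRESS])["api-client->coredns:53/UDP"])
```

Running it shows the expected picture: frontend reaches backend on 8080, the batch pod and port 9090 are denied by the default-deny policy because no allow rule matches them, api-client reaches the external-services namespace on 443, and api-client's DNS lookups are denied until the explicit kube-dns egress rule is added. The evaluator is a reasoning aid for reviewing a policy set before applying it; the real check is still the "Test Policies" and "Monitor Denials" steps against the cluster's own plugin.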
Examples
- "Restrict namespace prod so only the ingress controller can reach the web pods on 443."
- "Create egress rules that allow the API to talk only to Postgres and Redis."
Resources
- Kubernetes NetworkPolicy: https://kubernetes.io/docs/concepts/services-networking/network-policies/
- Calico documentation: https://docs.projectcalico.org/
- Example policies in {baseDir}/network-policy-examples/