How do I install K8s Security Policies?

Install K8s Security Policies with a single command: npx mdskills install sickn33/k8s-security-policies. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support K8s Security Policies?

K8s Security Policies works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

K8s Security Policies

Name: K8s Security Policies: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

Intermediate

Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/k8s-security-policies

Fork & Edit

Skill Advisor8.0

Comprehensive K8s security policy guide with excellent examples for NetworkPolicy, RBAC, and Pod Security Standards

+Provides extensive, production-ready YAML examples for all major security policies
+Covers defense-in-depth with NetworkPolicy, RBAC, OPA Gatekeeper, and service mesh security
+Includes troubleshooting commands and compliance framework guidance
-Declares shell execution and network access but examples only show kubectl commands
-References external files that may not be accessible to the agent

SKILL.md

Edit in Browser

1---
2name: k8s-security-policies
3description: Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.
4---
5 
6# Kubernetes Security Policies
7 
8Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.
9 
10## Do not use this skill when
11 
12- The task is unrelated to kubernetes security policies
13- You need a different domain or tool outside this scope
14 
15## Instructions
16 
17- Clarify goals, constraints, and required inputs.
18- Apply relevant best practices and validate outcomes.
19- Provide actionable steps and verification.
20- If detailed examples are required, open `resources/implementation-playbook.md`.
21 
22## Purpose
23 
24Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.
25 
26## Use this skill when
27 
28- Implement network segmentation
29- Configure pod security standards
30- Set up RBAC for least-privilege access
31- Create security policies for compliance
32- Implement admission control
33- Secure multi-tenant clusters
34 
35## Pod Security Standards
36 
37### 1. Privileged (Unrestricted)
38```yaml
39apiVersion: v1
40kind: Namespace
41metadata:
42  name: privileged-ns
43  labels:
44    pod-security.kubernetes.io/enforce: privileged
45    pod-security.kubernetes.io/audit: privileged
46    pod-security.kubernetes.io/warn: privileged
47```
48 
49### 2. Baseline (Minimally restrictive)
50```yaml
51apiVersion: v1
52kind: Namespace
53metadata:
54  name: baseline-ns
55  labels:
56    pod-security.kubernetes.io/enforce: baseline
57    pod-security.kubernetes.io/audit: baseline
58    pod-security.kubernetes.io/warn: baseline
59```
60 
61### 3. Restricted (Most restrictive)
62```yaml
63apiVersion: v1
64kind: Namespace
65metadata:
66  name: restricted-ns
67  labels:
68    pod-security.kubernetes.io/enforce: restricted
69    pod-security.kubernetes.io/audit: restricted
70    pod-security.kubernetes.io/warn: restricted
71```
72 
73## Network Policies
74 
75### Default Deny All
76```yaml
77apiVersion: networking.k8s.io/v1
78kind: NetworkPolicy
79metadata:
80  name: default-deny-all
81  namespace: production
82spec:
83  podSelector: {}
84  policyTypes:
85  - Ingress
86  - Egress
87```
88 
89### Allow Frontend to Backend
90```yaml
91apiVersion: networking.k8s.io/v1
92kind: NetworkPolicy
93metadata:
94  name: allow-frontend-to-backend
95  namespace: production
96spec:
97  podSelector:
98    matchLabels:
99      app: backend
100  policyTypes:
101  - Ingress
102  ingress:
103  - from:
104    - podSelector:
105        matchLabels:
106          app: frontend
107    ports:
108    - protocol: TCP
109      port: 8080
110```
111 
112### Allow DNS
113```yaml
114apiVersion: networking.k8s.io/v1
115kind: NetworkPolicy
116metadata:
117  name: allow-dns
118  namespace: production
119spec:
120  podSelector: {}
121  policyTypes:
122  - Egress
123  egress:
124  - to:
125    - namespaceSelector:
126        matchLabels:
127          name: kube-system
128    ports:
129    - protocol: UDP
130      port: 53
131```
132 
133**Reference:** See `assets/network-policy-template.yaml`
134 
135## RBAC Configuration
136 
137### Role (Namespace-scoped)
138```yaml
139apiVersion: rbac.authorization.k8s.io/v1
140kind: Role
141metadata:
142  name: pod-reader
143  namespace: production
144rules:
145- apiGroups: [""]
146  resources: ["pods"]
147  verbs: ["get", "watch", "list"]
148```
149 
150### ClusterRole (Cluster-wide)
151```yaml
152apiVersion: rbac.authorization.k8s.io/v1
153kind: ClusterRole
154metadata:
155  name: secret-reader
156rules:
157- apiGroups: [""]
158  resources: ["secrets"]
159  verbs: ["get", "watch", "list"]
160```
161 
162### RoleBinding
163```yaml
164apiVersion: rbac.authorization.k8s.io/v1
165kind: RoleBinding
166metadata:
167  name: read-pods
168  namespace: production
169subjects:
170- kind: User
171  name: jane
172  apiGroup: rbac.authorization.k8s.io
173- kind: ServiceAccount
174  name: default
175  namespace: production
176roleRef:
177  kind: Role
178  name: pod-reader
179  apiGroup: rbac.authorization.k8s.io
180```
181 
182**Reference:** See `references/rbac-patterns.md`
183 
184## Pod Security Context
185 
186### Restricted Pod
187```yaml
188apiVersion: v1
189kind: Pod
190metadata:
191  name: secure-pod
192spec:
193  securityContext:
194    runAsNonRoot: true
195    runAsUser: 1000
196    fsGroup: 1000
197    seccompProfile:
198      type: RuntimeDefault
199  containers:
200  - name: app
201    image: myapp:1.0
202    securityContext:
203      allowPrivilegeEscalation: false
204      readOnlyRootFilesystem: true
205      capabilities:
206        drop:
207        - ALL
208```
209 
210## Policy Enforcement with OPA Gatekeeper
211 
212### ConstraintTemplate
213```yaml
214apiVersion: templates.gatekeeper.sh/v1
215kind: ConstraintTemplate
216metadata:
217  name: k8srequiredlabels
218spec:
219  crd:
220    spec:
221      names:
222        kind: K8sRequiredLabels
223      validation:
224        openAPIV3Schema:
225          type: object
226          properties:
227            labels:
228              type: array
229              items:
230                type: string
231  targets:
232    - target: admission.k8s.gatekeeper.sh
233      rego: |
234        package k8srequiredlabels
235        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
236          provided := {label | input.review.object.metadata.labels[label]}
237          required := {label | label := input.parameters.labels[_]}
238          missing := required - provided
239          count(missing) > 0
240          msg := sprintf("missing required labels: %v", [missing])
241        }
242```
243 
244### Constraint
245```yaml
246apiVersion: constraints.gatekeeper.sh/v1beta1
247kind: K8sRequiredLabels
248metadata:
249  name: require-app-label
250spec:
251  match:
252    kinds:
253      - apiGroups: ["apps"]
254        kinds: ["Deployment"]
255  parameters:
256    labels: ["app", "environment"]
257```
258 
259## Service Mesh Security (Istio)
260 
261### PeerAuthentication (mTLS)
262```yaml
263apiVersion: security.istio.io/v1beta1
264kind: PeerAuthentication
265metadata:
266  name: default
267  namespace: production
268spec:
269  mtls:
270    mode: STRICT
271```
272 
273### AuthorizationPolicy
274```yaml
275apiVersion: security.istio.io/v1beta1
276kind: AuthorizationPolicy
277metadata:
278  name: allow-frontend
279  namespace: production
280spec:
281  selector:
282    matchLabels:
283      app: backend
284  action: ALLOW
285  rules:
286  - from:
287    - source:
288        principals: ["cluster.local/ns/production/sa/frontend"]
289```
290 
291## Best Practices
292 
2931. **Implement Pod Security Standards** at namespace level
2942. **Use Network Policies** for network segmentation
2953. **Apply least-privilege RBAC** for all service accounts
2964. **Enable admission control** (OPA Gatekeeper/Kyverno)
2975. **Run containers as non-root**
2986. **Use read-only root filesystem**
2997. **Drop all capabilities** unless needed
3008. **Implement resource quotas** and limit ranges
3019. **Enable audit logging** for security events
30210. **Regular security scanning** of images
303 
304## Compliance Frameworks
305 
306### CIS Kubernetes Benchmark
307- Use RBAC authorization
308- Enable audit logging
309- Use Pod Security Standards
310- Configure network policies
311- Implement secrets encryption at rest
312- Enable node authentication
313 
314### NIST Cybersecurity Framework
315- Implement defense in depth
316- Use network segmentation
317- Configure security monitoring
318- Implement access controls
319- Enable logging and monitoring
320 
321## Troubleshooting
322 
323**NetworkPolicy not working:**
324```bash
325# Check if CNI supports NetworkPolicy
326kubectl get nodes -o wide
327kubectl describe networkpolicy <name>
328```
329 
330**RBAC permission denied:**
331```bash
332# Check effective permissions
333kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
334kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa
335```
336 
337## Reference Files
338 
339- `assets/network-policy-template.yaml` - Network policy examples
340- `assets/pod-security-template.yaml` - Pod security policies
341- `references/rbac-patterns.md` - RBAC configuration patterns
342 
343## Related Skills
344 
345- `k8s-manifest-generator` - For creating secure manifests
346- `gitops-workflow` - For automated policy deployment
347

Full transparency — inspect the skill content before installing.