بنقرة واحدة
opa-policies
Write OPA/Gatekeeper and Kyverno admission policies for Kubernetes security guardrails.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Write OPA/Gatekeeper and Kyverno admission policies for Kubernetes security guardrails.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Production-grade GitHub Actions workflows — reusable workflows, OIDC cloud auth, caching, matrix builds, and environment protection rules. Use when the user creates, reviews, or debugs CI/CD pipelines in .github/workflows, or asks about GitHub Actions deployment, OIDC authentication, or workflow optimization.
Systematic diagnosis of Kubernetes pod failures — CrashLoopBackOff, OOMKilled, Pending, ImagePullBackOff, and service connectivity issues. Use when the user encounters pods not starting, container restart loops, scheduling failures, or service unreachability in a K8s cluster.
Implement distributed tracing with OpenTelemetry, Tempo/Jaeger — instrumentation, sampling, and trace-to-log correlation. Use when the user asks about distributed tracing, OpenTelemetry setup, span instrumentation, trace propagation, or connecting traces to logs and metrics.
Design reusable React components with compound patterns, controlled/uncontrolled hybrids, typed prop APIs, async state handling, and ARIA accessibility. Use when the user creates, refactors, or reviews React components, or mentions props, hooks, .tsx files, component APIs, or accessible UI patterns.
Apply STRIDE threat modeling to system designs, identify IDOR and authorization vulnerabilities, and build threat matrices for security reviews. Use when the user designs a new system, reviews an architecture, prepares for a security audit, or asks about common API vulnerabilities like IDOR or broken access control.
Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
| name | opa-policies |
| type | skill |
| description | Write OPA/Gatekeeper and Kyverno admission policies for Kubernetes security guardrails. |
| related-rules | ["policy-as-code.md","container-security.md"] |
| allowed-tools | Read, Write, Edit, Bash |
Expertise: Gatekeeper ConstraintTemplates, Kyverno ClusterPolicies, validation + mutation + generation.
When writing admission policies, testing policy changes, or debugging policy-blocked deployments.
# 1. ConstraintTemplate — defines the policy logic in Rego
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequirenonroot
spec:
crd:
spec:
names: { kind: K8sRequireNonRoot }
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequirenonroot
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
not container.securityContext.runAsNonRoot
msg := sprintf("Container '%v' must set runAsNonRoot: true", [container.name])
}
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
container.securityContext.runAsUser == 0
msg := sprintf("Container '%v' must not run as UID 0", [container.name])
}
---
# 2. Constraint — applies the template to specific resources/namespaces
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNonRoot
metadata:
name: require-non-root-production
spec:
enforcementAction: deny # deny | warn | dryrun
match:
kinds:
- apiGroups: [apps]
kinds: [Deployment, StatefulSet, DaemonSet]
namespaceSelector:
matchExpressions:
- key: environment
operator: In
values: [production, staging]
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequireimagedigest
spec:
crd:
spec:
names: { kind: K8sRequireImageDigest }
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequireimagedigest
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
not contains(container.image, "@sha256:")
msg := sprintf(
"Container '%v' image '%v' must reference a digest (@sha256:...), not a mutable tag",
[container.name, container.image]
)
}
# Disallow privileged containers (Kyverno)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privileged-containers
spec:
validationFailureAction: Enforce
rules:
- name: check-privileged
match:
any:
- resources:
kinds: [Pod]
namespaces: [production, staging]
validate:
message: "Privileged containers are not allowed in production/staging"
pattern:
spec:
containers:
- =(securityContext):
=(privileged): "false"
# Kyverno MUTATION — auto-add security context defaults
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-default-securitycontext
spec:
rules:
- name: add-security-context
match:
any:
- resources: { kinds: [Pod] }
mutate:
patchStrategicMerge:
spec:
containers:
- (name): "*"
securityContext:
+(runAsNonRoot): true
+(allowPrivilegeEscalation): false
+(readOnlyRootFilesystem): true
# OPA unit tests
cat > policies/test_nonroot.rego << 'REGO'
package k8srequirenonroot
test_deny_root_container {
violation[{"msg": _}] with input as {
"review": {"object": {"spec": {"containers": [
{"name": "app", "securityContext": {"runAsUser": 0}}
]}}}
}
}
test_allow_nonroot_container {
count(violation) == 0 with input as {
"review": {"object": {"spec": {"containers": [
{"name": "app", "securityContext": {"runAsNonRoot": true, "runAsUser": 1000}}
]}}}
}
}
REGO
opa test policies/ -v
# Kyverno test with example manifests
kyverno test . \
--test-case-selector "policy=disallow-privileged-containers"
# Check which policies blocked a recent admission
kubectl get events -n <ns> | grep "denied\|violated"
# See why a deployment was rejected
kubectl describe deploy <n> -n <ns>
# Look at Events section for: "admission webhook ... denied"
# Check active constraints
kubectl get constraints
# Check constraint violations (audit mode)
kubectl get k8srequirenonroot.constraints.gatekeeper.sh -o jsonpath='{.items[*].status.violations}'