| name | kickstart-safeguard-checklist |
| description | AKS deployment safeguard rules checklist for validating Kubernetes manifests. |
| disable-model-invocation | true |
AKS Deployment Safeguard Checklist
This skill provides a comprehensive checklist for validating generated Kubernetes manifests against AKS security and deployment best practices. Use this during the Review phase to ensure all generated configurations comply with organizational policies.
Safeguard Rules
Rule: no-privileged
Rule: require-limits
Rule: no-hostpath
Rule: no-latest-tag
Rule: no-privilege-escalation
Rule: no-dangerous-capabilities
Rule: run-as-non-root
Rule: no-host-network
Rule: no-host-pid
Rule: read-only-root-filesystem
Rule: gateway-api-for-ingress
Rule: workload-identity-required
Rule: acr-with-acrpull
Rule: resource-quotas-production
Rule: network-policies-production
Rule: pod-disruption-budget-production
Automated Validation
When possible, use the runCommands tool to validate manifests programmatically:
kubectl apply --dry-run=client -f k8s/
kubeconform -strict -summary k8s/*.yaml
Review Instructions
When reviewing manifests, use this checklist to validate each safeguard rule:
- For each rule above, examine the relevant manifest sections
- Mark the status for each rule as:
- ✓ PASS — The manifest complies with this rule
- ✗ FAIL — The manifest violates this rule
- ⊘ N/A — This rule does not apply to the manifest (e.g., a Deployment that has no volumes cannot violate the hostPath rule)
- Report results in a summary table showing rule ID, status, and any notes
- Block on failures: Any FAIL on a HIGH-severity rule must be fixed before the manifest proceeds to deployment
- Address medium-severity failures: MEDIUM-severity FAILs should be resolved or explicitly justified before proceeding
Example Review Output
| Rule ID | Severity | Status | Notes |
|---------|----------|--------|-------|
| no-privileged | HIGH | ✓ PASS | securityContext.privileged is false |
| require-limits | MEDIUM | ✓ PASS | All containers have CPU/memory limits |
| no-hostpath | HIGH | ✓ PASS | No hostPath volumes defined |
| no-latest-tag | HIGH | ✓ PASS | Image uses pinned tag v1.2.3 |
| ... | ... | ... | ... |
How to Use This Skill
- When validating K8s manifests, reference this checklist to ensure compliance
- Review the generated YAML against each rule listed above
- Document any violations and remediate before proceeding
- Use the severity levels to prioritize fixes (HIGH first, then MEDIUM)
Last updated: Safeguards from packages/pack-aks-automatic/src/safeguards.json