ワンクリックで
kickstart-safeguard-checklist
AKS deployment safeguard rules checklist for validating Kubernetes manifests.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
AKS deployment safeguard rules checklist for validating Kubernetes manifests.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
ACR integration for AKS Automatic. Teaches attaching an ACR, image reference conventions (digest pinning, no :latest), and pull-secret-free authentication via the managed identity.
Writing idiomatic, safe, and reviewable Bicep templates for Azure resources.
Non-blocking cluster status peek — run at the end of Phases 3, 4, 5 to check AKS provisioning progress without hanging.
Voice, tone, and interaction patterns for Kickstart agents.
Configure Infrastructure phase playbook — launch the dedicated Kickstart cluster-setup view, which collects and creates the Azure resources (subscription, resource group, AKS Automatic cluster, ACR) and hands the results back to the chat.
Deploy phase playbook — build, push, apply with Azure CLI and kubectl.
| name | kickstart-safeguard-checklist |
| description | AKS deployment safeguard rules checklist for validating Kubernetes manifests. |
| disable-model-invocation | true |
This skill provides a comprehensive checklist for validating generated Kubernetes manifests against AKS security and deployment best practices. Use this during the Review phase to ensure all generated configurations comply with organizational policies.
spec.containers[*].securityContext.privileged is not set to truespec.containers[*].resources.limits is defined for all containersspec.volumes[*].hostPath is null or not presentspec.containers[*].image does not end with :latestspec.containers[*].securityContext.allowPrivilegeEscalation is not set to truespec.containers[*].securityContext.capabilities.add does not contain any of: SYS_ADMIN, NET_ADMIN, ALL, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCHspec.securityContext.runAsNonRoot is set to truespec.hostNetwork is not set to truespec.hostPID is not set to truespec.containers[*].securityContext.readOnlyRootFilesystem is true (use tmpfs for writable paths)kind: Ingress resources exist; all ingress uses kind: HTTPRoute with gateway.networking.k8s.io/v1 APIazure.workload.identity/use: "true" label and ServiceAccount with azure.workload.identity/client-id annotation. No Azure connection strings or keys in env vars or secrets.*.azurecr.io). No imagePullSecrets with static credentials.kind: ResourceQuota exists in the namespace for production deploymentskind: NetworkPolicy exists restricting ingress/egress for production deploymentskind: PodDisruptionBudget exists with appropriate minAvailable or maxUnavailable for production deploymentsWhen possible, use the runCommands tool to validate manifests programmatically:
# Dry-run validation against K8s API schemas
kubectl apply --dry-run=client -f k8s/
# Validate with kubeconform (if installed)
kubeconform -strict -summary k8s/*.yaml
When reviewing manifests, use this checklist to validate each safeguard rule:
| Rule ID | Severity | Status | Notes |
|---------|----------|--------|-------|
| no-privileged | HIGH | ✓ PASS | securityContext.privileged is false |
| require-limits | MEDIUM | ✓ PASS | All containers have CPU/memory limits |
| no-hostpath | HIGH | ✓ PASS | No hostPath volumes defined |
| no-latest-tag | HIGH | ✓ PASS | Image uses pinned tag v1.2.3 |
| ... | ... | ... | ... |
Last updated: Safeguards from packages/pack-aks-automatic/src/safeguards.json