원클릭으로
kickstart-safeguard-checklist
AKS deployment safeguard rules checklist for validating Kubernetes manifests.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
AKS deployment safeguard rules checklist for validating Kubernetes manifests.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
ACR integration for AKS Automatic. Teaches attaching an ACR, image reference conventions (digest pinning, no :latest), and pull-secret-free authentication via the managed identity.
Writing idiomatic, safe, and reviewable Bicep templates for Azure resources.
Non-blocking cluster status peek — run at the end of Phases 3, 4, 5 to check AKS provisioning progress without hanging.
Voice, tone, and interaction patterns for Kickstart agents.
Configure Infrastructure phase playbook — launch the dedicated Kickstart cluster-setup view, which collects and creates the Azure resources (subscription, resource group, AKS Automatic cluster, ACR) and hands the results back to the chat.
Deploy phase playbook — build, push, apply with Azure CLI and kubectl.
| name | kickstart-safeguard-checklist |
| description | AKS deployment safeguard rules checklist for validating Kubernetes manifests. |
| disable-model-invocation | true |
This skill provides a comprehensive checklist for validating generated Kubernetes manifests against AKS security and deployment best practices. Use this during the Review phase to ensure all generated configurations comply with organizational policies.
spec.containers[*].securityContext.privileged is not set to truespec.containers[*].resources.limits is defined for all containersspec.volumes[*].hostPath is null or not presentspec.containers[*].image does not end with :latestspec.containers[*].securityContext.allowPrivilegeEscalation is not set to truespec.containers[*].securityContext.capabilities.add does not contain any of: SYS_ADMIN, NET_ADMIN, ALL, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCHspec.securityContext.runAsNonRoot is set to truespec.hostNetwork is not set to truespec.hostPID is not set to truespec.containers[*].securityContext.readOnlyRootFilesystem is true (use tmpfs for writable paths)kind: Ingress resources exist; all ingress uses kind: HTTPRoute with gateway.networking.k8s.io/v1 APIazure.workload.identity/use: "true" label and ServiceAccount with azure.workload.identity/client-id annotation. No Azure connection strings or keys in env vars or secrets.*.azurecr.io). No imagePullSecrets with static credentials.kind: ResourceQuota exists in the namespace for production deploymentskind: NetworkPolicy exists restricting ingress/egress for production deploymentskind: PodDisruptionBudget exists with appropriate minAvailable or maxUnavailable for production deploymentsWhen possible, use the runCommands tool to validate manifests programmatically:
# Dry-run validation against K8s API schemas
kubectl apply --dry-run=client -f k8s/
# Validate with kubeconform (if installed)
kubeconform -strict -summary k8s/*.yaml
When reviewing manifests, use this checklist to validate each safeguard rule:
| Rule ID | Severity | Status | Notes |
|---------|----------|--------|-------|
| no-privileged | HIGH | ✓ PASS | securityContext.privileged is false |
| require-limits | MEDIUM | ✓ PASS | All containers have CPU/memory limits |
| no-hostpath | HIGH | ✓ PASS | No hostPath volumes defined |
| no-latest-tag | HIGH | ✓ PASS | Image uses pinned tag v1.2.3 |
| ... | ... | ... | ... |
Last updated: Safeguards from packages/pack-aks-automatic/src/safeguards.json