kubernetes-security
Kubernetes security: RBAC, PodSecurity, network policies.
| Field | Value |
|---|---|
| name | kubernetes-security |
| description | Kubernetes security: RBAC, PodSecurity, network policies. |
| user-invocable | false |
| context | fork |
| agent | kubernetes-helm-engineer |
| routing | {"triggers":["kubernetes security","k8s RBAC","RBAC setup","pod security policy","network policy"],"category":"kubernetes","pairs_with":["kubernetes-debugging","cobalt-core"]} |
Harden Kubernetes clusters and workloads through RBAC, pod security, network isolation, secret management, and supply chain controls.
| Signal | Reference | Size |
|---|---|---|
| RBAC, Role, RoleBinding, ClusterRole, ServiceAccount, least-privilege, access control, permissions | references/rbac-patterns.md | ~60 lines |
| PodSecurity, SecurityContext, runAsNonRoot, readOnlyRootFilesystem, restricted, baseline, image hardening, distroless, Dockerfile | references/pod-security.md | ~90 lines |
| NetworkPolicy, default-deny, allow-list, egress, ingress, DNS, lateral movement, namespace isolation | references/network-policies.md | ~70 lines |
| cosign, Kyverno, OPA, admission controller, Sealed Secrets, External Secrets, supply chain, misconfiguration, privileged | references/supply-chain.md | ~120 lines |
Load greedily. If the user's question touches any signal keyword, load the matching reference before responding. If multiple signals match, load all of the matching references.
Determine which security domain the user is asking about.
| Domain | Reference |
|---|---|
| Access control, permissions, roles | references/rbac-patterns.md |
| Pod hardening, container security | references/pod-security.md |
| Network isolation, traffic rules | references/network-policies.md |
| Image signing, secrets, admission control | references/supply-chain.md |
If the question spans multiple domains, load all relevant references. Most production hardening tasks touch at least RBAC + pod security.
Gate: Domain identified. Reference(s) loaded. Proceed to Phase 2.
Use loaded reference knowledge to answer with concrete YAML manifests and specific configurations. The references contain complete, copy-paste-ready examples for each security domain.
For general Kubernetes debugging, pair with the kubernetes-debugging skill.
Gate: Question answered with reference-backed manifests, not generic advice.
Validate the security posture against the misconfiguration table in references/supply-chain.md. Flag any of the 8 common misconfigurations if present in the user's manifests.
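The misconfiguration table itself lives in references/supply-chain.md and is not reproduced on this page, so the script below is an added illustration of the validation step rather than the skill's own checker: it flags only the container-hardening settings this page names (privileged containers, runAsNonRoot, readOnlyRootFilesystem) plus allowPrivilegeEscalation, and runs over a constructed Deployment manifest written out as the dict that yaml.safe_load would return, so no PyYAML dependency is needed.

```python
"""Flag container-hardening misconfigurations in a parsed Kubernetes manifest.

Added example, not code from the kubernetes-security skill or its references.
The full 8-item misconfiguration table is in references/supply-chain.md and is
not on this page; only the settings the page names are checked here.
SAMPLE_MANIFEST is a constructed sample, given as the dict yaml.safe_load
would produce, so the script runs offline without PyYAML.
"""

from __future__ import annotations

from typing import Any

# Constructed sample: one Deployment with a hardened container and a weak one.
SAMPLE_MANIFEST: dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {
        "template": {
            "spec": {
                # Pod-level setting; containers inherit it unless they override.
                "securityContext": {"runAsNonRoot": True},
                "containers": [
                    {
                        "name": "api",
                        "image": "registry.example/api:1.2.3",
                        "securityContext": {
                            "readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False,
                        },
                    },
                    {
                        "name": "sidecar",
                        "image": "registry.example/sidecar:latest",
                        "securityContext": {"privileged": True},
                    },
                ],
            }
        }
    },
}


def pod_spec(manifest: dict[str, Any]) -> dict[str, Any]:
    """Return the pod spec for a bare Pod or for any workload with a pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def check_manifest(manifest: dict[str, Any]) -> list[str]:
    """Return one finding string per misconfiguration; an empty list means clean."""
    findings: list[str] = []
    spec = pod_spec(manifest)
    pod_ctx = spec.get("securityContext") or {}
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        ctx = container.get("securityContext") or {}
        where = f"{manifest.get('kind')}/{name} container {container.get('name', '<unnamed>')}"
        if ctx.get("privileged") is True:
            findings.append(f"{where}: privileged container")
        # runAsNonRoot may be set at pod level; the container value wins if both exist.
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            findings.append(f"{where}: runAsNonRoot not enforced")
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{where}: root filesystem is writable")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{where}: allowPrivilegeEscalation not disabled")
    return findings


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run against the constructed sample, the `api` container passes every check while `sidecar` produces three findings (privileged, writable root filesystem, privilege escalation not disabled); to use it on real manifests, replace `SAMPLE_MANIFEST` with the output of `yaml.safe_load_all` over the user's files and feed each document to `check_manifest`.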