一键导入
k8s-security
Kubernetes security best practices for manifests and Helm charts. Use on 'k8s security', 'manifest audit', 'helm security review', 'pod hardening'.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Kubernetes security best practices for manifests and Helm charts. Use on 'k8s security', 'manifest audit', 'helm security review', 'pod hardening'.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Airflow DAG patterns, KubernetesPodOperator, and debugging. Use on 'dag', 'airflow', 'task', 'operator', 'KPO', 'scheduler', 'XCom'.
Create and debug AWS IAM policies with least-privilege. Use on 'IAM policy', 'permission denied', 'access denied', 'not authorized', 'create role'.
Create architecture diagrams with draw.io MCP server. Use on 'diagram', 'architecture', 'drawio', 'flowchart', 'visualize'.
Git operations including commits, branches, worktrees, and safety protocols. Use on 'git', 'commit', 'branch', 'worktree', 'rebase', 'merge'.
Helm chart policies, bitnami legacy repo, and release management. Use on 'helm-skill' or 'load helm skill'.
Build Python/K8s/AWS with minimal code. Every line is a liability. Use on 'build', 'implement', 'add', 'create', 'deploy'. Prioritizes deletion, reuse, and configuration over new code.
基于 SOC 职业分类
| name | k8s-security |
| description | Kubernetes security best practices for manifests and Helm charts. Use on 'k8s security', 'manifest audit', 'helm security review', 'pod hardening'. |
Security review for Kubernetes manifests and Helm charts. Focus on least privilege, isolation, and safe defaults.
helm template output)helm template to render with provided valueshelm lint ./chart
helm template ./chart -f values.yaml
image.tag: latestsecurityContext omitted or emptyrbac.create: true with cluster-wide rulesserviceAccount.create: true without scoped RBACingress.enabled: true without TLSextraEnv or env containing plaintext secretspodSecurityContext or container securityContext disabled via valuesrunAsNonRoot: truerunAsUser/runAsGroup set to non-rootreadOnlyRootFilesystem: trueallowPrivilegeEscalation: falsecapabilities.drop: ["ALL"]seccompProfile.type: RuntimeDefaultprivileged: false:latest tagimagePullPolicy: IfNotPresent unless immutable tagsresources.requests and resources.limits presentstartupProbe for slow-start appsNetworkPolicy present (ingress + egress)type: LoadBalancer unless requiredPodSecurityPolicy (removed in K8s 1.25)ResourceQuota and LimitRange for multi-tenant clustersSecret volumes or external secret managersenvFrom with broad ConfigMapsserviceAccountName specifiedcluster-admin bindingsautomountServiceAccountToken: true unless neededfsGroup set when neededhostPID/hostNetwork without justificationsecurityContextlatest image tags*)apiVersion: v1
kind: Namespace
metadata:
name: restricted-ns
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dns
namespace: production
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
name: kube-system
ports:
- protocol: UDP
port: 53
kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
CRITICAL: [issue]
Impact: [what breaks]
Fix: [action]
WARNING: [issue]
Risk: [consequence]
Fix: [action]
SMELL: [issue]
Cost: [future pain]
values.yaml or the rendered output