一键导入
network-policies
Design and implement Kubernetes NetworkPolicy and Cilium network policies for namespace isolation and service-to-service access control.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Design and implement Kubernetes NetworkPolicy and Cilium network policies for namespace isolation and service-to-service access control.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Production-grade GitHub Actions workflows — reusable workflows, OIDC cloud auth, caching, matrix builds, and environment protection rules. Use when the user creates, reviews, or debugs CI/CD pipelines in .github/workflows, or asks about GitHub Actions deployment, OIDC authentication, or workflow optimization.
Systematic diagnosis of Kubernetes pod failures — CrashLoopBackOff, OOMKilled, Pending, ImagePullBackOff, and service connectivity issues. Use when the user encounters pods not starting, container restart loops, scheduling failures, or service unreachability in a K8s cluster.
Implement distributed tracing with OpenTelemetry, Tempo/Jaeger — instrumentation, sampling, and trace-to-log correlation. Use when the user asks about distributed tracing, OpenTelemetry setup, span instrumentation, trace propagation, or connecting traces to logs and metrics.
Design reusable React components with compound patterns, controlled/uncontrolled hybrids, typed prop APIs, async state handling, and ARIA accessibility. Use when the user creates, refactors, or reviews React components, or mentions props, hooks, .tsx files, component APIs, or accessible UI patterns.
Apply STRIDE threat modeling to system designs, identify IDOR and authorization vulnerabilities, and build threat matrices for security reviews. Use when the user designs a new system, reviews an architecture, prepares for a security audit, or asks about common API vulnerabilities like IDOR or broken access control.
Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
| name | network-policies |
| type | skill |
| description | Design and implement Kubernetes NetworkPolicy and Cilium network policies for namespace isolation and service-to-service access control. |
| related-rules | ["workload-security.md","cluster-standards.md"] |
| allowed-tools | Read, Write, Edit, Bash |
Expertise: K8s NetworkPolicy + Cilium policy design for multi-tenant namespace isolation and zero-trust traffic control.
When isolating a new namespace, allowing specific service-to-service communication, debugging traffic being blocked, or auditing inter-namespace access.
# 1. Default deny-all (must be first)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: my-app
spec:
podSelector: {} # matches ALL pods in namespace
policyTypes: [Ingress, Egress]
---
# 2. Allow DNS (required for all pods)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dns-egress
namespace: my-app
spec:
podSelector: {}
policyTypes: [Egress]
egress:
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
---
# 3. Allow ingress from ingress controller
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-controller
namespace: my-app
spec:
podSelector:
matchLabels:
app: my-service
policyTypes: [Ingress]
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: ingress-nginx
ports:
- port: 8080
# Allow order-service (in orders ns) to call payment-service (in payments ns)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-orders
namespace: payments
spec:
podSelector:
matchLabels:
app: payment-service
policyTypes: [Ingress]
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: orders
podSelector:
matchLabels:
app: order-service
ports:
- port: 8080
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-prometheus-scrape
namespace: my-app
spec:
podSelector: {} # allow scraping all pods in ns
policyTypes: [Ingress]
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: monitoring
ports:
- port: 9090 # metrics port
# Cilium L7 policy — allow only GET /api/* (not POST/DELETE)
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: order-service-l7
namespace: production
spec:
endpointSelector:
matchLabels:
app: order-service
ingress:
- fromEndpoints:
- matchLabels:
app: frontend
toPorts:
- ports:
- port: "8080"
protocol: TCP
rules:
http:
- method: GET
path: /api/.*
# Cilium: observe dropped packets in real-time
kubectl -n kube-system exec -it $(kubectl -n kube-system get pods -l k8s-app=cilium -o jsonpath='{.items[0].metadata.name}') \
-- cilium monitor --type drop
# Hubble (if installed): flows between pods
hubble observe --namespace my-app --verdict DROPPED
# Calico: check policy hits
kubectl exec -n kube-system <calico-node-pod> -- calicoctl get networkpolicy -n my-app
# Test connectivity manually
kubectl run test-pod --image=curlimages/curl -it --rm --restart=Never -- \
curl -v http://payment-service.payments.svc.cluster.local:8080/health
namespaceSelector with metadata label