k8s-security-policies
Implement production-grade Kubernetes security using NetworkPolicy, RBAC, Pod Security Standards, and OPA Gatekeeper policies.
Introduction
This skill provides a comprehensive framework for securing Kubernetes environments, designed for DevOps engineers, platform security teams, and cloud architects. It covers the critical layers of Kubernetes security, from network-level isolation to cluster-wide identity management and admission control. By leveraging this skill, users can ensure their clusters meet compliance benchmarks, minimize attack surfaces through the principle of least privilege, and automate the enforcement of security configurations.
- Implements network segmentation via NetworkPolicy, including default deny-all patterns and explicit traffic allow-listing for microservices.
- Manages Pod Security Standards (PSS) by labelling namespaces for the privileged, baseline, and restricted levels and setting the matching pod security context.
- Enforces RBAC with specific Role and ClusterRole definitions for service accounts and users, ensuring least-privilege access.
- Facilitates admission control with OPA Gatekeeper constraint templates and constraints to enforce governance policies such as required labels.
- Integrates service mesh security configuration using Istio PeerAuthentication (mTLS) and AuthorizationPolicy resources.
- Best practices for running containers with read-only root filesystems and as non-root users.
- Instructions for auditing logs and regularly scanning container images for vulnerabilities.
- Designed for multi-tenant environments requiring strict inter-pod and inter-namespace isolation.
- The skill assumes the user has access to a Kubernetes cluster and basic familiarity with kubectl and YAML manifest structure.
- Outputs consist of valid, production-ready Kubernetes manifests and policy definitions for OPA Gatekeeper or Istio.
Repository Stats
- Stars: 197
- Forks: 26
- Open Issues: 4
- Language: Python
- Default Branch: main
- Sync Status: Idle
- Last Synced: Apr 30, 2026, 03:41 PM