k8s-security-policies

Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

Category: Other Tools

Install

Download and extract to your skills directory

Copy command and send to OpenClaw for auto-install:

Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-k8s-security-policies&locale=en&source=copy

Kubernetes Security Policies

Skills Overview

Implement production-grade security policies for Kubernetes clusters, including NetworkPolicy network isolation, Pod Security Standards, RBAC permission control, and admission control rules.

Use Cases

  • Harden Production Environments: configure multi-layer security defenses for Kubernetes production clusters, including network segmentation, container security standards, and access control, to meet enterprise security and compliance requirements.

  • Multi-Tenant Cluster Isolation: isolate network traffic and resource access permissions for different teams or applications within the same Kubernetes cluster to achieve secure separation between tenants.

  • Security Policy Automation: use OPA Gatekeeper or Kyverno admission control to automatically validate and enforce security policies, preventing insecure configurations from entering the cluster.

Core Features

  • Network Policy Configuration: provide NetworkPolicy templates and best practices that implement segmented network rules with a default-deny approach and selective allow, covering DNS access, service-to-service communication, and control of external egress.

  • Pod Security Standards: configure the three Pod Security Standards levels (Privileged/Baseline/Restricted) to enforce that containers run as non-root users, use a read-only root filesystem, and carry a minimal set of capabilities.

  • RBAC Permission Management: create least-privilege Roles and ClusterRoles, use RoleBindings to precisely control resource access for ServiceAccounts and users, and support permission verification and troubleshooting.

Frequently Asked Questions

Why doesn’t NetworkPolicy work after configuration?

First confirm that your CNI network plugin supports NetworkPolicy (e.g., Calico, Cilium, Weave Net). You can use kubectl get nodes -o wide to check which CNI is in use, and kubectl describe networkpolicy <name> to review the policy details. Common causes are Pod label mismatches, incorrect port/protocol configuration, or a CNI that does not enforce policies.

Pod Security Policy is deprecated—what should I use instead?

Pod Security Policy (PSP) was formally removed in Kubernetes 1.25. Use Pod Security Standards instead: they configure three levels (privileged/baseline/restricted) via Namespace labels, which is simpler to use and integrates natively with Kubernetes.

How can I verify that Kubernetes RBAC is configured correctly?

Use the kubectl auth can-i command to simulate permission checks for a user or ServiceAccount:

  kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
  kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa

This confirms whether the role bindings are taking effect and whether the subject has permission to perform specific actions.