---
name: k8s-security-policies
description: "Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes."
risk: unknown
source: community
date_added: "2026-02-27"
---

# Kubernetes Security Policies

Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.

## Do not use this skill when

- The task is unrelated to Kubernetes security policies
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

## Purpose

Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.

## Use this skill when

- Implementing network segmentation
- Configuring pod security standards
- Setting up RBAC for least-privilege access
- Creating security policies for compliance
- Implementing admission control
- Securing multi-tenant clusters

## Pod Security Standards

Pod Security Admission applies one of three levels per namespace through labels: `enforce` rejects pods that violate the level, `audit` records violations in the audit log, and `warn` returns a warning to the client. PodSecurityPolicy was removed in Kubernetes 1.25; the namespace labels below are its replacement.

### 1. Privileged (Unrestricted)
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: privileged-ns
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
```

### 2. Baseline (Minimally restrictive)
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: baseline-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
```

### 3. Restricted (Most restrictive)
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: restricted-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

## Network Policies

NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them; on a CNI without support they are accepted by the API server but have no effect.

### Default Deny All
This policy selects every pod in the namespace and lists both policy types with no rules, so all ingress and egress (including DNS) is denied until a more specific policy allows it.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

### Allow Frontend to Backend
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

### Allow DNS
The namespace selector uses the `kubernetes.io/metadata.name` label, which the API server sets on every namespace automatically; a custom `name` label would have to be added by hand and is absent by default. TCP 53 is included because resolvers fall back to TCP for large responses.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

**Reference:** See `assets/network-policy-template.yaml`

## RBAC Configuration

### Role (Namespace-scoped)
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```

### ClusterRole (Cluster-wide)
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
```

### RoleBinding
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: default
  namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

**Reference:** See `references/rbac-patterns.md`

## Pod Security Context

### Restricted Pod
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myapp:1.0
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
```

## Policy Enforcement with OPA Gatekeeper

### ConstraintTemplate
```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing required labels: %v", [missing])
        }
```

### Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    labels: ["app", "environment"]
```

## Service Mesh Security (Istio)

### PeerAuthentication (mTLS)
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
```

### AuthorizationPolicy
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/production/sa/frontend"]
```

## Best Practices

1. **Implement Pod Security Standards** at namespace level
2. **Use Network Policies** for network segmentation
3. **Apply least-privilege RBAC** for all service accounts
4. **Enable admission control** (OPA Gatekeeper/Kyverno)
5. **Run containers as non-root**
6. **Use read-only root filesystem**
7. **Drop all capabilities** unless needed
8. **Implement resource quotas** and limit ranges
9. **Enable audit logging** for security events
10. **Regular security scanning** of images

## Compliance Frameworks

### CIS Kubernetes Benchmark
- Use RBAC authorization
- Enable audit logging
- Use Pod Security Standards
- Configure network policies
- Implement secrets encryption at rest
- Enable node authentication

### NIST Cybersecurity Framework
- Implement defense in depth
- Use network segmentation
- Configure security monitoring
- Implement access controls
- Enable logging and monitoring

## Troubleshooting

**NetworkPolicy not working:**
```bash
# Identify the CNI plugin running in the cluster; not every CNI enforces NetworkPolicy
kubectl get pods -n kube-system -o wide
# Node overview (OS, kernel, container runtime)
kubectl get nodes -o wide
# Inspect the policy's selectors and rules as the API server stored them
kubectl describe networkpolicy <name> -n <namespace>
```

**RBAC permission denied:**
```bash
# Check effective permissions of a service account
kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
# Returns "yes" only for cluster-admin-equivalent subjects
kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa
# Enumerate everything the subject is allowed to do in the namespace
kubectl auth can-i --list --as system:serviceaccount:default:my-sa -n default
```

## Reference Files

- `assets/network-policy-template.yaml` - Network policy examples
- `assets/pod-security-template.yaml` - Pod security policies
- `references/rbac-patterns.md` - RBAC configuration patterns

## Related Skills

- `k8s-manifest-generator` - For creating secure manifests
- `gitops-workflow` - For automated policy deployment

## Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.

## Catalogue Record

- Skill id: `a020063c-8324-41fe-bd50-8258bd368ac8`, version 1.0.0, public
- Catalogue description (translated from Chinese): Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC and Pod Security Standards in Kubernetes.
- Source: imported from https://github.com/sickn33/antigravity-awesome-skills; author: SkillOPIC; tags: sickn33, coding
- Module: Programming & Development (code generation, debugging and review); category: DevOps (CI/CD, containerization, deployment and operations)
- Stars: 150; runs: 1067; created 2026-05-16 13:24:48
- Package: `k8s-security-policies.zip` (5004 bytes, file hash `629b704b39386e777eb9ecbf1a734600bdb460310c7b578e4590030ba7f73060`) containing `SKILL.md` (7935 bytes), `assets/network-policy-template.yaml` (3157 bytes) and `references/rbac-patterns.md` (4076 bytes). `resources/implementation-playbook.md` and `assets/pod-security-template.yaml`, which the text above refers to, are not in the package manifest.