kubernetes-hardening

📁 bagelhole/devops-security-agent-skills 📅 9 days ago
Total installs: 1
Weekly installs: 1
Site-wide rank: #47148
Install command
npx skills add https://github.com/bagelhole/devops-security-agent-skills --skill kubernetes-hardening

Install distribution by agent

opencode 1
codex 1
claude-code 1

Skill documentation

Kubernetes Hardening

Secure Kubernetes clusters and workloads.

When to Use This Skill

Use this skill when:

  • Hardening Kubernetes clusters
  • Implementing Pod Security Standards
  • Configuring network policies
  • Meeting security compliance

Pod Security Standards

# Namespace with restricted policy
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Security Context

# Pod that satisfies the restricted profile: non-root, no privilege escalation,
# all capabilities dropped, RuntimeDefault seccomp
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myapp:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
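To see how the fields above map onto the restricted profile's checks, here is an added example (not code from the skill repo) of a small offline checker that evaluates a Pod manifest, given as a dict as returned by a YAML parser, against the restricted Pod Security Standard controls shown on this page; the two sample manifests are constructed for the example.

```python
# Added example, not from the skill repo: an offline checker that applies the
# restricted Pod Security Standard controls shown above to a Pod manifest given
# as a dict (what yaml.safe_load returns). Sample manifests are constructed below.

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod: dict) -> list[str]:
    """Return restricted-PSS violations; an empty list means the Pod passes."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    problems = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        merged = {**pod_sc, **sc}  # container-level settings override pod-level ones
        if merged.get("runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        if merged.get("runAsUser") == 0:
            problems.append(f"{name}: runAsUser 0 (root) is not allowed")
        if merged.get("seccompProfile", {}).get("type") not in ALLOWED_SECCOMP:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        # The remaining controls exist only at container level, so no inheritance.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        if sc.get("privileged"):
            problems.append(f"{name}: privileged containers are not allowed")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            problems.append(f"{name}: only NET_BIND_SERVICE may be added back")
    return problems


# Constructed sample: the secure-pod manifest from this page, as a dict.
SECURE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure-pod"},
    "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000,
                                 "fsGroup": 1000, "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "app", "image": "myapp:latest",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "readOnlyRootFilesystem": True,
                                                 "capabilities": {"drop": ["ALL"]}}}]}}

# Constructed sample: a legacy manifest that the restricted profile would reject.
LEGACY_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "legacy-pod"},
    "spec": {"containers": [{"name": "app", "image": "myapp:latest",
                             "securityContext": {"privileged": True, "runAsUser": 0}}]}}

if __name__ == "__main__":
    for pod in (SECURE_POD, LEGACY_POD):
        print(pod["metadata"]["name"], restricted_violations(pod) or "OK")
```

Running it reports no findings for secure-pod and six for legacy-pod, which is the same outcome the admission controller produces for a namespace labelled enforce=restricted.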

Network Policies

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Allow only frontend pods to reach web pods on 8080. Note that default-deny-all
# above also denies egress, so frontend pods need a matching egress rule (plus
# DNS egress) before this ingress rule has any effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - port: 8080

RBAC

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-reader
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-binding
subjects:
- kind: ServiceAccount
  name: myapp
  namespace: production   # required for ServiceAccount subjects
roleRef:
  kind: Role
  name: app-reader
  apiGroup: rbac.authorization.k8s.io

Best Practices

  • Enable Pod Security Standards
  • Implement network policies
  • Use RBAC with least privilege
  • Enable audit logging
  • Secure etcd with encryption
  • Use service mesh for mTLS
  • Regular security scanning

Related Skills