Kubernetes security: RBAC, PodSecurity, network policies.
Harden Kubernetes clusters and workloads through RBAC, pod security, network isolation, secret management, and supply chain controls.
| Signal | Reference | Size |
|---|---|---|
| RBAC, Role, RoleBinding, ClusterRole, ServiceAccount, least-privilege, access control, permissions | references/rbac-patterns.md | ~60 lines |
| PodSecurity, SecurityContext, runAsNonRoot, readOnlyRootFilesystem, restricted, baseline, image hardening, distroless, Dockerfile | references/pod-security.md | ~90 lines |
| NetworkPolicy, default-deny, allow-list, egress, ingress, DNS, lateral movement, namespace isolation | references/network-policies.md | ~70 lines |
| cosign, Kyverno, OPA, admission controller, Sealed Secrets, External Secrets, supply chain, misconfiguration, privileged | references/supply-chain.md |
| ~120 lines |
Load greedily. If the user's question touches any signal keyword, load the matching reference before responding. Multiple signals matching = load all matching references.
Determine which security domain the user is asking about.
| Domain | Reference |
|---|---|
| Access control, permissions, roles | references/rbac-patterns.md |
| Pod hardening, container security | references/pod-security.md |
| Network isolation, traffic rules | references/network-policies.md |
| Image signing, secrets, admission control | references/supply-chain.md |
If the question spans multiple domains, load all relevant references. Most production hardening tasks touch at least RBAC + pod security.
Gate: Domain identified. Reference(s) loaded. Proceed to Phase 2.
Use loaded reference knowledge to answer with concrete YAML manifests and specific configurations. The references contain complete, copy-paste-ready examples for each security domain.
For general Kubernetes debugging, pair with the kubernetes-debugging skill.
Gate: Question answered with reference-backed manifests, not generic advice.
Validate the security posture against the misconfiguration table in references/supply-chain.md. Flag any of the 8 common misconfigurations if present in the user's manifests.