# Kubernetes Security

Security auditing, RBAC management, and policy enforcement using kubectl-mcp-server tools.
## When to Apply

Use this skill when:

- User mentions: "security", "RBAC", "permissions", "policy", "audit", "secrets"
- Operations: security review, permission check, policy enforcement
- Keywords: "who can", "access control", "compliance", "vulnerable"
## Priority Rules

| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Check cluster-admin bindings first | CRITICAL | `get_cluster_role_bindings` |
| 2 | Audit secrets access permissions | CRITICAL | Review role rules |
| 3 | Verify network isolation | HIGH | `get_network_policies` |
| 4 | Check policy compliance | HIGH | `kyverno_*`, `gatekeeper_*` |
| 5 | Review pod security contexts | MEDIUM | `describe_pod` |
## Quick Reference

| Task | Tool | Example |
|---|---|---|
| List roles | `get_roles` | `get_roles(namespace)` |
| Cluster roles | `get_cluster_roles` | `get_cluster_roles()` |
| Role bindings | `get_role_bindings` | `get_role_bindings(namespace)` |
| Service accounts | `get_service_accounts` | `get_service_accounts(namespace)` |
| Kyverno policies | `kyverno_clusterpolicies_list_tool` | `kyverno_clusterpolicies_list_tool()` |
## RBAC Auditing

### List Roles and Bindings

```python
get_roles(namespace)
get_cluster_roles()
get_role_bindings(namespace)
get_cluster_role_bindings()
```

### Check Service Account Permissions

```python
get_service_accounts(namespace)
```
### Common RBAC Patterns

| Pattern | Risk Level | Check |
|---|---|---|
| cluster-admin binding | Critical | `get_cluster_role_bindings()` |
| Wildcard verbs (`*`) | High | Review role rules |
| secrets access | High | Check get/list on secrets |
| pod/exec | High | Allows container access |

See RBAC-PATTERNS.md for detailed patterns and remediation.
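The checks in the table, applied to ClusterRole and ClusterRoleBinding objects, as an added example that is not part of kubectl-mcp-server or its `scripts/audit-rbac.py`. It assumes the objects have the shape returned by `kubectl get clusterroles,clusterrolebindings -o json`; the sample objects are constructed, and the subresource is spelled `pods/exec` in the API (the table abbreviates it as `pod/exec`).

```python
# Added example, not part of kubectl-mcp-server or its scripts/audit-rbac.py. It flags
# the patterns from the table above in ClusterRole / ClusterRoleBinding objects shaped
# like the items of `kubectl get clusterroles,clusterrolebindings -o json`.

# Constructed sample objects, trimmed to the fields the audit reads.
SAMPLE_ROLES = [
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "debug-exec"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"metadata": {"name": "ops-anything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
]
# Every cluster ships with cluster-admin bound to the system:masters group;
# any other subject bound to cluster-admin is reported.
EXPECTED_ADMIN_SUBJECTS = {("Group", "system:masters")}


def audit_cluster_rbac(roles, bindings):
    """Return (risk_level, message) tuples for the risky patterns in the table."""
    findings = []
    for role in roles:
        name = role["metadata"]["name"]
        for rule in role.get("rules", []):
            verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
            if "*" in verbs or "*" in resources:
                findings.append(("High", f"{name}: wildcard verbs or resources"))
            if "secrets" in resources and verbs & {"get", "list"}:
                findings.append(("High", f"{name}: get/list on secrets"))
            if "pods/exec" in resources and "create" in verbs:
                findings.append(("High", f"{name}: pods/exec grants container access"))
    for binding in bindings:
        if binding["roleRef"]["name"] != "cluster-admin":
            continue
        for subj in binding.get("subjects", []):
            if (subj["kind"], subj["name"]) not in EXPECTED_ADMIN_SUBJECTS:
                who = f"{subj['kind']}/{subj['name']}"
                findings.append(("Critical", f"{who} bound to cluster-admin via {binding['metadata']['name']}"))
    return findings
```

Feed it the `items` arrays of the two JSON listings and triage the `Critical` findings first, matching the priority table.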
## Policy Enforcement

### Kyverno Policies

```python
kyverno_policies_list_tool(namespace)
kyverno_clusterpolicies_list_tool()
kyverno_policy_get_tool(name, namespace)
```

### OPA Gatekeeper

```python
gatekeeper_constraints_list_tool()
gatekeeper_constraint_get_tool(kind, name)
gatekeeper_templates_list_tool()
```
### Common Policies to Enforce

| Policy | Purpose |
|---|---|
| Disallow privileged | Prevent root containers |
| Require resource limits | Prevent resource exhaustion |
| Restrict host namespaces | Isolate from node |
| Require labels | Ensure metadata |
| Allowed registries | Control image sources |
## Secret Management

### List Secrets

```python
get_secrets(namespace)
```

### Secret Best Practices

- Use external secret managers (Vault, AWS SM)
- Encrypt secrets at rest (EncryptionConfiguration)
- Limit secret access via RBAC
- Rotate secrets regularly
## Network Policies

### List Policies

```python
get_network_policies(namespace)
```

### Cilium Network Policies

```python
cilium_policies_list_tool(namespace)
cilium_policy_get_tool(name, namespace)
```

### Default Deny Template

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```
## Security Scanning Workflow

1. RBAC Audit

   ```python
   get_cluster_role_bindings()
   get_roles(namespace)
   ```

2. Policy Compliance

   ```python
   kyverno_clusterpolicies_list_tool()
   gatekeeper_constraints_list_tool()
   ```

3. Network Isolation

   ```python
   get_network_policies(namespace)
   cilium_endpoints_list_tool(namespace)
   ```

4. Pod Security

   ```python
   get_pods(namespace)
   describe_pod(name, namespace)
   ```
## Multi-Cluster Security

Audit across clusters by passing a kubeconfig context to each call:

```python
get_cluster_role_bindings(context="production")
get_cluster_role_bindings(context="staging")
```

## Automated Audit Script

For a comprehensive security audit, see `scripts/audit-rbac.py`.
## Related Tools

- RBAC: `get_roles`, `get_cluster_roles`, `get_role_bindings`
- Policy: `kyverno_*`, `gatekeeper_*`
- Network: `get_network_policies`, `cilium_policies_*`
- Istio: `istio_authorizationpolicies_list_tool`, `istio_peerauthentications_list_tool`

## Related Skills

- k8s-policy - Policy management
- k8s-cilium - Cilium network security