owasp-kubernetes-top-10

OWASP Kubernetes Top 10 - prevention, detection, and remediation for Kubernetes security. Use when designing or reviewing K8s workloads and clusters - workload config, supply chain, RBAC, policy enforcement, logging, authentication, network segmentation, secrets, cluster components, vulnerable components.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "owasp-kubernetes-top-10" with this command: npx skills add yariv1025/skills/yariv1025-skills-owasp-kubernetes-top-10

OWASP Kubernetes Top 10

This skill encodes the OWASP Kubernetes Top 10 for secure cluster and workload design and review. References are loaded per risk. Based on OWASP Kubernetes Top 10 2022.

When to Read Which Reference

Risk: Reference to read
K01 Insecure Workload Configurations: references/k01-insecure-workload-configurations.md
K02 Supply Chain Vulnerabilities: references/k02-supply-chain-vulnerabilities.md
K03 Overly Permissive RBAC: references/k03-permissive-rbac.md
K04 Lack of Centralized Policy Enforcement: references/k04-policy-enforcement.md
K05 Inadequate Logging and Monitoring: references/k05-logging-monitoring.md
K06 Broken Authentication Mechanisms: references/k06-broken-authentication.md
K07 Missing Network Segmentation: references/k07-network-segmentation.md
K08 Secrets Management Failures: references/k08-secrets-management.md
K09 Misconfigured Cluster Components: references/k09-misconfigured-cluster-components.md
K10 Outdated and Vulnerable Components: references/k10-vulnerable-components.md

Quick Patterns

  • Run workloads as non-root with read-only filesystem where possible; use image signing and supply chain controls. Apply least-privilege RBAC and network policies; centralize policy (e.g. OPA); secure secrets and audit logging.

Quick Reference / Examples

Task: Approach
Harden pod: Non-root, read-only rootfs, drop capabilities. See K01.
Secure images: Sign images, scan for CVEs, use trusted registries. See K02.
Limit RBAC: Least privilege, no cluster-admin for workloads. See K03.
Network policies: Default deny, explicit allow per namespace. See K07.
Manage secrets: Use external secrets manager or encrypted secrets. See K08.

Safe - hardened container-level SecurityContext:

securityContext:
  runAsNonRoot: true          # may also be set at pod level and inherited
  runAsUser: 1000
  readOnlyRootFilesystem: true      # container-level only
  allowPrivilegeEscalation: false   # container-level only
  capabilities:
    drop: ["ALL"]                   # container-level only

Unsafe - privileged container:

securityContext:
  privileged: true  # NEVER in production - full host access

Network policy - default deny ingress:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes: ["Ingress"]

Workflow

Load the reference for the risk you are addressing. See OWASP Kubernetes Top 10 for the official list.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
