k8s-security-policiesの使い方を教えてください。

プロジェクトにスキルをインストールすると、関連するタスクやキーワードに応じて自動的にアクティブになります。特定のコマンドや操作を行う際に、ベストプラクティスに基づいたガイダンスを提供します。

k8s-security-policiesで自動化できるタスクは何ですか？

ワークフロー全体の自動化をサポートし、繰り返し作業の削減と一貫性のある成果物の生成を実現します。

k8s-security-policiesのAPI連携はどのように設定しますか？

スキルが提供するガイドラインに従って、APIエンドポイントの定義、認証設定、リクエスト/レスポンスの型定義を行います。型安全な実装をサポートします。

← スキル一覧に戻る

k8s-security-policies

Name: k8s-security-policies
Rating: 85
Author: wshobson

by wshobson

k8s-security-policiesは、業務プロセスの自動化を支援するスキルです。ワークフロー管理と自動化により、生産性の向上と運用効率の改善を実現します。

⭐ 26,323🍴 2,924📅 2026年1月23日

agents anthropic anthropic-claude automation claude claude-code claude-code-cli claude-code-commands

GitHubで見る Manusで実行

ユースケース

🤖

ワークフロー自動化

繰り返し作業を自動化し、手動作業を削減。

🚀

CI/CDパイプライン構築

ビルド・テスト・デプロイの自動化パイプラインを構築。

⏰

スケジュール実行

定期的なタスクを自動でスケジュール実行。

FAQ

SKILL.md

name: k8s-security-policies description: Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

Kubernetes Security Policies

Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.

Purpose

Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.

When to Use This Skill

Implement network segmentation
Configure pod security standards
Set up RBAC for least-privilege access
Create security policies for compliance
Implement admission control
Secure multi-tenant clusters

Pod Security Standards

1. Privileged (Unrestricted)

apiVersion: v1
kind: Namespace
metadata:
  name: privileged-ns
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged

2. Baseline (Minimally restrictive)

apiVersion: v1
kind: Namespace
metadata:
  name: baseline-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline

3. Restricted (Most restrictive)

apiVersion: v1
kind: Namespace
metadata:
  name: restricted-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Network Policies

Default Deny All

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

Allow Frontend to Backend

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080

Allow DNS

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - protocol: UDP
          port: 53

Reference: See assets/network-policy-template.yaml

RBAC Configuration

Role (Namespace-scoped)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]

ClusterRole (Cluster-wide)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: default
    namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Reference: See references/rbac-patterns.md

Pod Security Context

Restricted Pod

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: myapp:1.0
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL

Policy Enforcement with OPA Gatekeeper

ConstraintTemplate

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing required labels: %v", [missing])
        }

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    labels: ["app", "environment"]

Service Mesh Security (Istio)

PeerAuthentication (mTLS)

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT

AuthorizationPolicy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/production/sa/frontend"]

Best Practices

Implement Pod Security Standards at namespace level
Use Network Policies for network segmentation
Apply least-privilege RBAC for all service accounts
Enable admission control (OPA Gatekeeper/Kyverno)
Run containers as non-root
Use read-only root filesystem
Drop all capabilities unless needed
Implement resource quotas and limit ranges
Enable audit logging for security events
Regular security scanning of images

Compliance Frameworks

CIS Kubernetes Benchmark

Use RBAC authorization
Enable audit logging
Use Pod Security Standards
Configure network policies
Implement secrets encryption at rest
Enable node authentication

NIST Cybersecurity Framework

Implement defense in depth
Use network segmentation
Configure security monitoring
Implement access controls
Enable logging and monitoring

Troubleshooting

NetworkPolicy not working:

# Check if CNI supports NetworkPolicy
kubectl get nodes -o wide
kubectl describe networkpolicy <name>

RBAC permission denied:

# Check effective permissions
kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa

Reference Files

assets/network-policy-template.yaml - Network policy examples
assets/pod-security-template.yaml - Pod security policies
references/rbac-patterns.md - RBAC configuration patterns

k8s-manifest-generator - For creating secure manifests
gitops-workflow - For automated policy deployment

スコア

総合スコア

85/100

リポジトリの品質指標に基づく評価

✓SKILL.md

SKILL.mdファイルが含まれている

+20

✓LICENSE

ライセンスが設定されている

+10

○説明文

100文字以上の説明がある

0/10

✓人気

GitHub Stars 1000以上

+15

✓最近の活動

3ヶ月以内に更新

✓フォーク

10回以上フォークされている

✓Issue管理

オープンIssueが50未満

✓言語

プログラミング言語が設定されている

✓タグ

1つ以上のタグが設定されている

レビュー

💬

レビュー機能は近日公開予定です