k8s-policy

Original source / Raw SKILL.md

---
name: k8s-policy
description: Kubernetes policy management with Kyverno and Gatekeeper. Use when enforcing security policies, validating resources, or auditing policy compliance.
license: Apache-2.0
metadata:
  author: rohitg00
  version: "1.0.0"
  tools: 6
  category: security
---

# Kubernetes Policy Management

Manage policies using kubectl-mcp-server's Kyverno and Gatekeeper tools.

## When to Apply

Use this skill when:
- User mentions: "Kyverno", "Gatekeeper", "OPA", "policy", "compliance"
- Operations: enforcing policies, checking violations, policy audit
- Keywords: "require labels", "block privileged", "validate", "enforce"

## Priority Rules

| Priority | Rule | Impact | Tools |
|----------|------|--------|-------|
| 1 | Detect policy engine first | CRITICAL | `kyverno_detect_tool`, `gatekeeper_detect_tool` |
| 2 | Use Audit mode before Enforce | HIGH | validationFailureAction |
| 3 | Check policy reports for violations | HIGH | `kyverno_clusterpolicyreports_list_tool` |
| 4 | Review constraint templates | MEDIUM | `gatekeeper_constrainttemplates_list_tool` |

## Quick Reference

| Task | Tool | Example |
|------|------|---------|
| List Kyverno cluster policies | `kyverno_clusterpolicies_list_tool` | `kyverno_clusterpolicies_list_tool()` |
| Get Kyverno policy | `kyverno_clusterpolicy_get_tool` | `kyverno_clusterpolicy_get_tool(name)` |
| List Gatekeeper constraints | `gatekeeper_constraints_list_tool` | `gatekeeper_constraints_list_tool()` |
| Get constraint | `gatekeeper_constraint_get_tool` | `gatekeeper_constraint_get_tool(kind, name)` |

## Kyverno

### Detect Installation

```python
kyverno_detect_tool()
```

### List Policies

```python
kyverno_clusterpolicies_list_tool()

kyverno_policies_list_tool(namespace="default")
```

### Get Policy Details

```python
kyverno_clusterpolicy_get_tool(name="require-labels")
kyverno_policy_get_tool(name="require-resources", namespace="default")
```

### Policy Reports

```python
kyverno_clusterpolicyreports_list_tool()

kyverno_policyreports_list_tool(namespace="default")
```

### Common Kyverno Policies

```python
kubectl_apply(manifest="""
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
  - name: require-app-label
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Label 'app' is required"
      pattern:
        metadata:
          labels:
            app: "?*"
""")

kubectl_apply(manifest="""
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-limits
spec:
  validationFailureAction: Enforce
  rules:
  - name: require-cpu-memory
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "CPU and memory limits required"
      pattern:
        spec:
          containers:
          - resources:
              limits:
                cpu: "?*"
                memory: "?*"
""")
```

## Gatekeeper (OPA)

### Detect Installation

```python
gatekeeper_detect_tool()
```

### List Constraints

```python
gatekeeper_constraints_list_tool()

gatekeeper_constrainttemplates_list_tool()
```

### Get Constraint Details

```python
gatekeeper_constraint_get_tool(
    kind="K8sRequiredLabels",
    name="require-app-label"
)

gatekeeper_constrainttemplate_get_tool(name="k8srequiredlabels")
```

### Common Gatekeeper Policies

```python
kubectl_apply(manifest="""
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package k8srequiredlabels
      violation[{"msg": msg}] {
        provided := {label | input.review.object.metadata.labels[label]}
        required := {label | label := input.parameters.labels[_]}
        missing := required - provided
        count(missing) > 0
        msg := sprintf("Missing labels: %v", [missing])
      }
""")

kubectl_apply(manifest="""
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
  parameters:
    labels: ["app", "env"]
""")
```

## Policy Audit Workflow

```python
kyverno_detect_tool()
kyverno_clusterpolicies_list_tool()
kyverno_clusterpolicyreports_list_tool()
```

## Prerequisites

- **Kyverno**: Required for Kyverno tools
  ```bash
  kubectl create -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
  ```
- **Gatekeeper**: Required for Gatekeeper tools
  ```bash
  kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
  ```

## Related Skills

- [k8s-security](../k8s-security/SKILL.md) - RBAC and security
- [k8s-operations](../k8s-operations/SKILL.md) - Apply policies


---

## Referenced Files

> The following files are referenced in this skill and included for context.

### ../k8s-security/SKILL.md

```markdown
---
name: k8s-security
description: Audit Kubernetes RBAC, enforce policies, and manage secrets. Use for security reviews, permission audits, policy enforcement with Kyverno/Gatekeeper, and secret management.
license: Apache-2.0
metadata:
  author: rohitg00
  version: "1.0.0"
  tools: 10
  category: security
---

# Kubernetes Security

Security auditing, RBAC management, and policy enforcement using kubectl-mcp-server tools.

## When to Apply

Use this skill when:
- User mentions: "security", "RBAC", "permissions", "policy", "audit", "secrets"
- Operations: security review, permission check, policy enforcement
- Keywords: "who can", "access control", "compliance", "vulnerable"

## Priority Rules

| Priority | Rule | Impact | Tools |
|----------|------|--------|-------|
| 1 | Check cluster-admin bindings first | CRITICAL | `get_cluster_role_bindings` |
| 2 | Audit secrets access permissions | CRITICAL | Review role rules |
| 3 | Verify network isolation | HIGH | `get_network_policies` |
| 4 | Check policy compliance | HIGH | `kyverno_*`, `gatekeeper_*` |
| 5 | Review pod security contexts | MEDIUM | `describe_pod` |

## Quick Reference

| Task | Tool | Example |
|------|------|---------|
| List roles | `get_roles` | `get_roles(namespace)` |
| Cluster roles | `get_cluster_roles` | `get_cluster_roles()` |
| Role bindings | `get_role_bindings` | `get_role_bindings(namespace)` |
| Service accounts | `get_service_accounts` | `get_service_accounts(namespace)` |
| Kyverno policies | `kyverno_clusterpolicies_list_tool` | `kyverno_clusterpolicies_list_tool()` |

## RBAC Auditing

### List Roles and Bindings

```python
get_roles(namespace)
get_cluster_roles()
get_role_bindings(namespace)
get_cluster_role_bindings()
```

### Check Service Account Permissions

```python
get_service_accounts(namespace)
```

### Common RBAC Patterns

| Pattern | Risk Level | Check |
|---------|-----------|-------|
| cluster-admin binding | Critical | `get_cluster_role_bindings()` |
| Wildcard verbs (*) | High | Review role rules |
| secrets access | High | Check get/list on secrets |
| pod/exec | High | Allows container access |

See [RBAC-PATTERNS.md](RBAC-PATTERNS.md) for detailed patterns and remediation.

## Policy Enforcement

### Kyverno Policies

```python
kyverno_policies_list_tool(namespace)
kyverno_clusterpolicies_list_tool()
kyverno_policy_get_tool(name, namespace)
```

### OPA Gatekeeper

```python
gatekeeper_constraints_list_tool()
gatekeeper_constraint_get_tool(kind, name)
gatekeeper_templates_list_tool()
```

### Common Policies to Enforce

| Policy | Purpose |
|--------|---------|
| Disallow privileged | Prevent root containers |
| Require resource limits | Prevent resource exhaustion |
| Restrict host namespaces | Isolate from node |
| Require labels | Ensure metadata |
| Allowed registries | Control image sources |

## Secret Management

### List Secrets

```python
get_secrets(namespace)
```

### Secret Best Practices

1. Use external secret managers (Vault, AWS SM)
2. Encrypt secrets at rest (EncryptionConfiguration)
3. Limit secret access via RBAC
4. Rotate secrets regularly

## Network Policies

### List Policies

```python
get_network_policies(namespace)
```

### Cilium Network Policies

```python
cilium_policies_list_tool(namespace)
cilium_policy_get_tool(name, namespace)
```

### Default Deny Template

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

## Security Scanning Workflow

1. **RBAC Audit**
   ```python
   get_cluster_role_bindings()
   get_roles(namespace)
   ```

2. **Policy Compliance**
   ```python
   kyverno_clusterpolicies_list_tool()
   gatekeeper_constraints_list_tool()
   ```

3. **Network Isolation**
   ```python
   get_network_policies(namespace)
   cilium_endpoints_list_tool(namespace)
   ```

4. **Pod Security**
   ```python
   get_pods(namespace)
   describe_pod(name, namespace)
   ```

## Multi-Cluster Security

Audit across clusters:

```python
get_cluster_role_bindings(context="production")
get_cluster_role_bindings(context="staging")
```

## Automated Audit Script

For comprehensive security audit, see [scripts/audit-rbac.py](scripts/audit-rbac.py).

## Related Tools

- RBAC: `get_roles`, `get_cluster_roles`, `get_role_bindings`
- Policy: `kyverno_*`, `gatekeeper_*`
- Network: `get_network_policies`, `cilium_policies_*`
- Istio: `istio_authorizationpolicies_list_tool`, `istio_peerauthentications_list_tool`

## Related Skills

- [k8s-policy](../k8s-policy/SKILL.md) - Policy management
- [k8s-cilium](../k8s-cilium/SKILL.md) - Cilium network security

```

### ../k8s-operations/SKILL.md

```markdown
---
name: k8s-operations
description: kubectl operations for applying, patching, deleting, and executing commands on Kubernetes resources. Use when modifying resources, running commands in pods, or managing resource lifecycle.
license: Apache-2.0
metadata:
  author: rohitg00
  version: "1.0.0"
  tools: 14
  category: operations
---

# kubectl Operations

Execute kubectl commands using kubectl-mcp-server's operations tools.

## When to Apply

Use this skill when:
- User mentions: "apply", "patch", "delete", "exec", "scale", "rollout"
- Operations: modifying resources, running commands, scaling workloads
- Keywords: "update", "change", "modify", "run command", "restart"

## Priority Rules

| Priority | Rule | Impact | Tools |
|----------|------|--------|-------|
| 1 | Dry run before apply in production | CRITICAL | `kubectl_apply(dry_run=True)` |
| 2 | Check current state before patching | HIGH | `describe_*` tools |
| 3 | Avoid force delete unless necessary | HIGH | `kubectl_delete` |
| 4 | Verify rollout status after changes | MEDIUM | `kubectl_rollout_status` |

## Quick Reference

| Task | Tool | Example |
|------|------|---------|
| Apply manifest | `kubectl_apply` | `kubectl_apply(manifest=yaml)` |
| Patch resource | `kubectl_patch` | `kubectl_patch(type, name, namespace, patch)` |
| Delete resource | `kubectl_delete` | `kubectl_delete(type, name, namespace)` |
| Exec command | `kubectl_exec` | `kubectl_exec(pod, namespace, command)` |
| Scale deployment | `scale_deployment` | `scale_deployment(name, namespace, replicas)` |

## Apply Resources

```python
kubectl_apply(manifest="""
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
""")

kubectl_apply(file_path="/path/to/manifest.yaml")

kubectl_apply(manifest="...", dry_run=True)
```

## Patch Resources

```python
kubectl_patch(
    resource_type="deployment",
    name="nginx",
    namespace="default",
    patch={"spec": {"replicas": 5}}
)

kubectl_patch(
    resource_type="deployment",
    name="nginx",
    namespace="default",
    patch=[{"op": "replace", "path": "/spec/replicas", "value": 5}],
    patch_type="json"
)

kubectl_patch(
    resource_type="service",
    name="my-svc",
    namespace="default",
    patch={"metadata": {"annotations": {"key": "value"}}},
    patch_type="merge"
)
```

## Delete Resources

```python
kubectl_delete(resource_type="pod", name="my-pod", namespace="default")

kubectl_delete(
    resource_type="pods",
    namespace="default",
    label_selector="app=test"
)

kubectl_delete(
    resource_type="pod",
    name="stuck-pod",
    namespace="default",
    force=True,
    grace_period=0
)
```

## Execute Commands

```python
kubectl_exec(
    pod="my-pod",
    namespace="default",
    command="ls -la /app"
)

kubectl_exec(
    pod="my-pod",
    namespace="default",
    container="sidecar",
    command="cat /etc/config/settings.yaml"
)

kubectl_exec(
    pod="my-pod",
    namespace="default",
    command="sh -c 'curl -s localhost:8080/health'"
)
```

## Scale Resources

```python
scale_deployment(name="nginx", namespace="default", replicas=5)

scale_deployment(name="nginx", namespace="default", replicas=0)

kubectl_scale(
    resource_type="statefulset",
    name="mysql",
    namespace="default",
    replicas=3
)
```

## Rollout Management

```python
kubectl_rollout_status(
    resource_type="deployment",
    name="nginx",
    namespace="default"
)

kubectl_rollout_history(
    resource_type="deployment",
    name="nginx",
    namespace="default"
)

kubectl_rollout_restart(
    resource_type="deployment",
    name="nginx",
    namespace="default"
)

rollback_deployment(name="nginx", namespace="default", revision=1)
```

## Labels and Annotations

```python
kubectl_label(
    resource_type="pod",
    name="my-pod",
    namespace="default",
    labels={"env": "production"}
)

kubectl_annotate(
    resource_type="deployment",
    name="nginx",
    namespace="default",
    annotations={"description": "Main web server"}
)
```

## Related Skills

- [k8s-deploy](../k8s-deploy/SKILL.md) - Deployment strategies
- [k8s-helm](../k8s-helm/SKILL.md) - Helm operations

```