rohitg00

k8s-security

Audit Kubernetes RBAC, enforce policies, and manage secrets. Use for security reviews, permission audits, policy enforcement with Kyverno/Gatekeeper, and secret management.

rohitg00 902 176 Updated 4mo ago


Install

npx skillscat add rohitg00/kubectl-mcp-server/k8s-security

Install via the SkillsCat registry.

SKILL.md

Kubernetes Security

Security auditing, RBAC management, and policy enforcement using kubectl-mcp-server tools.

When to Apply

Use this skill when:

  • User mentions: "security", "RBAC", "permissions", "policy", "audit", "secrets"
  • Operations: security review, permission check, policy enforcement
  • Keywords: "who can", "access control", "compliance", "vulnerable"

Priority Rules

| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Check cluster-admin bindings first | CRITICAL | get_cluster_role_bindings |
| 2 | Audit secrets access permissions | CRITICAL | Review role rules |
| 3 | Verify network isolation | HIGH | get_network_policies |
| 4 | Check policy compliance | HIGH | kyverno_*, gatekeeper_* |
| 5 | Review pod security contexts | MEDIUM | describe_pod |

Quick Reference

| Task | Tool | Example |
|---|---|---|
| List roles | get_roles | get_roles(namespace) |
| Cluster roles | get_cluster_roles | get_cluster_roles() |
| Role bindings | get_role_bindings | get_role_bindings(namespace) |
| Service accounts | get_service_accounts | get_service_accounts(namespace) |
| Kyverno policies | kyverno_clusterpolicies_list_tool | kyverno_clusterpolicies_list_tool() |

RBAC Auditing

List Roles and Bindings

get_roles(namespace)
get_cluster_roles()
get_role_bindings(namespace)
get_cluster_role_bindings()

Check Service Account Permissions

get_service_accounts(namespace)

Common RBAC Patterns

| Pattern | Risk Level | Check |
|---|---|---|
| cluster-admin binding | Critical | get_cluster_role_bindings() |
| Wildcard verbs (*) | High | Review role rules |
| secrets access | High | Check get/list on secrets |
| pod/exec | High | Allows container access |

See RBAC-PATTERNS.md for detailed patterns and remediation.

Policy Enforcement

Kyverno Policies

kyverno_policies_list_tool(namespace)
kyverno_clusterpolicies_list_tool()
kyverno_policy_get_tool(name, namespace)

OPA Gatekeeper

gatekeeper_constraints_list_tool()
gatekeeper_constraint_get_tool(kind, name)
gatekeeper_templates_list_tool()

Common Policies to Enforce

| Policy | Purpose |
|---|---|
| Disallow privileged | Prevent root containers |
| Require resource limits | Prevent resource exhaustion |
| Restrict host namespaces | Isolate from node |
| Require labels | Ensure metadata |
| Allowed registries | Control image sources |

Secret Management

List Secrets

get_secrets(namespace)

Secret Best Practices

  1. Use external secret managers (Vault, AWS SM)
  2. Encrypt secrets at rest (EncryptionConfiguration)
  3. Limit secret access via RBAC
  4. Rotate secrets regularly

Network Policies

List Policies

get_network_policies(namespace)

Cilium Network Policies

cilium_policies_list_tool(namespace)
cilium_policy_get_tool(name, namespace)

Default Deny Template

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Security Scanning Workflow

  1. RBAC Audit

    get_cluster_role_bindings()
    get_roles(namespace)
  2. Policy Compliance

    kyverno_clusterpolicies_list_tool()
    gatekeeper_constraints_list_tool()
  3. Network Isolation

    get_network_policies(namespace)
    cilium_endpoints_list_tool(namespace)
  4. Pod Security

    get_pods(namespace)
    describe_pod(name, namespace)

Multi-Cluster Security

Audit across clusters:

get_cluster_role_bindings(context="production")
get_cluster_role_bindings(context="staging")

Automated Audit Script

For a comprehensive security audit, see scripts/audit-rbac.py.
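As an added example (not the project's scripts/audit-rbac.py), the following Python applies the checks from the Common RBAC Patterns table offline to ClusterRole and ClusterRoleBinding objects in the JSON shape kubectl returns; the role, binding and subject names in the sample data are constructed.

```python
# Constructed sample objects in the shape `kubectl get clusterroles,clusterrolebindings -o json` returns.
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "ci-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"metadata": {"name": "read-secrets"}, "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"metadata": {"name": "debug"}, "roleRef": {"kind": "ClusterRole", "name": "debugger"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]
# Risk levels follow the Common RBAC Patterns table.
RISK = {"cluster-admin": "Critical", "wildcard-verbs": "High", "secrets-access": "High", "pod-exec": "High"}

def classify_rules(rules):
    """Return the set of risky patterns a role's rules match; '*' matches any resource or verb."""
    found = set()
    for rule in rules:
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs:
            found.add("wildcard-verbs")
        if resources & {"secrets", "*"} and verbs & {"get", "list", "*"}:
            found.add("secrets-access")
        if resources & {"pods/exec", "*"} and verbs & {"create", "*"}:
            found.add("pod-exec")
    return found

def audit(roles, bindings):
    """Return (binding, subject, pattern, risk) findings, Critical first, then by binding name.
    A binding straight to cluster-admin is reported once as Critical, not as each sub-pattern."""
    rules_by_name = {r["metadata"]["name"]: r.get("rules", []) for r in roles}
    findings = []
    for b in bindings:
        ref = b["roleRef"]["name"]
        patterns = {"cluster-admin"} if ref == "cluster-admin" else classify_rules(rules_by_name.get(ref, []))
        for s in b.get("subjects", []):
            for p in sorted(patterns):
                findings.append((b["metadata"]["name"], f'{s["kind"]}/{s["name"]}', p, RISK[p]))
    return sorted(findings, key=lambda f: (f[3] != "Critical", f[0]))

if __name__ == "__main__":
    for binding, subject, pattern, risk in audit(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS):
        print(f"{risk:8} {pattern:15} {binding} -> {subject}")
```

Feed it the real objects from get_cluster_roles() and get_cluster_role_bindings() (or the namespaced equivalents) to review a live cluster the same way.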

Related Tools

  • RBAC: get_roles, get_cluster_roles, get_role_bindings
  • Policy: kyverno_*, gatekeeper_*
  • Network: get_network_policies, cilium_policies_*
  • Istio: istio_authorizationpolicies_list_tool, istio_peerauthentications_list_tool
