How do I install k8s-security-policies?

Run `npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill k8s-security-policies` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does k8s-security-policies support?

k8s-security-policies works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is k8s-security-policies free to use?

Yes. k8s-security-policies is free to install and use. It is available from the open explainx.ai skill registry published by sickn33.

Where can I read ratings and reviews for k8s-security-policies?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

Cloud

k8s-security-policies▌

sickn33/antigravity-awesome-skills · updated Apr 8, 2026

$npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill k8s-security-policies

0 commentsdiscussion

summary

Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.

skill.md

Kubernetes Security Policies

Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.

Do not use this skill when

The task is unrelated to kubernetes security policies
You need a different domain or tool outside this scope

Instructions

Clarify goals, constraints, and required inputs.
Apply relevant best practices and validate outcomes.
Provide actionable steps and verification.
If detailed examples are required, open resources/implementation-playbook.md.

Purpose

Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.

Use this skill when

Implement network segmentation
Configure pod security standards
Set up RBAC for least-privilege access
Create security policies for compliance
Implement admission control
Secure multi-tenant clusters

Pod Security Standards

1. Privileged (Unrestricted)

apiVersion: v1
kind: Namespace
metadata:
  name: privileged-ns
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged

2. Baseline (Minimally restrictive)

apiVersion: v1
kind: Namespace
metadata:
  name: baseline-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline

3. Restricted (Most restrictive)

apiVersion: v1
kind: Namespace
metadata:
  name: restricted-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Network Policies

Default Deny All

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Allow Frontend to Backend

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080

Allow DNS

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - protocol: UDP
      port: 53

Reference: See assets/network-policy-template.yaml

RBAC Configuration

Role (Namespace-scoped)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

ClusterRole (Cluster-wide)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  name: default
  namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Reference: See references/rbac-patterns.md

Pod Security Context

Restricted Pod

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myapp:1.0
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL

Policy Enforcement with OPA Gatekeeper

ConstraintTemplate

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing required labels: %v", [missing])
        }

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    labels: ["app", "environment"]

Service Mesh Security (Istio)

PeerAuthentication (mTLS)

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT

AuthorizationPolicy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/production/sa/frontend"]

Best Practices

Implement Pod Security Standards at namespace level
Use Network Policies for network segmentation
Apply least-privilege RBAC for all service accounts
Enable admission control (OPA Gatekeeper/Kyverno)
Run containers as non-root
Use read-only root filesystem
Drop all capabilities unless needed
Implement resource quotas and limit ranges
Enable audit logging for security events
Regular security scanning of images

Compliance Frameworks

CIS Kubernetes Benchmark

Use RBAC authorization
Enable audit logging
Use Pod Security Standards
Configure network policies
Implement secrets encryption at rest
Enable node authentication

NIST Cybersecurity Framework

Implement defense in depth
Use network segmentation
Configure security monitoring
Implement access controls
Enable logging and monitoring

Troubleshooting

NetworkPolicy not working:

# Check if CNI supports NetworkPolicy
kubectl get nodes -o wide
kubectl describe networkpolicy <name>

RBAC permission denied:

# Check effective permissions
kubectl auth can-i list pods --as system:serviceaccount:default:my-sa
kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-sa

Reference Files

assets/network-policy-template.yaml - Network policy examples
assets/pod-security-template.yaml - Pod security policies
references/rbac-patterns.md - RBAC configuration patterns

Related Skills

k8s-manifest-generator - For creating secure manifests
gitops-workflow - For automated policy deployment

Discussion

Product Hunt–style comments (not star reviews)

No comments yet — start the thread.

general reviews

Ratings

4.6★★★★★75 reviews

★★★★★Aisha Taylor· Dec 28, 2024
k8s-security-policies has been reliable in day-to-day use. Documentation quality is above average for community skills.
★★★★★Pratham Ware· Dec 24, 2024
Registry listing for k8s-security-policies matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★Xiao Abbas· Dec 24, 2024
Useful defaults in k8s-security-policies — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Nia Ramirez· Dec 24, 2024
k8s-security-policies is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
★★★★★Nia Sanchez· Dec 20, 2024
I recommend k8s-security-policies for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Meera Patel· Dec 20, 2024
Useful defaults in k8s-security-policies — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Mateo Chen· Dec 4, 2024
Solid pick for teams standardizing on skills: k8s-security-policies is focused, and the summary matches what you get after install.
★★★★★Maya Kim· Nov 23, 2024
We added k8s-security-policies from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Maya Li· Nov 19, 2024
We added k8s-security-policies from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Sofia Ghosh· Nov 19, 2024
Useful defaults in k8s-security-policies — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

showing 1-10 of 75

1 / 8