k8s-security-policies

Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

Install with Tessl CLI

npx tessl i github:wshobson/agents --skill k8s-security-policies

What are skills?

Review — 76%

Does it follow best practices?

If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:

npx tessl skill review --optimize ./path/to/skill

Learn more

Validation — 11 / 11 Passed

Validation for skill structure

SKILL.md

Review

Evals

Evaluation results

100%

50%

Network Isolation for a Three-Tier E-Commerce Application

NetworkPolicy defense-in-depth

Criteria

Without context

With context

Default-deny-all policy

100%

DNS allowance

100%

Tier labels in ingress selectors

100%

Tier labels in target selectors

100%

Metadata service blocked

100%

Combined cross-namespace selector

100%

No unrestricted allow-all

100%

Port specificity

50%

100%

Without context: $0.3333 · 1m 44s · 9 turns · 73 in / 6,228 out tokens

With context: $0.4776 · 2m 17s · 19 turns · 219 in / 6,809 out tokens

85%

Kubernetes Access Control for a Data Pipeline Service

RBAC least-privilege configuration

Criteria

Without context

With context

Role not ClusterRole

100%

No wildcard verbs

100%

No wildcard resources

100%

resourceNames restriction

Dedicated ServiceAccount

100%

Token auto-mount disabled

100%

RoleBinding to ServiceAccount

100%

Minimal verbs

100%

Without context: $0.2320 · 1m 7s · 8 turns · 65 in / 4,013 out tokens

With context: $0.3553 · 1m 22s · 13 turns · 3,855 in / 4,348 out tokens

100%

Hardened Kubernetes Manifests for a Financial Services Workload

Pod security hardening

Criteria

Without context

With context

PSS enforce label

100%

PSS audit label

100%

PSS warn label

100%

runAsNonRoot set

100%

runAsUser set

100%

fsGroup set

100%

seccompProfile set

100%

No privilege escalation

100%

Read-only filesystem

100%

All capabilities dropped

100%

Without context: $0.1891 · 50s · 8 turns · 65 in / 2,720 out tokens

With context: $0.3535 · 1m 12s · 18 turns · 147 in / 3,240 out tokens

Evaluated: about 19 hours ago
Agent: Claude Code

Table of Contents

Network Isolation for a Three-Tier E-Commerce Application Kubernetes Access Control for a Data Pipeline Service Hardened Kubernetes Manifests for a Financial Services Workload

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.