
k8s-security-policies

Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

79

1.04x
Quality: 68% (Does it follow best practices?)

Impact: 98%, 1.04x (Average score across 3 eval scenarios)

Security by Snyk: Passed. No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/kubernetes-operations/skills/k8s-security-policies/SKILL.md

Evaluation results

100%

Secure Kubernetes Namespace and Workload Deployment

Secure namespace and pod configuration

| Criteria | Without context | With context |
| --- | --- | --- |
| PSS enforce label | 100% | 100% |
| PSS audit label | 100% | 100% |
| PSS warn label | 100% | 100% |
| Dedicated ServiceAccount | 100% | 100% |
| Token auto-mount disabled | 100% | 100% |
| runAsNonRoot | 100% | 100% |
| runAsUser set | 100% | 100% |
| seccompProfile RuntimeDefault | 100% | 100% |
| allowPrivilegeEscalation false | 100% | 100% |
| readOnlyRootFilesystem | 100% | 100% |
| Capabilities dropped | 100% | 100% |
| Deployment references SA | 100% | 100% |

94%

8%

Network Isolation for a Three-Tier E-Commerce Application

Network policy segmentation

| Criteria | Without context | With context |
| --- | --- | --- |
| Default deny all policy | 100% | 100% |
| DNS allow policy present | 100% | 100% |
| DNS targets kube-system by namespace label | 0% | 100% |
| Frontend-to-backend uses tier labels | 100% | 100% |
| Frontend-to-backend allows port 8080 | 100% | 100% |
| Frontend-to-backend allows port 9090 | 0% | 0% |
| External HTTPS egress uses ipBlock | 100% | 100% |
| Metadata service blocked | 100% | 100% |
| Ingress controller access | 100% | 100% |
| Database access restricted | 100% | 100% |

100%

3%

RBAC Setup and Admission Control for a Multi-Team Platform

RBAC least-privilege and admission control

| Criteria | Without context | With context |
| --- | --- | --- |
| Role for app configmap access | 100% | 100% |
| resourceNames specified | 100% | 100% |
| No wildcard verbs in production roles | 100% | 100% |
| Role for alice (namespace-scoped) | 100% | 100% |
| Role for cicd-bot (namespace-scoped) | 100% | 100% |
| RoleBindings present | 100% | 100% |
| ConstraintTemplate apiVersion | 100% | 100% |
| Rego package name | 100% | 100% |
| Rego violation rule | 70% | 100% |
| Constraint targets Deployments | 100% | 100% |
| Constraint requires app+environment labels | 100% | 100% |
| Constraint apiVersion correct | 100% | 100% |

Repository: wshobson/agents

Evaluated
Agent: Claude Code
Model: Claude Sonnet 4.6
