
k8s-security-policies

Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

79

1.04x
Quality: 68% (Does it follow best practices?)

Impact: 98%, 1.04x (average score across 3 eval scenarios)

Security by Snyk: Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/kubernetes-operations/skills/k8s-security-policies/SKILL.md

Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a well-crafted skill description that clearly identifies specific Kubernetes security resources (NetworkPolicy, PodSecurityPolicy, RBAC), uses third-person voice correctly, and includes an explicit 'Use when' clause with natural trigger terms. It covers both the 'what' and 'when' effectively and occupies a distinct niche at the intersection of Kubernetes and security.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: 'Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security.' These are specific, named Kubernetes resources and concepts. | 3 / 3 |
| Completeness | Clearly answers both what ('Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC') and when ('Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards') with an explicit 'Use when' clause. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Kubernetes', 'security policies', 'NetworkPolicy', 'PodSecurityPolicy', 'RBAC', 'network isolation', 'pod security standards', 'securing Kubernetes clusters'. Good coverage of both specific resource names and broader concepts. | 3 / 3 |
| Distinctiveness Conflict Risk | Clearly scoped to Kubernetes security specifically, with distinct triggers like NetworkPolicy, PodSecurityPolicy, RBAC, and pod security standards. Unlikely to conflict with general Kubernetes skills or general security skills due to the specific intersection of both domains. | 3 / 3 |
| Total | | 12 / 12 (Passed) |

Implementation

37%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides excellent, executable YAML examples covering a broad range of Kubernetes security primitives, which is its primary strength. However, it is significantly too verbose—repeating patterns Claude already knows, including generic best practices, and listing compliance framework bullet points that add little actionable value. The most critical weakness is the complete absence of a sequenced workflow with validation steps, which is essential for security policy implementation where misconfigurations can lock out services or leave clusters exposed.

Suggestions

Add a clear implementation workflow with sequenced steps and validation checkpoints, e.g.: 1) Apply default-deny NetworkPolicy, 2) Verify with `kubectl exec` that traffic is blocked, 3) Add allow rules incrementally, 4) Verify each rule before proceeding.

Remove or drastically condense the compliance frameworks section, best practices list, and 'When to Use' section—these are generic knowledge Claude already possesses.

Consolidate the three nearly-identical Pod Security Standards examples into a single template with a note that only the label value changes (privileged/baseline/restricted).

Create the referenced bundle files (`assets/network-policy-template.yaml`, `references/rbac-patterns.md`) and move detailed examples like OPA Gatekeeper and Istio configs into separate reference files to improve progressive disclosure.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is extremely verbose at ~300 lines, with significant redundancy. The three Pod Security Standards examples are nearly identical (differing only in one label value). The compliance frameworks section lists generic security advice Claude already knows. The 'When to Use This Skill' and 'Purpose' sections are redundant. Best practices are generic Kubernetes security knowledge that doesn't need restating. | 1 / 3 |
| Actionability | The skill provides fully executable, copy-paste ready YAML manifests for every policy type covered: NetworkPolicy, RBAC, Pod Security Standards, OPA Gatekeeper, and Istio. The troubleshooting section includes concrete kubectl commands. All examples are complete and valid Kubernetes resource definitions. | 3 / 3 |
| Workflow Clarity | There is no sequenced workflow for implementing security policies. The content is a reference catalog of YAML snippets with no guidance on order of operations, no validation checkpoints (e.g., verify NetworkPolicy is enforced before proceeding), and no feedback loops. For security-critical operations like RBAC and network isolation, missing validation steps is a significant gap. | 1 / 3 |
| Progressive Disclosure | References to `assets/network-policy-template.yaml` and `references/rbac-patterns.md` suggest intended progressive disclosure, but no bundle files exist to support them. The main file contains a large amount of inline content (OPA Gatekeeper, Istio, compliance frameworks) that could be split into separate reference files. The structure has clear sections but is monolithic. | 2 / 3 |
| Total | | 7 / 12 (Passed) |

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository
wshobson/agents
Reviewed
