k8s-security-policies

Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

79

1.04x
Quality: 68% (Does it follow best practices?)

Impact: 98%, 1.04x (Average score across 3 eval scenarios)

Security by Snyk: Passed. No known issues.

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/kubernetes-operations/skills/k8s-security-policies/SKILL.md
Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a well-crafted skill description that clearly identifies specific Kubernetes security resources (NetworkPolicy, PodSecurityPolicy, RBAC), uses natural trigger terms users would employ, and includes an explicit 'Use when' clause. It occupies a clear niche at the intersection of Kubernetes and security, making it distinctive and unlikely to conflict with broader skills. One minor note is that PodSecurityPolicy is deprecated in favor of Pod Security Standards, but the description does mention 'pod security standards' in the trigger clause.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: 'Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security.' These are specific, named Kubernetes resources and concepts. | 3 / 3 |
| Completeness | Clearly answers both what ('Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC') and when ('Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards') with an explicit 'Use when' clause. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Kubernetes', 'security policies', 'NetworkPolicy', 'PodSecurityPolicy', 'RBAC', 'network isolation', 'pod security standards', 'securing Kubernetes clusters'. Good coverage of both specific resource names and broader concepts. | 3 / 3 |
| Distinctiveness Conflict Risk | Clearly scoped to Kubernetes security specifically, with distinct triggers like NetworkPolicy, PodSecurityPolicy, RBAC, and pod security standards. Unlikely to conflict with general Kubernetes skills or general security skills due to the specific intersection of both domains. | 3 / 3 |
| Total | | 12 / 12 |

Passed

Implementation: 37%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a comprehensive catalog of executable Kubernetes security YAML manifests, which is its primary strength. However, it is excessively verbose with redundant examples and explanatory content Claude already knows (compliance frameworks, best practices lists). Most critically, it lacks any sequenced workflow or validation steps for implementing these policies, making it a reference dump rather than an actionable guide.

Suggestions

Add a clear implementation workflow (e.g., '1. Apply default-deny NetworkPolicy → 2. Verify with kubectl describe → 3. Add allow rules → 4. Test connectivity → 5. Apply RBAC → 6. Verify with kubectl auth can-i') with explicit validation checkpoints between steps.

Consolidate the three nearly-identical Pod Security Standards examples into one template with a note that the label value can be 'privileged', 'baseline', or 'restricted'.

Remove the Compliance Frameworks and Best Practices sections—these are general knowledge Claude already has—or reduce them to a single-line reference to an external document.

Split OPA Gatekeeper and Istio service mesh content into separate referenced files, keeping SKILL.md as a concise overview with links to detailed guides.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is extremely verbose at ~300 lines, with significant redundancy. The three Pod Security Standards examples are nearly identical (differing only in one label value). The 'Purpose' and 'When to Use' sections restate the description. Compliance framework bullet lists and best practices are things Claude already knows. Much of this could be condensed by 60%+. | 1 / 3 |
| Actionability | The content provides fully executable, copy-paste-ready YAML manifests and kubectl commands covering NetworkPolicy, RBAC, Pod Security Context, OPA Gatekeeper, and Istio policies. The troubleshooting section includes concrete diagnostic commands. | 3 / 3 |
| Workflow Clarity | There is no sequenced workflow for implementing security policies. The content is a reference catalog of YAML snippets with no ordering, no validation checkpoints, and no feedback loops. For security policy implementation—which involves destructive/cluster-wide changes—the absence of a step-by-step process with verification is a significant gap. | 1 / 3 |
| Progressive Disclosure | There are two references to external files (assets/network-policy-template.yaml and references/rbac-patterns.md) and links to related skills, showing some structure. However, the main file is a monolithic wall of YAML that should be split—e.g., OPA Gatekeeper and Istio sections could be separate references. The inline content is far too long for an overview. | 2 / 3 |
| Total | | 7 / 12 |

Passed

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: wshobson/agents