Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.
Scores: 79; 68% (Does it follow best practices?)
Impact: 98%; 1.04x average score across 3 eval scenarios; Passed; No known issues
Optimize this skill with Tessl:

`npx tessl skill review --optimize ./plugins/kubernetes-operations/skills/k8s-security-policies/SKILL.md`

Quality
Discovery
100%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly identifies its domain (Kubernetes security), lists specific capabilities (NetworkPolicy, PodSecurityPolicy, RBAC), and includes an explicit 'Use when' clause with natural trigger terms. It uses proper third-person voice and is concise without being vague. One minor note is that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 in favor of Pod Security Admission (which enforces the Pod Security Standards), so the description advertises a mechanism that no longer exists on supported clusters; this is a content accuracy issue rather than a description quality issue.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: implementing NetworkPolicy, PodSecurityPolicy, and RBAC. These are distinct, well-defined Kubernetes security mechanisms rather than vague abstractions. | 3 / 3 |
| Completeness | Clearly answers both 'what' (implement NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security) and 'when' (explicit 'Use when' clause covering securing clusters, implementing network isolation, or enforcing pod security standards). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Kubernetes', 'NetworkPolicy', 'PodSecurityPolicy', 'RBAC', 'security policies', 'network isolation', 'pod security standards', 'securing Kubernetes clusters'. Good coverage of both specific resource names and broader concepts. | 3 / 3 |
| Distinctiveness (Conflict Risk) | Highly specific niche targeting Kubernetes security policies with distinct trigger terms like NetworkPolicy, PodSecurityPolicy, and RBAC. Unlikely to conflict with general Kubernetes deployment skills or generic security skills. | 3 / 3 |
| Total | | 12 / 12 (Passed) |
Implementation
37%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides comprehensive, executable YAML examples covering multiple Kubernetes security domains, which is its primary strength. However, it is far too verbose — much of the content is boilerplate YAML Claude can generate on its own, and sections like compliance frameworks add little actionable value. The critical weakness is the complete absence of a sequenced workflow with validation steps, which is essential for security policy implementation where missteps can lock out services or leave gaps.
Suggestions
Add a clear sequenced workflow (e.g., '1. Apply default-deny NetworkPolicy → 2. Verify pods are isolated with kubectl exec → 3. Add specific allow rules → 4. Verify connectivity') with explicit validation checkpoints between steps.
Consolidate the three nearly identical Pod Security Standards namespace examples into one example with a note that the value of the pod-security.kubernetes.io/enforce label can be 'privileged', 'baseline', or 'restricted' (and that the same values apply to the audit and warn modes).
Move OPA Gatekeeper, Istio service mesh, and compliance framework content into separate reference files, keeping only a brief mention and link in the main SKILL.md.
Remove the 'Purpose', 'When to Use This Skill', and generic best practices that Claude already knows, and replace with a concise decision tree for which security mechanisms to apply in which scenarios.
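The sequenced workflow the first suggestion asks for, worked through as an added example (not code from the skill or from Tessl): a small Python model of how Kubernetes evaluates NetworkPolicy ingress rules, used to apply a default-deny policy, confirm the frontend-to-backend path is blocked, add allow rules, and confirm exactly those paths reopen. The namespaces, pod labels, policy names and ports are constructed for the illustration; egress rules, ipBlock peers, matchExpressions and named ports are deliberately left out of the model.

```python
"""Offline model of Kubernetes NetworkPolicy ingress evaluation, used to walk the
suggested workflow: default-deny, verify isolation, add allow rules, verify.
Constructed illustration, not code from the skill. Not modeled: egress rules,
ipBlock peers, matchExpressions, named ports."""
from dataclasses import dataclass

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict

def matches(selector, labels):
    """matchLabels semantics; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, src, policy_ns, namespaces):
    """One entry of a rule's `from` list. Without a namespaceSelector the peer only
    matches pods in the policy's own namespace; two selectors in one peer are ANDed."""
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None and src.namespace != policy_ns:
        return False
    if ns_sel is not None and not matches(ns_sel, namespaces[src.namespace]):
        return False
    pod_sel = peer.get("podSelector")
    return pod_sel is None or matches(pod_sel, src.labels)

def port_allows(ports, port, protocol):
    """An omitted or empty `ports` list means any port."""
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)

def ingress_allowed(policies, namespaces, src, dst, port, protocol="TCP"):
    """True if src -> dst:port is admitted. A pod selected by any Ingress policy is
    isolated; traffic then needs a matching rule in ANY selecting policy (allows are
    unioned, there is no explicit deny in NetworkPolicy)."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and matches(p["spec"].get("podSelector", {}), dst.labels)]
    if not selecting:
        return True  # not isolated: Kubernetes default is allow-all
    for pol in selecting:
        for rule in pol["spec"].get("ingress") or []:
            peers = rule.get("from") or []  # empty `from` matches every source
            if ((not peers or any(peer_allows(x, src, dst.namespace, namespaces) for x in peers))
                    and port_allows(rule.get("ports"), port, protocol)):
                return True
    return False

# Constructed cluster state; Kubernetes sets kubernetes.io/metadata.name on namespaces.
NAMESPACES = {"prod": {"team": "payments", "kubernetes.io/metadata.name": "prod"},
              "monitoring": {"team": "sre", "kubernetes.io/metadata.name": "monitoring"}}
FRONTEND = Pod("frontend-1", "prod", {"app": "frontend"})
BACKEND = Pod("backend-1", "prod", {"app": "backend"})
BATCH = Pod("batch-1", "prod", {"app": "batch"})
PROMETHEUS = Pod("prometheus-0", "monitoring", {"app": "prometheus"})
GRAFANA = Pod("grafana-0", "monitoring", {"app": "grafana"})

# Step 1: default-deny ingress for every pod in prod (empty podSelector, no rules).
DEFAULT_DENY = {"metadata": {"name": "default-deny-ingress", "namespace": "prod"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
# Step 3: allow only frontend -> backend on TCP/8080.
ALLOW_FRONTEND = {"metadata": {"name": "allow-frontend-to-backend", "namespace": "prod"},
                  "spec": {"podSelector": {"matchLabels": {"app": "backend"}},
                           "policyTypes": ["Ingress"],
                           "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                                        "ports": [{"protocol": "TCP", "port": 8080}]}]}}
# Cross-namespace scrape: namespaceSelector AND podSelector in the same peer.
ALLOW_SCRAPE = {"metadata": {"name": "allow-prometheus-scrape", "namespace": "prod"},
                "spec": {"podSelector": {"matchLabels": {"app": "backend"}},
                         "policyTypes": ["Ingress"],
                         "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "sre"}},
                                                "podSelector": {"matchLabels": {"app": "prometheus"}}}],
                                      "ports": [{"protocol": "TCP", "port": 9090}]}]}}

def run_workflow():
    """Sequenced rollout with a checkpoint after every apply; returns {check: passed}."""
    pols, ns, r = [], NAMESPACES, {}
    r["before: frontend->backend:8080 open"] = ingress_allowed(pols, ns, FRONTEND, BACKEND, 8080)
    pols.append(DEFAULT_DENY)                                                   # step 1
    r["step2: frontend->backend:8080 denied"] = not ingress_allowed(pols, ns, FRONTEND, BACKEND, 8080)
    pols.append(ALLOW_FRONTEND)                                                 # step 3
    r["step4: frontend->backend:8080 allowed"] = ingress_allowed(pols, ns, FRONTEND, BACKEND, 8080)
    r["step4: frontend->backend:9090 denied"] = not ingress_allowed(pols, ns, FRONTEND, BACKEND, 9090)
    r["step4: batch->backend:8080 denied"] = not ingress_allowed(pols, ns, BATCH, BACKEND, 8080)
    r["step4: prometheus->backend:9090 denied"] = not ingress_allowed(pols, ns, PROMETHEUS, BACKEND, 9090)
    pols.append(ALLOW_SCRAPE)                                                   # step 5
    r["step6: prometheus->backend:9090 allowed"] = ingress_allowed(pols, ns, PROMETHEUS, BACKEND, 9090)
    r["step6: prometheus->backend:8080 denied"] = not ingress_allowed(pols, ns, PROMETHEUS, BACKEND, 8080)
    r["step6: grafana->backend:9090 denied"] = not ingress_allowed(pols, ns, GRAFANA, BACKEND, 9090)
    # The lockout the review warns about: default-deny isolated the frontend too and
    # nothing has re-opened it (e.g. from the ingress controller), so it stays unreachable.
    r["frontend unreachable"] = not ingress_allowed(pols, ns, BATCH, FRONTEND, 80)
    return r

if __name__ == "__main__":
    for check, ok in run_workflow().items():
        print("PASS" if ok else "FAIL", check)
```

On a live cluster each checkpoint is a probe rather than a function call, for example `kubectl -n prod exec frontend-1 -- curl -sS --max-time 3 http://backend:8080/`, expected to time out after step 1 and succeed after step 3. That probe matters more than it looks: NetworkPolicy objects are accepted by the API server even when the installed CNI does not enforce them, so a missing verification step can leave a cluster believing it is isolated when nothing is blocked. The last checkpoint shows the other failure mode, a default-deny that also cuts off pods nobody wrote an allow rule for.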
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~300 lines, much of which is boilerplate YAML that Claude already knows how to generate. The Pod Security Standards section shows three nearly identical namespace manifests differing only in one label value. The compliance frameworks section lists generic security principles Claude already knows. The 'When to Use This Skill' and 'Purpose' sections are redundant. | 1 / 3 |
| Actionability | The YAML manifests are complete, copy-paste ready, and cover real-world scenarios (default deny, frontend-to-backend, RBAC bindings, OPA Gatekeeper constraints). The troubleshooting section provides executable kubectl commands. All examples are concrete and directly applicable. | 3 / 3 |
| Workflow Clarity | There is no sequenced workflow for implementing security policies. The content is a reference catalog of YAML snippets without any ordering, validation checkpoints, or feedback loops. For security-critical operations like applying NetworkPolicies or RBAC changes, there are no verification steps (e.g., 'apply default-deny first, then verify connectivity breaks, then add allow rules'). | 1 / 3 |
| Progressive Disclosure | There are references to external files (assets/network-policy-template.yaml, references/rbac-patterns.md) and related skills, which is good. However, the main file is a monolithic wall of YAML that should be split: OPA Gatekeeper, Istio, and compliance frameworks could each be separate reference files, with the SKILL.md serving as a concise overview. | 2 / 3 |
| Total | | 7 / 12 (Passed) |
Validation
100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.