k8s-security-policies

Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

Overall score: 79 (1.04x)

Quality: 68% (Does it follow best practices?)

Impact: 98% (1.04x, average score across 3 eval scenarios)

Security (by Snyk): Passed, no known issues

Skill file: ./plugins/kubernetes-operations/skills/k8s-security-policies/SKILL.md

Quality: Content (37%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides excellent, executable YAML examples covering a broad range of Kubernetes security topics, but suffers from being a monolithic reference catalog rather than a structured, actionable guide. It lacks any workflow sequencing or validation steps for implementing security policies, which is critical for production security operations. Significant verbosity from generic best practices lists, compliance framework summaries, and topics Claude already understands wastes token budget.

Suggestions

Add a clear implementation workflow (e.g., '1. Apply default-deny NetworkPolicy → 2. Verify with kubectl describe → 3. Add allow rules → 4. Test connectivity → 5. Apply RBAC → 6. Verify with kubectl auth can-i') with explicit validation checkpoints between steps.

Remove or drastically condense the Best Practices, Compliance Frameworks, and 'When to Use This Skill' sections—these are generic knowledge Claude already has.

Split the detailed YAML examples for OPA Gatekeeper, Istio, and advanced patterns into separate referenced files, keeping SKILL.md as a concise overview with quick-start examples for the core topics (NetworkPolicy, RBAC, Pod Security Standards).

Add verification commands after each policy application step (e.g., 'After applying default-deny, verify: kubectl run test --image=busybox -- wget backend:8080 should fail').

Dimension scores (reasoning, score out of 3):

Conciseness (1 / 3): The skill is extremely verbose at ~300 lines, with significant content Claude already knows (Pod Security Standards levels, basic RBAC concepts, CIS/NIST compliance checklists). The best practices section is a generic list that adds little actionable value. Multiple sections like Istio service mesh and OPA Gatekeeper expand scope beyond what's needed, and the compliance frameworks section is purely descriptive.

Actionability (3 / 3): The skill provides fully executable, copy-paste ready YAML manifests for every concept covered—NetworkPolicy, RBAC, Pod Security Context, OPA Gatekeeper, and Istio policies. The troubleshooting section includes concrete kubectl commands. All examples are complete and directly applicable.

Workflow Clarity (1 / 3): There is no sequenced workflow for implementing security policies. The content is a reference catalog of YAML snippets with no ordering, no validation checkpoints, and no guidance on which policies to apply first or how to verify they're working. For security-critical operations like network isolation and RBAC, missing validation/verification steps is a significant gap.

Progressive Disclosure (2 / 3): References to `assets/network-policy-template.yaml` and `references/rbac-patterns.md` are mentioned but no bundle files exist to support them. The content itself is a monolithic wall of YAML examples that could benefit from being split into separate reference files for each topic (network policies, RBAC, OPA, Istio), with the SKILL.md serving as a concise overview.

Total: 7 / 12

Description: 100% (Passed)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly identifies its domain (Kubernetes security), lists specific capabilities (NetworkPolicy, PodSecurityPolicy, RBAC), and includes an explicit 'Use when' clause with natural trigger terms. It uses proper third-person voice and is concise without being vague. One minor note is that PodSecurityPolicy is deprecated in favor of Pod Security Standards/Admission, but this is a content accuracy issue rather than a description quality issue.

Dimension scores (reasoning, score out of 3):

Specificity (3 / 3): Lists multiple specific concrete actions: implementing NetworkPolicy, PodSecurityPolicy, and RBAC. These are distinct, well-defined Kubernetes security mechanisms rather than vague abstractions.

Completeness (3 / 3): Clearly answers both 'what' (implement NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security) and 'when' (explicit 'Use when' clause covering securing clusters, implementing network isolation, or enforcing pod security standards).

Trigger Term Quality (3 / 3): Includes strong natural keywords users would say: 'Kubernetes', 'security policies', 'NetworkPolicy', 'PodSecurityPolicy', 'RBAC', 'network isolation', 'pod security standards', 'securing Kubernetes clusters'. Good coverage of both specific resource names and general intent terms.

Distinctiveness / Conflict Risk (3 / 3): Highly specific to Kubernetes security policies with distinct triggers like NetworkPolicy, PodSecurityPolicy, RBAC, and pod security standards. Unlikely to conflict with general Kubernetes deployment skills or generic security skills.

Total: 12 / 12

Validation: 100% (Passed)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 11 / 11 checks passed. No warnings or errors.

Repository: wshobson/agents (Reviewed)
