mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,42 @@
|
||||
# Pod Security Admission Deployment Plan
|
||||
|
||||
## Namespace PSA Configuration
|
||||
|
||||
| Namespace | Enforce | Audit | Warn | Justification |
|
||||
|-----------|---------|-------|------|---------------|
|
||||
| production | restricted | restricted | restricted | Production workloads |
|
||||
| staging | baseline | restricted | restricted | Pre-production testing |
|
||||
| development | baseline | restricted | restricted | Developer workloads |
|
||||
| kube-system | privileged | - | - | System components |
|
||||
| monitoring | privileged | - | - | Prometheus, Grafana |
|
||||
| ingress-nginx | baseline | restricted | restricted | Ingress controller |
|
||||
|
||||
## Migration Checklist
|
||||
|
||||
- [ ] Audit all namespaces with dry-run
|
||||
- [ ] Document violations per namespace
|
||||
- [ ] Apply audit+warn mode first
|
||||
- [ ] Fix violations in workloads
|
||||
- [ ] Test enforcement with dry-run
|
||||
- [ ] Apply enforce mode
|
||||
- [ ] Set cluster-wide defaults
|
||||
- [ ] Monitor for rejected pods
|
||||
- [ ] Remove deprecated PSPs (if applicable)
|
||||
|
||||
## Compliant Security Context Template
|
||||
|
||||
```yaml
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
fsGroup: 2000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
```
|
||||
Reference in New Issue
Block a user