mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 05:05:16 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,26 @@
|
||||
# Standards Reference: Policy as Code with OPA
|
||||
|
||||
## NIST SP 800-53 - Security and Privacy Controls
|
||||
|
||||
| Control | OPA Policy | Description |
|
||||
|---------|-----------|-------------|
|
||||
| AC-3 | Block unauthorized access | Enforce RBAC and namespace isolation |
|
||||
| AC-6 | Least privilege | Block privileged containers and host access |
|
||||
| CM-2 | Baseline configuration | Require resource limits and labels |
|
||||
| CM-6 | Configuration settings | Enforce approved image registries |
|
||||
| SI-7 | Software integrity | Require image signatures and digests |
|
||||
|
||||
## CIS Kubernetes Benchmark Mapping
|
||||
|
||||
- 5.1.1: Ensure RBAC is enabled → OPA can enforce RBAC policies
|
||||
- 5.2.1: Minimize privileged containers → K8sBlockPrivileged constraint
|
||||
- 5.2.2: Minimize host namespace sharing → Block hostNetwork/hostPID
|
||||
- 5.2.5: Ensure allowPrivilegeEscalation is false → OPA constraint
|
||||
- 5.7.1: Create administrative boundaries between resources → Namespace policies
|
||||
|
||||
## OWASP Kubernetes Security Cheat Sheet
|
||||
|
||||
- Enforce Pod Security Standards via admission control
|
||||
- Restrict container capabilities using OPA policies
|
||||
- Enforce network policies and resource quotas
|
||||
- Validate image provenance and signatures
|
||||
@@ -0,0 +1,55 @@
|
||||
# Workflow Reference: Policy as Code with OPA
|
||||
|
||||
## Policy Lifecycle
|
||||
|
||||
```
|
||||
Author Rego Policy
|
||||
│
|
||||
▼
|
||||
┌──────────────────┐
|
||||
│ Unit Test with │
|
||||
│ OPA test │
|
||||
└──────┬───────────┘
|
||||
│
|
||||
▼
|
||||
┌──────────────────┐
|
||||
│ Integration Test │
|
||||
│ with conftest │
|
||||
└──────┬───────────┘
|
||||
│
|
||||
▼
|
||||
┌──────────────────┐
|
||||
│ Deploy to Cluster│
|
||||
│ (warn mode) │
|
||||
└──────┬───────────┘
|
||||
│
|
||||
▼
|
||||
┌──────────────────┐
|
||||
│ Monitor + Triage │
|
||||
│ Violations │
|
||||
└──────┬───────────┘
|
||||
│
|
||||
▼
|
||||
┌──────────────────┐
|
||||
│ Switch to deny │
|
||||
│ mode │
|
||||
└──────────────────┘
|
||||
```
|
||||
|
||||
## OPA/Gatekeeper Architecture
|
||||
|
||||
```
|
||||
API Request → Kubernetes API Server → Gatekeeper Webhook
|
||||
│
|
||||
┌──────┴──────┐
|
||||
│ OPA Engine │
|
||||
│ (Rego eval) │
|
||||
└──────┬──────┘
|
||||
│
|
||||
┌──────┴──────┐
|
||||
│ Constraint │
|
||||
│ Templates │
|
||||
└──────┬──────┘
|
||||
│
|
||||
Allow / Deny
|
||||
```
|
||||
Reference in New Issue
Block a user