mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 21:49:40 +03:00
Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
This commit is contained in:
+157
-15
@@ -1,27 +1,169 @@
|
||||
# API Reference: Kubernetes Pod Security Admission audit
|
||||
# API Reference: Kubernetes Pod Security Admission Controller
|
||||
|
||||
## API Endpoints
|
||||
CoreV1Api: list_namespace(), labels: pod-security.kubernetes.io/enforce, baseline/restricted
|
||||
## Libraries Used
|
||||
|
||||
| Library | Purpose |
|
||||
|---------|---------|
|
||||
| `kubernetes` | Official Kubernetes Python client for cluster API access |
|
||||
| `json` | Parse and format admission review payloads |
|
||||
| `yaml` | Read and write Pod Security Standard label configurations |
|
||||
|
||||
## Installation
|
||||
|
||||
```bash
|
||||
pip install kubernetes
|
||||
pip install kubernetes pyyaml
|
||||
```
|
||||
|
||||
## Libraries
|
||||
|
||||
| Library | Use |
|
||||
|---------|-----|
|
||||
| `kubernetes` | kubernetes SDK/client |
|
||||
|
||||
## Authentication
|
||||
|
||||
| Method | Header |
|
||||
|--------|--------|
|
||||
| Bearer Token | `Authorization: Bearer <token>` |
|
||||
| API Key | `X-API-Key: <key>` |
|
||||
```python
|
||||
from kubernetes import client, config
|
||||
|
||||
# In-cluster (running inside a pod)
|
||||
config.load_incluster_config()
|
||||
|
||||
# Local kubeconfig
|
||||
config.load_kube_config(context="my-cluster")
|
||||
|
||||
v1 = client.CoreV1Api()
|
||||
```
|
||||
|
||||
## Pod Security Standards Levels
|
||||
|
||||
| Level | Description |
|
||||
|-------|-------------|
|
||||
| `privileged` | Unrestricted — no restrictions applied |
|
||||
| `baseline` | Minimally restrictive — prevents known privilege escalation |
|
||||
| `restricted` | Heavily restricted — follows hardening best practices |
|
||||
|
||||
## Namespace Label API
|
||||
|
||||
Pod Security Admission is configured via namespace labels:
|
||||
|
||||
| Label | Purpose |
|
||||
|-------|---------|
|
||||
| `pod-security.kubernetes.io/enforce` | Reject pods that violate the policy |
|
||||
| `pod-security.kubernetes.io/enforce-version` | Pin policy to specific k8s version |
|
||||
| `pod-security.kubernetes.io/audit` | Log violations in audit log |
|
||||
| `pod-security.kubernetes.io/audit-version` | Pin audit policy version |
|
||||
| `pod-security.kubernetes.io/warn` | Show warnings to kubectl users |
|
||||
| `pod-security.kubernetes.io/warn-version` | Pin warning policy version |
|
||||
|
||||
## Core Operations
|
||||
|
||||
### List Namespaces with PSA Labels
|
||||
```python
|
||||
namespaces = v1.list_namespace()
|
||||
for ns in namespaces.items:
|
||||
labels = ns.metadata.labels or {}
|
||||
enforce = labels.get("pod-security.kubernetes.io/enforce", "none")
|
||||
audit = labels.get("pod-security.kubernetes.io/audit", "none")
|
||||
warn = labels.get("pod-security.kubernetes.io/warn", "none")
|
||||
print(f"{ns.metadata.name}: enforce={enforce} audit={audit} warn={warn}")
|
||||
```
|
||||
|
||||
### Apply PSA Labels to a Namespace
|
||||
```python
|
||||
body = {
|
||||
"metadata": {
|
||||
"labels": {
|
||||
"pod-security.kubernetes.io/enforce": "restricted",
|
||||
"pod-security.kubernetes.io/enforce-version": "latest",
|
||||
"pod-security.kubernetes.io/audit": "restricted",
|
||||
"pod-security.kubernetes.io/warn": "restricted",
|
||||
}
|
||||
}
|
||||
}
|
||||
v1.patch_namespace(name="production", body=body)
|
||||
```
|
||||
|
||||
### Audit All Namespaces for Missing PSA Labels
|
||||
```python
|
||||
def audit_psa_labels():
|
||||
findings = []
|
||||
namespaces = v1.list_namespace()
|
||||
for ns in namespaces.items:
|
||||
name = ns.metadata.name
|
||||
labels = ns.metadata.labels or {}
|
||||
if name in ("kube-system", "kube-public", "kube-node-lease"):
|
||||
continue
|
||||
enforce = labels.get("pod-security.kubernetes.io/enforce")
|
||||
if not enforce:
|
||||
findings.append({"namespace": name, "issue": "no enforce label"})
|
||||
elif enforce == "privileged":
|
||||
findings.append({"namespace": name, "issue": "enforce=privileged"})
|
||||
return findings
|
||||
```
|
||||
|
||||
### Check Pod Violations Against a Level
|
||||
```python
|
||||
def check_pod_security(namespace, level="restricted"):
|
||||
pods = v1.list_namespaced_pod(namespace=namespace)
|
||||
violations = []
|
||||
for pod in pods.items:
|
||||
for container in pod.spec.containers:
|
||||
sc = container.security_context
|
||||
if not sc:
|
||||
violations.append({
|
||||
"pod": pod.metadata.name,
|
||||
"container": container.name,
|
||||
"issue": "no securityContext defined",
|
||||
})
|
||||
continue
|
||||
if sc.privileged:
|
||||
violations.append({
|
||||
"pod": pod.metadata.name,
|
||||
"container": container.name,
|
||||
"issue": "privileged=true",
|
||||
})
|
||||
if sc.run_as_non_root is not True:
|
||||
violations.append({
|
||||
"pod": pod.metadata.name,
|
||||
"container": container.name,
|
||||
"issue": "runAsNonRoot not set",
|
||||
})
|
||||
caps = sc.capabilities
|
||||
if level == "restricted" and (not caps or not caps.drop or "ALL" not in caps.drop):
|
||||
violations.append({
|
||||
"pod": pod.metadata.name,
|
||||
"container": container.name,
|
||||
"issue": "capabilities.drop does not include ALL",
|
||||
})
|
||||
return violations
|
||||
```
|
||||
|
||||
## kubectl Equivalents
|
||||
|
||||
```bash
|
||||
# Label a namespace with restricted enforcement
|
||||
kubectl label namespace production \
|
||||
pod-security.kubernetes.io/enforce=restricted \
|
||||
pod-security.kubernetes.io/warn=restricted \
|
||||
--overwrite
|
||||
|
||||
# Dry-run to test impact before enforcing
|
||||
kubectl label --dry-run=server --overwrite namespace production \
|
||||
pod-security.kubernetes.io/enforce=restricted
|
||||
|
||||
# Check which namespaces have PSA labels
|
||||
kubectl get namespaces -L pod-security.kubernetes.io/enforce
|
||||
```
|
||||
|
||||
## Output Format
|
||||
|
||||
```json
|
||||
{"timestamp": "ISO-8601", "findings": [], "risk_level": "HIGH"}
|
||||
{
|
||||
"namespace": "production",
|
||||
"enforce_level": "restricted",
|
||||
"audit_level": "restricted",
|
||||
"warn_level": "restricted",
|
||||
"pod_violations": [
|
||||
{
|
||||
"pod": "legacy-app-7f8b9c",
|
||||
"container": "app",
|
||||
"issue": "privileged=true"
|
||||
}
|
||||
],
|
||||
"compliant": false
|
||||
}
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user