mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
c47eed6a64
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
1.6 KiB
1.6 KiB
Kubernetes RBAC Workflows
Workflow 1: New Team Onboarding
- Create dedicated namespace for the team
- Create ResourceQuota and LimitRange for the namespace
- Create NetworkPolicy to isolate namespace traffic
- Design Roles based on team member personas (admin, developer, viewer)
- Create RoleBindings mapped to OIDC groups
- Create dedicated service accounts for CI/CD
- Test access with
kubectl auth can-ifor each persona - Document namespace ownership and contact
Workflow 2: RBAC Audit
- List all ClusterRoleBindings:
kubectl get clusterrolebindings -o wide - Identify bindings to cluster-admin role
- Review each cluster-admin binding for necessity
- Check for wildcard permissions in custom roles
- Verify service accounts have minimum permissions
- Test pod escape scenarios (exec, privileged containers)
- Generate compliance report with findings
Workflow 3: Privilege Escalation Prevention
- Restrict who can create/modify Roles and RoleBindings
- Prevent escalate verb usage (only cluster-admin should have it)
- Block bind verb for non-admin users
- Prevent impersonate verb usage
- Use admission controllers (OPA Gatekeeper) for policy enforcement
- Monitor audit logs for RBAC modification attempts
Workflow 4: Service Account Hardening
- List all service accounts:
kubectl get sa --all-namespaces - Identify service accounts with ClusterRole bindings
- Remove unnecessary ClusterRoleBindings
- Set automountServiceAccountToken: false in namespace default SA
- Create per-application service accounts with minimum roles
- Use projected service account tokens with short expiry