Anthropic-Cybersecurity-Skills/skills/implementing-kubernetes-pod-security-standards/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

# API Reference: Implementing Kubernetes Pod Security Standards
## PSA Namespace Labels
```bash
# Apply restricted enforcement to an existing namespace.
# enforce rejects pods that violate the level on create/update; audit and warn
# only surface violations. Pods already running are not evicted, so they keep
# running until they are recreated (e.g. by a rollout).
kubectl label namespace production \
  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/audit=restricted \
  pod-security.kubernetes.io/warn=restricted --overwrite
# Tip: run the same command with --dry-run=server first. The request still goes
# through admission, so the API server warns about every existing pod that
# would be rejected, without changing any labels.
```
## Pod Security Standard Levels
| Level | Description | Blocks |
|-------|-------------|--------|
| Privileged | Unrestricted; intended only for system and infrastructure workloads | Nothing |
| Baseline | Minimally restrictive; prevents known privilege escalations while allowing most default pod configs | hostNetwork/hostPID/hostIPC, privileged containers, hostPath volumes, hostPorts, capabilities outside the Baseline allowlist, Unconfined seccomp |
| Restricted | Heavily restricted; current pod hardening best practice | Everything in Baseline, plus: runAsNonRoot required, allowPrivilegeEscalation=false, drop ALL capabilities (only NET_BIND_SERVICE may be added), seccompProfile must be set, volume types limited to a short allowlist |
## PSA Modes
| Mode | Behavior |
|------|----------|
| enforce | Reject violating pods (create/update is denied) |
| audit | Allow the pod, record the violation in the API server audit log |
| warn | Allow the pod, return a warning to the client (shown by kubectl) |

`enforce` is evaluated only on Pod objects: a Deployment whose pod template violates the level is accepted, but its ReplicaSet then fails to create pods. `warn` and `audit` also inspect the pod template of workload resources (Deployment, Job, etc.), so running all three modes together catches problems at apply time. Each mode can be pinned to a PSS version with `pod-security.kubernetes.io/<mode>-version` (default `latest`).
## Baseline Violations
| Field | Forbidden Value |
|-------|----------------|
| `spec.hostNetwork` | true |
| `spec.hostPID` | true |
| `spec.hostIPC` | true |
| `spec.volumes[*].hostPath` | any |
| `containers[*].securityContext.privileged` | true |
| `containers[*].securityContext.capabilities.add` | Any capability outside the Baseline allowlist (e.g. SYS_ADMIN, NET_ADMIN, NET_RAW) |
| `containers[*].ports[*].hostPort` | non-zero |
| `securityContext.seccompProfile.type` (pod or container) | Unconfined |

`containers[*]` here also covers `initContainers[*]` and `ephemeralContainers[*]`; PSA evaluates all three.
## Restricted Violations (adds to Baseline)
| Field | Required |
|-------|----------|
| `runAsNonRoot` (pod level, or every container) | true; a container may leave it unset only if the pod sets it to true. `runAsUser` must not be 0 |
| `containers[*].securityContext.allowPrivilegeEscalation` | false, set explicitly on every container (unset is rejected) |
| `containers[*].securityContext.capabilities.drop` | Must include ALL; `capabilities.add` may contain only NET_BIND_SERVICE |
| `seccompProfile.type` (pod level, or every container) | RuntimeDefault or Localhost (Unconfined or unset is rejected) |
| `spec.volumes[*]` | Only configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, secret |
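The Baseline and Restricted tables above are easy to misread in one respect: `runAsNonRoot`, `runAsUser` and `seccompProfile` may be set once at pod level and inherited, while `allowPrivilegeEscalation` and `capabilities` must be set on every container, including init and ephemeral ones. The following preflight checker is an added example (not code from the original page or from the Kubernetes project) that encodes both tables as plain Python over a manifest already loaded into a dict; the function names, messages and the two sample manifests are constructed for illustration, while the capability and volume-type allowlists are the ones documented for the Pod Security Standards.

```python
"""Offline preflight check of a pod manifest against the PSS Baseline and
Restricted rules. Added example, not code from the original page or from
Kubernetes: function names, messages and the sample manifests are constructed;
the allowlists are the documented Pod Security Standards ones."""
import json
import sys

# Capabilities Baseline lets a container add; SYS_ADMIN, NET_ADMIN, NET_RAW, ... are not here.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# Volume types Restricted permits (hostPath and the legacy in-tree types are out).
RESTRICTED_ALLOWED_VOLUMES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
SECCOMP_OK = {"RuntimeDefault", "Localhost"}

def _containers(spec):
    """PSA evaluates init, regular and ephemeral containers the same way."""
    return spec.get("initContainers", []) + spec.get("containers", []) + spec.get("ephemeralContainers", [])

def check_baseline(pod):
    spec, out = pod["spec"], []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field) is True:
            out.append(f"spec.{field}=true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            out.append(f"volume {vol['name']}: hostPath volumes are forbidden")
    if (spec.get("securityContext") or {}).get("seccompProfile", {}).get("type") == "Unconfined":
        out.append("spec.securityContext.seccompProfile.type=Unconfined")
    for c in _containers(spec):
        sc, name = c.get("securityContext") or {}, c["name"]
        if sc.get("privileged") is True:
            out.append(f"container {name}: privileged=true")
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if cap not in BASELINE_ALLOWED_CAPS:
                out.append(f"container {name}: capabilities.add {cap} not in Baseline allowlist")
        if (sc.get("seccompProfile") or {}).get("type") == "Unconfined":
            out.append(f"container {name}: seccompProfile.type=Unconfined")
        if any(p.get("hostPort") for p in c.get("ports", [])):
            out.append(f"container {name}: hostPort is forbidden")
    return out

def check_restricted(pod):
    """Restricted is every Baseline rule plus the hardening rows. Pod-level
    runAsNonRoot, runAsUser and seccompProfile apply to containers that do not override them."""
    spec, out = pod["spec"], check_baseline(pod)
    pod_sc = spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    for vol in spec.get("volumes", []):
        for vtype in sorted(set(vol) - {"name"}):
            if vtype not in RESTRICTED_ALLOWED_VOLUMES:
                out.append(f"volume {vol['name']}: type {vtype} not allowed by Restricted")
    for c in _containers(spec):
        sc, name = c.get("securityContext") or {}, c["name"]
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"container {name}: runAsNonRoot must be true at pod or container level")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            out.append(f"container {name}: runAsUser=0 is forbidden")
        if sc.get("allowPrivilegeEscalation") is not False:  # unset counts as a violation
            out.append(f"container {name}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            out.append(f"container {name}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add", [])) - {"NET_BIND_SERVICE"})
        if extra:
            out.append(f"container {name}: only NET_BIND_SERVICE may be added, got {extra}")
        if (sc.get("seccompProfile") or {}).get("type", pod_seccomp) not in SECCOMP_OK:
            out.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out

# Constructed sample manifests: one that satisfies Restricted, one typical "debug" pod that does not.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "web", "image": "nginxinc/nginx-unprivileged:1.27",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
                    "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}]}}
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"}, "spec": {
    "hostNetwork": True,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"runAsUser": 0, "capabilities": {"add": ["SYS_ADMIN", "CHOWN"]}}}]}}

if __name__ == "__main__":
    # Usage: python pss_check.py [pod.json]; without an argument the two samples are checked.
    pods = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 else [HARDENED_POD, WEAK_POD]
    for pod in pods:
        problems = check_restricted(pod)
        print(pod["metadata"]["name"], "passes restricted" if not problems else "violates restricted:")
        for p in problems:
            print("  -", p)
```

The hardened sample passes with no findings; the debug pod trips three Baseline rules (hostNetwork, hostPath, SYS_ADMIN) and seven more under Restricted, including `allowPrivilegeEscalation` being merely unset rather than false. Run it on `kubectl get pod -o json` output before labelling a namespace to see what enforcement would reject; it mirrors the rules but not the exact wording of the API server's messages.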
### References
- K8s PSS: https://kubernetes.io/docs/concepts/security/pod-security-standards/
- PSA: https://kubernetes.io/docs/concepts/security/pod-security-admission/
- Migrate from PSP: https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/