init

.opencode/skills/devops/references/kubernetes-security.md

@@ -0,0 +1,95 @@
+# Kubernetes Security
+
+## RBAC (Role-Based Access Control)
+
+### Role (namespace-scoped)
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: default
+  name: pod-reader
+rules:
+- apiGroups: [""]
+  resources: ["pods", "pods/log"]
+  verbs: ["get", "list", "watch"]
+```
+
+### RoleBinding
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: read-pods
+  namespace: default
+subjects:
+- kind: ServiceAccount
+  name: my-app-sa
+  namespace: default
+roleRef:
+  kind: Role
+  name: pod-reader
+  apiGroup: rbac.authorization.k8s.io
+```
+
+### Verify Permissions
+```bash
+kubectl auth can-i get pods --as=system:serviceaccount:default:my-sa
+kubectl get roles,rolebindings -n default
+```
+
+## Pod Security (Restricted)
+
+```yaml
+spec:
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    seccompProfile:
+      type: RuntimeDefault
+  containers:
+  - name: app
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop: ["ALL"]
+```
+
+Enable on namespace:
+```bash
+kubectl label namespace default \
+  pod-security.kubernetes.io/enforce=restricted
+```
+
+## Network Policies
+
+### Default Deny
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+spec:
+  podSelector: {}
+  policyTypes: [Ingress, Egress]
+```
+
+### Allow Specific
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-frontend-to-backend
+spec:
+  podSelector:
+    matchLabels: { app: backend }
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels: { app: frontend }
+    ports:
+    - { protocol: TCP, port: 8080 }
+```
+
+See `kubernetes-security-advanced.md` for secrets, ClusterRoles, and checklist.