From vanguard-frontier-agentic
Reviews Cilium network policies across Kubernetes NetworkPolicy, CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy and CiliumEgressGatewayPolicy. Detects overly broad rules, missing default-deny, L7 enforcement issues, ClusterMesh semantics, and egress IP collisions.
Trigger: the slash command /vanguard-frontier-agentic:cilium-network-policy-review, invoked by the user or auto-loaded by Claude from the summary below.
Summary shown in Claude's skill listing (used to decide when to auto-load this skill):
Review Cilium policy resources against zero-trust correctness, blast radius, and the operational traps unique to eBPF-backed networking. Cilium's policy surface is broader than native Kubernetes NetworkPolicy — CiliumNetworkPolicy adds L7 rules, FQDN matching, ICMP control, and identity-based selectors; CiliumClusterwideNetworkPolicy applies cluster-wide; CiliumEgressGatewayPolicy controls SNAT egress IPs; and policy-default-local-cluster changes how policy evaluates across ClusterMesh.
Gather evidence from the live cluster (kubectl get networkpolicies,ciliumnetworkpolicies,ciliumclusterwidenetworkpolicies,ciliumegressgatewaypolicies -A -o yaml, cilium policy get, cilium clustermesh inspect-policy-default-local-cluster, and Hubble flow observation) when the active client exposes it; otherwise fall back to official Cilium documentation (docs.cilium.io) and sanitized YAML.
Findings to flag:
- A namespace with no default-deny NetworkPolicy is a critical finding: pods become reachable from any source/destination unless another policy provides isolation.
- CiliumNetworkPolicy egress with toCIDRSet: [{cidr: 0.0.0.0/0}] and no except list for sensitive CIDRs is a critical finding: unrestricted egress is a documented data exfiltration path.
- Changing policy-default-local-cluster in an existing ClusterMesh deployment is a critical blast-radius finding: every existing policy's cross-cluster semantics flip simultaneously.
- CiliumEgressGatewayPolicy resources that reuse the same egressIP in two policies: silent connection breakage when both match.
- L7 rules in a CiliumNetworkPolicy for namespaces where the Envoy proxy is not enabled: L7 fields require the proxy.
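Four of the checks above (missing default-deny, open egress CIDR, shared egressIP, L7 rules without the proxy) can be run mechanically over the JSON that `kubectl get <kinds> -A -o json` returns. The block below is an added example written for this page; it is not code from the vanguard-frontier-agentic skill or from Cilium. The manifests embedded in it are constructed, and the `l7_proxy_enabled` parameter is an assumption standing in for reading the cluster's `enable-l7-proxy` setting from the cilium-config ConfigMap. The policy-default-local-cluster flip is a configuration change rather than a manifest property and is not covered here.

```python
"""Static review of Cilium policy manifests for the findings listed above.

Added example for this page, not code from the vanguard-frontier-agentic skill.
Input is the JSON that `kubectl get <kinds> -A -o json` returns (a List with
`items`); SAMPLE below is constructed, and `l7_proxy_enabled` is an assumption
standing in for the cluster's `enable-l7-proxy` setting.
"""
import json
from collections import defaultdict

ANY_CIDR = {"0.0.0.0/0", "::/0"}
CILIUM_POLICY_KINDS = {"CiliumNetworkPolicy", "CiliumClusterwideNetworkPolicy"}


def is_default_deny(item):
    """True if the policy selects every pod in its namespace and allows nothing.

    Native form: empty podSelector, policyTypes Ingress+Egress, no rules.
    Cilium form: empty endpointSelector with `ingress: [{}]` and `egress: [{}]`.
    """
    spec = item.get("spec", {})
    if item["kind"] == "NetworkPolicy":
        return (spec.get("podSelector") == {}
                and set(spec.get("policyTypes", [])) == {"Ingress", "Egress"}
                and not spec.get("ingress") and not spec.get("egress"))
    if item["kind"] == "CiliumNetworkPolicy":
        return (spec.get("endpointSelector") == {}
                and spec.get("ingress") == [{}] and spec.get("egress") == [{}])
    return False


def l7_rule_count(spec):
    """Count toPorts entries that carry L7 `rules` (http, kafka, dns, ...)."""
    return sum(1 for direction in ("ingress", "egress")
               for rule in spec.get(direction) or []
               for port in rule.get("toPorts") or []
               if port.get("rules"))


def open_egress_cidrs(spec):
    """Egress toCIDR/toCIDRSet entries that match everything and carry no except list."""
    found = []
    for rule in spec.get("egress") or []:
        found += [c for c in rule.get("toCIDR") or [] if c in ANY_CIDR]
        found += [c["cidr"] for c in rule.get("toCIDRSet") or []
                  if c.get("cidr") in ANY_CIDR and not c.get("except")]
    return found


def review(manifest_json, l7_proxy_enabled=True):
    """Return (severity, object, message) findings for a kubectl List document."""
    items = json.loads(manifest_json)["items"]
    findings, namespaces, deny_namespaces = [], set(), set()
    egress_ips = defaultdict(list)  # egressIP -> policies that claim it

    for item in items:
        kind, meta, spec = item["kind"], item["metadata"], item.get("spec", {})
        ns = meta.get("namespace")
        name = f"{kind}/{ns + '/' if ns else ''}{meta['name']}"
        if ns:
            namespaces.add(ns)
            if is_default_deny(item):
                deny_namespaces.add(ns)
        if kind in CILIUM_POLICY_KINDS:
            for cidr in open_egress_cidrs(spec):
                findings.append(("critical", name,
                                 f"egress to {cidr} with no except list: unrestricted egress"))
            n_l7 = l7_rule_count(spec)
            if n_l7 and not l7_proxy_enabled:
                findings.append(("critical", name,
                                 f"{n_l7} L7 rule(s) but the Envoy proxy is disabled"))
        if kind == "CiliumEgressGatewayPolicy":
            ip = spec.get("egressGateway", {}).get("egressIP")
            if ip:
                egress_ips[ip].append(name)

    # Namespace-level and cross-policy checks need the whole set of items.
    for ns in sorted(namespaces - deny_namespaces):
        findings.append(("critical", f"namespace/{ns}",
                         "no default-deny policy: pods reachable from any source/destination"))
    for ip, names in sorted(egress_ips.items()):
        if len(names) > 1:
            findings.append(("critical", ", ".join(names),
                             f"egressIP {ip} shared by {len(names)} policies: silent breakage when both match"))
    return findings


# Constructed sample in kubectl List shape: one hardened namespace, one sloppy one,
# and two egress gateway policies colliding on an egressIP.
SAMPLE = json.dumps({"items": [
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "CiliumNetworkPolicy", "metadata": {"name": "allow-internet", "namespace": "payments"},
     "spec": {"endpointSelector": {"matchLabels": {"app": "gateway"}},
              "egress": [{"toCIDRSet": [{"cidr": "0.0.0.0/0",
                                         "except": ["10.0.0.0/8", "169.254.169.254/32"]}]}]}},
    {"kind": "CiliumNetworkPolicy", "metadata": {"name": "allow-all-out", "namespace": "scratch"},
     "spec": {"endpointSelector": {}, "egress": [{"toCIDRSet": [{"cidr": "0.0.0.0/0"}]}]}},
    {"kind": "CiliumNetworkPolicy", "metadata": {"name": "api-l7", "namespace": "scratch"},
     "spec": {"endpointSelector": {"matchLabels": {"app": "api"}},
              "ingress": [{"toPorts": [{"ports": [{"port": "8080", "protocol": "TCP"}],
                                        "rules": {"http": [{"method": "GET", "path": "/healthz"}]}}]}]}},
    {"kind": "CiliumEgressGatewayPolicy", "metadata": {"name": "egw-a"},
     "spec": {"destinationCIDRs": ["0.0.0.0/0"], "egressGateway": {"egressIP": "192.0.2.10"}}},
    {"kind": "CiliumEgressGatewayPolicy", "metadata": {"name": "egw-b"},
     "spec": {"destinationCIDRs": ["0.0.0.0/0"], "egressGateway": {"egressIP": "192.0.2.10"}}},
]})

if __name__ == "__main__":
    for severity, obj, msg in review(SAMPLE, l7_proxy_enabled=False):
        print(f"[{severity}] {obj}: {msg}")
```

Against the constructed sample with the proxy disabled, `review` reports four findings: the unrestricted egress and the L7 rule in `scratch`, the missing default-deny for `scratch`, and the egressIP collision between the two gateway policies; `payments` is clean because its wide CIDR carries an except list and the namespace has a default-deny. The default-deny check only credits the native NetworkPolicy form and Cilium's documented empty-rule form, so a namespace isolated by some other construction would still be flagged and needs a manual look.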
Return, at minimum:
- the scope of each policy reviewed (namespace NetworkPolicy, namespace CiliumNetworkPolicy, cluster-wide CiliumClusterwideNetworkPolicy, CiliumEgressGatewayPolicy) and its evidence level,
- cross-cluster evaluation findings (policy-default-local-cluster semantics).
Install: npx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agentic