Stats

Actions

Tags

kubernetes-pod-security-admission-review |…

Skill

kubernetes-pod-security-admission-review

From vanguard-frontier-agentic

Reviews Kubernetes Pod Security Admission posture including namespace label profiles (privileged/baseline/restricted), enforce/audit/warn modes, version pinning, and PodSecurityPolicy migration. Activated when the user asks about safety of label changes, workload profile compliance, or mode promotion.

Popularity

Stars

18

Forks

2

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/vanguard-frontier-agentic:kubernetes-pod-security-admission-review

User invocable

Model invocable

Inline context

Default effort

Tool Access

This skill is limited to the following tools:

ReadGrepGlob

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Review the Kubernetes Pod Security Admission posture: namespace labels for `pod-security.kubernetes.io/enforce`, `audit`, and `warn`, the chosen profile (`privileged`, `baseline`, `restricted`), version pinning, and exemptions. PSA replaced the deprecated PodSecurityPolicy in Kubernetes 1.25. It is the foundation for any admission-time security story — Kyverno, OPA Gatekeeper, and other policy ...

Supporting Files

metadata.jsonreferences/mcp-and-evidence.mdreferences/official-sources.mdreferences/workflow-and-output.md

SKILL.md

47 lines · ~896 tokens

Stats

LanguagePython

Stars18

Forks2

MaintenanceExcellent

Last CommitJun 15, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

pod-security-admission

kubernetes-security

namespace-labels

podsecuritypolicy-migration

Kubernetes Pod Security Admission Review

Purpose

Review the Kubernetes Pod Security Admission posture: namespace labels for pod-security.kubernetes.io/enforce, audit, and warn, the chosen profile (privileged, baseline, restricted), version pinning, and exemptions. PSA replaced the deprecated PodSecurityPolicy in Kubernetes 1.25. It is the foundation for any admission-time security story — Kyverno, OPA Gatekeeper, and other policy engines layer on top of (or alongside) PSA, not as replacements.

Lean operating rules

Prefer live cluster evidence (kubectl get namespaces --show-labels plus kubectl get pods -n <ns> -o yaml) when the active client exposes it; otherwise fall back to official Kubernetes documentation and sanitized YAML.
Separate confirmed facts from inference. If namespace labels, cluster admission configuration, or running pod security context state was not queried, say so.
Treat a production namespace with enforce: privileged as a critical finding — the most permissive profile is enabled in a tier where nothing should be running with host access, privilege escalation, or capabilities.
Treat a production namespace with no PSA label at all as a critical finding — the cluster default applies, which is privileged unless the cluster admin set a different default in AdmissionConfiguration.
Challenge namespaces with audit/warn set but enforce missing — security violations are only logged, not blocked.
Challenge enforce-version: latest — every Kubernetes upgrade can change profile semantics; pin to a specific minor.
Challenge kube-system and operator namespaces excluded from PSA without documentation of which workloads require privileged access.
Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.

References

Load these only when needed:

Evidence path and tooling — use when choosing live evidence, confirming cluster admission configuration, or switching to documentation mode.
Workflow and output contract — use when executing the full review, applying profile-by-profile stress checks, or formatting the final answer.
Official sources — use when you need the detailed Kubernetes documentation list and grounded insights.

Response minimum

Return, at minimum:

the scoped target (specific namespace, set of namespaces, or cluster default) and evidence level,
the active profile (privileged / baseline / restricted) and active mode (enforce / audit / warn),
whether currently-running pods would still admit at the proposed profile,
the exemption posture (cluster AdmissionConfiguration exemptions, namespace label override),
the safest next actions and rollback plan,
the assumptions or blockers that prevent stronger conclusions.