From vanguard-frontier-agentic
Reviews Kyverno Kubernetes admission policies for security, correctness, and failure modes. Analyzes PolicyExceptions, ImageValidatingPolicy, and Kyverno-vs-native-CEL tradeoffs.
How this skill is triggered — by the user, by Claude, or both
Slash command
/vanguard-frontier-agentic:kyverno-policy-review

This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Review Kyverno policies and PolicyExceptions against admission correctness, supply chain integrity, blast radius, failure mode, and the Kyverno-vs-native-CEL architectural decision. Kyverno is the most widely deployed Kubernetes policy engine — every misconfigured policy is either a silent allow (security gap) or a silent deny (production outage).
- Pull the live policy objects (`kubectl get policies.kyverno.io,clusterpolicies,policies,validatingpolicies,mutatingpolicies,imagevalidatingpolicies,policyexceptions -A -o yaml`) when the active client exposes it; otherwise fall back to the official Kyverno documentation (kyverno.io) and sanitized YAML supplied by the user.
- Treat `failureAction: Audit` (or the legacy `validationFailureAction: audit`) on a production-relevant policy as a critical finding: admission violations become silent log lines and nothing is denied. Note that Audit is also Kyverno's default when neither field is set, so an unset action is the same finding.
- Treat every `PolicyException` as an audit-required artifact: each one is a documented bypass that must carry a name, a reason, and a reviewer, and its `match` scope should be the narrowest that still serves the exception.
- Flag `background: false` paired with no admission-time match scope: such a policy is evaluated neither on admission nor in background scans, so it never runs.
- Flag an `ImageValidatingPolicy` (or a `verifyImages` rule) with skip patterns, missing public keys, or `mutateDigest: false`: supply-chain attestations stop being enforced, or the admitted tag is no longer pinned to the verified digest and stops being immutable.
- Weigh native `ValidatingAdmissionPolicy` (CEL) against Kyverno for each validate rule: fewer moving parts and no Kyverno controller in the admission path, but it is validation-only, so image signature verification and resource generation stay in Kyverno.

Load these only when needed:
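The checks above can be run mechanically over the `-o json` form of the same `kubectl get` output. The script below is an added example, not code from the skill or from Kyverno: it walks a kubectl List of `ClusterPolicy` and `PolicyException` objects and emits the findings the checklist describes (Audit or unset failure action, a policy with `background: false` and `admission: false`, skip patterns, `mutateDigest: false`, missing attestors or key sources, and undocumented exceptions). Field names follow the `kyverno.io/v1` ClusterPolicy and `kyverno.io/v2` PolicyException schemas; the sample objects, the `policy-review/*` annotation keys, and the severity labels are this example's own assumptions.

```python
"""Review pass over `kubectl get clusterpolicies,policyexceptions -A -o json` output.

Added example, not code from the skill or from Kyverno. The sample objects and the
annotation keys required on exceptions are constructed for this example.
"""
import json

# Assumed annotation keys: the skill asks for a name, reason and reviewer on every
# exception, but Kyverno prescribes no keys, so these are this example's convention.
REQUIRED_EXCEPTION_ANNOTATIONS = ("policy-review/reason", "policy-review/reviewer")

# Constructed sample shaped like a kubectl `-o json` List of mixed kinds.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
     "metadata": {"name": "require-team-label"},
     "spec": {"validationFailureAction": "Audit", "background": True,
              "rules": [{"name": "check-team",
                         "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
                         "validate": {"message": "label team is required",
                                      "pattern": {"metadata": {"labels": {"team": "?*"}}}}}]}},
    {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
     "metadata": {"name": "require-team-label-enforced"},
     "spec": {"rules": [{"name": "check-team",
                         "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
                         "validate": {"failureAction": "Enforce",
                                      "pattern": {"metadata": {"labels": {"team": "?*"}}}}}]}},
    {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
     "metadata": {"name": "verify-image-signatures"},
     "spec": {"validationFailureAction": "Enforce", "background": False, "admission": False,
              "rules": [{"name": "cosign",
                         "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
                         "verifyImages": [{"imageReferences": ["registry.example/*"],
                                           "skipImageReferences": ["registry.example/legacy/*"],
                                           "mutateDigest": False, "attestors": []}]}]}},
    {"apiVersion": "kyverno.io/v2", "kind": "PolicyException",
     "metadata": {"name": "allow-unlabelled-legacy", "namespace": "legacy"},
     "spec": {"exceptions": [{"policyName": "require-team-label", "ruleNames": ["check-team"]}],
              "match": {"any": [{"resources": {"kinds": ["Pod"], "namespaces": ["legacy"]}}]}}},
]})


def effective_failure_action(spec, rule):
    """Per-rule failureAction (Kyverno 1.13+) wins over the legacy spec-level field.
    Kyverno defaults to Audit when neither is set, so 'unset' is itself a finding."""
    action = rule.get("validate", {}).get("failureAction") or spec.get("validationFailureAction")
    return (action or "Audit").lower()


def review_policy(obj, findings):
    name = f'{obj["kind"]}/{obj["metadata"]["name"]}'
    spec = obj.get("spec", {})
    # Evaluated neither on admission nor in background scans: the policy never runs.
    if spec.get("background", True) is False and spec.get("admission", True) is False:
        findings.append(("HIGH", name, "background: false and admission: false - policy never runs"))
    for rule in spec.get("rules", []):
        rname = f'{name} rule={rule.get("name")}'
        if ("validate" in rule or "verifyImages" in rule) and effective_failure_action(spec, rule) == "audit":
            findings.append(("CRITICAL", rname, "failure action is Audit - violations become log lines, nothing is denied"))
        for vi in rule.get("verifyImages", []):
            if vi.get("skipImageReferences"):
                findings.append(("HIGH", rname, f'skipImageReferences bypasses verification for {vi["skipImageReferences"]}'))
            if vi.get("mutateDigest", True) is False:
                findings.append(("HIGH", rname, "mutateDigest: false - verified tag is not pinned to its digest"))
            attestors = vi.get("attestors") or []
            if not attestors:
                findings.append(("CRITICAL", rname, "verifyImages rule has no attestors - nothing is verified"))
            for attestor in attestors:
                for entry in attestor.get("entries", []):
                    keys = entry.get("keys")
                    if keys is not None and not any(k in keys for k in ("publicKeys", "kms", "secret")):
                        findings.append(("CRITICAL", rname, "keys attestor with no key source"))


def review_exception(obj, findings):
    meta = obj["metadata"]
    name = f'PolicyException/{meta.get("namespace", "")}/{meta["name"]}'
    annotations = meta.get("annotations") or {}
    missing = [k for k in REQUIRED_EXCEPTION_ANNOTATIONS if not annotations.get(k)]
    if missing:
        findings.append(("HIGH", name, f"undocumented bypass - missing annotations {missing}"))
    targets = [f'{e["policyName"]}:{",".join(e.get("ruleNames", []))}' for e in obj["spec"].get("exceptions", [])]
    findings.append(("INFO", name, f"exempts {targets}; confirm spec.match is the narrowest scope that works"))


def review(kubectl_json):
    """Review a kubectl `-o json` List; returns (severity, object, message) tuples."""
    findings = []
    for obj in json.loads(kubectl_json).get("items", []):
        if obj["kind"] in ("ClusterPolicy", "Policy"):
            review_policy(obj, findings)
        elif obj["kind"] == "PolicyException":
            review_exception(obj, findings)
    return findings


if __name__ == "__main__":
    for severity, target, message in review(SAMPLE):
        print(f"[{severity}] {target}: {message}")
```

Run it as-is to see the findings for the constructed sample, or pipe real output in with `python3 review.py < <(kubectl get clusterpolicies,policyexceptions -A -o json)` after swapping `SAMPLE` for `sys.stdin.read()`. The `require-team-label-enforced` object produces no finding because its rule-level `failureAction: Enforce` overrides the unset (Audit) default; the first policy, identical except for the action, is the critical case.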
Return, at minimum:
- Audit vs Enforce) and whether it matches the production posture,

Install: `npx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agentic`

Related skills:

Implements policy-as-code enforcement using OPA Gatekeeper or Kyverno to validate and mutate Kubernetes resources. Use for enforcing resource standards, preventing security misconfigurations, and CI/CD shift-left validation.
Implements Open Policy Agent and Gatekeeper for policy-as-code enforcement in Kubernetes, covering Rego policies, admission control, and CI/CD integration.
Reviews Kubernetes Pod Security Admission posture including namespace label profiles (privileged/baseline/restricted), enforce/audit/warn modes, version pinning, and PodSecurityPolicy migration. Activated when the user asks about safety of label changes, workload profile compliance, or mode promotion.