---
name: k8s-security
description: Audit Kubernetes RBAC, enforce policies, and manage secrets. Use for security reviews, permission audits, policy enforcement with Kyverno/Gatekeeper, and secret management.
license: Apache-2.0
metadata:
  author: rohitg00
  version: "1.0.0"
  tools: 10
  category: security
---
# Kubernetes Security
Security auditing, RBAC management, and policy enforcement using kubectl-mcp-server tools.
## When to Apply
Use this skill when:
- User mentions: "security", "RBAC", "permissions", "policy", "audit", "secrets"
- Operations: security review, permission check, policy enforcement
- Keywords: "who can", "access control", "compliance", "vulnerable"
## Priority Rules
| Priority | Rule | Impact | Tools |
|----------|------|--------|-------|
| 1 | Check cluster-admin bindings first | CRITICAL | `get_cluster_role_bindings` |
| 2 | Audit secrets access permissions | CRITICAL | Review role rules |
| 3 | Verify network isolation | HIGH | `get_network_policies` |
| 4 | Check policy compliance | HIGH | `kyverno_*`, `gatekeeper_*` |
| 5 | Review pod security contexts | MEDIUM | `describe_pod` |
## Quick Reference
| Task | Tool | Example |
|------|------|---------|
| List roles | `get_roles` | `get_roles(namespace)` |
| Cluster roles | `get_cluster_roles` | `get_cluster_roles()` |
| Role bindings | `get_role_bindings` | `get_role_bindings(namespace)` |
| Service accounts | `get_service_accounts` | `get_service_accounts(namespace)` |
| Kyverno policies | `kyverno_clusterpolicies_list_tool` | `kyverno_clusterpolicies_list_tool()` |
## RBAC Auditing
### List Roles and Bindings
```python
get_roles(namespace)            # namespaced Roles
get_cluster_roles()             # cluster-wide ClusterRoles
get_role_bindings(namespace)    # who is bound to Roles in this namespace
get_cluster_role_bindings()     # who is bound cluster-wide (check cluster-admin first)
```
### Check Service Account Permissions
```python
get_service_accounts(namespace)
```
### Common RBAC Patterns
| Pattern | Risk Level | Check |
|---------|-----------|-------|
| cluster-admin binding | Critical | `get_cluster_role_bindings()` |
| Wildcard verbs (*) | High | Review role rules |
| secrets access | High | Check get/list on secrets |
| pods/exec | High | Check for create on pods/exec; grants shell access to running containers |
See [RBAC-PATTERNS.md](RBAC-PATTERNS.md) for detailed patterns and remediation.
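As an added example that is not part of kubectl-mcp-server or its audit script, the following Python flags the patterns in the table above (plus wildcard resources) across Role/ClusterRole and binding objects in the shape of the Kubernetes RBAC API; the sample objects are constructed, and in practice the input would come from the `get_*roles` and `get_*role_bindings` tools.

```python
# Added example (not kubectl-mcp-server code): flag the risky RBAC patterns above.
def rule_findings(rule):
    """Return (risk, reason) pairs for one RBAC rule dict."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    findings = []
    if "*" in verbs or "*" in resources:
        findings.append(("High", "wildcard verbs or resources"))
    if resources & {"secrets", "*"} and verbs & {"get", "list", "watch", "*"}:
        findings.append(("High", "read access to secrets"))
    if resources & {"pods/exec", "*"} and verbs & {"create", "*"}:
        findings.append(("High", "pods/exec allows container access"))
    return findings

def audit(roles, bindings):
    """Map each binding's subjects to the findings of the role it grants."""
    # Roles are namespaced, ClusterRoles are not: key on (kind, namespace, name).
    by_key = {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]): r
              for r in roles}
    report = []
    for b in bindings:
        ref, ns = b["roleRef"], b["metadata"].get("namespace", "")
        subjects = [f'{s["kind"]}/{s["name"]}' for s in b.get("subjects", [])]
        # Critical pattern: any ClusterRoleBinding to the built-in cluster-admin role.
        if b["kind"] == "ClusterRoleBinding" and ref["name"] == "cluster-admin":
            report.append(("Critical", "cluster-admin binding", subjects))
        key = (ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"])
        for rule in by_key.get(key, {}).get("rules", []):
            for risk, reason in rule_findings(rule):
                report.append((risk, f'{ref["name"]}: {reason}', subjects))
    return report

# Constructed sample objects (not from a real cluster).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "debugger", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets", "namespace": "prod"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "prod"}]},
    {"kind": "RoleBinding", "metadata": {"name": "debug", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "debugger"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]
```

Running `audit(SAMPLE_ROLES, SAMPLE_BINDINGS)` yields one Critical finding for the cluster-admin binding and one High finding each for the secrets reader and the pods/exec role.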
## Policy Enforcement
### Kyverno Policies
```python
kyverno_policies_list_tool(namespace)
kyverno_clusterpolicies_list_tool()
kyverno_policy_get_tool(name, namespace)
```
### OPA Gatekeeper
```python
gatekeeper_constraints_list_tool()
gatekeeper_constraint_get_tool(kind, name)
gatekeeper_templates_list_tool()
```
### Common Policies to Enforce
| Policy | Purpose |
|--------|---------|
| Disallow privileged | Prevent root containers |
| Require resource limits | Prevent resource exhaustion |
| Restrict host namespaces | Isolate from node |
| Require labels | Ensure metadata |
| Allowed registries | Control image sources |
## Secret Management
### List Secrets
```python
get_secrets(namespace)
```
### Secret Best Practices
1. Use external secret managers (Vault, AWS Secrets Manager)
2. Encrypt secrets at rest (EncryptionConfiguration)
3. Limit secret access via RBAC
4. Rotate secrets regularly
## Network Policies
### List Policies
```python
get_network_policies(namespace)
```
### Cilium Network Policies
```python
cilium_policies_list_tool(namespace)
cilium_policy_get_tool(name, namespace)
```
### Default Deny Template
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```
Because this denies all egress too, pair it with an explicit allow rule for DNS (kube-dns) and any required upstream services before applying it to a namespace.
## Security Scanning Workflow
1. **RBAC Audit**
```python
get_cluster_role_bindings()
get_roles(namespace)
```
2. **Policy Compliance**
```python
kyverno_clusterpolicies_list_tool()
gatekeeper_constraints_list_tool()
```
3. **Network Isolation**
```python
get_network_policies(namespace)
cilium_endpoints_list_tool(namespace)
```
4. **Pod Security**
```python
get_pods(namespace)
describe_pod(name, namespace)
```
## Multi-Cluster Security
Audit across clusters:
```python
get_cluster_role_bindings(context="production")
get_cluster_role_bindings(context="staging")
```
## Automated Audit Script
For a comprehensive security audit, see [scripts/audit-rbac.py](scripts/audit-rbac.py).
## Related Tools
- RBAC: `get_roles`, `get_cluster_roles`, `get_role_bindings`
- Policy: `kyverno_*`, `gatekeeper_*`
- Network: `get_network_policies`, `cilium_policies_*`
- Istio: `istio_authorizationpolicies_list_tool`, `istio_peerauthentications_list_tool`
## Related Skills
- [k8s-policy](../k8s-policy/SKILL.md) - Policy management
- [k8s-cilium](../k8s-cilium/SKILL.md) - Cilium network security