style: format all files with prettier

plugins/kubernetes-operations/skills/k8s-security-policies/SKILL.md

@@ -23,6 +23,7 @@ Implement defense-in-depth security for Kubernetes clusters using network polici
 ## Pod Security Standards
 
 ### 1. Privileged (Unrestricted)
+
 ```yaml
 apiVersion: v1
 kind: Namespace
@@ -35,6 +36,7 @@ metadata:
 ```
 
 ### 2. Baseline (Minimally restrictive)
+
 ```yaml
 apiVersion: v1
 kind: Namespace
@@ -47,6 +49,7 @@ metadata:
 ```
 
 ### 3. Restricted (Most restrictive)
+
 ```yaml
 apiVersion: v1
 kind: Namespace
@@ -61,6 +64,7 @@ metadata:
 ## Network Policies
 
 ### Default Deny All
+
 ```yaml
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -70,11 +74,12 @@ metadata:
 spec:
   podSelector: {}
   policyTypes:
-  - Ingress
-  - Egress
+    - Ingress
+    - Egress
 ```
 
 ### Allow Frontend to Backend
+
 ```yaml
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -86,18 +91,19 @@ spec:
     matchLabels:
       app: backend
   policyTypes:
-  - Ingress
+    - Ingress
   ingress:
-  - from:
-    - podSelector:
-        matchLabels:
-          app: frontend
-    ports:
-    - protocol: TCP
-      port: 8080
+    - from:
+        - podSelector:
+            matchLabels:
+              app: frontend
+      ports:
+        - protocol: TCP
+          port: 8080
 ```
 
 ### Allow DNS
+
 ```yaml
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -107,15 +113,15 @@ metadata:
 spec:
   podSelector: {}
   policyTypes:
-  - Egress
+    - Egress
   egress:
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          name: kube-system
-    ports:
-    - protocol: UDP
-      port: 53
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              name: kube-system
+      ports:
+        - protocol: UDP
+          port: 53
 ```
 
 **Reference:** See `assets/network-policy-template.yaml`
@@ -123,6 +129,7 @@ spec:
 ## RBAC Configuration
 
 ### Role (Namespace-scoped)
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -130,24 +137,26 @@ metadata:
   name: pod-reader
   namespace: production
 rules:
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "watch", "list"]
 ```
 
 ### ClusterRole (Cluster-wide)
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: secret-reader
 rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
 ```
 
 ### RoleBinding
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -155,12 +164,12 @@ metadata:
   name: read-pods
   namespace: production
 subjects:
-- kind: User
-  name: jane
-  apiGroup: rbac.authorization.k8s.io
-- kind: ServiceAccount
-  name: default
-  namespace: production
+  - kind: User
+    name: jane
+    apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: default
+    namespace: production
 roleRef:
   kind: Role
   name: pod-reader
@@ -172,6 +181,7 @@ roleRef:
 ## Pod Security Context
 
 ### Restricted Pod
+
 ```yaml
 apiVersion: v1
 kind: Pod
@@ -185,19 +195,20 @@ spec:
     seccompProfile:
       type: RuntimeDefault
   containers:
-  - name: app
-    image: myapp:1.0
-    securityContext:
-      allowPrivilegeEscalation: false
-      readOnlyRootFilesystem: true
-      capabilities:
-        drop:
-        - ALL
+    - name: app
+      image: myapp:1.0
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        capabilities:
+          drop:
+            - ALL
 ```
 
 ## Policy Enforcement with OPA Gatekeeper
 
 ### ConstraintTemplate
+
 ```yaml
 apiVersion: templates.gatekeeper.sh/v1
 kind: ConstraintTemplate
@@ -230,6 +241,7 @@ spec:
 ```
 
 ### Constraint
+
 ```yaml
 apiVersion: constraints.gatekeeper.sh/v1beta1
 kind: K8sRequiredLabels
@@ -247,6 +259,7 @@ spec:
 ## Service Mesh Security (Istio)
 
 ### PeerAuthentication (mTLS)
+
 ```yaml
 apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
@@ -259,6 +272,7 @@ spec:
 ```
 
 ### AuthorizationPolicy
+
 ```yaml
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
@@ -271,9 +285,9 @@ spec:
       app: backend
   action: ALLOW
   rules:
-  - from:
-    - source:
-        principals: ["cluster.local/ns/production/sa/frontend"]
+    - from:
+        - source:
+            principals: ["cluster.local/ns/production/sa/frontend"]
 ```
 
 ## Best Practices
@@ -292,6 +306,7 @@ spec:
 ## Compliance Frameworks
 
 ### CIS Kubernetes Benchmark
+
 - Use RBAC authorization
 - Enable audit logging
 - Use Pod Security Standards
@@ -300,6 +315,7 @@ spec:
 - Enable node authentication
 
 ### NIST Cybersecurity Framework
+
 - Implement defense in depth
 - Use network segmentation
 - Configure security monitoring
@@ -309,6 +325,7 @@ spec:
 ## Troubleshooting
 
 **NetworkPolicy not working:**
+
 ```bash
 # Check if CNI supports NetworkPolicy
 kubectl get nodes -o wide
@@ -316,6 +333,7 @@ kubectl describe networkpolicy <name>
 ```
 
 **RBAC permission denied:**
+
 ```bash
 # Check effective permissions
 kubectl auth can-i list pods --as system:serviceaccount:default:my-sa

plugins/kubernetes-operations/skills/k8s-security-policies/references/rbac-patterns.md

@@ -3,18 +3,20 @@
 ## Common RBAC Patterns
 
 ### Pattern 1: Read-Only Access
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: read-only
 rules:
-- apiGroups: ["", "apps", "batch"]
-  resources: ["*"]
-  verbs: ["get", "list", "watch"]
+  - apiGroups: ["", "apps", "batch"]
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
 ```
 
 ### Pattern 2: Namespace Admin
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -22,12 +24,13 @@ metadata:
   name: namespace-admin
   namespace: production
 rules:
-- apiGroups: ["", "apps", "batch", "extensions"]
-  resources: ["*"]
-  verbs: ["*"]
+  - apiGroups: ["", "apps", "batch", "extensions"]
+    resources: ["*"]
+    verbs: ["*"]
 ```
 
 ### Pattern 3: Deployment Manager
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -35,15 +38,16 @@ metadata:
   name: deployment-manager
   namespace: production
 rules:
-- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
 ```
 
 ### Pattern 4: Secret Reader (ServiceAccount)
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -51,10 +55,10 @@ metadata:
   name: secret-reader
   namespace: production
 rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get"]
-  resourceNames: ["app-secrets"]  # Specific secret only
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+    resourceNames: ["app-secrets"] # Specific secret only
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -62,9 +66,9 @@ metadata:
   name: app-secret-reader
   namespace: production
 subjects:
-- kind: ServiceAccount
-  name: my-app
-  namespace: production
+  - kind: ServiceAccount
+    name: my-app
+    namespace: production
 roleRef:
   kind: Role
   name: secret-reader
@@ -72,26 +76,28 @@ roleRef:
 ```
 
 ### Pattern 5: CI/CD Pipeline Access
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: cicd-deployer
 rules:
-- apiGroups: ["apps"]
-  resources: ["deployments", "replicasets"]
-  verbs: ["get", "list", "create", "update", "patch"]
-- apiGroups: [""]
-  resources: ["services", "configmaps"]
-  verbs: ["get", "list", "create", "update", "patch"]
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "list"]
+  - apiGroups: ["apps"]
+    resources: ["deployments", "replicasets"]
+    verbs: ["get", "list", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["services", "configmaps"]
+    verbs: ["get", "list", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
 ```
 
 ## ServiceAccount Best Practices
 
 ### Create Dedicated ServiceAccounts
+
 ```yaml
 apiVersion: v1
 kind: ServiceAccount
@@ -107,10 +113,11 @@ spec:
   template:
     spec:
       serviceAccountName: my-app
-      automountServiceAccountToken: false  # Disable if not needed
+      automountServiceAccountToken: false # Disable if not needed
 ```
 
 ### Least-Privilege ServiceAccount
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -118,10 +125,10 @@ metadata:
   name: my-app-role
   namespace: production
 rules:
-- apiGroups: [""]
-  resources: ["configmaps"]
-  verbs: ["get"]
-  resourceNames: ["my-app-config"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get"]
+    resourceNames: ["my-app-config"]
 ```
 
 ## Security Best Practices
@@ -140,18 +147,21 @@ rules:
 ## Troubleshooting RBAC
 
 ### Check User Permissions
+
 ```bash
 kubectl auth can-i list pods --as john@example.com
 kubectl auth can-i '*' '*' --as system:serviceaccount:default:my-app
 ```
 
 ### View Effective Permissions
+
 ```bash
 kubectl describe clusterrole cluster-admin
 kubectl describe rolebinding -n production
 ```
 
 ### Debug Access Issues
+
 ```bash
 kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide | grep my-user
 ```
@@ -171,6 +181,7 @@ kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide | grep my-
 ## Resource Scope
 
 ### Cluster-Scoped Resources
+
 - Nodes
 - PersistentVolumes
 - ClusterRoles
@@ -178,6 +189,7 @@ kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide | grep my-
 - Namespaces
 
 ### Namespace-Scoped Resources
+
 - Pods
 - Services
 - Deployments