style: format all files with prettier

2026-03-18 09:37:15 +00:00 · 2026-01-19 17:07:03 -05:00
parent 8d37048deb
commit 56848874a2
355 changed files with 15215 additions and 10241 deletions
--- a/plugins/kubernetes-operations/skills/k8s-security-policies/SKILL.md
+++ b/plugins/kubernetes-operations/skills/k8s-security-policies/SKILL.md
@@ -23,6 +23,7 @@ Implement defense-in-depth security for Kubernetes clusters using network polici
 ## Pod Security Standards

 ### 1. Privileged (Unrestricted)
+
 ```yaml
 apiVersion: v1
 kind: Namespace
@@ -35,6 +36,7 @@ metadata:
 ```

 ### 2. Baseline (Minimally restrictive)
+
 ```yaml
 apiVersion: v1
 kind: Namespace
@@ -47,6 +49,7 @@ metadata:
 ```

 ### 3. Restricted (Most restrictive)
+
 ```yaml
 apiVersion: v1
 kind: Namespace
@@ -61,6 +64,7 @@ metadata:
 ## Network Policies

 ### Default Deny All
+
 ```yaml
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -70,11 +74,12 @@ metadata:
 spec:
  podSelector: {}
  policyTypes:
-  - Ingress
-  - Egress
+    - Ingress
+    - Egress
 ```

 ### Allow Frontend to Backend
+
 ```yaml
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -86,18 +91,19 @@ spec:
    matchLabels:
      app: backend
  policyTypes:
-  - Ingress
+    - Ingress
  ingress:
-  - from:
-    - podSelector:
-        matchLabels:
-          app: frontend
-    ports:
-    - protocol: TCP
-      port: 8080
+    - from:
+        - podSelector:
+            matchLabels:
+              app: frontend
+      ports:
+        - protocol: TCP
+          port: 8080
 ```

 ### Allow DNS
+
 ```yaml
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -107,15 +113,15 @@ metadata:
 spec:
  podSelector: {}
  policyTypes:
-  - Egress
+    - Egress
  egress:
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          name: kube-system
-    ports:
-    - protocol: UDP
-      port: 53
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              name: kube-system
+      ports:
+        - protocol: UDP
+          port: 53
 ```

 **Reference:** See `assets/network-policy-template.yaml`
@@ -123,6 +129,7 @@ spec:
 ## RBAC Configuration

 ### Role (Namespace-scoped)
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -130,24 +137,26 @@ metadata:
  name: pod-reader
  namespace: production
 rules:
- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "watch", "list"]
 ```

 ### ClusterRole (Cluster-wide)
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: secret-reader
 rules:
- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
 ```

 ### RoleBinding
+
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -155,12 +164,12 @@ metadata:
  name: read-pods
  namespace: production
 subjects:
- kind: User
-  name: jane
-  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
-  name: default
-  namespace: production
+  - kind: User
+    name: jane
+    apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: default
+    namespace: production
 roleRef:
  kind: Role
  name: pod-reader
@@ -172,6 +181,7 @@ roleRef:
 ## Pod Security Context

 ### Restricted Pod
+
 ```yaml
 apiVersion: v1
 kind: Pod
@@ -185,19 +195,20 @@ spec:
    seccompProfile:
      type: RuntimeDefault
  containers:
-  - name: app
-    image: myapp:1.0
-    securityContext:
-      allowPrivilegeEscalation: false
-      readOnlyRootFilesystem: true
-      capabilities:
-        drop:
-        - ALL
+    - name: app
+      image: myapp:1.0
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        capabilities:
+          drop:
+            - ALL
 ```

 ## Policy Enforcement with OPA Gatekeeper

 ### ConstraintTemplate
+
 ```yaml
 apiVersion: templates.gatekeeper.sh/v1
 kind: ConstraintTemplate
@@ -230,6 +241,7 @@ spec:
 ```

 ### Constraint
+
 ```yaml
 apiVersion: constraints.gatekeeper.sh/v1beta1
 kind: K8sRequiredLabels
@@ -247,6 +259,7 @@ spec:
 ## Service Mesh Security (Istio)

 ### PeerAuthentication (mTLS)
+
 ```yaml
 apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
@@ -259,6 +272,7 @@ spec:
 ```

 ### AuthorizationPolicy
+
 ```yaml
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
@@ -271,9 +285,9 @@ spec:
      app: backend
  action: ALLOW
  rules:
-  - from:
-    - source:
-        principals: ["cluster.local/ns/production/sa/frontend"]
+    - from:
+        - source:
+            principals: ["cluster.local/ns/production/sa/frontend"]
 ```

 ## Best Practices
@@ -292,6 +306,7 @@ spec:
 ## Compliance Frameworks

 ### CIS Kubernetes Benchmark
+
 - Use RBAC authorization
 - Enable audit logging
 - Use Pod Security Standards
@@ -300,6 +315,7 @@ spec:
 - Enable node authentication

 ### NIST Cybersecurity Framework
+
 - Implement defense in depth
 - Use network segmentation
 - Configure security monitoring
@@ -309,6 +325,7 @@ spec:
 ## Troubleshooting

 **NetworkPolicy not working:**
+
 ```bash
 # Check if CNI supports NetworkPolicy
 kubectl get nodes -o wide
@@ -316,6 +333,7 @@ kubectl describe networkpolicy <name>
 ```

 **RBAC permission denied:**
+
 ```bash
 # Check effective permissions
 kubectl auth can-i list pods --as system:serviceaccount:default:my-sa