Agent skill
kyverno-network-security-templates
Kyverno network security policies that enforce NetworkPolicy requirements, Ingress rules, and Service restrictions in Kubernetes.
Install this agent skill to your Project
npx add-skill https://github.com/adaptive-enforcement-lab/claude-skills/tree/main/plugins/enforce/skills/kyverno-network-security-templates
SKILL.md
Kyverno Network Security Templates
When to Use This Skill
Network policies control traffic between pods, namespaces, and external endpoints. These templates enforce network segmentation and prevent unauthorized communication.
Network Policies Require CNI Support
NetworkPolicy resources only function when your CNI plugin supports them. Verify your cluster's CNI (Calico, Cilium, Weave Net) before deploying network policies.
When to Apply
Scenario 1: Prevent Unapproved External Exposure
Block LoadBalancer services except for approved namespaces:
# Enforced by: services.yaml
# Result: Only ingress-nginx namespace can create LoadBalancer services
# Impact: Prevents accidental exposure of internal services to the internet
Scenario 2: Mandate TLS for Public Services
Require TLS configuration on all Ingress resources:
# Enforced by: ingress-tls.yaml
# Result: All Ingress objects must define spec.tls with valid secrets
# Impact: Eliminates plaintext HTTP exposure for external services
Scenario 3: Enforce Namespace Isolation
Require NetworkPolicy in every namespace before pod creation:
# Enforced by: security.yaml
# Result: Namespaces must have NetworkPolicy resources before accepting workloads
# Impact: Prevents pods from communicating across namespace boundaries by default
Implementation
See the full implementation guide in the source documentation.
Techniques
Network Security Patterns
Defense in Depth
Layer network controls across multiple boundaries:
- Namespace NetworkPolicies - Default deny all traffic
- Service Restrictions - Limit LoadBalancer/NodePort usage
- Ingress Controls - Require TLS and approved ingress classes
- Egress Filtering - Block unauthorized external connections
Zero-Trust Networking
Never assume trust based on network location:
- Require explicit NetworkPolicy allow rules (no implicit trust)
- Mandate mTLS for service-to-service communication (use service mesh if needed)
- Validate identity at every network boundary (authentication, not IP allowlisting)
Production vs Non-Production
Use different enforcement levels based on environment:
- Production - Strict NetworkPolicy requirements, TLS mandatory, LoadBalancer restricted
- Development - Relaxed policies, allow broader access for testing
- Staging - Production-like policies to catch configuration issues early
Examples
See examples.md for code examples.
Related Patterns
- Kyverno Templates Overview
- Kyverno Pod Security
- Kyverno Resource Governance
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
github-token-permissions-overview
Understanding GITHUB_TOKEN scope, default permissions, and implementing least-privilege principle for GitHub Actions workflows.
secure
Find and fix security issues before they become incidents. Vulnerability scanning, SBOM generation, supply chain security, and secure authentication workflows.
complete-workflow-examples
Copy-paste hardened CI/CD workflows with SHA-pinned actions, minimal GITHUB_TOKEN permissions, OIDC authentication, and comprehensive security scanning for GitHub Actions.
ephemeral-runner-patterns
Disposable runner patterns for GitHub Actions. Container-based, VM-based, and ARC deployment strategies with complete state isolation between jobs.
action-pinning-overview
Why pinning GitHub Actions to SHA-256 commits matters for supply chain security. Attack vectors from unpinned actions and comparison of tag vs SHA pinning.
github-actions-security-patterns-hub
Complete security patterns for GitHub Actions covering action pinning, GITHUB_TOKEN permissions, third-party action risks, secret management, and runner security.
Didn't find tool you were looking for?