Agent skill
runtime-security
Pod Security Standards and admission controllers for GKE. Runtime monitoring with Falco and behavioral analysis to detect anomalous workload activity.
Install this agent skill to your Project
npx add-skill https://github.com/adaptive-enforcement-lab/claude-skills/tree/main/plugins/secure/skills/runtime-security
SKILL.md
Runtime Security
When to Use This Skill
This section covers runtime security for GKE clusters:
- Pod Security Standards: Namespace-level security policies (baseline, restricted)
- Admission Controllers: Pre-deployment validation and policy enforcement
- Runtime Monitoring: Behavioral detection with Falco or GKE Cloud Logging
Prerequisites
- GCP project with billing enabled
- Terraform 1.0+
- kubectl configured for cluster access
Implementation
- Cluster Configuration - Private GKE, Workload Identity
- Network Security - VPC networking, Network Policies
- IAM Configuration - Least-privilege IAM
Key Principles
Defense in Depth
Multiple layers of runtime security controls:
- Pod Security Standards enforce secure defaults
- Admission controllers block invalid configurations
- Runtime monitoring detects anomalous behavior
- Audit logging captures all activity
Secure by Default
Production workloads must meet strict security requirements:
- Run as non-root user
- Read-only root filesystem
- Drop all Linux capabilities
- No privilege escalation
- Resource limits defined
Continuous Monitoring
Runtime monitoring provides visibility into pod behavior:
- Process execution tracking
- File access monitoring
- Network connection detection
- System call auditing
Related Patterns
- Cluster Configuration
- Network Security
- IAM Configuration
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
github-token-permissions-overview
Understanding GITHUB_TOKEN scope, default permissions, and implementing least-privilege principle for GitHub Actions workflows.
secure
Find and fix security issues before they become incidents. Vulnerability scanning, SBOM generation, supply chain security, and secure authentication workflows.
complete-workflow-examples
Copy-paste hardened CI/CD workflows with SHA-pinned actions, minimal GITHUB_TOKEN permissions, OIDC authentication, and comprehensive security scanning for GitHub Actions.
ephemeral-runner-patterns
Disposable runner patterns for GitHub Actions. Container-based, VM-based, and ARC deployment strategies with complete state isolation between jobs.
action-pinning-overview
Why pinning GitHub Actions to SHA-256 commits matters for supply chain security. Attack vectors from unpinned actions and comparison of tag vs SHA pinning.
github-actions-security-patterns-hub
Complete security patterns for GitHub Actions covering action pinning, GITHUB_TOKEN permissions, third-party action risks, secret management, and runner security.
Didn't find tool you were looking for?