
kubernetes-manifest-audit

Audit Kubernetes manifests, Helm charts, and Kustomize overlays against CIS Kubernetes Benchmark and NSA/CISA hardening — pod security, resources, probes, RBAC, networking, secrets, availability. Static, live, apply, runtime modes.
anthril/official-claude-plugins · ★ 3 · DevOps & Infrastructure · score 82
Install: claude install-skill anthril/official-claude-plugins
# Kubernetes Manifest Audit

ultrathink <!-- anthril-output-directive -->

> **Output path directive (canonical — overrides in-body references).**
> All file outputs from this skill MUST be written under `.anthril/audits/kubernetes-manifest-audit/`.
> Run `mkdir -p .anthril/audits/kubernetes-manifest-audit` before the first `Write` call.
> Primary artefact: `.anthril/audits/kubernetes-manifest-audit/<artefact>`.
> Do NOT write to the project root or to bare filenames at cwd.
> Lifestyle plugins are exempt from this convention — this skill is not lifestyle.

## When to use

Run this skill when the user mentions:

- Kubernetes audit, k8s security
- CIS Kubernetes Benchmark
- Helm chart review, Kustomize review
- Pod security standards
- NSA/CISA Kubernetes Hardening Guide

Covers nine categories:

- pod security (`runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation`, dropped capabilities, no host namespaces)
- resource requests and limits
- liveness/readiness/startup probes
- image hygiene (digest pinning, pull policy, scoped `imagePullSecrets`)
- secrets and config (no plaintext Secrets in Git, external secret operators)
- networking (NetworkPolicies, Service types, Ingress TLS)
- RBAC (per-workload ServiceAccounts, no wildcard verbs)
- availability (PodDisruptionBudgets, replicas, topology spread, anti-affinity)
- Helm hygiene (values.schema.json, sensible defaults)

## Before You Start

1. **Determine operating mode.** `--live` reads from a real cluster via `kubectl`
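As an added example (not code from the skill or from the anthril/official-claude-plugins repository), the following static check evaluates one workload manifest against the pod security, resource, probe and image-hygiene categories listed above. The sample Deployment is constructed and written in the JSON form `kubectl` also accepts, so only the standard library is needed; the `audit_workload` function name is an assumption.

```python
import json

# Constructed sample Deployment in the JSON form kubectl also accepts; not a
# manifest from the skill or its repository. It deliberately fails several checks.
SAMPLE_MANIFEST = json.loads("""{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "web"}, "spec": {"template": {"spec": {"hostNetwork": true,
 "containers": [{"name": "web", "image": "nginx:latest",
  "securityContext": {"runAsNonRoot": true, "capabilities": {"drop": ["NET_RAW"]}},
  "resources": {"limits": {"cpu": "500m"}},
  "readinessProbe": {"httpGet": {"path": "/", "port": 80}}}]}}}}""")

def audit_workload(manifest: dict) -> list[str]:
    """Return findings for the pod-security, resource, probe and image checks."""
    kind = manifest.get("kind", "?")
    name = manifest.get("metadata", {}).get("name", "?")
    spec = manifest.get("spec", {})
    # A bare Pod carries its PodSpec directly; Deployments etc. wrap it in a template
    pod = spec if kind == "Pod" else spec.get("template", {}).get("spec", {})
    pod_sc = pod.get("securityContext", {})
    tag = f"{kind}/{name}"
    findings = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(ns):
            findings.append(f"{tag}: {ns}=true shares a host namespace")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        ctag = f"{tag} container {c.get('name', '?')}"
        sc = c.get("securityContext", {})
        # Pod-level runAsNonRoot is inherited unless the container overrides it
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{ctag}: runAsNonRoot is not true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{ctag}: readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{ctag}: allowPrivilegeEscalation is not explicitly false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{ctag}: capabilities.drop does not include ALL")
        res = c.get("resources", {})
        for section in ("requests", "limits"):
            for key in ("cpu", "memory"):
                if key not in res.get(section, {}):
                    findings.append(f"{ctag}: resources.{section}.{key} missing")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{ctag}: {probe} missing")
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(f"{ctag}: image {image!r} is not pinned by digest")
    return findings
```

Running `audit_workload(SAMPLE_MANIFEST)` reports nine findings for the constructed Deployment (host network, missing read-only root filesystem, privilege-escalation and drop-ALL settings, three missing resource fields, a missing liveness probe, and a tag-pinned image); a manifest that sets every field passes with an empty list.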