k8s-security
Install: claude install-skill roodlicht/accans-sec-skills
# Kubernetes Security
## When to use
This skill covers the cluster and workload layer on top of `container-hardening`. Image content and build live there; what K8s does with those images (scheduling, RBAC, networking, secrets, runtime policy) lives here.
Activates on:
- A request like "review our K8s manifests", "our RBAC is sprawling", "turn on Pod Security Standards", "write a NetworkPolicy", "which admission controller should we use", "cosign verification in the cluster".
- New or modified manifests: `Deployment`, `StatefulSet`, `DaemonSet`, `Job`, `ServiceAccount`, `Role(Binding)`, `ClusterRole(Binding)`, `NetworkPolicy`, `ValidatingAdmissionPolicy`, Helm charts, Kustomize overlays.
- A cluster audit driven by compliance (CIS Kubernetes Benchmark, NSA/CISA guide, PCI-DSS cloud scope).
- A handoff from `security-review` when K8s is in scope.
- An incident where lateral movement in a cluster is suspected (see `ir-runbook` for response).
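To make the scope boundary concrete, here is an added example (not code from the skill or this page) of the kind of manifest-level review the triggers above describe. It checks only what Kubernetes does with the image (host namespaces, service-account token mounting, the pod and container `securityContext` fields that the Pod Security Standards "restricted" profile requires) and deliberately ignores the `image:` field, which belongs to `container-hardening`. The Deployment manifests, the finding texts and the function names are constructed for this example and are not from the skill.

```python
"""Manifest-level review of a workload's pod spec (added illustration, not the skill's own code).

Only cluster/workload-layer settings are inspected; image content is out of scope here.
Field names follow the Pod Security Standards "restricted" profile; the sample manifests
and finding strings are constructed for this example.
"""
from typing import Any, Dict, List

# Constructed sample: a Deployment as it might arrive for review (weak settings).
SAMPLE_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "registry.example/web:1.2.3",  # image content: not reviewed here
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["NET_ADMIN"]}},
        }],
    }}},
}

# Constructed sample: the same workload with the corrected pod-level settings.
HARDENED_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "registry.example/web:1.2.3",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    }}},
}


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec for a bare Pod or a template-bearing workload kind."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return manifest["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind}")


def review_workload(manifest: Dict[str, Any]) -> List[str]:
    """Return findings for settings the 'restricted' profile would reject, plus SA-token mounting."""
    spec = pod_spec(manifest)
    findings: List[str] = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod: {ns}=true shares a host namespace")
    # Kubernetes mounts the ServiceAccount token unless this is explicitly false.
    if spec.get("automountServiceAccountToken", True):
        findings.append("pod: automountServiceAccountToken not disabled (token mounted by default)")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        # Container-level values override pod-level ones when present.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        extra = [cap for cap in caps.get("add", []) if cap != "NET_BIND_SERVICE"]
        if extra:
            findings.append(f"{name}: capabilities.add {extra} not allowed (only NET_BIND_SERVICE)")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


if __name__ == "__main__":
    for f in review_workload(SAMPLE_DEPLOYMENT):
        print("FINDING", f)
    print("hardened findings:", review_workload(HARDENED_DEPLOYMENT))
```

Running it flags eight issues in the weak Deployment and none in the hardened one. Note what the check does not do: it says nothing about the base image, the `USER` in the Dockerfile or the registry signature, which is exactly the split this skill draws against `container-hardening`.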
### When NOT to use (handoff)
- Container image content (base image, USER, caps) → `container-hardening`. This skill takes the image as given.
- Cluster-provisioning IaC (EKS/GKE/AKS module, node groups, VPC) → `iac-security`. Manifest level here, infrastructure level there.
- CI pipeline that applies manifests → `cicd-hardening`. GitOps controllers (Argo CD, Flux) are mentioned here only as context.
- Secret backend (Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault) → `secrets-scanner`. External Secrets Operator bridges bo