@raishin/vanguard-frontier-agentic 1.2.0 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +250 -110
- package/agents/AGENTS.md +263 -21
- package/agents/argocd/README.md +46 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/AGENT.md +55 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/claude-code.agent.md +35 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/codex.toml +29 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/copilot.agent.md +35 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/cursor.agent.md +35 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/gemini.agent.md +35 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/harnesses/kiro-ide.agent.md +35 -0
- package/agents/argocd/argo-rollouts-progressive-delivery-review-agent/metadata.json +31 -0
- package/agents/argocd/argocd-gitops-review-agent/AGENT.md +55 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/codex.toml +32 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/argocd/argocd-gitops-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/argocd/argocd-gitops-review-agent/metadata.json +30 -0
- package/agents/aws/aws-live-deployment-guarded-operator-agent/metadata.json +10 -1
- package/agents/aws/aws-live-ecs-rollout-guard-agent/metadata.json +10 -1
- package/agents/aws/aws-live-iac-change-guard-agent/metadata.json +10 -1
- package/agents/aws/aws-live-pipeline-approval-operator-agent/metadata.json +10 -1
- package/agents/aws/aws-live-serverless-release-guard-agent/metadata.json +10 -1
- package/agents/aws/aws-private-ca-issuer-review-agent/AGENT.md +53 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/codex.toml +27 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/copilot.agent.md +36 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/cursor.agent.md +36 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/gemini.agent.md +36 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
- package/agents/aws/aws-private-ca-issuer-review-agent/metadata.json +37 -0
- package/agents/azure/README.md +45 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/AGENT.md +53 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/codex.toml +27 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/copilot.agent.md +36 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/cursor.agent.md +36 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/gemini.agent.md +36 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
- package/agents/azure/azure-keyvault-certificate-issuer-review-agent/metadata.json +36 -0
- package/agents/azure/azure-live-aks-rollout-guard-agent/metadata.json +10 -1
- package/agents/azure/azure-live-app-service-slot-swap-guard-agent/metadata.json +10 -1
- package/agents/azure/azure-live-arm-deployment-stack-guard-agent/metadata.json +10 -1
- package/agents/azure/azure-live-cost-budget-action-guard-agent/metadata.json +10 -1
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/AGENT.md +59 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/codex.toml +34 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/copilot.agent.md +55 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/cursor.agent.md +44 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/gemini.agent.md +43 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/azure/azure-live-entra-role-assignment-guard-agent/metadata.json +37 -0
- package/agents/azure/azure-live-keyvault-rotation-purge-guard-agent/metadata.json +10 -1
- package/agents/azure/azure-live-pim-jit-activation-guard-agent/metadata.json +11 -2
- package/agents/backstage/README.md +36 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/AGENT.md +54 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/claude-code.agent.md +37 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/codex.toml +31 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/copilot.agent.md +37 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/cursor.agent.md +37 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/gemini.agent.md +37 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/harnesses/kiro-ide.agent.md +37 -0
- package/agents/backstage/backstage-scaffolder-template-review-agent/metadata.json +30 -0
- package/agents/cert-manager/README.md +46 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/AGENT.md +55 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/claude-code.agent.md +35 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/codex.toml +29 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/copilot.agent.md +35 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/cursor.agent.md +35 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/gemini.agent.md +35 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/harnesses/kiro-ide.agent.md +35 -0
- package/agents/cert-manager/cert-manager-issuer-trust-review-agent/metadata.json +31 -0
- package/agents/cilium/README.md +46 -0
- package/agents/cilium/cilium-network-policy-review-agent/AGENT.md +55 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/codex.toml +32 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/cilium/cilium-network-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/cilium/cilium-network-policy-review-agent/metadata.json +37 -0
- package/agents/falco/README.md +36 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/AGENT.md +49 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/claude-code.agent.md +33 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/codex.toml +31 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/copilot.agent.md +33 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/cursor.agent.md +33 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/gemini.agent.md +33 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/harnesses/kiro-ide.agent.md +33 -0
- package/agents/falco/falco-runtime-threat-rules-review-agent/metadata.json +31 -0
- package/agents/finops/README.md +27 -0
- package/agents/finops/finops-cloud-price-advisor-agent/metadata.json +10 -1
- package/agents/fluxcd/README.md +39 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/AGENT.md +55 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/codex.toml +32 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/fluxcd/fluxcd-kustomization-helmrelease-review-agent/metadata.json +31 -0
- package/agents/istio/README.md +46 -0
- package/agents/istio/istio-ambient-mesh-review-agent/AGENT.md +55 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/codex.toml +32 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/istio/istio-ambient-mesh-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/istio/istio-ambient-mesh-review-agent/metadata.json +30 -0
- package/agents/kubernetes/README.md +143 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/AGENT.md +49 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/claude-code.agent.md +33 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/codex.toml +31 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/copilot.agent.md +33 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/cursor.agent.md +33 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/gemini.agent.md +33 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/harnesses/kiro-ide.agent.md +33 -0
- package/agents/kubernetes/external-secrets-operator-review-agent/metadata.json +31 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/AGENT.md +56 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/claude-code.agent.md +39 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/codex.toml +34 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/copilot.agent.md +39 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/cursor.agent.md +39 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/gemini.agent.md +39 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/harnesses/kiro-ide.agent.md +39 -0
- package/agents/kubernetes/kubecost-chargeback-allocation-review-agent/metadata.json +31 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/AGENT.md +59 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/codex.toml +33 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/copilot.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/cursor.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/gemini.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-admission-policy-guard-agent/metadata.json +37 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/AGENT.md +59 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/codex.toml +33 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/copilot.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/cursor.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/gemini.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/metadata.json +37 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/AGENT.md +59 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/codex.toml +33 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/copilot.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/cursor.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/gemini.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/metadata.json +37 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/AGENT.md +59 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/codex.toml +33 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/copilot.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/cursor.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/gemini.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-network-policy-guard-agent/metadata.json +37 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/AGENT.md +59 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/codex.toml +34 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/copilot.agent.md +55 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/cursor.agent.md +44 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/gemini.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/metadata.json +36 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/AGENT.md +62 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/claude-code.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/codex.toml +35 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/copilot.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/cursor.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/gemini.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/harnesses/kiro-ide.agent.md +43 -0
- package/agents/kubernetes/kubernetes-live-velero-restore-guard-agent/metadata.json +38 -0
- package/agents/kubernetes/kubernetes-maestro-agent/AGENT.md +55 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/codex.toml +34 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/copilot.agent.md +38 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/cursor.agent.md +38 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/gemini.agent.md +38 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/kubernetes/kubernetes-maestro-agent/metadata.json +40 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/AGENT.md +54 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/claude-code.agent.md +37 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/codex.toml +27 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/copilot.agent.md +37 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/cursor.agent.md +37 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/gemini.agent.md +37 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/harnesses/kiro-ide.agent.md +37 -0
- package/agents/kubernetes/kubernetes-pod-spec-review-agent/metadata.json +38 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/AGENT.md +55 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/claude-code.agent.md +36 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/codex.toml +29 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/copilot.agent.md +36 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/cursor.agent.md +36 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/gemini.agent.md +36 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/harnesses/kiro-ide.agent.md +36 -0
- package/agents/kubernetes/kubernetes-psa-review-agent/metadata.json +38 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/AGENT.md +55 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/codex.toml +32 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/copilot.agent.md +51 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/cursor.agent.md +40 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/gemini.agent.md +39 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/kubernetes/kubernetes-rbac-review-agent/metadata.json +36 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/AGENT.md +55 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/claude-code.agent.md +37 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/codex.toml +29 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/copilot.agent.md +37 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/cursor.agent.md +37 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/gemini.agent.md +37 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/harnesses/kiro-ide.agent.md +37 -0
- package/agents/kubernetes/kubernetes-workload-identity-review-agent/metadata.json +37 -0
- package/agents/kyverno/README.md +46 -0
- package/agents/kyverno/kyverno-policy-review-agent/AGENT.md +55 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/codex.toml +32 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/kyverno/kyverno-policy-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/kyverno/kyverno-policy-review-agent/metadata.json +30 -0
- package/agents/oci/README.md +45 -0
- package/agents/oci/oci-certificates-issuer-review-agent/AGENT.md +53 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/claude-code.agent.md +36 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/codex.toml +27 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/copilot.agent.md +36 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/cursor.agent.md +36 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/gemini.agent.md +36 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/oci/oci-certificates-issuer-review-agent/harnesses/kiro-ide.agent.md +36 -0
- package/agents/oci/oci-certificates-issuer-review-agent/metadata.json +36 -0
- package/agents/oci/oci-live-autonomous-db-lifecycle-guard-agent/metadata.json +11 -2
- package/agents/oci/oci-live-cost-budget-runaway-guard-agent/metadata.json +11 -2
- package/agents/oci/oci-live-iam-policy-compartment-guard-agent/metadata.json +10 -1
- package/agents/oci/oci-live-network-security-rule-guard-agent/AGENT.md +59 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/claude-code.agent.md +42 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/codex.toml +34 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/copilot.agent.md +55 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/cursor.agent.md +44 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/gemini.agent.md +43 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/harnesses/kiro-ide.agent.md +42 -0
- package/agents/oci/oci-live-network-security-rule-guard-agent/metadata.json +37 -0
- package/agents/oci/oci-live-oke-rollout-guard-agent/metadata.json +11 -2
- package/agents/oci/oci-live-resource-manager-stack-guard-agent/metadata.json +10 -1
- package/agents/oci/oci-live-vault-key-destruction-guard-agent/metadata.json +10 -1
- package/agents/opentelemetry/README.md +37 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/AGENT.md +55 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/codex.toml +32 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/copilot.agent.md +38 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/cursor.agent.md +38 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/gemini.agent.md +38 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/opentelemetry/opentelemetry-collector-config-review-agent/metadata.json +37 -0
- package/agents/prometheus/README.md +36 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/AGENT.md +48 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/claude-code.agent.md +32 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/codex.toml +31 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/copilot.agent.md +32 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/cursor.agent.md +32 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/gemini.agent.md +32 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/harnesses/kiro-ide.agent.md +32 -0
- package/agents/prometheus/prometheus-alerting-cardinality-review-agent/metadata.json +31 -0
- package/agents/sigstore/README.md +38 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/AGENT.md +55 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/claude-code.agent.md +35 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/codex.toml +29 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/copilot.agent.md +35 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/cursor.agent.md +35 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/gemini.agent.md +35 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/harnesses/kiro-ide.agent.md +35 -0
- package/agents/sigstore/sigstore-cosign-supply-chain-review-agent/metadata.json +31 -0
- package/agents/terraform/README.md +29 -0
- package/agents/terraform/terraform-reviewer/AGENT.md +2 -1
- package/agents/terraform/terraform-reviewer/harnesses/claude-code.agent.md +29 -0
- package/agents/terraform/terraform-reviewer/harnesses/codex.toml +29 -0
- package/agents/terraform/terraform-reviewer/harnesses/copilot.agent.md +42 -0
- package/agents/terraform/terraform-reviewer/harnesses/cursor.agent.md +31 -0
- package/agents/terraform/terraform-reviewer/harnesses/gemini.agent.md +30 -0
- package/agents/terraform/terraform-reviewer/harnesses/kiro-cli.agent.json +5 -0
- package/agents/terraform/terraform-reviewer/harnesses/kiro-ide.agent.md +29 -0
- package/agents/terraform/terraform-reviewer/metadata.json +10 -1
- package/agents/velero/README.md +41 -0
- package/assets/logos/vanguard-frontier-agentic-logo.png +0 -0
- package/catalog/agents.json +1452 -634
- package/catalog/install-roles.json +455 -0
- package/catalog/skill-manifest.json +1089 -335
- package/catalog/skills.json +1298 -528
- package/package.json +32 -3
- package/schemas/AGENTS.md +14 -0
- package/schemas/agent.frontmatter.schema.json +89 -0
- package/schemas/agent.schema.json +8 -0
- package/schemas/skill.frontmatter.schema.json +95 -0
- package/scripts/apply-skill-allowed-tools.py +142 -0
- package/scripts/backfill-skill-metadata.py +410 -0
- package/scripts/export-marketplace-agents.mjs +275 -9
- package/scripts/update-catalog-new-agents.py +88 -0
- package/skills/argocd/README.md +30 -0
- package/skills/argocd/argo-rollouts-progressive-delivery-review/SKILL.md +43 -0
- package/skills/argocd/argo-rollouts-progressive-delivery-review/metadata.json +22 -0
- package/skills/argocd/argo-rollouts-progressive-delivery-review/references/workflow-and-output.md +248 -0
- package/skills/argocd/argocd-gitops-review/SKILL.md +46 -0
- package/skills/argocd/argocd-gitops-review/metadata.json +30 -0
- package/skills/argocd/argocd-gitops-review/references/mcp-and-evidence.md +53 -0
- package/skills/argocd/argocd-gitops-review/references/official-sources.md +32 -0
- package/skills/argocd/argocd-gitops-review/references/workflow-and-output.md +120 -0
- package/skills/aws/README.md +3 -1
- package/skills/aws/aws-agentcore/SKILL.md +3 -0
- package/skills/aws/aws-api-edge-delivery-review/SKILL.md +3 -0
- package/skills/aws/aws-bedrock-agent-security-governor/SKILL.md +3 -0
- package/skills/aws/aws-change-impact-advisor/SKILL.md +3 -0
- package/skills/aws/aws-ci-cd-release-engineer/SKILL.md +3 -0
- package/skills/aws/aws-compliance-evidence-mapper/SKILL.md +3 -0
- package/skills/aws/aws-cost-anomaly-watch-coordinator/SKILL.md +3 -0
- package/skills/aws/aws-cost-optimization-governor/SKILL.md +3 -0
- package/skills/aws/aws-daily-operations-briefing-coordinator/SKILL.md +3 -0
- package/skills/aws/aws-data-protection-backup-steward/SKILL.md +3 -0
- package/skills/aws/aws-deployment-hotfix-operator/SKILL.md +3 -0
- package/skills/aws/aws-devops-agent-skill-designer/SKILL.md +3 -0
- package/skills/aws/aws-dynamodb-data-modeling-performance-review/SKILL.md +3 -0
- package/skills/aws/aws-ec2-compute-operations-steward/SKILL.md +3 -0
- package/skills/aws/aws-ecs-fargate-platform-operator/SKILL.md +3 -0
- package/skills/aws/aws-ecs-service-remediation-operator/SKILL.md +3 -0
- package/skills/aws/aws-eks-platform-operator/SKILL.md +3 -0
- package/skills/aws/aws-event-driven-architecture-review/SKILL.md +3 -0
- package/skills/aws/aws-generative-ai-developer/SKILL.md +3 -0
- package/skills/aws/aws-iac-change-safety-review/SKILL.md +3 -0
- package/skills/aws/aws-iac-patch-executor/SKILL.md +3 -0
- package/skills/aws/aws-iam-least-privilege-review/SKILL.md +3 -0
- package/skills/aws/aws-kms-secrets-lifecycle-steward/SKILL.md +3 -0
- package/skills/aws/aws-landing-zone-governor/SKILL.md +3 -0
- package/skills/aws/aws-live-deployment-guarded-operator/SKILL.md +3 -0
- package/skills/aws/aws-live-ecs-rollout-guard/SKILL.md +3 -0
- package/skills/aws/aws-live-iac-change-guard/SKILL.md +3 -0
- package/skills/aws/aws-live-pipeline-approval-operator/SKILL.md +3 -0
- package/skills/aws/aws-live-serverless-release-guard/SKILL.md +3 -0
- package/skills/aws/aws-maestro/SKILL.md +3 -0
- package/skills/aws/aws-maestro/references/workflow-and-output.md +2 -0
- package/skills/aws/aws-migration-cutover-architect/SKILL.md +3 -0
- package/skills/aws/aws-network-architect/SKILL.md +3 -0
- package/skills/aws/aws-non-destructive-task-automation-advisor/SKILL.md +3 -0
- package/skills/aws/aws-observability-incident-responder/SKILL.md +3 -0
- package/skills/aws/aws-pipeline-fix-operator/SKILL.md +3 -0
- package/skills/aws/aws-private-ca-issuer-review/SKILL.md +42 -0
- package/skills/aws/aws-private-ca-issuer-review/metadata.json +21 -0
- package/skills/aws/aws-private-ca-issuer-review/references/official-sources.md +22 -0
- package/skills/aws/aws-private-ca-issuer-review/references/safety-checklist.md +30 -0
- package/skills/aws/aws-private-ca-issuer-review/references/workflow-and-output.md +214 -0
- package/skills/aws/aws-rds-aurora-performance-investigator/SKILL.md +3 -0
- package/skills/aws/aws-resilience-bcdr-review/SKILL.md +3 -0
- package/skills/aws/aws-s3-data-perimeter-governor/SKILL.md +3 -0
- package/skills/aws/aws-security-posture-hardening/SKILL.md +3 -0
- package/skills/aws/aws-serverless-production-readiness/SKILL.md +3 -0
- package/skills/aws/aws-serverless-rollout-corrector/SKILL.md +3 -0
- package/skills/aws/aws-solution-architect/SKILL.md +3 -0
- package/skills/aws/aws-ticket-triage-escalation-coordinator/SKILL.md +3 -0
- package/skills/azure/README.md +3 -1
- package/skills/azure/azure-ai-foundry-ops-governor/SKILL.md +3 -0
- package/skills/azure/azure-aks-platform-operator/SKILL.md +3 -0
- package/skills/azure/azure-app-service-production-readiness/SKILL.md +3 -0
- package/skills/azure/azure-cosmosdb-application-developer/SKILL.md +3 -0
- package/skills/azure/azure-cosmosdb-performance-investigator/SKILL.md +3 -0
- package/skills/azure/azure-cosmosdb-platform-operator/SKILL.md +3 -0
- package/skills/azure/azure-cost-estimation-review/SKILL.md +3 -0
- package/skills/azure/azure-cost-optimization-governor/SKILL.md +3 -0
- package/skills/azure/azure-entra-id-specialist/SKILL.md +3 -0
- package/skills/azure/azure-governance-policy-guardrails/SKILL.md +3 -0
- package/skills/azure/azure-identity-governance-review/SKILL.md +3 -0
- package/skills/azure/azure-key-vault-secret-lifecycle-auditor/SKILL.md +3 -0
- package/skills/azure/azure-keyvault-certificate-issuer-review/SKILL.md +40 -0
- package/skills/azure/azure-keyvault-certificate-issuer-review/metadata.json +20 -0
- package/skills/azure/azure-keyvault-certificate-issuer-review/references/workflow-and-output.md +190 -0
- package/skills/azure/azure-landing-zone-architect/SKILL.md +3 -0
- package/skills/azure/azure-live-aks-rollout-guard/SKILL.md +3 -0
- package/skills/azure/azure-live-app-service-slot-swap-guard/SKILL.md +3 -0
- package/skills/azure/azure-live-arm-deployment-stack-guard/SKILL.md +3 -0
- package/skills/azure/azure-live-cost-budget-action-guard/SKILL.md +3 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/SKILL.md +59 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/metadata.json +28 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/references/official-sources.md +21 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/references/permission-model.md +70 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/references/preflight-commands.md +69 -0
- package/skills/azure/azure-live-entra-role-assignment-guard/references/rollback-playbook.md +51 -0
- package/skills/azure/azure-live-keyvault-rotation-purge-guard/SKILL.md +3 -0
- package/skills/azure/azure-live-pim-jit-activation-guard/SKILL.md +3 -0
- package/skills/azure/azure-maestro/SKILL.md +3 -0
- package/skills/azure/azure-migrate-landing-zone-cutover/SKILL.md +3 -0
- package/skills/azure/azure-network-topology-review/SKILL.md +3 -0
- package/skills/azure/azure-observability-investigator/SKILL.md +3 -0
- package/skills/azure/azure-platform-automation-devops/SKILL.md +3 -0
- package/skills/azure/azure-private-endpoint-adoption-planner/SKILL.md +3 -0
- package/skills/azure/azure-rbac-review/SKILL.md +3 -0
- package/skills/azure/azure-resilience-bcdr-review/SKILL.md +3 -0
- package/skills/azure/azure-resource-health-incident-triage/SKILL.md +3 -0
- package/skills/azure/azure-role-selector/SKILL.md +3 -0
- package/skills/azure/azure-security-posture-hardening/SKILL.md +3 -0
- package/skills/azure/azure-subscription-resource-organization/SKILL.md +3 -0
- package/skills/backstage/backstage-scaffolder-template-review/SKILL.md +42 -0
- package/skills/backstage/backstage-scaffolder-template-review/metadata.json +21 -0
- package/skills/backstage/backstage-scaffolder-template-review/references/workflow-and-output.md +179 -0
- package/skills/cert-manager/cert-manager-issuer-trust-review/SKILL.md +43 -0
- package/skills/cert-manager/cert-manager-issuer-trust-review/metadata.json +22 -0
- package/skills/cert-manager/cert-manager-issuer-trust-review/references/workflow-and-output.md +222 -0
- package/skills/cilium/README.md +30 -0
- package/skills/cilium/cilium-network-policy-review/SKILL.md +46 -0
- package/skills/cilium/cilium-network-policy-review/metadata.json +30 -0
- package/skills/cilium/cilium-network-policy-review/references/mcp-and-evidence.md +52 -0
- package/skills/cilium/cilium-network-policy-review/references/official-sources.md +30 -0
- package/skills/cilium/cilium-network-policy-review/references/workflow-and-output.md +130 -0
- package/skills/falco/falco-runtime-threat-rules-review/SKILL.md +40 -0
- package/skills/falco/falco-runtime-threat-rules-review/metadata.json +22 -0
- package/skills/falco/falco-runtime-threat-rules-review/references/workflow-and-output.md +249 -0
- package/skills/finops/README.md +30 -0
- package/skills/finops/finops-cloud-price-advisor/SKILL.md +3 -0
- package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/SKILL.md +43 -0
- package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/metadata.json +22 -0
- package/skills/fluxcd/fluxcd-kustomization-helmrelease-review/references/workflow-and-output.md +243 -0
- package/skills/istio/README.md +28 -0
- package/skills/istio/istio-ambient-mesh-review/SKILL.md +46 -0
- package/skills/istio/istio-ambient-mesh-review/metadata.json +30 -0
- package/skills/istio/istio-ambient-mesh-review/references/mcp-and-evidence.md +59 -0
- package/skills/istio/istio-ambient-mesh-review/references/official-sources.md +32 -0
- package/skills/istio/istio-ambient-mesh-review/references/workflow-and-output.md +128 -0
- package/skills/kubernetes/README.md +30 -0
- package/skills/kubernetes/external-secrets-operator-review/SKILL.md +40 -0
- package/skills/kubernetes/external-secrets-operator-review/metadata.json +22 -0
- package/skills/kubernetes/external-secrets-operator-review/references/workflow-and-output.md +280 -0
- package/skills/kubernetes/kubecost-chargeback-allocation-review/SKILL.md +43 -0
- package/skills/kubernetes/kubecost-chargeback-allocation-review/metadata.json +22 -0
- package/skills/kubernetes/kubecost-chargeback-allocation-review/references/workflow-and-output.md +215 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/SKILL.md +60 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/metadata.json +27 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/official-sources.md +18 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/permission-model.md +78 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/preflight-commands.md +81 -0
- package/skills/kubernetes/kubernetes-live-rbac-mutation-guard/references/rollback-playbook.md +61 -0
- package/skills/kubernetes/kubernetes-maestro/SKILL.md +48 -0
- package/skills/kubernetes/kubernetes-maestro/metadata.json +24 -0
- package/skills/kubernetes/kubernetes-maestro/references/safety-checklist.md +78 -0
- package/skills/kubernetes/kubernetes-maestro/references/workflow-and-output.md +206 -0
- package/skills/kubernetes/kubernetes-pod-security-admission-review/SKILL.md +46 -0
- package/skills/kubernetes/kubernetes-pod-security-admission-review/metadata.json +28 -0
- package/skills/kubernetes/kubernetes-pod-security-admission-review/references/mcp-and-evidence.md +49 -0
- package/skills/kubernetes/kubernetes-pod-security-admission-review/references/official-sources.md +26 -0
- package/skills/kubernetes/kubernetes-pod-security-admission-review/references/workflow-and-output.md +129 -0
- package/skills/kubernetes/kubernetes-pod-spec-review/SKILL.md +41 -0
- package/skills/kubernetes/kubernetes-pod-spec-review/metadata.json +22 -0
- package/skills/kubernetes/kubernetes-pod-spec-review/references/workflow-and-output.md +229 -0
- package/skills/kubernetes/kubernetes-rbac-review/SKILL.md +41 -0
- package/skills/kubernetes/kubernetes-rbac-review/metadata.json +27 -0
- package/skills/kubernetes/kubernetes-rbac-review/references/mcp-and-evidence.md +34 -0
- package/skills/kubernetes/kubernetes-rbac-review/references/official-sources.md +22 -0
- package/skills/kubernetes/kubernetes-rbac-review/references/workflow-and-output.md +44 -0
- package/skills/kubernetes/kubernetes-workload-identity-review/SKILL.md +46 -0
- package/skills/kubernetes/kubernetes-workload-identity-review/metadata.json +29 -0
- package/skills/kubernetes/kubernetes-workload-identity-review/references/mcp-and-evidence.md +57 -0
- package/skills/kubernetes/kubernetes-workload-identity-review/references/official-sources.md +47 -0
- package/skills/kubernetes/kubernetes-workload-identity-review/references/workflow-and-output.md +166 -0
- package/skills/kyverno/README.md +30 -0
- package/skills/kyverno/kyverno-policy-review/SKILL.md +46 -0
- package/skills/kyverno/kyverno-policy-review/metadata.json +30 -0
- package/skills/kyverno/kyverno-policy-review/references/mcp-and-evidence.md +49 -0
- package/skills/kyverno/kyverno-policy-review/references/official-sources.md +31 -0
- package/skills/kyverno/kyverno-policy-review/references/workflow-and-output.md +106 -0
- package/skills/oci/README.md +63 -0
- package/skills/oci/oci-autonomous-database-architect/SKILL.md +3 -0
- package/skills/oci/oci-certificates-issuer-review/SKILL.md +40 -0
- package/skills/oci/oci-certificates-issuer-review/metadata.json +20 -0
- package/skills/oci/oci-certificates-issuer-review/references/workflow-and-output.md +207 -0
- package/skills/oci/oci-cloud-guard-responder/SKILL.md +3 -0
- package/skills/oci/oci-compute-instance-agent-operator/SKILL.md +3 -0
- package/skills/oci/oci-compute-platform-operator/SKILL.md +3 -0
- package/skills/oci/oci-cost-finops-analyst/SKILL.md +3 -0
- package/skills/oci/oci-database-platform-dba/SKILL.md +3 -0
- package/skills/oci/oci-dbtools-sql-analyst/SKILL.md +3 -0
- package/skills/oci/oci-devops-container-platform-engineer/SKILL.md +3 -0
- package/skills/oci/oci-exadata-database-architect/SKILL.md +3 -0
- package/skills/oci/oci-exadata-platform-architect/SKILL.md +3 -0
- package/skills/oci/oci-fusion-apps-environment-operator/SKILL.md +3 -0
- package/skills/oci/oci-goldengate-replication-operator/SKILL.md +3 -0
- package/skills/oci/oci-identity-access-governor/SKILL.md +3 -0
- package/skills/oci/oci-iot-digital-twin-engineer/SKILL.md +3 -0
- package/skills/oci/oci-limits-capacity-planner/SKILL.md +3 -0
- package/skills/oci/oci-live-autonomous-db-lifecycle-guard/SKILL.md +3 -0
- package/skills/oci/oci-live-cost-budget-runaway-guard/SKILL.md +3 -0
- package/skills/oci/oci-live-iam-policy-compartment-guard/SKILL.md +3 -0
- package/skills/oci/oci-live-network-security-rule-guard/SKILL.md +60 -0
- package/skills/oci/oci-live-network-security-rule-guard/metadata.json +28 -0
- package/skills/oci/oci-live-network-security-rule-guard/references/official-sources.md +21 -0
- package/skills/oci/oci-live-network-security-rule-guard/references/permission-model.md +65 -0
- package/skills/oci/oci-live-network-security-rule-guard/references/preflight-commands.md +69 -0
- package/skills/oci/oci-live-network-security-rule-guard/references/rollback-playbook.md +79 -0
- package/skills/oci/oci-live-oke-rollout-guard/SKILL.md +3 -0
- package/skills/oci/oci-live-resource-manager-stack-guard/SKILL.md +3 -0
- package/skills/oci/oci-live-vault-key-destruction-guard/SKILL.md +3 -0
- package/skills/oci/oci-load-balancer-traffic-engineer/SKILL.md +3 -0
- package/skills/oci/oci-maestro/SKILL.md +3 -0
- package/skills/oci/oci-migration-cutover-architect/SKILL.md +3 -0
- package/skills/oci/oci-multi-cloud-architect/SKILL.md +3 -0
- package/skills/oci/oci-mysql-heatwave-ai-specialist/SKILL.md +3 -0
- package/skills/oci/oci-network-architect/SKILL.md +3 -0
- package/skills/oci/oci-observability-incident-responder/SKILL.md +3 -0
- package/skills/oci/oci-recovery-service-operator/SKILL.md +3 -0
- package/skills/oci/oci-registry-artifact-governor/SKILL.md +3 -0
- package/skills/oci/oci-resource-search-inventory-analyst/SKILL.md +3 -0
- package/skills/oci/oci-security-compliance-reviewer/SKILL.md +3 -0
- package/skills/oci/oci-solution-architect/SKILL.md +3 -0
- package/skills/oci/oci-storage-backup-steward/SKILL.md +3 -0
- package/skills/oci/oci-support-incident-coordinator/SKILL.md +3 -0
- package/skills/oci/oracle-oci-mcp-grounded-advisor/SKILL.md +3 -0
- package/skills/opentelemetry/README.md +31 -0
- package/skills/opentelemetry/opentelemetry-collector-config-review/SKILL.md +47 -0
- package/skills/opentelemetry/opentelemetry-collector-config-review/metadata.json +30 -0
- package/skills/opentelemetry/opentelemetry-collector-config-review/references/mcp-and-evidence.md +49 -0
- package/skills/opentelemetry/opentelemetry-collector-config-review/references/official-sources.md +31 -0
- package/skills/opentelemetry/opentelemetry-collector-config-review/references/workflow-and-output.md +155 -0
- package/skills/prometheus/prometheus-alerting-cardinality-review/SKILL.md +41 -0
- package/skills/prometheus/prometheus-alerting-cardinality-review/metadata.json +22 -0
- package/skills/prometheus/prometheus-alerting-cardinality-review/references/workflow-and-output.md +221 -0
- package/skills/sigstore/sigstore-cosign-supply-chain-review/SKILL.md +42 -0
- package/skills/sigstore/sigstore-cosign-supply-chain-review/metadata.json +22 -0
- package/skills/sigstore/sigstore-cosign-supply-chain-review/references/workflow-and-output.md +196 -0
- package/skills/terraform/README.md +29 -0
- package/skills/terraform/terraform-maestro/SKILL.md +3 -0
- package/skills/velero/velero-backup-restore-guard/SKILL.md +44 -0
- package/skills/velero/velero-backup-restore-guard/metadata.json +21 -0
- package/skills/velero/velero-backup-restore-guard/references/safety-checklist.md +40 -0
- package/skills/velero/velero-backup-restore-guard/references/workflow-and-output.md +202 -0
|
@@ -0,0 +1,229 @@
|
|
|
1
|
+
# Workflow and Output Contract
|
|
2
|
+
|
|
3
|
+
## Review Workflow
|
|
4
|
+
|
|
5
|
+
### Step 1 — Identify the workload type
|
|
6
|
+
|
|
7
|
+
Determine whether the input is a Pod, Deployment, StatefulSet, DaemonSet, Job, or CronJob spec. The review scope differs:
|
|
8
|
+
|
|
9
|
+
- **Pod / Deployment** — full probe, resource, securityContext, topology spread review
|
|
10
|
+
- **StatefulSet** — same as Deployment plus PVC template review, ordered startup considerations
|
|
11
|
+
- **DaemonSet** — probe review less critical; focus on host namespace usage, privileged mode, resource limits
|
|
12
|
+
- **Job / CronJob** — no readiness probe required; focus on `activeDeadlineSeconds`, `backoffLimit`, resource limits
|
|
13
|
+
|
|
14
|
+
### Step 2 — Probe review
|
|
15
|
+
|
|
16
|
+
```yaml
|
|
17
|
+
# Minimum production-ready probe configuration
|
|
18
|
+
livenessProbe:
|
|
19
|
+
httpGet:
|
|
20
|
+
path: /healthz
|
|
21
|
+
port: 8080
|
|
22
|
+
initialDelaySeconds: 15
|
|
23
|
+
periodSeconds: 20
|
|
24
|
+
failureThreshold: 3 # >=3 to tolerate GC pauses
|
|
25
|
+
timeoutSeconds: 5
|
|
26
|
+
|
|
27
|
+
readinessProbe:
|
|
28
|
+
httpGet:
|
|
29
|
+
path: /ready
|
|
30
|
+
port: 8080
|
|
31
|
+
initialDelaySeconds: 10
|
|
32
|
+
periodSeconds: 10
|
|
33
|
+
failureThreshold: 3
|
|
34
|
+
timeoutSeconds: 3
|
|
35
|
+
|
|
36
|
+
startupProbe: # required if startup > 30s
|
|
37
|
+
httpGet:
|
|
38
|
+
path: /healthz
|
|
39
|
+
port: 8080
|
|
40
|
+
failureThreshold: 30 # 30 * periodSeconds(10) = 300s max startup
|
|
41
|
+
periodSeconds: 10
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
**Flags:**
|
|
45
|
+
- Missing `livenessProbe` on a long-running container — HIGH
|
|
46
|
+
- Missing `readinessProbe` on a Deployment that receives traffic — HIGH
|
|
47
|
+
- `livenessProbe.failureThreshold: 1` or `2` — HIGH (kills pod during GC pause)
|
|
48
|
+
- `readinessProbe.initialDelaySeconds` < known startup time — HIGH (probe fails before app ready)
|
|
49
|
+
- Missing `startupProbe` when app startup > 30s — MEDIUM
|
|
50
|
+
|
|
51
|
+
### Step 3 — Resource QoS review
|
|
52
|
+
|
|
53
|
+
```yaml
|
|
54
|
+
resources:
|
|
55
|
+
requests:
|
|
56
|
+
cpu: "250m"
|
|
57
|
+
memory: "256Mi"
|
|
58
|
+
limits:
|
|
59
|
+
cpu: "500m" # CPU limits cause throttling; consider removing if not required
|
|
60
|
+
memory: "512Mi"
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
**QoS tier resolution:**
|
|
64
|
+
|
|
65
|
+
| Condition | QoS Class | Risk |
|
|
66
|
+
|-----------|-----------|------|
|
|
67
|
+
| `requests == limits` for all containers | Guaranteed | Lowest eviction priority |
|
|
68
|
+
| `requests` set, `limits` not equal | Burstable | Evicted under node pressure |
|
|
69
|
+
| No `requests`, no `limits` | BestEffort | First evicted under any pressure |
|
|
70
|
+
|
|
71
|
+
**Flags:**
|
|
72
|
+
- No `resources.requests` — MEDIUM (BestEffort QoS, evicted first)
|
|
73
|
+
- `limits.memory` without `requests.memory` — MEDIUM (Burstable, OOM killed under node pressure)
|
|
74
|
+
- `limits.cpu` set to a value significantly lower than typical usage — MEDIUM (CPU throttle)
|
|
75
|
+
- Critical workload without Guaranteed QoS (`requests != limits`) — MEDIUM
|
|
76
|
+
|
|
77
|
+
### Step 4 — securityContext review
|
|
78
|
+
|
|
79
|
+
```yaml
|
|
80
|
+
# Pod-level
|
|
81
|
+
spec:
|
|
82
|
+
securityContext:
|
|
83
|
+
runAsNonRoot: true
|
|
84
|
+
runAsUser: 1000
|
|
85
|
+
seccompProfile:
|
|
86
|
+
type: RuntimeDefault # K8s 1.22+
|
|
87
|
+
|
|
88
|
+
# Container-level
|
|
89
|
+
containers:
|
|
90
|
+
- name: app
|
|
91
|
+
securityContext:
|
|
92
|
+
allowPrivilegeEscalation: false
|
|
93
|
+
readOnlyRootFilesystem: true
|
|
94
|
+
capabilities:
|
|
95
|
+
drop:
|
|
96
|
+
- ALL
|
|
97
|
+
add: [] # only add specific caps if truly required
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
**Flags:**
|
|
101
|
+
- Missing `runAsNonRoot: true` — HIGH (runs as root by default)
|
|
102
|
+
- `allowPrivilegeEscalation: true` or missing — HIGH
|
|
103
|
+
- Missing `readOnlyRootFilesystem: true` — MEDIUM (writable filesystem enables malware persistence)
|
|
104
|
+
- Missing `capabilities.drop: [ALL]` — MEDIUM
|
|
105
|
+
- `privileged: true` — CRITICAL (host-level access)
|
|
106
|
+
- Missing `seccompProfile` — LOW (defaults to unconfined syscall access)
|
|
107
|
+
|
|
108
|
+
### Step 5 — Image pull policy and tag review
|
|
109
|
+
|
|
110
|
+
```yaml
|
|
111
|
+
# Correct for digest-pinned images
|
|
112
|
+
image: myregistry/myapp@sha256:abc123...
|
|
113
|
+
imagePullPolicy: IfNotPresent
|
|
114
|
+
|
|
115
|
+
# Correct for latest or mutable tags
|
|
116
|
+
image: myregistry/myapp:latest
|
|
117
|
+
imagePullPolicy: Always
|
|
118
|
+
```
|
|
119
|
+
|
|
120
|
+
**Flags:**
|
|
121
|
+
- `latest` tag with `imagePullPolicy: IfNotPresent` — HIGH (stale image after first pull)
|
|
122
|
+
- `latest` tag at all — MEDIUM (non-deterministic deployments)
|
|
123
|
+
- No image digest pinning for critical workloads — LOW
|
|
124
|
+
|
|
125
|
+
### Step 6 — Secret and ConfigMap consumption review
|
|
126
|
+
|
|
127
|
+
```yaml
|
|
128
|
+
# PREFERRED: Volume mount (secret not in env, not in describe output)
|
|
129
|
+
volumes:
|
|
130
|
+
- name: db-creds
|
|
131
|
+
secret:
|
|
132
|
+
secretName: db-credentials
|
|
133
|
+
containers:
|
|
134
|
+
- volumeMounts:
|
|
135
|
+
- name: db-creds
|
|
136
|
+
mountPath: /etc/secrets
|
|
137
|
+
readOnly: true
|
|
138
|
+
|
|
139
|
+
# ACCEPTABLE: Specific env var from secret key
|
|
140
|
+
env:
|
|
141
|
+
- name: DB_PASSWORD
|
|
142
|
+
valueFrom:
|
|
143
|
+
secretKeyRef:
|
|
144
|
+
name: db-credentials
|
|
145
|
+
key: password
|
|
146
|
+
|
|
147
|
+
# AVOID: Bulk-mount exposes ALL secret keys including unused ones
|
|
148
|
+
envFrom:
|
|
149
|
+
- secretRef:
|
|
150
|
+
name: db-credentials
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
**Flags:**
|
|
154
|
+
- `envFrom.secretRef` bulk-mount — MEDIUM (all keys exposed to process env and kubectl describe)
|
|
155
|
+
- `env.valueFrom.secretKeyRef` — ACCEPTABLE (only named key exposed)
|
|
156
|
+
- Secret as environment variable (either method) — NOTE (appears in /proc/self/environ)
|
|
157
|
+
|
|
158
|
+
### Step 7 — Topology spread and affinity review
|
|
159
|
+
|
|
160
|
+
```yaml
|
|
161
|
+
# Preferred: topology spread (K8s 1.19+)
|
|
162
|
+
topologySpreadConstraints:
|
|
163
|
+
- maxSkew: 1
|
|
164
|
+
topologyKey: topology.kubernetes.io/zone
|
|
165
|
+
whenUnsatisfiable: DoNotSchedule
|
|
166
|
+
labelSelector:
|
|
167
|
+
matchLabels:
|
|
168
|
+
app: myapp
|
|
169
|
+
|
|
170
|
+
# Also check podAntiAffinity for legacy configs
|
|
171
|
+
affinity:
|
|
172
|
+
podAntiAffinity:
|
|
173
|
+
preferredDuringSchedulingIgnoredDuringExecution:
|
|
174
|
+
- weight: 100
|
|
175
|
+
podAffinityTerm:
|
|
176
|
+
topologyKey: kubernetes.io/hostname
|
|
177
|
+
labelSelector:
|
|
178
|
+
matchLabels:
|
|
179
|
+
app: myapp
|
|
180
|
+
```
|
|
181
|
+
|
|
182
|
+
**Flags:**
|
|
183
|
+
- Multi-replica Deployment (>1 replica) with no `topologySpreadConstraints` and no `podAntiAffinity` — MEDIUM
|
|
184
|
+
- `topologySpreadConstraints` present but `topologyKey: kubernetes.io/hostname` only (no zone spread) — LOW
|
|
185
|
+
- `whenUnsatisfiable: ScheduleAnyway` on a critical workload — LOW (spread not enforced)
|
|
186
|
+
|
|
187
|
+
### Step 8 — Termination grace period review
|
|
188
|
+
|
|
189
|
+
```yaml
|
|
190
|
+
spec:
|
|
191
|
+
terminationGracePeriodSeconds: 60 # increase for gRPC, database draining
|
|
192
|
+
```
|
|
193
|
+
|
|
194
|
+
**Flags:**
|
|
195
|
+
- Default 30s for gRPC servers with long-lived streams — MEDIUM
|
|
196
|
+
- Default 30s for database pods (PostgreSQL, MySQL) that need checkpoint time — MEDIUM
|
|
197
|
+
- `terminationGracePeriodSeconds: 0` — HIGH (immediate SIGKILL, no graceful shutdown)
|
|
198
|
+
|
|
199
|
+
---
|
|
200
|
+
|
|
201
|
+
## Output Format
|
|
202
|
+
|
|
203
|
+
Return findings in this structure:
|
|
204
|
+
|
|
205
|
+
### Finding: `<short title>`
|
|
206
|
+
|
|
207
|
+
| Field | Value |
|
|
208
|
+
|-------|-------|
|
|
209
|
+
| Severity | CRITICAL / HIGH / MEDIUM / LOW |
|
|
210
|
+
| Field path | `spec.containers[0].livenessProbe` |
|
|
211
|
+
| Evidence | documentation-based / live evidence / inference |
|
|
212
|
+
| Description | What is wrong and why it matters |
|
|
213
|
+
| Remediation | YAML snippet or command |
|
|
214
|
+
|
|
215
|
+
---
|
|
216
|
+
|
|
217
|
+
### Overall Verdict
|
|
218
|
+
|
|
219
|
+
| Category | Status |
|
|
220
|
+
|----------|--------|
|
|
221
|
+
| Probes | PASS / FAIL |
|
|
222
|
+
| Resource QoS | PASS / FAIL |
|
|
223
|
+
| Security context | PASS / FAIL |
|
|
224
|
+
| Image hygiene | PASS / FAIL |
|
|
225
|
+
| Secret consumption | PASS / FAIL |
|
|
226
|
+
| Topology spread | PASS / FAIL |
|
|
227
|
+
| Termination grace | PASS / FAIL |
|
|
228
|
+
|
|
229
|
+
**Production-ready:** YES / NO / CONDITIONAL (list conditions)
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: kubernetes-rbac-review
|
|
3
|
+
description: Use this skill for Kubernetes RBAC, Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount, workload identity, or least-privilege review tasks. Trigger when the user asks whether cluster access is too broad, how to grant workload permissions safely, or how to audit RBAC state.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: github: Raishin
|
|
7
|
+
version: 0.1.0
|
|
8
|
+
updated: "2026-05-05"
|
|
9
|
+
category: security
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Kubernetes RBAC Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Review Kubernetes RBAC objects — Roles, ClusterRoles, RoleBindings, ClusterRoleBindings, and ServiceAccounts — against least privilege, namespace scope minimization, and operational safety.
|
|
17
|
+
|
|
18
|
+
## Lean operating rules
|
|
19
|
+
|
|
20
|
+
- Prefer live cluster evidence (`kubectl auth can-i`, `kubectl get rolebinding`, audit logs) when the active client exposes it; otherwise fall back to official Kubernetes documentation and sanitized user evidence.
|
|
21
|
+
- Separate confirmed facts from inference. If state was not queried or shown, say so.
|
|
22
|
+
- Challenge cluster-scoped access granted to workloads that only need namespace-scoped access.
|
|
23
|
+
- Challenge wildcard verbs (`*`), wildcard resources (`*`), and wildcard API groups (`*`) unless explicitly justified.
|
|
24
|
+
- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
|
|
25
|
+
|
|
26
|
+
## References
|
|
27
|
+
|
|
28
|
+
Load these only when needed:
|
|
29
|
+
|
|
30
|
+
- [Evidence path and tooling](references/mcp-and-evidence.md) — use when choosing live cluster evidence, confirming MCP capability, or switching to documentation mode.
|
|
31
|
+
- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review, applying stress checks, or formatting the final answer.
|
|
32
|
+
- [Official sources](references/official-sources.md) — use when you need the detailed Kubernetes documentation list or source notes.
|
|
33
|
+
|
|
34
|
+
## Response minimum
|
|
35
|
+
|
|
36
|
+
Return, at minimum:
|
|
37
|
+
|
|
38
|
+
- the scoped target and evidence level,
|
|
39
|
+
- the main risks or control gaps,
|
|
40
|
+
- the safest next actions,
|
|
41
|
+
- the assumptions or blockers that prevent stronger conclusions.
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "kubernetes-rbac-review",
|
|
3
|
+
"name": "Kubernetes RBAC Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "kubernetes",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"codex",
|
|
8
|
+
"claude-code",
|
|
9
|
+
"cursor",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Review Kubernetes Roles, ClusterRoles, RoleBindings, ClusterRoleBindings, and ServiceAccounts for least-privilege, namespace-scope, and workload identity safety.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
|
|
18
|
+
"https://kubernetes.io/docs/concepts/security/rbac-good-practices/",
|
|
19
|
+
"https://kubernetes.io/docs/reference/access-authn-authz/authorization/",
|
|
20
|
+
"https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
|
|
21
|
+
],
|
|
22
|
+
"security_notes": "Do not recommend ClusterAdmin or wildcard bindings unless explicitly justified. Prefer namespace-scoped Roles over ClusterRoles for workloads that do not need cluster-wide access. Do not auto-mount service account tokens unless the workload requires API server access.",
|
|
23
|
+
"last_verified": "2026-05-01",
|
|
24
|
+
"path": "skills/kubernetes/kubernetes-rbac-review",
|
|
25
|
+
"author": "github: Raishin",
|
|
26
|
+
"version": "0.1.0"
|
|
27
|
+
}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
# Evidence Path and Tooling
|
|
2
|
+
|
|
3
|
+
## Evidence path
|
|
4
|
+
|
|
5
|
+
1. Prefer live cluster evidence when the active client exposes relevant Kubernetes MCP capabilities or a working `kubectl` context.
|
|
6
|
+
2. Fall back to official Kubernetes documentation when live inspection is unavailable, incomplete, or unsafe.
|
|
7
|
+
3. Ask only for sanitized RBAC YAML or `kubectl` output when current-state proof matters.
|
|
8
|
+
4. Label conclusions as `live evidence`, `documentation-based`, `sanitized user evidence`, or `inference`.
|
|
9
|
+
|
|
10
|
+
## Useful live-evidence commands
|
|
11
|
+
|
|
12
|
+
```shell
|
|
13
|
+
# List all RoleBindings in a namespace
|
|
14
|
+
kubectl get rolebindings -n <namespace> -o yaml
|
|
15
|
+
|
|
16
|
+
# List all ClusterRoleBindings
|
|
17
|
+
kubectl get clusterrolebindings -o yaml
|
|
18
|
+
|
|
19
|
+
# Check effective permissions for a ServiceAccount
|
|
20
|
+
kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<sa-name>
|
|
21
|
+
|
|
22
|
+
# Check a specific verb/resource
|
|
23
|
+
kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<sa-name> -n <namespace>
|
|
24
|
+
|
|
25
|
+
# Describe a Role or ClusterRole
|
|
26
|
+
kubectl describe role <name> -n <namespace>
|
|
27
|
+
kubectl describe clusterrole <name>
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
## Platform-agnostic execution
|
|
31
|
+
|
|
32
|
+
- Keep examples neutral with placeholders until the user's cluster context and toolchain are known.
|
|
33
|
+
- Do not request kubeconfig files, bearer tokens, service account JWT tokens, or cloud-provider credentials in chat.
|
|
34
|
+
- If a Kubernetes MCP server or kubectl is unavailable, say so and fall back to reviewing sanitized YAML provided by the user.
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
# Official Sources
|
|
2
|
+
|
|
3
|
+
Load these only when needed:
|
|
4
|
+
|
|
5
|
+
- [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) — use for Role, ClusterRole, RoleBinding, ClusterRoleBinding structure, aggregation rules, default roles, and `kubectl auth` usage.
|
|
6
|
+
- [RBAC Good Practices](https://kubernetes.io/docs/concepts/security/rbac-good-practices/) — use for least privilege, wildcard cautions, privilege escalation paths, impersonation risks, and workload namespace isolation.
|
|
7
|
+
- [Authorization Overview](https://kubernetes.io/docs/reference/access-authn-authz/authorization/) — use when confirming how Kubernetes evaluates requests and which authorizers are stacked.
|
|
8
|
+
- [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) — use for `automountServiceAccountToken`, dedicated ServiceAccount patterns, and token projection.
|
|
9
|
+
- [Kubernetes Security Checklist](https://kubernetes.io/docs/concepts/security/security-checklist/) — use for a holistic posture check covering RBAC alongside admission, network policies, and pod security.
|
|
10
|
+
- [Bound Service Account Tokens](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-tokens) — use when reviewing projected token lifetimes, audience binding, and migration from legacy auto-mounted tokens.
|
|
11
|
+
|
|
12
|
+
## Grounded insights worth carrying into the skill
|
|
13
|
+
|
|
14
|
+
- Kubernetes RBAC is additive: there are no deny rules. Any binding that grants a permission cannot be overridden by another binding.
|
|
15
|
+
- `pods/exec` and `pods/attach` are equivalent to remote-shell access on any pod; treat both as high-severity grants requiring explicit justification.
|
|
16
|
+
- `pods/portforward` tunnels arbitrary TCP to pod ports; treat as high-severity for database and internal-service workloads.
|
|
17
|
+
- `nodes/proxy` grants proxy access to the kubelet API on every node — this is effectively cluster-admin for node-level operations and is rarely justified for any non-system workload.
|
|
18
|
+
- `secrets` `get`/`list` access at ClusterRole scope means reading every secret in every namespace — almost always over-privileged for a workload.
|
|
19
|
+
- `escalate` on roles/clusterroles, `bind` on bindings, and `impersonate` on users/groups/serviceaccounts are Kubernetes' three dedicated privilege-escalation verbs. Any Role that grants these is high severity regardless of other verb restrictions — they allow the holder to exceed their own permission set.
|
|
20
|
+
- The `system:masters` group bypasses all RBAC checks, including admission webhooks; never bind real workloads to it.
|
|
21
|
+
- Aggregated ClusterRoles (`aggregationRule`) inherit rules from any ClusterRole that matches the label selector — third-party operators can silently expand them.
|
|
22
|
+
- Setting `automountServiceAccountToken: false` on the ServiceAccount (or the Pod spec) is the correct default for workloads that do not call the Kubernetes API.
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# Workflow and Output Contract
|
|
2
|
+
|
|
3
|
+
## Workflow
|
|
4
|
+
|
|
5
|
+
1. Identify the target: namespace-scoped Role/RoleBinding or cluster-scoped ClusterRole/ClusterRoleBinding.
|
|
6
|
+
2. Identify the principal: ServiceAccount, user, or Group (including `system:` groups).
|
|
7
|
+
3. Prefer namespace-scoped Roles before ClusterRoles when the workload only operates in one namespace.
|
|
8
|
+
4. Challenge dangerous defaults:
|
|
9
|
+
- `cluster-admin` ClusterRoleBinding for any non-infrastructure workload,
|
|
10
|
+
- Wildcard verbs (`*`) or wildcard resources (`*`) in any Role or ClusterRole,
|
|
11
|
+
- Wildcard API groups (`*`) that grant cross-group access,
|
|
12
|
+
- Binding to the `default` ServiceAccount (shared blast radius),
|
|
13
|
+
- `automountServiceAccountToken: true` (default) on pods that do not need API server access,
|
|
14
|
+
- ClusterRoleBindings where a RoleBinding to a namespaced ClusterRole would suffice,
|
|
15
|
+
- Aggregated ClusterRoles with labels that may attract unexpected rules from third-party operators.
|
|
16
|
+
5. **Check privilege-escalation verbs explicitly** — these three verbs bypass Kubernetes' own escalation prevention controls and must be flagged as high severity whenever present:
|
|
17
|
+
- `escalate` on `clusterroles` or `roles` — allows granting permissions the subject does not itself hold; the textbook Kubernetes privilege escalation path,
|
|
18
|
+
- `bind` on `clusterroles`, `roles`, `clusterrolebindings`, or `rolebindings` — allows creating bindings to roles the subject is not bound to,
|
|
19
|
+
- `impersonate` on `users`, `groups`, or `serviceaccounts` — allows acting as any other identity, bypassing all authentication controls.
|
|
20
|
+
6. Check whether RBAC controls reach high-severity resources:
|
|
21
|
+
- `secrets` (get/list at ClusterRole scope = read every secret cluster-wide),
|
|
22
|
+
- `pods/exec` and `pods/attach` (interactive shell on any pod — same severity),
|
|
23
|
+
- `pods/portforward` (tunnel to pod ports),
|
|
24
|
+
- `nodes/proxy` (proxy to kubelet API on every node — effectively cluster-admin for node operations),
|
|
25
|
+
- `nodes`, `namespaces`, `clusterroles`, `clusterrolebindings`.
|
|
26
|
+
7. Stress-test operational hygiene:
|
|
27
|
+
- prefer dedicated ServiceAccounts per workload over shared accounts,
|
|
28
|
+
- prefer explicit `resources` lists over wildcards,
|
|
29
|
+
- prefer explicit `verbs` lists (`get`, `list`, `watch`) over `*`,
|
|
30
|
+
- challenge escalation paths: can the bound account create/update Roles or RoleBindings?
|
|
31
|
+
|
|
32
|
+
## Output
|
|
33
|
+
|
|
34
|
+
Return:
|
|
35
|
+
|
|
36
|
+
- current access summary,
|
|
37
|
+
- risk findings (with severity: high / medium / low),
|
|
38
|
+
- least-privilege alternative,
|
|
39
|
+
- validation commands or manifest corrections,
|
|
40
|
+
- assumptions and missing facts.
|
|
41
|
+
|
|
42
|
+
## Security notes
|
|
43
|
+
|
|
44
|
+
Do not suggest `cluster-admin` bindings or wildcard grants unless the user has explicitly justified the blast radius and there is no namespace-scoped alternative.
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: kubernetes-workload-identity-review
|
|
3
|
+
description: Use this skill for Kubernetes workload identity review covering AWS IRSA (IAM Roles for Service Accounts), Azure Workload Identity, GCP Workload Identity Federation, and the underlying ServiceAccount token volume projection plus OIDC issuer trust. Trigger when the user asks how a pod should authenticate to cloud services, whether long-lived credentials in a Secret can be replaced, whether the OIDC trust policy is correctly scoped, or whether ServiceAccount token reuse is a risk.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-05-05"
|
|
9
|
+
category: security
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Kubernetes Workload Identity Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Review how pods authenticate to cloud services. Long-lived static credentials in Secrets are the largest unmanaged credential surface in most Kubernetes deployments. Workload identity replaces them with short-lived federated tokens via the cluster's OIDC issuer. The review covers ServiceAccount token projection, OIDC issuer trust policy, the cloud-provider IAM mapping, and the runtime check that the pod is actually using the federated token rather than falling back to a static credential.
|
|
17
|
+
|
|
18
|
+
## Lean operating rules
|
|
19
|
+
|
|
20
|
+
- Prefer live cluster evidence (`kubectl get serviceaccount,pods -A -o yaml` plus the cluster's OIDC issuer URL and the cloud-provider IAM trust policy) when the active client exposes it; otherwise fall back to official cloud-provider and Kubernetes documentation.
|
|
21
|
+
- Separate confirmed facts from inference. If the OIDC issuer URL, IAM trust policy, or pod's projected token volume was not queried, say so.
|
|
22
|
+
- Treat **a Pod with both a workload-identity ServiceAccount AND a long-lived credential Secret mounted** as a critical finding — credential precedence often falls back to the static credential, defeating the migration.
|
|
23
|
+
- Treat an **OIDC trust policy with `StringEquals` on `aud` but `StringLike` (wildcard) on `sub`** as a critical finding — any ServiceAccount in the cluster can assume the role.
|
|
24
|
+
- Treat **`automountServiceAccountToken: true` on pods that don't use the Kubernetes API** as a high finding — token is mounted and exfiltratable, even when not used.
|
|
25
|
+
- Challenge ServiceAccount tokens with no `audiences` claim — projected tokens should target a specific cloud audience (`sts.amazonaws.com`, `api://AzureADTokenExchange`, `https://iam.googleapis.com/projects/.../workloadIdentityPools/...`).
|
|
26
|
+
- Challenge token expiry windows longer than 1 hour — projected tokens should be short-lived.
|
|
27
|
+
- Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns.
|
|
28
|
+
|
|
29
|
+
## References
|
|
30
|
+
|
|
31
|
+
Load these only when needed:
|
|
32
|
+
|
|
33
|
+
- [Evidence path and tooling](references/mcp-and-evidence.md) — use when choosing live evidence, confirming OIDC issuer and IAM trust state, or switching to documentation mode.
|
|
34
|
+
- [Workflow and output contract](references/workflow-and-output.md) — use when executing the full review, applying provider-specific stress checks, or formatting the final answer.
|
|
35
|
+
- [Official sources](references/official-sources.md) — use when you need the detailed AWS / Azure / GCP / Kubernetes documentation list and grounded insights.
|
|
36
|
+
|
|
37
|
+
## Response minimum
|
|
38
|
+
|
|
39
|
+
Return, at minimum:
|
|
40
|
+
|
|
41
|
+
- the cloud provider (AWS, Azure, GCP, or generic OIDC) and evidence level,
|
|
42
|
+
- the ServiceAccount → IAM identity binding (annotation, label, or trust policy claim) and whether it is correctly scoped,
|
|
43
|
+
- the OIDC trust policy scope (`aud`, `sub`, `iss`) — must constrain to a specific ServiceAccount,
|
|
44
|
+
- whether long-lived credentials still exist anywhere in the workload (Secret mounts, env vars, sidecars),
|
|
45
|
+
- the safest next actions and rollback plan,
|
|
46
|
+
- the assumptions or blockers that prevent stronger conclusions.
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "kubernetes-workload-identity-review",
|
|
3
|
+
"name": "Kubernetes Workload Identity Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "kubernetes",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"codex",
|
|
8
|
+
"claude-code",
|
|
9
|
+
"cursor",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Review Kubernetes workload identity bindings across AWS IRSA, Azure Workload Identity, GCP Workload Identity Federation, and the underlying ServiceAccount projected token model with OIDC issuer trust scope and short-lived federation.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
|
|
18
|
+
"https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/",
|
|
19
|
+
"https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html",
|
|
20
|
+
"https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview",
|
|
21
|
+
"https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity",
|
|
22
|
+
"https://openid.net/specs/openid-connect-core-1_0.html"
|
|
23
|
+
],
|
|
24
|
+
"security_notes": "Workload identity OIDC trust policy with wildcard sub claim allows any ServiceAccount in the cluster to assume the role. Pods with both a workload-identity SA and a long-lived credential Secret typically fall back to the static credential. Tokens with audiences not pinned to the cloud target are reusable elsewhere.",
|
|
25
|
+
"last_verified": "2026-05-01",
|
|
26
|
+
"path": "skills/kubernetes/kubernetes-workload-identity-review",
|
|
27
|
+
"author": "github: Raishin",
|
|
28
|
+
"version": "0.1.0"
|
|
29
|
+
}
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
# Evidence Path and Tooling
|
|
2
|
+
|
|
3
|
+
## Evidence path
|
|
4
|
+
|
|
5
|
+
1. Prefer live cluster evidence (`kubectl`) plus the cloud-provider's CLI (`aws`, `az`, `gcloud`) or MCP server when available.
|
|
6
|
+
2. Fall back to official documentation: Kubernetes ServiceAccount admin, AWS IRSA, Azure Workload Identity, GCP Workload Identity Federation.
|
|
7
|
+
3. Ask only for sanitized ServiceAccount, Pod, and trust policy YAML/JSON, plus the cluster's OIDC issuer URL.
|
|
8
|
+
4. Label conclusions as `live evidence`, `documentation-based`, `sanitized user evidence`, or `inference`.
|
|
9
|
+
|
|
10
|
+
## Useful live-evidence commands
|
|
11
|
+
|
|
12
|
+
```shell
|
|
13
|
+
# ServiceAccount with workload identity annotations
|
|
14
|
+
kubectl get serviceaccount -A -o yaml | grep -A2 -E 'eks\.amazonaws\.com/role-arn|azure\.workload\.identity/client-id|iam\.gke\.io/gcp-service-account'
|
|
15
|
+
|
|
16
|
+
# Pod's projected ServiceAccount token volume
|
|
17
|
+
kubectl get pod <pod> -n <ns> -o yaml | grep -A20 'projected:'
|
|
18
|
+
|
|
19
|
+
# Verify pod is consuming the projected token
|
|
20
|
+
kubectl exec -it <pod> -n <ns> -- ls -la /var/run/secrets/tokens/
|
|
21
|
+
kubectl exec -it <pod> -n <ns> -- cat /var/run/secrets/tokens/<audience-token>
|
|
22
|
+
|
|
23
|
+
# Cluster OIDC issuer (each cluster has one — IAM trusts it)
|
|
24
|
+
# AWS EKS:
|
|
25
|
+
aws eks describe-cluster --name <cluster> --query "cluster.identity.oidc.issuer" --output text
|
|
26
|
+
# Azure AKS:
|
|
27
|
+
az aks show --resource-group <rg> --name <cluster> --query "oidcIssuerProfile.issuerUrl" --output tsv
|
|
28
|
+
# GKE:
|
|
29
|
+
gcloud container clusters describe <cluster> --location <location> --format='value(workloadIdentityConfig.workloadPool)'
|
|
30
|
+
|
|
31
|
+
# Confirm there's no static credential alongside
|
|
32
|
+
kubectl exec -it <pod> -n <ns> -- env | grep -E 'AWS_ACCESS_KEY_ID|AZURE_CLIENT_SECRET|GOOGLE_APPLICATION_CREDENTIALS'
|
|
33
|
+
kubectl exec -it <pod> -n <ns> -- ls /var/run/secrets/
|
|
34
|
+
|
|
35
|
+
# AWS — view IAM role trust policy
|
|
36
|
+
aws iam get-role --role-name <role-name> --query 'Role.AssumeRolePolicyDocument'
|
|
37
|
+
|
|
38
|
+
# Azure — view federated identity credentials on the user-assigned managed identity
|
|
39
|
+
az identity federated-credential list --identity-name <mi> --resource-group <rg>
|
|
40
|
+
|
|
41
|
+
# GCP — view IAM policy on the service account
|
|
42
|
+
gcloud iam service-accounts get-iam-policy <gsa>@<project>.iam.gserviceaccount.com
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
## Cluster state to confirm before review
|
|
46
|
+
|
|
47
|
+
- **OIDC issuer enabled** on the cluster (provider-specific switch).
|
|
48
|
+
- **OIDC issuer URL** — IAM trust policies key off this URL.
|
|
49
|
+
- **Webhook installed** for the workload identity model (AWS Pod Identity Webhook, Azure Workload Identity admission webhook, GKE built-in).
|
|
50
|
+
- **Default audience** for the cluster (cloud-specific): `sts.amazonaws.com` on AWS, `api://AzureADTokenExchange` on Azure, `<workload-identity-pool-name>` on GCP.
|
|
51
|
+
- **Service account → IAM mapping mechanism**: annotation, label, federated identity credential, or IAM policy binding.
|
|
52
|
+
|
|
53
|
+
## Sanitization rules
|
|
54
|
+
|
|
55
|
+
- Never request kubeconfig contents, IAM access keys, Azure client secrets, GCP service account JSON keys.
|
|
56
|
+
- Replace identifiable cluster URLs, account IDs, tenant IDs, and project IDs with placeholders unless the user provides them.
|
|
57
|
+
- Do not print projected ServiceAccount token JWTs; reference the file path and audience claim only.
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
# Official Sources
|
|
2
|
+
|
|
3
|
+
Load these only when needed:
|
|
4
|
+
|
|
5
|
+
## Kubernetes core
|
|
6
|
+
|
|
7
|
+
- [Configure ServiceAccounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) — use for `automountServiceAccountToken`, projected token volumes, and dedicated SA patterns.
|
|
8
|
+
- [ServiceAccount admin guide](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/) — use for bound ServiceAccount tokens, audience binding, and migration from legacy auto-mounted tokens.
|
|
9
|
+
- [TokenRequest API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) — use when reviewing custom code that calls `TokenRequest` for bespoke token issuance.
|
|
10
|
+
- [OIDC issuer discovery](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) — use when the cluster's own OIDC issuer is consumed by external trust policies.
|
|
11
|
+
|
|
12
|
+
## AWS IRSA
|
|
13
|
+
|
|
14
|
+
- [IAM Roles for Service Accounts overview](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) — use as the entry point for IRSA.
|
|
15
|
+
- [IRSA technical deep dive](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html) — use for the OIDC trust policy structure (`Federated`, `Condition.StringEquals` on `aud` and `sub`) and the AssumeRoleWithWebIdentity flow.
|
|
16
|
+
- [Configuring IRSA pod identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html) — use for the ServiceAccount annotation, env injection, and credential-chain interaction.
|
|
17
|
+
- [EKS Pod Identity (the newer alternative)](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) — use when the cluster has migrated to EKS Pod Identity instead of IRSA; the trust model is different.
|
|
18
|
+
|
|
19
|
+
## Azure Workload Identity
|
|
20
|
+
|
|
21
|
+
- [Azure Workload Identity overview](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview) — use for the federated identity credential model and AKS-specific configuration.
|
|
22
|
+
- [Workload Identity deploy and configure](https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster) — use for OIDC issuer enablement, webhook installation, and the ServiceAccount/Pod label/annotation set.
|
|
23
|
+
- [Federated identity credentials on a user-assigned managed identity](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation) — use for the issuer/subject/audience trust scope.
|
|
24
|
+
|
|
25
|
+
## GCP Workload Identity Federation
|
|
26
|
+
|
|
27
|
+
- [GKE Workload Identity overview](https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity) — use for KSA → GSA mapping via `iam.gke.io/gcp-service-account` annotation and the `roles/iam.workloadIdentityUser` IAM binding.
|
|
28
|
+
- [GKE Workload Identity setup](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) — use for cluster-level config and migration steps.
|
|
29
|
+
- [Workload Identity Federation (non-GKE)](https://cloud.google.com/iam/docs/workload-identity-federation) — use when the workload runs outside GKE but federates to GCP IAM.
|
|
30
|
+
|
|
31
|
+
## Specifications
|
|
32
|
+
|
|
33
|
+
- [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) — use for the standard claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`) that all three providers verify.
|
|
34
|
+
- [JSON Web Token (JWT) — RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519) — use for token structure and validation.
|
|
35
|
+
|
|
36
|
+
## Grounded insights worth carrying into the skill
|
|
37
|
+
|
|
38
|
+
- Workload identity replaces long-lived static credentials with short-lived federated tokens issued by the cluster's OIDC issuer. The cloud's IAM trusts the cluster's OIDC issuer URL and the trust policy narrows on `iss`, `aud`, `sub` claims.
|
|
39
|
+
- The most-cited trust-policy mistake across all three providers is a wildcard in `sub` (AWS), `subject` (Azure), or member set (GCP). Wildcards mean any ServiceAccount in scope can assume the cloud identity.
|
|
40
|
+
- Cloud SDK credential chains explain why workloads frequently keep using static credentials after a workload identity migration. The SDK searches for credentials in a fixed order (env vars → file → instance metadata → web identity); whichever is found first wins. Leaving a static credential anywhere in the chain defeats the migration.
|
|
41
|
+
- The Kubernetes-native primitive under all three flavors is the **projected ServiceAccount token volume** with `audience` and `expirationSeconds`. The cloud webhook (AWS Pod Identity Webhook, Azure Workload Identity admission webhook) automates the projection setup.
|
|
42
|
+
- AWS IRSA injects `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` env vars into pods whose ServiceAccount carries the `eks.amazonaws.com/role-arn` annotation. The AWS SDK then calls `sts:AssumeRoleWithWebIdentity` to exchange the projected JWT for IAM credentials.
|
|
43
|
+
- Azure Workload Identity requires both a label on the ServiceAccount AND a label on the Pod (`azure.workload.identity/use: "true"`). Forgetting the Pod label is a frequent silent failure — the SDK falls back to other auth modes.
|
|
44
|
+
- GKE Workload Identity uses a metadata-server proxy on each node. SDK calls to `metadata.google.internal` are intercepted and federated to the bound GSA. There is no token file mounted into the pod.
|
|
45
|
+
- Projected ServiceAccount tokens are auto-rotated by the kubelet at ~50% of `expirationSeconds`. Long-running SDK clients must read the token file dynamically, not cache it.
|
|
46
|
+
- EKS Pod Identity is AWS's newer alternative to IRSA. It uses a node-level agent and a different trust model (no OIDC trust policy on the IAM role; instead a Pod Identity Association resource). Reviews must distinguish which model is in use because the controls are different.
|
|
47
|
+
- Setting `automountServiceAccountToken: false` on the ServiceAccount is the correct safer default for workloads that do not call the Kubernetes API. Pod spec overrides this; the override is the failure mode.
|