blockmine 1.24.0 → 1.25.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +32 -0
- package/README.en.md +427 -0
- package/README.md +40 -0
- package/backend/cli.js +1 -1
- package/backend/src/ai/plugin-assistant-system-prompt.md +664 -5
- package/backend/src/api/routes/bots.js +13 -0
- package/backend/src/api/routes/servers.js +14 -2
- package/backend/src/core/BotProcess.js +98 -2
- package/backend/src/core/PluginLoader.js +83 -3
- package/backend/src/core/PluginManager.js +75 -5
- package/backend/src/core/services/BotLifecycleService.js +186 -2
- package/backend/src/server.js +11 -1
- package/frontend/dist/assets/browser-ponyfill-DN7pwmHT.js +2 -0
- package/frontend/dist/assets/index-LSy71uwm.js +11261 -0
- package/frontend/dist/assets/index-SfhKxI4-.css +32 -0
- package/frontend/dist/flags/en.svg +32 -0
- package/frontend/dist/flags/ru.svg +5 -0
- package/frontend/dist/index.html +2 -2
- package/frontend/dist/locales/en/admin.json +100 -0
- package/frontend/dist/locales/en/api-keys.json +58 -0
- package/frontend/dist/locales/en/bots.json +110 -0
- package/frontend/dist/locales/en/common.json +47 -0
- package/frontend/dist/locales/en/configuration.json +22 -0
- package/frontend/dist/locales/en/console.json +10 -0
- package/frontend/dist/locales/en/dashboard.json +85 -0
- package/frontend/dist/locales/en/dialogs.json +70 -0
- package/frontend/dist/locales/en/event-graphs.json +50 -0
- package/frontend/dist/locales/en/graph-store.json +70 -0
- package/frontend/dist/locales/en/login.json +34 -0
- package/frontend/dist/locales/en/management.json +114 -0
- package/frontend/dist/locales/en/minecraft-viewer.json +27 -0
- package/frontend/dist/locales/en/nodes.json +1077 -0
- package/frontend/dist/locales/en/permissions.json +50 -0
- package/frontend/dist/locales/en/plugin-detail.json +49 -0
- package/frontend/dist/locales/en/plugins.json +110 -0
- package/frontend/dist/locales/en/proxies.json +81 -0
- package/frontend/dist/locales/en/servers.json +39 -0
- package/frontend/dist/locales/en/setup.json +17 -0
- package/frontend/dist/locales/en/sidebar.json +27 -0
- package/frontend/dist/locales/en/tasks.json +62 -0
- package/frontend/dist/locales/en/visual-editor.json +219 -0
- package/frontend/dist/locales/en/websocket.json +86 -0
- package/frontend/dist/locales/ru/admin.json +100 -0
- package/frontend/dist/locales/ru/api-keys.json +58 -0
- package/frontend/dist/locales/ru/bots.json +110 -0
- package/frontend/dist/locales/ru/common.json +49 -0
- package/frontend/dist/locales/ru/configuration.json +22 -0
- package/frontend/dist/locales/ru/console.json +10 -0
- package/frontend/dist/locales/ru/dashboard.json +85 -0
- package/frontend/dist/locales/ru/dialogs.json +70 -0
- package/frontend/dist/locales/ru/event-graphs.json +50 -0
- package/frontend/dist/locales/ru/graph-store.json +70 -0
- package/frontend/dist/locales/ru/login.json +34 -0
- package/frontend/dist/locales/ru/management.json +114 -0
- package/frontend/dist/locales/ru/minecraft-viewer.json +27 -0
- package/frontend/dist/locales/ru/nodes.json +1077 -0
- package/frontend/dist/locales/ru/permissions.json +50 -0
- package/frontend/dist/locales/ru/plugin-detail.json +49 -0
- package/frontend/dist/locales/ru/plugins.json +110 -0
- package/frontend/dist/locales/ru/proxies.json +81 -0
- package/frontend/dist/locales/ru/servers.json +39 -0
- package/frontend/dist/locales/ru/setup.json +17 -0
- package/frontend/dist/locales/ru/sidebar.json +27 -0
- package/frontend/dist/locales/ru/tasks.json +62 -0
- package/frontend/dist/locales/ru/visual-editor.json +221 -0
- package/frontend/dist/locales/ru/websocket.json +86 -0
- package/frontend/dist/monacoeditorwork/css.worker.bundle.js +7 -7
- package/frontend/dist/monacoeditorwork/html.worker.bundle.js +7 -7
- package/frontend/dist/monacoeditorwork/json.worker.bundle.js +7 -7
- package/frontend/dist/monacoeditorwork/ts.worker.bundle.js +3 -3
- package/frontend/package.json +4 -0
- package/package.json +1 -1
- package/screen/3dviewer.png +0 -0
- package/screen/console.png +0 -0
- package/screen/dashboard.png +0 -0
- package/screen/graph_collabe.png +0 -0
- package/screen/graph_live_debug.png +0 -0
- package/screen/language_selector.png +0 -0
- package/screen/management_command.png +0 -0
- package/screen/node_debug_trace.png +0 -0
- package/screen/plugin_/320/276/320/261/320/267/320/276/321/200.png +0 -0
- package/screen/websocket.png +0 -0
- package/screen//320/275/320/260/321/201/321/202/321/200/320/276/320/271/320/272/320/270_/320/276/321/202/320/264/320/265/320/273/321/214/320/275/321/213/321/205_/320/272/320/276/320/274/320/260/320/275/320/264_/320/272/320/260/320/266/320/264/321/203_/320/272/320/276/320/274/320/260/320/275/320/273/320/264/321/203_/320/274/320/276/320/266/320/275/320/276_/320/275/320/260/321/201/321/202/321/200/320/260/320/270/320/262/320/260/321/202/321/214.png +0 -0
- package/screen//320/277/320/273/320/260/320/275/320/270/321/200/320/276/320/262/321/211/320/270/320/272_/320/274/320/276/320/266/320/275/320/276_/320/267/320/260/320/264/320/260/320/262/320/260/321/202/321/214_/320/264/320/265/320/271/321/201/321/202/320/262/320/270/321/217_/320/277/320/276_/320/262/321/200/320/265/320/274/320/265/320/275/320/270.png +0 -0
- package/.claude/agents/README.md +0 -469
- package/.claude/agents/auth-route-debugger.md +0 -118
- package/.claude/agents/auth-route-tester.md +0 -93
- package/.claude/agents/auto-error-resolver.md +0 -97
- package/.claude/agents/build-optimizer.md +0 -236
- package/.claude/agents/code-architect.md +0 -34
- package/.claude/agents/code-architecture-reviewer.md +0 -83
- package/.claude/agents/code-explorer.md +0 -51
- package/.claude/agents/code-refactor-master.md +0 -94
- package/.claude/agents/code-reviewer.md +0 -46
- package/.claude/agents/cost-optimizer.md +0 -134
- package/.claude/agents/deployment-orchestrator.md +0 -113
- package/.claude/agents/documentation-architect.md +0 -82
- package/.claude/agents/frontend-error-fixer.md +0 -77
- package/.claude/agents/iac-code-generator.md +0 -71
- package/.claude/agents/incident-responder.md +0 -346
- package/.claude/agents/infrastructure-architect.md +0 -31
- package/.claude/agents/kubernetes-specialist.md +0 -56
- package/.claude/agents/migration-planner.md +0 -181
- package/.claude/agents/network-architect.md +0 -196
- package/.claude/agents/plan-reviewer.md +0 -52
- package/.claude/agents/refactor-planner.md +0 -63
- package/.claude/agents/security-scanner.md +0 -102
- package/.claude/agents/web-research-specialist.md +0 -78
- package/.claude/commands/cost-analysis.md +0 -315
- package/.claude/commands/dev-docs-update.md +0 -55
- package/.claude/commands/dev-docs.md +0 -51
- package/.claude/commands/feature-dev.md +0 -125
- package/.claude/commands/incident-debug.md +0 -247
- package/.claude/commands/infra-plan.md +0 -81
- package/.claude/commands/migration-plan.md +0 -478
- package/.claude/commands/route-research-for-testing.md +0 -37
- package/.claude/commands/security-review.md +0 -66
- package/.claude/hooks/CONFIG.md +0 -448
- package/.claude/hooks/README.md +0 -163
- package/.claude/hooks/SKILL_ACTIVATION_COMPLETE.md +0 -226
- package/.claude/hooks/WINDOWS_HOOKS_README.md +0 -151
- package/.claude/hooks/add-skill-activation-banners.ts +0 -132
- package/.claude/hooks/comprehensive-skill-test.ts +0 -1315
- package/.claude/hooks/error-handling-reminder.sh +0 -12
- package/.claude/hooks/error-handling-reminder.ts +0 -222
- package/.claude/hooks/k8s-manifest-validator.sh +0 -56
- package/.claude/hooks/package-lock.json +0 -556
- package/.claude/hooks/package.json +0 -16
- package/.claude/hooks/post-tool-use-tracker.ps1 +0 -174
- package/.claude/hooks/post-tool-use-tracker.sh +0 -183
- package/.claude/hooks/security-policy-check.sh +0 -247
- package/.claude/hooks/skill-activation-prompt.ps1 +0 -10
- package/.claude/hooks/skill-activation-prompt.sh +0 -10
- package/.claude/hooks/skill-activation-prompt.ts +0 -141
- package/.claude/hooks/stop-build-check-enhanced.sh +0 -130
- package/.claude/hooks/terraform-validator.sh +0 -53
- package/.claude/hooks/test-input.json +0 -7
- package/.claude/hooks/test-skill-activation.ts +0 -427
- package/.claude/hooks/trigger-build-resolver.sh +0 -79
- package/.claude/hooks/tsc-check.sh +0 -173
- package/.claude/hooks/tsconfig.json +0 -19
- package/.claude/settings.json +0 -59
- package/.claude/settings.local.json +0 -67
- package/.claude/skills/README.md +0 -507
- package/.claude/skills/api-engineering/SKILL.md +0 -63
- package/.claude/skills/api-engineering/resources/api-versioning.md +0 -88
- package/.claude/skills/api-engineering/resources/graphql-patterns.md +0 -106
- package/.claude/skills/api-engineering/resources/rate-limiting.md +0 -118
- package/.claude/skills/api-engineering/resources/rest-api-design.md +0 -105
- package/.claude/skills/backend-dev-guidelines/SKILL.md +0 -306
- package/.claude/skills/backend-dev-guidelines/resources/architecture-overview.md +0 -451
- package/.claude/skills/backend-dev-guidelines/resources/async-and-errors.md +0 -307
- package/.claude/skills/backend-dev-guidelines/resources/complete-examples.md +0 -638
- package/.claude/skills/backend-dev-guidelines/resources/configuration.md +0 -275
- package/.claude/skills/backend-dev-guidelines/resources/database-patterns.md +0 -224
- package/.claude/skills/backend-dev-guidelines/resources/middleware-guide.md +0 -213
- package/.claude/skills/backend-dev-guidelines/resources/routing-and-controllers.md +0 -756
- package/.claude/skills/backend-dev-guidelines/resources/sentry-and-monitoring.md +0 -336
- package/.claude/skills/backend-dev-guidelines/resources/services-and-repositories.md +0 -789
- package/.claude/skills/backend-dev-guidelines/resources/testing-guide.md +0 -235
- package/.claude/skills/backend-dev-guidelines/resources/validation-patterns.md +0 -754
- package/.claude/skills/budget-and-cost-management/SKILL.md +0 -850
- package/.claude/skills/build-engineering/SKILL.md +0 -431
- package/.claude/skills/build-engineering/resources/artifact-repositories.md +0 -72
- package/.claude/skills/build-engineering/resources/build-caching.md +0 -96
- package/.claude/skills/build-engineering/resources/build-pipelines.md +0 -105
- package/.claude/skills/build-engineering/resources/build-security.md +0 -95
- package/.claude/skills/build-engineering/resources/build-systems.md +0 -389
- package/.claude/skills/build-engineering/resources/compilation-optimization.md +0 -201
- package/.claude/skills/build-engineering/resources/dependency-management.md +0 -73
- package/.claude/skills/build-engineering/resources/monorepo-builds.md +0 -110
- package/.claude/skills/build-engineering/resources/performance-optimization.md +0 -113
- package/.claude/skills/build-engineering/resources/reproducible-builds.md +0 -82
- package/.claude/skills/cloud-engineering/SKILL.md +0 -675
- package/.claude/skills/cloud-engineering/resources/aws-patterns.md +0 -742
- package/.claude/skills/cloud-engineering/resources/azure-patterns.md +0 -714
- package/.claude/skills/cloud-engineering/resources/cleared-cloud-environments.md +0 -987
- package/.claude/skills/cloud-engineering/resources/cloud-cost-optimization.md +0 -757
- package/.claude/skills/cloud-engineering/resources/cloud-networking.md +0 -1058
- package/.claude/skills/cloud-engineering/resources/cloud-security-tools.md +0 -1530
- package/.claude/skills/cloud-engineering/resources/cloud-security.md +0 -990
- package/.claude/skills/cloud-engineering/resources/gcp-patterns.md +0 -758
- package/.claude/skills/cloud-engineering/resources/migration-strategies.md +0 -820
- package/.claude/skills/cloud-engineering/resources/multi-cloud-strategies.md +0 -670
- package/.claude/skills/cloud-engineering/resources/oci-patterns.md +0 -1198
- package/.claude/skills/cloud-engineering/resources/serverless-patterns.md +0 -795
- package/.claude/skills/cloud-engineering/resources/well-architected-frameworks.md +0 -966
- package/.claude/skills/cybersecurity/SKILL.md +0 -409
- package/.claude/skills/cybersecurity/resources/security-architecture.md +0 -266
- package/.claude/skills/database-engineering/SKILL.md +0 -61
- package/.claude/skills/database-engineering/resources/backup-and-recovery.md +0 -72
- package/.claude/skills/database-engineering/resources/database-replication.md +0 -63
- package/.claude/skills/database-engineering/resources/postgresql-fundamentals.md +0 -70
- package/.claude/skills/database-engineering/resources/query-optimization.md +0 -68
- package/.claude/skills/devsecops/SKILL.md +0 -374
- package/.claude/skills/devsecops/resources/ci-cd-security.md +0 -204
- package/.claude/skills/devsecops/resources/compliance-automation.md +0 -530
- package/.claude/skills/devsecops/resources/compliance-frameworks.md +0 -2322
- package/.claude/skills/devsecops/resources/container-security.md +0 -915
- package/.claude/skills/devsecops/resources/cspm-integration.md +0 -1440
- package/.claude/skills/devsecops/resources/policy-enforcement.md +0 -619
- package/.claude/skills/devsecops/resources/secrets-management.md +0 -755
- package/.claude/skills/devsecops/resources/security-monitoring.md +0 -146
- package/.claude/skills/devsecops/resources/security-scanning.md +0 -887
- package/.claude/skills/devsecops/resources/security-testing.md +0 -203
- package/.claude/skills/devsecops/resources/supply-chain-security.md +0 -518
- package/.claude/skills/devsecops/resources/vulnerability-management.md +0 -481
- package/.claude/skills/devsecops/resources/zero-trust-architecture.md +0 -177
- package/.claude/skills/documentation-as-code/SKILL.md +0 -323
- package/.claude/skills/documentation-as-code/resources/api-documentation.md +0 -90
- package/.claude/skills/documentation-as-code/resources/changelog-management.md +0 -79
- package/.claude/skills/documentation-as-code/resources/diagram-generation.md +0 -44
- package/.claude/skills/documentation-as-code/resources/docs-as-code-workflow.md +0 -99
- package/.claude/skills/documentation-as-code/resources/documentation-automation.md +0 -68
- package/.claude/skills/documentation-as-code/resources/documentation-sites.md +0 -79
- package/.claude/skills/documentation-as-code/resources/markdown-best-practices.md +0 -162
- package/.claude/skills/documentation-as-code/resources/openapi-specification.md +0 -77
- package/.claude/skills/documentation-as-code/resources/readme-engineering.md +0 -60
- package/.claude/skills/documentation-as-code/resources/technical-writing-guide.md +0 -202
- package/.claude/skills/engineering-management/SKILL.md +0 -356
- package/.claude/skills/engineering-management/resources/career-ladders.md +0 -609
- package/.claude/skills/engineering-management/resources/hiring-and-assessment.md +0 -555
- package/.claude/skills/engineering-management/resources/one-on-one-guides.md +0 -609
- package/.claude/skills/engineering-management/resources/resource-planning.md +0 -557
- package/.claude/skills/engineering-management/resources/team-organization-patterns.md +0 -491
- package/.claude/skills/engineering-management/resources/technical-interviews.md +0 -474
- package/.claude/skills/engineering-operations-management/SKILL.md +0 -817
- package/.claude/skills/error-tracking/SKILL.md +0 -379
- package/.claude/skills/frontend-design/SKILL.md +0 -42
- package/.claude/skills/frontend-dev-guidelines/SKILL.md +0 -403
- package/.claude/skills/frontend-dev-guidelines/resources/common-patterns.md +0 -331
- package/.claude/skills/frontend-dev-guidelines/resources/complete-examples.md +0 -872
- package/.claude/skills/frontend-dev-guidelines/resources/component-patterns.md +0 -502
- package/.claude/skills/frontend-dev-guidelines/resources/data-fetching.md +0 -767
- package/.claude/skills/frontend-dev-guidelines/resources/file-organization.md +0 -502
- package/.claude/skills/frontend-dev-guidelines/resources/loading-and-error-states.md +0 -501
- package/.claude/skills/frontend-dev-guidelines/resources/performance.md +0 -406
- package/.claude/skills/frontend-dev-guidelines/resources/routing-guide.md +0 -364
- package/.claude/skills/frontend-dev-guidelines/resources/styling-guide.md +0 -428
- package/.claude/skills/frontend-dev-guidelines/resources/typescript-standards.md +0 -418
- package/.claude/skills/general-it-engineering/SKILL.md +0 -393
- package/.claude/skills/general-it-engineering/resources/asset-management.md +0 -712
- package/.claude/skills/general-it-engineering/resources/automation-orchestration.md +0 -817
- package/.claude/skills/general-it-engineering/resources/business-continuity.md +0 -786
- package/.claude/skills/general-it-engineering/resources/change-management.md +0 -715
- package/.claude/skills/general-it-engineering/resources/enterprise-monitoring.md +0 -729
- package/.claude/skills/general-it-engineering/resources/help-desk-operations.md +0 -738
- package/.claude/skills/general-it-engineering/resources/incident-service-management.md +0 -834
- package/.claude/skills/general-it-engineering/resources/it-governance.md +0 -753
- package/.claude/skills/general-it-engineering/resources/itil-framework.md +0 -503
- package/.claude/skills/general-it-engineering/resources/service-management.md +0 -669
- package/.claude/skills/infrastructure-architecture/SKILL.md +0 -328
- package/.claude/skills/infrastructure-architecture/resources/architecture-decision-records.md +0 -505
- package/.claude/skills/infrastructure-architecture/resources/architecture-patterns.md +0 -528
- package/.claude/skills/infrastructure-architecture/resources/capacity-planning.md +0 -453
- package/.claude/skills/infrastructure-architecture/resources/cleared-environment-architecture.md +0 -773
- package/.claude/skills/infrastructure-architecture/resources/cost-architecture.md +0 -499
- package/.claude/skills/infrastructure-architecture/resources/data-architecture.md +0 -501
- package/.claude/skills/infrastructure-architecture/resources/disaster-recovery.md +0 -535
- package/.claude/skills/infrastructure-architecture/resources/migration-architecture.md +0 -512
- package/.claude/skills/infrastructure-architecture/resources/multi-region-design.md +0 -608
- package/.claude/skills/infrastructure-architecture/resources/reference-architectures.md +0 -562
- package/.claude/skills/infrastructure-architecture/resources/security-architecture.md +0 -538
- package/.claude/skills/infrastructure-architecture/resources/system-design-principles.md +0 -489
- package/.claude/skills/infrastructure-architecture/resources/workload-classification.md +0 -1000
- package/.claude/skills/infrastructure-strategy/SKILL.md +0 -924
- package/.claude/skills/network-engineering/SKILL.md +0 -385
- package/.claude/skills/network-engineering/resources/dns-management.md +0 -738
- package/.claude/skills/network-engineering/resources/load-balancing.md +0 -820
- package/.claude/skills/network-engineering/resources/network-architecture.md +0 -546
- package/.claude/skills/network-engineering/resources/network-security.md +0 -921
- package/.claude/skills/network-engineering/resources/network-troubleshooting.md +0 -749
- package/.claude/skills/network-engineering/resources/routing-switching.md +0 -373
- package/.claude/skills/network-engineering/resources/sdn-networking.md +0 -695
- package/.claude/skills/network-engineering/resources/service-mesh-networking.md +0 -777
- package/.claude/skills/network-engineering/resources/tcp-ip-protocols.md +0 -444
- package/.claude/skills/network-engineering/resources/vpn-connectivity.md +0 -672
- package/.claude/skills/node-development/SKILL.md +0 -317
- package/.claude/skills/observability-engineering/SKILL.md +0 -101
- package/.claude/skills/observability-engineering/resources/apm-tools.md +0 -97
- package/.claude/skills/observability-engineering/resources/correlation-strategies.md +0 -87
- package/.claude/skills/observability-engineering/resources/distributed-tracing.md +0 -98
- package/.claude/skills/observability-engineering/resources/logs-aggregation.md +0 -118
- package/.claude/skills/observability-engineering/resources/observability-cost-optimization.md +0 -141
- package/.claude/skills/observability-engineering/resources/opentelemetry.md +0 -110
- package/.claude/skills/platform-engineering/SKILL.md +0 -555
- package/.claude/skills/platform-engineering/resources/architecture-overview.md +0 -600
- package/.claude/skills/platform-engineering/resources/container-orchestration.md +0 -916
- package/.claude/skills/platform-engineering/resources/cost-optimization.md +0 -634
- package/.claude/skills/platform-engineering/resources/developer-platforms.md +0 -670
- package/.claude/skills/platform-engineering/resources/gitops-automation.md +0 -650
- package/.claude/skills/platform-engineering/resources/infrastructure-as-code.md +0 -778
- package/.claude/skills/platform-engineering/resources/infrastructure-standards.md +0 -708
- package/.claude/skills/platform-engineering/resources/multi-tenancy.md +0 -602
- package/.claude/skills/platform-engineering/resources/platform-security.md +0 -711
- package/.claude/skills/platform-engineering/resources/resource-management.md +0 -592
- package/.claude/skills/platform-engineering/resources/service-mesh.md +0 -628
- package/.claude/skills/release-engineering/SKILL.md +0 -393
- package/.claude/skills/release-engineering/resources/artifact-management.md +0 -108
- package/.claude/skills/release-engineering/resources/build-optimization.md +0 -84
- package/.claude/skills/release-engineering/resources/ci-cd-pipelines.md +0 -411
- package/.claude/skills/release-engineering/resources/deployment-strategies.md +0 -197
- package/.claude/skills/release-engineering/resources/pipeline-security.md +0 -62
- package/.claude/skills/release-engineering/resources/progressive-delivery.md +0 -83
- package/.claude/skills/release-engineering/resources/release-automation.md +0 -68
- package/.claude/skills/release-engineering/resources/release-orchestration.md +0 -77
- package/.claude/skills/release-engineering/resources/rollback-strategies.md +0 -66
- package/.claude/skills/release-engineering/resources/versioning-strategies.md +0 -59
- package/.claude/skills/route-tester/SKILL.md +0 -392
- package/.claude/skills/skill-developer/ADVANCED.md +0 -197
- package/.claude/skills/skill-developer/HOOK_MECHANISMS.md +0 -306
- package/.claude/skills/skill-developer/PATTERNS_LIBRARY.md +0 -152
- package/.claude/skills/skill-developer/SKILL.md +0 -430
- package/.claude/skills/skill-developer/SKILL_RULES_REFERENCE.md +0 -315
- package/.claude/skills/skill-developer/TRIGGER_TYPES.md +0 -305
- package/.claude/skills/skill-developer/TROUBLESHOOTING.md +0 -514
- package/.claude/skills/skill-rules.json +0 -2989
- package/.claude/skills/sre/SKILL.md +0 -464
- package/.claude/skills/sre/resources/alerting-best-practices.md +0 -282
- package/.claude/skills/sre/resources/capacity-planning.md +0 -226
- package/.claude/skills/sre/resources/chaos-engineering.md +0 -193
- package/.claude/skills/sre/resources/disaster-recovery.md +0 -232
- package/.claude/skills/sre/resources/incident-management.md +0 -436
- package/.claude/skills/sre/resources/observability-stack.md +0 -240
- package/.claude/skills/sre/resources/on-call-runbooks.md +0 -167
- package/.claude/skills/sre/resources/performance-optimization.md +0 -108
- package/.claude/skills/sre/resources/reliability-patterns.md +0 -183
- package/.claude/skills/sre/resources/slo-sli-sla.md +0 -464
- package/.claude/skills/sre/resources/toil-reduction.md +0 -145
- package/.claude/skills/systems-engineering/SKILL.md +0 -648
- package/.claude/skills/systems-engineering/resources/automation-patterns.md +0 -771
- package/.claude/skills/systems-engineering/resources/configuration-management.md +0 -998
- package/.claude/skills/systems-engineering/resources/linux-administration.md +0 -672
- package/.claude/skills/systems-engineering/resources/networking-fundamentals.md +0 -982
- package/.claude/skills/systems-engineering/resources/performance-tuning.md +0 -871
- package/.claude/skills/systems-engineering/resources/powershell-scripting.md +0 -482
- package/.claude/skills/systems-engineering/resources/security-hardening.md +0 -739
- package/.claude/skills/systems-engineering/resources/shell-scripting.md +0 -915
- package/.claude/skills/systems-engineering/resources/storage-management.md +0 -628
- package/.claude/skills/systems-engineering/resources/system-monitoring.md +0 -787
- package/.claude/skills/systems-engineering/resources/troubleshooting-guide.md +0 -753
- package/.claude/skills/systems-engineering/resources/windows-administration.md +0 -738
- package/.claude/skills/technical-leadership/SKILL.md +0 -728
- package/backend/docs/SECRETS_DOCUMENTATION.md +0 -327
- package/frontend/dist/assets/index-BC-NbKXi.css +0 -32
- package/frontend/dist/assets/index-DqJXZMHY.js +0 -11266
|
@@ -1,711 +0,0 @@
|
|
|
1
|
-
# Platform Security
|
|
2
|
-
|
|
3
|
-
Pod security standards, network policies, secrets management, vulnerability scanning, runtime security, and security best practices for Kubernetes platforms.
|
|
4
|
-
|
|
5
|
-
## Table of Contents
|
|
6
|
-
|
|
7
|
-
- [Pod Security Standards](#pod-security-standards)
|
|
8
|
-
- [Network Security](#network-security)
|
|
9
|
-
- [Secrets Management](#secrets-management)
|
|
10
|
-
- [Image Security](#image-security)
|
|
11
|
-
- [Runtime Security](#runtime-security)
|
|
12
|
-
- [Access Control](#access-control)
|
|
13
|
-
- [Security Monitoring](#security-monitoring)
|
|
14
|
-
- [Best Practices](#best-practices)
|
|
15
|
-
|
|
16
|
-
## Pod Security Standards
|
|
17
|
-
|
|
18
|
-
### Privileged Policy (Least Restrictive)
|
|
19
|
-
|
|
20
|
-
```yaml
|
|
21
|
-
# Allow all - NOT RECOMMENDED for production
|
|
22
|
-
apiVersion: v1
|
|
23
|
-
kind: Namespace
|
|
24
|
-
metadata:
|
|
25
|
-
name: system
|
|
26
|
-
labels:
|
|
27
|
-
pod-security.kubernetes.io/enforce: privileged
|
|
28
|
-
```
|
|
29
|
-
|
|
30
|
-
### Baseline Policy (Minimally Restrictive)
|
|
31
|
-
|
|
32
|
-
```yaml
|
|
33
|
-
# Prevent known privilege escalations
|
|
34
|
-
apiVersion: v1
|
|
35
|
-
kind: Namespace
|
|
36
|
-
metadata:
|
|
37
|
-
name: staging
|
|
38
|
-
labels:
|
|
39
|
-
pod-security.kubernetes.io/enforce: baseline
|
|
40
|
-
pod-security.kubernetes.io/audit: restricted
|
|
41
|
-
pod-security.kubernetes.io/warn: restricted
|
|
42
|
-
```
|
|
43
|
-
|
|
44
|
-
### Restricted Policy (Most Secure - Production)
|
|
45
|
-
|
|
46
|
-
```yaml
|
|
47
|
-
# Enforce hardening best practices
|
|
48
|
-
apiVersion: v1
|
|
49
|
-
kind: Namespace
|
|
50
|
-
metadata:
|
|
51
|
-
name: production
|
|
52
|
-
labels:
|
|
53
|
-
pod-security.kubernetes.io/enforce: restricted
|
|
54
|
-
pod-security.kubernetes.io/audit: restricted
|
|
55
|
-
pod-security.kubernetes.io/warn: restricted
|
|
56
|
-
```
|
|
57
|
-
|
|
58
|
-
**Compliant Pod:**
|
|
59
|
-
```yaml
|
|
60
|
-
apiVersion: v1
|
|
61
|
-
kind: Pod
|
|
62
|
-
metadata:
|
|
63
|
-
name: secure-app
|
|
64
|
-
namespace: production
|
|
65
|
-
spec:
|
|
66
|
-
# Pod-level security
|
|
67
|
-
securityContext:
|
|
68
|
-
runAsNonRoot: true
|
|
69
|
-
runAsUser: 1000
|
|
70
|
-
runAsGroup: 1000
|
|
71
|
-
fsGroup: 1000
|
|
72
|
-
seccompProfile:
|
|
73
|
-
type: RuntimeDefault
|
|
74
|
-
supplementalGroups: [1000]
|
|
75
|
-
|
|
76
|
-
# Service account (not default)
|
|
77
|
-
serviceAccountName: app-service-account
|
|
78
|
-
automountServiceAccountToken: false
|
|
79
|
-
|
|
80
|
-
containers:
|
|
81
|
-
- name: app
|
|
82
|
-
image: app:1.0
|
|
83
|
-
imagePullPolicy: Always
|
|
84
|
-
|
|
85
|
-
# Container-level security
|
|
86
|
-
securityContext:
|
|
87
|
-
allowPrivilegeEscalation: false
|
|
88
|
-
readOnlyRootFilesystem: true
|
|
89
|
-
runAsNonRoot: true
|
|
90
|
-
runAsUser: 1000
|
|
91
|
-
capabilities:
|
|
92
|
-
drop:
|
|
93
|
-
- ALL
|
|
94
|
-
|
|
95
|
-
# Resource limits (required)
|
|
96
|
-
resources:
|
|
97
|
-
requests:
|
|
98
|
-
memory: "128Mi"
|
|
99
|
-
cpu: "100m"
|
|
100
|
-
limits:
|
|
101
|
-
memory: "256Mi"
|
|
102
|
-
cpu: "500m"
|
|
103
|
-
|
|
104
|
-
# Writable volumes
|
|
105
|
-
volumeMounts:
|
|
106
|
-
- name: tmp
|
|
107
|
-
mountPath: /tmp
|
|
108
|
-
- name: cache
|
|
109
|
-
mountPath: /app/cache
|
|
110
|
-
|
|
111
|
-
volumes:
|
|
112
|
-
- name: tmp
|
|
113
|
-
emptyDir: {}
|
|
114
|
-
- name: cache
|
|
115
|
-
emptyDir: {}
|
|
116
|
-
```
|
|
117
|
-
|
|
118
|
-
## Network Security
|
|
119
|
-
|
|
120
|
-
### Default Deny All Traffic
|
|
121
|
-
|
|
122
|
-
```yaml
|
|
123
|
-
# Block all ingress and egress by default
|
|
124
|
-
apiVersion: networking.k8s.io/v1
|
|
125
|
-
kind: NetworkPolicy
|
|
126
|
-
metadata:
|
|
127
|
-
name: default-deny-all
|
|
128
|
-
namespace: production
|
|
129
|
-
spec:
|
|
130
|
-
podSelector: {}
|
|
131
|
-
policyTypes:
|
|
132
|
-
- Ingress
|
|
133
|
-
- Egress
|
|
134
|
-
```
|
|
135
|
-
|
|
136
|
-
### Allow DNS Only
|
|
137
|
-
|
|
138
|
-
```yaml
|
|
139
|
-
apiVersion: networking.k8s.io/v1
|
|
140
|
-
kind: NetworkPolicy
|
|
141
|
-
metadata:
|
|
142
|
-
name: allow-dns-access
|
|
143
|
-
namespace: production
|
|
144
|
-
spec:
|
|
145
|
-
podSelector: {}
|
|
146
|
-
policyTypes:
|
|
147
|
-
- Egress
|
|
148
|
-
egress:
|
|
149
|
-
# Allow DNS queries
|
|
150
|
-
- to:
|
|
151
|
-
- namespaceSelector:
|
|
152
|
-
matchLabels:
|
|
153
|
-
name: kube-system
|
|
154
|
-
ports:
|
|
155
|
-
- protocol: UDP
|
|
156
|
-
port: 53
|
|
157
|
-
- protocol: TCP
|
|
158
|
-
port: 53
|
|
159
|
-
```
|
|
160
|
-
|
|
161
|
-
### Microsegmentation
|
|
162
|
-
|
|
163
|
-
```yaml
|
|
164
|
-
# API service can only talk to database
|
|
165
|
-
apiVersion: networking.k8s.io/v1
|
|
166
|
-
kind: NetworkPolicy
|
|
167
|
-
metadata:
|
|
168
|
-
name: api-to-database
|
|
169
|
-
namespace: production
|
|
170
|
-
spec:
|
|
171
|
-
podSelector:
|
|
172
|
-
matchLabels:
|
|
173
|
-
app: api-service
|
|
174
|
-
policyTypes:
|
|
175
|
-
- Egress
|
|
176
|
-
egress:
|
|
177
|
-
# Allow DNS
|
|
178
|
-
- to:
|
|
179
|
-
- namespaceSelector:
|
|
180
|
-
matchLabels:
|
|
181
|
-
name: kube-system
|
|
182
|
-
ports:
|
|
183
|
-
- protocol: UDP
|
|
184
|
-
port: 53
|
|
185
|
-
|
|
186
|
-
# Allow database access
|
|
187
|
-
- to:
|
|
188
|
-
- podSelector:
|
|
189
|
-
matchLabels:
|
|
190
|
-
app: postgres
|
|
191
|
-
ports:
|
|
192
|
-
- protocol: TCP
|
|
193
|
-
port: 5432
|
|
194
|
-
|
|
195
|
-
# Allow external HTTPS (if needed)
|
|
196
|
-
- to:
|
|
197
|
-
- namespaceSelector: {}
|
|
198
|
-
ports:
|
|
199
|
-
- protocol: TCP
|
|
200
|
-
port: 443
|
|
201
|
-
```
|
|
202
|
-
|
|
203
|
-
### Ingress Controls
|
|
204
|
-
|
|
205
|
-
```yaml
|
|
206
|
-
# Only allow traffic from ingress controller
|
|
207
|
-
apiVersion: networking.k8s.io/v1
|
|
208
|
-
kind: NetworkPolicy
|
|
209
|
-
metadata:
|
|
210
|
-
name: allow-from-ingress
|
|
211
|
-
namespace: production
|
|
212
|
-
spec:
|
|
213
|
-
podSelector:
|
|
214
|
-
matchLabels:
|
|
215
|
-
app: frontend
|
|
216
|
-
policyTypes:
|
|
217
|
-
- Ingress
|
|
218
|
-
ingress:
|
|
219
|
-
- from:
|
|
220
|
-
- namespaceSelector:
|
|
221
|
-
matchLabels:
|
|
222
|
-
name: ingress-nginx
|
|
223
|
-
- podSelector:
|
|
224
|
-
matchLabels:
|
|
225
|
-
app.kubernetes.io/name: ingress-nginx
|
|
226
|
-
ports:
|
|
227
|
-
- protocol: TCP
|
|
228
|
-
port: 8080
|
|
229
|
-
```
|
|
230
|
-
|
|
231
|
-
## Secrets Management
|
|
232
|
-
|
|
233
|
-
### Kubernetes Secrets (Encrypted at Rest)
|
|
234
|
-
|
|
235
|
-
```yaml
|
|
236
|
-
# Enable encryption at rest (kube-apiserver flag)
|
|
237
|
-
--encryption-provider-config=/etc/kubernetes/encryption-config.yaml
|
|
238
|
-
|
|
239
|
-
# encryption-config.yaml
|
|
240
|
-
apiVersion: apiserver.config.k8s.io/v1
|
|
241
|
-
kind: EncryptionConfiguration
|
|
242
|
-
resources:
|
|
243
|
-
- resources:
|
|
244
|
-
- secrets
|
|
245
|
-
providers:
|
|
246
|
-
- aescbc:
|
|
247
|
-
keys:
|
|
248
|
-
- name: key1
|
|
249
|
-
secret: <base64-encoded-32-byte-key>
|
|
250
|
-
- identity: {} # Fallback to plaintext
|
|
251
|
-
```
|
|
252
|
-
|
|
253
|
-
**Create Secret:**
|
|
254
|
-
```bash
|
|
255
|
-
kubectl create secret generic db-credentials \
|
|
256
|
-
--from-literal=username=admin \
|
|
257
|
-
--from-literal=password='super-secret-password' \
|
|
258
|
-
--namespace=production
|
|
259
|
-
```
|
|
260
|
-
|
|
261
|
-
### External Secrets Operator
|
|
262
|
-
|
|
263
|
-
**Install:**
|
|
264
|
-
```bash
|
|
265
|
-
helm repo add external-secrets https://charts.external-secrets.io
|
|
266
|
-
helm install external-secrets \
|
|
267
|
-
external-secrets/external-secrets \
|
|
268
|
-
-n external-secrets-system \
|
|
269
|
-
--create-namespace
|
|
270
|
-
```
|
|
271
|
-
|
|
272
|
-
**AWS Secrets Manager Integration:**
|
|
273
|
-
```yaml
|
|
274
|
-
# SecretStore for AWS Secrets Manager
|
|
275
|
-
apiVersion: external-secrets.io/v1beta1
|
|
276
|
-
kind: SecretStore
|
|
277
|
-
metadata:
|
|
278
|
-
name: aws-secrets-manager
|
|
279
|
-
namespace: production
|
|
280
|
-
spec:
|
|
281
|
-
provider:
|
|
282
|
-
aws:
|
|
283
|
-
service: SecretsManager
|
|
284
|
-
region: us-east-1
|
|
285
|
-
auth:
|
|
286
|
-
jwt:
|
|
287
|
-
serviceAccountRef:
|
|
288
|
-
name: external-secrets-sa
|
|
289
|
-
|
|
290
|
-
---
|
|
291
|
-
# External Secret
|
|
292
|
-
apiVersion: external-secrets.io/v1beta1
|
|
293
|
-
kind: ExternalSecret
|
|
294
|
-
metadata:
|
|
295
|
-
name: database-credentials
|
|
296
|
-
namespace: production
|
|
297
|
-
spec:
|
|
298
|
-
refreshInterval: 1h
|
|
299
|
-
secretStoreRef:
|
|
300
|
-
name: aws-secrets-manager
|
|
301
|
-
kind: SecretStore
|
|
302
|
-
|
|
303
|
-
target:
|
|
304
|
-
name: database-credentials
|
|
305
|
-
creationPolicy: Owner
|
|
306
|
-
|
|
307
|
-
data:
|
|
308
|
-
- secretKey: username
|
|
309
|
-
remoteRef:
|
|
310
|
-
key: prod/database/username
|
|
311
|
-
|
|
312
|
-
- secretKey: password
|
|
313
|
-
remoteRef:
|
|
314
|
-
key: prod/database/password
|
|
315
|
-
|
|
316
|
-
- secretKey: connection-string
|
|
317
|
-
remoteRef:
|
|
318
|
-
key: prod/database/connection-string
|
|
319
|
-
```
|
|
320
|
-
|
|
321
|
-
**HashiCorp Vault Integration:**
|
|
322
|
-
```yaml
|
|
323
|
-
apiVersion: external-secrets.io/v1beta1
|
|
324
|
-
kind: SecretStore
|
|
325
|
-
metadata:
|
|
326
|
-
name: vault-backend
|
|
327
|
-
namespace: production
|
|
328
|
-
spec:
|
|
329
|
-
provider:
|
|
330
|
-
vault:
|
|
331
|
-
server: "https://vault.company.com"
|
|
332
|
-
path: "secret"
|
|
333
|
-
version: "v2"
|
|
334
|
-
auth:
|
|
335
|
-
kubernetes:
|
|
336
|
-
mountPath: "kubernetes"
|
|
337
|
-
role: "external-secrets"
|
|
338
|
-
serviceAccountRef:
|
|
339
|
-
name: external-secrets-sa
|
|
340
|
-
```
|
|
341
|
-
|
|
342
|
-
### Sealed Secrets
|
|
343
|
-
|
|
344
|
-
```bash
|
|
345
|
-
# Install sealed-secrets controller
|
|
346
|
-
kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
|
|
347
|
-
|
|
348
|
-
# Install kubeseal CLI
|
|
349
|
-
brew install kubeseal
|
|
350
|
-
|
|
351
|
-
# Create sealed secret
|
|
352
|
-
echo -n 'super-secret' | kubectl create secret generic db-password \
|
|
353
|
-
--dry-run=client \
|
|
354
|
-
--from-file=password=/dev/stdin \
|
|
355
|
-
-o yaml | \
|
|
356
|
-
kubeseal -o yaml > sealed-secret.yaml
|
|
357
|
-
|
|
358
|
-
# Commit sealed secret to Git (safe to do)
|
|
359
|
-
git add sealed-secret.yaml
|
|
360
|
-
git commit -m "Add database password"
|
|
361
|
-
```
|
|
362
|
-
|
|
363
|
-
## Image Security
|
|
364
|
-
|
|
365
|
-
### Image Scanning with Trivy
|
|
366
|
-
|
|
367
|
-
```yaml
|
|
368
|
-
# Scan image before deployment
|
|
369
|
-
apiVersion: batch/v1
|
|
370
|
-
kind: Job
|
|
371
|
-
metadata:
|
|
372
|
-
name: trivy-scan
|
|
373
|
-
spec:
|
|
374
|
-
template:
|
|
375
|
-
spec:
|
|
376
|
-
containers:
|
|
377
|
-
- name: trivy
|
|
378
|
-
image: aquasec/trivy:latest
|
|
379
|
-
command:
|
|
380
|
-
- trivy
|
|
381
|
-
- image
|
|
382
|
-
- --exit-code
|
|
383
|
-
- "1" # Fail on vulnerabilities
|
|
384
|
-
- --severity
|
|
385
|
-
- CRITICAL,HIGH
|
|
386
|
-
- --no-progress
|
|
387
|
-
- company/api-service:v1.2.3
|
|
388
|
-
restartPolicy: Never
|
|
389
|
-
```
|
|
390
|
-
|
|
391
|
-
**CI/CD Integration:**
|
|
392
|
-
```yaml
|
|
393
|
-
# .github/workflows/security-scan.yaml
|
|
394
|
-
name: Security Scan
|
|
395
|
-
|
|
396
|
-
on: [push]
|
|
397
|
-
|
|
398
|
-
jobs:
|
|
399
|
-
trivy:
|
|
400
|
-
runs-on: ubuntu-latest
|
|
401
|
-
steps:
|
|
402
|
-
- uses: actions/checkout@v3
|
|
403
|
-
|
|
404
|
-
- name: Build image
|
|
405
|
-
run: docker build -t ${{ github.repository }}:${{ github.sha }} .
|
|
406
|
-
|
|
407
|
-
- name: Run Trivy scan
|
|
408
|
-
uses: aquasecurity/trivy-action@master
|
|
409
|
-
with:
|
|
410
|
-
image-ref: ${{ github.repository }}:${{ github.sha }}
|
|
411
|
-
format: 'sarif'
|
|
412
|
-
output: 'trivy-results.sarif'
|
|
413
|
-
severity: 'CRITICAL,HIGH'
|
|
414
|
-
|
|
415
|
-
- name: Upload results
|
|
416
|
-
uses: github/codeql-action/upload-sarif@v2
|
|
417
|
-
with:
|
|
418
|
-
sarif_file: 'trivy-results.sarif'
|
|
419
|
-
```
|
|
420
|
-
|
|
421
|
-
### Image Policy (Kyverno)
|
|
422
|
-
|
|
423
|
-
```yaml
|
|
424
|
-
# Only allow images from trusted registries
|
|
425
|
-
apiVersion: kyverno.io/v1
|
|
426
|
-
kind: ClusterPolicy
|
|
427
|
-
metadata:
|
|
428
|
-
name: restrict-image-registries
|
|
429
|
-
spec:
|
|
430
|
-
validationFailureAction: enforce
|
|
431
|
-
background: false
|
|
432
|
-
rules:
|
|
433
|
-
- name: validate-registries
|
|
434
|
-
match:
|
|
435
|
-
any:
|
|
436
|
-
- resources:
|
|
437
|
-
kinds:
|
|
438
|
-
- Pod
|
|
439
|
-
validate:
|
|
440
|
-
message: "Images must be from approved registries"
|
|
441
|
-
pattern:
|
|
442
|
-
spec:
|
|
443
|
-
containers:
|
|
444
|
-
- image: "registry.company.com/* | ghcr.io/company/*"
|
|
445
|
-
|
|
446
|
-
---
|
|
447
|
-
# Require image digest (not tags)
|
|
448
|
-
apiVersion: kyverno.io/v1
|
|
449
|
-
kind: ClusterPolicy
|
|
450
|
-
metadata:
|
|
451
|
-
name: require-image-digest
|
|
452
|
-
spec:
|
|
453
|
-
validationFailureAction: enforce
|
|
454
|
-
rules:
|
|
455
|
-
- name: check-image-digest
|
|
456
|
-
match:
|
|
457
|
-
any:
|
|
458
|
-
- resources:
|
|
459
|
-
kinds:
|
|
460
|
-
- Pod
|
|
461
|
-
validate:
|
|
462
|
-
message: "Images must use digest (not tags)"
|
|
463
|
-
pattern:
|
|
464
|
-
spec:
|
|
465
|
-
containers:
|
|
466
|
-
- image: "*@sha256:*"
|
|
467
|
-
```
|
|
468
|
-
|
|
469
|
-
### Vulnerability Admission Controller
|
|
470
|
-
|
|
471
|
-
```yaml
|
|
472
|
-
# ImagePolicyWebhook admission controller
|
|
473
|
-
apiVersion: imagepolicy.k8s.io/v1alpha1
|
|
474
|
-
kind: ImageReview
|
|
475
|
-
spec:
|
|
476
|
-
containers:
|
|
477
|
-
- image: company/api-service:v1.2.3
|
|
478
|
-
annotations:
|
|
479
|
-
imagepolicy.k8s.io/policy: restricted
|
|
480
|
-
namespace: production
|
|
481
|
-
```
|
|
482
|
-
|
|
483
|
-
## Runtime Security
|
|
484
|
-
|
|
485
|
-
### Falco Rules
|
|
486
|
-
|
|
487
|
-
```yaml
|
|
488
|
-
# Install Falco
|
|
489
|
-
helm repo add falcosecurity https://falcosecurity.github.io/charts
|
|
490
|
-
helm install falco falcosecurity/falco \
|
|
491
|
-
--namespace falco-system \
|
|
492
|
-
--create-namespace \
|
|
493
|
-
--set driver.kind=ebpf
|
|
494
|
-
|
|
495
|
-
# Custom rules
|
|
496
|
-
# /etc/falco/falco_rules.local.yaml
|
|
497
|
-
- rule: Unauthorized Process in Container
|
|
498
|
-
desc: Detect unexpected process spawned in container
|
|
499
|
-
condition: >
|
|
500
|
-
spawned_process and
|
|
501
|
-
container and
|
|
502
|
-
not proc.name in (node, npm, python, java)
|
|
503
|
-
output: >
|
|
504
|
-
Unexpected process spawned in container
|
|
505
|
-
(user=%user.name command=%proc.cmdline container=%container.name)
|
|
506
|
-
priority: WARNING
|
|
507
|
-
tags: [container, process]
|
|
508
|
-
|
|
509
|
-
- rule: Write to Non-Temp Directory
|
|
510
|
-
desc: Detect writes to non-temporary directories
|
|
511
|
-
condition: >
|
|
512
|
-
open_write and
|
|
513
|
-
container and
|
|
514
|
-
not fd.name pmatch (/tmp/*, /var/tmp/*)
|
|
515
|
-
output: >
|
|
516
|
-
Write to non-temp directory in container
|
|
517
|
-
(user=%user.name file=%fd.name container=%container.name)
|
|
518
|
-
priority: WARNING
|
|
519
|
-
```
|
|
520
|
-
|
|
521
|
-
### AppArmor
|
|
522
|
-
|
|
523
|
-
```yaml
|
|
524
|
-
# Load AppArmor profile
|
|
525
|
-
apiVersion: v1
|
|
526
|
-
kind: Pod
|
|
527
|
-
metadata:
|
|
528
|
-
name: secure-app
|
|
529
|
-
annotations:
|
|
530
|
-
container.apparmor.security.beta.kubernetes.io/app: localhost/k8s-apparmor-example
|
|
531
|
-
spec:
|
|
532
|
-
containers:
|
|
533
|
-
- name: app
|
|
534
|
-
image: app:1.0
|
|
535
|
-
```
|
|
536
|
-
|
|
537
|
-
**AppArmor Profile:**
|
|
538
|
-
```
|
|
539
|
-
#include <tunables/global>
|
|
540
|
-
|
|
541
|
-
profile k8s-apparmor-example flags=(attach_disconnected) {
|
|
542
|
-
#include <abstractions/base>
|
|
543
|
-
|
|
544
|
-
# Allow network access
|
|
545
|
-
network,
|
|
546
|
-
|
|
547
|
-
# Allow reading from /tmp
|
|
548
|
-
/tmp/** r,
|
|
549
|
-
|
|
550
|
-
# Deny everything else by default
|
|
551
|
-
deny /** w,
|
|
552
|
-
}
|
|
553
|
-
```
|
|
554
|
-
|
|
555
|
-
## Access Control
|
|
556
|
-
|
|
557
|
-
### RBAC Least Privilege
|
|
558
|
-
|
|
559
|
-
```yaml
|
|
560
|
-
# Read-only access to pods
|
|
561
|
-
apiVersion: rbac.authorization.k8s.io/v1
|
|
562
|
-
kind: Role
|
|
563
|
-
metadata:
|
|
564
|
-
name: pod-reader
|
|
565
|
-
namespace: production
|
|
566
|
-
rules:
|
|
567
|
-
- apiGroups: [""]
|
|
568
|
-
resources: ["pods", "pods/log"]
|
|
569
|
-
verbs: ["get", "list", "watch"]
|
|
570
|
-
|
|
571
|
-
---
|
|
572
|
-
# Deploy-only access
|
|
573
|
-
apiVersion: rbac.authorization.k8s.io/v1
|
|
574
|
-
kind: Role
|
|
575
|
-
metadata:
|
|
576
|
-
name: deployment-manager
|
|
577
|
-
namespace: production
|
|
578
|
-
rules:
|
|
579
|
-
- apiGroups: ["apps"]
|
|
580
|
-
resources: ["deployments"]
|
|
581
|
-
verbs: ["get", "list", "watch", "update", "patch"]
|
|
582
|
-
- apiGroups: [""]
|
|
583
|
-
resources: ["pods"]
|
|
584
|
-
verbs: ["get", "list"]
|
|
585
|
-
|
|
586
|
-
---
|
|
587
|
-
# Bind to service account
|
|
588
|
-
apiVersion: rbac.authorization.k8s.io/v1
|
|
589
|
-
kind: RoleBinding
|
|
590
|
-
metadata:
|
|
591
|
-
name: ci-deployer
|
|
592
|
-
namespace: production
|
|
593
|
-
subjects:
|
|
594
|
-
- kind: ServiceAccount
|
|
595
|
-
name: github-actions
|
|
596
|
-
namespace: production
|
|
597
|
-
roleRef:
|
|
598
|
-
kind: Role
|
|
599
|
-
name: deployment-manager
|
|
600
|
-
apiGroup: rbac.authorization.k8s.io
|
|
601
|
-
```
|
|
602
|
-
|
|
603
|
-
### Audit Logging
|
|
604
|
-
|
|
605
|
-
```yaml
|
|
606
|
-
# Audit policy
|
|
607
|
-
apiVersion: audit.k8s.io/v1
|
|
608
|
-
kind: Policy
|
|
609
|
-
rules:
|
|
610
|
-
# Log all requests at RequestResponse level
|
|
611
|
-
- level: RequestResponse
|
|
612
|
-
omitStages:
|
|
613
|
-
- RequestReceived
|
|
614
|
-
verbs: ["create", "update", "patch", "delete"]
|
|
615
|
-
|
|
616
|
-
# Log metadata for reads
|
|
617
|
-
- level: Metadata
|
|
618
|
-
verbs: ["get", "list", "watch"]
|
|
619
|
-
|
|
620
|
-
# Don't log these
|
|
621
|
-
- level: None
|
|
622
|
-
users: ["system:kube-proxy"]
|
|
623
|
-
verbs: ["watch"]
|
|
624
|
-
resources:
|
|
625
|
-
- group: ""
|
|
626
|
-
resources: ["endpoints", "services"]
|
|
627
|
-
```
|
|
628
|
-
|
|
629
|
-
## Security Monitoring
|
|
630
|
-
|
|
631
|
-
### Prometheus Alerts
|
|
632
|
-
|
|
633
|
-
```yaml
|
|
634
|
-
# alerts.yaml
|
|
635
|
-
groups:
|
|
636
|
-
- name: security
|
|
637
|
-
interval: 30s
|
|
638
|
-
rules:
|
|
639
|
-
# Alert on privileged pods
|
|
640
|
-
- alert: PrivilegedPodDetected
|
|
641
|
-
expr: |
|
|
642
|
-
kube_pod_container_status_running == 1
|
|
643
|
-
and
|
|
644
|
-
kube_pod_security_context_privileged == 1
|
|
645
|
-
for: 5m
|
|
646
|
-
annotations:
|
|
647
|
-
summary: "Privileged pod detected: {{ $labels.pod }}"
|
|
648
|
-
|
|
649
|
-
# Alert on excessive RBAC permissions
|
|
650
|
-
- alert: ExcessiveRBACPermissions
|
|
651
|
-
expr: |
|
|
652
|
-
kube_role_rules{verb="*"} > 0
|
|
653
|
-
annotations:
|
|
654
|
-
summary: "Role with wildcard permissions: {{ $labels.role }}"
|
|
655
|
-
|
|
656
|
-
# Alert on failed auth attempts
|
|
657
|
-
- alert: AuthenticationFailures
|
|
658
|
-
expr: |
|
|
659
|
-
rate(apiserver_audit_event_total{verb="create",objectRef_resource="serviceaccounts/token",responseStatus_code="401"}[5m]) > 5
|
|
660
|
-
annotations:
|
|
661
|
-
summary: "High rate of authentication failures"
|
|
662
|
-
```
|
|
663
|
-
|
|
664
|
-
## Best Practices
|
|
665
|
-
|
|
666
|
-
### 1. Defense in Depth
|
|
667
|
-
|
|
668
|
-
Implement multiple layers of security controls.
|
|
669
|
-
|
|
670
|
-
### 2. Least Privilege
|
|
671
|
-
|
|
672
|
-
Grant minimum necessary permissions.
|
|
673
|
-
|
|
674
|
-
### 3. Network Segmentation
|
|
675
|
-
|
|
676
|
-
Use network policies to restrict traffic.
|
|
677
|
-
|
|
678
|
-
### 4. Secrets Management
|
|
679
|
-
|
|
680
|
-
Never commit secrets to Git, use external secrets.
|
|
681
|
-
|
|
682
|
-
### 5. Image Security
|
|
683
|
-
|
|
684
|
-
Scan images, use trusted registries, require digests.
|
|
685
|
-
|
|
686
|
-
### 6. Runtime Protection
|
|
687
|
-
|
|
688
|
-
Monitor and detect anomalous behavior.
|
|
689
|
-
|
|
690
|
-
### 7. Regular Updates
|
|
691
|
-
|
|
692
|
-
Keep Kubernetes and all components updated.
|
|
693
|
-
|
|
694
|
-
### 8. Audit Everything
|
|
695
|
-
|
|
696
|
-
Enable comprehensive audit logging.
|
|
697
|
-
|
|
698
|
-
### 9. Immutable Infrastructure
|
|
699
|
-
|
|
700
|
-
Use read-only root filesystems.
|
|
701
|
-
|
|
702
|
-
### 10. Security as Code
|
|
703
|
-
|
|
704
|
-
Automate security testing in CI/CD.
|
|
705
|
-
|
|
706
|
-
---
|
|
707
|
-
|
|
708
|
-
**Related Resources:**
|
|
709
|
-
- [infrastructure-standards.md](infrastructure-standards.md) - Security baselines
|
|
710
|
-
- [container-orchestration.md](container-orchestration.md) - Pod security
|
|
711
|
-
- [multi-tenancy.md](multi-tenancy.md) - Isolation and RBAC
|