luiscamaral

security-audit

# Install this skill:
npx skills add luiscamaral/k8s-cell-platform-skills --skill "security-audit"

Install specific skill from multi-skill repository

# Description

Audits Kubernetes security posture including RBAC permissions, network policies, pod security, and compliance. Use for security reviews, RBAC analysis, permission checks, network policy validation, CVE assessment, or compliance verification.

# SKILL.md


---
name: security-audit
description: Audits Kubernetes security posture including RBAC permissions, network policies, pod security, and compliance. Use for security reviews, RBAC analysis, permission checks, network policy validation, CVE assessment, or compliance verification.
allowed-tools: Read, Glob, Grep, Bash(kubectl:get,describe,auth,api-resources)
---


Security Audit

Audits and validates security posture of the Kubernetes Cell Platform.

Quick Security Check

# RBAC overview
kubectl get clusterroles | wc -l
kubectl get clusterrolebindings | wc -l

# Network policies
kubectl get networkpolicies -A

# Pod security
kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}: privileged={.spec.containers[*].securityContext.privileged}{"\n"}{end}' | grep -v "privileged=$"

# Secrets (just count, don't expose)
kubectl get secrets -A --no-headers | wc -l

RBAC Audit

List Permissions

# What can a service account do? (--as impersonates; the caller needs the "impersonate" verb on
# serviceaccounts/users/groups, which is itself a sensitive permission worth auditing)
kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<sa-name>

# Who can perform an action? kubectl has no built-in answer: "auth can-i" only tests one identity
# and --list cannot be combined with a verb/resource. Use the kubectl-who-can plugin (outside this
# skill's allowed-tools) or resolve roles and bindings yourself from the JSON dumps.
kubectl who-can create pods -A

# Check a specific permission for a user (add --as-group to include group memberships)
kubectl auth can-i delete pods -n <namespace> --as=<user>
kubectl auth can-i delete pods -n <namespace> --as=<user> --as-group=<group>

Risky Permissions

# Find cluster-admin bindings (cluster-wide), printing subject kind and namespace
kubectl get clusterrolebindings -o json | jq -r '.items[] | select(.roleRef.name=="cluster-admin") | .metadata.name + ": " + ((.subjects[]? | "\(.kind) \(.namespace // "-")/\(.name)") // "no subjects")'

# cluster-admin granted inside a single namespace through a RoleBinding (easy to miss)
kubectl get rolebindings -A -o json | jq -r '.items[] | select(.roleRef.kind=="ClusterRole" and .roleRef.name=="cluster-admin") | "\(.metadata.namespace)/\(.metadata.name)"'

# Find roles where one rule grants every verb on every resource. Test resources and verbs
# within the same rule; checking them in separate .rules[] passes matches across two unrelated rules.
kubectl get clusterroles -o json | jq -r '.items[] | select(any(.rules[]?; any(.resources[]?; .=="*") and any(.verbs[]?; .=="*"))) | .metadata.name'
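The "who can" question and the risky-permission search above both come down to walking roles and bindings. The script below, an added example that is not part of the security-audit skill, does that offline on the JSON from `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`. It honours wildcards, treats a RoleBinding to a ClusterRole as namespace-scoped, and flags wildcard rules, escalation verbs (`escalate`, `bind`, `impersonate`) and secret reads. The `SAMPLE` objects and the file name `rbac_audit.py` are constructed for illustration.

```python
"""Resolve RBAC bindings offline: who can do <verb> on <resource>, and which bindings are risky.
Added example, not part of the security-audit skill. Reads the JSON that
`kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json` prints
(a List whose items each carry their own kind). SAMPLE is constructed for illustration."""
import json
import sys

RISKY_VERBS = {"*", "escalate", "bind", "impersonate"}   # verbs that allow privilege escalation
SECRET_READ = {"*", "get", "list", "watch"}

def _hit(values, want):
    """Wildcard-aware match; 'pods/*' also covers subresources such as 'pods/exec'."""
    return any(v == "*" or v == want or (v.endswith("/*") and want.startswith(v[:-1]))
               for v in values)

def rule_grants(rule, verb, resource, api_group=""):
    return (_hit(rule.get("verbs", []), verb) and _hit(rule.get("resources", []), resource)
            and _hit(rule.get("apiGroups", []), api_group))

def _index_roles(items):
    """(kind, namespace, name) -> rules; ClusterRoles use namespace ''."""
    roles = {}
    for it in items:
        if it["kind"] in ("Role", "ClusterRole"):
            md = it["metadata"]
            roles[(it["kind"], md.get("namespace", ""), md["name"])] = it.get("rules") or []
    return roles

def _bindings(items):
    """Yield (binding, id, scope, rules); scope '*' means cluster-wide, else the namespace."""
    roles = _index_roles(items)
    for b in items:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        md, ref = b["metadata"], b["roleRef"]
        if b["kind"] == "ClusterRoleBinding":
            scope, bid = "*", f"ClusterRoleBinding {md['name']}"
        else:
            scope, bid = md["namespace"], f"RoleBinding {md['namespace']}/{md['name']}"
        # A RoleBinding may point at a ClusterRole; those rules then apply only in its namespace.
        role_ns = "" if ref["kind"] == "ClusterRole" else scope
        yield b, bid, scope, roles.get((ref["kind"], role_ns, ref["name"]), [])

def subject_id(s):
    if s["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{s.get('namespace', '')}:{s['name']}"
    return f"{s['kind']}:{s['name']}"

def who_can(items, verb, resource, api_group="", namespace=None):
    """Sorted (subject, scope) pairs; with namespace set, only grants reaching it count."""
    out = set()
    for b, _bid, scope, rules in _bindings(items):
        if namespace and scope not in ("*", namespace):
            continue
        if any(rule_grants(r, verb, resource, api_group) for r in rules):
            out.update((subject_id(s), scope) for s in b.get("subjects") or [])
    return sorted(out)

def risky_grants(items):
    """Sorted (binding id, reason) for bindings whose role carries a dangerous rule."""
    findings = set()
    for _b, bid, _scope, rules in _bindings(items):
        for r in rules:
            verbs, resources = set(r.get("verbs", [])), r.get("resources", [])
            if not resources:            # nonResourceURLs rules are out of scope here
                continue
            if "*" in verbs and "*" in resources:
                findings.add((bid, "wildcard rule: all verbs on all resources"))
            elif verbs & RISKY_VERBS:
                findings.add((bid, "grants " + ",".join(sorted(verbs & RISKY_VERBS))))
            elif _hit(resources, "secrets") and verbs & SECRET_READ:
                findings.add((bid, "reads secrets"))
    return sorted(findings)

SAMPLE = [  # constructed; a real cluster has many more roles and bindings
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "deployer", "namespace": "app"}, "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "update"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "runner"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "dev"}]},
    {"kind": "RoleBinding", "metadata": {"name": "deploy", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "app", "name": "deployer"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ns-admin", "namespace": "app"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    # kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json | python3 rbac_audit.py create pods
    items = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    verb, resource = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else ("get", "pods")
    for subject, scope in who_can(items, verb, resource):
        print(f"{verb} {resource}: {subject} ({'cluster-wide' if scope == '*' else scope})")
    for bid, reason in risky_grants(items):
        print(f"RISKY {bid}: {reason}")
```

Aggregated ClusterRoles are already expanded in the API server's stored object, so the dump contains their effective rules; roles that a binding references but that do not exist resolve to no permissions, which matches how the authorizer treats them.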

Network Policy Audit

# Namespaces without any core NetworkPolicy. Note that "has a policy" is a weak signal: pods not
# selected by any policy still accept all traffic, so also look for a default-deny per namespace.
for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}'); do
  count=$(kubectl get networkpolicies -n "$ns" --no-headers 2>/dev/null | wc -l)
  if [ "$count" -eq 0 ]; then echo "$ns: NO POLICIES"; fi
done

# Cilium policies are separate CRDs and are not counted by the loop above
kubectl get ciliumnetworkpolicies,ciliumclusterwidenetworkpolicies -A

# View policies
kubectl get networkpolicies -A -o wide
kubectl describe networkpolicy <name> -n <namespace>
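Counting policies per namespace does not tell you whether traffic is actually denied by default. The script below, an added example rather than part of the skill, grades each namespace from the JSON of `kubectl get ns -o json` and `kubectl get networkpolicies -A -o json`: it recognises a default-deny as a policy with an empty `podSelector`, the direction in its effective `policyTypes`, and no rules for that direction, and it deliberately does not count an allow-all rule (`ingress: [{}]`) as a deny. It evaluates only the core `networking.k8s.io` NetworkPolicy, so on this platform CiliumNetworkPolicy objects still need a separate review. The sample objects and the file name `netpol_audit.py` are constructed.

```python
"""Grade NetworkPolicy coverage per namespace: NO POLICIES, no default-deny, or ok.
Added example, not part of the security-audit skill. Input: `kubectl get ns -o json` and
`kubectl get networkpolicies -A -o json`. Only core NetworkPolicy objects are evaluated;
CiliumNetworkPolicy is a separate CRD. Sample data below is constructed."""
import json
import sys

def policy_types(spec):
    """Effective policyTypes: the API defaults to Ingress, plus Egress if an egress list is present."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def selects_all_pods(spec):
    sel = spec.get("podSelector") or {}
    return not sel.get("matchLabels") and not sel.get("matchExpressions")

def is_default_deny(policy, direction):
    """Empty podSelector + direction in policyTypes + no rules for it = deny all in that direction.
    An allow-all rule ([{}]) is a non-empty rule list and therefore is NOT a deny."""
    spec = policy["spec"]
    return (selects_all_pods(spec) and direction in policy_types(spec)
            and not spec.get(direction.lower()))

def audit_namespaces(namespaces, policies):
    """namespace -> 'NO POLICIES' | 'no default-deny ingress[/egress]' | 'ok'."""
    by_ns = {}
    for p in policies:
        by_ns.setdefault(p["metadata"]["namespace"], []).append(p)
    report = {}
    for ns in namespaces:
        pols = by_ns.get(ns, [])
        if not pols:
            report[ns] = "NO POLICIES"
            continue
        missing = [d for d in ("Ingress", "Egress")
                   if not any(is_default_deny(p, d) for p in pols)]
        report[ns] = "ok" if not missing else "no default-deny " + "/".join(m.lower() for m in missing)
    return report

SAMPLE_NS = ["app", "web", "empty"]
SAMPLE_POLICIES = [  # constructed
    {"metadata": {"namespace": "app", "name": "default-deny"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"namespace": "web", "name": "allow-frontend"},
     "spec": {"podSelector": {"matchLabels": {"app": "frontend"}},
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "lb"}}}]}]}},
    {"metadata": {"namespace": "web", "name": "deny-ingress"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"namespace": "web", "name": "allow-all-egress"},   # allow-all, not a deny
     "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{}]}},
]

if __name__ == "__main__":
    # python3 netpol_audit.py namespaces.json networkpolicies.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            namespaces = [n["metadata"]["name"] for n in json.load(f)["items"]]
        with open(sys.argv[2]) as f:
            policies = json.load(f)["items"]
    else:
        namespaces, policies = SAMPLE_NS, SAMPLE_POLICIES
    for ns, status in sorted(audit_namespaces(namespaces, policies).items()):
        print(f"{ns}: {status}")
```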

Pod Security

Check Privileged Containers

# Covers init containers as well; any() prints each pod once even when several containers match
kubectl get pods -A -o json | jq -r '.items[] | select(any((.spec.containers + (.spec.initContainers // []))[]; .securityContext.privileged == true)) | .metadata.namespace + "/" + .metadata.name'

Check Host Access

# Host network
kubectl get pods -A -o json | jq -r '.items[] | select(.spec.hostNetwork==true) | .metadata.namespace + "/" + .metadata.name'

# Host PID / IPC namespaces
kubectl get pods -A -o json | jq -r '.items[] | select(.spec.hostPID==true or .spec.hostIPC==true) | .metadata.namespace + "/" + .metadata.name'

# hostPath volumes (direct access to the node filesystem)
kubectl get pods -A -o json | jq -r '.items[] | select(any(.spec.volumes[]?; .hostPath != null)) | .metadata.namespace + "/" + .metadata.name + ": " + ([.spec.volumes[]? | .hostPath.path // empty] | join(","))'
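The one-liners above each answer a single question per pod. The script below, an added example and not the skill's own code, runs the checks from this section together over `kubectl get pods -A -o json` and applies the Pod Security Standards rules that catch what the jq filters miss: it walks init and ephemeral containers too, resolves container-level `securityContext` fields over pod-level ones, and flags capability additions outside the baseline allow-list, missing `allowPrivilegeEscalation: false`, possible root execution, missing seccomp profiles and `hostPort`s. It is not a complete PSS implementation; the sample pods and the file name `pod_audit.py` are constructed.

```python
"""Flag pods violating the Pod Security Standards controls this page discusses.
Added example, not part of the security-audit skill and not a complete PSS implementation.
Input: `kubectl get pods -A -o json`. SAMPLE_PODS is constructed for illustration."""
import json
import sys

# Capabilities the PSS baseline profile allows a container to add; anything else is flagged.
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                 "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}

def container_findings(kind, c, pod_sc):
    """Checks for one container; container securityContext fields override the pod's."""
    sc = c.get("securityContext") or {}

    def eff(key):
        return sc[key] if sc.get(key) is not None else pod_sc.get(key)

    tag = f"{kind} {c['name']}"
    f = []
    if sc.get("privileged"):
        f.append(f"{tag}: privileged")
    if sc.get("allowPrivilegeEscalation") is not False:      # restricted profile requires false
        f.append(f"{tag}: allowPrivilegeEscalation not false")
    extra = sorted(set((sc.get("capabilities") or {}).get("add") or []) - BASELINE_CAPS)
    if extra:
        f.append(f"{tag}: adds capabilities {','.join(extra)}")
    # Without runAsNonRoot the image default decides; an explicit UID 0 is certainly root.
    if eff("runAsNonRoot") is not True and eff("runAsUser") in (None, 0):
        f.append(f"{tag}: may run as root")
    if (eff("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
        f.append(f"{tag}: no seccomp profile")
    for port in c.get("ports") or []:
        if port.get("hostPort"):
            f.append(f"{tag}: hostPort {port['hostPort']}")
    return f

def pod_findings(pod):
    spec = pod["spec"]
    f = [flag for flag in ("hostNetwork", "hostPID", "hostIPC") if spec.get(flag)]
    for v in spec.get("volumes") or []:
        if "hostPath" in v:
            f.append(f"volume {v['name']}: hostPath {v['hostPath'].get('path')}")
    pod_sc = spec.get("securityContext") or {}
    for kind, key in (("initContainer", "initContainers"), ("container", "containers"),
                      ("ephemeralContainer", "ephemeralContainers")):
        for c in spec.get(key) or []:
            f.extend(container_findings(kind, c, pod_sc))
    return f

def audit_pods(items):
    """namespace/name -> findings, only for pods that have any."""
    report = {}
    for pod in items:
        found = pod_findings(pod)
        if found:
            report[f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"] = found
    return report

SAMPLE_PODS = [  # constructed
    {"metadata": {"namespace": "app", "name": "web"}, "spec": {"containers": [
        {"name": "web", "image": "web:1", "securityContext": {
            "allowPrivilegeEscalation": False, "runAsNonRoot": True,
            "capabilities": {"drop": ["ALL"]}, "seccompProfile": {"type": "RuntimeDefault"}}}]}},
    {"metadata": {"namespace": "app", "name": "legacy"},
     "spec": {"containers": [{"name": "app", "image": "legacy:1"}]}},
    {"metadata": {"namespace": "monitoring", "name": "node-agent"}, "spec": {
        "hostNetwork": True, "hostPID": True, "securityContext": {"runAsUser": 0},
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "initContainers": [{"name": "setup", "image": "busybox", "securityContext": {
            "capabilities": {"add": ["NET_ADMIN", "CHOWN"]}, "allowPrivilegeEscalation": False,
            "runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}}],
        "containers": [{"name": "agent", "image": "agent:1",
                        "securityContext": {"privileged": True},
                        "ports": [{"containerPort": 9100, "hostPort": 9100}]}]}},
]

if __name__ == "__main__":
    # kubectl get pods -A -o json | python3 pod_audit.py
    items = SAMPLE_PODS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for pod, findings in sorted(audit_pods(items).items()):
        print(pod)
        for line in findings:
            print("  -", line)
```

Expect system agents (CNI, node exporters, storage drivers) to show up; the value of the report is in deciding per namespace which of these are accepted exceptions and which are application pods that should be moved to the restricted profile.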

Secret Audit

# List secrets by type
kubectl get secrets -A -o jsonpath='{range .items[*]}{.type}{"\n"}{end}' | sort | uniq -c

# Find secrets not used by pods
# (Compare with mounted secrets in pods)
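The comparison the step above describes, as an added example that is not part of the skill: collect every secret a pod can reach (secret volumes, projected volume sources, `secretKeyRef` env entries, `envFrom` secret refs and `imagePullSecrets`) from `kubectl get pods -A -o json`, then list the secrets from `kubectl get secrets -A -o json` that none of them touches. Secrets used by anything other than a pod (Ingress TLS, cert-manager, external-secrets, CSI drivers, operators) are invisible to this check, so the output is a review queue, not a deletion list. Service-account tokens and Helm release records are skipped. The sample objects and the file name `secret_audit.py` are constructed.

```python
"""List Secrets that no pod references. Added example, not part of the security-audit skill.
Input: `kubectl get secrets -A -o json` and `kubectl get pods -A -o json`. Secrets consumed
outside pods (Ingress TLS, operators, CSI) will appear here too: review, do not delete blindly.
Sample data below is constructed."""
import json
import sys

# Secret types the platform manages itself; never report these as unused.
IGNORED_TYPES = {"kubernetes.io/service-account-token", "helm.sh/release.v1"}

def referenced_secrets(pods):
    """Set of (namespace, name) for every secret a pod mounts, injects or pulls images with."""
    refs = set()
    for pod in pods:
        ns, spec = pod["metadata"]["namespace"], pod["spec"]
        for s in spec.get("imagePullSecrets") or []:
            refs.add((ns, s["name"]))
        for v in spec.get("volumes") or []:
            if "secret" in v:
                refs.add((ns, v["secret"]["secretName"]))
            for src in (v.get("projected") or {}).get("sources") or []:
                if "secret" in src:
                    refs.add((ns, src["secret"]["name"]))
        containers = ((spec.get("containers") or []) + (spec.get("initContainers") or [])
                      + (spec.get("ephemeralContainers") or []))
        for c in containers:
            for e in c.get("env") or []:
                ref = (e.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    refs.add((ns, ref["name"]))
            for e in c.get("envFrom") or []:
                if "secretRef" in e:
                    refs.add((ns, e["secretRef"]["name"]))
    return refs

def unused_secrets(secrets, pods, ignored_types=IGNORED_TYPES):
    """Sorted 'namespace/name (type)' for secrets of interest that no pod references."""
    used = referenced_secrets(pods)
    out = []
    for s in secrets:
        ns, name = s["metadata"]["namespace"], s["metadata"]["name"]
        stype = s.get("type", "Opaque")
        if stype not in ignored_types and (ns, name) not in used:
            out.append(f"{ns}/{name} ({stype})")
    return sorted(out)

SAMPLE_SECRETS = [  # constructed
    {"metadata": {"namespace": "app", "name": "db-creds"}, "type": "Opaque"},
    {"metadata": {"namespace": "app", "name": "tls"}, "type": "kubernetes.io/tls"},
    {"metadata": {"namespace": "app", "name": "registry"}, "type": "kubernetes.io/dockerconfigjson"},
    {"metadata": {"namespace": "app", "name": "old-token"}, "type": "Opaque"},
    {"metadata": {"namespace": "app", "name": "default-token-x7k2p"},
     "type": "kubernetes.io/service-account-token"},
    {"metadata": {"namespace": "ci", "name": "sh.helm.release.v1.runner.v3"}, "type": "helm.sh/release.v1"},
    {"metadata": {"namespace": "ci", "name": "ssh-key"}, "type": "Opaque"},
]
SAMPLE_PODS = [  # constructed
    {"metadata": {"namespace": "app", "name": "api"}, "spec": {
        "imagePullSecrets": [{"name": "registry"}],
        "containers": [{"name": "api", "env": [
            {"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}},
    {"metadata": {"namespace": "ci", "name": "runner"}, "spec": {
        "volumes": [{"name": "keys", "projected": {"sources": [{"secret": {"name": "ssh-key"}}]}}],
        "containers": [{"name": "runner"}]}},
]

if __name__ == "__main__":
    # python3 secret_audit.py secrets.json pods.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            secrets = json.load(f)["items"]
        with open(sys.argv[2]) as f:
            pods = json.load(f)["items"]
    else:
        secrets, pods = SAMPLE_SECRETS, SAMPLE_PODS
    for line in unused_secrets(secrets, pods):
        print(line)
```

In the sample, `app/tls` is reported even though an Ingress would consume it; that is exactly the class of false positive the review step has to resolve by hand.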

Compliance Checklist

CIS Kubernetes Benchmark

  • [ ] API server uses TLS
  • [ ] Audit logging enabled
  • [ ] RBAC enabled
  • [ ] Network policies in place
  • [ ] Pod security standards enforced
  • [ ] Secrets encrypted at rest

Platform-Specific

  • [ ] Talos immutable OS (L0)
  • [ ] Cilium network policies (L0)
  • [ ] Kyverno policies active (L2)
  • [ ] Linkerd mTLS enabled (L2)
  • [ ] No cluster-admin for apps

Memory Files

  • meta/memory/architecture-decisions.md - Security ADRs

Reference Documentation

  • reference/rbac-checklist.md - RBAC best practices
  • reference/network-policies.md - Network policy templates

Audit Script

Run scripts/audit-rbac.sh for a comprehensive RBAC audit report.

Security by Layer

| Layer | Security Features |
|-------|-------------------|
| L0 | Immutable OS, no SSH, encrypted state |
| L1 | Minimal RBAC per component |
| L2 | Kyverno policies, Linkerd mTLS |

# Supported AI Coding Agents

This skill follows the SKILL.md standard and works with AI coding agents that support it.
