>_

Unnamed Skill

Validate Kubernetes manifests, Helm charts, and Dapr configs against security and governance rules. Use when: (1) Generating K8s manifests, (2) Creating Helm charts, (3) Building Docker configurations, (4) Reviewing Dapr components, (5) After any infrastructure code generation, (6) Before deployment reviews. Validates container security, RBAC policies, resource limits, Dapr standards, and network policies.

$ Installieren

git clone https://github.com/majiayu000/claude-skill-registry /tmp/claude-skill-registry && cp -r /tmp/claude-skill-registry/skills/devops/constitution-enforcer ~/.claude/skills/claude-skill-registry

// tip: Run this command in your terminal to install the skill

SKILL.md
View on GitHub →

name: Constitution Enforcer description: Validate Kubernetes manifests, Helm charts, and Dapr configs against security and governance rules. Use when: (1) Generating K8s manifests, (2) Creating Helm charts, (3) Building Docker configurations, (4) Reviewing Dapr components, (5) After any infrastructure code generation, (6) Before deployment reviews. Validates container security, RBAC policies, resource limits, Dapr standards, and network policies.

Overview

This skill enforces cloud-native governance rules for Kubernetes deployments. Invoke it before and after generating infrastructure code to ensure compliance with security policies.

Validation Scripts

Use the provided validation scripts for automated checking:

# Validate Kubernetes manifests
python scripts/validate_k8s.py <manifest-file>

# Validate Helm charts
python scripts/validate_helm.py <chart-directory>

# Validate Dapr components
python scripts/validate_dapr.py <component-file>

# Run all validations
bash scripts/validate_all.sh <directory>

Rule Codes

CodeCategoryDescription
SEC-001SecurityMissing securityContext
SEC-002SecurityRunning as root (UID 0)
SEC-003SecurityPrivilege escalation enabled
SEC-004SecurityWritable root filesystem
SEC-005SecurityCapabilities not dropped
IMG-001ImageUsing 'latest' tag
IMG-002ImageMissing image pull policy
NET-001NetworkHost network enabled
NET-002NetworkHost PID enabled
NET-003NetworkMissing NetworkPolicy
RBAC-001RBACUsing default ServiceAccount
RBAC-002RBACClusterRole for app workload
RBAC-003RBACWildcard permissions (*)
RBAC-004RBACForbidden verbs (bind/escalate/impersonate)
RBAC-005RBACcluster-admin binding
RES-001ResourcesMissing CPU request
RES-002ResourcesMissing CPU limit
RES-003ResourcesMissing memory request
RES-004ResourcesMissing memory limit
DAPR-001DaprMissing namespace
DAPR-002DaprUsing 'default' namespace
DAPR-003DaprInline credentials
DAPR-004DaprMissing scopes
DAPR-005DaprmTLS not enabled
KAFKA-001KafkaInvalid topic naming
KAFKA-002KafkaMissing auth in production
KAFKA-003KafkaLow replication factor
DB-001DatabaseSSL not enabled
DB-002DatabaseHardcoded credentials
DB-003DatabaseCredentials not in Secret

Container Security Rules

Every container MUST have these security settings:

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

Violations that BLOCK deployment:

  • Running as root (UID 0)
  • Privilege escalation enabled
  • Using latest image tag
  • Host network or host PID enabled
  • Missing security context

RBAC Policies

RuleRequirement
Dedicated ServiceAccountEach app has its own SA
No default SANever use default service account
Namespace-scopedUse Role, not ClusterRole
Least privilegeOnly permissions actually needed
No cluster-adminNever bind cluster-admin to apps

Forbidden:

  • Wildcard permissions (*)
  • ClusterRoleBinding to applications
  • bind, escalate, impersonate verbs

Resource Limits

Every container MUST specify:

resources:
  requests:
    cpu: "<value>"
    memory: "<value>"
  limits:
    cpu: "<value>"
    memory: "<value>"

Defaults by component:

ComponentCPU ReqCPU LimitMem ReqMem Limit
Frontend100m500m128Mi256Mi
Backend200m1000m256Mi512Mi
MCP Server100m500m128Mi256Mi
Dapr Sidecar100m300m128Mi256Mi

Dapr Configuration Standards

Every Dapr component MUST have:

  • Explicit namespace (never "default")
  • Credentials via secretKeyRef (never inline)
  • Scopes defined (never empty)
  • mTLS enabled in Configuration resource

Kafka Event Governance

  • Topic naming: <domain>.<entity>.<event> (e.g., todo.task.created)
  • Auth required in production
  • Replication factor 2+ in production

Database Connection Security

  • SSL required: sslmode=require
  • Credentials in Kubernetes Secret only
  • No hardcoded credentials anywhere

Network Policies

  • Default deny all ingress/egress
  • Explicit allow rules only for required traffic

Validation Output Format

When violations found, output:

## Constitution Violation Report

### CRITICAL (Must Fix)
1. [RULE-CODE] Description
   - Location: file:line
   - Fix: How to fix

### WARNING (Should Fix)
1. [RULE-CODE] Description

### Status: PASSED / BLOCKED

Compliance Checklist

Container Security:
[ ] runAsNonRoot: true
[ ] allowPrivilegeEscalation: false
[ ] No latest tags

RBAC:
[ ] Dedicated ServiceAccount
[ ] Namespace-scoped Role

Resources:
[ ] CPU/Memory limits set

Dapr:
[ ] mTLS enabled
[ ] Scopes defined
[ ] secretKeyRef used

Database:
[ ] SSL enabled
[ ] Credentials in Secret

Repository

majiayu000
majiayu000
Author
majiayu000/claude-skill-registry/skills/devops/constitution-enforcer
0
Stars
0
Forks
Updated15h ago
Added1w ago

Actions

View on GitHubDownload ZIPReport Issue

Related Skills

skill-writer
pytorch/pytorch
95.4k
docstring
pytorch/pytorch
95.4k
at-dispatch-v2
pytorch/pytorch
95.4k
add-uint-support
pytorch/pytorch
95.4k
skill-creator
openai/codex
54.7k