agent security skill risk: low

Calico Kubernetes Network Policy Implementation

The prompt provides an overview, prerequisites, and four steps to audit existing policies, implement default-deny rules, create workload-specific allow rules, and validate enforcem…

SKILL 4 files · 2 folders

SKILL.md

Download

---
name: implementing-container-network-policies-with-calico
description: "Enforce Kubernetes network segmentation using Calico CNI network policies and global network policies to control"
---
# Implementing Container Network Policies with Calico

## Overview

Calico provides Kubernetes-native and extended network policy enforcement through its CNI plugin. This skill covers creating and auditing Calico NetworkPolicy and GlobalNetworkPolicy resources to implement pod-to-pod traffic control, namespace isolation, egress restrictions, and DNS-based policy rules using calicoctl and the Kubernetes API.


## When to Use

- When deploying or configuring implementing container network policies with calico capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation

## Prerequisites

- Kubernetes cluster with Calico CNI installed
- Python 3.9+ with `kubernetes` client library
- calicoctl CLI tool installed and configured
- kubectl access with RBAC permissions for network policy management

## Steps

### Step 1: Audit Existing Network Policies
Use calicoctl and kubectl to inventory current network policies and identify unprotected namespaces.

### Step 2: Implement Default-Deny Policies
Create default-deny ingress and egress policies per namespace as a zero-trust baseline.

### Step 3: Create Workload-Specific Allow Rules
Define granular allow rules for legitimate pod-to-pod and pod-to-service communication.

### Step 4: Validate Policy Enforcement
Test connectivity between pods to verify policies are correctly enforced.

## Expected Output

JSON audit report listing all network policies, unprotected namespaces, policy rule counts, and connectivity test results.

REQUIRED CONTEXT

Kubernetes cluster with Calico CNI installed
calicoctl CLI configured
kubectl access with RBAC for network policies
Python 3.9+ with kubernetes client

TOOLS REQUIRED

calicoctl
kubectl
kubernetes client library

EXPECTED OUTPUT

Format

json

Schema

json · all network policies, unprotected namespaces, policy rule counts, connectivity test results

Constraints

valid JSON only
include network policies list
include unprotected namespaces
include policy rule counts
include connectivity test results

SUCCESS CRITERIA

Audit existing network policies
Implement default-deny policies
Create workload-specific allow rules
Validate policy enforcement

CAVEATS

Dependencies

Kubernetes cluster with Calico CNI installed
Python 3.9+ with `kubernetes` client library
calicoctl CLI tool installed and configured
kubectl access with RBAC permissions for network policy management

Missing context

Exact structure or schema for the expected JSON audit report
Sample Calico policy manifests
Target cluster or namespace identifiers

Ambiguities

Overview description is truncated mid-sentence ('to control')
Steps are high-level directives without concrete commands, YAML, or examples

QUALITY

OVERALL: 0.60
CLARITY: 0.75
SPECIFICITY: 0.45
REUSABILITY: 0.60
COMPLETENESS: 0.55

IMPROVEMENT SUGGESTIONS

Complete the truncated overview sentence.
Expand each step with specific calicoctl/kubectl commands and minimal YAML examples.
Define the precise JSON schema for the audit report.

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.