K8s Security Advisor
Your cluster has blind spots. This mind sees them.
A senior Kubernetes security intelligence that thinks in attack paths — not checklists. It reasons from the attacker's perspective first, traces how they'd move through your cluster, and tells you exactly where to focus your defenses.
"We had a default EKS cluster and thought we were fine. This mind showed us 6 attack paths we'd never considered — including one where a compromised CI token could reach every secret in every namespace. We fixed it in a day."
What Happens When You Use It
You: "Review my cluster's security posture"
Mind: "Before I can assess that — how many namespaces? What's your tenant
model? Any compliance requirements?"
You: "12 namespaces, single-tenant, SOC2"
Mind: "Here's what I see. Your top risk is no NetworkPolicy — any compromised
pod can reach any other pod. The attack path: compromised frontend →
harvest service account token → list secrets in payments namespace →
database credentials exposed. Priority: CRITICAL.
Three things to fix this week:
1. Default-deny NetworkPolicy on every production namespace
2. Set automountServiceAccountToken: false on all non-API pods
3. Enable API server audit logging
Confidence: HIGH — this is the #1 attack vector in CIS Benchmark
assessments. CVE-independent, exploitable today."
That's the experience. Every answer follows this flow: understand your context → map the attack paths → show the gaps → prescribe with priority.
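The three fixes named in the sample exchange above, written out as manifests. This is an added example, not output from the tool or code from its author; the namespace, workload and image names are placeholders.

```yaml
# Fix 1: default-deny for every pod in one namespace ("payments" is assumed).
# An empty podSelector selects all pods; listing both policyTypes with no
# rules denies all traffic. Egress deny also blocks DNS, so add an explicit
# allow policy for DNS and for each flow the workloads need.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Fix 2: a ServiceAccount whose token is not mounted into pods by default.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: frontend            # hypothetical workload name
  namespace: web            # hypothetical namespace
automountServiceAccountToken: false
---
# The pod-level field takes precedence over the ServiceAccount setting.
apiVersion: v1
kind: Pod
metadata:
  name: frontend
  namespace: web
spec:
  serviceAccountName: frontend
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example.com/frontend:1.0   # placeholder image
---
# Fix 3: audit policy for a self-managed control plane. This is a file read
# by kube-apiserver via --audit-policy-file, not an object for kubectl apply.
# Managed services expose audit logs through the provider's own setting.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata         # record who touched Secrets, never the payload
    resources:
      - group: ""
        resources: ["secrets"]
  - level: Metadata         # baseline for all other requests
```

NetworkPolicy objects only take effect when the cluster's network plugin enforces them, so confirm enforcement with a connectivity test after applying the default-deny policy.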
Install
myclaude install @l0z4n0/k8s-security-advisor
One command. Takes 10 seconds. The mind appears in your Claude Code automatically.
Try These First
| Ask this | You'll get |
|---|---|
| "Review my cluster's RBAC" | Attack path analysis of your access control + specific fixes |
| "Best runtime detection for my setup?" | Falco vs Tetragon decision framework based on YOUR constraints |
| "We found a suspicious process in production" | Step-by-step incident response sequence (don't kill the pod first!) |
| "Map our controls to SOC2" | Gap analysis with specific k8s controls for each requirement |
| "Harden our supply chain pipeline" | SLSA + SBOM + Sigstore implementation roadmap |
What It Knows Deeply
Six security domains, each with real CVEs, operational patterns, and production-tested recommendations:
| Domain | What it covers | Why it matters |
|---|---|---|
| Supply Chain | SLSA, SBOM, Sigstore, image signing | $60B in attacks globally (2025). "Scan and block" isn't enough anymore |
| Runtime Detection | Falco, Tetragon, KubeArmor | You need cameras, not just locks. Detection + enforcement |
| RBAC & Access Control | Team patterns, break-glass, 8 escalation paths | RBAC alone has 8+ privilege escalation vectors |
| Network Policy | Default-deny, microsegmentation, zero trust | Without it, every pod talks to every pod. Lateral movement is trivial |
| Incident Response | Cordon→forensics→drain, evidence preservation | Containers are ephemeral. Kill the pod = lose the evidence |
| Compliance | CIS, SOC2, PCI-DSS, HIPAA → k8s controls | Passing the audit is the floor, not the ceiling |
What It Won't Do
This mind is advisory — it thinks alongside you but never acts on your behalf.
- Won't touch your files or run commands (enforced by Claude Code)
- Won't audit application code (use AEGIS for that)
- Won't configure cloud provider IAM (AWS/GCP/Azure specific)
- Won't generate exploits or perform pentesting
- Won't certify compliance — maps controls, doesn't sign audits
Note: denied-tools blocks direct file/command access. The Agent tool is not restricted by Claude Code's current architecture — the mind's instructions explicitly prohibit execution through any channel.
Tips for Better Answers
The mind asks context questions before prescribing. Give it:
- Cluster topology — managed (EKS/GKE/AKS) or self-managed? How many nodes?
- Workload types — stateless microservices? Databases? ML training? Batch jobs?
- Compliance requirements — SOC2? PCI-DSS? HIPAA? Or just "be secure"?
- Current state — what do you already have? RBAC? NetworkPolicy? Runtime detection?
More context = sharper recommendations.
How It Reasons
Every response follows the same cognitive architecture:
1. SCOPE → Which security layer? (Cloud / Cluster / Container / Code)
2. THREAT MODEL → How would an attacker exploit this?
3. CONTROL GAP → What defenses exist? What's missing?
4. PRESCRIPTION → What to fix, in what order, with what tradeoffs
You'll notice the mind always says things like:
- "The attack path here is..." — traces the adversary's perspective
- "In production, what actually happens is..." — separates theory from reality
- "The tradeoff you're making is..." — makes hidden risk decisions visible
- Confidence: HIGH/MEDIUM/LOW — never hides uncertainty
Works With
- AEGIS — code-level security (SAST, STRIDE, 300+ patterns). AEGIS handles the Code layer; this mind handles Cluster, Container, and Cloud.
- Together they cover the full 4C security model.
Built By
@l0z4n0 — informed by research from Bishop Fox, Wiz, AWS EKS Best Practices, CNCF, Sigstore, Falco, and Tetragon documentation. 11 knowledge gaps identified and addressed through structured research.

<sub>Built with MyClaude Studio Engine</sub>