
Azure Kubernetes
Fix Kubernetes manifests for AKS Automatic compatibility constraints like resources, seccomp, and capabilities.
Install
npx skills add https://github.com/microsoft/azure-skills --skill azure-kubernetes

What is this skill?
- Maps constraint IDs to YAML fix patterns for AKS Automatic safeguards.
- Adds resource requests/limits, drops ALL capabilities, and seccomp profiles.
- Flags genuinely incompatible apps like NET_ADMIN instead of silently weakening policy.
Adoption & trust: 204k installs on skills.sh; 1.2k GitHub stars; 3/3 security scanners passed (skills.sh audits).
Common Questions / FAQ
Is Azure Kubernetes safe to install?
skills.sh reports 3 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Azure Kubernetes
# Common Fix Patterns for AKS Automatic Compatibility

Loaded on demand when generating YAML fixes during assessment. Maps to constraint IDs in `constraint-spec-v1.yaml`.

---

## `safeguard-container-resource-requests` — Add resource requests/limits

**Before:**

```yaml
containers:
  - name: web
    image: myapp:v1.0.0
```

**After:**

```yaml
containers:
  - name: web
    image: myapp:v1.0.0
    resources:
      requests:
        cpu: "250m"
        memory: "256Mi"
      limits:
        cpu: "500m"
        memory: "512Mi"
```

> 💡 **Tip:** Use safe minimums as starting values. VPA (auto-enabled on AKS Automatic) will tune these after deployment based on actual usage.

---

## `safeguard-container-capabilities` — Drop all capabilities

**Before:**

```yaml
securityContext:
  capabilities:
    add: ["NET_ADMIN"]
```

**After:**

```yaml
securityContext:
  capabilities:
    drop: ["ALL"]
```

> ⚠️ **Warning:** If the app genuinely requires `NET_ADMIN` or similar, it is **incompatible** with AKS Automatic. Do not silently drop the capability: explain the incompatibility and suggest a redesign.

---

## `safeguard-allowed-seccomp-profiles` — Add seccomp profile

**Before:**

```yaml
spec:
  containers:
    - name: web
```

**After:**

```yaml
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: web
```

---

## `safeguard-allowed-seccomp-profiles` — Remove 'Unconfined' seccomp profile

**Before:**

```yaml
spec:
  securityContext:
    seccompProfile:
      type: Unconfined
  containers:
    - name: web
```

**After:**

```yaml
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: web
```

> ⚠️ **Warning:** Replace `Unconfined` with `RuntimeDefault` rather than deleting the profile block: a pod with no seccomp profile at all still fails the "Add seccomp profile" pattern above. Check each container's own `securityContext.seccompProfile` as well, because a container-level `Unconfined` overrides the pod-level setting.

---

## `safeguard-enforce-apparmor` — Add AppArmor annotation

**Before:**

```yaml
metadata:
  name: my-deployment
```

**After:**

```yaml
metadata:
  name: my-deployment
  annotations:
    container.apparmor.security.beta.kubernetes.io/web: runtime/default
```

> 💡 **Tip:** Replace `web` with the actual container name. Add one annotation per container.
---

## `safeguard-images-no-latest` — Pin image tag *(LLM-reasoned — ask user)*

**Before:**

```yaml
image: myapp:latest
```

**After:**

```yaml
image: myapp:v1.2.3  # ← version confirmed with user
```

> ⚠️ **Warning:** Do not guess the version. Ask the user: _"What specific version tag or SHA digest should I pin this image to?"_ If the image comes from a public registry, suggest checking Docker Hub or the registry for the latest stable tag.

---

## `safeguard-probes-configured` — Add probes *(best-practice recommendation — warning-only, not blocked at admission)*

**HTTP app (most common):**

```yaml
readinessProbe:
  httpGet:
    path: /healthz   # ← ask user for their health endpoint
    port: 8080       # ← ask user for port
  initialDelaySeconds: 5
  periodSeconds: 10
  failureThreshold: 3
livenessProbe:
  httpGet:
    path: /healthz
    port: 8080
  initialDelaySeconds: 15
  periodSeconds: 20
  failureThreshold: 3
```

**TCP-only app (databases, Redis, etc.):**

```yaml
readinessProbe:
  tcpSocket:
    port: 6379   # ← service port
  initialDelaySeconds: 5
  periodSeconds: 10
livenessProbe:
  tcpSocket:
    port: 6379
  initialDelaySeconds: 15
  periodSeconds: 20
```

**gRPC app:**

```yaml
readinessProbe:
  grpc:
    port: 50051
  initialDelaySeconds: 5
  periodSeconds: 10
```

---

## `safeguard-host-probes` — Remove host field in probes and lifecycle hooks

**Before:**

```yaml
spec:
  containers:
    - name: my-container
      image: nginx:v1.2.3
      livenessProbe:
        httpGet:
          host: "my-host"
          path: /healthz
          port: 8080
        initialDelaySeconds: 15
        periodSeconds: 20
        failureThreshold: 3
```

**After:** Remove the `host` field. Example:

```yaml
spec:
  containers:
    - name: my-container
      image: nginx:v1.2.3
      livenessProbe:
        httpGet:
          path: /healthz
          port: 8080
        initialDelaySeconds: 15
        periodSeconds: 20
        failureThreshold: 3
```

---

## `safeguard-pod-enforce-antiaffinity` — Add topology spread *(LLM-reasoned —
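The mechanical patterns above (resource requests, capabilities, seccomp, AppArmor, host fields in probes) can be applied by code, while the two LLM-reasoned ones (image tag, probes) can only be flagged. The script below is an added example, not part of the skill or the azure-skills repository: it applies the fix patterns to a manifest already parsed into Python dicts and returns a list of findings keyed by the constraint IDs from this page. It assumes the caller loads YAML with PyYAML's `yaml.safe_load` (left out so the file has no third-party imports); the `Finding` class, `fix_manifest`, and the embedded sample Deployment are constructed for the example. The one policy choice not stated on the page, leaving a `Localhost` seccomp profile untouched for human review, is an assumption.

```python
"""Apply AKS Automatic safeguard fix patterns to a parsed manifest (added example).

Assumes the manifest was loaded with yaml.safe_load into plain dicts; only the
standard library is used here.
"""
import copy
from dataclasses import dataclass

# Starting values from the resource-requests pattern; VPA tunes them after deploy.
DEFAULT_RESOURCES = {
    "requests": {"cpu": "250m", "memory": "256Mi"},
    "limits": {"cpu": "500m", "memory": "512Mi"},
}
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
PROBE_FIELDS = ("livenessProbe", "readinessProbe", "startupProbe")


@dataclass
class Finding:
    constraint: str  # constraint ID from constraint-spec-v1.yaml
    target: str      # container name, or "pod" for pod-level settings
    status: str      # "fixed" | "needs-review" | "warning"
    detail: str


def _pod_template(manifest):
    """Return (metadata, podSpec) for a Pod or for a workload with spec.template."""
    if manifest.get("kind") == "Pod":
        return manifest.setdefault("metadata", {}), manifest.setdefault("spec", {})
    template = manifest.setdefault("spec", {}).setdefault("template", {})
    return template.setdefault("metadata", {}), template.setdefault("spec", {})


def _strip_probe_hosts(container, findings):
    """safeguard-host-probes: delete httpGet.host from probes and lifecycle hooks."""
    probes = [(f, container.get(f)) for f in PROBE_FIELDS]
    lifecycle = container.get("lifecycle") or {}
    probes += [(f"lifecycle.{h}", lifecycle.get(h)) for h in ("postStart", "preStop")]
    for label, probe in probes:
        http = (probe or {}).get("httpGet") or {}
        if "host" in http:
            del http["host"]
            findings.append(Finding("safeguard-host-probes", container["name"],
                                    "fixed", f"removed {label}.httpGet.host"))


def fix_manifest(manifest):
    """Return (fixed_copy, findings); the input dict is left unmodified."""
    m = copy.deepcopy(manifest)
    findings = []
    metadata, pod = _pod_template(m)

    # Pod-level seccomp: add RuntimeDefault if missing, replace Unconfined.
    # Assumption: a Localhost profile is left for the reviewer, not rewritten.
    sc = pod.setdefault("securityContext", {})
    ptype = (sc.get("seccompProfile") or {}).get("type")
    if ptype in (None, "Unconfined"):
        sc["seccompProfile"] = {"type": "RuntimeDefault"}
        findings.append(Finding("safeguard-allowed-seccomp-profiles", "pod", "fixed",
                                "replaced Unconfined with RuntimeDefault" if ptype else "added RuntimeDefault"))

    annotations = metadata.setdefault("annotations", {})
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name = c["name"]

        # Resource requests/limits: fill in only what is missing.
        res = c.setdefault("resources", {})
        missing = [k for k in ("requests", "limits") if not res.get(k)]
        for k in missing:
            res[k] = dict(DEFAULT_RESOURCES[k])
        if missing:
            findings.append(Finding("safeguard-container-resource-requests", name, "fixed",
                                    f"added default {'/'.join(missing)} (VPA will tune)"))

        # Capabilities: never silently drop an explicit `add`; flag it instead.
        csc = c.setdefault("securityContext", {})
        caps = csc.setdefault("capabilities", {})
        if caps.get("add"):
            findings.append(Finding("safeguard-container-capabilities", name, "needs-review",
                                    f"app adds {caps['add']}: incompatible with AKS Automatic, left for redesign"))
        elif caps.get("drop") != ["ALL"]:
            caps["drop"] = ["ALL"]
            findings.append(Finding("safeguard-container-capabilities", name, "fixed", "drop: [ALL]"))

        # A container-level Unconfined profile overrides the pod-level one.
        if (csc.get("seccompProfile") or {}).get("type") == "Unconfined":
            csc["seccompProfile"] = {"type": "RuntimeDefault"}
            findings.append(Finding("safeguard-allowed-seccomp-profiles", name, "fixed",
                                    "container-level Unconfined replaced with RuntimeDefault"))

        # AppArmor: one annotation per container on the pod template metadata.
        key = APPARMOR_PREFIX + name
        if key not in annotations:
            annotations[key] = "runtime/default"
            findings.append(Finding("safeguard-enforce-apparmor", name, "fixed", f"added {key}"))

        # Image tag: untagged or :latest without a digest is flagged, never guessed.
        image = c.get("image", "")
        untagged = ":" not in image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (untagged or image.endswith(":latest")):
            findings.append(Finding("safeguard-images-no-latest", name, "needs-review",
                                    f"{image!r}: ask the user which tag or digest to pin"))

        _strip_probe_hosts(c, findings)

        # Probes are a recommendation only; report a warning, do not block.
        if not any(c.get(f) for f in ("readinessProbe", "livenessProbe")):
            findings.append(Finding("safeguard-probes-configured", name, "warning",
                                    "no readiness/liveness probe; recommended, not blocked at admission"))
    return m, findings


# Constructed sample Deployment that trips every pattern above.
SAMPLE = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "web"}},
        "spec": {
            "securityContext": {"seccompProfile": {"type": "Unconfined"}},
            "containers": [
                {"name": "web", "image": "myapp:latest",
                 "livenessProbe": {"httpGet": {"host": "my-host", "path": "/healthz", "port": 8080}}},
                {"name": "agent", "image": "agent:v2.0.0",
                 "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}},
            ],
        },
    }},
}

if __name__ == "__main__":
    fixed, findings = fix_manifest(SAMPLE)
    for f in findings:
        print(f"[{f.status:12}] {f.constraint} ({f.target}): {f.detail}")
```

Run it and the `needs-review` lines are the ones to hand back to the user: the `:latest` tag and the `NET_ADMIN` container are reported rather than rewritten, which is the behaviour the capabilities and image-tag patterns ask for. Everything marked `fixed` is a safe mechanical edit that matches the Before/After pairs on this page.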