Summary
Vigilante should support Kubernetes-centric repositories with a dedicated Kubernetes-focused implementation skill that teaches coding agents to make safe manifest and deployment changes while following current Kubernetes application-security guidance.
Problem
- Vigilante currently has no dedicated Kubernetes implementation skill.
- That makes coding agents more likely to miss Kubernetes-specific security posture around service accounts, `securityContext`, RBAC scope, network policy assumptions, and image security when working on deployment manifests.
- Kubernetes changes are operationally sensitive and should not be treated like generic YAML edits.
Context
- Kubernetes publishes an official application security checklist aimed at application developers working with namespaced objects, covering service accounts, pod/container security contexts, RBAC, image security, and network policy.
- The skill should remain developer-focused and avoid turning every Kubernetes issue into a full cluster-security redesign.
Reference Material
Desired Outcome
- Vigilante can detect Kubernetes-centric repositories or issue surfaces and attach a Kubernetes-focused implementation skill or equivalent prompt layer.
- The guidance tells the coding agent to make safe manifest changes and account for current Kubernetes application-security posture.
- The guidance is concise and does not broaden scope into unrelated cluster-ops work.
- Existing operational policies, including `vigilante commit`, remain intact.
Implementation Notes
- Detect Kubernetes-focused implementation surfaces using signals such as manifest directories, `kustomization.yaml`, Kubernetes resource YAML, deployment overlays, or repo-defined Kubernetes workflows.
- Distill Kubernetes-specific execution rules for coding agents. Required areas to cover include:
  - service-account hygiene such as avoiding the default service account and unnecessary token mounts where relevant
  - pod/container `securityContext` guidance such as non-root execution, reduced privilege, and read-only root filesystem where practical
  - least-privilege RBAC and careful handling of namespace/cluster-scoped permissions
  - image-security and scanning awareness
  - network-policy and resource-request awareness where relevant to the touched manifests
  - avoiding broad cluster-wide changes when the issue only requires application-level manifest updates
- Preserve repo-specific instructions as authoritative over generic Kubernetes guidance.
- Preserve commit-path constraints: use `vigilante commit` only.
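As an added example (not Vigilante's code and not the Kubernetes checklist itself), the following Python checker encodes the rules listed above and runs them over a constructed Deployment before and after hardening. It takes the object already parsed into a dict, as `kubectl get -o json` would return it, so no YAML library is needed; the field names are the real Kubernetes ones, while the image names, limits and the `_pod_spec`/`check_manifest` helper names are assumptions made for this example.

```python
from typing import Any


def _pod_spec(obj: dict[str, Any]) -> dict[str, Any]:
    """Return the pod spec of a Pod or of a workload (Deployment, StatefulSet, ...)."""
    spec = obj.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def check_manifest(obj: dict[str, Any]) -> list[str]:
    """Return human-readable findings for the application-level checklist items."""
    pod = _pod_spec(obj)
    psc = pod.get("securityContext", {})  # pod-level securityContext
    findings: list[str] = []
    if pod.get("serviceAccountName", "default") == "default":
        findings.append("pod uses the default service account")
    if pod.get("automountServiceAccountToken", True):  # Kubernetes default is true
        findings.append("service account token is auto-mounted")
    for c in pod.get("containers", []):
        name, csc = c.get("name", "?"), c.get("securityContext", {})
        tag = c.get("image", "").rsplit("/", 1)[-1]  # strip registry/repository path
        if ":" not in tag or tag.endswith(":latest"):
            findings.append(f"{name}: image tag missing or :latest")
        if not (csc.get("runAsNonRoot") or psc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set")
        if csc.get("allowPrivilegeEscalation", True):  # default is true
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not csc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in csc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits")
    return findings


# Constructed sample: a typical Deployment written without the checklist in mind.
WEAK = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "web", "image": "example/web:latest"}]}}}}

# Constructed sample: the same Deployment after applying the checklist items.
HARDENED = {"kind": "Deployment", "spec": {"template": {"spec": {
    "serviceAccountName": "web", "automountServiceAccountToken": False,
    "containers": [{"name": "web", "image": "example/web:1.4.2",
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}}]}}}}

if __name__ == "__main__":
    for label, obj in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_manifest(obj))
```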
Acceptance Criteria
- `vigilante commit` policies continue to apply.
Testing Expectations
- Add or update tests for Kubernetes-focused detection and skill or prompt selection.
- Add or update tests for prompt content so Kubernetes-focused issues receive expected manifest/security guidance and unrelated repositories do not.
- Cover regressions where the Kubernetes guidance is missing or incorrectly injected.
Operational / UX Considerations
- Keep this skill focused on application/deployment manifest work rather than cluster-operator governance.
- Do not assume all repos enforce every security checklist item; guide the agent to preserve or improve posture where relevant.