From prodsec-skills
Validates Kubernetes platform configuration including boot parameters, hugepages, kernel state, sysctl settings, OpenShift lifecycle, and service mesh compliance for cluster auditing and upgrade preparation.
Slash command: `/prodsec-skills:platform-integrity`
Validate that the underlying platform configuration meets operational and security requirements. These checks verify node-level settings that affect all workloads on the cluster.
Boot parameters must be configured through MachineConfig or the Performance Addon Operator — not set manually on nodes. Manual changes are lost on reboot and create configuration drift between nodes.
Required for: Telco (mandatory), Far-Edge (mandatory), Extended (mandatory), Non-Telco (optional)
OpenShift Note: Use `MachineConfig` or `PerformanceProfile` CRs to manage boot parameters declaratively.
Sysctl kernel parameters must match values defined in MachineConfig. Any sysctl values that differ from the MachineConfig-declared values indicate manual node modification or configuration drift.
Required for: Telco (mandatory), Far-Edge (mandatory), Extended (mandatory), Non-Telco (optional)
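As an added illustration of the sysctl drift check (not code from the prodsec-skills plugin or from certsuite): given the sysctl.d contents a MachineConfig declares and the `sysctl -a` output captured from a node, report every declared key whose live value differs or is missing. The file contents and node output are constructed samples.

```python
import re

# Constructed sample data: the /etc/sysctl.d file a MachineConfig ships in its
# Ignition storage.files entry (decoded) and `sysctl -a` output from a node.
DECLARED_SYSCTL_CONF = """\
# 99-telco.conf rendered by MachineConfig (constructed)
net.ipv4.ip_forward = 1
kernel.pid_max = 4194304
vm.max_map_count = 262144
net.core.somaxconn = 4096
"""

NODE_SYSCTL_OUTPUT = """\
net.ipv4.ip_forward = 1
kernel.pid_max = 4194304
vm.max_map_count = 65530
net.core.somaxconn = 4096
fs.file-max = 9223372036854775807
"""

_LINE = re.compile(r"^\s*([\w.\-/]+)\s*=\s*(.*?)\s*$")

def parse_sysctl(text):
    """Parse 'key = value' lines, skipping blanks and comments. Runs of
    whitespace inside a value are collapsed so tab/space differences between
    a config file and `sysctl -a` output are not reported as drift."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        match = _LINE.match(line)
        if match:
            settings[match.group(1)] = " ".join(match.group(2).split())
    return settings

def find_sysctl_drift(declared_conf, node_output):
    """Return {key: (declared, actual)} for every MachineConfig-declared key
    whose live value differs, with actual=None when the node lacks the key.
    Keys the node reports but the MachineConfig never set are not drift:
    the config does not claim to own them."""
    declared = parse_sysctl(declared_conf)
    actual = parse_sysctl(node_output)
    return {k: (v, actual.get(k)) for k, v in declared.items() if actual.get(k) != v}

if __name__ == "__main__":
    for key, (want, got) in find_sysctl_drift(DECLARED_SYSCTL_CONF, NODE_SYSCTL_OUTPUT).items():
        print(f"DRIFT {key}: MachineConfig={want!r} node={got!r}")
```

On a live cluster the declared side comes from the rendered MachineConfig's Ignition files and the node side from a debug pod running `sysctl -a`; the comparison logic is the same.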
Node kernels must not be tainted. A tainted kernel indicates non-standard modules, out-of-tree drivers, or other modifications that may affect stability and supportability.
Required for: all profiles (mandatory)
Hugepage settings must be configured via MachineConfig — not manually on nodes. Manual hugepage allocation is lost on reboot.
Required for: Telco (mandatory), Far-Edge (mandatory), Extended (mandatory), Non-Telco (optional)
Pods using hugepages must use a single size:

1Gi hugepages only. Required for: Telco (mandatory), Far-Edge (mandatory), Extended (mandatory), Non-Telco (optional)

2Mi hugepages only. Required for: Far-Edge (mandatory), all others (optional)

```yaml
resources:
  requests:
    hugepages-1Gi: 2Gi
    memory: 256Mi
  limits:
    hugepages-1Gi: 2Gi
    memory: 256Mi
```
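An added example, not from the plugin or from certsuite, of evaluating the single-size rule against pod objects shaped like `kubectl get pod -o json` output; both pods are constructed, and the allowed size is a parameter so one function serves the 1Gi-only and 2Mi-only checks. It also flags hugepage requests that differ from limits, which Kubernetes requires to be equal.

```python
# Constructed pod objects, shaped like `kubectl get pod -o json` output (trimmed).
COMPLIANT_POD = {
    "metadata": {"name": "dpdk-app"},
    "spec": {"containers": [{
        "name": "dataplane",
        "resources": {
            "requests": {"hugepages-1Gi": "2Gi", "memory": "256Mi"},
            "limits": {"hugepages-1Gi": "2Gi", "memory": "256Mi"},
        },
    }]},
}
MIXED_POD = {
    "metadata": {"name": "mixed-app"},
    "spec": {"containers": [
        {"name": "fast", "resources": {"requests": {"hugepages-1Gi": "1Gi"},
                                       "limits": {"hugepages-1Gi": "1Gi"}}},
        {"name": "slow", "resources": {"requests": {"hugepages-2Mi": "64Mi"},
                                       "limits": {"hugepages-2Mi": "32Mi"}}},
    ]},
}
HUGEPAGE_PREFIX = "hugepages-"

def _hugepage_resources(container, section):
    """Hugepage entries ({'hugepages-1Gi': '2Gi'}) from requests or limits."""
    res = container.get("resources", {}).get(section, {})
    return {k: v for k, v in res.items() if k.startswith(HUGEPAGE_PREFIX)}

def hugepage_sizes(pod):
    """Set of page sizes ('1Gi', '2Mi', ...) used by any container in the pod."""
    sizes = set()
    for c in pod["spec"].get("containers", []):
        for section in ("requests", "limits"):
            sizes.update(k[len(HUGEPAGE_PREFIX):] for k in _hugepage_resources(c, section))
    return sizes

def check_hugepages(pod, allowed_size):
    """Findings for the single-size rule: allowed_size='1Gi' mirrors the
    1g-only check, '2Mi' the 2m-only check. Pods that use no hugepages pass.
    Also flags containers whose hugepage requests differ from limits, which
    the API server rejects at admission but an offline manifest audit would miss."""
    name = pod["metadata"]["name"]
    findings = [f"{name}: uses hugepages-{s}, only hugepages-{allowed_size} is allowed"
                for s in sorted(hugepage_sizes(pod) - {allowed_size})]
    for c in pod["spec"].get("containers", []):
        req, lim = _hugepage_resources(c, "requests"), _hugepage_resources(c, "limits")
        if req != lim:
            findings.append(f"{name}/{c['name']}: hugepage requests {req} != limits {lim}")
    return findings
```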
Baremetal worker nodes must have hyperthreading enabled. Hyperthreading provides additional logical CPUs that improve throughput for many workload types.
Required for: Telco (mandatory), Far-Edge (mandatory), Extended (mandatory), Non-Telco (optional)
The OpenShift version must not be end-of-life. Running unsupported versions means no security patches, bug fixes, or Red Hat support.
Required for: all profiles (mandatory)
The node operating system must be compatible with the deployed OpenShift version. Mismatched OS and platform versions can cause unpredictable behavior.
Required for: all profiles (mandatory)
All cluster operators must be in Available state. Degraded or unavailable operators indicate platform issues that can affect workload reliability.
Required for: all profiles (mandatory)
If the istio-system namespace exists on the cluster, all workload pods must use Istio sidecar proxies. Pods without sidecars in a service mesh environment bypass traffic management, security policies, and observability features.
Required for: Telco (mandatory), Far-Edge (mandatory), Extended (mandatory), Non-Telco (optional)
| Guidance | Certsuite Test ID | Profiles |
|---|---|---|
| Boot params via MachineConfig | platform-alteration-boot-params | Telco/Far-Edge/Extended: mandatory, Non-Telco: optional |
| Sysctl matches MachineConfig | platform-alteration-sysctl-config | Telco/Far-Edge/Extended: mandatory, Non-Telco: optional |
| No tainted kernels | platform-alteration-tainted-node-kernel | All profiles: mandatory |
| Hugepages via MachineConfig | platform-alteration-hugepages-config | Telco/Far-Edge/Extended: mandatory, Non-Telco: optional |
| 1Gi hugepages only | platform-alteration-hugepages-1g-only | Telco/Far-Edge/Extended: mandatory, Non-Telco: optional |
| 2Mi hugepages only | platform-alteration-hugepages-2m-only | Far-Edge: mandatory, all others: optional |
| Hyperthreading enabled | platform-alteration-hyperthread-enable | Telco/Far-Edge/Extended: mandatory, Non-Telco: optional |
| OCP not end-of-life | platform-alteration-ocp-lifecycle | All profiles: mandatory |
| Node OS compatible | platform-alteration-ocp-node-os-lifecycle | All profiles: mandatory |
| Cluster operators healthy | platform-alteration-cluster-operator-health | All profiles: mandatory |
| Istio sidecars present | platform-alteration-service-mesh-usage | Telco/Far-Edge/Extended: mandatory, Non-Telco: optional |
Install: `npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills`