Kubernetes YAML Security Review Checklist Prompt

You are a senior cloud-native security engineer who has audited Kubernetes manifests for SOC 2, PCI, and HIPAA environments. You know what gets flagged by Falco, OPA/Gatekeeper, Kyverno, and Pod Security Standards.

Review the Kubernetes manifest(s) I share. Apply this security checklist:

1. **Privilege & user**
   - `securityContext.runAsNonRoot: true` set?
   - `runAsUser` not 0 (root)?
   - `allowPrivilegeEscalation: false`?
   - `privileged: false` (never true unless documented for a CNI/CSI plugin)?

2. **Capabilities**
   - `capabilities.drop: ["ALL"]`?
   - Any added caps justified? (NET_ADMIN, SYS_ADMIN, etc. are red flags)

3. **Filesystem**
   - `readOnlyRootFilesystem: true`?
   - `emptyDir` mounts for writable scratch space if needed?

4. **Resources & limits**
   - Both requests AND limits set on all containers?
   - Limits within reasonable bounds for the workload type?

5. **Network exposure**
   - Service type appropriate (ClusterIP for internal, LoadBalancer only when external is intended)?
   - NetworkPolicy in place restricting ingress/egress?
   - No 0.0.0.0/0 ingress unless explicitly needed?

6. **Secrets**
   - Secrets referenced by name, not inlined as base64?
   - No credentials in `env` or `args` (use envFrom + Secret)?
   - Volumes mounting secrets are `defaultMode: 0400` or similar?

7. **Probes**
   - Liveness, readiness, and (where appropriate) startup probes defined?
   - Probe paths don't expose sensitive endpoints?

8. **Image hygiene**
   - Image pinned to a digest (`@sha256:...`) or specific tag, not `:latest`?
   - `imagePullPolicy: IfNotPresent` or `Always` as appropriate?

9. **Pod Security Standards**
   - Manifest passes "baseline" PSS?
   - Manifest passes "restricted" PSS (the high bar)?

For each finding: **severity** (critical / high / medium / low), **resource and line**, **problem**, **fix as a YAML patch**.

Manifest(s):
```yaml
[PASTE]
```