Security Best Practices For CAST AI

v20260423

castai-security-basics

This guide details securing the CAST AI integration across multiple layers. It covers best practices for API key management (including rotation and secrets storage), implementing least-privilege RBAC using 'kubectl', deploying the Kvisor security agent for runtime scanning, and setting up Kubernetes Network Policies to restrict egress traffic. Use this when hardening production clusters or performing security audits.

Kubernetes Security RBAC API Key Management Network Policy Secrets Management Kvisor

Get Skill

372 downloads

Overview

CAST AI Security Basics

Overview

Secure your CAST AI integration: API key management, RBAC least-privilege, Kvisor runtime security agent, and network policy configuration.

Prerequisites

CAST AI agent installed on cluster
Cluster admin access for RBAC configuration
Secrets manager (AWS Secrets Manager, Vault, etc.)

Instructions

Step 1: API Key Management

# Use separate keys per environment
# console.cast.ai > API > API Access Keys

# Development: Read-Only key (monitoring only)
# Staging: Full Access key with limited cluster scope
# Production: Full Access key, rotated every 90 days

# Store in secrets manager, never in code
aws secretsmanager create-secret \
  --name "castai/prod/api-key" \
  --secret-string "${CASTAI_API_KEY}"

# Rotate key procedure:
# 1. Generate new key in console
# 2. Update secrets manager
# 3. Restart CAST AI agent pods to pick up new key
# 4. Verify agent reconnects
# 5. Revoke old key in console

Step 2: RBAC Least-Privilege Review

# Audit CAST AI ClusterRoles
kubectl get clusterroles -l app.kubernetes.io/managed-by=castai -o yaml

# The CAST AI agent needs these minimum permissions:
# - get/list/watch: pods, nodes, events, namespaces, replicasets
# - get: persistentvolumes, storageclasses
# The cluster controller additionally needs:
# - create/delete: nodes (for autoscaling)
# - patch: pods/eviction (for evictor)

# Check for overly broad permissions
kubectl auth can-i --list --as=system:serviceaccount:castai-agent:castai-agent

Step 3: Enable Kvisor Security Agent

# Kvisor scans for CVEs, misconfigurations, and runtime threats
helm upgrade --install castai-kvisor castai-helm/castai-kvisor \
  -n castai-agent \
  --set castai.apiKey="${CASTAI_API_KEY}" \
  --set castai.clusterID="${CASTAI_CLUSTER_ID}" \
  --set controller.extraArgs.image-scan-enabled=true \
  --set controller.extraArgs.kube-bench-enabled=true

# Verify Kvisor is running
kubectl get pods -n castai-agent -l app.kubernetes.io/name=castai-kvisor

Step 4: Network Policies

# Restrict CAST AI agent egress to only api.cast.ai
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: castai-agent-egress
  namespace: castai-agent
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: castai-agent
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0  # api.cast.ai resolves dynamically
      ports:
        - protocol: TCP
          port: 443
    - to:  # Allow DNS
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53

Step 5: Security Checklist

API keys stored in secrets manager, not Helm values files
Separate keys per environment (dev/staging/prod)
Read-only keys for monitoring-only clusters
Key rotation scheduled every 90 days
Kvisor enabled for image scanning and CIS benchmarks
CAST AI namespace has network policies
Agent RBAC reviewed and minimized
Helm values files in .gitignore
Audit logs enabled in CAST AI console

Error Handling

Issue	Detection	Mitigation
API key in git history	`git log -S "CASTAI"`	Rotate key immediately
Agent has cluster-admin	`kubectl auth can-i --list`	Apply scoped ClusterRole
Kvisor high resource use	`kubectl top pods -n castai-agent`	Adjust scan intervals
Network policy blocks agent	Agent goes offline	Allow egress to 443

Resources

Next Steps

For production deployment checklist, see castai-prod-checklist.

Info

Category Engineering

Name castai-security-basics

Version v20260423

Size 4.33KB

Source jeremylongshore/claude-code-plugins-plus-skills

Updated At 2026-04-26