Who is Muhammad Usman Akbar?

Muhammad Usman Akbar is a world-class AI Transformation Consultant and Agentic Architect focused on achieving 30x industrial efficiency through autonomous ecosystems.

What results can an AI Transformation Consultant provide?

By replacing manual work with autonomous AI workflows, a consultant like Muhammad Usman can deliver up to 30x growth in output while reducing operational overhead by 40%.

What is Agentic AI Orchestration?

It is the engineering of multi-agent systems where autonomous AI entities collaborate to manage complex industrial operations in production environments.

Build Your Cloud Security Skill

In January 2024, a major cryptocurrency exchange lost $230 million because an attacker exploited misconfigured Kubernetes RBAC—a service account with cluster-admin privileges was exposed through a debugging pod left running in production. The attacker didn't break encryption or exploit zero-days. They walked through a door that should have been locked.

Your Task API is running in Kubernetes. Before learning how to protect it—configuring RBAC, isolating network traffic, enforcing Pod Security Standards—you will own a cloud-security skill that generates secure configurations from day one.

This skill becomes a component of your sellable Digital FTE portfolio. By the end of this chapter, you will have a production-tested skill that implements defense-in-depth security for any Kubernetes workload.

Step 1: Get the Skills Lab

Go to github.com/fistasolutions/claude-code-skills-lab
Click the green Code button
Select Download ZIP
Extract the ZIP file
Open the extracted folder in your terminal

bash

cd claude-code-skills-lab

Output:

bash

Claude Code v1.0.0
Type your message or ? for help
>

Step 2: Write Your LEARNING-SPEC.md

Before asking Claude to build your skill, define what you want to learn. Create a file named LEARNING-SPEC.md:

markdown

# Cloud Security Learning Specification

## What
A skill for securing Kubernetes workloads using:
- RBAC (Roles, RoleBindings, ServiceAccounts)
- NetworkPolicies (default deny, explicit allow)
- Pod Security Standards (PSS enforcement)
- Secrets management (External Secrets Operator patterns)
- Image scanning (Trivy integration)
- Dapr security (mTLS, component scopes)

## Why
Production AI agents handle sensitive data and make autonomous decisions.
A single misconfiguration—an overprivileged service account, missing
network isolation, a container running as root—can expose the entire
cluster. The 4C security model (Cloud, Cluster, Container, Code)
provides defense-in-depth.

## Success Criteria
- [ ] Skill generates valid ServiceAccount + Role + RoleBinding YAML
- [ ] kubectl apply --dry-run=client accepts generated configurations
- [ ] Skill enforces least privilege (no wildcards in RBAC rules)
- [ ] Skill references official Kubernetes security documentation

Output:

bash

LEARNING-SPEC.md created (892 bytes)

This specification tells Claude exactly what you need and how you will measure success.

Step 3: Fetch Official Documentation

Ask Claude to gather the authoritative source material:

bash

Using your Context7 skill, fetch the official Kubernetes security
documentation. I need to understand RBAC (Roles, ClusterRoles,
RoleBindings), NetworkPolicy, and Pod Security Standards.

Claude will retrieve documentation from the official Kubernetes project, giving your skill accurate, up-to-date patterns rather than hallucinated configurations.

Output:

text

Fetching Kubernetes security documentation via Context7...

Retrieved:
- RBAC authorization patterns
- NetworkPolicy specification
- Pod Security Standards (Privileged, Baseline, Restricted)
- Secrets management best practices
- Security context configuration

Documentation ready for skill creation.

Step 4: Create Your Skill

Now prompt Claude to build the skill using the fetched documentation:

bash

Using your skill creator skill, create a new skill for Kubernetes security.
I will use it to secure Python/FastAPI applications from dev to production.
Cover RBAC, NetworkPolicies, Pod Security Standards, secrets management,
image scanning with Trivy, and Dapr security. Use the Kubernetes security
docs you just fetched.

Claude will:

Study the fetched documentation
Ask clarifying questions about your security requirements
Create the skill with security templates and best practices

Output:

text

Creating cloud-security skill...

Questions:
1. Should I include patterns for External Secrets Operator?

2. What base PSS level should be the default (baseline or restricted)?

3. Do you need Dapr-specific security patterns?

[After your answers]

Skill created at .claude/skills/cloud-security/
- SKILL.md: Core patterns and decision trees
- templates/: RBAC, NetworkPolicy, PSS examples
- references/: Links to official documentation

Your skill appears at .claude/skills/cloud-security/.

Step 5: Test Your Skill

Verify your new skill generates valid Kubernetes YAML:

bash

Using my cloud-security skill, show me how to create a dedicated
Service
Account for my Task API with minimal permissions.

Output:

yaml

# task-api-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: task-api-sa
  namespace: task-api
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: task-api-role
  namespace: task-api
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: task-api-role-binding
  namespace: task-api
subjects:
- kind: ServiceAccount
  name: task-api-sa
roleRef:
  kind: Role
  name: task-api-role
  apiGroup: rbac.authorization.k8s.io

Save the output and validate:

bash

kubectl apply --dry-run=client -f task-api-rbac.yaml

Output:

bash

serviceaccount/task-api-sa created (dry run)
role.rbac.authorization.k8s.io/task-api-role created (dry run)
rolebinding.rbac.authorization.k8s.io/task-api-role-binding created (dry run)

If dry-run succeeds, your skill generates valid RBAC configurations following least privilege principles. Notice that the Role specifies only configmaps with get and list verbs—no wildcards, no cluster-wide access.

Done

You now own a cloud-security skill built from official Kubernetes security documentation. The rest of this chapter teaches you what it knows—and how to make it better.

Next Lesson: The 4C Security Model

Try With AI

Now that you have a working skill, test its gap identification capabilities.

Prompt 1:

bash

Using my cloud-security skill, show me how to create a dedicated
Service
Account for my Task API with minimal permissions.

What you're learning: How your skill generates RBAC patterns following least privilege. Notice whether it avoids wildcards (*) in verbs and resources, and whether it suggests automountServiceAccountToken: false by default.

Prompt 2:

bash

What's missing from this skill for production workloads?

What you're learning: Gap identification is a critical meta-skill. Your skill might be missing NetworkPolicy defaults, PSS enforcement labels, Trivy scanning integration, or Dapr component scopes. Each gap becomes a learning target for this chapter's lessons.

Security Reminder

Never test security configurations on production clusters. Always use --dry-run=client first, then apply to a development namespace. Security misconfigurations can expose your entire cluster.