mirror of
https://github.com/ghndrx/homelab-gitops.git
synced 2026-02-09 22:34:55 +00:00
Latest commit (main):
- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas)
- Validation policies:
  - disallow-privileged-containers (Enforce)
  - require-resource-limits (Enforce)
  - require-labels (Audit - standard k8s labels)
  - require-run-as-non-root (Audit)
  - disallow-latest-tag (Enforce - GitOps reproducibility)
- Mutating policy:
  - add-default-securitycontext (seccomp, drop caps, read-only fs)
- System namespaces excluded (kube-system, kyverno, istio-system)
- Auto-discovered by ArgoCD ApplicationSet

Reference: CIS Kubernetes Benchmark, Pod Security Standards
Homelab GitOps
GitOps repository for homelab Kubernetes infrastructure. Everything as code, auto-synced by ArgoCD.
Quick Start
# Bootstrap cluster (after ArgoCD installed)
kubectl apply -k clusters/defiant/
See docs/BOOTSTRAP.md for full setup guide.
Infrastructure
| System | Role | Stack |
|---|---|---|
| defiant | k3s cluster | AMD Ryzen 9 7940HS, Istio, Knative |
| truenas | Storage + Docker | 50TB RAIDZ2, Plex, *arr stack |
| dell01 | Gateway | Clawdbot AI |
Structure
├── apps/ # Application deployments
│ ├── base/ # Base manifests (Kustomize)
│ └── overlays/ # Environment overrides
│ ├── prod/ # → Auto-discovered by ApplicationSet
│ └── dev/
├── infrastructure/ # Cluster infrastructure
│ ├── cert-manager/ # ✅ TLS with Let's Encrypt
│ ├── kyverno/ # ✅ Policy engine (security + best practices)
│ ├── networking/ # Istio gateway, NetworkPolicies
│ ├── storage/ # NFS StorageClass
│ └── monitoring/ # Prometheus, Grafana, Loki
├── clusters/
│ └── defiant/ # Cluster bootstrap
│ ├── kustomization.yaml
│ ├── root-applicationset.yaml # Git Directory Generator
│ └── projects.yaml # ArgoCD AppProjects
└── docs/
└── BOOTSTRAP.md # Setup guide
GitOps Pattern
Uses ArgoCD ApplicationSets with Git Directory Generator:
- `infrastructure/*` → auto-creates ArgoCD Applications
- `apps/overlays/prod/*` → auto-creates prod Applications
- Add a directory, push, and ArgoCD syncs it automatically
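As an added example (not the repo's own `root-applicationset.yaml`), this is the shape an ApplicationSet with the Git Directory Generator takes for the `infrastructure/*` pattern described above. The AppProject name `infrastructure`, the in-cluster destination and the sync options are assumptions; the repo URL and branch come from the page.

```yaml
# Added example, not the project's manifest. Assumes an AppProject named
# "infrastructure" exists (projects.yaml) and that ArgoCD runs in "argocd".
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: infrastructure
  namespace: argocd
spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]   # fail loudly on a bad template field
  generators:
    - git:
        repoURL: https://github.com/ghndrx/homelab-gitops.git
        revision: main
        directories:
          - path: infrastructure/*          # one Application per subdirectory
  template:
    metadata:
      name: '{{ .path.basename }}'           # e.g. cert-manager, kyverno
    spec:
      project: infrastructure               # assumed AppProject
      source:
        repoURL: https://github.com/ghndrx/homelab-gitops.git
        targetRevision: main
        path: '{{ .path.path }}'             # e.g. infrastructure/kyverno
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{ .path.basename }}'
      syncPolicy:
        automated:
          prune: true                       # delete resources removed from Git
          selfHeal: true                    # revert out-of-band cluster edits
        syncOptions:
          - CreateNamespace=true
```

Because the generator turns any pushed directory into an auto-synced Application, the AppProject referenced in `projects.yaml` is the control that bounds what those Applications may do: restrict `sourceRepos` to this repository, `destinations` to the intended namespaces, and keep `clusterResourceWhitelist` narrow, so push access to the repo does not equal cluster-admin by default.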
Defiant (k3s) Workloads
- 🏥 MediSynth - FHIR healthcare platform
- 🔧 Istio - Service mesh
- ⚡ Knative - Serverless
- 📜 Cert-Manager - TLS certificates
- 🗄️ CNPG - Cloud Native PostgreSQL
TrueNAS (Docker - not in this repo)
- 📺 Plex, Sonarr, Radarr, Prowlarr
- 📷 Immich
- 🏠 Home Assistant
- 📊 Homepage, Uptime Kuma
Policy Engine (Kyverno)
Kyverno enforces security and best practices across the cluster. Policies include:
| Policy | Mode | Description |
|---|---|---|
| disallow-privileged | Enforce | Blocks privileged containers |
| require-resource-limits | Enforce | Requires CPU/memory limits |
| require-labels | Audit | Standard labeling for workloads |
| require-non-root | Audit | Non-root container requirement |
| disallow-latest-tag | Enforce | Requires explicit image tags |
| add-default-securitycontext | Mutate | Adds secure defaults automatically |
Policies in Audit mode only record violations in PolicyReports; they never block admission. Promote a policy to Enforce once the reports show no violations in existing workloads.
# Check policy reports
kubectl get policyreports -A
kubectl get clusterpolicyreports
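As an added example (not a policy file from the repo), this is what a Kyverno ClusterPolicy along the lines of the `disallow-latest-tag` entry above looks like, including the system-namespace exclusion and the Audit-to-Enforce switch. The rule names, message text and the `background: true` setting are assumptions.

```yaml
# Added example, not the project's own policy. Kyverno v1 API as used by the
# 3.3.x Helm chart; rule names and messages are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  # Start as Audit, read the PolicyReports, then flip to Enforce.
  validationFailureAction: Enforce
  # Scan resources that already exist too, so reports reflect the whole
  # cluster and not only new admission requests.
  background: true
  rules:
    # Rule 1: an image with no tag at all defaults to :latest, so require
    # that every image reference contains a tag (or digest) separator.
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds: [Pod]            # autogen also covers Deployments etc.
      exclude:
        any:
          - resources:
              namespaces: [kube-system, kyverno, istio-system]
      validate:
        message: "An explicit image tag is required."
        pattern:
          spec:
            # =() anchors check these lists only when they are present,
            # so Pods without initContainers still pass this rule.
            =(initContainers):
              - image: "*:*"
            =(ephemeralContainers):
              - image: "*:*"
            containers:
              - image: "*:*"
    # Rule 2: reject the mutable :latest tag explicitly.
    - name: validate-image-tag
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system, kyverno, istio-system]
      validate:
        message: "Using a mutable image tag such as ':latest' is not allowed."
        pattern:
          spec:
            =(initContainers):
              - image: "!*:latest"
            =(ephemeralContainers):
              - image: "!*:latest"
            containers:
              - image: "!*:latest"
```

Two rules are needed because `!*:latest` alone accepts an untagged image, which the container runtime silently resolves to `latest`; the `*:*` rule closes that gap. Digest-pinned references (`image@sha256:...`) pass both rules, which is the reproducibility the commit message is after.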
Secrets Management
Encrypted with SOPS + age. Configuration in .sops.yaml.
# Encrypt a secret
sops -e -i infrastructure/cert-manager/secret.yaml
# Decrypt for editing
sops infrastructure/cert-manager/secret.yaml
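As an added example (the repo's real `.sops.yaml` and its age recipient are not shown on the page), this is a `.sops.yaml` that makes the two commands above work without extra flags. The path regex and the age public key are placeholders.

```yaml
# Added example, not the repo's actual .sops.yaml. Replace the recipient
# with the real age public key; the regexes are assumptions.
creation_rules:
  # Any file named *secret*.yaml under infrastructure/ or apps/ is encrypted
  # with this rule when `sops -e -i <file>` is run.
  - path_regex: ^(infrastructure|apps)/.*secret.*\.yaml$
    # Encrypt only the Secret payload. apiVersion, kind and metadata stay in
    # clear so kustomize and ArgoCD can still read the resource identity.
    encrypted_regex: ^(data|stringData)$
    age: "<age-public-key>"   # placeholder recipient
```

Encryption needs only the public key in `.sops.yaml`; decrypting for editing (`sops <file>`) needs the matching private key, which SOPS reads from `SOPS_AGE_KEY_FILE` (default `~/.config/sops/age/keys.txt`). Keep that file out of the repository. Leaving `metadata` unencrypted also means Secret names and namespaces are visible in Git history, which is usually acceptable for a homelab but worth knowing.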
License
MIT