ghndrx/homelab-gitops
1
0
Fork 0
mirror of https://github.com/ghndrx/homelab-gitops.git synced 2026-02-10 06:44:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(kyverno): add policy engine with security baseline

Browse Source 
- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas)
- Validation policies:
  - disallow-privileged-containers (Enforce)
  - require-resource-limits (Enforce)
  - require-labels (Audit - standard k8s labels)
  - require-run-as-non-root (Audit)
  - disallow-latest-tag (Enforce - GitOps reproducibility)
- Mutating policy:
  - add-default-securitycontext (seccomp, drop caps, read-only fs)
- System namespaces excluded (kube-system, kyverno, istio-system)
- Auto-discovered by ArgoCD ApplicationSet

Reference: CIS Kubernetes Benchmark, Pod Security Standards
This commit is contained in:
Greg Hendrickson
2026-02-09 18:02:21 +00:00
parent 124a29a0a9
commit 3752fd0386
10 changed files with 445 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
README.md
View File

@@ -34,6 +34,7 @@ See [docs/BOOTSTRAP.md](docs/BOOTSTRAP.md) for full setup guide.
│ └── dev/
├── infrastructure/ # Cluster infrastructure
│ ├── cert-manager/ # ✅ TLS with Let's Encrypt
│ ├── kyverno/ # ✅ Policy engine (security + best practices)
│ ├── networking/ # Istio gateway, NetworkPolicies
│ ├── storage/ # NFS StorageClass
│ └── monitoring/ # Prometheus, Grafana, Loki
@@ -69,6 +70,27 @@ Uses **ArgoCD ApplicationSets** with Git Directory Generator:
- 🏠 Home Assistant
- 📊 Homepage, Uptime Kuma
## Policy Engine (Kyverno)
Kyverno enforces security and best practices across the cluster. Policies include:
| Policy | Mode | Description |
|--------|------|-------------|
| `disallow-privileged` | Enforce | Blocks privileged containers |
| `require-resource-limits` | Enforce | Requires CPU/memory limits |
| `require-labels` | Audit | Standard labeling for workloads |
| `require-non-root` | Audit | Non-root container requirement |
| `disallow-latest-tag` | Enforce | Requires explicit image tags |
| `add-default-securitycontext` | Mutate | Adds secure defaults automatically |
Policies in **Audit** mode generate reports without blocking. Promote to **Enforce** after validating existing workloads.
```bash
# Check policy reports
kubectl get policyreports -A
kubectl get clusterpolicyreports
```
## Secrets Management
Encrypted with **SOPS + age**. Configuration in `.sops.yaml`.