homelab-gitops

ghndrx/homelab-gitops

Fork 0

mirror of https://github.com/ghndrx/homelab-gitops.git synced 2026-02-10 06:44:57 +00:00

Commit Graph

Author	SHA1	Message	Date
Greg Hendrickson	3752fd0386	feat(kyverno): add policy engine with security baseline - Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas) - Validation policies: - disallow-privileged-containers (Enforce) - require-resource-limits (Enforce) - require-labels (Audit - standard k8s labels) - require-run-as-non-root (Audit) - disallow-latest-tag (Enforce - GitOps reproducibility) - Mutating policy: - add-default-securitycontext (seccomp, drop caps, read-only fs) - System namespaces excluded (kube-system, kyverno, istio-system) - Auto-discovered by ArgoCD ApplicationSet Reference: CIS Kubernetes Benchmark, Pod Security Standards	2026-02-09 18:02:21 +00:00

Author

SHA1

Message

Date

Greg Hendrickson

3752fd0386

feat(kyverno): add policy engine with security baseline

- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas)
- Validation policies:
  - disallow-privileged-containers (Enforce)
  - require-resource-limits (Enforce)
  - require-labels (Audit - standard k8s labels)
  - require-run-as-non-root (Audit)
  - disallow-latest-tag (Enforce - GitOps reproducibility)
- Mutating policy:
  - add-default-securitycontext (seccomp, drop caps, read-only fs)
- System namespaces excluded (kube-system, kyverno, istio-system)
- Auto-discovered by ArgoCD ApplicationSet

Reference: CIS Kubernetes Benchmark, Pod Security Standards

2026-02-09 18:02:21 +00:00

1 Commits