homelab-gitops/README.md
Greg Hendrickson 3752fd0386 feat(kyverno): add policy engine with security baseline
- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas)
- Validation policies:
  - disallow-privileged-containers (Enforce)
  - require-resource-limits (Enforce)
  - require-labels (Audit - standard k8s labels)
  - require-run-as-non-root (Audit)
  - disallow-latest-tag (Enforce - GitOps reproducibility)
- Mutating policy:
  - add-default-securitycontext (seccomp, drop caps, read-only fs)
- System namespaces excluded (kube-system, kyverno, istio-system)
- Auto-discovered by ArgoCD ApplicationSet

Reference: CIS Kubernetes Benchmark, Pod Security Standards
2026-02-09 18:02:21 +00:00


Homelab GitOps


GitOps repository for homelab Kubernetes infrastructure. Everything as code, auto-synced by ArgoCD.

Quick Start

# Bootstrap cluster (after ArgoCD installed)
kubectl apply -k clusters/defiant/

See docs/BOOTSTRAP.md for full setup guide.

Infrastructure

| System  | Role             | Stack                                |
|---------|------------------|--------------------------------------|
| defiant | k3s cluster      | AMD Ryzen 9 7940HS, Istio, Knative   |
| truenas | Storage + Docker | 50TB RAIDZ2, Plex, *arr stack        |
| dell01  | Gateway          | Clawdbot AI                          |

Structure

├── apps/                    # Application deployments
│   ├── base/               # Base manifests (Kustomize)
│   └── overlays/           # Environment overrides
│       ├── prod/           # → Auto-discovered by ApplicationSet
│       └── dev/
├── infrastructure/          # Cluster infrastructure
│   ├── cert-manager/       # ✅ TLS with Let's Encrypt
│   ├── kyverno/            # ✅ Policy engine (security + best practices)
│   ├── networking/         # Istio gateway, NetworkPolicies
│   ├── storage/            # NFS StorageClass
│   └── monitoring/         # Prometheus, Grafana, Loki
├── clusters/
│   └── defiant/            # Cluster bootstrap
│       ├── kustomization.yaml
│       ├── root-applicationset.yaml  # Git Directory Generator
│       └── projects.yaml   # ArgoCD AppProjects
└── docs/
    └── BOOTSTRAP.md        # Setup guide

GitOps Pattern

Uses ArgoCD ApplicationSets with Git Directory Generator:

  • infrastructure/* → Auto-creates ArgoCD Applications
  • apps/overlays/prod/* → Auto-creates prod Applications
  • Add a directory, push, ArgoCD syncs automatically
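The generator described above, written out as an added example (this is not the repo's own root-applicationset.yaml or projects.yaml): an ApplicationSet whose Git directory generator turns every directory under infrastructure/ into an Application, paired with the AppProject that bounds what those Applications may touch. The repository URL, the project name and the in-cluster API address are placeholders.

```yaml
# Added example, not from the repository. Placeholders: repo URL,
# project name, cluster address.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: infrastructure
  namespace: argocd
spec:
  description: Cluster infrastructure, sourced from this repo only
  sourceRepos:
  - https://git.example.invalid/homelab-gitops.git   # placeholder
  destinations:
  - server: https://kubernetes.default.svc
    namespace: '*'
  # cert-manager, Kyverno and Istio install CRDs and other cluster-scoped
  # objects, so this project must allow them. A project for apps/ should
  # leave clusterResourceWhitelist empty (deny all cluster-scoped kinds)
  # and pin destinations.namespace to the application namespaces.
  clusterResourceWhitelist:
  - group: '*'
    kind: '*'
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: infrastructure
  namespace: argocd
spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]   # fail loudly on a typo in the template
  generators:
  - git:
      repoURL: https://git.example.invalid/homelab-gitops.git   # placeholder
      revision: main
      directories:
      - path: infrastructure/*      # one Application per directory
  template:
    metadata:
      name: '{{ .path.basename }}'  # e.g. cert-manager, kyverno
    spec:
      project: infrastructure
      source:
        repoURL: https://git.example.invalid/homelab-gitops.git
        targetRevision: main
        path: '{{ .path.path }}'    # infrastructure/<dir>
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{ .path.basename }}'
      syncPolicy:
        automated:
          prune: true     # deleting the directory deletes its resources
          selfHeal: true  # manual drift in the cluster is reverted to Git
        syncOptions:
        - CreateNamespace=true
```

Because anything pushed under infrastructure/ becomes an automatically synced Application, write access to the main branch is effectively cluster-admin for this project; the AppProject is the only boundary ArgoCD enforces here, so keep the project that backs apps/overlays/prod/* narrower than this one.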

Defiant (k3s) Workloads

  • 🏥 MediSynth - FHIR healthcare platform
  • 🔧 Istio - Service mesh
  • Knative - Serverless
  • 📜 Cert-Manager - TLS certificates
  • 🗄️ CNPG - Cloud Native PostgreSQL

TrueNAS (Docker - not in this repo)

  • 📺 Plex, Sonarr, Radarr, Prowlarr
  • 📷 Immich
  • 🏠 Home Assistant
  • 📊 Homepage, Uptime Kuma

Policy Engine (Kyverno)

Kyverno enforces security and best practices across the cluster. Policies include:

| Policy                      | Mode    | Description                          |
|-----------------------------|---------|--------------------------------------|
| disallow-privileged         | Enforce | Blocks privileged containers         |
| require-resource-limits     | Enforce | Requires CPU/memory limits           |
| require-labels              | Audit   | Standard labeling for workloads      |
| require-non-root            | Audit   | Non-root container requirement       |
| disallow-latest-tag         | Enforce | Requires explicit image tags         |
| add-default-securitycontext | Mutate  | Adds secure defaults automatically   |

Policies in Audit mode record violations in PolicyReports without blocking admission; Enforce rejects the non-compliant request outright. System namespaces (kube-system, kyverno, istio-system) are excluded from all policies. Promote a policy to Enforce only once its report shows no failures for existing workloads, otherwise their next rollout or ArgoCD sync is rejected.

# Check policy reports
kubectl get policyreports -A
kubectl get clusterpolicyreports
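Two of the policies in the table, written out as an added example rather than copied from infrastructure/kyverno/: disallow-latest-tag as an Enforce validation and add-default-securitycontext as a mutation, both skipping the system namespaces the commit message lists. Rule names, messages and the exact set of defaulted fields are my choices, not the repo's.

```yaml
# Added example, not the repo's own manifests.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce   # Audit would only record a PolicyReport entry
  background: true                   # also scan resources that already exist
  rules:
  - name: require-image-tag
    match:
      any:
      - resources:
          kinds: [Pod]               # Kyverno autogenerates the same rule for Deployments etc.
    exclude:
      any:
      - resources:
          namespaces: [kube-system, kyverno, istio-system]
    validate:
      message: "An explicit image tag (or digest) is required."
      pattern:
        spec:
          containers:
          - image: "*:*"             # bare 'nginx' fails; 'nginx:1.27' and 'nginx@sha256:...' pass
  - name: disallow-mutable-tag
    match:
      any:
      - resources:
          kinds: [Pod]
    exclude:
      any:
      - resources:
          namespaces: [kube-system, kyverno, istio-system]
    validate:
      message: "The mutable tag 'latest' is not allowed; pin a version or a digest."
      pattern:
        spec:
          containers:
          - image: "!*:latest"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-securitycontext
spec:
  rules:
  - name: set-container-security-context
    match:
      any:
      - resources:
          kinds: [Pod]
    exclude:
      any:
      - resources:
          namespaces: [kube-system, kyverno, istio-system]
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          # "(name): *" is a conditional anchor: patch every container.
          # "+(field)" adds the field only when the manifest left it unset,
          # so a workload that deliberately sets a value keeps its own.
          - (name): "*"
            securityContext:
              +(allowPrivilegeEscalation): false
              +(readOnlyRootFilesystem): true
              +(seccompProfile):
                type: RuntimeDefault
              +(capabilities):
                drop: [ALL]
```

Two things to check before relying on these. The `*:*` pattern only proves a colon is present, and a registry with a port (`registry.local:5000/app`) also contains one, so a digest reference is the stronger pin. Mutation runs at admission only: pods already running keep their original securityContext until they are recreated, and any container that writes outside a mounted volume will start failing once readOnlyRootFilesystem lands, so give those an emptyDir mount first.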

Secrets Management

Secrets are committed encrypted with SOPS using age recipients; the recipient keys and which files and fields get encrypted are defined in .sops.yaml. Plaintext secrets are never committed, not even on a branch.

# Encrypt a secret
sops -e -i infrastructure/cert-manager/secret.yaml

# Decrypt for editing
sops infrastructure/cert-manager/secret.yaml
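An added example of the .sops.yaml that makes the two commands above do the right thing (this is not the repo's own file; the recipient key is a placeholder for the public key printed by `age-keygen`):

```yaml
# Added example .sops.yaml, not the repository's. Replace the recipient
# placeholder with a real age public key.
creation_rules:
  # Kubernetes Secret manifests under infrastructure/ and apps/:
  # encrypt only the data/stringData values so apiVersion, kind and
  # metadata stay in plaintext and remain readable in Git history,
  # code review and ArgoCD diffs. Without encrypted_regex, sops
  # encrypts every value in the file, including kind and metadata.name.
  - path_regex: ^(infrastructure|apps)/.*secret.*\.ya?ml$
    encrypted_regex: ^(data|stringData)$
    # Several recipients are comma-separated. List one key per operator
    # plus an offline backup key, so losing a laptop does not lose
    # the cluster's secrets.
    age: "age1<recipient-public-key>"
```

With this in place, `sops -e -i` on a matching file encrypts only the secret values, `sops file` decrypts into an editor and re-encrypts on save, and a file that matches no rule cannot be encrypted without naming keys explicitly on the command line, which stops a stray secret from being encrypted to the wrong recipients. When a recipient is added or removed, `sops updatekeys` re-wraps the data key of an existing file without touching its contents.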

License

MIT