update

Signed-off-by: gwg313 <gwg313@pm.me>

bootstrap/root-app-of-apps.yaml

@@ -1,16 +1,14 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: infra-root
+  name: root-app-of-apps
   namespace: argocd
 spec:
   project: default
   source:
-    repoURL: https://github.com/gwg313/homelab-gitops
+    repoURL: https://github.com/gwg313/homelab-gitops.git
     targetRevision: main
-    path: infra
-    directory:
-      recurse: true
+    path: management/platform-apps
   destination:
     server: https://kubernetes.default.svc
     namespace: argocd

management/platform-apps/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - kyverno-core.yaml
+  - kyverno-policies.yaml
+  - tetragon-core.yaml
+  - tetragon-policies.yaml
+

management/platform-apps/kyverno-core.yaml

@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kyverno-core
+  namespace: argocd
+  annotations:
+    argoproj.io/sync-wave: "-10"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops.git
+    targetRevision: main
+    path: platform/kyverno/core
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kyverno
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+      - RespectIgnoreDifferences=true
+  
+  ignoreDifferences:
+    - group: apiextensions.k8s.io
+      kind: CustomResourceDefinition
+      jsonPointers:
+        - /metadata/labels
+        - /metadata/annotations

management/platform-apps/kyverno-policies.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kyverno-policies
+  namespace: argocd
+  annotations:
+    argoproj.io/sync-wave: "-5"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops.git
+    targetRevision: main
+    path: platform/kyverno/policies
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kyverno
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ServerSideApply=true

management/platform-apps/tetragon-core.yaml

@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tetragon-core
+  namespace: argocd
+  annotations:
+    argoproj.io/sync-wave: "-10"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops.git
+    targetRevision: main
+    path: platform/tetragon/core
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ServerSideApply=true
+      - RespectIgnoreDifferences=true
+
+  ignoreDifferences:
+    - group: apiextensions.k8s.io
+      kind: CustomResourceDefinition
+      namespace: ""
+      jsonPointers:
+        - /metadata/labels
+        - /metadata/annotations

management/platform-apps/tetragon-policies.yaml

@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tetragon-policies
+  namespace: argocd
+  annotations:
+    argoproj.io/sync-wave: "-5"
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops.git
+    targetRevision: main
+    path: platform/tetragon/policies
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=false
+      - ServerSideApply=true

platform/default-network-policies/kube-system-baseline.yaml

@@ -1,28 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: kube-system-baseline
-  namespace: kube-system
-spec:
-  endpointSelector: {}
-
-  ingress:
-    - fromEntities:
-        - cluster
-        - host
-        - remote-node
-
-  egress:
-    - toEntities:
-        - kube-apiserver
-        - cluster
-
-    - toEndpoints:
-        - matchLabels:
-            k8s:k8s-app: kube-dns
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: UDP
-            - port: "53"
-              protocol: TCP

platform/default-network-policies/kube-system-hardening.yaml

@@ -1,40 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: kube-system-hardening
-  namespace: kube-system
-spec:
-  endpointSelector: {}
-
-  ingress:
-    # Allow cluster-internal communication (required for DNS, CNI, etc.)
-    - fromEntities:
-        - cluster
-        - host
-        - remote-node
-
-    # Allow kube-apiserver to talk to system components
-    - fromEntities:
-        - kube-apiserver
-
-  egress:
-    # Core dependency: Kubernetes API
-    - toEntities:
-        - kube-apiserver
-
-    # CoreDNS access
-    - toEndpoints:
-        - matchLabels:
-            k8s:k8s-app: kube-dns
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: UDP
-            - port: "53"
-              protocol: TCP
-
-    # Allow internal cluster communication (important for CNI + service mesh)
-    - toEntities:
-        - cluster
-        - host
-        - remote-node

platform/default-network-policies/kube-system-restrict-external-egress.yaml

@@ -1,30 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: kube-system-restrict-external-egress
-  namespace: kube-system
-spec:
-  endpointSelector: {}
-
-  egress:
-    # Allow Kubernetes API
-    - toEntities:
-        - kube-apiserver
-
-    # Allow internal cluster communication
-    - toEntities:
-        - cluster
-        - host
-        - remote-node
-
-    # Allow DNS
-    - toEndpoints:
-        - matchLabels:
-            k8s:k8s-app: kube-dns
-      toPorts:
-        - ports:
-            - port: "53"
-              protocol: UDP
-            - port: "53"
-              protocol: TCP
-

platform/kyverno/core/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+name: kyverno-core
+description: Kyverno Helm
+type: application
+version: 1.0.0
+appVersion: 1.0.0
+dependencies:
+  - name: kyverno
+    repository: https://kyverno.github.io/kyverno
+    version: 3.8.0

platform/kyverno/core/values.yaml

@@ -0,0 +1,7 @@
+kyverno:
+  admissionController:
+    replicas: 2
+    features:
+      loggingFormat: text
+    telemetry:
+      enabled: false

platform/kyverno/policies/cleanup-rbac.yaml

@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:cleanup-pods
+  labels:
+    rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch", "delete"]

platform/kyverno/policies/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - purge-terminal-pods.yaml
+  - cleanup-rbac.yaml

platform/kyverno/policies/purge-terminal-pods.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+  name: purge-terminal-pods
+spec:
+  match:
+    any:
+      - resources:
+          kinds:
+            - Pod
+  schedule: "*/15 * * * *"
+  conditions:
+    all:
+      - key: "{{ request.object.status.phase }}"
+        operator: AnyIn
+        value:
+          - Succeeded
+          - Failed
+      - key: "{{ request.object.metadata.creationTimestamp }}"
+        operator: DurationGreaterThan
+        value: 30m

platform/tetragon/core/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+name: tetragon
+description: Setup Tetrgon
+type: application
+version: 1.0.0
+appVersion: 1.0.0
+dependencies:
+  - name: tetragon
+    repository: https://helm.cilium.io
+    version: 1.7.0

platform/tetragon/core/values.yaml

@@ -0,0 +1,13 @@
+tetragon:
+  enabled: true
+  
+  export:
+    enabled: true
+
+  # --- TALOS OS KERNEL MOUNT TUNING ---
+  btf: /sys/kernel/btf/vmlinux
+
+  bpf:
+    mountPath: /sys/fs/bpf
+  hostNetwork: true
+  hostPID: true

platform/tetragon/policies/example.yaml

@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "fd-install"
+spec:
+  kprobes:
+  - call: "fd_install"
+    syscall: false
+    args:
+    - index: 0
+      type: "int"
+    - index: 1
+      type: "file"
+    selectors:
+    - matchArgs:
+      - index: 1
+        operator: "Equal"
+        values:
+        - "/tmp/tetragon"
+      matchActions:
+      - action: Sigkill

platform/tetragon/policies/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - example.yaml