diff --git a/apps/bytestash.yaml b/apps_bak/bytestash.yaml
similarity index 100%
rename from apps/bytestash.yaml
rename to apps_bak/bytestash.yaml
diff --git a/apps/cert-issuer.yaml b/apps_bak/cert-issuer.yaml
similarity index 100%
rename from apps/cert-issuer.yaml
rename to apps_bak/cert-issuer.yaml
diff --git a/apps/cert-manager.yaml b/apps_bak/cert-manager.yaml
similarity index 100%
rename from apps/cert-manager.yaml
rename to apps_bak/cert-manager.yaml
diff --git a/apps/focalboard.yaml b/apps_bak/focalboard.yaml
similarity index 100%
rename from apps/focalboard.yaml
rename to apps_bak/focalboard.yaml
diff --git a/apps/harbor-config.yaml b/apps_bak/harbor-config.yaml
similarity index 100%
rename from apps/harbor-config.yaml
rename to apps_bak/harbor-config.yaml
diff --git a/apps/harbor.yaml b/apps_bak/harbor.yaml
similarity index 100%
rename from apps/harbor.yaml
rename to apps_bak/harbor.yaml
diff --git a/apps/hedgedoc.yaml b/apps_bak/hedgedoc.yaml
similarity index 100%
rename from apps/hedgedoc.yaml
rename to apps_bak/hedgedoc.yaml
diff --git a/apps/karakeep.yaml b/apps_bak/karakeep.yaml
similarity index 100%
rename from apps/karakeep.yaml
rename to apps_bak/karakeep.yaml
diff --git a/apps/kube-prometheus-stack-config.yaml b/apps_bak/kube-prometheus-stack-config.yaml
similarity index 100%
rename from apps/kube-prometheus-stack-config.yaml
rename to apps_bak/kube-prometheus-stack-config.yaml
diff --git a/apps/kube-prometheus-stack.yaml b/apps_bak/kube-prometheus-stack.yaml
similarity index 100%
rename from apps/kube-prometheus-stack.yaml
rename to apps_bak/kube-prometheus-stack.yaml
diff --git a/apps/minio-config.yaml b/apps_bak/minio-config.yaml
similarity index 100%
rename from apps/minio-config.yaml
rename to apps_bak/minio-config.yaml
diff --git a/apps/minio.yaml b/apps_bak/minio.yaml
similarity index 100%
rename from apps/minio.yaml
rename to apps_bak/minio.yaml
diff --git a/apps/nfs-subdir.yaml b/apps_bak/nfs-subdir.yaml
similarity index 100%
rename from apps/nfs-subdir.yaml
rename to apps_bak/nfs-subdir.yaml
diff --git a/apps/sealed-secrets.yaml b/apps_bak/sealed-secrets.yaml
similarity index 100%
rename from apps/sealed-secrets.yaml
rename to apps_bak/sealed-secrets.yaml
diff --git a/apps/security.yaml b/apps_bak/security.yaml
similarity index 100%
rename from apps/security.yaml
rename to apps_bak/security.yaml
diff --git a/apps/stirling-pdf.yaml b/apps_bak/stirling-pdf.yaml
similarity index 100%
rename from apps/stirling-pdf.yaml
rename to apps_bak/stirling-pdf.yaml
diff --git a/apps/woodpecker-manifests.yaml b/apps_bak/woodpecker-manifests.yaml
similarity index 100%
rename from apps/woodpecker-manifests.yaml
rename to apps_bak/woodpecker-manifests.yaml
diff --git a/apps/woodpecker.yaml b/apps_bak/woodpecker.yaml
similarity index 100%
rename from apps/woodpecker.yaml
rename to apps_bak/woodpecker.yaml
diff --git a/apps/yopass.yaml b/apps_bak/yopass.yaml
similarity index 100%
rename from apps/yopass.yaml
rename to apps_bak/yopass.yaml
diff --git a/platform/infra-root.yaml b/bootstrap/root-app-of-apps.yaml
similarity index 69%
rename from platform/infra-root.yaml
rename to bootstrap/root-app-of-apps.yaml
index 9867ee0..a3431d4 100644
--- a/platform/infra-root.yaml
+++ b/bootstrap/root-app-of-apps.yaml
@@ -1,16 +1,14 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: infra-root + name: root-app-of-apps namespace: argocd spec: project: default source: - repoURL: https://github.com/gwg313/homelab-gitops + repoURL: https://github.com/gwg313/homelab-gitops.git targetRevision: main - path: infra - directory: - recurse: true + path: management/platform-apps destination: server: https://kubernetes.default.svc namespace: argocd
diff --git a/management/platform-apps/kustomization.yaml b/management/platform-apps/kustomization.yaml
new file mode 100644
index 0000000..1f675a3
--- /dev/null
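Review bot: The hunk shows no `syncPolicy` on the root Application, so if the file ends at `namespace: argocd` the child Applications under `management/platform-apps` are only created on a manual sync and nothing prunes Application objects that were generated from the old recursive `infra` path. That matters in this commit because the Application manifests under `apps/` are parked in `apps_bak/` and the `platform/default-network-policies` files are deleted, while nothing visible in the diff references `apps_bak/`; if those Application objects still exist in the cluster they keep reconciling their targets with no source of truth in the repository. Add `syncPolicy: {automated: {prune: true, selfHeal: true}}` if automatic pruning is wanted, or record the manual-sync intent in a header comment such as `# Root app: manual sync only; apps_bak/ is intentionally not referenced`.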
+++ b/management/platform-apps/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - kyverno-core.yaml
+ - kyverno-policies.yaml
+ - tetragon-core.yaml
+ - tetragon-policies.yaml
+
diff --git a/management/platform-apps/kyverno-core.yaml b/management/platform-apps/kyverno-core.yaml
new file mode 100644
index 0000000..db565c9
--- /dev/null
+++ b/management/platform-apps/kyverno-core.yaml
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kyverno-core
+ namespace: argocd
+ annotations:
+ argoproj.io/sync-wave: "-10"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops.git
+ targetRevision: main
+ path: platform/kyverno/core
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: kyverno
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ - RespectIgnoreDifferences=true
+
+ ignoreDifferences:
+ - group: apiextensions.k8s.io
+ kind: CustomResourceDefinition
+ jsonPointers:
+ - /metadata/labels
+ - /metadata/annotations
diff --git a/management/platform-apps/kyverno-policies.yaml b/management/platform-apps/kyverno-policies.yaml
new file mode 100644
index 0000000..ea889cc
--- /dev/null
+++ b/management/platform-apps/kyverno-policies.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kyverno-policies
+ namespace: argocd
+ annotations:
+ argoproj.io/sync-wave: "-5"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops.git
+ targetRevision: main
+ path: platform/kyverno/policies
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: kyverno
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=false
+ - ServerSideApply=true
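Review bot: All four new Applications (`kyverno-core` here, plus `kyverno-policies`, `tetragon-core` and `tetragon-policies`) use `project: default`, which in Argo CD permits any source repository, any destination cluster/namespace and every resource kind; combined with `automated.prune`/`selfHeal` and a branch-tracking `targetRevision: main`, a push to `main` is enough to reconcile arbitrary cluster-scoped resources through these apps. Define a dedicated AppProject that pins `sourceRepos` to this repository and `destinations` to the `kyverno` and `kube-system` namespaces (with a cluster-resource allow-list covering the CRDs and ClusterRoles these charts install), and reference it from all four Applications with `project: platform` or similar. A one-line comment above `ignoreDifferences` naming which controller rewrites the CRD labels/annotations would also help, since the same stanza appears in `tetragon-core` with an additional `namespace: ""` and a reader cannot tell why the two differ.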
diff --git a/management/platform-apps/tetragon-core.yaml b/management/platform-apps/tetragon-core.yaml
new file mode 100644
index 0000000..38d0595
--- /dev/null
+++ b/management/platform-apps/tetragon-core.yaml
@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: tetragon-core
+ namespace: argocd
+ annotations:
+ argoproj.io/sync-wave: "-10"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops.git
+ targetRevision: main
+ path: platform/tetragon/core
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: kube-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=false
+ - ServerSideApply=true
+ - RespectIgnoreDifferences=true
+
+ ignoreDifferences:
+ - group: apiextensions.k8s.io
+ kind: CustomResourceDefinition
+ namespace: ""
+ jsonPointers:
+ - /metadata/labels
+ - /metadata/annotations
diff --git a/management/platform-apps/tetragon-policies.yaml b/management/platform-apps/tetragon-policies.yaml
new file mode 100644
index 0000000..075147f
--- /dev/null
+++ b/management/platform-apps/tetragon-policies.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: tetragon-policies
+ namespace: argocd
+ annotations:
+ argoproj.io/sync-wave: "-5"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops.git
+ targetRevision: main
+ path: platform/tetragon/policies
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: kube-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=false
+ - ServerSideApply=true
diff --git a/platform/default-network-policies/kube-system-baseline.yaml b/platform/default-network-policies/kube-system-baseline.yaml
deleted file mode 100644
index 1654862..0000000
--- a/platform/default-network-policies/kube-system-baseline.yaml
+++ /dev/null
@@ -1,28 +0,0 @@ -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: kube-system-baseline - namespace: kube-system -spec: - endpointSelector: {} - - ingress: - - fromEntities: - - cluster - - host - - remote-node - - egress: - - toEntities: - - kube-apiserver - - cluster - - - toEndpoints: - - matchLabels: - k8s:k8s-app: kube-dns - toPorts: - - ports: - - port: "53" - protocol: UDP - - port: "53" - protocol: TCP
diff --git a/platform/default-network-policies/kube-system-hardening.yaml b/platform/default-network-policies/kube-system-hardening.yaml
deleted file mode 100644
index 5d3eb34..0000000
--- a/platform/default-network-policies/kube-system-hardening.yaml
+++ /dev/null
@@ -1,40 +0,0 @@ -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: kube-system-hardening - namespace: kube-system -spec: - endpointSelector: {} - - ingress: - # Allow cluster-internal communication (required for DNS, CNI, etc.) - - fromEntities: - - cluster - - host - - remote-node - - # Allow kube-apiserver to talk to system components - - fromEntities: - - kube-apiserver - - egress: - # Core dependency: Kubernetes API - - toEntities: - - kube-apiserver - - # CoreDNS access - - toEndpoints: - - matchLabels: - k8s:k8s-app: kube-dns - toPorts: - - ports: - - port: "53" - protocol: UDP - - port: "53" - protocol: TCP - - # Allow internal cluster communication (important for CNI + service mesh) - - toEntities: - - cluster - - host - - remote-node
diff --git a/platform/default-network-policies/kube-system-restrict-external-egress.yaml b/platform/default-network-policies/kube-system-restrict-external-egress.yaml
deleted file mode 100644
index 36827f8..0000000
--- a/platform/default-network-policies/kube-system-restrict-external-egress.yaml
+++ /dev/null
@@ -1,30 +0,0 @@ -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: kube-system-restrict-external-egress - namespace: kube-system -spec: - endpointSelector: {} - - egress: - # Allow Kubernetes API - - toEntities: - - kube-apiserver - - # Allow internal cluster communication - - toEntities: - - cluster - - host - - remote-node - - # Allow DNS - - toEndpoints: - - matchLabels: - k8s:k8s-app: kube-dns - toPorts: - - ports: - - port: "53" - protocol: UDP - - port: "53" - protocol: TCP -
diff --git a/platform/kyverno/core/Chart.yaml b/platform/kyverno/core/Chart.yaml
new file mode 100644
index 0000000..f04332f
--- /dev/null
+++ b/platform/kyverno/core/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: kyverno-core
+description: Kyverno Helm
+type: application
+version: 1.0.0
+appVersion: 1.0.0
+dependencies:
+ - name: kyverno
+ repository: https://kyverno.github.io/kyverno
+ version: 3.8.0
diff --git a/platform/kyverno/core/values.yaml b/platform/kyverno/core/values.yaml
new file mode 100644
index 0000000..5b568b3
--- /dev/null
+++ b/platform/kyverno/core/values.yaml
@@ -0,0 +1,7 @@
+kyverno:
+ admissionController:
+ replicas: 2
+ features:
+ loggingFormat: text
+ telemetry:
+ enabled: false
diff --git a/platform/kyverno/policies/cleanup-rbac.yaml b/platform/kyverno/policies/cleanup-rbac.yaml
new file mode 100644
index 0000000..4b77d0b
--- /dev/null
+++ b/platform/kyverno/policies/cleanup-rbac.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:cleanup-pods
+ labels:
+ rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch", "delete"]
diff --git a/platform/kyverno/policies/kustomization.yaml b/platform/kyverno/policies/kustomization.yaml
new file mode 100644
index 0000000..b8df21c
--- /dev/null
+++ b/platform/kyverno/policies/kustomization.yaml
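Review bot: Helm silently ignores value keys the chart does not read, so `admissionController.features.loggingFormat` and `admissionController.telemetry.enabled` have no effect if they are not part of the kyverno 3.8.0 chart's values; as I recall that chart documents log settings under a top-level `features.logging.format`, so check both keys against the chart's own values.yaml before relying on them. If the admission logs are meant to feed a log pipeline or SIEM, a structured (JSON) format is also easier to parse than `text`. A comment above `replicas: 2` stating why two admission-controller replicas are wanted (availability of the webhook during node drains, presumably) would make the intent clear.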
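Review bot: This aggregated ClusterRole gives the Kyverno cleanup controller `delete` on every Pod in every namespace, a broad standing permission whose only consumer in this diff is the `purge-terminal-pods` ClusterCleanupPolicy, and nothing in the file records that dependency. Add a comment above `rules:` tying the grant to its consumer, e.g. `# Required by ClusterCleanupPolicy purge-terminal-pods (deletes terminal Pods cluster-wide); remove together with it`, so the role is not left behind when the policy is changed or dropped.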
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - purge-terminal-pods.yaml
+ - cleanup-rbac.yaml
diff --git a/platform/kyverno/policies/purge-terminal-pods.yaml b/platform/kyverno/policies/purge-terminal-pods.yaml
new file mode 100644
index 0000000..d974772
--- /dev/null
+++ b/platform/kyverno/policies/purge-terminal-pods.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+ name: purge-terminal-pods
+spec:
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ schedule: "*/15 * * * *"
+ conditions:
+ all:
+ - key: "{{ request.object.status.phase }}"
+ operator: AnyIn
+ value:
+ - Succeeded
+ - Failed
+ - key: "{{ request.object.metadata.creationTimestamp }}"
+ operator: DurationGreaterThan
+ value: 30m
diff --git a/platform/tetragon/core/Chart.yaml b/platform/tetragon/core/Chart.yaml
new file mode 100644
index 0000000..664fd0a
--- /dev/null
+++ b/platform/tetragon/core/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: tetragon
+description: Setup Tetrgon
+type: application
+version: 1.0.0
+appVersion: 1.0.0
+dependencies:
+ - name: tetragon
+ repository: https://helm.cilium.io
+ version: 1.7.0
diff --git a/platform/tetragon/core/values.yaml b/platform/tetragon/core/values.yaml
new file mode 100644
index 0000000..eca2a8e
--- /dev/null
+++ b/platform/tetragon/core/values.yaml
@@ -0,0 +1,13 @@
+tetragon:
+ enabled: true
+
+ export:
+ enabled: true
+
+ # --- TALOS OS KERNEL MOUNT TUNING ---
+ btf: /sys/kernel/btf/vmlinux
+
+ bpf:
+ mountPath: /sys/fs/bpf
+ hostNetwork: true
+ hostPID: true
diff --git a/platform/tetragon/policies/example.yaml b/platform/tetragon/policies/example.yaml
new file mode 100644
index 0000000..11b47b3
--- /dev/null
+++ b/platform/tetragon/policies/example.yaml
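Review bot: The age condition keys on `creationTimestamp`, so a pod that ran for hours and failed a minute ago is deleted on the next 15-minute tick, taking its `kubectl logs --previous` and `describe` evidence with it, while a pod that failed 29 minutes after creation survives until it ages past 30m; the policy measures pod age, not time since termination. It also matches every namespace, including `kube-system` (where the Tetragon Application deploys) and `argocd`, so crash evidence for system components is gone before anyone on call can look at it. Narrow the policy with an `exclude` for system namespaces and keep the purge only where pod logs are shipped elsewhere. Kyverno's cleanup-policy examples also reference the matched resource as `{{ target.* }}` rather than `{{ request.object.* }}` and use `kyverno.io/v2` for `ClusterCleanupPolicy`, so confirm both resolve under the 3.8.0 chart, otherwise the conditions may never match and nothing is cleaned up.
```yaml
spec:
  # … unchanged: match (all Pods) …
  exclude:
    any:
      - resources:
          namespaces:
            - kube-system
            - argocd
  # … unchanged: schedule, conditions …
```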
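Review bot: `description: Setup Tetrgon` misspells the product name; use `description: Tetragon runtime security (wrapper chart pinning the upstream dependency)` or similar. The equivalent line in `platform/kyverno/core/Chart.yaml` reads `Kyverno Helm`, which names the tool but not what the wrapper chart is for; a one-line purpose on both makes the Argo CD and `helm` listings self-explanatory.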
@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: "fd-install"
+spec:
+ kprobes:
+ - call: "fd_install"
+ syscall: false
+ args:
+ - index: 0
+ type: "int"
+ - index: 1
+ type: "file"
+ selectors:
+ - matchArgs:
+ - index: 1
+ operator: "Equal"
+ values:
+ - "/tmp/tetragon"
+ matchActions:
+ - action: Sigkill
diff --git a/platform/tetragon/policies/kustomization.yaml b/platform/tetragon/policies/kustomization.yaml
new file mode 100644
index 0000000..95c85d3
--- /dev/null
+++ b/platform/tetragon/policies/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - example.yaml
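Review bot: `example.yaml` is an enforcing policy, not an observation one: `matchActions: Sigkill` kills any process on any node that opens `/tmp/tetragon`, and with no `podSelector` or namespace scoping it applies to host processes as well as every workload; it looks like the Tetragon getting-started demo being shipped through an auto-pruning, self-healing Application. If the goal is only to verify that the policy pipeline works, drop the `matchActions` block so the policy emits events without killing anything, or at minimum add a header comment such as `# Demo TracingPolicy from the Tetragon docs: kills any process opening /tmp/tetragon; replace before relying on it` and name the file so it is obviously a placeholder. The `kustomization.yaml` in the same directory lists only this file, so the `tetragon-policies` Application currently deploys nothing but the demo.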