diff --git a/management/platform-apps/kustomization.yaml b/management/platform-apps/kustomization.yaml
index 4873dcc..8ba1126 100644
--- a/management/platform-apps/kustomization.yaml
+++ b/management/platform-apps/kustomization.yaml
@@ -6,5 +6,6 @@ resources:
   - kyverno-policies.yaml
   - tetragon-core.yaml
   - tetragon-policies.yaml
+  - sealed-secrets.yaml
   - forgejo.yaml
   - navidrome.yaml
diff --git a/management/platform-apps/sealed-secrets.yaml b/management/platform-apps/sealed-secrets.yaml
new file mode 100644
index 0000000..4b24f7d
--- /dev/null
+++ b/management/platform-apps/sealed-secrets.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sealed-secrets
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    path: platform/sealed-secrets
+    repoURL: 'https://github.com/gwg313/homelab-gitops.git'
+    targetRevision: main
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: sealed-secrets
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
diff --git a/platform/kyverno/policies/disallow-latest-tag.yaml b/platform/kyverno/policies/disallow-latest-tag.yaml
new file mode 100644
index 0000000..5af0d94
--- /dev/null
+++ b/platform/kyverno/policies/disallow-latest-tag.yaml
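Review bot: `project: default` on the new Application binds it to Argo CD's built-in default AppProject, which allows any source repo, any destination cluster and namespace, and every resource kind including cluster-scoped ones, so neither a compromised repo nor a tampered Application object is contained. A dedicated AppProject with `sourceRepos` limited to this homelab repo, `destinations` limited to the in-cluster `sealed-secrets` namespace, and `clusterResourceWhitelist` limited to what the chart actually installs (its CRD and cluster RBAC) would be least privilege, with the Application then carrying `project: platform` or similar. The sibling Applications in this directory are outside the diff and presumably also use `default`, so this is a repo-wide change rather than a fix to this file alone. Separately, the controller's sealing private key is generated in the cluster and is not in git, so `prune`/`selfHeal` give no recovery for it; a comment on `namespace: sealed-secrets` pointing at an out-of-band key backup procedure would save the next operator.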
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-latest-tag
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: validate-image-tag
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: "Using the 'latest' tag or omitting image tags is forbidden. Use a specific version semantic tag."
+        foreach:
+          - list: "request.object.spec.containers"
+            deny:
+              conditions:
+                any:
+                  - key: "{{ regex_match('^.*:latest$', '{{ element.image }}') }}"
+                    operator: Equals
+                    value: true
+                  - key: "{{ !contains('{{ element.image }}', ':') }}"
+                    operator: Equals
+                    value: true
diff --git a/platform/kyverno/policies/kustomization.yaml b/platform/kyverno/policies/kustomization.yaml
index b8df21c..3e4656c 100644
--- a/platform/kyverno/policies/kustomization.yaml
+++ b/platform/kyverno/policies/kustomization.yaml
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - purge-terminal-pods.yaml
   - cleanup-rbac.yaml
+  - purge-terminal-pods.yaml
+  - disallow-latest-tag.yaml
diff --git a/platform/sealed-secrets/Chart.yaml b/platform/sealed-secrets/Chart.yaml
new file mode 100644
index 0000000..09930e2
--- /dev/null
+++ b/platform/sealed-secrets/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: sealed-secrets
+description: Sealed Secrets
+type: application
+version: 1.0.0
+appVersion: 1.0.0
+
+dependencies:
+  - name: sealed-secrets
+    version: 2.18.5
+    repository: https://bitnami-labs.github.io/sealed-secrets
diff --git a/platform/sealed-secrets/values.yaml b/platform/sealed-secrets/values.yaml
new file mode 100644
index 0000000..f2d50fe
--- /dev/null
+++ b/platform/sealed-secrets/values.yaml
@@ -0,0 +1,2 @@
+sealed-secrets:
+  fullnameOverride: sealed-secrets-controller
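Review bot: The `foreach` list `request.object.spec.containers` only inspects regular containers, so a Pod whose initContainers or ephemeralContainers use `:latest` or an untagged image is admitted unchecked, which defeats the Enforce policy for exactly the helper containers people pin least carefully. Kyverno's own sample policies cover all three lists with a flattening projection, `- list: "request.object.spec.[containers, initContainers, ephemeralContainers][]"`, so that single line change closes the gap. The second deny condition is also weaker than its message claims: `!contains(image, ':')` is satisfied by a registry port with no tag (`registry.local:5000/app`), and a check that the last path segment carries a tag or digest, `key: "{{ regex_match('[:@][^/]*$', '{{ element.image }}') }}"` with `value: false`, would reject that case while still accepting `nginx:1.25` and `@sha256:` digests. Worth adding a comment that tag pinning only stops accidental drift; it is not integrity, which needs digest pinning or signature verification.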
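Review bot: The only setting in values.yaml, `fullnameOverride: sealed-secrets-controller`, is load-bearing and should say why, since a later "cleanup" of this override would silently break sealing: `# kubeseal looks up a controller Service named sealed-secrets-controller by default`. A second comment should note that the chart is deployed to the `sealed-secrets` namespace rather than kubeseal's default controller namespace, so — if I recall the CLI defaults correctly — clients still need `--controller-namespace sealed-secrets` or the matching env var; recording that next to the override keeps the two facts together.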