updating to match everything in my homelab.

2026-02-05 16:13:53 -05:00
parent f8787379c5
commit 80fb911e22
30 changed files with 3107 additions and 7 deletions
--- a/diagrams/security-policy-enforcement.mmd
+++ b/diagrams/security-policy-enforcement.mmd
@@ -0,0 +1,81 @@
+```plaintext
+%% Security Policy Enforcement (ADR-0018)
+%% Flowchart showing admission control and vulnerability scanning
+
+flowchart TB
+    subgraph deploy["🚀 Deployment Sources"]
+        kubectl["kubectl"]
+        flux["Flux CD"]
+    end
+
+    subgraph admission["🛡️ Admission Control"]
+        api["Kubernetes<br/>API Server"]
+        gatekeeper["Gatekeeper (OPA)<br/>⚖️ Policy Validation"]
+    end
+
+    subgraph policies["📋 Policies"]
+        direction TB
+        p1["No privileged containers"]
+        p2["Required labels"]
+        p3["Resource limits"]
+        p4["Image registry whitelist"]
+    end
+
+    subgraph enforcement["🎯 Enforcement Modes"]
+        warn["⚠️ warn<br/>(log only)"]
+        dryrun["📊 dryrun<br/>(audit)"]
+        deny["🚫 deny<br/>(block)"]
+    end
+
+    subgraph workloads["☸️ Running Workloads"]
+        pods["Pods<br/>Deployments<br/>StatefulSets"]
+    end
+
+    subgraph scanning["🔍 Continuous Scanning"]
+        trivy["Trivy Operator"]
+        reports["VulnerabilityReports<br/>(CRDs)"]
+    end
+
+    subgraph observability["📈 Observability"]
+        prometheus["Prometheus<br/>📊 Metrics"]
+        grafana["Grafana<br/>📉 Dashboards"]
+        alertmanager["Alertmanager<br/>🔔 Alerts"]
+        ntfy["ntfy<br/>📱 Notifications"]
+    end
+
+    %% Admission flow
+    kubectl --> api
+    flux --> api
+    api -->|"Intercepts"| gatekeeper
+    gatekeeper -->|"Evaluates"| policies
+    policies --> enforcement
+    warn -->|"Allows"| workloads
+    dryrun -->|"Allows"| workloads
+    deny -->|"Blocks"| api
+    enforcement -->|"Violations"| prometheus
+
+    %% Scanning flow
+    workloads -->|"Scans images"| trivy
+    trivy -->|"Creates"| reports
+    reports -->|"Exports"| prometheus
+
+    %% Observability flow
+    prometheus --> grafana
+    prometheus --> alertmanager
+    alertmanager --> ntfy
+
+    classDef source fill:#f39c12,color:black
+    classDef admission fill:#3498db,color:white
+    classDef policy fill:#9b59b6,color:white
+    classDef workload fill:#27ae60,color:white
+    classDef scan fill:#e74c3c,color:white
+    classDef observe fill:#1abc9c,color:white
+
+    class kubectl,flux source
+    class api,gatekeeper admission
+    class p1,p2,p3,p4,warn,dryrun,deny policy
+    class pods workload
+    class trivy,reports scan
+    class prometheus,grafana,alertmanager,ntfy observe
+
+```