```plaintext
%% Security Policy Enforcement (ADR-0018)
%% Flowchart showing admission control and vulnerability scanning
%% Mermaid source. Statement order influences the rendered layout, so keep
%% the subgraph order below when editing.
%% NOTE(review): several label emoji look mis-encoded (e.g. the leading
%% "π" characters); they are left untouched here - confirm the file is UTF-8.
flowchart TB
%% Where deployment requests originate; both paths end at the API server.
subgraph deploy["π Deployment Sources"]
kubectl["kubectl"]
flux["Flux CD"]
end
%% The API server intercepts requests and hands them to Gatekeeper (OPA)
%% for policy validation before anything is admitted.
subgraph admission["π‘οΈ Admission Control"]
api["Kubernetes
API Server"]
gatekeeper["Gatekeeper (OPA)
βοΈ Policy Validation"]
end
%% The rule set Gatekeeper evaluates (p1-p4 are the individual policies).
subgraph policies["π Policies"]
direction TB
p1["No privileged containers"]
p2["Required labels"]
p3["Resource limits"]
p4["Image registry whitelist"]
end
%% Outcome of a policy evaluation. Only deny stops the request; warn and
%% dryrun both let the workload through (see the admission-flow edges).
subgraph enforcement["π― Enforcement Modes"]
warn["β οΈ warn
(log only)"]
dryrun["π dryrun
(audit)"]
deny["π« deny
(block)"]
end
%% Workloads that passed admission and are now running in the cluster.
subgraph workloads["βΈοΈ Running Workloads"]
pods["Pods
Deployments
StatefulSets"]
end
%% Image scanning of already-running workloads; results are stored as CRDs.
subgraph scanning["π Continuous Scanning"]
trivy["Trivy Operator"]
reports["VulnerabilityReports
(CRDs)"]
end
%% Metrics, dashboards and alert delivery.
subgraph observability["π Observability"]
prometheus["Prometheus
π Metrics"]
grafana["Grafana
π Dashboards"]
alertmanager["Alertmanager
π Alerts"]
ntfy["ntfy
π± Notifications"]
end
%% Admission flow
%% Both deployment sources reach Gatekeeper via the API server; in this
%% diagram no source bypasses admission control.
kubectl --> api
flux --> api
api -->|"Intercepts"| gatekeeper
gatekeeper -->|"Evaluates"| policies
policies --> enforcement
%% warn and dryrun admit the workload; deny returns to the API server and the
%% workload is not created. The enforcement subgraph exports violations to
%% Prometheus, which is presumably what makes warn/dryrun outcomes visible.
warn -->|"Allows"| workloads
dryrun -->|"Allows"| workloads
deny -->|"Blocks"| api
enforcement -->|"Violations"| prometheus
%% Scanning flow
%% NOTE(review): scanning starts from running workloads, so findings are
%% post-deployment. No edge feeds VulnerabilityReports back into the
%% admission decision; confirm whether that is intentional.
workloads -->|"Scans images"| trivy
trivy -->|"Creates"| reports
reports -->|"Exports"| prometheus
%% Observability flow
%% Admission violations and scan results both land in Prometheus, which
%% drives the dashboards and the alerts routed to ntfy.
prometheus --> grafana
prometheus --> alertmanager
alertmanager --> ntfy
%% Styling: one class per role. The enforcement-mode nodes (warn, dryrun,
%% deny) reuse the policy class rather than having a class of their own.
classDef source fill:#f39c12,color:black
classDef admission fill:#3498db,color:white
classDef policy fill:#9b59b6,color:white
classDef workload fill:#27ae60,color:white
classDef scan fill:#e74c3c,color:white
classDef observe fill:#1abc9c,color:white
class kubectl,flux source
class api,gatekeeper admission
class p1,p2,p3,p4,warn,dryrun,deny policy
class pods workload
class trivy,reports scan
class prometheus,grafana,alertmanager,ntfy observe
```