82 lines
2.3 KiB
Plaintext
```mermaid
%% Security Policy Enforcement (ADR-0018)
%% Flowchart showing admission control and vulnerability scanning

flowchart TB
    subgraph deploy["🚀 Deployment Sources"]
        kubectl["kubectl"]
        flux["Flux CD"]
    end

    subgraph admission["🛡️ Admission Control"]
        api["Kubernetes<br/>API Server"]
        gatekeeper["Gatekeeper (OPA)<br/>⚖️ Policy Validation"]
    end

    subgraph policies["📋 Policies"]
        direction TB
        p1["No privileged containers"]
        p2["Required labels"]
        p3["Resource limits"]
        p4["Image registry whitelist"]
    end

    subgraph enforcement["🎯 Enforcement Modes"]
        warn["⚠️ warn<br/>(admit, return warning to client)"]
        dryrun["📊 dryrun<br/>(admit, record for audit)"]
        deny["🚫 deny<br/>(reject request)"]
    end

    subgraph workloads["☸️ Running Workloads"]
        pods["Pods<br/>Deployments<br/>StatefulSets"]
    end

    subgraph scanning["🔍 Continuous Scanning"]
        trivy["Trivy Operator"]
        reports["VulnerabilityReports<br/>(CRDs)"]
    end

    subgraph observability["📈 Observability"]
        prometheus["Prometheus<br/>📊 Metrics"]
        grafana["Grafana<br/>📉 Dashboards"]
        alertmanager["Alertmanager<br/>🔔 Alerts"]
        ntfy["ntfy<br/>📱 Notifications"]
    end

    %% Admission flow
    kubectl --> api
    flux --> api
    api -->|"Intercepts"| gatekeeper
    gatekeeper -->|"Evaluates"| policies
    policies --> enforcement
    warn -->|"Allows"| workloads
    dryrun -->|"Allows"| workloads
    deny -->|"Blocks"| api
    enforcement -->|"Violations"| prometheus

    %% Scanning flow
    workloads -->|"Scans images"| trivy
    trivy -->|"Creates"| reports
    reports -->|"Exports"| prometheus

    %% Observability flow
    prometheus --> grafana
    prometheus --> alertmanager
    alertmanager --> ntfy

    classDef source fill:#f39c12,color:black
    classDef admission fill:#3498db,color:white
    classDef policy fill:#9b59b6,color:white
    classDef workload fill:#27ae60,color:white
    classDef scan fill:#e74c3c,color:white
    classDef observe fill:#1abc9c,color:white

    class kubectl,flux source
    class api,gatekeeper admission
    class p1,p2,p3,p4,warn,dryrun,deny policy
    class pods workload
    class trivy,reports scan
    class prometheus,grafana,alertmanager,ntfy observe
```
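The diagram shows four policies feeding three enforcement modes, but not how a single admission request is turned into an allow/deny decision. The following Python is an added illustration and is not code from the project or from Gatekeeper: in a real cluster the checks are Rego in ConstraintTemplates and the mode is the `enforcementAction` field on each Constraint, which takes exactly the values `deny`, `dryrun` and `warn`. The model below implements the same four checks over a Pod manifest and applies the mode per constraint, so that only `deny` violations reject the request while `warn` and `dryrun` admit it and only report. The sample Pod, the constraint names and the registry allowlist are constructed for the example. It goes slightly beyond the diagram in two places a practitioner gets bitten by: the privileged check walks `initContainers` and `ephemeralContainers` as well as `containers`, and the registry check normalises bare image names such as `busybox` to `docker.io` so they cannot slip past an allowlist.

```python
"""Model of the admission decision drawn in the flowchart (illustration only).

Not the project's code and not Gatekeeper's Rego: each policy is a function
returning violation messages for a Pod manifest, and a Constraint carries one
of Gatekeeper's enforcementAction values ("deny", "dryrun", "warn").
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable

Policy = Callable[[dict], list]

# Gatekeeper's three enforcementAction values; only "deny" rejects the request.
ENFORCEMENT_ACTIONS = ("deny", "dryrun", "warn")


def all_containers(pod: dict) -> Iterable[dict]:
    """Every container spec, including init and ephemeral (debug) containers."""
    spec = pod.get("spec", {})
    for key in ("containers", "initContainers", "ephemeralContainers"):
        yield from spec.get(key, [])


def no_privileged(pod: dict) -> list:
    # securityContext.privileged defaults to false when absent.
    return [f"container {c['name']} runs privileged"
            for c in all_containers(pod)
            if c.get("securityContext", {}).get("privileged", False)]


def required_labels(required: Iterable[str]) -> Policy:
    def check(pod: dict) -> list:
        labels = pod.get("metadata", {}).get("labels", {})
        return [f"missing required label {name}" for name in required if name not in labels]
    return check


def resource_limits(pod: dict) -> list:
    return [f"container {c['name']} has no {res} limit"
            for c in all_containers(pod)
            for res in ("cpu", "memory")
            if res not in c.get("resources", {}).get("limits", {})]


def image_registry(image: str) -> str:
    """Registry of an image reference. A first path component counts as a
    registry only if it looks like a host (has a dot or port, or is localhost);
    otherwise the reference is a bare Docker Hub name and defaults to docker.io."""
    ref = image.split("@", 1)[0]  # drop any @sha256:... digest
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def allowed_registries(allowed: set) -> Policy:
    def check(pod: dict) -> list:
        return [f"container {c['name']} image {c['image']} from {image_registry(c['image'])} "
                f"is not in the allowlist"
                for c in all_containers(pod)
                if image_registry(c["image"]) not in allowed]
    return check


@dataclass
class Constraint:
    name: str
    policy: Policy
    enforcement_action: str = "deny"


@dataclass
class AdmissionResponse:
    allowed: bool = True
    denials: list = field(default_factory=list)   # deny: returned as the rejection reason
    warnings: list = field(default_factory=list)  # warn: admitted, warning sent to client
    audit: list = field(default_factory=list)     # dryrun: admitted, recorded only


def admit(pod: dict, constraints: Iterable[Constraint]) -> AdmissionResponse:
    """Evaluate every constraint; the request is rejected only by deny-mode violations."""
    resp = AdmissionResponse()
    for c in constraints:
        if c.enforcement_action not in ENFORCEMENT_ACTIONS:
            raise ValueError(f"unknown enforcementAction {c.enforcement_action!r}")
        for msg in c.policy(pod):
            entry = f"[{c.name}] {msg}"
            if c.enforcement_action == "deny":
                resp.allowed = False
                resp.denials.append(entry)
            elif c.enforcement_action == "warn":
                resp.warnings.append(entry)
            else:
                resp.audit.append(entry)
    return resp


# Constructed sample manifest (not from the project): privileged init container
# pulled from Docker Hub, a compliant app container, one required label missing.
SAMPLE_POD = {
    "metadata": {"name": "debug", "labels": {"app": "debug"}},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox",
                            "securityContext": {"privileged": True}}],
        "containers": [{"name": "app", "image": "ghcr.io/example/app:1.2.3",
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
    },
}

# Hypothetical constraint set mirroring the diagram's four policies.
CONSTRAINTS = [
    Constraint("no-privileged", no_privileged, "deny"),
    Constraint("required-labels", required_labels(["app", "team"]), "warn"),
    Constraint("resource-limits", resource_limits, "dryrun"),
    Constraint("allowed-registries", allowed_registries({"ghcr.io", "registry.example.internal"}), "deny"),
]

if __name__ == "__main__":
    result = admit(SAMPLE_POD, CONSTRAINTS)
    print("allowed:", result.allowed)
    for section in ("denials", "warnings", "audit"):
        for line in getattr(result, section):
            print(f"  {section}: {line}")
```

Running it rejects the sample Pod on two deny-mode violations (the privileged init container and its Docker Hub image), while the missing `team` label only produces a warning and the init container's missing limits are only recorded, exactly the three outgoing edges of the Enforcement Modes box. Flip the two `deny` constraints to `dryrun` and the same Pod is admitted, which is why a new policy is normally rolled out as `dryrun`, its audit violations reviewed, and only then switched to `deny`.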