Kubernetes manifests demonstrating zero-trust architecture with admission control, policy enforcement, and GitOps automation.
Production Kubernetes manifests with:
- Zero-Trust Networking: default-deny NetworkPolicies, with explicit allowlists per workload
- Admission Control: Kyverno validates every deployment before it is admitted
- GitOps: ArgoCD auto-syncs from Git
- Multi-Environment: dev, staging and production built from one base with Kustomize
- Secret Management: External Secrets Operator backed by AWS Secrets Manager
- Runtime Security: Falco threat detection
```text
┌──────────────────────────────────────────────────────────┐
│  Git Repository                                          │
│  (Source of Truth for Cluster State)                     │
└─────────────────┬────────────────────────────────────────┘
                  │
        CI/CD pushes updated image digest
                  │
                  ▼
┌──────────────────────────────────────────────────────────┐
│  ArgoCD                                                  │
│  - Detects changes every 3 minutes                       │
│  - Auto-sync to dev                                      │
│  - Manual sync to staging/production                     │
└─────────────────┬────────────────────────────────────────┘
                  │
            kubectl apply
                  │
                  ▼
┌──────────────────────────────────────────────────────────┐
│  Admission Control                                       │
│  Kyverno validates:                                      │
│    ✓ Block unsigned images                               │
│    ✓ Block missing SBOM                                  │
│    ✓ Block latest tag                                    │
│    ✓ Block privileged containers                         │
│                                                          │
│  Allow only compliant workloads                          │
└─────────────────┬────────────────────────────────────────┘
                  │
         If validation passes
                  │
                  ▼
┌──────────────────────────────────────────────────────────┐
│  Kubernetes Cluster (EKS)                                │
│                                                          │
│   ┌────────────────┐      ┌────────────────┐             │
│   │    Backend     │      │    Database    │             │
│   │     (IRSA)     │      │ (StatefulSet)  │             │
│   └───────┬────────┘      └───────┬────────┘             │
│           │                       │                      │
│           └──── NetworkPolicy ────┘                      │
│                 (Zero-Trust)                             │
│                                                          │
│   ┌────────────────────────────────────────────────┐     │
│   │            Falco (Runtime Security)            │     │
│   │  - Detects shell spawns                        │     │
│   │  - Detects privilege escalation                │     │
│   │  - Alerts to Slack                             │     │
│   └────────────────────────────────────────────────┘     │
└──────────────────────────────────────────────────────────┘
```
```text
.
├── argocd/
│   ├── applications/
│   │   ├── app-of-apps.yaml        # Root application
│   │   ├── backend.yaml
│   │   ├── admin.yaml
│   │   └── platform.yaml
│   └── projects/
│       └── ecommerce.yaml
│
├── base/                           # Kustomize base manifests
│   ├── backend/
│   │   ├── deployment.yaml
│   │   ├── service.yaml
│   │   ├── serviceaccount.yaml     # IRSA annotation
│   │   ├── externalsecret.yaml     # Secrets from AWS
│   │   ├── networkpolicy.yaml      # Zero-trust rules
│   │   └── kustomization.yaml
│   │
│   ├── platform/
│   │   ├── external-secrets/
│   │   ├── kyverno/
│   │   │   ├── verify-images.yaml
│   │   │   ├── require-sbom.yaml
│   │   │   └── security-policies.yaml
│   │   └── falco/
│   │       └── custom-rules.yaml
│   │
│   └── ...
│
└── overlays/                       # Environment-specific
    ├── dev/
    │   └── backend/
    │       ├── kustomization.yaml
    │       └── patches/
    │           ├── replicas.yaml   # 1 replica
    │           └── resources.yaml  # Lower limits
    │
    ├── staging/                    # 2 replicas
    └── production/                 # 3 replicas + HPA
```
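The tree above lists `argocd/projects/ecommerce.yaml` and the per-service applications under `argocd/applications/`, and the diagram says dev is auto-synced while staging and production are synced manually. The manifests below are an added example written for this README, not files copied from the repository: they show one way to express that split, with the AppProject acting as the guard rail. The repository URL, the `backend-*` namespace names, the `ORG` placeholder and the retry settings are assumptions.

```yaml
# Added example (not the repository's own manifests). ORG, the repo URL and
# the backend-* namespaces are placeholders chosen for this illustration.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: ecommerce
  namespace: argocd
spec:
  sourceRepos:
    - https://github.com/ORG/k8s-gitops.git   # only this repo may be deployed
  destinations:
    - server: https://kubernetes.default.svc
      namespace: backend-*                   # only these namespaces
  clusterResourceWhitelist: []               # no cluster-scoped objects at all
  namespaceResourceBlacklist:                # and no tampering with guard rails
    - group: ""
      kind: ResourceQuota
    - group: ""
      kind: LimitRange
---
# Dev: fully automated. A merged commit is live within one polling interval.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: backend-dev
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io  # cascade-delete managed objects
spec:
  project: ecommerce
  source:
    repoURL: https://github.com/ORG/k8s-gitops.git
    targetRevision: main
    path: overlays/dev/backend                # the Kustomize overlay, not base/
  destination:
    server: https://kubernetes.default.svc
    namespace: backend-dev
  syncPolicy:
    automated:
      prune: true        # objects removed from Git are removed from the cluster
      selfHeal: true     # out-of-band kubectl changes are reverted
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
    retry:
      limit: 3
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 1m
---
# Staging: same repo and branch, but no `automated` block. ArgoCD shows the
# app as OutOfSync after the promotion PR merges and waits for a human to
# sync it (UI button or `argocd app sync backend-staging`).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: backend-staging
  namespace: argocd
spec:
  project: ecommerce
  source:
    repoURL: https://github.com/ORG/k8s-gitops.git
    targetRevision: main
    path: overlays/staging/backend
  destination:
    server: https://kubernetes.default.svc
    namespace: backend-staging
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
```

The AppProject is the security-relevant part: `sourceRepos` pins which Git repositories may be deployed, `destinations` limits which namespaces, and an empty `clusterResourceWhitelist` means nothing in this project can create a ClusterRoleBinding or other cluster-scoped object even if someone commits one. The platform application (Kyverno ClusterPolicies, Falco) does need cluster scope and would belong to a separate, more permissive project. `selfHeal` is what stops the cluster drifting from Git unnoticed.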
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}        # selects every pod in the namespace
  policyTypes:
    - Ingress
    - Egress             # no ingress/egress rules follow, so both directions are denied
```

With that in place every workload needs an explicit allowlist. The backend can ONLY talk to:

- Database (port 5432)
- Redis (port 6379)
- External HTTPS (port 443)
- DNS (port 53)

Kyverno policies:

1. Verify Image Signatures
   - Block unsigned images
   - Verify the Cosign signature keylessly against the GitHub OIDC identity of the build workflow
   - Use the Rekor transparency log
2. Require SBOM
   - Block images without an SBOM attestation
   - Support SPDX and CycloneDX formats
3. Security Best Practices
   - Require a non-root user
   - Block the latest tag
   - Require resource limits
   - Block privileged containers
   - Require a read-only root filesystem

Developer pushes code:
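The default-deny policy above says what is blocked; the list under it says what the backend may still reach. The manifests below are an added example written for this README, not the repository's `base/backend/networkpolicy.yaml`. They assume the pod labels `app=backend`, `app=database`, `app=redis` and `app=admin`, all in one namespace; that the backend listens on port 9000 (the port the connectivity test later in this document uses); that cluster DNS is CoreDNS in `kube-system` labelled `k8s-app=kube-dns` (the EKS default); and that `10.0.0.0/8` covers the VPC.

```yaml
# Added example for this README; not the repository's networkpolicy.yaml.
# Assumed: labels app=backend/app=database/app=redis/app=admin, one namespace,
# backend port 9000, CoreDNS in kube-system (k8s-app=kube-dns), VPC in 10/8.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-egress
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Egress
  egress:
    # DNS (port 53) to CoreDNS only, UDP and TCP. Without this rule nothing
    # below resolves; it is the first thing to check when default deny
    # appears to break everything.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Database (port 5432): the database pods, not the whole namespace
    - to:
        - podSelector:
            matchLabels:
              app: database
      ports:
        - protocol: TCP
          port: 5432
    # Redis (port 6379)
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379
    # External HTTPS (port 443): public addresses only. Private ranges are
    # excluded so this rule cannot be used to reach other VPC or cluster
    # services; a VPC endpoint for Secrets Manager would need its own rule.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 443
---
# Ingress side: who may call the backend. This is the rule the connectivity
# test relies on when it labels the probe pod app=admin.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-ingress
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: admin
      ports:
        - protocol: TCP
          port: 9000
---
# The database accepts connections from the backend only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-ingress
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: backend
      ports:
        - protocol: TCP
          port: 5432
```

Two caveats a practitioner will hit. NetworkPolicy objects are inert unless the CNI enforces them; on EKS that means enabling network policy support in the VPC CNI add-on or running Calico, and a cluster without either will pass the "should fail" test for the wrong reason. And the HTTPS rule is deliberately broad (all public IPv4 on 443), which is the honest trade-off when the backend calls AWS APIs whose address ranges change; the instance metadata endpoint `169.254.169.254` is not opened by it, and with IRSA the backend should not need it.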
```bash
git push origin main
# CI/CD builds, signs, scans image
# Updates this GitOps repo with new image digest
# ArgoCD detects change (within 3 min)
# Auto-syncs to dev environment
# Kyverno validates signature
# Deployment proceeds
```

Promote to staging:

```bash
# Create PR to promote
gh pr create --title "Promote backend to staging"
# Team reviews
# Merge PR
# ArgoCD syncs (manual approval required)
# Canary deployment with Argo Rollouts
```

Install ArgoCD:

```bash
kubectl create namespace argocd
kubectl apply -n argocd -f \
  https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
```

Bootstrap the app-of-apps (every other Application is created from it):

```bash
kubectl apply -f argocd/applications/app-of-apps.yaml
```

Access the UI:

```bash
# Get admin password
kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath="{.data.password}" | base64 -d
# Change it (or configure SSO), then delete argocd-initial-admin-secret
# as the ArgoCD docs recommend; it is a bootstrap credential only.
# Port forward (ArgoCD serves TLS, so open https://localhost:8080)
kubectl port-forward svc/argocd-server -n argocd 8080:443
```

- ADR-007: GitOps with ArgoCD
- ADR-008: Kyverno vs OPA
- ADR-009: Zero-Trust Networking
- Runbook: Deployment
- Runbook: Rollback
Zero-trust networking (run in the backend's namespace):

```bash
# Long-lived probe pod: kubectl run defaults to restart=Always, so a pod whose
# only command is wget would crash-loop and could not be exec'd into
kubectl run test --image=busybox --command -- sleep 3600
# Should FAIL (default deny): wget times out instead of connecting
kubectl exec test -- wget -T 5 -O- backend:9000
# Should SUCCEED (after adding the label the backend ingress policy allows)
kubectl label pod test app=admin
kubectl exec test -- wget -T 5 -O- backend:9000
```

Admission control (distinct pod names, since a rejected pod leaves nothing behind but an admitted one does):

```bash
# Should FAIL (unsigned)
kubectl run test-unsigned --image=nginx:latest
# Should SUCCEED (signed, pinned by digest)
kubectl run test-signed --image=ACCOUNT.dkr.ecr.REGION.amazonaws.com/backend@sha256:...
```

ArgoCD metrics:

- Sync success rate
- Sync duration
- Application health status

Kyverno metrics:

- Policy violations
- Admission decisions
- Background scan results
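The admission test above expects `nginx:latest` to be rejected and a digest-pinned, signed ECR image to be admitted, and the Kyverno metrics count the resulting decisions. The policy below is an added example of how items 1 and 2 of the Kyverno list (keyless Cosign verification against a GitHub OIDC identity with Rekor, plus a required SBOM attestation) can be expressed; it is not the repository's `verify-images.yaml` or `require-sbom.yaml`. The GitHub workflow identity (`ORG/REPO`, `build.yml` on `main`), the excluded platform namespaces and the choice to enforce the SPDX predicate are assumptions.

```yaml
# Added example; not the repository's Kyverno policies. ORG/REPO and the
# workflow path are placeholders for the CI identity that signs images.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signed-images-with-sbom
spec:
  validationFailureAction: Enforce   # reject, do not merely audit
  background: false                  # verifyImages needs the admission request
  webhookTimeoutSeconds: 30          # signature and Rekor lookups take time
  failurePolicy: Fail                # webhook unreachable => deny, not allow
  rules:
    - name: cosign-keyless-signature-and-sbom
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:            # platform components are gated elsewhere
                - kube-system
                - kyverno
                - argocd
                - falco
                - external-secrets
      verifyImages:
        - imageReferences:
            - "*"                    # every image, so nginx:latest is examined and fails
          required: true
          mutateDigest: true         # rewrite tag references to the verified digest
          verifyDigest: true
          attestors:
            - count: 1
              entries:
                - keyless:
                    issuer: https://token.actions.githubusercontent.com
                    subject: https://github.com/ORG/REPO/.github/workflows/build.yml@refs/heads/main
                    rekor:
                      url: https://rekor.sigstore.dev
          attestations:
            # SBOM attestation produced by `cosign attest --type spdxjson`.
            # A CycloneDX variant uses type https://cyclonedx.org/bom and
            # checks bomFormat == CycloneDX instead.
            - type: https://spdx.dev/Document
              attestors:
                - count: 1
                  entries:
                    - keyless:
                        issuer: https://token.actions.githubusercontent.com
                        subject: https://github.com/ORG/REPO/.github/workflows/build.yml@refs/heads/main
                        rekor:
                          url: https://rekor.sigstore.dev
              conditions:
                - all:
                    - key: "{{ spdxVersion }}"
                      operator: Equals
                      value: "SPDX-2.3"
```

Three details carry the security weight. `imageReferences: ["*"]` is what makes an unsigned public image fail: a pattern scoped to the ECR registry would leave `nginx:latest` unexamined rather than rejected, which is a common misconfiguration that passes a casual test. `mutateDigest: true` rewrites a tag reference to the digest that was actually verified, so what runs is what was checked. `failurePolicy: Fail` means an unreachable Kyverno webhook blocks admission instead of silently admitting everything, which is the right default for a zero-trust cluster even though it makes Kyverno's availability a deployment dependency.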
Chetan Patil - Senior DevSecOps Engineer
- Portfolio: chetanpatil.dev
- GitHub: @chetanpatil
Demonstrates production GitOps and zero-trust security