Chris Farhood
19b175dcf2
Best Practices / Kube-score Analysis (push) Has been cancelled
Best Practices / Polaris Audit (push) Has been cancelled
Best Practices / Resource Usage Analysis (push) Has been cancelled
Best Practices / PR Summary Report (push) Has been cancelled
Best Practices / Polaris PR Review (push) Has been cancelled
Security Scan / Trivy Security Scan (push) Has been cancelled
Security Scan / Trivy PR Review (push) Has been cancelled
Security Scan / Checkov IaC Scan (push) Has been cancelled
Security Scan / Checkov PR Review (push) Has been cancelled
Validate Manifests / Kustomize Build Test (push) Successful in 35s
Validate Manifests / YAML Lint (push) Failing after 35s
Validate Manifests / Kubernetes Schema Validation (push) Successful in 35s
Add CiliumNetworkPolicy ingress rules so thelounge only accepts traffic from the cilium external gateway in gateway-system, and znc only from the thelounge pod. Allow host entity on both for kubelet probes. Switch znc service to ClusterIP and drop the external-dns annotation since direct external IRC client access is no longer desired.
IRC Applications
Kubernetes manifests for IRC applications, deployed via Flux CD.
Applications
- The Lounge - Modern web IRC client with persistent connections
- ZNC - IRC bouncer for persistent IRC presence
Deployment
This repository is deployed to Kubernetes using Flux CD with variable substitution. Configuration variables (e.g., hostnames) are provided via ConfigMaps at deployment time.
Important: Manifests use Flux variable syntax (${VARIABLE_NAME}). Do not replace these with hardcoded values.
Architecture
- Kustomize-based: Uses Kustomize for manifest organization
- StatefulSets: Both apps use StatefulSets with persistent volumes (4Gi each)
- Security hardened:
- Run as non-root (UID 1000)
- Seccomp profiles enabled (RuntimeDefault)
- All capabilities dropped
- Network policies configured
- Resource managed: CPU and memory limits set, including ephemeral storage
- Health checks: Liveness and readiness probes configured
Local Development
Validate manifests
# YAML linting
yamllint -c .yamllint.yaml .
# Test kustomize builds
kubectl kustomize .
kubectl kustomize ./thelounge
kubectl kustomize ./znc
# Validate schemas
kubectl kustomize . | kubeconform \
-schema-location default \
-schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \
-skip HTTPRoute \
-ignore-missing-schemas
Security scanning
# Trivy
trivy config --severity CRITICAL,HIGH --ignorefile .trivyignore .
# Checkov
checkov -d . --config-file .checkov.yaml
Best practices
# Kube-score
kubectl kustomize . | kube-score score - \
--ignore-test container-image-tag \
--ignore-test container-security-context-readonlyrootfilesystem
# Polaris
kubectl kustomize . | polaris audit --format pretty
CI/CD
Automated validation and security scanning via Gitea Actions:
Validate Manifests
- YAML linting (yamllint)
- Kustomize build tests
- Kubernetes schema validation (kubeconform, skips HTTPRoute with variables)
Security Scan
- Trivy: Vulnerability scanning with automated PR reviews
- Checkov: IaC security scanning with automated PR reviews
- Blocks PRs on critical findings, warns on high severity
Best Practices
- kube-score: Kubernetes best practices analysis
- Polaris: Security and reliability audit with automated PR reviews
- Resource analysis: CPU/memory configuration review
All workflows run on push/PR to main branch.
Documentation
See CLAUDE.md for comprehensive development documentation.