K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
96 Commits 1 Branch 0 Tags
e1ecf4309659fe89e0d57687613e7284b6357932
Commit Graph

11 Commits

Author SHA1 Message Date
Mayne0213
1a551b47ca PERF(falco): optimize falco rules 
- and add sidekick memory limit
- Add macros to exclude trivy, postgres, minio, vault from rules
- Disable Container Drift Detection (too noisy)
- Remove /etc/passwd from sensitive file access (normal lookups)
- Add 256Mi memory limit to falcosidekick (was using 1.1GB)
 2026-01-05 00:40:26 +09:00
Mayne0213
4d4ecb13d6 FIX(falco): add NoExecute tolerations 
- and enable Redis persistence
- Add NoExecute tolerations for master/control-plane nodes to run Falco
  DaemonSet on all nodes
- Enable Redis storage to persist index data across pod restarts
 2026-01-04 23:41:39 +09:00
Mayne0213
7de57fc936 CHORE(authelia): disable falco-ui basic auth 
- Use Authelia SSO instead
- Remove basic auth configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
2a4d84a0bc CHORE(deps): upgrade Falco to 0.40.0 
- Upgrade for kernel 6.14 support
- Apply dependency updates
 2026-01-04 23:41:39 +09:00
Mayne0213
5f197a607b FIX(falco): falco config errors 
- Remove unsupported outputs_queue_capacity option
- Fix Container Drift Detection rule (remove undefined rename macro)
 2026-01-04 23:41:39 +09:00
Mayne0213
765104bb4e REFACTOR(authelia): remove falco-ui-secret 
- Use Authelia SSO instead
- Remove basic auth secret
 2026-01-04 23:41:39 +09:00
Mayne0213
87b16d13e3 FEAT(falco): configure falco redis 
- with 200mb maxmemory and lru eviction
 2026-01-04 23:41:39 +09:00
Mayne0213
27d1e5c4b1 FIX(falco): re-enable falco webui 
- with redis memory limit 128mi
 2026-01-04 23:41:39 +09:00
Mayne0213
26e40d234a CHORE(falco): disable sidekick web ui 
- to save 535mb redis memory
 2026-01-04 23:41:39 +09:00
Mayne0213
368f7b5f5a PERF(falco): reduce falcosidekick replicas to 1 
- Scale down to single replica
- Reduce resource usage
 2026-01-04 23:41:39 +09:00
Mayne0213
34a1c9f783 REFACTOR(repo): restructure infra folder structure 
- Remove argocd/, helm-values/, ingress/ subdirectories
- Move files to parent directory with standardized names
- Add namespace.yaml to all apps with Goldilocks labels
- Preserve vault/ subdirectories (falco, velero)
- Update main kustomization.yaml to reference argocd.yaml files directly
- Comment out argocd.yaml in each app's kustomization.yaml to prevent
  circular reference

Applications restructured:
- cert-manager (2 ArgoCD apps)
- external-secrets
- reloader
- vault (2 ArgoCD apps)
- velero (2 ArgoCD apps)
- falco
- cnpg
- haproxy
- metallb
- vpa
- argocd
 2026-01-04 23:41:39 +09:00