🛡️ SECURITY & IDENTITY

Defense in Depth

Zero-trust security: SSO, secrets management, policy enforcement, runtime detection, and certificate automation.

ZERO-TRUST SECURITY LAYERS

1. Identity: Keycloak. OIDC SSO across all services.
2. Secrets: Vault + ESO. Encrypted at rest in Vault, synced into pods by the External Secrets Operator.
3. Policy: Kyverno. Admission control: validation and mutation of resources.
4. Runtime: Falco. Rule-based runtime threat detection over syscalls captured with an eBPF probe.
5. Scanning: Kubescape. Compliance scanning against the CIS, NSA/CISA and MITRE ATT&CK frameworks.
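As an added example for layer 4 (this is not a rule from the platform or from Falco's bundled rule set): a self-contained Falco rule that flags an interactive shell started inside a container. Falco captures syscalls with its eBPF probe and evaluates each rule's condition against the resulting events, so the rule below fires on every matching execve. The macros it needs are defined inline so the file loads on its own; the "platform-debug" namespace is an assumed allow-list.

```yaml
# Added example: custom Falco rule, not part of the platform's rule set.
# Falco evaluates rule conditions against syscall events from its eBPF
# probe; each macro is a reusable fragment of a condition.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: container
  condition: container.id != host

- macro: shell_procs
  condition: proc.name in (ash, bash, csh, dash, ksh, sh, tcsh, zsh)

# Allow-list: a namespace where operators legitimately exec into pods
# (assumed name; adjust to the platform's own debugging namespace).
- macro: debug_namespace
  condition: k8s.ns.name = "platform-debug"

- rule: Interactive shell spawned in container
  desc: >
    A shell with an attached TTY started inside a container outside the
    debugging namespace. Typical of kubectl exec abuse or an attacker
    who has obtained a PTY in a compromised pod.
  condition: >
    spawned_process and container and shell_procs
    and proc.tty != 0 and not debug_namespace
  output: >
    Shell in container (user=%user.name ns=%k8s.ns.name pod=%k8s.pod.name
    container=%container.name image=%container.image.repository
    cmd=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, shell, mitre_execution, T1059]
```

The TTY check is what keeps this rule quiet for legitimate entrypoint scripts: `sh -c "..."` run by an image's entrypoint has no controlling terminal, while `kubectl exec -it` and interactive PTYs do. Tune the `debug_namespace` macro rather than the rule when you need exceptions, so the exception is visible in one place.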

Single Sign-On Everywhere

One Keycloak login grants access to every platform service; users hold no per-service credentials. The built-in local accounts these products ship with (ArgoCD's admin user, Grafana's admin, Vault's root token) still exist: keep them disabled or sealed in Vault for break-glass use only.

Vault
Harbor
Grafana
ArgoCD
OneDev
AFFiNE
Backstage
APISIX Dashboard
Supabase
Matomo
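What wiring one of these services to Keycloak looks like, as an added example (not the platform's own manifests): ArgoCD's two ConfigMaps configured for OIDC against a Keycloak realm, with Keycloak groups mapped to ArgoCD roles and the local admin disabled. The hostnames, the realm name "platform" and the group names are assumptions.

```yaml
# Added example: ArgoCD OIDC login via Keycloak. Hostnames, realm and
# group names are assumptions, not values from the platform.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.example.com
  # Disable the built-in admin user so Keycloak is the only way in.
  admin.enabled: "false"
  oidc.config: |
    name: Keycloak
    issuer: https://keycloak.example.com/realms/platform
    clientID: argocd
    # A "$key" value tells ArgoCD to read the secret from argocd-secret,
    # which an ExternalSecret populates from Vault, so the client secret
    # never appears in Git.
    clientSecret: $oidc.keycloak.clientSecret
    requestedScopes: ["openid", "profile", "email", "groups"]
    # The "groups" scope only carries data if the Keycloak client has a
    # Group Membership mapper adding a groups claim to the ID token.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Anyone who authenticates but matches no group gets read-only access.
  policy.default: role:readonly
  # "g" lines bind a token subject (here a group) to a role;
  # "p" lines define what a role may do.
  # Keycloak's Group Membership mapper emits full paths ("/platform-admins")
  # unless "Full group path" is switched off; the names below assume it is off.
  policy.csv: |
    g, platform-admins, role:admin
    p, role:deployer, applications, sync, */*, allow
    p, role:deployer, applications, get, */*, allow
    g, platform-developers, role:deployer
  # Which token claims are consulted when matching "g" lines.
  scopes: '[groups]'
```

The same pattern repeats for every service in the list above: a confidential OIDC client in Keycloak, the client secret delivered through Vault rather than committed, and group claims rather than per-user grants driving authorization.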

Secrets Management

No secrets in Git. Vault is the single source of truth; the External Secrets Operator syncs each secret into a Kubernetes Secret in the consuming namespace. Those synced copies do live in etcd, so API-server encryption at rest (an EncryptionConfiguration) and RBAC on Secrets still matter.

graph TD
  TF["Terraform"]:::terraform
  VAULT["Vault<br/>HA / 3 Raft replicas<br/>Encrypted at rest"]:::vault
  CSS["ClusterSecretStore<br/>vault-backend"]:::store
  ES["ExternalSecret<br/>Per-app, per-namespace"]:::external
  KS["Kubernetes Secret<br/>Mounted as env or volume"]:::k8s
  POD["Pod<br/>Consumes secret transparently"]:::pod

  TF -->|"Provision secrets"| VAULT
  VAULT --> CSS
  CSS --> ES
  ES --> KS
  KS --> POD

  classDef terraform fill:#0e3a3a,stroke:#06b6d4,color:#67e8f9,stroke-width:2px
  classDef vault fill:#2e2a0e,stroke:#facc15,color:#fde68a,stroke-width:2px
  classDef store fill:#14332a,stroke:#4ade80,color:#86efac,stroke-width:2px
  classDef external fill:#2e1a47,stroke:#a78bfa,color:#c4b5fd,stroke-width:2px
  classDef k8s fill:#1e3a5f,stroke:#60a5fa,color:#93c5fd,stroke-width:2px
  classDef pod fill:#2e1a0e,stroke:#f97316,color:#fdba74,stroke-width:2px
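The Kubernetes half of the diagram above, as an added example rather than the platform's own manifests: a ClusterSecretStore that authenticates to Vault with ESO's own ServiceAccount, a per-app ExternalSecret that renders a connection string from two Vault keys, and a Deployment that consumes the result without ever talking to Vault. The Vault address, the "platform" KV mount, the "external-secrets" role and the "billing" app are assumptions.

```yaml
# Added example: Vault -> ClusterSecretStore -> ExternalSecret -> Secret -> Pod.
# Mount paths, role names, hostnames and the "billing" app are assumptions.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: https://vault.vault.svc:8200
      path: platform           # KV v2 mount
      version: v2
      # ESO presents its ServiceAccount token to Vault's Kubernetes auth
      # method; no long-lived Vault token is stored anywhere in the cluster.
      auth:
        kubernetes:
          mountPath: kubernetes
          role: external-secrets
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: billing-db
  namespace: billing
spec:
  refreshInterval: 1h          # re-read Vault so rotations propagate
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: billing-db           # the Kubernetes Secret ESO creates and owns
    creationPolicy: Owner
    template:
      type: Opaque
      data:
        # Compose one DSN from two Vault fields so the app needs a single
        # env var; with the default merge policy only DATABASE_URL is emitted.
        DATABASE_URL: "postgres://{{ .username }}:{{ .password }}@pg.billing.svc:5432/billing?sslmode=require"
  data:
    - secretKey: username
      remoteRef:
        key: apps/billing/db   # path under the "platform" KV mount
        property: username
    - secretKey: password
      remoteRef:
        key: apps/billing/db
        property: password
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: billing
  namespace: billing
spec:
  replicas: 1
  selector:
    matchLabels: {app: billing}
  template:
    metadata:
      labels: {app: billing}
    spec:
      containers:
        - name: billing
          image: harbor.example.com/billing/api:1.4.2
          envFrom:
            - secretRef:
                name: billing-db   # the pod never talks to Vault directly
```

On the Vault side (the Terraform step in the diagram) the `external-secrets` role must be bound to a policy granting `read` on `platform/data/apps/*`; KV v2 ACL paths include the `data/` segment, which is a common reason a store shows `Valid` but every ExternalSecret reports permission denied. Scope that policy per path rather than granting `platform/*`, since anything ESO can read, anyone who can create an ExternalSecret in any namespace can read too.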


All Components

Keycloak

production

Enterprise identity and access management with OIDC, SAML, social login, and LDAP integration.

Role: Centralized SSO for all platform services — Vault, Harbor, Grafana, ArgoCD, OneDev, Devtron

HashiCorp Vault

production

Secrets management, encryption as a service, and privileged access management.

Role: HA deployment (3-replica Raft cluster) storing all platform secrets, DNS credentials, TLS certificates

External Secrets Operator

production

Kubernetes operator that synchronizes secrets from external stores into Kubernetes secrets.

Role: Bridges Vault ↔ Kubernetes: syncs secrets to pods, pushes certificates back to Vault

cert-manager

production

Automatic TLS certificate management with Let's Encrypt ACME protocol support.

Role: Automated certificate issuance via DNS-01 challenges with Cloudflare
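The issuance path described here, together with the ESO push-back mentioned under External Secrets Operator, as an added example (not the platform's manifests): a ClusterIssuer solving DNS-01 through Cloudflare, a wildcard Certificate, and a PushSecret that copies the issued certificate into Vault. The domain, zone, contact address and Vault paths are assumptions.

```yaml
# Added example: DNS-01 issuance via Cloudflare, then the issued cert is
# pushed into Vault by ESO. Domain, zone, email and Vault paths are assumed.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform-ops@example.com
    privateKeySecretRef:
      name: letsencrypt-dns-account   # ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token   # itself synced from Vault by ESO
              key: api-token
        selector:
          dnsZones: ["example.com"]      # only solve challenges for this zone
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example
  namespace: ingress
spec:
  secretName: wildcard-example-tls
  dnsNames:
    - "example.com"
    - "*.example.com"
  duration: 2160h      # 90 days, the Let's Encrypt maximum
  renewBefore: 720h    # renew with 30 days left
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always   # fresh key on every renewal
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-dns
---
# Push the issued cert into Vault so consumers outside this cluster can
# fetch it; the Secret itself stays owned by cert-manager.
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: wildcard-example-to-vault
  namespace: ingress
spec:
  refreshInterval: 1h
  updatePolicy: Replace
  secretStoreRefs:
    - kind: ClusterSecretStore
      name: vault-backend
  selector:
    secret:
      name: wildcard-example-tls
  data:
    - match:
        secretKey: tls.crt
        remoteRef:
          remoteKey: tls/wildcard-example
          property: tls.crt
    - match:
        secretKey: tls.key
        remoteRef:
          remoteKey: tls/wildcard-example
          property: tls.key
```

Two checks worth doing on a DNS-01 setup: the Cloudflare token should be scoped to Zone:DNS:Edit on the single zone in `dnsZones`, because a token that can write DNS records can also obtain certificates for any name in that zone; and the Vault policy behind `vault-backend` needs `create` and `update` on `platform/data/tls/*` for the push, separate from the read-only policy used for normal ExternalSecret syncing.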

Kyverno

production

Kubernetes-native policy engine for validation, mutation, and generation of resources.

Role: Enforces security policies, injects PriorityClasses via mutation for charts that don't propagate values, image proxy rewriting to Harbor
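Two of the mutations listed in this role, as an added example (not the platform's own policies): a Kyverno ClusterPolicy that rewrites Docker Hub image references to a Harbor proxy project, and one that injects a PriorityClass when the chart did not set one. The Harbor hostname, the "dockerhub" proxy project, the "platform-critical" PriorityClass and the namespace lists are assumptions.

```yaml
# Added example: Kyverno mutations for image rewriting and PriorityClass
# injection. Harbor host, project name, PriorityClass and namespaces are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: rewrite-dockerhub-to-harbor
spec:
  background: false          # mutation happens at admission only
  rules:
    - name: containers
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              # Harbor and Kyverno must be able to pull without the proxy.
              namespaces: [kube-system, harbor, kyverno]
      mutate:
        foreach:
          - list: request.object.spec.containers
            # Kyverno's "images" variable normalizes bare references such as
            # "nginx:1.25" to registry docker.io, path library/nginx, tag 1.25,
            # so only Docker Hub images are rewritten; images already on
            # Harbor (or any other registry) are left alone.
            preconditions:
              all:
                - key: "{{ images.containers.{{element.name}}.registry }}"
                  operator: Equals
                  value: docker.io
            patchStrategicMerge:
              spec:
                containers:
                  - name: "{{ element.name }}"
                    # Digest-pinned references lose their digest here; give
                    # those a separate rule that carries .digest through.
                    image: "harbor.example.com/dockerhub/{{ images.containers.{{element.name}}.path }}:{{ images.containers.{{element.name}}.tag }}"
          - list: request.object.spec.initContainers
            preconditions:
              all:
                - key: "{{ images.initContainers.{{element.name}}.registry }}"
                  operator: Equals
                  value: docker.io
            patchStrategicMerge:
              spec:
                initContainers:
                  - name: "{{ element.name }}"
                    image: "harbor.example.com/dockerhub/{{ images.initContainers.{{element.name}}.path }}:{{ images.initContainers.{{element.name}}.tag }}"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-priority-class
spec:
  background: false
  rules:
    - name: add-priority-class
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: [monitoring, logging]   # charts that ignore the value
      mutate:
        patchStrategicMerge:
          spec:
            # "+(key)" is Kyverno's add-if-absent anchor: a Pod that already
            # sets priorityClassName keeps it, everything else gets the default.
            +(priorityClassName): platform-critical
```

Both policies act on Pods rather than Deployments so they also catch workloads created by operators and Jobs. Verify the rewrite with a dry run before enforcing it: `kubectl apply --dry-run=server -f pod.yaml -o yaml` shows the mutated image, and a Pod whose image already points at Harbor must come back unchanged.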

Kubescape

deployed

Kubernetes security platform for continuous scanning against NSA, MITRE, and CIS benchmarks.

Role: Compliance scanning and hardening recommendations

Open AppSec

deployed

ML-based web application firewall and API security.

Role: WAF protection for exposed services