docs: updating the structure and some of the docs

gambol99 · gambol99 · commit ae6bfa7b89fb · 2025-03-11T08:07:52.000Z
diff --git a/docs/docs/catalog/features.md b/docs/docs/catalog/features.md
@@ -0,0 +1,26 @@
+# Product Features
+
+## Features
+
+The following provides a collection of addons, description and the feature flag (i.e. a label within the cluster definition) to enable it.
+
+| Chart | Namespace | Description | Feature Flag |
+|-------|-----------|-------------|-------------|
+| metrics-server | kube-system | Collects resource metrics from Kubelets for pod autoscaling and kubectl top | enable_metrics_server |
+| volcano | volcano-system | Batch system and job scheduler for high-performance workloads | enable_volcano |
+| cert-manager | cert-manager | Automatic certificate management for Kubernetes | enable_cert_manager |
+| cluster-autoscaler | kube-system | Automatically adjusts the size of Kubernetes clusters | enable_cluster_autoscaler |
+| external-dns | kube-system | Synchronizes exposed Services and Ingresses with DNS providers | enable_external_dns |
+| external-secrets | external-secrets | Integrates external secret management systems with Kubernetes | enable_external_secrets |
+| argo-cd | argocd | Declarative GitOps continuous delivery tool | enable_argocd |
+| argo-events | argocd | Event-driven workflow automation framework | enable_argo_events |
+| argo-rollouts | argocd-rollouts | Progressive delivery controller for Kubernetes | enable_argo_rollouts |
+| argo-workflows | argo-workflows | Workflow engine for Kubernetes | enable_argo_workflows |
+| ingress-nginx | ingress-nginx | Ingress controller for Kubernetes using NGINX | enable_ingress_nginx |
+| keda | keda-system | Kubernetes-based Event Driven Autoscaling | enable_keda |
+| kro | kro-system | Kubernetes Resource Operator for custom resources | enable_kro |
+| kube-prometheus-stack | prometheus | Monitoring and alerting stack including Prometheus, Grafana, and Alertmanager | enable_kube_prometheus_stack |
+| kyverno | kyverno-system | Kubernetes native policy management | enable_kyverno |
+| prometheus-adapter | prometheus | Adapter to use Prometheus metrics with Kubernetes HPA | enable_prometheus_adapter |
+| secrets-store-csi-driver | kube-system | Interface between Kubernetes and external secret stores | enable_secrets_store_csi_driver |
+| vpa | kube-system | Vertical Pod Autoscaler for automatic CPU and memory requests | enable_vpa |
diff --git a/docs/docs/catalog/overview.md b/docs/docs/catalog/overview.md
@@ -0,0 +1 @@
+# Catalog Overview
diff --git a/docs/docs/getting-started/standalone-aws.md b/docs/docs/getting-started/standalone-aws.md
@@ -0,0 +1,20 @@
+# Building Standalone Cluster in AWS
+
+!!! note "Note"
+
+    This documentation is a work in progress and is subject to change. Please check back regularly for updates.
+
+This repository includes a terraform pipeline / codebase to validate locally a standalone build within AWS infrastructure. Enabling the platform team to validate any changes, add-ons, configurations and so forth before taking it to a revision.
+
+## Prerequisites
+
+- AWS CLI (<https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html>)
+- Kubectl (<https://kubernetes.io/docs/tasks/tools/#kubectl>)
+- Terraform (<https://developer.hashicorp.com/terraform/downloads>)
+
+## Terraform
+
+The terraform codebase can be found in the `terraform` directory. This currently uses two modules to handle the provisioning.
+
+- [terraform-aws-eks](https://github.com/gambol99/terraform-aws-eks) - This module provisions the EKS cluster, networking, iam roles and so on.
+- [terraform-kube-platform](https://github.com/gambol99/terraform-kube-platform) - This module provisions the platform components, such as ArgoCD and bootstraps the cluster with the platform.
diff --git a/docs/docs/platform/overview.md b/docs/docs/platform/overview.md
@@ -0,0 +1,17 @@
+# Platform Overview
+
+!!! note "Note"
+
+    This documentation is a work in progress and is subject to change. Please check back regularly for updates.
+
+---
+
+This section provides an overview of the core features and capabilities of the Kubernetes platform. The platform includes:
+
+- **Security Controls**: Built-in security policies and controls via Kyverno to enforce best practices
+- **Multi-Tenancy**: Namespace isolation and resource management for multiple teams/workloads
+- **GitOps Workflows**: Declarative application delivery and configuration management
+- **Observability**: Integrated monitoring, logging and tracing capabilities
+- **Developer Experience**: Streamlined workflows and tools for application teams
+
+The following sections detail the specific components and features available in the platform.
diff --git a/docs/docs/platform/security/kyverno.md b/docs/docs/platform/security/kyverno.md
@@ -0,0 +1,133 @@
+# Kyverno Policies
+
+## Overview
+
+Kyverno is a policy engine designed for Kubernetes that validates, mutates, and generates configurations using policies as Kubernetes resources. It provides key features like:
+
+- Policy validation and enforcement
+- Resource mutation and generation 
+- Image verification and security controls
+- Audit logging and reporting
+- Admission control webhooks
+
+The following policies are shipped by default in this platform to enforce security best practices, resource management, and operational standards.
+
+For detailed information about Kyverno's capabilities, refer to the [official documentation](https://kyverno.io/docs/) or [policy library](https://kyverno.io/policies/).
+
+---
+## :material-shield-lock: Rule: deny-empty-ingress-host
+
+**Category:** Best Practices | **Severity:** medium | **Scope:** Cluster-wide
+
+An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined.
+
+**Rules**
+
+- **disallow-empty-ingress-host** (Validation)
+
+---
+
+## :material-shield-lock: Rule: require-labels
+
+**Category:** Best Practices | **Severity:** medium | **Scope:** Cluster-wide
+
+Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the labels `app.kubernetes.io/name`, `app.kubernetes.io/version`, and `app.kubernetes.io/part-of` are specified with some value.
+
+**Rules**
+
+- **check-for-labels** (Validation)
+
+- **check-deployment-template-labels** (Validation)
+
+---
+
+## :material-shield-lock: Rule: deny-no-limits
+
+**Category:** Best Practices, EKS Best Practices | **Severity:** medium | **Scope:** Cluster-wide
+
+As application workloads share cluster resources, it is important to limit resources requested and consumed by each Pod. It is recommended to require resource requests and limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on the LimitRange configuration. This policy validates that all containers have something specified for memory and CPU requests and memory limits.
+
+**Rules**
+
+- **validate-resources** (Validation)
+
+---
+
+## :material-shield-lock: Rule: deny-external-secrets
+
+**Category:** Security | **Severity:** medium | **Scope:** Cluster-wide
+
+When provisioning ExternalSecrete, the key must be prefixed with the namespace name to ensure proper isolation and prevent unauthorized access.
+
+**Rules**
+
+- **namespace-prefix** (Validation)
+  - Applies to: ExternalSecret
+
+---
+
+## :material-shield-lock: Rule: deny-nodeport-service
+
+**Category:** Best Practices | **Severity:** medium | **Scope:** Cluster-wide
+
+A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type.
+
+**Rules**
+
+- **validate-nodeport** (Validation)
+
+---
+
+## :material-shield-lock: Rule: deny-default-namespace
+
+**Category:** Multi-Tenancy | **Severity:** medium | **Scope:** Cluster-wide
+
+Kubernetes Namespaces are an optional feature that provide a way to segment and isolate cluster resources across multiple applications and users. As a best practice, workloads should be isolated with Namespaces. Namespaces should be required and the default (empty) Namespace should not be used. This policy validates that Pods specify a Namespace name other than `default`. Rule auto-generation is disabled here due to Pod controllers need to specify the `namespace` field under the top-level `metadata` object and not at the Pod template level.
+
+**Rules**
+
+- **validate-namespace** (Validation)
+
+- **validate-podcontroller-namespace** (Validation)
+
+---
+
+## :material-shield-lock: Rule: deny-latest-image
+
+**Category:** Best Practices | **Severity:** medium | **Scope:** Cluster-wide
+
+The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`.
+
+**Rules**
+
+- **require-image-tag** (Validation)
+
+- **validate-image-tag** (Validation)
+
+---
+
+## :material-shield-lock: Rule: deny-no-pod-probes
+
+**Category:** Best Practices, EKS Best Practices | **Severity:** medium | **Scope:** Cluster-wide
+
+Liveness and readiness probes need to be configured to correctly manage a Pod's lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic `livenessProbe` is performed by the kubelet to determine if the Pod's containers are running or need to be restarted. A `readinessProbe` is used by Services and Deployments to determine if the Pod is ready to receive network traffic. This policy validates that all containers have one of livenessProbe, readinessProbe, or startupProbe defined.
+
+**Rules**
+
+- **deny-no-pod-probes** (Validation)
+
+---
+
+## :material-shield-lock: Rule: deny-cap-net-raw
+
+**Category:** Best Practices | **Severity:** medium | **Scope:** Cluster-wide
+
+Capabilities permit privileged actions without giving full root access. The CAP_NET_RAW capability, enabled by default, allows processes in a container to forge packets and bind to any interface potentially leading to MitM attacks. This policy ensures that all containers explicitly drop the CAP_NET_RAW ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards.
+
+**Rules**
+
+- **require-drop-cap-net-raw** (Validation)
+
+---
+
+**Total Policies: 9**
diff --git a/docs/docs/platform/tenant/applications.md b/docs/docs/platform/tenant/applications.md
@@ -70,6 +70,9 @@ kustomize:
   path: kustomize
   # (Optional) Override the namespace to use for the deployment.
   namespace: override-namespace
+  # (Required) Details the revision to point; this is a revision within those repository and 
+  # is used to control a point in time of the manifests.
+  revision: <GIT+SHA>
   # (Optional) Patches to apply to the deployment.
   patches:
     - target:
@@ -89,3 +92,63 @@ kustomize:
           ## This is the default value to use if the value is not found.
           default: "1.21.3"
 ```
+
+Unlike Helm where versions are managed externally through chart repositories, Kustomize manifests are typically stored directly in your repository. While Kustomize overlays provide environment-specific customization, changes to shared base configurations could potentially affect all environments simultaneously.
+
+To provide better control and safety, the `revision` field is used to pin Kustomize deployments to a specific Git commit or branch in the tenant repository. This allows you to:
+
+- Make changes to manifests in the main branch without affecting production
+- Control the rollout of changes across environments by updating revisions
+- Roll back to previous versions by reverting to earlier commits
+- Test changes in lower environments before promoting to production
+
+**Example workflow:**
+
+1. Develop and commit Kustomize changes to main branch
+2. Test in dev environment by updating dev cluster's revision
+3. Promote to staging/prod by updating their revisions after validation
+4. Roll back if needed by reverting to previous commit SHA
+
+## :material-application-array-outline: Kustomize with External Source
+
+For teams that prefer to maintain their Kustomize manifests in a separate repository, you can reference external sources directly. This provides flexibility in managing deployment configurations and allows for independent versioning strategies. A typical example would be to use floating tags to represent the environments.
+
+1. Create a folder for your application (this becomes the namespace by default)
+2. Add the `CLUSTER_NAME.yaml` file with external repository configuration:
+
+```yaml
+kustomize:
+  # (Required) The URL to the kustomize repository
+  repository: GIT_URL
+  # (Required) The path inside the repository 
+  path: overlays/dev
+  # (Required) Use a floating tag 'dev' for the development cluster and similar for the prod
+  revision: dev
+```
+
+## :material-application-array-outline: Combinational Deployment
+
+You can combine both helm and kustomize deployments in a single file. This allows you to deploy applications that require both deployment methods.
+
+1. Create a folder for your application, e.g. `myapp`
+2. Add a `CLUSTER_NAME.yaml` file that contains both helm and kustomize configurations
+
+```yaml
+helm:
+  ## (Optional) The chart to use for the deployment.
+  chart: ./charts/platform
+  ## (Optional) The path inside a repository to the chart to use for the deployment.
+  path: ./charts/platform
+  ## (Required) The release name to use for the deployment.
+  release_name: platform
+  ## (Required) The version of the chart to use for the deployment.
+  version: 0.1.0
+
+kustomize:
+  # (Required) The path to the kustomize base.
+  path: kustomize
+  # (Optional) Override the namespace to use for the deployment.
+  namespace: override-namespace
+  # (Required) Git revision 
+  revision: git+sha
+```
diff --git a/docs/docs/platform/tenant/system.md b/docs/docs/platform/tenant/system.md
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
@@ -2,7 +2,7 @@ site_name: Kubernetes Platform
 repo_url: https://github.com/gambol99/kubernetes-platform
 
 nav:
-  - Platform: index.md
+  - Overview: index.md
   - Architecture:
       - Overview: architecture/overview.md
       - Platform Setup: architecture/setup.md
@@ -13,9 +13,13 @@ nav:
       - Local Development: getting-started/local-development.md
       - Standalone: getting-started/standalone.md
       - Hub & Spoke: getting-started/central.md
-  - Tenant Services:
-      - Tenant Applications: tenant/applications.md
-      - Tenant System: tenant/system.md
+  - Platform:
+      - Overview: platform/overview.md
+      - Workloads:
+          - Applications: platform/tenant/applications.md
+          - System: platform/tenant/system.md
+      - Security:
+          - Kyverno Policies: platform/security/kyverno.md
 
 theme:
   name: material
