Portefaix reference documentation

Detailed reference documentation on various Portefaix components

1 - Components

The components used by Portefaix

Infrastructure management

  • Terraform: Bootstraps and manages the cloud provider infrastructure.
  • Crossplane: Kubernetes-native infrastructure management.

Cluster management

  • Argo CD: Reconciles Kubernetes clusters with this repository.
  • Kyverno: Policy engine supporting validate, mutate, generate, and cleanup rules.
  • Renovate: Automatic updates for applications via pull requests.

Secrets

Networking

  • Cilium: eBPF-based CNI & service mesh.
  • Cert Manager: Automatic Let’s Encrypt certificates.

Security

  • Falco: Cloud-native runtime security.
  • Authentik: Identity Provider.
  • Trivy: Kubernetes and container vulnerability scanner.
  • Tetragon: eBPF-based security observability and runtime enforcement.

Observability

  • Grafana: Visualization platform.
  • Prometheus: Monitoring system.
  • Loki: Log aggregation system.
  • Tempo: High-scale distributed tracing backend.
  • Mimir: Horizontally scalable TSDB for long-term Prometheus storage.
  • Alloy: The OpenTelemetry distribution from Grafana.

Storage

2 - Hub

The Portefaix Hub for Helm charts

Portefaix Hub

Portefaix Hub is the Helm charts repository of the Portefaix project.

All charts can be found on Artifact Hub.

3 - Policies

The Portefaix policies

Portefaix Policies contains Kubernetes policies for Kyverno or Open Policy Agent.

Kyverno

  • PORTEFAIX-C0001 - Container must not use latest image tag
  • PORTEFAIX-C0002 - Container must set liveness probe
  • PORTEFAIX-C0003 - Container must set readiness probe
  • PORTEFAIX-C0004 - Container must mount secrets as volumes, not environment variables
  • PORTEFAIX-C0005 - Container must drop all capabilities
  • PORTEFAIX-C0006 - Container must not allow for privilege escalation
  • PORTEFAIX-C0008 - Container resource constraints must be specified
  • PORTEFAIX-M0001 - Metadata must set recommended Kubernetes labels
  • PORTEFAIX-M0002 - Metadata should have a8r.io annotations
  • PORTEFAIX-M0003 - Metadata should have portefaix.xyz annotations
  • PORTEFAIX-P0002 - Pod must run without access to the host IPC
  • PORTEFAIX-P0003 - Pod must run without access to the host networking
  • PORTEFAIX-P0004 - Pod must run as non-root
  • PORTEFAIX-P0005 - Pod must run without access to the host PID

Open Policy Agent

  • PORTEFAIX-C0001: Container must not use latest image tag
  • PORTEFAIX-C0002: Container must set liveness probe
  • PORTEFAIX-C0003: Container must set readiness probe
  • PORTEFAIX-C0004: Container must mount secrets as volumes, not environment variables
  • PORTEFAIX-C0006: Container must not allow for privilege escalation
  • PORTEFAIX-C0008: Container must define resource constraints
  • PORTEFAIX-M0001: Metadata should contain all recommended Kubernetes labels
  • PORTEFAIX-M0002: Metadata should have a8r.io annotations
  • PORTEFAIX-M0003: Metadata should have portefaix.xyz annotations
  • PORTEFAIX-N0001: Disallow Default Namespace

4 - KRM

The Kubernetes Resources Model deployed into Portefaix

Kubernetes Resources Model

KRM can be used to deploy infrastructure on cloud providers.

GCP

Config Connector

AWS

AWS Controller for Kubernetes

Azure

Azure Service Operator

5 - InSpec

The InSpec profiles for Portefaix

GCP

AWS

Azure