Security and Identity

This section provides an overview of the security architecture and identity management within the home-ops cluster. The security posture is built on a multi-layered defense strategy: centralized Identity and Access Management (IAM) via Authentik, granular Kubernetes policy enforcement, and eBPF-powered runtime observability.

Identity and Access Management

The cluster utilizes Authentik as the central Identity Provider (IdP). Authentik facilitates Single Sign-On (SSO) for internal and external applications using OAuth2, OIDC, and LDAP protocols. It is deployed as a high-availability HelmRelease and utilizes DragonflyDB as a high-performance Redis-compatible cache to ensure low-latency authentication flows.

Applications such as romm integrate directly with Authentik via OIDC (see kubernetes/apps/media/romm/app/helmrelease.yaml, lines 50-53), while other services are protected using the ext-auth pattern through Envoy Gateway.

Identity Flow Overview

The following diagram illustrates the relationship between the identity provider and application workloads.

[Flowchart Diagram]

For details, see Authentik Identity Provider.


Kubernetes Security Tooling

The cluster employs a suite of tools to ensure the integrity of the runtime environment and compliance with security policies. These tools provide visibility from the container image level down to the Linux kernel syscall level.

Policy Enforcement and Vulnerability Scanning

Security Observability Stack

[Flowchart Diagram]

For details, see Kubernetes Security Tooling.


Network Security and Ingress

Security is also enforced at the networking layer through Cilium. The CNI is configured with kubeProxyReplacement and utilizes eBPF for efficient packet filtering (see kubernetes/apps/kube-system/cilium/app/helmrelease.yaml, lines 58-64). Cilium's securityContext is tightly scoped to include only necessary capabilities such as NET_ADMIN, SYS_ADMIN, and BPF (see kubernetes/apps/kube-system/cilium/app/helmrelease.yaml, lines 91-106).

Access to internal management UIs, such as Hubble, is restricted via HTTPRoute resources that reference internal gateways (see kubernetes/apps/kube-system/cilium/app/httproute.yaml, lines 1-23).
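The two controls described above (an HTTPRoute bound only to an internal gateway, and the ext-auth pattern through Envoy Gateway mentioned in the identity section) combined in one added example. This is illustrative YAML, not a manifest from the home-ops repository; the Gateway name and namespace, the Authentik outpost Service name and port, and the hostname are assumptions.

```yaml
# Added example (not from the home-ops repository). Gateway, Service and
# hostname values below are assumed placeholders, not the cluster's real ones.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: hubble-ui
  namespace: kube-system
spec:
  parentRefs:
    - name: internal          # assumed: a Gateway reachable only from the LAN
      namespace: network
      sectionName: https
  hostnames:
    - "hubble.example.internal"
  rules:
    - backendRefs:
        - name: hubble-ui     # Service created by the Cilium chart for Hubble UI
          port: 80
---
# Envoy Gateway SecurityPolicy: every request on the route above is sent to
# Authentik's forward-auth endpoint first; the backend never sees an
# unauthenticated request.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: hubble-ui-ext-auth
  namespace: kube-system
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: hubble-ui
  extAuth:
    failOpen: false           # deny, don't allow, if Authentik is unreachable
    headersToExtAuth:
      - cookie                # Authentik's session cookie decides the verdict
    http:
      backendRefs:
        - name: authentik-outpost   # assumed Service name of the embedded outpost
          namespace: security       # cross-namespace refs need a ReferenceGrant
          port: 9000
      path: /outpost.goauthentik.io/auth/envoy
      headersToBackend:             # identity passed on only after a 200 from Authentik
        - x-authentik-username
        - x-authentik-groups
```

With failOpen left at false, an outage of the outpost fails closed; the same SecurityPolicy shape can carry an oidc block instead of extAuth for apps that cannot consume forwarded headers.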

For details on how networking integrates with security, see Cilium CNI and Network Policies.