{"id":30886860,"url":"https://github.com/cloudon-one/k8s-security-autoscaling","last_synced_at":"2026-05-18T09:31:52.815Z","repository":{"id":310353018,"uuid":"1039543934","full_name":"cloudon-one/k8s-security-autoscaling","owner":"cloudon-one","description":"Config samples for k8s security and autoscaling","archived":false,"fork":false,"pushed_at":"2025-08-22T15:30:13.000Z","size":30,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-08T13:58:35.442Z","etag":null,"topics":["autoscaling","k8s","karperner","keda","terraform"],"latest_commit_sha":null,"homepage":"https://cloudon-one.com","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudon-one.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security/README.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":null,"patreon":"yaarcloudon","open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"lfx_crowdfunding":null,"polar":null,"buy_me_a_coffee":null,"thanks_dev":null,"custom":null}},"created_at":"2025-08-17T13:21:05.000Z","updated_at":"2025-08-22T15:30:40.000Z","dependencies_parsed_at":"2025-08-17T15:27:06.645Z","dependency_job_id":"7a8a9426-b30b-41c9-b47d-b39aea7ae3ef","html_url":"https://github.com/cloudon-one/k8s-security-autoscaling","commit_stats":null,"previous_names":["cloudon-one/k8s-security-autoscling","cloudon-one/k8s-security-autoscaling"],"tags_count"
:null,"template":false,"template_full_name":null,"purl":"pkg:github/cloudon-one/k8s-security-autoscaling","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fk8s-security-autoscaling","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fk8s-security-autoscaling/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fk8s-security-autoscaling/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fk8s-security-autoscaling/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudon-one","download_url":"https://codeload.github.com/cloudon-one/k8s-security-autoscaling/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fk8s-security-autoscaling/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33172576,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-18T09:27:30.708Z","status":"ssl_error","status_checked_at":"2026-05-18T09:27:28.300Z","response_time":71,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["autoscaling","k8s","karperner","keda","terraform"],"created_at":"2025-09-08T13:51:48.210Z","updated_at":"2026-05-18T09:31:52.810Z","avatar_url":"https://github.com/cloudon-one.png","language":"HCL","funding_links":["https://patreon.com/yaarcloudon"],"categories":[],"sub_categories":[],"readme":"# Kubernetes Security \u0026 Auto-scaling on EKS\n\nComplete production-ready setup for secure, auto-scaling Kubernetes workloads on Amazon EKS with comprehensive security controls and event-driven scaling.\n\n## 🏗️ Architecture Overview\n\n```mermaid\ngraph TB\n    subgraph \"CI/CD Pipeline\"\n        A[Developer] --\u003e B[Git Push]\n        B --\u003e C[Trivy Scan]\n        C --\u003e D[Build \u0026 Deploy]\n    end\n    \n    subgraph \"EKS Cluster\"\n        E[Kyverno] --\u003e F[Pod Admission]\n        G[KEDA] --\u003e H[Workload Scaling]\n        I[Karpenter] --\u003e J[Node Provisioning]\n        K[Falco] --\u003e L[Runtime Security]\n    end\n    \n    subgraph \"Monitoring\"\n        M[Kube-bench] --\u003e N[CIS Compliance]\n        O[Kubescape] --\u003e P[Security Posture]\n        L --\u003e Q[Slack Alerts]\n    end\n    \n    D --\u003e F\n    H --\u003e J\n```\n\n## 📋 Components\n\n### Security Layer\n- **Trivy**: Container image and IaC vulnerability scanning\n- **Kyverno**: Policy-as-code admission controller\n- **Falco**: Runtime threat detection with Slack integration\n- **Kube-bench**: CIS Kubernetes benchmark compliance\n- **Kubescape**: NIST/MITRE security posture 
assessment\n\n### Auto-scaling Layer\n- **KEDA**: Event-driven horizontal pod autoscaling (SQS-based)\n- **Karpenter**: Just-in-time node provisioning with spot instances\n\n## 🚀 Quick Start\n\n### Prerequisites\n\n```bash\n# Required tools\naws --version        # AWS CLI v2\nkubectl version      # Kubernetes CLI\nterraform --version  # Terraform \u003e= 1.0\nhelm version         # Helm v3\npython3 --version    # Python 3 (for YAML validation)\n\n# EKS cluster with OIDC provider\naws eks describe-cluster --name \u003ccluster-name\u003e --query cluster.identity.oidc.issuer\n\n# Verify Helm repositories\nhelm repo add falcosecurity https://falcosecurity.github.io/charts\nhelm repo add kedacore https://kedacore.github.io/charts\nhelm repo update\n```\n\n### 1. Deploy Security Infrastructure\n\n```bash\ncd security\nkubectl apply -f rbac.yaml\nkubectl apply -f kyverno.yaml\n\n# Install Falco with Slack integration\nhelm repo add falcosecurity https://falcosecurity.github.io/charts\nhelm install falco falcosecurity/falco -n security -f falco-values.yaml\n\n# Schedule compliance scans\nkubectl apply -f kube-bench.yaml\nkubectl apply -f kubescape.yaml\n```\n\n### 2. Deploy Auto-scaling Infrastructure\n\n```bash\ncd ../autoscaling/terraform\n\n# Validate configuration first\nterraform fmt\nterraform validate\n\n# Configure variables\nexport TF_VAR_aws_region=\"eu-central-1\"\nexport TF_VAR_cluster_name=\"my-eks-cluster\"\n\n# Plan and deploy\nterraform init\nterraform plan\nterraform apply\n```\n\n### 3. 
Apply Scaling Manifests\n\n```bash\ncd ../manifests\n\n# Validate YAML syntax first\npython3 -c \"import yaml; [list(yaml.safe_load_all(open(f))) for f in ['karpenter-ec2nodeclass.yaml', 'karpenter-nodepool.yaml', 'keda-scaledobject-sqs.yaml']]\"\n\n# Apply in order (dependencies matter)\nkubectl apply -f karpenter-ec2nodeclass.yaml\nkubectl apply -f karpenter-nodepool.yaml\nkubectl apply -f keda-scaledobject-sqs.yaml\n```\n\n## 🔧 Configuration Details\n\n### Karpenter Node Provisioning\n\n**EC2NodeClass** (`workers-spot`):\n- **AMI**: Amazon Linux 2\n- **Instance types**: c5/c6i, m5/m6i (generation \u003e 5)\n- **Capacity**: Spot instances with 72h expiry\n- **Networking**: Auto-discovery via `karpenter: \"true\"` tags\n\n**NodePool** specifications:\n```yaml\nlimits:\n  cpu: 1000                    # Max 1000 vCPUs\ntaints:\n  - key: spot\n    effect: NoSchedule          # Isolate spot workloads\ndisruption:\n  consolidationPolicy: WhenUnderutilized\n  expireAfter: 72h             # Force refresh every 3 days\n```\n\n### KEDA Event-driven Scaling\n\n**ScaledObject** (`orders-consumer`):\n- **Trigger**: AWS SQS queue depth\n- **Scaling range**: 0-200 replicas\n- **Threshold**: 100 messages per replica\n- **Cooldown**: 60 seconds between scale events\n\n```yaml\ntriggers:\n  - type: aws-sqs-queue\n    metadata:\n      queueURL: https://sqs.eu-central-1.amazonaws.com/123456789012/orders  # Update with real queue URL\n      queueLength: \"100\"\n      awsRegion: eu-central-1\n```\n\n**⚠️ Configuration Update Required**: Replace the example SQS queue URL with your actual queue URL before deployment.\n\n### Security Policies\n\n**Kyverno admission rules**:\n- ❌ Privileged containers blocked\n- ✅ Non-root execution required\n- ❌ `:latest` image tags disallowed\n- ✅ Resource requests/limits mandatory\n\n**Falco runtime detection**:\n- Suspicious syscalls → Slack alerts\n- Container escapes → Immediate notification\n- Privilege escalation → Security team alert\n\n## 📊 
Monitoring \u0026 Verification\n\n### Real-time Monitoring\n\n```bash\n# Watch node auto-provisioning\nkubectl get nodes -l karpenter.sh/nodepool=workers-spot -w\n\n# Monitor workload scaling\nkubectl get pods -l app=orders-consumer -w\n\n# Check SQS queue depth\naws sqs get-queue-attributes \\\n  --queue-url https://sqs.eu-central-1.amazonaws.com/123456789012/orders \\\n  --attribute-names ApproximateNumberOfMessages\n```\n\n### Security Validation\n\n```bash\n# Check policy violations\nkubectl get events --field-selector reason=PolicyViolation\n\n# View Falco alerts\nkubectl logs -n security -l app.kubernetes.io/name=falco -f\n\n# Compliance scan results\nkubectl logs -n security -l app=kube-bench\nkubectl logs -n security -l app=kubescape\n```\n\n### Scaling Metrics\n\n```bash\n# KEDA scaling status\nkubectl get scaledobject -A\nkubectl describe scaledobject orders-consumer\n\n# Karpenter provisioning\nkubectl get nodepool -n karpenter\nkubectl describe nodepool workers-spot\n```\n\n## 🔐 Security Best Practices\n\n### CI/CD Integration\n\nAdd to `.github/workflows/security.yml`:\n```yaml\n- name: Trivy vulnerability scan\n  uses: aquasecurity/trivy-action@master\n  with:\n    scan-type: config\n    severity: CRITICAL,HIGH\n```\n\n### Runtime Security\n\n**Falco configuration notes**:\n- Update Slack webhook URL in `security/falco-values.yaml`\n- Service account `security-tools` must exist before installation\n\n**Falco rules** detect:\n- Shell spawned in container\n- Sensitive file access\n- Network connections from containers\n- Privilege escalation attempts\n\n### Compliance Automation\n\n**Scheduled scans**:\n- Kube-bench: Daily CIS compliance check\n- Kubescape: NIST/MITRE posture assessment\n- Results exported to JSON for SIEM integration\n\n## 🛠️ Troubleshooting\n\n### Configuration Validation\n\n**Before deployment, validate all configurations**:\n```bash\n# Terraform validation\ncd autoscaling/terraform\nterraform fmt -check\nterraform validate\n\n# YAML 
syntax validation\npython3 -c \"\nimport yaml, os\nfor root, dirs, files in os.walk('.'):\n    for file in files:\n        if file.endswith(('.yaml', '.yml')):\n            with open(os.path.join(root, file)) as f:\n                # list() consumes the lazy generator so every document is parsed\n                list(yaml.safe_load_all(f))\nprint('All YAML valid')\n\"\n\n# Helm chart verification\nhelm show chart oci://public.ecr.aws/karpenter/karpenter --version 1.1.0\nhelm search repo kedacore/keda --version 2.17.2\n```\n\n### Common Issues\n\n**Terraform Provider Issues**:\n```bash\n# If Helm provider fails, ensure using v3.0+ syntax\n# providers.tf should use: kubernetes = { config_path = \"~/.kube/config\" }\n# NOT: kubernetes { config_path = \"~/.kube/config\" }\n\n# Re-initialize if provider issues\nterraform init -upgrade\n```\n\n**Karpenter nodes not provisioning**:\n```bash\n# Check IAM permissions\nkubectl logs -n karpenter -l app.kubernetes.io/name=karpenter\n\n# Verify subnet/SG tags\naws ec2 describe-subnets --filters \"Name=tag:karpenter,Values=true\"\n\n# Ensure role exists\naws iam get-role --role-name karpenter-node-role\n```\n\n**KEDA not scaling**:\n```bash\n# Check SQS permissions\nkubectl logs -n keda -l app.kubernetes.io/name=keda-operator\n\n# Verify queue URL and region (update placeholder values)\nkubectl describe scaledobject orders-consumer\n\n# Test queue access\naws sqs get-queue-attributes --queue-url \u003cyour-actual-queue-url\u003e --attribute-names ApproximateNumberOfMessages\n```\n\n**Security policy blocks**:\n```bash\n# Check Kyverno policy reports\nkubectl get policyreport -A\n\n# Review admission controller logs\nkubectl logs -n kyverno -l app.kubernetes.io/name=kyverno\n\n# Test policy with dry-run\nkubectl apply --dry-run=server -f \u003cyour-manifest\u003e\n```\n\n## 📚 Additional Resources\n\n- [Karpenter Best Practices](https://karpenter.sh/docs/concepts/)\n- [KEDA Scalers Documentation](https://keda.sh/docs/scalers/)\n- [Falco Rules Reference](https://falco.org/docs/rules/)\n- [Kyverno Policy 
Library](https://kyverno.io/policies/)\n\n## 🏷️ Tags \u0026 Labels\n\nAll resources use consistent labeling:\n```yaml\nlabels:\n  app.kubernetes.io/name: \u003ccomponent\u003e\n  app.kubernetes.io/version: \u003cversion\u003e\n  environment: production\n  team: platform\n```\n\n## ✅ Configuration Versions\n\n**Tested with:**\n- Terraform: \u003e= 1.0\n- Helm: v3.0+\n- Karpenter: v1.1.0 (OCI registry)\n- KEDA: v2.17.2\n- Falco: v6.2.5\n- Kyverno: Latest (via manifest)\n\n**Important Notes:**\n- Helm provider v3.0+ requires object syntax: `kubernetes = {}` not `kubernetes {}`\n- Karpenter uses v1 API (not v1beta1)\n- All configurations validated for syntax and compatibility\n\n## 📄 License\n\nMIT License - see [LICENSE](LICENSE) file for details.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudon-one%2Fk8s-security-autoscaling","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudon-one%2Fk8s-security-autoscaling","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudon-one%2Fk8s-security-autoscaling/lists"}