github.com/mmrajput/kubernetes-single-cluster

Kubernetes Single-Cluster Platform

Platform Engineering · Logical Architecture · All Phases Complete

Virtualization Layer · Phase 2 · Proxmox VE 8.x · LVM-thin · vmbr0
Host: Beelink SER5 Pro · AMD Ryzen 5 5500U · 32GB RAM · 500GB NVMe

  control-plane-1 · 192.168.178.34 · 6GB RAM · 4 vCPU · Ubuntu 24.04
    kube-apiserver · etcd · scheduler · controller-manager · cloud-init
  worker-1 · 192.168.178.35 · 7GB RAM · 4 vCPU · Ubuntu 24.04
    kubelet · kube-proxy · containerd · Calico CNI · local-path-provisioner
  worker-2 · 192.168.178.36 · 7GB RAM · 4 vCPU · Ubuntu 24.04
    kubelet · kube-proxy · containerd · Calico CNI · local-path-provisioner
GitOps Layer · Phase 5 · namespace: platform · All changes via Git

  ArgoCD · v3.2.3
    App-of-Apps pattern · self-managed
    GitOps engine · zero manual kubectl apply
  nginx-ingress · IngressClass
    NodePort 30080 / 30443
    Hostname-based routing
  Ansible + GitHub · IaC
    Infrastructure as Code · Phase 3–4
    Idempotent playbooks · cloud-init
Observability Layer · Phase 6 · namespace: observability · Established before workload deployment

  Prometheus · scrape
    Metrics · ServiceMonitor CRDs
    kube-prometheus-stack
  Grafana · OIDC SSO
    Dashboards · Kubernetes panels
    Pre-built + custom dashboards
  Loki + Promtail · DaemonSet
    Log aggregation
    Node-level collectors
  Alertmanager · rules
    Alert routing
    Notification integration
Security Layer · Phase 7 · Security baseline before stateful workloads · Default-deny posture

  cert-manager · Webhooks
    Webhook TLS for CNPG & ESO
    External TLS terminated at Cloudflare
  NetworkPolicies · pre-DNAT
    Default-deny · explicit allow rules
    Calico enforcement
  RBAC Hardening · ClusterRole
    Least-privilege service accounts
    Per-workload roles
  Pod Security Standards · PSS
    Audit → Enforce · per namespace
    restricted / baseline profiles
  External Secrets Operator · ESO v2.1.0
    Secrets backend integration
    Vault KV v2 → K8s Secrets
  Falco · DaemonSet
    Runtime anomaly detection
    Syscall monitoring
  kube-bench · CIS
    CIS Benchmark · remediation report
    K8s hardening validation
  ☁ Cloudflare · Tunnel
    Tunnel · Access · WAF · DNS-01
    Zero Trust edge
Storage Layer · Phase 8 · Validated before stateful workloads are deployed

  Longhorn · Default SC
    Distributed · replication factor 2
    Production PVs across worker nodes
  MinIO
    S3-compatible object storage
    Loki long-term storage · Velero backup target
  local-path · SC
    local-path-provisioner
    Dev / cache workloads
    Phase 4 · fast local storage
Identity & Database Layer · Phase 9 · namespace: identity, databases · OIDC SSO across all platform services

  Keycloak · v26.x
    Central OIDC identity provider
    TLS · resource limits · Longhorn storage
    MFA · SSO · user federation
  ArgoCD + SSO · OIDC client
    OIDC login via Keycloak
    Group-based RBAC
  CloudNativePG · WAL + PITR
    PostgreSQL lifecycle management
    Keycloak DB · TLS
    Automated failover · Longhorn PVs · backups
  HashiCorp Vault · Vault KV v2
    KV v2 secrets backend
    Longhorn PVC · standalone mode
    ESO ClusterSecretStore
  Grafana + SSO · OIDC client
    OIDC login via Keycloak
    Group membership mapper
  Velero · Backup
    Cluster backup & restore
    MinIO S3 backend · Schedule CRDs
Application Layer · Phase 10 · namespace: apps · Production workloads on hardened platform

  Homepage Dashboard · apps ns
    Service overview dashboard
    Single pane of glass for the platform
    jameswynn Helm chart · Cloudflare Access
  Nextcloud · DSGVO (GDPR)
    Data sovereignty platform
    PostgreSQL via CloudNativePG · TLS
    Keycloak SSO · Longhorn · Velero backups
  Ollama + LLMs · Tested · Not Active
    CPU-only LLM serving
    Deployment + Longhorn PVC
  K8sGPT + HolmesGPT · Tested · Not Active
    AI-powered cluster analysis
    Ollama backend integration
CI/CD Layer · Phase 10 · Staging: automated promotion · Production: manual Git tag gate

  ↓ Staging · Automated
    1. GH Actions: watch upstream image
    2. Trivy scan: block HIGH/CRITICAL
    3. crane: promote image tag
    4. Helm: update tag → main branch commit
    5. ArgoCD: sync → staging ns
  ↓ Production · Manual Gate
    1. Validate staging: human decision point
    2. Git tag (e.g. v1.2.0) on main
    3. Helm: update production-values.yaml
    4. ArgoCD: sync → production ns

Staging deploys automatically on every clean image promotion to main.
Production requires a deliberate Git tag; there is no automatic rollout to production.
ARC v0.14.0 self-hosted runner runs as a Pod inside the cluster.
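The two gates in the pipeline above, the Trivy HIGH/CRITICAL block on the staging path and the release-tag requirement on the production path, as an added Python example. This is not code from the mmrajput/kubernetes-single-cluster repository. It assumes Trivy's JSON report layout (Results[].Vulnerabilities[].Severity), release tags of the form vMAJOR.MINOR.PATCH, and a Helm values file with an image `tag:` line; the sample report and its CVE ids are constructed placeholders, not real scan output.

```python
"""Promotion-gate logic for a staging (automated) / production (tagged) flow.

Added example; not the repository's own pipeline code. Assumptions:
Trivy JSON layout (Results[].Vulnerabilities[].Severity), vX.Y.Z release
tags, and a Helm values file containing exactly one `tag:` line.
"""
import re

# Staging gate: any finding at one of these severities blocks promotion.
BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}

# Production gate: only a deliberate release tag may roll out, never a branch push.
RELEASE_TAG = re.compile(r"^v\d+\.\d+\.\d+$")

# Constructed Trivy-style report; the CVE ids are placeholders, not real ones.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "example/app:1.2.0 (alpine 3.20)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "CRITICAL"},
            ],
        },
        # Trivy emits null rather than [] for targets without findings; handle both.
        {"Target": "Node.js", "Vulnerabilities": None},
    ]
}


def blocking_findings(report: dict) -> list[dict]:
    """Return the findings whose severity would fail the staging gate."""
    found = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "")).upper()
            if severity in BLOCKING_SEVERITIES:
                found.append({
                    "id": vuln.get("VulnerabilityID"),
                    "pkg": vuln.get("PkgName"),
                    "severity": severity,
                    "target": result.get("Target"),
                })
    return found


def staging_promotion_allowed(report: dict) -> bool:
    """Staging gate: a clean scan (no HIGH/CRITICAL) permits the crane promotion."""
    return not blocking_findings(report)


def production_promotion_allowed(git_ref: str) -> bool:
    """Production gate: the ref must be a vX.Y.Z release tag, not a branch name."""
    return RELEASE_TAG.match(git_ref) is not None


def bump_image_tag(values_yaml: str, new_tag: str) -> str:
    """Rewrite the single `tag:` line of a Helm values file (the 'Helm: update tag' step).

    Plain-text edit so no YAML library is needed; the new value is quoted so a
    tag such as "1.10" is not read back as a float.
    """
    updated, count = re.subn(
        r'^(\s*tag:\s*)"?[^"\n]*"?[ \t]*$',
        lambda m: m.group(1) + '"' + new_tag + '"',
        values_yaml,
        flags=re.MULTILINE,
    )
    if count != 1:
        raise ValueError(f"expected exactly one tag: line, found {count}")
    return updated


if __name__ == "__main__":
    for f in blocking_findings(SAMPLE_REPORT):
        print(f"BLOCK {f['severity']} {f['id']} in {f['pkg']} ({f['target']})")
    print("staging promotion allowed:", staging_promotion_allowed(SAMPLE_REPORT))
    for ref in ("main", "v1.2.0", "v1.2"):
        print(f"production rollout for {ref!r}:", production_promotion_allowed(ref))
```

In a real workflow the report dict comes from `trivy image --format json`, the ref from the CI event that triggered the run, and the values file from the checked-out repo; keeping the decisions in small pure functions makes the gate itself testable without a cluster.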
// Phase Progression · Current Project
  Ph.0  Planning
  Ph.1  DevEnv
  Ph.2  Proxmox
  Ph.3  VMs
  Ph.4  Kubernetes
  Ph.5  GitOps
  Ph.6  Observability
  Ph.7  Security
  Ph.8  Storage
  Ph.9  Identity
  Ph.10 Apps + CI/CD
  Ph.11 AI / LLM
Next Project · Kubernetes Multi-Cluster Platform · Talos + ArgoCD Hub + vCluster + Cilium