Skip to main content

Workload Guardrails

This page is the reference for Lumie's application-layer workload guardrails. It covers the checked-in safety rails that sit between a Helm values file and a running workload: PodDisruptionBudgets, namespace-level NetworkPolicies, audit-mode Kyverno policies, and the Goldilocks-adjacent labels that still appear in manifests.

Source Paths

PathRole
lumie-infra/charts/common/values.yamlShared workload defaults, including resource shape, security context, rollout strategy, and optional PDB settings
lumie-infra/charts/common/templates/pdb.yamlShared PDB rendering contract
lumie-infra/applications/lumie/backend/common-values.yamlBackend opt-in for PDB, resource requests, and security context
lumie-infra/applications/lumie/frontend/common-values.yamlFrontend opt-in for PDB, resource requests, and security context
lumie-infra/applications/lumie/worker/grading-svc/common-values.yamlWorker opt-in for PDB, resource requests, and security context
lumie-infra/applications/lumie/{backend,frontend,worker/grading-svc,develop}/manifests/network-policy.yamlDefault-deny plus explicit-allow NetworkPolicy sets
lumie-infra/security/kyverno/argocd.yamlArgoCD application for the Kyverno controller and local policy set
lumie-infra/security/kyverno/manifests/policies/*.yamlChecked-in validation and mutate policies
lumie-infra/security/kyverno/manifests/policy-exceptions.yamlExplicit exceptions for bootstrap, Falco, Tekton DinD, and CNPG
lumie-infra/observability/goldilocks/argocd.yamlGoldilocks application definition kept in repo
lumie-infra/observability/kustomization.yamlActive observability root that currently leaves Goldilocks disabled

Guardrail Layers

LayerWhere it livesWhat it does today
Shared chart defaultscharts/common/values.yamlDefines the baseline shape for resources, security context, rollout strategy, affinity, and optional PDBs
Per-application opt-inapplications/lumie/**/common-values.yamlTurns individual guardrails on or tunes them per workload
Namespace NetworkPolicyapplications/lumie/**/manifests/network-policy.yamlEnforces default-deny plus explicit dependency allows
Admission policysecurity/kyverno/manifests/**Audits image registry, security context, and resource policy; mutates CPU limits away at admission
Recommendation labelsgoldilocks.fairwinds.com/enabled labels in ArgoCD manifestsPresent in manifests, but Goldilocks itself is not in the active observability root

PodDisruptionBudget Contract

The shared PDB template is intentionally maxUnavailable-based.

Representative excerpt:

spec:
maxUnavailable: {{ $comp.podDisruptionBudget.maxUnavailable | default 1 }}

The template comment explains why: minAvailable: 1 can deadlock node drains when a KEDA-managed workload is down to one replica.

Current opt-in is narrow and explicit:

WorkloadPDB stateSource
lumie-backendenabled, maxUnavailable: 1applications/lumie/backend/common-values.yaml
lumie-frontendenabled, maxUnavailable: 1applications/lumie/frontend/common-values.yaml
grading-svcenabled, maxUnavailable: 1applications/lumie/worker/grading-svc/common-values.yaml

Do not assume every workload inherits a PDB. The common chart only renders one when the application values opt in.

NetworkPolicy Contract

Lumie uses namespace-level default-deny policies with explicit allow lists.

The active checked-in coverage is:

  • lumie-dev: shared dev namespace guardrails
  • lumie-backend: default-deny plus explicit ingress and egress for Postgres, RabbitMQ, Redis, MinIO, Vault, workers, DNS, HTTPS, Traefik, cert-manager, and frontend
  • lumie-frontend: default-deny plus backend, Vault, DNS, HTTPS, Traefik, and cert-manager
  • lumie-worker: namespace-wide worker guardrail anchored in grading-svc, using podSelector: {} so it covers every worker pod in lumie-worker

Important current-state details:

  • production Traefik is expected in kube-system, not a dedicated traefik namespace
  • the worker policy is intentionally a union of every worker dependency
  • HTTPS egress still uses 0.0.0.0/0 because the checked-in policy model does not have FQDN-aware egress

That last point is design, not omission. Do not rewrite it in docs as a hidden allow-list.

Kyverno Contract

Kyverno is part of the workload guardrail story, but it is not the primary blocking layer today.

The active checked-in policies are:

PolicyCurrent modeEffect
require-zot-registryAuditFlags container or init-container images outside zot.lumie-infra.com
require-security-contextAuditFlags missing runAsNonRoot, privileged containers, and privilege escalation
require-resource-limitsAuditFlags missing memory requests or limits, missing CPU requests, and the presence of CPU limits
remove-cpu-limitsmutate on admission onlyRemoves CPU limits from admitted pods

Policy exceptions are checked in and broad enough to matter operationally:

  • bootstrap namespaces such as argocd, cert-manager, external-secrets, vault, and zot
  • Falco pods
  • Tekton DinD springboot-test task pods
  • CNPG cluster and pooler pods

Goldilocks-Adjacent State

The manifest labels still advertise goldilocks.fairwinds.com/enabled: 'true' on many ArgoCD-managed namespaces and applications, but the active observability root comments out:

  • goldilocks/argocd.yaml
  • vpa/argocd.yaml
  • blackbox-exporter/argocd.yaml

Treat that label as dormant metadata today, not as proof that recommendation or VPA guardrails are active in-cluster.

Operational Failure Modes

Failure modeWhat usually drifts
Drains evict too much or too littleapplication values forgot to opt into the shared PDB template, or a rollout strategy change conflicts with the expected maxUnavailable behavior
A workload is Healthy in ArgoCD but cannot reach a dependencythe NetworkPolicy allow list is incomplete for the namespace even though the pod spec itself is valid
Admission logs show violations but deploys still succeedthe policy is intentionally Audit and does not block creation
A label suggests autosizing advice exists but no recommendations appearGoldilocks is disabled in the active observability root
CPU limits keep disappearingthat is the expected mutate behavior from remove-cpu-limits, not arbitrary chart drift

Verification

cd /Users/bluemayne/Projects/Lumie
rg -n "podDisruptionBudget:|maxUnavailable: 1" \
lumie-infra/applications/lumie/*/common-values.yaml
rg -n "default-deny-all|allow-egress-postgres|allow-egress-rabbitmq|allow-egress-vault|allow-egress-https|allow-ingress-from-traefik" \
lumie-infra/applications/lumie/{backend,frontend,worker/grading-svc,develop}/manifests/network-policy.yaml
rg -n "validationFailureAction|require-zot-registry|require-security-context|require-resource-limits|remove-cpu-limits" \
lumie-infra/security/kyverno/manifests
kubectl get poddisruptionbudgets -A
kubectl get networkpolicy -A
kubectl get clusterpolicy
kubectl get policyexception -n kyverno

Success means the checked-in PDB opt-ins match the live objects, default-deny policies exist in the guarded namespaces, and Kyverno still exposes the documented audit-mode policy set and exceptions.