
Security Overview

This slice covers the security control-plane applications declared under lumie-infra/security/**. These workloads provide operator access, SSO, admission policy, runtime detection, and cluster scanning. They are managed as a separate ArgoCD app-of-apps from the operator-facing applications under lumie-infra/applications/**.

Scope and ownership

Source paths

Path | Role
lumie-infra/security/application.yaml | ArgoCD app-of-apps entrypoint for the security slice
lumie-infra/security/kustomization.yaml | Enumerates the security applications
lumie-infra/security/teleport/** | Access plane and Teleport app proxying
lumie-infra/security/keycloak/** | Identity provider and realm sync
lumie-infra/security/kyverno/** | Admission and audit policies
lumie-infra/security/falco/** | Runtime threat detection
lumie-infra/security/trivy/** | Vulnerability and config scanning

Boundaries

  • This slice owns the security applications only. Vault and cert-manager are listed in security/kustomization.yaml as moved elsewhere and are not managed from this slice.
  • External Secrets is no longer part of this slice; the repo uses Vault Secrets Operator instead.
  • Teleport app access is part of the security slice even when it exposes tools documented under Operations Applications or other platform areas.

Runtime map

Security roles in the platform

  • Teleport is the operator access plane for browser apps and Kubernetes access.
  • Keycloak is the OIDC provider for infrastructure-facing clients.
  • Kyverno applies admission-time mutation and audit-time policy checks.
  • Falco detects node and container runtime behavior and forwards events to Loki.
  • Trivy performs vulnerability and config-audit scans for deployed workloads.

Common operational patterns

  • Every security Application enables automated sync, pruning, and self-healing.
  • The namespaces are labeled for Goldilocks/VPA recommendations through ArgoCD namespace metadata.
  • Several components rely on external upstream charts, with Lumie-specific contracts expressed only in local values and manifest overlays.
  • The most important cross-slice dependencies are Vault Static Secrets, the shared infra-db cluster, and Teleport access paths declared for non-security apps.

Common failure modes

  • An ArgoCD Application can report Synced and Healthy while a cross-slice dependency is broken, such as a missing Vault secret or a bad database credential: ArgoCD checks that the manifests applied, not that a VaultStaticSecret actually resolved its source or that the credential works.
  • Upstream chart upgrades can change security defaults or generated object names without a visible diff in local manifests.
  • Some security controls are intentionally audit-only (Kyverno policies in audit mode report violations but do not block them), so policy violations remain possible even when every security Application is healthy.
  • Comments in checked-in manifests can drift from live objects or current data files; this slice includes at least one documented example in Keycloak.

Verification

kubectl get applications.argoproj.io -n argocd keycloak teleport teleport-agent kyverno falco trivy
kubectl get pods -n keycloak
kubectl get pods -n teleport
kubectl get pods -n kyverno
kubectl get pods -n falco
kubectl get pods -n trivy-system
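The commands above only show that the Applications and pods exist. The script below is an added example written for this page, not a script from lumie-infra: it turns the same kubectl output into pass/fail checks that also cover two of the failure modes listed earlier, namely an Application that is healthy but has lost its automated prune/selfHeal policy, and a VaultStaticSecret that ArgoCD has applied but whose target Secret never materialised. The Application names and namespaces are taken from this page; the assumption that Vault Secrets Operator exposes the target Secret name at .spec.destination.name is the author's, not the page's. Each check reads pre-fetched kubectl output on stdin so the logic can be exercised offline; run_live wires it to a real cluster.

```shell
#!/bin/sh
# Added verification helper for the security slice (example code, not from
# lumie-infra). Checks read "kubectl get" output on stdin; run_live fetches it.
# Assumed: Application names/namespaces from the Verification section, and
# VaultStaticSecret's target Secret name in .spec.destination.name.

SECURITY_APPS="keycloak teleport teleport-agent kyverno falco trivy"

# check_apps: stdin lines "<name> <sync> <health> <prune> <selfHeal>" from
#   kubectl get applications.argoproj.io -n argocd $SECURITY_APPS --no-headers \
#     -o custom-columns=NAME:.metadata.name,SYNC:.status.sync.status,\
#   HEALTH:.status.health.status,PRUNE:.spec.syncPolicy.automated.prune,\
#   SELFHEAL:.spec.syncPolicy.automated.selfHeal
# Fails if an app is missing, not Synced/Healthy, or lacks prune+selfHeal
# (kubectl prints <none> for an absent field).
check_apps() {
  rc=0; seen=""
  while read -r name sync health prune selfheal; do
    [ -n "$name" ] || continue
    seen="$seen $name"
    if [ "$sync" != "Synced" ] || [ "$health" != "Healthy" ]; then
      echo "app $name: sync=$sync health=$health" >&2; rc=1
    fi
    if [ "$prune" != "true" ] || [ "$selfheal" != "true" ]; then
      echo "app $name: automated policy incomplete (prune=$prune selfHeal=$selfheal)" >&2; rc=1
    fi
  done
  for app in $SECURITY_APPS; do
    case " $seen " in
      *" $app "*) ;;
      *) echo "app $app: no ArgoCD Application found" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# check_pods: stdin = "kubectl get pods -n <ns> --no-headers" lines
# (NAME READY STATUS RESTARTS AGE). Fails on an empty namespace, a pod that
# is not fully Ready, or any status other than Running/Completed.
check_pods() {
  rc=0; n=0
  while read -r name ready status rest; do
    [ -n "$name" ] || continue
    n=$((n + 1))
    case "$status" in
      Completed) continue ;;   # finished Jobs (chart hooks, driver loaders)
      Running) ;;
      *) echo "pod $name: status=$status" >&2; rc=1; continue ;;
    esac
    if [ "${ready%/*}" != "${ready#*/}" ]; then
      echo "pod $name: ready=$ready" >&2; rc=1
    fi
  done
  [ "$n" -gt 0 ] || { echo "no pods found" >&2; rc=1; }
  return $rc
}

# secret_exists NS NAME: live lookup via kubectl; tests may redefine it.
secret_exists() {
  kubectl get secret -n "$1" "$2" >/dev/null 2>&1
}

# check_vss_targets: stdin lines "<namespace> <vss-name> <destination>" from
#   kubectl get vaultstaticsecrets.secrets.hashicorp.com -A --no-headers \
#     -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,DEST:.spec.destination.name
# ArgoCD only knows the VaultStaticSecret applied; this checks the Secret it
# is supposed to produce is really there.
check_vss_targets() {
  rc=0
  while read -r ns vss dest; do
    [ -n "$ns" ] || continue
    if ! secret_exists "$ns" "$dest"; then
      echo "VaultStaticSecret $ns/$vss: destination Secret $dest missing" >&2; rc=1
    fi
  done
  return $rc
}

# run_live: the checks against the current kube context.
run_live() {
  fail=0
  kubectl get applications.argoproj.io -n argocd $SECURITY_APPS --no-headers \
    -o custom-columns=NAME:.metadata.name,SYNC:.status.sync.status,HEALTH:.status.health.status,PRUNE:.spec.syncPolicy.automated.prune,SELFHEAL:.spec.syncPolicy.automated.selfHeal \
    | check_apps || fail=1
  for ns in keycloak teleport kyverno falco trivy-system; do
    kubectl get pods -n "$ns" --no-headers | check_pods || fail=1
  done
  kubectl get vaultstaticsecrets.secrets.hashicorp.com -A --no-headers \
    -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,DEST:.spec.destination.name \
    | check_vss_targets || fail=1
  return $fail
}

if [ "${1-}" = "--live" ]; then run_live; fi
```

Run it as `sh security-check.sh --live` against the cluster; without the flag it only defines the functions, which is what makes the stdin-driven checks easy to exercise with captured output. A non-zero exit with the reasons on stderr is the signal to look past the ArgoCD status and at the dependency that actually failed.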

Pages in this slice