Infrastructure
securek8s.de runs on my homelab Kubernetes cluster. The static HTML produced by Astro is baked into a container image, which an nginx-unprivileged process serves from a read-only root filesystem.
Request flow
flowchart LR
U[Browser] -->|HTTPS| LB[Cluster Ingress<br/>Traefik/Nginx]
LB -->|HTTP/1.1| SVC[Service]
SVC --> POD1[Pod: securek8s/web-1]
SVC --> POD2[Pod: securek8s/web-2]
POD1 -.->|DNS only| DNS[(kube-dns)]
POD2 -.->|DNS only| DNS
Hardening summary
- Namespace enforces Pod Security Standards restricted.
- Container runs as uid 101, readOnlyRootFilesystem: true, all capabilities dropped.
- NetworkPolicy: ingress only from the ingress controller, egress only to kube-dns.
- Two replicas behind a PodDisruptionBudget with minAvailable: 1.
- TLS via cert-manager; HSTS preloaded.
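The first three items of the hardening list, expressed as manifests. This is an added example, not the site's actual configuration: the namespace and object names, the app: web label, the image reference, port 8080 and the ingress controller's namespace (ingress) are assumptions.

```yaml
# Added example; names, labels, image, port and the "ingress" namespace are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: securek8s
  labels: {pod-security.kubernetes.io/enforce: restricted}
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: web, namespace: securek8s}
spec:
  replicas: 2
  selector: {matchLabels: {app: web}}
  template:
    metadata: {labels: {app: web}}
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 101
        seccompProfile: {type: RuntimeDefault}  # required by the restricted profile
      containers:
        - name: web
          image: "registry.example/securek8s-web:TAG"  # placeholder image reference
          ports: [{containerPort: 8080}]
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities: {drop: [ALL]}
          volumeMounts: [{name: tmp, mountPath: /tmp}]  # writable scratch for nginx pid and temp files
      volumes: [{name: tmp, emptyDir: {}}]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: web, namespace: securek8s}
spec:
  podSelector: {matchLabels: {app: web}}
  policyTypes: [Ingress, Egress]  # listing both makes everything not allowed below default-deny
  ingress:
    - from:
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: ingress}}
      ports: [{protocol: TCP, port: 8080}]
  egress:
    - to:
        # namespaceSelector and podSelector in one item are ANDed: kube-dns pods in kube-system only
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}
          podSelector: {matchLabels: {k8s-app: kube-dns}}
      ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]
```

The NetworkPolicy only takes effect on a cluster whose CNI plugin enforces NetworkPolicy objects; without one it is accepted by the API server and silently ignored.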
What's not here
No database, no tracking, no third-party fonts. Content is in git; git is the backup.