extract monitoring, nvidia, mailserver, cloudflared, kyverno from platform [ci skip]

Phase 2 of platform stack split. 5 more modules extracted into
independent stacks. All applied successfully with zero destroys.
Cloudflared now reads k8s_users from Vault directly to compute
user_domains. Woodpecker pipeline runs all 8 extracted stacks
in parallel. Memory bumped to 6Gi for 9 concurrent TF processes.
Platform reduced from 27 to 19 modules.

stacks/kyverno/modules/kyverno/dependency-init-containers.tf

@@ -0,0 +1,72 @@
+
+# =============================================================================
+# Pod Dependency Init Container Injection
+# =============================================================================
+# Reads the annotation dependency.kyverno.io/wait-for from pods and injects
+# init containers that wait for each listed dependency to be reachable.
+#
+# Usage:
+#   annotations:
+#     dependency.kyverno.io/wait-for: "postgresql.dbaas:5432,redis.redis:6379"
+#
+# Each comma-separated entry becomes a busybox init container that runs
+# `nc -z <host> <port>` in a loop until the dependency is reachable.
+# Existing init containers are preserved — Kyverno appends to the array.
+
+resource "kubernetes_manifest" "inject_dependency_init_containers" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "inject-dependency-init-containers"
+      annotations = {
+        "policies.kyverno.io/title"       = "Inject Dependency Init Containers"
+        "policies.kyverno.io/description" = "Injects wait-for init containers based on dependency.kyverno.io/wait-for pod annotation. Each comma-separated host:port entry becomes a busybox init container that blocks until the dependency is reachable via nc -z."
+      }
+    }
+    spec = {
+      rules = [
+        {
+          name = "wait-for-dependencies"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds      = ["Pod"]
+                  operations = ["CREATE"]
+                }
+              }
+            ]
+          }
+          preconditions = {
+            all = [
+              {
+                key      = "{{ request.object.metadata.annotations.\"dependency.kyverno.io/wait-for\" || '' }}"
+                operator = "NotEquals"
+                value    = ""
+              }
+            ]
+          }
+          mutate = {
+            foreach = [
+              {
+                list = "request.object.metadata.annotations.\"dependency.kyverno.io/wait-for\" | split(@, ',')"
+                patchStrategicMerge = {
+                  spec = {
+                    initContainers = [
+                      {
+                        name    = "wait-for-{{ element | split(@, ':') | [0] | replace_all(@, '.', '-') }}"
+                        image   = "busybox:1.37"
+                        command = ["sh", "-c", "until nc -z {{ element | split(@, ':') | [0] }} {{ element | split(@, ':') | [1] }}; do echo waiting for {{ element }}; sleep 2; done"]
+                      }
+                    ]
+                  }
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}

stacks/kyverno/modules/kyverno/main.tf

@@ -0,0 +1,216 @@
+
+resource "kubernetes_namespace" "kyverno" {
+  metadata {
+    name = "kyverno"
+    labels = {
+      "istio-injection" : "disabled"
+    }
+  }
+}
+
+resource "helm_release" "kyverno" {
+  namespace        = kubernetes_namespace.kyverno.metadata[0].name
+  create_namespace = false
+  name             = "kyverno"
+  atomic           = true
+
+  repository = "https://kyverno.github.io/kyverno/"
+  chart      = "kyverno"
+  version    = "3.6.1"
+
+  values = [yamlencode({
+    # When Kyverno is unavailable, allow pod creation to proceed without
+    # mutation/validation rather than blocking all admissions cluster-wide.
+    features = {
+      forceFailurePolicyIgnore = {
+        enabled = true
+      }
+      policyReports = {
+        enabled = false
+      }
+    }
+
+    reportsController = {
+      resources = {
+        limits = {
+          memory = "512Mi"
+        }
+        requests = {
+          cpu    = "100m"
+          memory = "384Mi"
+        }
+      }
+    }
+
+    backgroundController = {
+      resources = {
+        limits = {
+          memory = "384Mi"
+        }
+        requests = {
+          cpu    = "100m"
+          memory = "384Mi"
+        }
+      }
+    }
+
+    cleanupController = {
+      resources = {
+        limits = {
+          memory = "192Mi"
+        }
+        requests = {
+          cpu    = "100m"
+          memory = "192Mi"
+        }
+      }
+    }
+
+    admissionController = {
+      replicas = 2
+
+      updateStrategy = {
+        type = "RollingUpdate"
+        rollingUpdate = {
+          maxSurge       = 0
+          maxUnavailable = 1
+        }
+      }
+
+      container = {
+        resources = {
+          limits = {
+            memory = "256Mi"
+          }
+          requests = {
+            cpu    = "100m"
+            memory = "256Mi"
+          }
+        }
+      }
+
+      # More tolerant liveness probe — API server slowness shouldn't kill the pod
+      livenessProbe = {
+        httpGet = {
+          path   = "/health/liveness"
+          port   = 9443
+          scheme = "HTTPS"
+        }
+        initialDelaySeconds = 15
+        periodSeconds       = 30
+        timeoutSeconds      = 5
+        failureThreshold    = 4
+        successThreshold    = 1
+      }
+
+      # Spread replicas across nodes for HA
+      topologySpreadConstraints = [
+        {
+          maxSkew           = 1
+          topologyKey       = "kubernetes.io/hostname"
+          whenUnsatisfiable = "DoNotSchedule"
+          labelSelector = {
+            matchLabels = {
+              "app.kubernetes.io/component" = "admission-controller"
+              "app.kubernetes.io/instance"  = "kyverno"
+            }
+          }
+        }
+      ]
+    }
+  })]
+}
+
+# To unlabel all:
+# kubectl label deployment,statefulset,daemonset --all-namespaces -l tier tier-
+#
+# Uses namespaceSelector to match tiers — no API call needed.
+# One rule per tier so Kyverno resolves the tier value from its informer cache.
+resource "kubernetes_manifest" "mutate_tier_from_namespace" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "sync-tier-label-from-namespace"
+    }
+    spec = {
+      rules = [for tier in local.governance_tiers : {
+        name = "sync-tier-${tier}"
+        match = {
+          any = [
+            {
+              resources = {
+                kinds = ["Deployment", "StatefulSet", "DaemonSet"]
+                namespaceSelector = {
+                  matchLabels = {
+                    tier = tier
+                  }
+                }
+              }
+            }
+          ]
+        }
+        exclude = {
+          any = [
+            {
+              resources = {
+                namespaces = ["kube-system", "metallb-system", "n8n"]
+              }
+            }
+          ]
+        }
+        mutate = {
+          patchStrategicMerge = {
+            metadata = {
+              labels = {
+                "+(tier)" = tier
+              }
+            }
+          }
+        }
+      }]
+    }
+  }
+}
+
+# resource "kubernetes_manifest" "enforce_pod_tier_label" {
+#   manifest = {
+#     apiVersion = "kyverno.io/v1"
+#     kind       = "ClusterPolicy"
+#     metadata = {
+#       name = "enforce-pod-tier-label"
+#       annotations = {
+#         "policies.kyverno.io/description" = "Rejects any pod that does not have a tier label."
+#       }
+#     }
+#     spec = {
+#       # 'Enforce' blocks the creation. 'Audit' just reports it.
+#       validationFailureAction = "Enforce"
+#       background              = true
+#       rules = [
+#         {
+#           name = "check-for-tier-label"
+#           match = {
+#             any = [
+#               {
+#                 resources = {
+#                   kinds = ["Pod"]
+#                 }
+#               }
+#             ]
+#           }
+#           validate = {
+#             message = "The label 'tier' is required for all pods in this cluster."
+#             pattern = {
+#               metadata = {
+#                 labels = {
+#                   "tier" = "?*" # The "?*" syntax means the value must not be empty
+#                 }
+#               }
+#             }
+#           }
+#         }
+#       ]
+#     }
+#   }
+# }

stacks/kyverno/modules/kyverno/resource-governance.tf

@@ -0,0 +1,950 @@
+
+# =============================================================================
+# Tier-Based Resource Governance
+# =============================================================================
+# default (limit) = defaultRequest (request) to give Guaranteed QoS and prevent
+# memory overcommit. Changed 2026-03-14 after node2 OOM crash caused by 250%
+# memory overcommit (61GB limits on 24GB node).
+#
+# Four layers of protection against noisy neighbor issues:
+# 1. PriorityClasses - critical services survive resource pressure
+# 2. LimitRange defaults (Kyverno generate) - auto-inject defaults for containers without resources
+# 3. ResourceQuotas (Kyverno generate) - hard ceiling on namespace resource consumption
+# 4. Priority injection (Kyverno mutate) - set priorityClassName based on namespace tier label
+
+locals {
+  governance_tiers    = ["0-core", "1-cluster", "2-gpu", "3-edge", "4-aux"]
+  excluded_namespaces = ["kube-system", "metallb-system", "kyverno", "calico-system", "calico-apiserver"]
+}
+
+# -----------------------------------------------------------------------------
+# Layer 1: PriorityClasses
+# -----------------------------------------------------------------------------
+# Values stay well below system-cluster-critical (2,000,000,000)
+
+resource "kubernetes_priority_class" "tier_0_core" {
+  metadata {
+    name = "tier-0-core"
+  }
+  value             = 1000000
+  global_default    = false
+  preemption_policy = "PreemptLowerPriority"
+  description       = "Critical infrastructure: ingress, DNS, VPN, auth, monitoring"
+}
+
+resource "kubernetes_priority_class" "tier_1_cluster" {
+  metadata {
+    name = "tier-1-cluster"
+  }
+  value             = 800000
+  global_default    = false
+  preemption_policy = "PreemptLowerPriority"
+  description       = "Cluster services: Redis, metrics, security"
+}
+
+resource "kubernetes_priority_class" "tier_2_gpu" {
+  metadata {
+    name = "tier-2-gpu"
+  }
+  value             = 600000
+  global_default    = false
+  preemption_policy = "PreemptLowerPriority"
+  description       = "GPU workloads: Immich, Ollama, Frigate"
+}
+
+resource "kubernetes_priority_class" "gpu_workload" {
+  metadata {
+    name = "gpu-workload"
+  }
+  value             = 1200000
+  global_default    = false
+  preemption_policy = "PreemptLowerPriority"
+  description       = "GPU-pinned workloads. Higher than all user tiers. Auto-injected by Kyverno on pods requesting nvidia.com/gpu."
+}
+
+resource "kubernetes_priority_class" "tier_3_edge" {
+  metadata {
+    name = "tier-3-edge"
+  }
+  value             = 400000
+  global_default    = false
+  preemption_policy = "PreemptLowerPriority"
+  description       = "User-facing services: mail, file sync, dashboards"
+}
+
+resource "kubernetes_priority_class" "tier_4_aux" {
+  metadata {
+    name = "tier-4-aux"
+  }
+  value             = 200000
+  global_default    = false
+  preemption_policy = "Never"
+  description       = "Optional services: blogs, tools, experiments. Will not preempt other aux services."
+}
+
+# -----------------------------------------------------------------------------
+# Layer 2: LimitRange Defaults (Kyverno Generate)
+# -----------------------------------------------------------------------------
+# Creates a LimitRange in each namespace based on its tier label.
+# Only affects containers WITHOUT explicit resource requests/limits.
+
+resource "kubernetes_manifest" "generate_limitrange_by_tier" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "generate-limitrange-by-tier"
+      annotations = {
+        "policies.kyverno.io/title"       = "Generate LimitRange by Tier"
+        "policies.kyverno.io/description" = "Creates tier-appropriate LimitRange defaults in namespaces based on their tier label. Only affects containers without explicit resource specifications. Excludes namespaces with resource-governance/custom-limitrange label."
+      }
+    }
+    spec = {
+      generateExisting = true
+      rules = [
+        # Tier 0-core
+        {
+          name = "limitrange-tier-0-core"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                  selector = {
+                    matchLabels = {
+                      tier = "0-core"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-limitrange" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          generate = {
+            synchronize = true
+            apiVersion  = "v1"
+            kind        = "LimitRange"
+            name        = "tier-defaults"
+            namespace   = "{{request.object.metadata.name}}"
+            data = {
+              spec = {
+                limits = [
+                  {
+                    type = "Container"
+                    default = {
+                      memory = "256Mi"
+                    }
+                    defaultRequest = {
+                      cpu    = "100m"
+                      memory = "256Mi"
+                    }
+                    max = {
+                      memory = "8Gi"
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        },
+        # Tier 1-cluster
+        {
+          name = "limitrange-tier-1-cluster"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                  selector = {
+                    matchLabels = {
+                      tier = "1-cluster"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-limitrange" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          generate = {
+            synchronize = true
+            apiVersion  = "v1"
+            kind        = "LimitRange"
+            name        = "tier-defaults"
+            namespace   = "{{request.object.metadata.name}}"
+            data = {
+              spec = {
+                limits = [
+                  {
+                    type = "Container"
+                    default = {
+                      memory = "256Mi"
+                    }
+                    defaultRequest = {
+                      cpu    = "100m"
+                      memory = "256Mi"
+                    }
+                    max = {
+                      memory = "4Gi"
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        },
+        # Tier 2-gpu
+        {
+          name = "limitrange-tier-2-gpu"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                  selector = {
+                    matchLabels = {
+                      tier = "2-gpu"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-limitrange" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          generate = {
+            synchronize = true
+            apiVersion  = "v1"
+            kind        = "LimitRange"
+            name        = "tier-defaults"
+            namespace   = "{{request.object.metadata.name}}"
+            data = {
+              spec = {
+                limits = [
+                  {
+                    type = "Container"
+                    default = {
+                      memory = "1Gi"
+                    }
+                    defaultRequest = {
+                      cpu    = "200m"
+                      memory = "1Gi"
+                    }
+                    max = {
+                      memory = "16Gi"
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        },
+        # Tier 3-edge — Burstable QoS: request < limit to reduce scheduler pressure
+        {
+          name = "limitrange-tier-3-edge"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                  selector = {
+                    matchLabels = {
+                      tier = "3-edge"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-limitrange" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          generate = {
+            synchronize = true
+            apiVersion  = "v1"
+            kind        = "LimitRange"
+            name        = "tier-defaults"
+            namespace   = "{{request.object.metadata.name}}"
+            data = {
+              spec = {
+                limits = [
+                  {
+                    type = "Container"
+                    default = {
+                      memory = "192Mi"
+                    }
+                    defaultRequest = {
+                      cpu    = "50m"
+                      memory = "96Mi"
+                    }
+                    max = {
+                      memory = "4Gi"
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        },
+        # Tier 4-aux — Burstable QoS: request < limit to reduce scheduler pressure
+        {
+          name = "limitrange-tier-4-aux"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                  selector = {
+                    matchLabels = {
+                      tier = "4-aux"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-limitrange" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          generate = {
+            synchronize = true
+            apiVersion  = "v1"
+            kind        = "LimitRange"
+            name        = "tier-defaults"
+            namespace   = "{{request.object.metadata.name}}"
+            data = {
+              spec = {
+                limits = [
+                  {
+                    type = "Container"
+                    default = {
+                      memory = "256Mi"
+                    }
+                    defaultRequest = {
+                      cpu    = "50m"
+                      memory = "64Mi"
+                    }
+                    max = {
+                      memory = "4Gi"
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        },
+        # Fallback: namespaces without a tier label get aux-level defaults
+        # requests = limits to prevent memory overcommit (2026-03-14 node2 OOM incident)
+        {
+          name = "limitrange-no-tier-fallback"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchExpressions = [
+                      {
+                        key      = "tier"
+                        operator = "Exists"
+                      }
+                    ]
+                  }
+                }
+              },
+              {
+                resources = {
+                  namespaces = ["kube-system", "metallb-system", "kyverno", "calico-system", "calico-apiserver"]
+                }
+              }
+            ]
+          }
+          generate = {
+            synchronize = true
+            apiVersion  = "v1"
+            kind        = "LimitRange"
+            name        = "tier-defaults"
+            namespace   = "{{request.object.metadata.name}}"
+            data = {
+              spec = {
+                limits = [
+                  {
+                    type = "Container"
+                    default = {
+                      memory = "128Mi"
+                    }
+                    defaultRequest = {
+                      cpu    = "50m"
+                      memory = "128Mi"
+                    }
+                    max = {
+                      memory = "2Gi"
+                    }
+                  }
+                ]
+              }
+            }
+          }
+        },
+      ]
+    }
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Layer 3: ResourceQuotas (Kyverno Generate)
+# -----------------------------------------------------------------------------
+# Creates a ResourceQuota in each namespace based on its tier label.
+# Sets hard ceiling on total namespace resource consumption.
+# Namespaces with label resource-governance/custom-quota=true are excluded.
+#
+# IMPORTANT: LimitRange (Layer 2) must exist before ResourceQuota takes effect,
+# because ResourceQuota requires all pods to have resource requests set.
+
+resource "kubernetes_manifest" "generate_resourcequota_by_tier" {
+  depends_on = [kubernetes_manifest.generate_limitrange_by_tier]
+
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "generate-resourcequota-by-tier"
+      annotations = {
+        "policies.kyverno.io/title"       = "Generate ResourceQuota by Tier"
+        "policies.kyverno.io/description" = "Creates tier-appropriate ResourceQuota in namespaces based on their tier label. Excludes namespaces with resource-governance/custom-quota label."
+      }
+    }
+    spec = {
+      generateExisting = true
+      rules = [
+        # Tier 0-core
+        {
+          name = "quota-tier-0-core"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                  selector = {
+                    matchLabels = {
+                      tier = "0-core"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-quota" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          generate = {
+            synchronize = true
+            apiVersion  = "v1"
+            kind        = "ResourceQuota"
+            name        = "tier-quota"
+            namespace   = "{{request.object.metadata.name}}"
+            data = {
+              spec = {
+                hard = {
+                  "requests.cpu"    = "8"
+                  "requests.memory" = "8Gi"
+                  "limits.memory"   = "64Gi"
+                  pods              = "100"
+                }
+              }
+            }
+          }
+        },
+        # Tier 1-cluster
+        {
+          name = "quota-tier-1-cluster"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                  selector = {
+                    matchLabels = {
+                      tier = "1-cluster"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-quota" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          generate = {
+            synchronize = true
+            apiVersion  = "v1"
+            kind        = "ResourceQuota"
+            name        = "tier-quota"
+            namespace   = "{{request.object.metadata.name}}"
+            data = {
+              spec = {
+                hard = {
+                  "requests.cpu"    = "4"
+                  "requests.memory" = "4Gi"
+                  "limits.memory"   = "32Gi"
+                  pods              = "30"
+                }
+              }
+            }
+          }
+        },
+        # Tier 2-gpu
+        {
+          name = "quota-tier-2-gpu"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                  selector = {
+                    matchLabels = {
+                      tier = "2-gpu"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-quota" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          generate = {
+            synchronize = true
+            apiVersion  = "v1"
+            kind        = "ResourceQuota"
+            name        = "tier-quota"
+            namespace   = "{{request.object.metadata.name}}"
+            data = {
+              spec = {
+                hard = {
+                  "requests.cpu"    = "8"
+                  "requests.memory" = "8Gi"
+                  "limits.memory"   = "32Gi"
+                  pods              = "40"
+                }
+              }
+            }
+          }
+        },
+        # Tier 3-edge
+        {
+          name = "quota-tier-3-edge"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                  selector = {
+                    matchLabels = {
+                      tier = "3-edge"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-quota" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          generate = {
+            synchronize = true
+            apiVersion  = "v1"
+            kind        = "ResourceQuota"
+            name        = "tier-quota"
+            namespace   = "{{request.object.metadata.name}}"
+            data = {
+              spec = {
+                hard = {
+                  "requests.cpu"    = "4"
+                  "requests.memory" = "4Gi"
+                  "limits.memory"   = "32Gi"
+                  pods              = "30"
+                }
+              }
+            }
+          }
+        },
+        # Tier 4-aux
+        {
+          name = "quota-tier-4-aux"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Namespace"]
+                  selector = {
+                    matchLabels = {
+                      tier = "4-aux"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  selector = {
+                    matchLabels = {
+                      "resource-governance/custom-quota" = "true"
+                    }
+                  }
+                }
+              }
+            ]
+          }
+          generate = {
+            synchronize = true
+            apiVersion  = "v1"
+            kind        = "ResourceQuota"
+            name        = "tier-quota"
+            namespace   = "{{request.object.metadata.name}}"
+            data = {
+              spec = {
+                hard = {
+                  "requests.cpu"    = "2"
+                  "requests.memory" = "2Gi"
+                  "limits.memory"   = "16Gi"
+                  pods              = "20"
+                }
+              }
+            }
+          }
+        },
+      ]
+    }
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Layer 4: PriorityClassName Injection (Kyverno Mutate)
+# -----------------------------------------------------------------------------
+# Automatically sets priorityClassName on Pods based on their namespace's tier label.
+# Skips pods that already have a priorityClassName set.
+# Uses namespaceSelector instead of API calls — no round-trip to the API server.
+
+resource "kubernetes_manifest" "mutate_priority_from_tier" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "inject-priority-class-from-tier"
+      annotations = {
+        "policies.kyverno.io/title"       = "Inject PriorityClass from Tier"
+        "policies.kyverno.io/description" = "Sets priorityClassName on Pods based on the namespace tier label. Skips pods that already have a priorityClassName."
+      }
+    }
+    spec = {
+      rules = [for tier in local.governance_tiers : {
+        name = "inject-priority-${tier}"
+        match = {
+          any = [
+            {
+              resources = {
+                kinds      = ["Pod"]
+                operations = ["CREATE"]
+                namespaceSelector = {
+                  matchLabels = {
+                    tier = tier
+                  }
+                }
+              }
+            }
+          ]
+        }
+        exclude = {
+          any = [
+            {
+              resources = {
+                namespaces = local.excluded_namespaces
+              }
+            }
+          ]
+        }
+        preconditions = {
+          all = [
+            {
+              key      = "{{request.object.spec.priorityClassName || ''}}"
+              operator = "Equals"
+              value    = ""
+            }
+          ]
+        }
+        mutate = {
+          patchesJson6902 = yamlencode([
+            {
+              op   = "remove"
+              path = "/spec/priority"
+            },
+            {
+              op   = "remove"
+              path = "/spec/preemptionPolicy"
+            },
+            {
+              op    = "add"
+              path  = "/spec/priorityClassName"
+              value = "tier-${tier}"
+            }
+          ])
+        }
+      }]
+    }
+  }
+}
+
+
+# --- ndots:2 injection ---
+# Kubernetes defaults to ndots:5, which causes 4 wasted NxDomain queries per
+# external DNS lookup (search domain expansion). This policy injects ndots:2
+# on all pods to reduce NxDomain flood while still allowing short-name service
+# resolution (e.g. "redis.redis" has 1 dot, so it still expands).
+resource "kubernetes_manifest" "mutate_ndots" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "inject-ndots"
+      annotations = {
+        "policies.kyverno.io/title"       = "Inject ndots:2 DNS Config"
+        "policies.kyverno.io/description" = "Sets ndots:2 on all Pods to reduce NxDomain query flood from search domain expansion. Skips pods that already have ndots configured."
+      }
+    }
+    spec = {
+      rules = [
+        {
+          name = "inject-ndots-2"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds = ["Pod"]
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  namespaces = ["kube-system", "metallb-system", "kyverno", "calico-system", "calico-apiserver"]
+                }
+              }
+            ]
+          }
+          preconditions = {
+            all = [
+              {
+                key      = "{{ request.object.spec.dnsConfig.options || `[]` | [?name == 'ndots'] | length(@) }}"
+                operator = "Equals"
+                value    = "0"
+              }
+            ]
+          }
+          mutate = {
+            patchStrategicMerge = {
+              spec = {
+                dnsConfig = {
+                  options = [
+                    {
+                      name  = "ndots"
+                      value = "2"
+                    }
+                  ]
+                }
+              }
+            }
+          }
+        }
+      ]
+    }
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Layer 5: GPU Workload Priority Override (Kyverno Mutate)
+# -----------------------------------------------------------------------------
+# Overrides the tier-based priorityClassName with gpu-workload for pods that
+# actually request nvidia.com/gpu resources. This ensures GPU pods can preempt
+# non-GPU pods on the GPU node, regardless of namespace tier.
+# Runs after Layer 4 (tier injection), so it overrides the tier-based priority.
+
+resource "kubernetes_manifest" "mutate_gpu_priority" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "inject-gpu-workload-priority"
+      annotations = {
+        "policies.kyverno.io/title"       = "Inject GPU Workload Priority"
+        "policies.kyverno.io/description" = "Overrides priorityClassName to gpu-workload for pods requesting nvidia.com/gpu resources. Runs after tier-based injection."
+      }
+    }
+    spec = {
+      rules = [
+        {
+          name = "gpu-priority-override"
+          match = {
+            any = [
+              {
+                resources = {
+                  kinds      = ["Pod"]
+                  operations = ["CREATE"]
+                }
+              }
+            ]
+          }
+          exclude = {
+            any = [
+              {
+                resources = {
+                  namespaces = local.excluded_namespaces
+                }
+              }
+            ]
+          }
+          preconditions = {
+            any = [
+              {
+                key      = "{{ request.object.spec.containers[].resources.requests.\"nvidia.com/gpu\" || '' }}"
+                operator = "NotEquals"
+                value    = ""
+              },
+              {
+                key      = "{{ request.object.spec.containers[].resources.limits.\"nvidia.com/gpu\" || '' }}"
+                operator = "NotEquals"
+                value    = ""
+              }
+            ]
+          }
+          mutate = {
+            patchesJson6902 = yamlencode([
+              {
+                op    = "replace"
+                path  = "/spec/priorityClassName"
+                value = "gpu-workload"
+              },
+              {
+                op    = "replace"
+                path  = "/spec/priority"
+                value = 1200000
+              },
+              {
+                op    = "replace"
+                path  = "/spec/preemptionPolicy"
+                value = "PreemptLowerPriority"
+              }
+            ])
+          }
+        }
+      ]
+    }
+  }
+}

stacks/kyverno/modules/kyverno/security-policies.tf

@@ -0,0 +1,294 @@
+# =============================================================================
+# Pod Security Policies (Audit Mode)
+# =============================================================================
+# Kyverno validate policies for pod security standards.
+# All policies start in Audit mode - violations are logged but not blocked.
+
+resource "kubernetes_manifest" "policy_deny_privileged" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "deny-privileged-containers"
+      annotations = {
+        "policies.kyverno.io/title"       = "Deny Privileged Containers"
+        "policies.kyverno.io/category"    = "Pod Security"
+        "policies.kyverno.io/severity"    = "high"
+        "policies.kyverno.io/description" = "Privileged containers have full host access. Deny unless explicitly exempted."
+      }
+    }
+    spec = {
+      validationFailureAction = "Audit"
+      background              = true
+      rules = [{
+        name = "deny-privileged"
+        match = {
+          any = [{
+            resources = {
+              kinds = ["Pod"]
+            }
+          }]
+        }
+        exclude = {
+          any = [{
+            resources = {
+              namespaces = ["frigate", "nvidia", "monitoring"]
+            }
+          }]
+        }
+        validate = {
+          message = "Privileged containers are not allowed. Use specific capabilities instead."
+          pattern = {
+            spec = {
+              containers = [{
+                "=(securityContext)" = {
+                  "=(privileged)" = false
+                }
+              }]
+              "=(initContainers)" = [{
+                "=(securityContext)" = {
+                  "=(privileged)" = false
+                }
+              }]
+            }
+          }
+        }
+      }]
+    }
+  }
+
+  depends_on = [helm_release.kyverno]
+}
+
+resource "kubernetes_manifest" "policy_deny_host_namespaces" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "deny-host-namespaces"
+      annotations = {
+        "policies.kyverno.io/title"       = "Deny Host Namespaces"
+        "policies.kyverno.io/category"    = "Pod Security"
+        "policies.kyverno.io/severity"    = "high"
+        "policies.kyverno.io/description" = "Sharing host namespaces enables container escapes. Deny hostNetwork, hostPID, hostIPC."
+      }
+    }
+    spec = {
+      validationFailureAction = "Audit"
+      background              = true
+      rules = [{
+        name = "deny-host-namespaces"
+        match = {
+          any = [{
+            resources = {
+              kinds = ["Pod"]
+            }
+          }]
+        }
+        exclude = {
+          any = [{
+            resources = {
+              namespaces = ["frigate", "monitoring"]
+            }
+          }]
+        }
+        validate = {
+          message = "Host namespaces (hostNetwork, hostPID, hostIPC) are not allowed."
+          pattern = {
+            spec = {
+              "=(hostNetwork)" = false
+              "=(hostPID)"     = false
+              "=(hostIPC)"     = false
+            }
+          }
+        }
+      }]
+    }
+  }
+
+  depends_on = [helm_release.kyverno]
+}
+
+resource "kubernetes_manifest" "policy_restrict_capabilities" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "restrict-sys-admin"
+      annotations = {
+        "policies.kyverno.io/title"       = "Restrict SYS_ADMIN Capability"
+        "policies.kyverno.io/category"    = "Pod Security"
+        "policies.kyverno.io/severity"    = "high"
+        "policies.kyverno.io/description" = "SYS_ADMIN is nearly equivalent to root. Restrict to explicitly exempted namespaces."
+      }
+    }
+    spec = {
+      validationFailureAction = "Audit"
+      background              = true
+      rules = [{
+        name = "restrict-sys-admin"
+        match = {
+          any = [{
+            resources = {
+              kinds = ["Pod"]
+            }
+          }]
+        }
+        exclude = {
+          any = [{
+            resources = {
+              namespaces = ["nvidia", "monitoring"]
+            }
+          }]
+        }
+        validate = {
+          message = "Adding SYS_ADMIN capability is not allowed."
+          deny = {
+            conditions = {
+              any = [{
+                key      = "{{ request.object.spec.containers[].securityContext.capabilities.add[] || `[]` }}"
+                operator = "AnyIn"
+                value    = ["SYS_ADMIN"]
+              }]
+            }
+          }
+        }
+      }]
+    }
+  }
+
+  depends_on = [helm_release.kyverno]
+}
+
+# =============================================================================
+# Image Pull Policy Governance
+# =============================================================================
+# Mutate imagePullPolicy to IfNotPresent for all containers with pinned tags
+# (non-:latest). This prevents pods from getting stuck in ImagePullBackOff
+# when the pull-through cache at 10.0.20.10 has transient failures.
+# For :latest or untagged images, set to Always so stale images don't persist.
+
+resource "kubernetes_manifest" "policy_set_image_pull_policy" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "set-image-pull-policy"
+      annotations = {
+        "policies.kyverno.io/title"       = "Set Image Pull Policy"
+        "policies.kyverno.io/category"    = "Best Practices"
+        "policies.kyverno.io/severity"    = "medium"
+        "policies.kyverno.io/description" = "Set imagePullPolicy to IfNotPresent for pinned tags and Always for :latest to prevent ImagePullBackOff from transient cache failures."
+      }
+    }
+    spec = {
+      background = false
+      rules = [
+        {
+          name = "set-ifnotpresent-for-pinned-tags"
+          match = {
+            any = [{
+              resources = {
+                kinds = ["Pod"]
+              }
+            }]
+          }
+          mutate = {
+            foreach = [{
+              list = "request.object.spec.containers"
+              preconditions = {
+                all = [{
+                  key      = "{{ ends_with(element.image, ':latest') || !contains(element.image, ':') }}"
+                  operator = "Equals"
+                  value    = false
+                }]
+              }
+              patchStrategicMerge = {
+                spec = {
+                  containers = [{
+                    name            = "{{ element.name }}"
+                    imagePullPolicy = "IfNotPresent"
+                  }]
+                }
+              }
+            }]
+          }
+        },
+        {
+          name = "set-always-for-latest"
+          match = {
+            any = [{
+              resources = {
+                kinds = ["Pod"]
+              }
+            }]
+          }
+          mutate = {
+            foreach = [{
+              list = "request.object.spec.containers"
+              preconditions = {
+                all = [{
+                  key      = "{{ ends_with(element.image, ':latest') || !contains(element.image, ':') }}"
+                  operator = "Equals"
+                  value    = true
+                }]
+              }
+              patchStrategicMerge = {
+                spec = {
+                  containers = [{
+                    name            = "{{ element.name }}"
+                    imagePullPolicy = "Always"
+                  }]
+                }
+              }
+            }]
+          }
+        }
+      ]
+    }
+  }
+
+  depends_on = [helm_release.kyverno]
+}
+
+resource "kubernetes_manifest" "policy_require_trusted_registries" {
+  manifest = {
+    apiVersion = "kyverno.io/v1"
+    kind       = "ClusterPolicy"
+    metadata = {
+      name = "require-trusted-registries"
+      annotations = {
+        "policies.kyverno.io/title"       = "Require Trusted Image Registries"
+        "policies.kyverno.io/category"    = "Pod Security"
+        "policies.kyverno.io/severity"    = "medium"
+        "policies.kyverno.io/description" = "Images must come from trusted registries to prevent supply chain attacks."
+      }
+    }
+    spec = {
+      validationFailureAction = "Audit"
+      background              = true
+      rules = [{
+        name = "validate-registries"
+        match = {
+          any = [{
+            resources = {
+              kinds = ["Pod"]
+            }
+          }]
+        }
+        validate = {
+          message = "Images must be from trusted registries (docker.io, ghcr.io, quay.io, registry.k8s.io, or local cache)."
+          pattern = {
+            spec = {
+              containers = [{
+                image = "docker.io/* | ghcr.io/* | quay.io/* | registry.k8s.io/* | 10.0.20.10* | */*"
+              }]
+            }
+          }
+        }
+      }]
+    }
+  }
+
+  depends_on = [helm_release.kyverno]
+}