Infrastructure Manifests
The infrastructure/base layer defines cluster-wide services that application workloads depend on. Kustomize assembles these resources from two subdirectories — monitoring and traefik — which Flux then applies to the cluster.
Monitoring
Component: kube-prometheus-stack
Namespace: monitoring
Chart version: 82.15.0
Source: prometheus-community HelmRepository
Reconcile interval: 5 minutes
The HelmRelease is managed in flux-system with storageNamespace and targetNamespace both set to monitoring. It bundles Prometheus, Alertmanager, and Grafana into a single release.
Persistent storage
| Component | Access mode | Capacity |
|---|---|---|
| Prometheus | ReadWriteOnce | 20 Gi |
| Alertmanager | ReadWriteOnce | 2 Gi |
| Grafana | ReadWriteOnce | 10 Gi |
Each component uses a volumeClaimTemplate so Kubernetes provisions a dedicated PVC per replica.
Prometheus resource limits
Prometheus requests 512 Mi of memory with a hard limit of 1 Gi. This keeps the pod schedulable on smaller nodes while preventing unbounded growth during high-cardinality scrapes.
Grafana credentials
Grafana reads its admin credentials from an existing Secret named grafana-admin. The monitoring kustomization includes grafana-secret.yaml to provision that Secret before the HelmRelease runs.
Traefik
Component: traefik
Namespace: traefik
Chart version: 39.0.6
Source: traefik HelmRepository
Reconcile interval: 5 minutes
The HelmRelease targets the traefik namespace and sets install.createNamespace: true, so Flux creates the namespace on first deploy without requiring a separate manifest. No custom values are set in the base layer; overlays extend this release with environment-specific configuration such as TLS termination and entrypoint ports.
RBAC roles
Custom ClusterRoles live under infrastructure/base/1-rbac/1-role/. They extend the built-in RBAC tiers rather than replacing them.
namespace-admin
An aggregated ClusterRole that collects everything labeled rbac.authorization.k8s.io/aggregate-to-admin: "true". This matches the built-in admin role’s scope: full management of namespace-scoped resources including Roles and RoleBindings, but no access to cluster-scoped resources. The aggregation rule means CRD controllers automatically extend this role when they add new resource types; no manual updates are required.
Kubernetes enforces privilege escalation prevention: a namespace-admin cannot grant permissions they do not already hold.
frontend-developer
A narrow write role for developers working on frontend services. It grants full CRUD on Deployments, ReplicaSets, and ConfigMaps, plus read/update access on Services. Pod and pod log access is read-only. The role excludes Secrets, PersistentVolumeClaims, ServiceAccounts, and network resources that the built-in edit role would otherwise allow.
| Resource | Verbs |
|---|---|
| Deployments, ReplicaSets | get, list, watch, create, update, patch, delete |
| ConfigMaps | get, list, watch, create, update, patch, delete |
| Services | get, list, watch, update, patch |
| Pods, pods/log | get, list, watch |
Pair this role with a binding to the built-in view ClusterRole in target namespaces to give read access to all other resources.
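The following is an added example, not a file from this repository: it rebuilds the frontend-developer rules from the table above as a constructed in-memory manifest and audits any ClusterRole against the exclusions the section lists (no Secrets, PVCs, ServiceAccounts or network resources, no wildcards, read-only pods, no create/delete on Services). The resource and apiGroup spellings are assumptions about how the real manifest is written.

```python
"""Audit a ClusterRole against the frontend-developer constraints described above."""
from typing import Dict, List

# Resources the page says this role must NOT grant (the built-in edit tier would).
DENIED_RESOURCES = {"secrets", "persistentvolumeclaims", "serviceaccounts",
                    "networkpolicies", "ingresses"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Constructed manifest mirroring the table on this page (assumed apiGroups/resources).
FRONTEND_DEVELOPER = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "frontend-developer"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["configmaps"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["services"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
}


def audit_role(role: Dict) -> List[str]:
    """Return findings for rules that exceed the documented scope; empty means OK."""
    findings: List[str] = []
    for rule in role.get("rules", []):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        # A wildcard anywhere silently widens the role as new API types appear.
        if "*" in resources or "*" in rule.get("apiGroups", []) or "*" in verbs:
            findings.append(f"wildcard in rule {rule}")
        for res in sorted(resources & DENIED_RESOURCES):
            findings.append(f"{res} must not be granted")
        if "services" in resources and verbs & {"create", "delete"}:
            findings.append("services must not be creatable/deletable")
        if resources & {"pods", "pods/log"} and verbs & WRITE_VERBS:
            findings.append("pods must be read-only")
    return findings


if __name__ == "__main__":
    print(audit_role(FRONTEND_DEVELOPER) or "frontend-developer: within documented scope")
```

Run the audit against the rendered manifest (for example after `kubectl get clusterrole frontend-developer -o json`) so drift from the table is caught before a binding grants it.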