Open source Kubernetes security platform

Enterprise-Grade Kubernetes Security for NGOs

The same security infrastructure used by Fortune 500 companies — free, open source, and deployed in a single command. Built for journalists, activists, and human rights organizations.

$ git clone https://github.com/JoseLorenzana272/fortress-in-a-box.git && cd fortress-in-a-box && ./install.sh

4 Layers of Protection

Defense in depth — every layer catches what the previous one might miss.

CI/CD Scanning

Every container image is scanned with Trivy for known CVEs. The pipeline fails before vulnerable code reaches your cluster.

Admission Control

Kyverno enforces 6 security policies at the API level. Insecure deployments are rejected before they ever start.

Runtime Detection

Falco monitors every running container. Shell access, privilege escalation, or suspicious behavior triggers instant alerts.

GitOps Recovery

ArgoCD uses Git as the source of truth. Deleted policies or modified deployments are auto-restored within minutes.

Why This Exists

NGOs get hacked constantly. This is not theoretical.

Breach · 2022

Red Cross

515,000+ vulnerable people's data stolen. The "Restoring Family Links" program shut down. Real people couldn't find missing relatives.

Breach · 2022

Amnesty International

Breached by state-sponsored attackers. An organization that protects human rights was itself being surveilled.

Ongoing

Bellingcat

The investigative group that exposed war crimes is constantly targeted by state actors trying to destroy evidence.

Small team, critical data, zero security budget. Fortress in a Box changes that.

What It Protects You From

Threat                                     | How Fortress Stops It
------------------------------------------ | ------------------------------------------------------------------
Attacker opens a shell in your container   | Falco detects it in seconds and alerts on Discord
App deployed running as root               | Kyverno blocks it before it reaches the cluster
Image with known vulnerabilities           | Trivy scans in CI/CD — pipeline fails automatically
Security policies deleted                  | ArgoCD detects drift and restores from Git
:latest image tag used                     | Kyverno blocks it — only pinned versions allowed
Container privilege escalation             | Policies enforce non-root, non-privileged, read-only filesystem

Architecture

From code push to full protection — fully automated.

GitHub Repository (Source of Truth)

GitHub Actions CI/CD
├── docker build
├── trivy scan ──── FAIL if CVEs found
├── docker push to GHCR
└── update deployment image tag

ArgoCD (watches repo every 3 min)
└── kubectl apply (automatic)

Kubernetes Cluster
├── Kyverno ──── blocks bad deployments
├── Falco ───── detects runtime threats
│   └── Falcosidekick
│       ├── Discord alerts
│       └── Loki (log storage)
└── Grafana ─── security dashboard

6 Security Policies

Enforced by Kyverno at the cluster level. No insecure deployment gets through.

disallow-root-user

Blocks containers running as root — prevents container escape via root privileges.

disallow-privileged

Rejects privileged containers — a privileged container has unrestricted access to the host kernel and devices, which is a direct path to full host takeover.

disallow-latest-tag

Blocks mutable :latest tags — a mutable tag can be silently repointed to a different image, so only pinned versions are allowed.

require-resource-limits

Enforces CPU and memory limits — stops denial of service.

require-readonly-rootfs

Forces a read-only root filesystem — an attacker inside the container cannot write tooling or malware to disk.

disallow-host-network

Prevents pods from joining the host network namespace — a pod on the host network could sniff host traffic.
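As an added example (not code from the Fortress in a Box project), the following local pre-flight check mirrors the intent of the six policies above so a manifest can be caught before it is pushed, synced by ArgoCD and rejected by Kyverno. It assumes the policies key on the standard Pod securityContext fields, image tag, resource limits and hostNetwork; the project's actual Kyverno rules are not reproduced here, and the two sample manifests are constructed.

```python
# Added example (not Fortress in a Box code); mirrors the intent of the page's six Kyverno policies.
POLICIES = ("disallow-root-user", "disallow-privileged", "disallow-latest-tag",
            "require-resource-limits", "require-readonly-rootfs", "disallow-host-network")

def image_is_pinned(image):
    """True for digest-pinned images or an explicit tag other than :latest."""
    if "@" in image:                     # repo@sha256:... is immutable
        return True
    last = image.rsplit("/", 1)[-1]      # drop registry:port and path first
    tag = last.split(":", 1)[1] if ":" in last else None
    return tag is not None and tag != "latest"   # no tag defaults to :latest

def container_violations(container, pod_sc):
    """Policy names one container violates; pod-level securityContext is the fallback."""
    sc = container.get("securityContext") or {}
    found = []
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        found.append("disallow-root-user")
    if sc.get("privileged") is True:
        found.append("disallow-privileged")
    if not image_is_pinned(container.get("image", "")):
        found.append("disallow-latest-tag")
    limits = (container.get("resources") or {}).get("limits") or {}
    if "cpu" not in limits or "memory" not in limits:
        found.append("require-resource-limits")
    if sc.get("readOnlyRootFilesystem") is not True:
        found.append("require-readonly-rootfs")
    return found

def check_workload(manifest):
    """Sorted list of violated policies for a Deployment or a bare Pod manifest."""
    spec = manifest["spec"]
    pod_spec = spec.get("template", {}).get("spec", spec)  # Deployment vs Pod
    pod_sc = pod_spec.get("securityContext") or {}
    violations = set()
    if pod_spec.get("hostNetwork") is True:
        violations.add("disallow-host-network")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        violations.update(container_violations(c, pod_sc))
    return sorted(violations)

# Constructed sample manifests (not real Fortress workloads): one every policy
# rejects, and its hardened counterpart that passes all six.
INSECURE = {"kind": "Deployment", "spec": {"template": {"spec": {"hostNetwork": True,
    "containers": [{"name": "web", "image": "ghcr.io/example/web:latest",
                    "securityContext": {"privileged": True}}]}}}}
HARDENED = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "web", "image": "ghcr.io/example/web:1.4.2",
                    "securityContext": {"readOnlyRootFilesystem": True},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}
```

Running `check_workload(INSECURE)` returns all six policy names, while `check_workload(HARDENED)` returns an empty list.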

Install in 5 Minutes

One command. Full cluster protection.

  • Prerequisites: A Kubernetes cluster, kubectl, and helm v3+ installed.
  • Clone & Run: Clone the repo and run the interactive installer script.
  • Configure: Enter your GitHub repo URL, Discord webhook (optional), and Grafana password.
  • Done: Fortress is active. 4 layers of security are now protecting your cluster.

# Clone the repository
$ git clone https://github.com/JoseLorenzana272/fortress-in-a-box.git
$ cd fortress-in-a-box

# Run the installer
$ chmod +x install.sh
$ ./install.sh

# Fortress is now active.

Your Security Dashboards

Three web interfaces to monitor and manage your cluster.

Grafana

localhost:3000

Security dashboard with Falco event visualization and log aggregation via Loki.

kubectl port-forward svc/grafana -n monitoring 3000:80

ArgoCD

localhost:8080

GitOps control plane. Sync status, app health, and drift correction.

kubectl port-forward svc/argocd-server -n argocd 8080:443

Falcosidekick UI

localhost:2802

Real-time alert viewer for runtime security events across all containers.

kubectl port-forward svc/falco-falcosidekick-ui -n falco 2802:2802

Built for the people who protect others.

Free, open source, and ready to deploy. Protect your organization today.