Without this patch the arc controller fails to create a listener. The listener's pod template doesn't appear to be configurable from the chart; patching it with kustomize could be done as a follow-up feature. With this patch we get the expected two pods in the runner system namespace: ``` ❯ k get pods NAME READY STATUS RESTARTS AGE gha-rs-7db9c9f7-listener 1/1 Running 0 43s gha-rs-controller-56bb9c77d9-6tjch 1/1 Running 0 8s ```
package holos
|
|
|
|
// Refer to https://kubernetes.io/docs/concepts/security/pod-security-standards/
|
|
let Restricted = {
|
|
labels: "pod-security.kubernetes.io/enforce": "restricted"
|
|
labels: "pod-security.kubernetes.io/enforce-version": "latest"
|
|
}
|
|
let Privileged = {
|
|
labels: "pod-security.kubernetes.io/enforce": "privileged"
|
|
labels: "pod-security.kubernetes.io/enforce-version": "latest"
|
|
}
|
|
|
|
// #PlatformNamespaces is the union of all namespaces across all cluster types. Namespaces are created in all clusters regardless of if they're
|
|
// used within the cluster or not. The is important for security and consistency with IAM, RBAC, and Secrets sync between clusters.
|
|
// Holos adopts the namespace sameness position of SIG Multicluster, refer to https://github.com/kubernetes/community/blob/dd4c8b704ef1c9c3bfd928c6fa9234276d61ad18/sig-multicluster/namespace-sameness-position-statement.md
|
|
#PlatformNamespaces: [
|
|
{name: "external-secrets"},
|
|
{name: "holos-system"},
|
|
{name: "flux-system"},
|
|
{name: "ceph-system"} & Privileged,
|
|
{name: "istio-system"} & Privileged,
|
|
{name: "istio-ingress"} & Restricted,
|
|
{name: "cert-manager"},
|
|
{name: "argocd"},
|
|
{name: "prod-iam-zitadel"},
|
|
{name: "arc-system"},
|
|
{name: "arc-runner"},
|
|
]
|
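Review bot: The `arc-system` and `arc-runner` entries carry no `pod-security.kubernetes.io/*` label at all, unlike `istio-ingress` which is unified with `Restricted`, so Pod Security Admission in those namespaces falls back to the cluster-wide default (commonly no enforcement unless the admission configuration sets one). The commit message suggests the listener pod could not be created under the stricter setting; if that is why no label is set here, consider still unifying both entries with a warn/audit-only alias so violations by runner workloads are logged without blocking admission, e.g. `labels: "pod-security.kubernetes.io/warn": "restricted"` and `labels: "pod-security.kubernetes.io/audit": "restricted"`, and record the reason inline with a comment such as `// arc-system: enforce omitted, listener pod is not restricted-compliant; see follow-up`. Separately, `enforce-version: "latest"` in both `Restricted` and `Privileged` means the enforced policy definition changes with each control-plane upgrade rather than being pinned to a reviewed version. The header comment on #PlatformNamespaces also has two typos worth fixing (`regardless of if they're` → `regardless of whether they're`, `The is important` → `This is important`).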