starred/holos
1
0
Fork 0
mirror of https://github.com/holos-run/holos.git synced 2026-03-19 00:37:45 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
b86fee04fc5e6abeb4e3fa040b274069c19ca425
holos/docs/examples/platforms/reference/namespaces.cue
Jeff McCune a85db9cf5e (#42) Add KustomizeBuild holos component type to install pgo 
PGO uses plain yaml and kustomize as the recommended installation
method.  Holos supports upstream by adding a new PlainFiles component
kind, which simply copies files into place and lets kustomize handle the
generation of the api objects.

Cue is responsible for very little in this kind of component, basically
allowing overlay resources if needed and deferring everything else to
the holos cli.

The holos cli in turn is responsible for executing kubectl kustomize
build on the input directory to produce the rendered output, then writes
the rendered output into place.
2024-03-08 11:27:42 -08:00

31 lines
1.4 KiB
CUE
Raw Blame History

package holos
// Refer to https://kubernetes.io/docs/concepts/security/pod-security-standards/
let Restricted = {
labels: "pod-security.kubernetes.io/enforce": "restricted"
labels: "pod-security.kubernetes.io/enforce-version": "latest"
}
let Privileged = {
labels: "pod-security.kubernetes.io/enforce": "privileged"
labels: "pod-security.kubernetes.io/enforce-version": "latest"
}
// #PlatformNamespaces is the union of all namespaces across all cluster types. Namespaces are created in all clusters regardless of if they're
// used within the cluster or not. The is important for security and consistency with IAM, RBAC, and Secrets sync between clusters.
// Holos adopts the namespace sameness position of SIG Multicluster, refer to https://github.com/kubernetes/community/blob/dd4c8b704ef1c9c3bfd928c6fa9234276d61ad18/sig-multicluster/namespace-sameness-position-statement.md
#PlatformNamespaces: [
{name: "external-secrets"},
{name: "holos-system"},
{name: "flux-system"},
{name: "ceph-system"} & Privileged,
{name: "istio-system"} & Privileged,
{name: "istio-ingress"} & Restricted,
{name: "cert-manager"},
{name: "argocd"},
{name: "prod-iam-zitadel"},
{name: "arc-system"},
{name: "arc-runner"},
// https://github.com/CrunchyData/postgres-operator-examples/blob/main/kustomize/install/namespace/namespace.yaml
{name: "postgres-operator"},
]
Reference in New Issue View Git Blame Copy Permalink