viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[ci skip] fix MySQL cluster RBAC, Kyverno policy bugs, Nextcloud memory

Browse source 
- dbaas: add mysql-sidecar-extra ClusterRole for namespaces/CRD
  list/watch needed by kopf framework in sidecar containers
- kyverno: restrict inject-priority-class-from-tier to CREATE
  operations only (was blocking pod patches with immutable spec error)
- kyverno: add resource-governance/custom-limitrange label opt-out
  to LimitRange generation policy (mirrors existing custom-quota)
- nextcloud: bump memory limit 4Gi -> 6Gi, add custom LimitRange
  with 8Gi max, opt out of Kyverno-managed LimitRange
This commit is contained in:
Viktor Barzin 2026-03-01 17:16:03 +00:00
parent f491073cca
commit f2678d3494
4 changed files with 131 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

70
stacks/platform/modules/kyverno/resource-governance.tf
View file

@ -82,7 +82,7 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
name = "generate-limitrange-by-tier"
annotations = {
"policies.kyverno.io/title" = "Generate LimitRange by Tier"
"policies.kyverno.io/description" = "Creates tier-appropriate LimitRange defaults in namespaces based on their tier label. Only affects containers without explicit resource specifications."
"policies.kyverno.io/description" = "Creates tier-appropriate LimitRange defaults in namespaces based on their tier label. Only affects containers without explicit resource specifications. Excludes namespaces with resource-governance/custom-limitrange label."
}
}
spec = {
@ -105,6 +105,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
}
]
}
exclude = {
any = [
{
resources = {
selector = {
matchLabels = {
"resource-governance/custom-limitrange" = "true"
}
}
}
}
]
}
generate = {
synchronize = true
apiVersion = "v1"
@ -151,6 +164,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
}
]
}
exclude = {
any = [
{
resources = {
selector = {
matchLabels = {
"resource-governance/custom-limitrange" = "true"
}
}
}
}
]
}
generate = {
synchronize = true
apiVersion = "v1"
@ -197,6 +223,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
}
]
}
exclude = {
any = [
{
resources = {
selector = {
matchLabels = {
"resource-governance/custom-limitrange" = "true"
}
}
}
}
]
}
generate = {
synchronize = true
apiVersion = "v1"
@ -243,6 +282,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
}
]
}
exclude = {
any = [
{
resources = {
selector = {
matchLabels = {
"resource-governance/custom-limitrange" = "true"
}
}
}
}
]
}
generate = {
synchronize = true
apiVersion = "v1"
@ -289,6 +341,19 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
}
]
}
exclude = {
any = [
{
resources = {
selector = {
matchLabels = {
"resource-governance/custom-limitrange" = "true"
}
}
}
}
]
}
generate = {
synchronize = true
apiVersion = "v1"
@ -686,7 +751,8 @@ resource "kubernetes_manifest" "mutate_priority_from_tier" {
any = [
{
resources = {
kinds = ["Pod"]
kinds = ["Pod"]
operations = ["CREATE"]
namespaceSelector = {
matchLabels = {
tier = tier