infra

Viktor Barzin 7e1ecaf74c kyverno: codify aggregated ClusterRole for keel mutate-existing The previous commit (`bc714755`) added mutateExistingOnPolicyUpdate=true to the inject-keel-annotations ClusterPolicy but Kyverno's validate webhook rejected it: the background-controller SA needs update/patch on apps/v1 Deployment/StatefulSet/DaemonSet. Created live via kubectl + now in TF so the next apply is idempotent. The ClusterRole aggregates into kyverno:background-controller via the rbac.kyverno.io/aggregate-to-background-controller label. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-22 14:16:55 +00:00
..
kyverno	kyverno: codify aggregated ClusterRole for keel mutate-existing	2026-05-22 14:16:55 +00:00

Viktor Barzin 7e1ecaf74c kyverno: codify aggregated ClusterRole for keel mutate-existing

The previous commit (bc714755) added mutateExistingOnPolicyUpdate=true
to the inject-keel-annotations ClusterPolicy but Kyverno's validate
webhook rejected it: the background-controller SA needs update/patch
on apps/v1 Deployment/StatefulSet/DaemonSet.

Created live via kubectl + now in TF so the next apply is idempotent.
The ClusterRole aggregates into kyverno:background-controller via the
rbac.kyverno.io/aggregate-to-background-controller label.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-22 14:16:55 +00:00

kyverno kyverno: codify aggregated ClusterRole for keel mutate-existing 2026-05-22 14:16:55 +00:00