infra/stacks/kyverno/modules/kyverno
Viktor Barzin 0f26bf030b kyverno: exclude postiz namespace from Keel auto-update injection
Postiz was generating hourly Slack spam and a wedged rollout, both
Keel-driven:
- Bundled redis StatefulSets run docker.io/bitnamilegacy/redis; Keel
  tried 7.4.0->7.4.1/7.4.2 every poll but require-trusted-registries
  denies bitnamilegacy/* (only bitnami/* allowlisted) -> endless
  deny/retry/Slack-ping loop.
- Keel bumped postiz-app v2.21.7->v2.21.8 on 2026-05-26; the surge pod
  couldn't schedule under the 3Gi tier-4-aux quota, wedging the rollout
  for 3 days.

postiz Terraform state is heavily drifted (~2/30 resources tracked), so
per-workload opt-out can't be applied from the postiz stack. Durable
guard is here (clean kyverno state). Operational steps applied live via
kubectl (postiz stack can't apply): removed keel.sh/enrolled=true from
the namespace, set keel.sh/policy=never (annotation+label) on all 4
workloads, rolled postiz back to the running v2.21.7. Keel restarted
(scale 0->1) to drop postiz-app from its in-memory tracker; confirmed it
no longer tracks postiz.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-29 19:16:58 +00:00
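The durable guard the commit message describes (a Kyverno mutate rule that injects Keel annotations into enrolled namespaces, with postiz carved out by an exclude block), as an added illustrative policy. This is not the repository's keel-annotations.tf, whose contents this page does not show. Assumed for the example: enrolment is driven by a namespace label keel.sh/enrolled=true, the injected annotations are keel.sh/policy, keel.sh/trigger and keel.sh/pollSchedule, and workloads already carrying keel.sh/policy=never are left alone.

```yaml
# Illustrative Kyverno policy (added example, not the project's own).
# Assumptions: namespaces opt in with the label keel.sh/enrolled=true;
# the rule only adds annotations that are not already present (the +()
# anchor), so a workload that sets keel.sh/policy=never keeps it; the
# postiz namespace is excluded outright so nothing is injected there
# even if the enrolled label is ever re-added.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: keel-annotations
spec:
  # Mutation happens at admission only; no background scan needed.
  background: false
  rules:
    - name: inject-keel-policy
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
              namespaceSelector:
                matchLabels:
                  keel.sh/enrolled: "true"
      exclude:
        any:
          # Namespace-level opt-out: lives in the kyverno stack, so it
          # survives drift in the workload's own Terraform state.
          - resources:
              namespaces:
                - postiz
          # Workload-level opt-out: explicit keel.sh/policy=never wins.
          - resources:
              annotations:
                keel.sh/policy: never
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # "+(" = add only if the key is absent; never overwrite.
              +(keel.sh/policy): patch
              +(keel.sh/trigger): poll
              +(keel.sh/pollSchedule): "@every 1h"
```

To check the carve-out before applying it, render a Deployment manifest with `namespace: postiz` and run `kyverno apply keel-annotations.yaml --resource deploy.yaml`; the output should show the resource unchanged, while the same manifest under an enrolled namespace gains the three annotations. The live steps from the commit message pair with this: `kubectl label namespace postiz keel.sh/enrolled-` drops the enrolment label, and `kubectl annotate deployment postiz-app -n postiz keel.sh/policy=never` (plus the matching `kubectl label`) pins the workload even where the namespace exclusion is not in place.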
dependency-init-containers.tf kyverno(wave1): swap kubernetes_manifest → kubectl_manifest + flip 3 security policies to Enforce 2026-05-18 20:10:27 +00:00
keel-annotations.tf kyverno: exclude postiz namespace from Keel auto-update injection 2026-05-29 19:16:58 +00:00
main.tf kyverno(wave1): swap kubernetes_manifest → kubectl_manifest + flip 3 security policies to Enforce 2026-05-18 20:10:27 +00:00
registry-credentials.tf kyverno(wave1): swap kubernetes_manifest → kubectl_manifest + flip 3 security policies to Enforce 2026-05-18 20:10:27 +00:00
resource-governance.tf kyverno: GPU priority mutate uses add (was replace) — fixes silent skip 2026-05-26 09:04:51 +00:00
security-policies.tf keel: re-enable with policy=patch (semver-bounded) + fix CI deny-privileged 2026-05-26 19:06:51 +00:00
tls-secret-sync.tf kyverno(wave1): swap kubernetes_manifest → kubectl_manifest + flip 3 security policies to Enforce 2026-05-18 20:10:27 +00:00
versions.tf kyverno(wave1): swap kubernetes_manifest → kubectl_manifest + flip 3 security policies to Enforce 2026-05-18 20:10:27 +00:00