Viktor Barzin 612a83f8ce security(wave1): W1.6 expand observation from recruiter-responder pilot → tier 3+4 (82 namespaces) ... ## Change - Replaced kubectl_manifest.wave1_egress_observe_recruiter_responder with kubectl_manifest.wave1_egress_observe_tier34 - namespaceSelector changed from `kubernetes.io/metadata.name == 'recruiter-responder'` to `tier in {"3-edge", "4-aux"}` — covers 82 namespaces (17 tier-3-edge + 65 tier-4-aux) - Legacy pilot GNP wave1-egress-observe-recruiter-responder kubectl-deleted (apply_only=true means TF rename does NOT destroy the live old resource; cleanup done manually) - Tier 0/1/2 namespaces explicitly out of wave 1 observation per locked plan (cluster infra + GPU workloads, deferred) ## Verification (live cluster, 2026-05-19) - 82 namespaces match `tier in (3-edge,4-aux)` - Felix translated the new policy into iptables LOG rule in cali-po-* chain - LogQL `{job="node-journal"} |~ "calico-packet"` returns real packet metadata from multiple namespaces with distinct destinations: - east-west pod-to-pod (10.10.108.48, 10.10.122.131) - in-cluster service VIP (10.96.0.10 — kube-dns) - external (149.154.166.110 — Telegram API from recruiter-responder) ## W1.7 next step (calendar-bound, ~1 week) - Let observation run for ~1 week - Aggregate distinct destinations per namespace via LogQL - Build per-namespace egress allowlist module `tier3_egress_baseline` - Flip GNP rules from `[Log, Allow]` to `[Allow <specific dests>, Deny]` - Phased per-namespace as originally planned Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>		2026-05-22 14:17:00 +00:00
..
main.tf	security(wave1): W1.6 expand observation from recruiter-responder pilot → tier 3+4 (82 namespaces)	2026-05-22 14:17:00 +00:00
secrets	[infra] Partial Calico adoption: namespaces only (Wave 5b)	2026-04-18 22:52:56 +00:00
terragrunt.hcl	[infra] Partial Calico adoption: namespaces only (Wave 5b)	2026-04-18 22:52:56 +00:00