Templatize KubeVirt namespace #61
Conversation
| kubectl label namespace {{ .Release.Namespace }} kubevirt.io=""; | ||
| kubectl label namespace {{ .Release.Namespace }} pod-security.kubernetes.io/enforce="privileged"; |
There was a problem hiding this comment.
These are labels which the upstream manifests are shipped with. Unfortunately, there wasn't an easier way to do this than a pre-install hook... helm/helm#3503 (comment)
There was a problem hiding this comment.
My only concern is that everything related to this is a leftover that will live in the cluster for no reason. Honestly I don't know how to fix it but maybe the container can remove "everything" after the namespace is labeled? I mean, running kubectl delete role kubevirt-namespace-modifier, etc.
There was a problem hiding this comment.
They won't live forever, the delete policy drops them all immediately.
root@atanas:~/charts/charts# helm install kubevirt kubevirt/0.2.0 -n kubevirt --create-namespace --debug
install.go:192: [debug] Original chart version: ""
install.go:209: [debug] CHART PATH: /root/charts/charts/kubevirt/0.2.0
client.go:128: [debug] creating 1 resource(s)
install.go:151: [debug] CRD kubevirts.kubevirt.io is already present. Skipping.
client.go:128: [debug] creating 1 resource(s)
client.go:128: [debug] creating 1 resource(s)
client.go:128: [debug] creating 1 resource(s)
client.go:128: [debug] creating 1 resource(s)
client.go:128: [debug] creating 1 resource(s)
client.go:540: [debug] Watching for changes to Job kubevirt-namespace-modifier with timeout of 5m0s
client.go:568: [debug] Add/Modify event for kubevirt-namespace-modifier: ADDED
client.go:607: [debug] kubevirt-namespace-modifier: Jobs active: 0, jobs failed: 0, jobs succeeded: 0
client.go:568: [debug] Add/Modify event for kubevirt-namespace-modifier: MODIFIED
client.go:607: [debug] kubevirt-namespace-modifier: Jobs active: 1, jobs failed: 0, jobs succeeded: 0
client.go:568: [debug] Add/Modify event for kubevirt-namespace-modifier: MODIFIED
client.go:607: [debug] kubevirt-namespace-modifier: Jobs active: 0, jobs failed: 0, jobs succeeded: 0
client.go:568: [debug] Add/Modify event for kubevirt-namespace-modifier: MODIFIED
client.go:310: [debug] Starting delete for "kubevirt-namespace-modifier" ServiceAccount
client.go:310: [debug] Starting delete for "kubevirt-namespace-modifier" Role
client.go:310: [debug] Starting delete for "kubevirt-namespace-modifier" RoleBinding
client.go:310: [debug] Starting delete for "kubevirt-namespace-modifier" Job
There was a problem hiding this comment.
You can ignore my comment then :D Sorry for the noise.
There was a problem hiding this comment.
Changes look solid, I have concerns about the security implications that come with labelling a full namespace as pod-security.kubernetes.io/enforce="privileged" though..
Taking into account that this is something that comes from the upstream manifests, I'll approve this.
helm install kubevirt <chart-repo> -n <namespace> --create-namespacekubevirtnamespace was specified but it was already part of the chart itself