Source: docs/followups/opportunistic.md row 10 (Next up).
example-daemonset.yaml (under components/receivers/dcgm/ and components/receivers/kernelevents/) passes kubectl apply --dry-run=client and --dry-run=server against a generic cluster but isn't validated against real policy engines (Kyverno, Gatekeeper, PSA-restricted) on a kind cluster in CI.
Files:
- components/receivers/dcgm/example-daemonset.yaml
- components/receivers/kernelevents/example-daemonset.yaml
- New: .github/workflows/k8s-policy-validate.yml (or extend chart.yml / install-bench.yml, both of which already spin kind clusters).
Acceptance:
- A CI job runs kubectl apply --dry-run=server against a kind cluster with PSA-restricted enforced and at least one of Kyverno or Gatekeeper installed with reasonable baseline policies.
- Fails on the daemonsets if they violate a policy; passes today.
- New receiver authors who add an example-daemonset.yaml get gated by the same job.
Trigger: operator reports policy-engine rejection on first apply.
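
One way to script the check in the acceptance list, as an added example (not code from this repository). It goes beyond the text in one respect: Pod Security Admission's enforce mode rejects only Pods, so the namespace also gets the warn label and kubectl runs with --warnings-as-errors, which makes a violating DaemonSet pod template fail the dry-run. Assumptions: the namespace name policy-validate, the function names, kubectl already pointing at the kind cluster with Kyverno or Gatekeeper installed, and manifests that do not pin metadata.namespace.

```shell
# Added example: gate every receiver example DaemonSet behind a server-side
# dry-run in a PSA-restricted namespace. NS and the function names are
# assumptions of this example, not names used by the repository.
NS="${NS:-policy-validate}"
RECEIVERS_DIR="${RECEIVERS_DIR:-components/receivers}"

# Discover manifests by name so a new receiver is picked up automatically.
find_manifests() {
  find "$RECEIVERS_DIR" -type f -name example-daemonset.yaml | sort
}

# Create the namespace (idempotent) and label it for Pod Security Admission.
# enforce only rejects Pods; warn is what evaluates a DaemonSet's pod template.
prepare_namespace() {
  kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f - &&
  kubectl label namespace "$NS" --overwrite \
    pod-security.kubernetes.io/enforce=restricted \
    pod-security.kubernetes.io/warn=restricted
}

# Dry-run one manifest. Kyverno/Gatekeeper webhooks deny the request outright;
# PSA warnings become a non-zero exit through --warnings-as-errors.
validate_manifest() {
  kubectl apply --dry-run=server --warnings-as-errors -n "$NS" -f "$1"
}

# Validate every manifest, report each result, and fail if any one failed.
# Finding no manifest at all is an error (exit 2), not a silent pass.
validate_all() {
  failed=0
  count=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    count=$((count + 1))
    if validate_manifest "$f"; then
      echo "PASS $f"
    else
      echo "FAIL $f"
      failed=1
    fi
  done <<EOF
$(find_manifests)
EOF
  [ "$count" -gt 0 ] || { echo "no example-daemonset.yaml found" >&2; return 2; }
  return "$failed"
}
```

In the CI job, run `prepare_namespace && validate_all` after the kind cluster and the policy engine are ready.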