[followup] Live-cluster policy-engine validation for example daemonsets #138

Description

@trilamsr

Source: docs/followups/opportunistic.md row 10 (Next up).

example-daemonset.yaml (under components/receivers/dcgm/ and components/receivers/kernelevents/) passes kubectl apply --dry-run=client and --dry-run=server against a generic cluster but isn't validated against real policy engines (Kyverno, Gatekeeper, PSA-restricted) on a kind cluster in CI.

Files:

  • components/receivers/dcgm/example-daemonset.yaml
  • components/receivers/kernelevents/example-daemonset.yaml
  • New: .github/workflows/k8s-policy-validate.yml (or extend chart.yml / install-bench.yml, both of which already spin kind clusters).

Acceptance:

  • A CI job runs kubectl apply --dry-run=server against a kind cluster with PSA-restricted enforced and at least one of Kyverno or Gatekeeper installed with reasonable baseline policies.
  • Fails on the daemonsets if they violate a policy; passes today.
  • New receiver authors who add an example-daemonset.yaml get gated by the same job.

Trigger: operator reports policy-engine rejection on first apply.
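One way the CI job in the acceptance criteria could look, added here as an illustration and not code from this issue or the project. It picks Kyverno (with its kyverno-policies chart set to the restricted pod-security profile in Enforce mode) as the "at least one" engine, uses helm/kind-action for the kind cluster, and assumes the example daemonsets do not pin a namespace so that they can be applied into a throwaway namespace that carries the PSA restricted label. The job name, namespace and file globs are assumptions.

```yaml
name: k8s-policy-validate

on:
  pull_request:
    paths:
      - "components/receivers/**/example-daemonset.yaml"
      - ".github/workflows/k8s-policy-validate.yml"

jobs:
  policy-validate:
    runs-on: ubuntu-latest
    env:
      # Assumed throwaway namespace; PSA enforcement is attached to it below.
      NS: policy-validate
    steps:
      - uses: actions/checkout@v4

      - name: Create kind cluster
        uses: helm/kind-action@v1

      - name: Enforce restricted Pod Security Admission on the test namespace
        run: |
          kubectl create namespace "$NS"
          kubectl label namespace "$NS" \
            pod-security.kubernetes.io/enforce=restricted \
            pod-security.kubernetes.io/enforce-version=latest

      - name: Install Kyverno and its restricted pod-security policies in Enforce mode
        run: |
          helm repo add kyverno https://kyverno.github.io/kyverno/
          helm repo update
          helm install kyverno kyverno/kyverno -n kyverno --create-namespace --wait
          helm install kyverno-policies kyverno/kyverno-policies -n kyverno --wait \
            --set podSecurityStandard=restricted \
            --set validationFailureAction=Enforce

      - name: Server-side dry-run every example daemonset against the policy engines
        run: |
          set -euo pipefail
          status=0
          # The glob gates any new receiver that adds an example-daemonset.yaml.
          for f in components/receivers/*/example-daemonset.yaml; do
            echo "== $f"
            # PSA rejects Pods but only *warns* on the pod template of a DaemonSet,
            # so warnings are promoted to errors; Kyverno's autogenerated rules for
            # controllers reject a non-compliant DaemonSet outright.
            if ! kubectl apply --dry-run=server --warnings-as-errors -n "$NS" -f "$f"; then
              status=1
            fi
          done
          exit "$status"
```

The `--warnings-as-errors` flag is the important detail: without it a PSA-restricted namespace lets a DaemonSet through with a warning, and the job would pass while the pods it later creates are rejected on a real cluster. Gatekeeper could be installed alongside (or instead) with the same final step unchanged, since both engines are exercised by the server-side dry-run.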

Labels: enhancement (New feature or request), help wanted (Extra attention is needed)