Skip to content

Commit 1cf7e16

Browse files
kvapsclaude
andcommitted
fix(stand): label blockstor-system as privileged PSA namespace
Without this label kube-apiserver's default Restricted PodSecurity profile rejected the satellite DaemonSet (privileged + hostPath + hostPort + hostNetwork). The test stand had this set out of band so it Just Worked there; new stands need it explicit. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
1 parent 5f098dc commit 1cf7e16

1 file changed

Lines changed: 8 additions & 0 deletions

File tree

stand/blockstor-deploy.yaml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,14 @@ apiVersion: v1
77
kind: Namespace
88
metadata:
99
name: blockstor-system
10+
labels:
11+
# The satellite is privileged + hostNetwork + hostPID + hostPath —
12+
# required for drbdadm / losetup / cryptsetup against the kernel.
13+
# The default PodSecurity Restricted profile rejects all of these,
14+
# so explicitly opt this namespace into the privileged profile.
15+
pod-security.kubernetes.io/enforce: privileged
16+
pod-security.kubernetes.io/audit: privileged
17+
pod-security.kubernetes.io/warn: privileged
1018
---
1119
apiVersion: v1
1220
kind: ServiceAccount

0 commit comments

Comments
 (0)