fix: use privileged k8s-runner docker #502

Open · casey-brooks wants to merge 2 commits into main from noa/issue-501

Conversation

@casey-brooks
Contributor

Summary

  • Switch the bootstrap k8s-runner Docker capability implementation from rootless to privileged.
  • Label the agyn-workloads namespace for privileged Pod Security Admission enforcement, audit, and warn levels.

Closes #501

Tests

  • terraform fmt -check -recursive — passed
  • terraform -chdir=stacks/apps init -input=false && terraform -chdir=stacks/apps validate — passed
  • terraform -chdir=stacks/platform init -input=false && terraform -chdir=stacks/platform validate — passed
  • terraform -chdir=stacks/apps plan -refresh=false -input=false -lock=false — passed with local stub state/kubeconfig for remote-state inputs
  • terraform -chdir=stacks/platform plan -refresh=false -input=false -lock=false -target=kubernetes_namespace_v1.agyn_workloads — passed with local stub state/kubeconfig for remote-state inputs; full platform plan requires a live Kubernetes API for kubernetes_manifest schema discovery
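As an added check, not code from this PR or the project: a small audit that resolves the three Pod Security Admission mode labels on each namespace, applying the cluster default (privileged when the PodSecurity admission plugin has no configured defaults) where a label is missing, and lists the namespaces whose enforce mode resolves to privileged. The namespace objects are constructed samples shaped like the items of `kubectl get ns -o json`, not the real cluster state.

```python
"""Audit Pod Security Admission (PSA) labels on namespaces.

Added example; not the PR's or the project's code. Input is a constructed
list of namespace objects in the shape of `kubectl get ns -o json` items.
"""

PSA_MODES = ("enforce", "audit", "warn")


def psa_levels(namespace: dict, default: str = "privileged") -> dict:
    """Return the level each PSA mode resolves to for one namespace.

    A missing mode label falls back to the cluster default, which is
    'privileged' unless the PodSecurity AdmissionConfiguration sets one.
    Values are returned as-is so a caller can flag typos or unknown levels.
    """
    labels = namespace.get("metadata", {}).get("labels") or {}
    return {
        mode: labels.get(f"pod-security.kubernetes.io/{mode}", default)
        for mode in PSA_MODES
    }


def find_privileged_namespaces(namespaces, default: str = "privileged"):
    """Names of namespaces where PSA will not block privileged pods,
    i.e. the enforce mode resolves to 'privileged' (explicitly or by default)."""
    return sorted(
        ns["metadata"]["name"]
        for ns in namespaces
        if psa_levels(ns, default)["enforce"] == "privileged"
    )


# Constructed samples: one namespace labeled the way this PR describes,
# one with a stricter mixed policy, and one with no PSA labels at all.
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "agyn-workloads", "labels": {
        "pod-security.kubernetes.io/enforce": "privileged",
        "pod-security.kubernetes.io/audit": "privileged",
        "pod-security.kubernetes.io/warn": "privileged"}}},
    {"metadata": {"name": "team-a", "labels": {
        "pod-security.kubernetes.io/enforce": "baseline",
        "pod-security.kubernetes.io/warn": "restricted"}}},
    {"metadata": {"name": "unlabeled"}},
]

if __name__ == "__main__":
    for ns in SAMPLE_NAMESPACES:
        print(ns["metadata"]["name"], psa_levels(ns))
    print("enforce resolves to privileged:", find_privileged_namespaces(SAMPLE_NAMESPACES))
```

Pass `default=` to match the cluster's configured PodSecurity defaults; with the built-in default, an unlabeled namespace is reported alongside the explicitly privileged one.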

@casey-brooks casey-brooks requested a review from a team as a code owner May 14, 2026 01:06
@casey-brooks
Contributor Author

Test & Lint Summary

  • terraform fmt -check -recursive — passed (0 formatting issues)
  • terraform -chdir=stacks/apps init -input=false && terraform -chdir=stacks/apps validate — passed (configuration valid)
  • terraform -chdir=stacks/platform init -input=false && terraform -chdir=stacks/platform validate — passed (configuration valid)
  • terraform -chdir=stacks/apps plan -refresh=false -input=false -lock=false — passed with local stub state/kubeconfig for remote-state inputs (Plan: 15 to add, 0 to change, 0 to destroy)
  • terraform -chdir=stacks/platform plan -refresh=false -input=false -lock=false -target=kubernetes_namespace_v1.agyn_workloads — passed with local stub state/kubeconfig for remote-state inputs (Plan: 1 to add, 0 to change, 0 to destroy)

Full stacks/platform plan was not used because this stack contains kubernetes_manifest resources that require live Kubernetes API discovery; the targeted namespace plan verifies the changed PSA-label resource locally.

noa-lucent previously approved these changes May 14, 2026

@noa-lucent noa-lucent left a comment

Reviewed the Terraform changes against #501. The k8s-runner Docker capability now defaults to privileged, and the agyn-workloads namespace is labeled for privileged Pod Security Admission. Terraform fmt and validate pass after provider initialization. No changes requested.

Development

Successfully merging this pull request may close these issues.

Switch k8s-runner bootstrap default Docker implementation to privileged

3 participants