cluster/kube: configure k0 for sourcegraph
Change-Id: I8ac3ca1269527faa98ce6949da066eb74f299c2c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1770
Reviewed-by: implr <implr@hackerspace.pl>
diff --git a/cluster/kube/k0.libsonnet b/cluster/kube/k0.libsonnet
index e829180..71731a4 100644
--- a/cluster/kube/k0.libsonnet
+++ b/cluster/kube/k0.libsonnet
@@ -302,6 +302,8 @@
policies.AllowNamespaceInsecure("internet"),
# TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
policies.AllowNamespaceInsecure("implr-vpn"),
+ // For SourceGraph's tini container mess.
+ policies.AllowNamespaceMostlySecure("sourcegraph"),
],
# Admission controller that permits non-privileged users to manage
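Review bot: The comment on the new `policies.AllowNamespaceMostlySecure("sourcegraph")` entry does not say which restriction the tini-based containers actually trip, so nobody can later tell when the exemption is safe to drop. The exemption is keyed on the namespace, so it presumably covers every pod scheduled there, not only the SourceGraph workloads that need it. I would word it like the TODO two lines above, e.g. `// TODO(<owner>): sourcegraph's tini-based images need <specific relaxation>; return to the default policy once that is fixed.` The enclosing list starts and ends outside the hunk, so how MostlySecure differs from Insecure is not visible here.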
@@ -333,6 +335,7 @@
{ namespace: "walne", dns: "walne.hackerspace.pl" },
{ namespace: "devtools-prod", dns: "hackdoc.hackerspace.pl" },
{ namespace: "devtools-prod", dns: "cs.hackerspace.pl" },
+ { namespace: "sourcegraph", dns: "cs.hackerspace.pl" },
{ namespace: "codehosting-prod", dns: "git.hackerspace.pl" },
{ namespace: "codehosting-prod", dns: "code.hackerspace.pl" },
{ namespace: "engelsystem-prod", dns: "engelsystem.hackerspace.pl" },
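Review bot: `cs.hackerspace.pl` is now listed for both `devtools-prod` and `sourcegraph`, so two namespaces may claim the same hostname. If this list is the allowlist used by the ingress admission controller (its header is outside the hunk), anyone who can create Ingress objects in either namespace can serve that name. If this is a migration, either drop the old entry in this change or mark it, e.g. `// TODO: remove once sourcegraph has moved out of devtools-prod`. The same leftover applies to the `"devtools-prod"` entry kept in `anything_goes_namespace` in the last hunk.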
@@ -378,6 +381,7 @@
anything_goes_namespace: [
// sourcegraph ingress wants a config snippet to set a header.
"devtools-prod",
+ "sourcegraph",
],
},
},
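Review bot: The comment above the new `"sourcegraph"` entry in `anything_goes_namespace` justifies one header-setting config snippet, but the list name suggests the namespace is exempted from ingress filtering altogether. Config snippets are evaluated by the shared ingress controller, so presumably write access to Ingress objects in this namespace carries influence over a component that serves other tenants too. A comment recording that trade-off would help, e.g. `// NOTE: exempts the whole namespace from ingress annotation filtering; keep write access to it restricted.` The enclosing object starts outside the hunk, so the exact semantics of the list are inferred from its name.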