Add dev namespace access and kubectl to POLICIES.md and TOOLS.md
Each org now has a -dev namespace where agents can freely use kubectl for testing and iteration. Production namespaces remain Flux-only.

Access model:
- Cluster-wide: read-only
- Production namespace: read-write (Flux-managed, no manual kubectl)
- Dev namespace: read-write (agents may use kubectl freely)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
+7
-2
@@ -36,8 +36,13 @@ The following services are available in the cluster. Use them via their operator
All infrastructure changes deploy via **Flux GitOps**. Flux reconciles the org's `infra` repo to the cluster automatically.
- **The only way to change Kubernetes resources is through the infra repo.** Commit manifests, push, and Flux deploys. There is no other path.
- **`kubectl` is read-only.** You may use `kubectl get`, `kubectl describe`, `kubectl logs`, etc. for troubleshooting and verification. You may NEVER use `kubectl apply`, `kubectl delete`, `kubectl edit`, `kubectl patch`, `kubectl create`, or any other mutating command. Flux will revert any manual changes.
- If you need an infrastructure change, create a PR against the infra repo (or create a Paperclip issue for the agent who owns infra).
- **`kubectl` is available** and agents have the following access:
- **Cluster-wide**: read-only (`get`, `list`, `watch`) across all namespaces
- **`privilegedescalation` namespace**: read-write (production — changes MUST go through Flux, not kubectl)
- **`privilegedescalation-dev` namespace**: read-write (development — agents may use kubectl freely for testing, debugging, and iteration)
- **Production (`privilegedescalation`)**: All changes go through the infra repo and Flux. Do not `kubectl apply` to production. Flux will revert manual changes.
- **Development (`privilegedescalation-dev`)**: Agents may `kubectl apply`, `kubectl delete`, and use any mutating commands freely. This namespace is for testing and validation before committing to the infra repo.
- If you need a production infrastructure change, create a PR against the infra repo (or create a Paperclip issue for the agent who owns infra).
## Git Workflow
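Review bot: the new access-model bullets grant agents read-write on the production namespace (`privilegedescalation`) while the same bullet says changes MUST go through Flux, so the production rule is now enforced only by this document, not by RBAC; the text should say that plainly instead of leaning on "Flux will revert manual changes", which only holds for resources Flux manages from the infra repo (a resource created by hand that does not exist in the repo is not something Flux will remove on its own). Suggest either making production read-only for agents so that only the Flux reconciler writes there, or keeping the removed sentence "**The only way to change Kubernetes resources is through the infra repo.**" in the production bullet and restoring the full list of forbidden mutating commands (`kubectl delete`, `kubectl edit`, `kubectl patch`, `kubectl create`, not only `kubectl apply`) that the old "`kubectl` is read-only" bullet carried, since the new production bullet names `kubectl apply` alone.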
@@ -25,6 +25,7 @@ Auto-injected env vars:
| `node` / `npm` / `pnpm` / `npx` | Node.js runtime and package management |
| `python3` | Python scripting |
| `pnpm paperclipai` | Paperclip CLI — issue/agent operations |
| `kubectl` | Kubernetes CLI — read-only cluster-wide, read-write in `privilegedescalation` and `privilegedescalation-dev` |
## Repos
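Review bot: the new `kubectl` row lists production as plain "read-write in `privilegedescalation`", dropping the Flux-only caveat that POLICIES.md attaches to that namespace, so an agent reading only TOOLS.md sees a looser rule than one reading POLICIES.md. Suggest qualifying the row, e.g. appending "(production, Flux-managed: no manual mutations)" after `privilegedescalation` and naming `privilegedescalation-dev` as the only namespace where mutating commands are allowed, or pointing the row at the Kubernetes section of POLICIES.md so the two files cannot drift.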