Tighten Kubernetes policy: kubectl is read-only, Flux is the only write path

- POLICIES.md: explicitly list kubectl as read-only, enumerate banned
  mutating commands (apply, delete, edit, patch, create)
- Groom Book TECH_STACK.md: fixed "read/write access" to "read-only"
  and removed language implying manual kubectl apply is acceptable

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-20 23:37:30 -04:00
parent 10935a9acc
commit d4b984b283
@@ -20,9 +20,9 @@ All releases use **SemVer** (semantic versioning). ArtifactHub requires SemVer f
All infrastructure changes deploy via **Flux GitOps**. Flux reconciles the org's `infra` repo to the cluster automatically.
- **Never `kubectl apply` manually** — commit changes to the infra repo and let Flux reconcile
- **Never modify cluster resources directly** — manual changes will be reverted by Flux on the next reconciliation cycle
- If you need an infrastructure change, create a PR against the infra repo (or create a Paperclip issue for the agent who owns infra)
- **The only way to change Kubernetes resources is through the infra repo.** Commit manifests, push, and Flux deploys. There is no other path.
- **`kubectl` is read-only.** You may use `kubectl get`, `kubectl describe`, `kubectl logs`, etc. for troubleshooting and verification. You may NEVER use `kubectl apply`, `kubectl delete`, `kubectl edit`, `kubectl patch`, `kubectl create`, or any other mutating command. Flux will revert any manual changes.
- If you need an infrastructure change, create a PR against the infra repo (or create a Paperclip issue for the agent who owns infra).
## Git Workflow
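Review bot: the new "`kubectl` is read-only" bullet states the policy but nothing in this hunk says how it is enforced; a documentation sentence alone leaves any credential that already holds write verbs able to run `kubectl delete` or `kubectl patch`, and the bullet's own justification ("Flux will revert any manual changes") only holds for resources declared in the infra repo that Flux reconciles. Suggest adding a short clause such as "enforced by RBAC: the troubleshooting credentials are bound to a role granting only `get`, `list` and `watch`" so the read-only claim is a property of the cluster rather than of the reader. Minor: the enumerated ban list (`apply`, `delete`, `edit`, `patch`, `create`) is followed by "or any other mutating command", which is correct but vague for the commands people reach for during incidents; listing `scale`, `rollout restart`, `label`/`annotate`, `cordon`/`drain` and `exec` alongside the five named would make the boundary unambiguous.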