From d4b984b2839690482eb29a3b939760688be0f54e Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Fri, 20 Mar 2026 23:37:30 -0400 Subject: [PATCH] Tighten Kubernetes policy: kubectl is read-only, Flux is the only write path - POLICIES.md: explicitly list kubectl as read-only, enumerate banned mutating commands (apply, delete, edit, patch, create) - Groom Book TECH_STACK.md: fixed "read/write access" to "read-only" and removed language implying manual kubectl apply is acceptable Co-Authored-By: Paperclip --- POLICIES.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/POLICIES.md b/POLICIES.md index c93dc4f..1da1568 100644 --- a/POLICIES.md +++ b/POLICIES.md @@ -20,9 +20,9 @@ All releases use **SemVer** (semantic versioning). ArtifactHub requires SemVer f All infrastructure changes deploy via **Flux GitOps**. Flux reconciles the org's `infra` repo to the cluster automatically. -- **Never `kubectl apply` manually** — commit changes to the infra repo and let Flux reconcile -- **Never modify cluster resources directly** — manual changes will be reverted by Flux on the next reconciliation cycle -- If you need an infrastructure change, create a PR against the infra repo (or create a Paperclip issue for the agent who owns infra) +- **The only way to change Kubernetes resources is through the infra repo.** Commit manifests, push, and Flux deploys. There is no other path. +- **`kubectl` is read-only.** You may use `kubectl get`, `kubectl describe`, `kubectl logs`, etc. for troubleshooting and verification. You may NEVER use `kubectl apply`, `kubectl delete`, `kubectl edit`, `kubectl patch`, `kubectl create`, or any other mutating command. Flux will revert any manual changes. +- If you need an infrastructure change, create a PR against the infra repo (or create a Paperclip issue for the agent who owns infra). ## Git Workflow
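Review bot: the commit message describes a second change ("Groom Book TECH_STACK.md: fixed 'read/write access' to 'read-only' ...") but the diffstat shows only `POLICIES.md | 6 +++---` with `1 file changed`; either the TECH_STACK.md edit was left out of the patch or the message should drop that bullet, since as-is the Groom Book still states read/write access. Within the hunk itself, the new bullet "**`kubectl` is read-only.**" reads as a statement of fact, but nothing in this patch enforces it; consider wording it as a rule ("`kubectl` must only be used read-only") or adding one sentence saying what backs it (for example that the kubeconfig handed to agents carries a view-only role), otherwise a reader may assume mutating commands are already blocked when the only protection is Flux reverting drift after the fact. The enumerated allow-list (`get`, `describe`, `logs`, "etc.") and deny-list (`apply`, `delete`, `edit`, `patch`, `create`) also leave `kubectl exec`, `kubectl port-forward`, `kubectl scale` and `kubectl rollout` unclassified; "any other mutating command" covers the last two, but `exec` can change running state without touching a manifest, so it is worth naming explicitly on one side or the other.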