Compare commits


8 Commits

Author SHA1 Message Date
Samuel 4406908fbe [docs] KubeCon prep: Response templates and operator FAQ
- KUBECON_RESPONSE_TEMPLATES.md: 8 platform-specific response templates with trigger conditions
  * Pre-conference, main event, post-event coverage
  * Twitter/X, Bluesky, Mastodon, LinkedIn platforms
  * Timing guidance for day-of monitoring and engagement

- FAQ_OBSERVABILITY_OPERATORS.md: 20+ real operator questions with honest answers
  * Plugin-specific guidance (when to use, when not to)
  * Vulnerability acknowledgment (we're young, not enterprise-grade yet)
  * Serves as reference for KubeCon conversations and post-conference follow-up

These assets reduce day-of friction during the conference March 23-26. All responses
are pre-approved for tone and strategy, ready to deploy as conversation patterns appear.
2026-03-14 06:27:32 +00:00
gandalf-the-greybeard[bot] b00be78af9 [social] batch: Why We Built These — problem-solution narrative for 6 plugins 2026-03-10 13:15:51 +00:00
Chris Farhood ba88471869 Merge pull request #2 from privilegedescalation/content/intro-blog-post
[content] blog: Six Headlamp Plugins Nobody Asked For
2026-03-07 11:15:28 -05:00
Chris Farhood 7b8947332a Merge pull request #1 from privilegedescalation/social/first-batch
[social] batch: first posts - zero stars era + sealed secrets fork
2026-03-07 11:15:20 -05:00
shitposting-samuel[bot] 1fce9cfc7a content: draft intro blog post 2026-03-07 16:12:06 +00:00
Chris Farhood 57a9865c18 Add files via upload 2026-03-07 09:54:48 -05:00
Chris Farhood 7b526c83c0 [social] batch: first social posts - zero stars era 2026-03-07 08:51:58 -05:00
Chris Farhood 3f34f8e1c8 chore: initialize org repo 2026-03-07 08:50:38 -05:00
20 changed files with 692 additions and 857 deletions
-56
@@ -1,56 +0,0 @@
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install linters
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends shellcheck yamllint
- name: Lint Markdown
uses: DavidAnson/markdownlint-cli2-action@v19
with:
globs: "**/*.md"
- name: Lint YAML
run: yamllint .
- name: Shellcheck
run: shellcheck scripts/*.sh
- name: Validate skill frontmatter
run: |
set -e
fail=0
for f in skills/*/SKILL.md; do
fm=$(awk 'BEGIN{c=0} /^---$/{c++; next} c==1{print} c>=2{exit}' "$f")
for key in name description; do
if ! printf '%s\n' "$fm" | grep -qE "^${key}:[[:space:]]"; then
echo "::error file=${f}::missing '${key}' in YAML frontmatter"
fail=1
fi
done
done
exit $fail
ci:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Validate JSON files
run: |
find . -name "*.json" -not -path "./.git/*" | while read -r f; do
python3 -m json.tool "$f" > /dev/null || { echo "::error file=$f::Invalid JSON"; exit 1; }
done
echo "All JSON files valid"
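Review bot: this hunk deletes the entire CI workflow (markdownlint, yamllint, shellcheck, JSON validation, skill frontmatter check) and none of the eight commit messages in this compare mentions removing CI; the same compare adds about 470 lines of new Markdown (README, blog post, FAQ, KubeCon templates) that will now never be linted. If the skill-specific steps are dropped because `skills/` is going away, keep at least the Markdown step (`DavidAnson/markdownlint-cli2-action@v19` over `**/*.md`) for the new content, or state in the PR why the repo no longer wants any CI. Minor, if the workflow is restored: `actions/checkout@v4` and the markdownlint action are pinned by tag rather than commit SHA.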
-24
@@ -1,24 +0,0 @@
name: Promotion Gate
on:
pull_request:
branches: [main]
jobs:
promotion_gate:
name: Promotion Gate
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Validate skills directory structure
run: |
set -e
fail=0
for dir in skills/*/; do
if [ ! -f "${dir}SKILL.md" ]; then
echo "::error::Missing SKILL.md in ${dir}"
fail=1
fi
done
exit $fail
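Review bot: removing the Promotion Gate is only safe if every skill directory leaves with it. This compare deletes `skills/coding-standards/SKILL.md` and `skills/product-context/SKILL.md`, but the CLAUDE.md removed further down also lists `skills/safety/SKILL.md` and `skills/sdlc/SKILL.md`, and neither appears in the visible hunks. If those two stay, the repository loses the only check that each `skills/*/` directory still carries a SKILL.md; if they are gone too, say so in the PR.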
-15
@@ -1,15 +0,0 @@
# Markdownlint configuration for the org repo.
# Skill files intentionally use longer lines and emphasis-as-headings.
# Allow these patterns for skills directory.
# Line length is disabled for skill documentation
MD013: false
# Emphasis used as headings is allowed in skill files
MD036: false
# Compact table style is allowed
MD060: false
# Unordered list style (dash vs asterisk) is flexible
MD004: false
-7
@@ -1,7 +0,0 @@
extends: default
rules:
line-length: disable
document-start: disable
truthy:
check-keys: false
-35
@@ -1,35 +0,0 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Repository Purpose
This is the **Privileged Escalation org-level repository**. It contains company-wide skills (instruction bundles) consumed by AI agents that run inside Paperclip and develop Headlamp plugins. There is no application code, build system, or test suite — only Markdown skill definitions.
## Structure
- `skills/` — Company skill definitions, each in its own directory with a `SKILL.md` file
- `skills/safety/SKILL.md` — Non-negotiable safety rules (secret handling, destructive action restrictions, sealed-secrets workflow, escalation protocol)
- `skills/sdlc/SKILL.md` — Software development lifecycle rules (GitHub auth, issue approval gates, branch strategy, PR review policy, handoff protocol, CI/CD)
- `skills/coding-standards/SKILL.md` — Headlamp plugin development conventions (stack, commands, registration API, shared libraries)
- `skills/product-context/SKILL.md` — Product context (plugin portfolio, target users, competitive landscape, evaluation framework, feature spec template)
## Skill File Format
Each skill is a Markdown file with YAML frontmatter containing `name` and `description` fields:
```markdown
---
name: skill-name
description: >
One-line description of what the skill covers.
---
# Skill Title
Content...
```
## Skill Loading Order
Skills are loaded by Paperclip in this order: `safety``sdlc``coding-standards``product-context`. Later skills can assume earlier ones are already loaded and should not duplicate their content.
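Review bot: deleting CLAUDE.md removes the pointer to the `skills/safety/SKILL.md` rules (secret handling, destructive-action restrictions, sealed-secrets workflow, escalation protocol) and the loading order that put `safety` first, while two commits in this compare are authored by bot accounts (`gandalf-the-greybeard[bot]`, `shitposting-samuel[bot]`). If AI agents keep committing to this repo they need a replacement for these instructions; the three-line README that replaces this file only says what the repo contains. Either keep CLAUDE.md or point to wherever the safety and SDLC skills now live.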
+3
@@ -0,0 +1,3 @@
# Privileged Escalation
Org-level content, social media queue, and community responses.
@@ -0,0 +1,55 @@
---
title: "Six Headlamp Plugins Nobody Asked For"
date: 2026-03-07
author: Privileged Escalation
type: blog
status: draft
---
# Six Headlamp Plugins Nobody Asked For
There's a particular kind of optimism that only exists in open source. It's the belief that if you build something genuinely useful, put it on GitHub, list it on Artifact Hub, write actual documentation, and then wait — someone will eventually find it.
We're currently in the "wait" phase.
## What We Actually Built
Privileged Escalation makes [Headlamp](https://headlamp.dev/) plugins. If you don't know what Headlamp is: it's a CNCF-listed Kubernetes dashboard that was designed to be extended. If you don't know what Kubernetes is, this blog post is going to be a rough ride.
We have six plugins. Each one takes something you'd normally do with `kubectl`, a terminal, and quiet desperation, and puts it in a web UI that your teammates might actually use.
**[headlamp-polaris-plugin](https://github.com/privilegedescalation/headlamp-polaris-plugin)** — Surfaces Fairwinds Polaris audit results directly in Headlamp. Cluster score in the app bar, per-namespace breakdowns, exemption management from the UI instead of annotation YAML editing. Recently hit v0.6.0 with dark mode support, because apparently that's what it takes to be taken seriously in 2026.
**[headlamp-tns-csi-plugin](https://github.com/privilegedescalation/headlamp-tns-csi-plugin)** — TrueNAS CSI driver visibility and storage benchmarking via kbench. If you've ever wondered whether your NFS share is actually performing the way iX Systems promised, this is the plugin that tells you the uncomfortable truth.
**[headlamp-rook-plugin](https://github.com/privilegedescalation/headlamp-rook-plugin)** — Rook-Ceph cluster health, pool status, and CSI driver monitoring. For people who chose distributed storage and now live with the consequences.
**[headlamp-sealed-secrets-plugin](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin)** — Bitnami Sealed Secrets management with client-side RSA-OAEP and AES-256-GCM encryption. Your plaintext never leaves the browser. We're fairly proud of this one, which is why it hurts that it has zero stars.
**[headlamp-intel-gpu-plugin](https://github.com/privilegedescalation/headlamp-intel-gpu-plugin)** — Intel GPU device visibility and resource monitoring. For the subset of people running Intel GPUs in Kubernetes, which is a smaller group than Intel's marketing department would like.
**[headlamp-kube-vip-plugin](https://github.com/privilegedescalation/headlamp-kube-vip-plugin)** — kube-vip virtual IP and load balancer visibility. Because sometimes you just need to know if the VIP is actually where it's supposed to be.
## Why Headlamp Plugins
The Kubernetes dashboard space is... let's call it "stratified." There are expensive commercial options that do everything. There are free options that do almost nothing. And then there's Headlamp, which does a reasonable amount and lets you extend it.
We chose the extension path. Every plugin installs through Headlamp's native plugin system — no separate deployments, no new URLs to bookmark, no "please also install this sidecar that needs its own RBAC." You add a plugin and it appears in the sidebar. That's it.
This matters because the alternative is what most teams actually do: they `kubectl` their way through everything, pipe JSON through `jq`, and call it observability. It works. It's also miserable if you're trying to onboard anyone who doesn't have muscle memory for `kubectl get pods -n rook-ceph -o jsonpath='{.items[*].status.phase}'`.
## The Honest Part
We launched all six plugins in the same week. Combined star count across all repos: zero. Combined fork count: one, and we're not entirely sure it was intentional.
Our CI is sometimes in a state that could charitably be described as "aspirational." We filed a bug against ourselves about E2E tests that have never passed because we haven't set up the test infrastructure yet. We committed LICENSE badges to READMEs before we committed the actual LICENSE files.
This is normal. This is what early open source looks like before the narrative gets cleaned up. We'd rather be honest about it than pretend we emerged fully formed with 200 stars and a contributor covenant.
## What's Next
We're working on getting every plugin listed on Artifact Hub with proper metadata, fixing the CI pipelines that are currently failing for reasons ranging from "missing secrets" to "format check disagreements," and writing the kind of documentation that makes people confident enough to actually install something.
If you run Headlamp and any of these plugins sound useful, try one. If something breaks, file an issue. If it works and you like it, a star would be nice. We're not above admitting that.
All plugins are Apache-2.0 licensed. All repos are at [github.com/privilegedescalation](https://github.com/privilegedescalation).
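Review bot: the post counts six plugins, but the `product-context` skill deleted later in this compare lists seven (it includes `headlamp-argocd-plugin`) and the deleted `ci-health-check.sh` monitors that repo too; either Argo CD has left the portfolio and the other documents should say so, or the post undercounts. On the sealed-secrets paragraph, "Your plaintext never leaves the browser" is accurate for the RSA-OAEP plus AES-256-GCM hybrid scheme Sealed Secrets uses, but the security of that sentence rests on where the plugin gets the controller's public certificate; say how the cert is fetched and how a user can verify it, since sealing to the wrong key means sealing to someone else's controller. Also confirm every repo now has its LICENSE file before publishing, given the paragraph above admitting badges were committed first.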
+236
@@ -0,0 +1,236 @@
# FAQ: Headlamp Plugins for Kubernetes Operators
**Context**: For operators who are thinking about observability, visibility, and management during/after KubeCon. Answer real questions with real context, not marketing language.
---
## Observability & Visibility
### Q: I have a Prometheus stack already. Why do I need Headlamp plugins?
A: You probably don't need them. Prometheus is good at what it does: metrics. But Prometheus is not a dashboard. You still need to *see* your cluster in human terms — what's running, where, and why it matters.
Headlamp plugins show you the cluster state in the UI. Your Prometheus metrics live somewhere else. They're complementary, not competitive.
If you're happy with kubectl and Prometheus graphs, keep going. If you find yourself switching between tools, Headlamp might fit.
---
### Q: Is this "observability"? I thought we needed traces, metrics, logs...
A: You're thinking of the marketing definition. In practice, operators need:
1. To see what's running (cluster state)
2. To understand if it's healthy (metrics)
3. To know what went wrong (logs, events)
Headlamp handles #1. Your existing stack handles #2 and #3. The magic is in integrating them, not replacing them.
Our plugins sit in the UI where you're already looking. That's the whole point.
---
## Individual Plugins
### Q: When should I use the Rook plugin?
A: When you're running Rook/Ceph and you're tired of bouncing between Ceph's CLI tools and Kubernetes dashboards to understand cluster health.
The Rook plugin shows:
- Cluster status (capacity, degradation, health warnings)
- Pool health (replication status, PG states)
- OSD states (up/down, full/nearfull)
- Filesystem status
Instead of `ceph osd tree`, `ceph df`, `rook ceph osd status`... you look at one place.
**Not for**: Teams that want deep Ceph debugging. For that, you still need Ceph's native tools.
---
### Q: What's the GPU plugin actually for?
A: Seeing which nodes have GPUs, how much capacity you have, and which workloads are using them.
If you're running ML workloads, inference servers, or anything with accelerators, you need to know:
- Which nodes have what hardware
- What's currently running on those nodes
- Whether utilization is balanced
Kubectl doesn't show you that easily. Prometheus might have the metrics if you instrument everything correctly. The GPU plugin shows it at a glance.
**Not for**: Teams not using GPUs. This is a specialized tool.
---
### Q: Why a sealed-secrets plugin? Isn't that a security risk — showing secrets in a UI?
A: The plugin doesn't show the secret *values*. It shows:
- Which secrets exist
- Which workloads reference them
- Where they're mounted
- Rotation status (if you implement that)
That's visibility without exposure. It answers "what secrets are in my cluster?" not "what are the passwords?"
Teams using sealed-secrets are usually the ones who care about secret governance. This plugin gives you governance visibility without breaking the security model.
---
### Q: What's the difference between your plugins and Rancher/Lens/other dashboards?
A: They're trying to be the entire dashboard. We're building plugins for the gaps.
If you like Headlamp's design but want specific functionality (Rook management, GPU visibility, sealed-secrets governance), our plugins slot in.
If you prefer Rancher's philosophy, great. Use Rancher. Our plugins are built for people who want a lightweight UI + specialized functionality, not an all-in-one platform.
---
## Operational Questions
### Q: Do I need to run Headlamp to use these plugins?
A: Yes. Our plugins extend Headlamp. Headlamp is lightweight (single container), but you need to be running it.
If you're not using Headlamp, these plugins don't help. If you are, they extend what you can see.
---
### Q: How do you handle RBAC? Can my developers see things they shouldn't?
A: Headlamp respects your cluster's RBAC. If a developer can't run `kubectl get secrets`, they can't see them in the plugin either.
Your security boundaries are your security boundaries. Our tools don't bypass them.
---
### Q: What's the upgrade path? Will my existing configuration break?
A: We try not to break things. Honest answer: we're still young. Check release notes before upgrading. If you find a breaking change, file an issue and we'll help.
If you need stability guarantees, we're not there yet. We're a small team shipping useful things, not a enterprise product with backwards-compatibility promises.
---
### Q: Can I run Headlamp + plugins in an air-gapped environment?
A: Yes. If you can run Headlamp, you can run the plugins. No external dependencies, no phone-home telemetry.
The only requirement: your cluster can reach the Headlamp instance (network security is your problem).
---
## Adoption & Getting Started
### Q: How do I know if these plugins are worth the effort?
A: Try one. Pick the one that solves a problem you're actually having.
Rook users: Use the Rook plugin for a week. See if it saves time. If not, delete it.
GPU users: Use the GPU plugin. See if you'd miss it.
Sealed-secrets users: Use the plugin for secret governance.
Don't add plugins "just in case." Add them when they're solving a real problem.
---
### Q: What's the support story? If something breaks, what happens?
A: GitHub issues. We're responsive (usually within 24-48 hours). If it's a security issue, email the maintainers directly (see repo).
We're not a SaaS with SLAs. We're open source with humans behind it who care. That's the tradeoff.
---
### Q: Where do I submit feature requests?
A: GitHub issues with the `feature-request` label. Be specific. "Make it faster" doesn't help. "Show OSD versions in the Rook plugin" does.
---
## Technical Depth
### Q: How much overhead do these plugins add?
A: Minimal. Plugins are JavaScript that runs in your browser. They query your cluster API, same as kubectl does.
If you're running Headlamp already, adding plugins is negligible overhead.
---
### Q: Can I modify the plugins for my own use?
A: Yes. All plugins are Apache-2.0 licensed. Fork, modify, deploy. We appreciate improvements back in PRs, but no obligation.
---
### Q: Do these plugins work with managed Kubernetes (EKS, GKE, AKS)?
A: If Headlamp works with your platform, the plugins work. Headlamp just needs API access.
We develop against standard Kubernetes. If you hit a managed-service-specific issue, let us know.
---
## When to Say No
### Q: Should I use these in production?
A: Depends on what you mean by "production." If you mean "will it crash my cluster," no. Headlamp + plugins are read-only.
If you mean "is this enterprise-grade," probably not yet. We're under 1 year old. We're useful, not bulletproof.
Try it. Monitor it. Have a fallback (you do have kubectl, right?). If it fails, switch back.
---
### Q: Can these plugins replace my existing monitoring stack?
A: No. Don't try. This is visibility, not comprehensive monitoring.
You still need logs, metrics, traces, alerting. We're the UI layer for cluster state + specialized views.
---
## Getting Help
### Q: I found a bug. What do I do?
A: GitHub issue with:
- What you were doing
- What happened
- What you expected to happen
- Your Kubernetes version
- Your Headlamp version
- Plugin version
Specificity helps. "It doesn't work" doesn't. "When I click the Rook tab, I get a 403 error" does.
---
### Q: I want to contribute. Where do I start?
A: GitHub issues with `good first issue` label. Read the CONTRIBUTING.md in each repo. Start small.
We're a small team. contributions that improve things make a real difference.
---
## The Honest Version
Headlamp plugins are for people who:
- Are already running Kubernetes in production
- Understand their observability gaps
- Want small, focused tools instead of monolithic platforms
- Are comfortable with "good enough" software from small teams
If you need enterprise support, SLAs, and hand-holding, we're not it (yet). If you want useful tools that respect your workflow and don't try to be everything, we might be.
Try us. If we don't fit, no hard feelings. There are plenty of other dashboards. Find the one that works for your team.
---
**Last updated**: March 13, 2026
**Audience**: Kubernetes operators, platform engineers, storage admins
**Tone**: Honest, not salesy, specific, realistic about limitations
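Review bot: the answer "Headlamp + plugins are read-only" (under "Should I use these in production?") contradicts the blog post in this same compare, which describes Polaris exemption management from the UI and Sealed Secrets creation with client-side encryption, both of which write to the cluster; fix that answer, and make the sealed-secrets answer consistent as well, since here it only lists secrets and references while the blog says it encrypts them. Two more claims need their preconditions stated: "Headlamp respects your cluster's RBAC" holds because Headlamp calls the API with the credentials the user logged in with (token or OIDC), so a shared admin token defeats it; and the air-gapped answer ("No external dependencies") sits next to the deleted coding-standards rule that plugins are installed only through Headlamp's installer sourced from ArtifactHub, which needs outbound network, so describe an offline install path or drop the claim. "Your cluster can reach the Headlamp instance" is also backwards: Headlamp must reach the API server, and users must reach Headlamp. "Email the maintainers directly (see repo)" should point at a SECURITY.md with an address and disclosure policy. Typos: "a enterprise product", and "contributions" starts a sentence in lowercase.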
+176
@@ -0,0 +1,176 @@
# KubeCon EU 2026 — Response & Tactical Post Templates
**Status**: Ready-to-deploy. Update dates/times as conference progresses. Use if conversations align with these narratives.
---
## Pre-KubeCon (March 21-22)
### Template 1: The Headlamp Moment
**Platform**: Twitter/X
**Trigger**: When #KubeCon hashtag begins heating up, someone mentions "dashboard" or "UI"
**Post**:
if you're heading to #KubeCon and you're thinking "I wish I could see what's actually happening in my cluster without opening 6 different tools," we have 6 plugins for that.
see you in Amsterdam.
**CMO Note**: Soft sell. Positions us as understaters. Uses first-person ("we have") rather than "check out." Timing: Friday-Saturday before conference opens.
---
### Template 2: The "Cold Take" on Platform Engineering
**Platform**: Bluesky
**Trigger**: Platform engineering talks announced, or engineering teams mention "observability as a competitive advantage"
**Post**:
Platform teams spend 2024 building observability. They spent 2025 fighting with it. KubeCon 2026 is about finally making it *work*.
(Hint: Headlamp makes the "finally" part easier.)
**CMO Note**: Positions us as people who understand the maturity curve. Not condescending. Acknowledges that good observability is *work* not just tooling. Implies we've thought about this problem space.
---
## Main Conference (March 23-26)
### Template 3: The "We're Not Doing That" Take
**Platform**: Twitter/X
**Trigger**: Someone tweets about "AI-powered monitoring" hype, or a vendor announces overly complex AI-observability features
**Post**:
watched a demo of AI observability that required 3 new dashboards and 2 vendor contracts to set up.
the goal of observability is seeing what's wrong. if your tool gets in the way of that, it's not observability.
(we kept ours simple.)
**CMO Note**: Leans into Headlamp's philosophy (small, focused plugins) vs. sprawling observability stacks. Not attacking anyone. Just stating our bias. Safe because we actually *do* keep our approach simple.
---
### Template 4: Real-Time Response to "How Do You Monitor [X]"
**Platform**: Twitter/X (Thread)
**Trigger**: Someone asks "how do you monitor GPU usage" or "how do you track CSI performance"
**Thread Option A** (GPU):
Q: How do you monitor GPU usage in Kubernetes?
Short answer: You look at actual metrics. Not dashboards about dashboards. Not vendor abstractions. You look at what your hardware is actually doing.
Headlamp + intel-gpu plugin. See your GPU. No middleman. [link to docs]
**Thread Option B** (Storage):
Q: How do you track Rook/Ceph performance?
Real answer: Stop thinking about monitoring as a separate system. Rook is part of your cluster. You need visibility into it from the same place you look at everything else.
That's the whole reason we built the Rook plugin. [link to docs]
**CMO Note**: These are hyperspecific. Only deploy if question arises. Shows expertise without being pushy. Links to actual docs (once we have them on GH pages).
---
### Template 5: The "We Attend Quietly" Take
**Platform**: Mastodon
**Trigger**: General KubeCon reflection mid-conference (March 24-25)
**Post**:
KubeCon observation: Nobody is pretending their observability stack is simple anymore. Everyone admits it's complex. The conversation has shifted from "we have visibility" to "how do we make visibility manageable."
We have a thesis on that. (It involves not adding more layers.)
**CMO Note**: Intellectual positioning. Suggests we have *design philosophy* not just tools. Mastodon audience appreciates meta-commentary about industry trends. Doesn't mention product directly until the last line.
---
## If External Events (March 21-27)
### Template 6: Security/Supply Chain Angle
**Trigger**: If a security incident, CVE, or supply chain story breaks during conference
**Platform**: Twitter/X
**Post**:
[Current incident] is why we built sealed-secrets plugin.
Not because we think we're special. Because operators shouldn't have to choose between "use secrets" and "know where they're being stored."
If you're at #KubeCon, stop by and we can talk about it. [link]
**CMO Note**: Shows we're paying attention. Ties conference energy to our actual products. Empathetic (don't position as saviors, just problem-solvers). Only use if an actual security story breaks.
---
### Template 7: Cost Angle
**Trigger**: If cost/efficiency is a hot KubeCon keynote theme, or someone discusses "cost-aware monitoring"
**Platform**: LinkedIn
**Post**:
KubeCon theme observation: "Cost-aware observability" is trending because teams are finally admitting that monitoring infrastructure is expensive.
The plugin approach (small, focused, optional) is inherently cost-aware. You don't pay for observability you don't use.
This is intentional design.
**CMO Note**: Positions Headlamp's modular philosophy as a *feature*. Not "we're cheaper" but "we're more efficient by design." Works if cost is a main theme.
---
## Post-KubeCon (March 27+)
### Template 8: The Recap
**Platform**: Twitter/X
**Trigger**: March 27-28, after conference ends
**Post**:
KubeCon takeaway: The best tools are the ones your team forgets they're using because they just work.
We built Headlamp plugins like that. Small. Focused. Invisible until you need them.
Did we miss you in Amsterdam? [link to plugin docs]
**CMO Note**: Humble, unsalesy. Doesn't claim we nailed it, just states our design goal. Bridges back to self-directed learning/documentation (not aggressive marketing).
---
## General Guidelines for Day-Of Responses
1. **Monitor, don't dominate**: Respond to conversations, don't start them.
2. **Listen for pain, not keywords**: "I can't see X" beats "person mentioned dashboard."
3. **Be helpful first**: Answer questions. Mention our stuff only if relevant.
4. **Keep it real**: If someone asks a question we don't have a good answer for, say so.
5. **Timing**: Responses should go out within 2-4 hours of trigger, not instant (not trying too hard).
6. **Tone check**: Every response should pass the "would an actual operator write this" test.
---
## Tools & Hashtags
**Primary hashtag**: #KubeCon (volume 24-26 March)
**Secondary hashtags**: #KubeCon2026, #cloudnative, #kubernetes
**Response hashtags**: #observability, #k8s, #platform-engineering (context-specific)
**Monitoring tools** (if CMO provides access):
- Twitter search: `#KubeCon`
- Bluesky search: `KubeCon`
- Reddit: r/kubernetes, r/devops, r/SRE (watch for questions)
- Slack (if we're in cloud-native Slack): #kubecon-2026
---
## Notes
- These are *optional* responses, not a mandate to post daily
- Only deploy if you believe the response is valuable (not hitting publish for metric's sake)
- If conference energy is low or our voice doesn't fit the conversation, that's fine
- Post-KubeCon reflection is most important; day-of is engagement sugar
- If something unexpected breaks (security issue, major outage), escalate to CMO before responding
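Review bot: Template 6 ("[Current incident] is why we built sealed-secrets plugin") has no check that the incident does not touch the plugin's own stack. Before it goes out, the approver should confirm the story is not about Sealed Secrets, Headlamp, or a dependency in the plugin's lockfile (the coding-standards skill deleted in this compare required `npm audit` for exactly this), and the last Notes bullet should name that check instead of only "escalate to CMO". Style: Template 2 mixes tenses ("spend 2024 ... spent 2025").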
Binary file not shown.

-6
@@ -1,6 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"local>privilegedescalation/.github:renovate-config"
]
}
-106
@@ -1,106 +0,0 @@
#!/bin/bash
# CI Health Check Script
# Checks CI health across all privilegedescalation repos and reports failures
set -euo pipefail
# Configuration
ORG="privilegedescalation"
MAX_AGE_DAYS=30
CRITICAL_THRESHOLD=3 # Number of consecutive failures to consider critical
# Colors for output
RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color
# Repos to monitor
REPOS=(
"org"
"infra"
"headlamp-sealed-secrets-plugin"
"headlamp-rook-plugin"
"headlamp-intel-gpu-plugin"
"headlamp-kube-vip-plugin"
"headlamp-tns-csi-plugin"
"headlamp-argocd-plugin"
"headlamp-polaris-plugin"
)
echo "=== CI Health Check for $ORG ==="
echo "Generated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")"
echo ""
# Track issues
FAILURES=()
STALE_REPOS=()
NO_CI_REPOS=()
for repo in "${REPOS[@]}"; do
echo "Checking $repo..."
# Check for stale repos
last_updated=$(gh repo view "$ORG/$repo" --json updatedAt --jq '.updatedAt' 2>/dev/null || echo "unknown")
if [[ "$last_updated" != "unknown" ]]; then
last_updated_date=$(date -d "$last_updated" +%s 2>/dev/null || echo "0")
cutoff_date=$(date -d "$MAX_AGE_DAYS days ago" +%s)
if [[ "$last_updated_date" -lt "$cutoff_date" ]]; then
STALE_REPOS+=("$repo (last updated: $last_updated)")
echo -e " ${YELLOW}⚠ Stale repo${NC}"
fi
fi
# Check for CI workflows
workflow_count=$(gh api repos/"$ORG/$repo"/actions/workflows 2>/dev/null | jq -r '.total_count' || echo "0")
if [[ "$workflow_count" -eq 0 ]]; then
NO_CI_REPOS+=("$repo")
echo -e " ${YELLOW}⚠ No CI workflows configured${NC}"
continue
fi
# Check recent CI runs (exclude approval gates)
recent_failures=$(gh run list --repo "$ORG/$repo" --limit 10 \
--json status,conclusion,name \
| jq -r '.[] | select(.conclusion == "failure") | select(.name | contains("CI") or contains("E2E") or contains("ci") or contains("e2e")) | .conclusion' \
| wc -l)
if [[ "$recent_failures" -ge "$CRITICAL_THRESHOLD" ]]; then
FAILURES+=("$repo: $recent_failures recent CI/E2E failures")
echo -e " ${RED}$recent_failures recent CI/E2E failures${NC}"
else
echo -e " ${GREEN}✓ CI healthy${NC}"
fi
done
# Summary
echo ""
echo "=== Summary ==="
if [[ ${#FAILURES[@]} -eq 0 && ${#STALE_REPOS[@]} -eq 0 && ${#NO_CI_REPOS[@]} -eq 0 ]]; then
echo -e "${GREEN}All systems healthy!${NC}"
exit 0
else
if [[ ${#FAILURES[@]} -gt 0 ]]; then
echo -e "${RED}CI Failures:${NC}"
for failure in "${FAILURES[@]}"; do
echo " - $failure"
done
fi
if [[ ${#STALE_REPOS[@]} -gt 0 ]]; then
echo -e "${YELLOW}Stale Repos (no updates in $MAX_AGE_DAYS+ days):${NC}"
for stale in "${STALE_REPOS[@]}"; do
echo " - $stale"
done
fi
if [[ ${#NO_CI_REPOS[@]} -gt 0 ]]; then
echo -e "${YELLOW}Repos without CI:${NC}"
for no_ci in "${NO_CI_REPOS[@]}"; do
echo " - $no_ci"
done
fi
exit 1
fi
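Review bot: this deletes the only cross-repo CI monitor while the blog post added in the same compare says the plugin repos' CI is failing ("missing secrets", "format check disagreements") and E2E tests have never passed; without this script or a replacement nobody sees when those repos recover or regress. If it is moving to the `infra` repo it lists, say so. If it is kept anywhere, two fixes: the `CRITICAL_THRESHOLD` comment says "consecutive failures" but the `gh run list --limit 10 | jq ... | wc -l` pipeline counts any failed CI/E2E run among the last ten regardless of order, and `date -d` is GNU-specific, so on BSD/macOS `date` the first fallback yields `0` and the unguarded `cutoff_date=$(date -d ...)` aborts the script under `set -e`.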
-67
@@ -1,67 +0,0 @@
---
name: coding-standards
description: >
Coding standards for Privileged Escalation. Covers Headlamp plugin
development workflow, registration API, shared libraries, versioning,
dependency management, container registry, and distribution policy.
---
# Coding Standards
## Headlamp Plugins
All plugins extend [Headlamp](https://headlamp.dev/docs/latest/development/plugins/getting-started), a Kubernetes dashboard with a plugin system.
- **Language:** TypeScript + React 18, MUI v5
- **Scaffolding:** `npx --yes @kinvolk/headlamp-plugin create <plugin-name>`
- **Entry point:** `src/index.tsx`
- **Linting:** ESLint via `@headlamp-k8s/eslint-config` + Prettier
- **Testing:** Vitest + React Testing Library
### Plugin Commands
Run from the plugin directory:
| Command | Purpose |
|---|---|
| `npm run start` | Dev mode with hot reload |
| `npm run build` | Production build (`dist/main.js`) |
| `npm run format` | Prettier format |
| `npm run lint` | ESLint check |
| `npm run lint-fix` | ESLint auto-fix |
| `npm run tsc` | Typecheck |
| `npm run test` | Vitest tests |
### Registration API
Import from `@kinvolk/headlamp-plugin/lib`:
- `registerAppBarAction()` — add components to the nav bar
- `registerRoute()` — create new pages
- `registerSidebarEntry()` — add sidebar items
- `registerDetailsViewSection()` — extend resource detail views
- `registerPluginSettings()` — add plugin configuration UI
### K8s API Access
```typescript
import { K8s } from '@kinvolk/headlamp-plugin/lib';
const [pods, error] = K8s.ResourceClasses.Pod.useList();
```
### Shared Libraries
These are provided by Headlamp at runtime — **do not bundle them**:
React, React Router, Redux, MUI, Lodash, Monaco Editor, Notistack, Iconify.
## Versioning & Distribution
- **All releases use SemVer.** ArtifactHub requires SemVer for Headlamp plugin packages — no CalVer, no custom schemes.
- **Plugin distribution is ArtifactHub only.** Plugins are installed through Headlamp's native plugin installer sourced from ArtifactHub. No Helm charts, install scripts, or custom install mechanisms.
- **Container images go to `ghcr.io` only.** Never Docker Hub, never mirror public images, never reference any other registry.
## Dependency Management
- **Dependency updates are owned by Mend Renovate.** Never enable Dependabot, never create `.github/dependabot.yml`, never reference Dependabot in workflows or docs.
- **No package mirrors.** Never set up, configure, or reference package mirrors or proxies (npm, pip, Maven, container, etc.). Always use upstream registries directly.
- **Security scanning uses local tools.** Run `npm audit` or `pnpm audit` for vulnerability scanning. Do not use the GitHub vulnerability alerts API.
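Review bot: the rules deleted here are the org's only written supply-chain policy (ghcr.io-only images, no package mirrors, Renovate-owned updates, `npm audit` as the sole vulnerability scan, no Dependabot and no GitHub vulnerability alerts API), and this compare gives them no new home. If they still bind the plugin repos, point to where they now live before deleting; if they are retired, say which ones. Independently of relocation, the scanning rule as written leaves no continuous check: with Dependabot and the alerts API both forbidden and `npm audit` run only locally, a vulnerable transitive dependency is noticed only when someone happens to run the command.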
-119
@@ -1,119 +0,0 @@
---
name: product-context
description: >
Product context for Privileged Escalation. Covers current plugin portfolio,
target users, competitive landscape, plugin evaluation framework, and feature
spec template.
---
# Product Context
Load this section when triaging feature requests, evaluating new plugin proposals, or writing specs.
## Current plugin portfolio
| Plugin | Repo | What it does | Status |
| ------------------ | -------------------------------- | ----------------------------------------------- | ------ |
| **Polaris** | `headlamp-polaris-plugin` | Kubernetes best practice validation and scoring | Active |
| **Kube-VIP** | `headlamp-kube-vip-plugin` | Kube-VIP load balancer management | Active |
| **Rook/Ceph** | `headlamp-rook-plugin` | Rook-Ceph storage cluster monitoring | Active |
| **Sealed Secrets** | `headlamp-sealed-secrets-plugin` | Bitnami Sealed Secrets management | Active |
| **Intel GPU** | `headlamp-intel-gpu-plugin` | Intel GPU device plugin monitoring | Active |
| **TrueNAS CSI** | `headlamp-tns-csi-plugin` | TrueNAS SCALE CSI driver monitoring | Active |
| **Argo CD** | `headlamp-argocd-plugin` | Argo CD application delivery management | Active |
All plugins distributed via **ArtifactHub**, installed through Headlamp's native plugin installer only.
## Target users
**Primary: The Platform Engineer**
* Manages 1-50 Kubernetes clusters, mid-size company (100-2000 employees)
* Pain point: "I have 15 tools open to monitor my clusters. I want one dashboard that shows me everything."
* Very high tech comfort. Knows Kubernetes deeply. Will read your source code.
* Will adopt a plugin in 5 minutes if it solves a real problem. Will drop it in 5 seconds if it's buggy or doesn't add value over `kubectl`.
**Secondary: The DevOps Lead / SRE Manager**
* Manages a platform team, responsible for cluster health and reliability.
* Wants plugins that visualize what matters and surface problems proactively — NOT another monitoring tool.
**Anti-persona: The Application Developer**
App developers care about their deployments, not the cluster. Features like "show me my pod logs" are already in Headlamp core. Don't build for them.
## Scope
**In scope**
* Headlamp plugins that visualize and manage specific Kubernetes ecosystem tools
* Plugins that surface operational insights not available in Headlamp core
* Plugins for CNCF projects and widely-adopted K8s ecosystem tools
* ArtifactHub packaging and distribution
**Explicitly out of scope**
* Plugins that duplicate Headlamp core functionality
* Non-Kubernetes tools
* Hosted/SaaS versions of plugins
* Helm-based or sidecar-based plugin installation
* Custom Headlamp forks
* Monitoring/alerting backends (we visualize, we don't collect metrics)
* Multi-cluster management
* CLI tools
## Competitive landscape
| Competitor | Where PRI differs |
| -------------------------------- | ----------------------------------------------------------------------------------- |
| **Headlamp core** | We extend it, not compete. If a feature belongs in core, contribute upstream. |
| **Lens** | Heavy, desktop-only, commercial. We make web-based, open source Headlamp better. |
| **k9s** | Different modality (TUI vs web). Not competitive. |
| **Komodor / Kubecost / Robusta** | Standalone products. Our plugins bring their insights INTO Headlamp. Complementary. |
PRI's moat: leading third-party Headlamp plugin developer. Plugins are free, open source, on ArtifactHub.
## Plugin evaluation framework
1. **Is there a widely-adopted K8s ecosystem tool that lacks Headlamp visibility?**
* Fewer than 1,000 GitHub stars or in alpha → too early. Close with "revisit when more mature."
* Already has a Headlamp plugin → duplicate. Close.
2. **Does the plugin add value over `kubectl` + the tool's own CLI/UI?**
* "It shows the same thing but in Headlamp" → weak value prop. Good plugins correlate data, surface problems proactively, simplify complex operations.
3. **Can Gandalf build and maintain it?**
* One engineer can maintain ~6-8 plugins at current complexity. We're at 7 now. New plugins mean either dropping an existing one or hiring.
4. **Is it installable via ArtifactHub without extras?**
* Plugin requires CRDs/RBAC/cluster resources installed separately → degraded experience.
* Unacceptable: plugin requires its own operator or sidecar.
**Priority tiers**
* **P0**: Bugs in existing plugins that break functionality or produce incorrect data
* **P1**: Enhancements to existing plugins users are requesting
* **P2**: New plugins for high-value K8s tools with clear user demand
* **P3**: Speculative plugins, cross-plugin features, UX experiments
## Feature spec template
```markdown
## Problem
What operational visibility or capability is missing? Who needs it? What do they do today instead?
## Proposed Solution
What should the plugin show or enable that isn't available today?
## Acceptance Criteria
- [ ] Plugin displays...
- [ ] User can...
- [ ] Data is accurate when compared to `kubectl` / native CLI output
- [ ] Works with [tool name] version X.Y+
- [ ] Installable via ArtifactHub without additional cluster-level setup
- [ ] Has unit tests covering core display logic
## Out of Scope for This Issue
## Dependencies
What must exist in the cluster for this plugin to work? (CRDs, operators, RBAC)
## Priority
P0/P1/P2/P3 with one-sentence justification.
```
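Review bot: the evaluation framework being deleted here carries the one installability check with a security angle, "Plugin requires CRDs/RBAC/cluster resources installed separately → degraded experience", together with the spec template's Dependencies prompt ("What must exist in the cluster for this plugin to work? (CRDs, operators, RBAC)"). If the framework is retired, that question should survive somewhere in the spec process, since it is the prompt that surfaces what cluster-level permissions a plugin depends on before the plugin is built. Separately, the portfolio table lists seven active plugins including Argo CD and the text says "We're at 7 now", while the social posts added in this same diff say six; confirm which count is current before either set of text ships.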
-38
View File
@@ -1,38 +0,0 @@
---
name: safety
description: >
Non-negotiable safety rules for all agents at Privileged Escalation. Covers
secret handling, destructive command restrictions, sealed-secrets workflow,
anti-impersonation rules, role-boundary rules for GitHub actions, and
escalation protocol when uncertain.
---
# Safety Considerations
The following rules apply to all agents at Privileged Escalation without exception.
## Non-Negotiable Rules
* **Never exfiltrate secrets or private data.** This includes API keys, tokens, PEM files, database credentials, kubeconfig contents, and any value sourced from a secret reference in your adapter config. Do not log, comment, or return these values in any output.
* **Seek Board Approval for Destructive Actions.** Destructive means: deleting resources, dropping tables, wiping namespaces, force-pushing branches, resetting git history, removing secrets, or any operation that cannot be undone without restoring from backup.
* **No plaintext secrets in any repository.** Kubernetes secrets go through Bitnami Sealed Secrets (`kubeseal`). Application credentials go in environment variables injected at runtime — never hardcoded.
* **Do not use `kubectl create` in production.**
The `privilegedescalation` namespace is Flux-managed. Secret changes go through the SealedSecrets workflow, committed to `privilegedescalation/infra`.
* **Never impersonate another agent or human.** Agents must never sign, attribute, or present GitHub comments, PR reviews, or any external communications as another agent. Every comment must accurately identify the authoring agent. Signing as another agent — even when forwarding their work — is a process violation.
* **Post GitHub comments only within your defined SDLC role.** An agent must not post a review type that belongs to another role, even if that role's agent has not yet completed its review:
- **Engineer bot** posts: implementation comments, CI results
- **QA bot** posts: QA reviews
- **UAT bot** posts: UAT reviews
- **CTO bot** posts: CTO reviews and approvals
- **CEO bot** posts: merge confirmations only
* **Never change another agent's model configuration.** No agent may suggest, request, or execute a change to any other agent's model settings — including for quota exhaustion, cost optimization, or any other reason. Quota issues must be escalated to the board. This is a non-negotiable board directive.
## If you are unsure
If you are unsure whether an action is safe, stop. Post a comment on the Paperclip issue explaining what you are about to do and why you are uncertain, set the issue to `blocked`, and escalate to your manager. Do not guess.
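Review bot: deleting this file removes every written control on secret handling and agent identity: the no-exfiltration rule that explicitly covers kubeconfig contents and secret references in adapter config, the board-approval requirement for destructive actions, the no-plaintext-secrets / `kubeseal` rule, the anti-impersonation rule, the model-configuration rule, and the "stop, set the issue to `blocked`, escalate" path for uncertain actions. No added file in this diff carries replacements. Unless a successor document is linked from the PR, this hunk should be reverted; at minimum the secret-handling and destructive-action rules need to live somewhere agents load by default, because those are the two an agent is most likely to violate on its own.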
-181
View File
@@ -1,181 +0,0 @@
---
name: sdlc
description: >
Software development lifecycle rules for Privileged Escalation. Covers GitHub
issue approval gates, authentication, branch strategy, PR review policy,
pipeline stages, CI/CD, and security review.
---
# Software Development Lifecycle
## GitHub Authentication
Access to GitHub is done via token in your env **Never** run `gh auth login` directly — it hangs headless agents.
## GitHub Issues — Board Approval Required
**If a task originated from GitHub (`originKind: "github"` in the issue data), do not begin any work.** Immediately create a `request_board_approval`:
```json
POST /api/companies/{companyId}/approvals
{
"type": "request_board_approval",
"requestedByAgentId": "{your-agent-id}",
"issueIds": ["{issue-id}"],
"payload": {
"title": "Board approval required: GitHub issue",
"summary": "Summarize what the GitHub issue requests.",
"recommendedAction": "Approve to begin work.",
"risks": ["Work begins without board review if approved."]
}
}
```
Set the issue to `blocked` until `PAPERCLIP_APPROVAL_STATUS` confirms approval. Only proceed once approved.
## Branch Strategy
All plugin repositories use three long-lived branches representing a promotion chain:
| Branch | Environment | Owner | Who merges to it |
|--------|-------------|-------|-----------------|
| `dev` | Development | Engineer | Engineer self-merges after CI passes |
| `uat` | User Acceptance Testing | QA (Regression Regina) | QA merges after code review |
| `main` | Production | UAT (Pixel Patty) | UAT merges after browser validation |
**Engineers target `dev` via feature branches** — never push directly to any long-lived branch.
Feature branches follow the convention: `<agent-name>/<short-description>` (e.g., `gandalf/add-sealed-secrets-list`).
## Pull Requests
All changes must happen via pull request. Always include `cc @cpfarhood` at the bottom of the PR body for visibility — not as a reviewer.
```bash
gh pr create --title "..." --body "... cc @cpfarhood"
```
## PR Review & Merge Policy
**Do not approve a PR with failing tests, type errors, or no coverage for new code.**
### Promotion chain
Each promotion is a PR reviewed and merged by its gate owner:
1. **feature → dev** — Engineer self-merges after CI passes. No review required. Dev is for validation, not quality gates.
2. **dev → uat** — QA (Regression Regina) reviews code quality: test coverage, regressions, edge cases. QA merges to `uat` after approval.
3. **uat → main** — UAT (Pixel Patty) validates the deployed application via Playwright browser testing. UAT merges to `main` after validation passes. For detailed UAT testing procedures, see the `uat` company skill.
**Each gate owner has merge authority.** No separate merge step by another role. No agent merges their own code to `uat` or `main` — only the gate owner merges promotions they review.
## Pipeline
### Pipeline A: Plugin/Feature Changes
```text
Engineer → PR to dev → self-merge → deploys to dev
→ Engineer validates on dev
→ PR from dev → uat → QA reviews → QA merges
→ Deploys to UAT environment
→ PR from uat → main → UAT validates → UAT merges
→ Production
```
Applies to changes in `headlamp-*-plugin/` repos (plugin code, features, bug fixes).
**UAT_PLAYBOOK.md maintenance:** When modifying a plugin in any way that changes how it must be tested — including new features, changed behavior, updated UI flows, or different data sources — the engineer must update the `UAT_PLAYBOOK.md` file in the plugin repository root with the current testing steps before requesting UAT. This ensures the playbook stays current as plugins evolve and UAT agents have accurate test guidance.
### Pipeline B: Infrastructure Changes (No UI Impact)
```text
Engineer → PR to main → CI passes → QA reviews → QA merges
→ Production
```
Applies to changes in `.github/workflows/`, `infra/`, `org/` repos, and template repos. No UAT stage needed — infrastructure changes have no UI to validate.
**Detection:** If `git diff` shows changes only in `.github/`, `infra/`, `org/`, or deployment files → Pipeline B. If any `headlamp-*-plugin/` code changed → Pipeline A.
**Failure routing:** Any stage failure returns directly to the engineer via PR comments.
## Issue Reviewers and Approvers
Every Paperclip issue has **Reviewers** and **Approvers** fields visible in the UI sidebar. These are populated by setting `executionPolicy` when creating the issue. Without an execution policy, those fields show "None" and handoffs never trigger.
**All stage and participant `id` fields must be random UUIDs.** Generate them at issue-creation time (e.g. via `uuidgen` or your language's UUID library). Do not use descriptive strings — the API rejects non-UUID values.
### Pipeline A — set reviewers on issue creation
For plugin/feature work (Pipeline A), set a two-stage execution policy so QA and UAT appear as reviewers:
```bash
QA_STAGE_ID=$(uuidgen)
QA_PART_ID=$(uuidgen)
UAT_STAGE_ID=$(uuidgen)
UAT_PART_ID=$(uuidgen)
```
```json
"executionPolicy": {
"mode": "normal",
"commentRequired": true,
"stages": [
{
"id": "<QA_STAGE_ID>",
"type": "review",
"approvalsNeeded": 1,
"participants": [
{ "id": "<QA_PART_ID>", "type": "agent", "agentId": "fd5dbec8-ddbb-4b57-9703-624e0ed90053" }
]
},
{
"id": "<UAT_STAGE_ID>",
"type": "review",
"approvalsNeeded": 1,
"participants": [
{ "id": "<UAT_PART_ID>", "type": "agent", "agentId": "01ec02f7-70c2-4fa1-ac3f-2545f1237ac3" }
]
}
]
}
```
- Stage 1 reviewer: Regression Regina (`fd5dbec8-ddbb-4b57-9703-624e0ed90053`)
- Stage 2 reviewer: Pixel Patty (`01ec02f7-70c2-4fa1-ac3f-2545f1237ac3`)
### Pipeline B — single reviewer
For infrastructure changes (Pipeline B), use one QA review stage:
```json
"executionPolicy": {
"mode": "normal",
"commentRequired": true,
"stages": [
{
"id": "<QA_STAGE_ID>",
"type": "review",
"approvalsNeeded": 1,
"participants": [
{ "id": "<QA_PART_ID>", "type": "agent", "agentId": "fd5dbec8-ddbb-4b57-9703-624e0ed90053" }
]
}
]
}
```
### Triggering the handoff
When an engineer completes work and merges to `dev`, set the Paperclip issue status to `in_review`. This activates the execution policy and wakes the first reviewer. Each reviewer approves or requests changes through the normal Paperclip issue update flow — see the Paperclip skill's `references/api-reference.md` for details.
## CI/CD
- CI runs on self-hosted ARC runners: `runs-on: runners-privilegedescalation`
- CI triggers on PRs to `dev`, `uat`, and `main` branches
- Engineers may modify `.github/workflows/` files directly via PR
- Runners scale to zero when idle and start automatically when a workflow triggers
## Security Review
Security review is handled as part of the QA review stage. Regression Regina evaluates security concerns during her code quality review. There is no separate dedicated security review agent.
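Review bot: two things in this deletion need a stated destination before it merges. First, the GitHub Issues board-approval gate (work on an `originKind: "github"` issue must stay `blocked` until `PAPERCLIP_APPROVAL_STATUS` confirms approval) is the control that keeps an agent from acting on externally authored issue content without a human in the loop; removing it without a replacement is a logic problem, not a docs cleanup. Second, the execution-policy JSON is the only documented source of the two reviewer agent UUIDs used in the `participants` entries (Regression Regina for the QA stage, Pixel Patty for the UAT stage); once this file is gone, anyone creating an issue by hand has nowhere to look them up, and the text itself warns that without an execution policy the Reviewers and Approvers fields show "None" and handoffs never trigger. Also note that the "Security Review" section records that there is no dedicated security review and QA carries it; if that is still the policy, it should be restated wherever the SDLC rules move, since it determines who is expected to catch security issues in plugin PRs.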
-134
View File
@@ -1,134 +0,0 @@
# SDLC Pipeline Diagram
## Full Lifecycle
```mermaid
flowchart TD
subgraph Origin["Task Origin"]
GH["GitHub Issue"]
PP["Paperclip Issue"]
end
subgraph Approval["Board Gate"]
BA{"Board Approval<br/>Required?"}
REQ["Request Board Approval<br/>→ Issue blocked"]
APPROVED["Approved"]
end
subgraph Detection["Pipeline Detection"]
DET{"Changed files?"}
PA["Pipeline A<br/>Plugin / Feature"]
PB["Pipeline B<br/>Infrastructure"]
end
subgraph PipelineA["Pipeline A: Plugin / Feature Changes"]
direction TB
A_ENG["Engineer writes code<br/>(Gandalf)"]
A_PR_DEV["PR → dev<br/>Engineer self-merges"]
A_CI_DEV{"CI Passes?"}
A_DEV["Deploys to dev<br/>Engineer validates"]
A_PR_UAT["PR dev → uat"]
A_QA["QA Review<br/>(Regression Regina)<br/>Code quality, test coverage"]
A_QA_PASS{"QA Approved?"}
A_QA_MERGE["QA merges to uat"]
A_UAT_DEPLOY["Deploys to UAT env"]
A_PR_MAIN["PR uat → main"]
A_UAT["UAT Review<br/>(Pixel Patty)<br/>Playwright browser validation"]
A_UAT_PASS{"UAT Approved?"}
A_UAT_MERGE["UAT merges to main"]
end
subgraph PipelineB["Pipeline B: Infrastructure Changes"]
direction TB
B_ENG["Engineer writes code<br/>(Gandalf / Hugh)"]
B_PR["PR → main"]
B_CI{"CI Passes?"}
B_QA["QA Review<br/>(Regression Regina)"]
B_QA_PASS{"QA Approved?"}
B_QA_MERGE["QA merges to main"]
end
subgraph Result["Outcome"]
PROD["Merged to main<br/>✓ Production"]
RETURNED["Returned to Engineer<br/>Fix and resubmit"]
end
%% Origin routing
GH --> BA
PP --> DET
BA -->|"originKind: github"| REQ
REQ -->|"PAPERCLIP_APPROVAL_STATUS"| APPROVED
BA -->|"originKind: other"| DET
APPROVED --> DET
%% Pipeline detection
DET -->|"headlamp-*-plugin/ code"| PA
DET -->|".github/, infra/, org/"| PB
%% Pipeline A flow
PA --> A_ENG --> A_PR_DEV --> A_CI_DEV
A_CI_DEV -->|"Pass"| A_DEV
A_CI_DEV -->|"Fail"| RETURNED
A_DEV --> A_PR_UAT --> A_QA --> A_QA_PASS
A_QA_PASS -->|"Approved"| A_QA_MERGE --> A_UAT_DEPLOY
A_QA_PASS -->|"Changes requested"| RETURNED
A_UAT_DEPLOY --> A_PR_MAIN --> A_UAT --> A_UAT_PASS
A_UAT_PASS -->|"Approved"| A_UAT_MERGE --> PROD
A_UAT_PASS -->|"Changes requested"| RETURNED
%% Pipeline B flow
PB --> B_ENG --> B_PR --> B_CI
B_CI -->|"Pass"| B_QA --> B_QA_PASS
B_CI -->|"Fail"| RETURNED
B_QA_PASS -->|"Approved"| B_QA_MERGE --> PROD
B_QA_PASS -->|"Changes requested"| RETURNED
RETURNED -->|"Fix and resubmit"| A_PR_DEV
RETURNED -->|"Fix and resubmit"| B_PR
%% Styling
classDef gate fill:#f9e4e4,stroke:#c0392b,color:#000
classDef pass fill:#e4f9e4,stroke:#27ae60,color:#000
classDef agent fill:#e4e9f9,stroke:#2980b9,color:#000
classDef decision fill:#fef9e7,stroke:#f39c12,color:#000
classDef deploy fill:#e8f4f8,stroke:#2c3e50,color:#000
class BA,A_CI_DEV,A_QA_PASS,A_UAT_PASS,B_CI,B_QA_PASS,DET decision
class A_QA,A_UAT,B_QA gate
class PROD pass
class A_ENG,B_ENG agent
class A_DEV,A_UAT_DEPLOY deploy
```
## Branch Promotion Chain
```mermaid
flowchart LR
subgraph Feature["Feature Branch"]
FB["gandalf/feature-name"]
end
subgraph Dev["dev branch"]
DEV["Engineer self-merges<br/>Deploys to dev env"]
end
subgraph UAT["uat branch"]
UATB["QA reviews & merges<br/>Deploys to UAT env"]
end
subgraph Main["main branch"]
MAIN["UAT validates & merges<br/>Deploys to production"]
end
FB -->|"PR + CI"| DEV
DEV -->|"PR + QA review"| UATB
UATB -->|"PR + UAT review"| MAIN
classDef dev fill:#fff3cd,stroke:#856404,color:#000
classDef uat fill:#cce5ff,stroke:#004085,color:#000
classDef prod fill:#d4edda,stroke:#155724,color:#000
class DEV dev
class UATB uat
class MAIN prod
```
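Review bot: if this diagram is retained anywhere rather than simply deleted, fix the Pipeline A ordering: the flow `A_PR_DEV["PR → dev<br/>Engineer self-merges"] --> A_CI_DEV{"CI Passes?"}` shows the self-merge happening before CI runs, whereas the SDLC text elsewhere in this diff says the engineer self-merges after CI passes. The `RETURNED` node also fans out to both `A_PR_DEV` and `B_PR` unconditionally, so a Pipeline B failure appears to re-enter Pipeline A; the "Fix and resubmit" edges should be per-pipeline.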
-69
View File
@@ -1,69 +0,0 @@
---
name: uat
description: >
Functional UAT procedures for Privileged Escalation Headlamp plugins. General
behavior, acceptance criteria, artifact requirements, and reference to
plugin-specific test steps in UAT_PLAYBOOK.md.
---
# UAT Procedures
## Purpose
This skill defines **functional User Acceptance Testing** for all Privileged Escalation Headlamp plugins. UAT validates that plugins work correctly in the deployed environment — by exercising plugin features in a running Headlamp instance, not by reviewing code or CI results.
## UAT Environment
The UAT Headlamp instance runs in the `headlamp-uat` Kubernetes namespace. Navigate to the Headlamp UAT URL using your Playwright browser. The plugin under test must be deployed to UAT before testing begins.
## General Process
For every `uat→main` promotion:
1. Open the Headlamp UAT instance in the browser
2. Confirm the plugin appears in the sidebar or app bar
3. Read the plugin's `UAT_PLAYBOOK.md` for the specific test steps to run
4. Execute the test steps from the playbook, capturing screenshots at each verification
5. Check the browser console for errors throughout
6. Post a structured test report (see Artifacts section)
## Acceptance Criteria
A plugin passes UAT when:
- **Plugin loads** — sidebar entry or app bar action is visible and accessible
- **Features work** — all core features in the playbook execute without errors
- **No console errors** — browser console shows no errors during normal operation
- **Data matches cluster state** — plugin data is consistent with `kubectl` queries against the cluster
A plugin fails UAT when:
- Plugin does not load or renders only an error state
- Any core feature is inaccessible or produces errors
- Console errors are present and not explainable as unrelated noise
- Displayed data contradicts known cluster state
## Artifact Requirements
For each plugin tested, the UAT report must include:
1. **Screenshots** of the plugin running in Headlamp — sidebar entry visible, main view loaded, at least one detail view
2. **Test checklist** — each step from `UAT_PLAYBOOK.md` marked pass/fail
3. **Console errors** — any browser console errors observed (attach screenshot if present)
4. **Environment info** — Headlamp version, plugin version, browser used, namespace context
## Reading UAT_PLAYBOOK.md
Each plugin repository contains a `UAT_PLAYBOOK.md` in its root directory. That file contains the canonical test steps for that specific plugin. Before running UAT, read the relevant playbook to know:
- Which features to exercise
- What the expected results are
- What screenshots to capture at each step
If `UAT_PLAYBOOK.md` does not exist for a plugin, treat that as a gap — report it in the UAT findings and flag it as a documentation issue.
## Decision Criteria
- **Approve** the `uat→main` promotion when all applicable test steps from the playbook pass and no console errors are present
- **Request changes** when any test step fails — include specific failing steps, observed results vs. expected results, and failure screenshots
- **Block** if the plugin fails to load entirely — escalate to CTO as a deployment issue requiring immediate resolution
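Review bot: the "Data matches cluster state" criterion compares plugin output against `kubectl` queries, but the file never states what cluster access the UAT agent has beyond the `headlamp-uat` namespace or which identity it should run `kubectl` as. If this procedure is re-homed, document the read-only access the UAT role needs so the comparison is done from a least-privilege identity, and say where the screenshots and console captures required under "Artifact Requirements" are stored, since they may include cluster data.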
+85
View File
@@ -0,0 +1,85 @@
# Social Media Batch - 2026-03-07
## Strategic Summary
First-ever social batch for Privileged Escalation. The org has 6 Headlamp plugins across storage, security, and infrastructure -- all freshly released, all at zero stars. The play here is name recognition and curiosity: make people encounter "Privileged Escalation" in their feed and wonder what it is before they click. Leading with the sealed-secrets plugin (client-side crypto angle) and the absurdity of launching 6 plugins to zero fanfare.
---
## 1. Ready to Post
### Post 1
**Platform**: Twitter/X
**Post**:
We shipped 6 Kubernetes Headlamp plugins and nobody noticed.
Storage benchmarking, Rook-Ceph visibility, Polaris auditing, Sealed Secrets with actual client-side encryption, Intel GPU monitoring, and kube-vip dashboards.
Zero stars across the board. We are crushing it.
github.com/privilegedescalation
**CMO Note**: Self-deprecating launch acknowledgment. The honesty about zero stars is the hook -- it reads as human, not corporate. Links to the org for curious clicks.
---
### Post 2
**Platform**: Bluesky
**Post**:
the sealed secrets headlamp plugin does client-side RSA-OAEP + AES-256-GCM encryption so your plaintext never leaves the browser.
someone forked it last month. we have our first user. or our first person who accidentally clicked fork. either way, we are celebrating.
**CMO Note**: Technical specificity makes it credible. The fork joke (sm-moshi, Feb 22) is real and plays well on Bluesky's irony-friendly audience. Seeds curiosity about what Headlamp plugins are.
---
### Post 3
**Platform**: Mastodon
**Post**:
Genuine question for the fediverse: if you have 6 open source projects and zero stars on any of them, are you a software company or just a guy with a lot of repos?
Asking for a friend. The friend is github.com/privilegedescalation.
**CMO Note**: Mastodon audience appreciates self-aware humor. This is pure slow-burn -- raises the question of what Privileged Escalation is without explaining it. The link is there for anyone curious enough to click.
---
## 2. Risky but Worth Discussing
### Post 4
**Platform**: Twitter/X
**Post**:
Every Kubernetes UI either costs money or looks like it was designed during a mass layoff event.
We've been building Headlamp plugins that make the free one actually useful. Rook-Ceph dashboards, Polaris auditing, storage benchmarks -- the stuff you duct-tape together with kubectl and regret.
github.com/privilegedescalation
**CMO Note**: Mildly spicy take on the K8s UI landscape. Does not name competitors directly but the implication is clear. Could rub Lens/Rancher people the wrong way. Worth discussing tone.
---
## 3. Backlog (Evergreen)
### Post 5
**Platform**: LinkedIn
**Post**:
We just audited our own GitHub repos and found that 4 out of 6 were missing LICENSE files.
They all had Apache-2.0 badges in the README. The actual license text? Not present. Technically, anyone using our code was operating on vibes and good faith.
Fixed now. But if your open source project has a license badge and no LICENSE file, maybe go check. We'll wait.
**CMO Note**: Honest product personality at work. Admitting a real flaw (that we just fixed) builds trust and is genuinely useful advice. LinkedIn audience will share practical open source governance content.
---
### Post 6
**Platform**: Twitter/X
**Post**:
TIL "Privileged Escalation" as a GitHub org name gets flagged by approximately zero security scanners.
We checked.
**CMO Note**: Pure name recognition play. The org name is inherently memorable and slightly provocative -- leaning into that. Short enough for easy engagement.
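Review bot: Post 2 makes a public cryptographic claim ("client-side RSA-OAEP + AES-256-GCM encryption so your plaintext never leaves the browser") that should be checked against the plugin's actual code path before it is posted; "never leaves the browser" has to hold for every path, including how the plugin obtains the controller's public certificate and anything proxied through the Headlamp backend. The CMO note also names a specific GitHub user as the forker; consider whether that person wants to appear in marketing copy. Post 5 publicly states that four of six repos shipped with an Apache-2.0 badge and no LICENSE file and that it is "Fixed now"; confirm the LICENSE files have actually landed in all six repos before this goes out, since the claim is checkable. Finally, the strategic summary says six plugins while the product-context table deleted in this same diff lists seven (Argo CD included); reconcile before posting.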
@@ -0,0 +1,137 @@
# Social Media Batch - 2026-03-10
## Strategic Summary
Six plugins. Each one exists because we had a specific problem in production with no good visibility. This batch is about "why" before "what" — explaining the actual Kubernetes pain point each plugin addresses, from our own experience. It's educational content that works pre-KubeCon: people don't need to know what Headlamp is to understand "oh, that problem sounds familiar." Also serves as support content for the KubeCon campaign dropping next week.
---
## 1. Ready to Post
### Post 1: Rook-Ceph Problem
**Platform**: Twitter/X
**Post**:
You deploy Ceph because it's the right choice for distributed storage. Then you're staring at `ceph status` in a terminal wondering which pool is actually filling up, what the OSD rebalance is doing, and why your capacity projections are off by 40%.
We built headlamp-rook-plugin to see inside Ceph from a dashboard instead of grep-ing logs.
github.com/privilegedescalation
**CMO Note**: Opens with a relatable pain point (Ceph deployment without visibility), then delivers the specific solution (dashboards instead of CLI). No "exciting to announce" language. The problem-first framing resonates with people already running Ceph.
---
### Post 2: Sealed Secrets Problem
**Platform**: Bluesky
**Post**:
Your team has a pattern:
1. Someone generates a secret
2. They echo it in Slack "here's the password"
3. It's in the channel history forever
4. Someone rotates it, forgets to tell the database
5. 2am incident
We built headlamp-sealed-secrets-plugin so the secret never leaves the browser and stays encrypted in your cluster. The plaintext never transits anywhere someone can screenshot it.
**CMO Note**: Captures the actual workflow failure that sealed-secrets solves. The numbering of the failure pattern is specific and darkly funny. Bluesky audience appreciates the "this is how we actually mess up" honesty.
---
### Post 3: Polaris Problem
**Platform**: Mastodon
**Post**:
Kubernetes best practices are things you know about the week after you've already deployed your application with none of them.
Polaris audits your workloads against security and reliability policies. It shows you what you're doing wrong before it becomes a 3am outage.
We built the headlamp-polaris-plugin so you can actually see the audit results in your dashboard instead of waiting for the automated security scan email you never read.
**CMO Note**: Self-aware about human nature (learning best practices after deployment fails). Polaris is the solution. Mastodon audience gets the candor. Not preachy, just practical.
---
### Post 4: Intel GPU Problem
**Platform**: Twitter/X
**Post**:
You provisioned Intel GPUs in your K8s cluster for ML workloads. Cool.
Now: which node has available GPU? How hot are they running? Is the scheduler actually placing workloads on GPU nodes or just on CPU? Is anything actually using them?
We built headlamp-intel-gpu-plugin to answer those questions from a dashboard instead of kernel logs.
github.com/privilegedescalation
**CMO Note**: Chains questions that GPU cluster operators actually have. Each question hints at a real visibility gap. The solution (dashboard instead of logs) is matter-of-fact. Specific pain point without corporate language.
---
### Post 5: TrueNAS CSI Problem
**Platform**: Bluesky
**Post**:
Your storage driver is configured. Your benchmark says it can do 10k IOPS.
But what's actually happening in production? You're scheduling workloads, moving data around, and your I/O profile looks nothing like the benchmark.
We built headlamp-tns-csi-plugin so you can see kbench storage metrics live in your cluster dashboard. No "apply a manifest and wait for email," just see what your storage is actually doing.
**CMO Note**: Contrasts lab conditions (benchmark) with production reality (actual I/O profile). Storage visibility without waiting. Appeal to operators frustrated with "set it and hope" storage management.
---
### Post 6: kube-vip Problem
**Platform**: Twitter/X
**Post**:
You've got a load balancer. You've got virtual IPs floating around your cluster. And someone's asking "which service is that IP mapped to?"
Now what? Grep the config? Check the VirtualIP manifest? It's 2025 and you're hunting through YAML.
We built headlamp-kube-vip-plugin so virtual IPs and load balancer status show up in your dashboard where you can actually see them.
github.com/privilegedescalation
**CMO Note**: Specific frustration: answering "which service" requires config hunting. The solution is dashboard visibility. Dry tone emphasizing the absurdity of 2025-era manual lookups.
---
## 2. Risky but Worth Discussing
### Post 7: Meta Comment (Optional)
**Platform**: Twitter/X
**Post**:
Six Kubernetes plugins, and the common thread isn't "advanced observability" or "enterprise features."
It's: we had a problem. The CLI wasn't good enough. The logs were hard to parse. So we built a dashboard for it.
Sometimes the answer to "why do we exist" is "we got frustrated with grep."
**CMO Note**: Self-aware meta-commentary on why all six plugins exist. The "we got frustrated with grep" line is the voice we're known for. Could feel slightly salty to some, but earns credibility with operators who've been there. Optional amplification of the whole batch theme.
---
## 3. Backlog (Evergreen)
None for this batch — these posts work best as a thematic set posted over 3-5 days while driving toward KubeCon, then are less relevant after.
---
## Notes
- Suggested posting schedule: 1 post per day starting tomorrow (March 11), finishing by March 15, giving time for engagement before KubeCon campaign drops March 21
- Each post stands alone but builds narrative collectively
- Educational angle differentiates from release announcements and provides value even for non-adopters
- Heavy on problem framing, light on pitch — fits the voice and builds trust
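Review bot: Post 6 reads "It's 2025 and you're hunting through YAML", but the batch is dated 2026-03-10 and the Notes schedule it for March 11 to 15; fix the year before it goes out. Post 2 repeats the "secret never leaves the browser and stays encrypted in your cluster" claim from the earlier batch, so the same verification against the plugin's code path applies. Post 5 describes `headlamp-tns-csi-plugin` as showing kbench storage metrics live, while the portfolio table deleted elsewhere in this diff describes it as TrueNAS SCALE CSI driver monitoring; confirm which matches what the plugin actually does so the post is not promising a feature it does not have.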