# Cluster Operations

Practical knowledge for operating inside the GroomBook Kubernetes cluster as the CTO agent.

## kubectl / API Access

- The kubeconfig at `/paperclip/.kube/config` has a stale token for user `flea-flicker` — **do not use it**.
- Instead, use the **in-cluster service account token** directly via `curl`. The token file is a projected token that the kubelet refreshes, so read it per call rather than caching it in a variable for a long session:

  ```bash
  # Projected SA token (rotated by the kubelet) and the cluster CA used to verify the apiserver.
  TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
  CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
  curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" "https://kubernetes.default.svc/..."
  ```

## RBAC

- **Read/write**: `groombook-dev`, `groombook-uat` namespaces (app resources, secrets, jobs, etc.)
- **Read-only**: cluster-wide (including `groombook`, `flux-system`, `kube-system` namespaces)
- **Cannot write**: Flux CRDs (Kustomization, GitRepository) in the `groombook` namespace — so reconciliation cannot be forced by patching the `reconcile.fluxcd.io/requestedAt` annotation (which is what `flux reconcile` does).

## Flux UAT Reconciliation

- Kustomization `groombook-uat` is in namespace `groombook`, watches GitRepository `groombook` (also in `groombook` namespace).
- Reconciliation interval: **1h**, no `retryInterval` set, so a failed run is retried only at the next interval. Combined with the RBAC restriction above, expect to wait up to an hour after fixing a problem.
- Source: `groombook/infra` repo, branch `main`.
- To unblock stuck reconciliation: delete stale completed Jobs that cause immutable-field dry-run failures. kustomize-controller dry-runs every object with server-side apply before applying; a Job whose pod template changed in git fails that dry run because `spec.template` is immutable, and the whole Kustomization stays `Ready=False`. Deleting the finished Job (allowed, since it lives in `groombook-uat`) lets the next run create it fresh. Confirm the Job really is complete before deleting it. The lasting fix is the `kustomize.toolkit.fluxcd.io/force` annotation on the Job in `groombook/infra`, which makes Flux recreate it instead of failing.

## kubeseal

- Sealed Secrets controller: `sealed-secrets-controller` in `kube-system`.
- Fetch public cert via API proxy (`:http` is the Service port name):

  ```bash
  curl -s --cacert "$CA" -H "Authorization: Bearer $TOKEN" \
    "https://kubernetes.default.svc/api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem" > /tmp/kubeseal-cert.pem
  ```

- Then seal. Set `NS` (and `NAME`) first; with `--scope namespace-wide` only the namespace is bound into the ciphertext, so the value unseals under any secret name in that namespace and nowhere else:

  ```bash
  # NS: target namespace. NAME only matters for the default strict scope.
  echo -n "plaintext" | kubeseal --raw --scope namespace-wide --namespace "$NS" --name "$NAME" --cert /tmp/kubeseal-cert.pem
  ```

- The SealedSecret that carries the ciphertext must have the annotation `sealedsecrets.bitnami.com/namespace-wide: "true"`; without it the controller assumes strict scope and fails to unseal.
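## Worked example: API helper and RBAC preflight

The following script is an added example, not part of the original notes: it wraps the in-cluster `curl` call from the API Access section in a function that re-reads the projected token on every request, and turns the RBAC table into `SelfSubjectAccessReview` checks so a forbidden write fails before a procedure starts. Function names (`kapi`, `can_i`), the `RUN_LIVE` guard and the sample denial response are assumptions.

```sh
#!/bin/sh
# Added example (not from the runbook): authenticated apiserver calls plus an
# RBAC preflight via SelfSubjectAccessReview. Names and samples are assumptions.
set -eu

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
API=https://kubernetes.default.svc

# kapi METHOD PATH [extra curl args]: authenticated call to the apiserver.
# The token is read on every call because the kubelet rotates the projected
# token; caching it in a variable for hours risks a 401 mid-procedure.
kapi() {
  method=$1; path=$2; shift 2
  curl -sS --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    -X "$method" "$API$path" "$@"
}

# ssar_body VERB RESOURCE NAMESPACE [API_GROUP]: JSON for a
# SelfSubjectAccessReview. Any authenticated principal may create one for
# itself, so this works under the read-only cluster-wide binding.
ssar_body() {
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"verb":"%s","resource":"%s","namespace":"%s","group":"%s"}}}' \
    "$1" "$2" "$3" "${4:-}"
}

# ssar_allowed RESPONSE_JSON: prints yes or no from status.allowed.
# The echoed spec never contains "allowed", so a substring match is safe
# without jq.
ssar_allowed() {
  if printf '%s' "$1" | grep -Eq '"allowed"[[:space:]]*:[[:space:]]*true'; then
    echo yes
  else
    echo no
  fi
}

# can_i VERB RESOURCE NAMESPACE [API_GROUP]: exit 0 if RBAC allows it.
can_i() {
  resp=$(kapi POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews \
           -H 'Content-Type: application/json' --data "$(ssar_body "$@")")
  [ "$(ssar_allowed "$resp")" = yes ]
}

# Constructed sample of a denial in the shape the apiserver returns, so the
# parsing can be exercised without cluster access.
SAMPLE_DENIED='{"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","spec":{"resourceAttributes":{"namespace":"groombook","verb":"patch","group":"kustomize.toolkit.fluxcd.io","resource":"kustomizations"}},"status":{"allowed":false,"reason":"no RBAC policy matched"}}'

# Live preflight for the procedures in this runbook (RUN_LIVE=1 inside the pod).
if [ "${RUN_LIVE:-0}" = 1 ]; then
  if can_i delete jobs groombook-uat batch; then
    echo "ok: may delete Jobs in groombook-uat"
  else
    echo "RBAC drift: cannot delete Jobs in groombook-uat"
  fi
  if can_i patch kustomizations groombook kustomize.toolkit.fluxcd.io; then
    echo "unexpected: Flux Kustomization is writable"
  else
    echo "as documented: cannot annotate the Flux Kustomization"
  fi
fi
```

Run it with `RUN_LIVE=1` from inside the pod; without that variable it only defines the helpers, which is what lets the parsing be checked offline against the constructed sample.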
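## Worked example: unblocking the UAT Kustomization

This script is an added example for the Flux UAT Reconciliation section, not the runbook's own code. It reads the `groombook-uat` Kustomization status, extracts the Job named in a `dry-run failed` message, refuses to act if the Job is outside `groombook-uat` or still running, and deletes it with cascading so its pods go too (a bare API `DELETE` on a Job orphans them, unlike `kubectl delete`). The function names, the `RUN_LIVE` guard and the sample payloads (a constructed Job `db-migrate`) are assumptions.

```sh
#!/bin/sh
# Added example (not from the runbook): find and delete the finished Job that
# is failing Flux's immutable-field dry run. Names and samples are assumptions.
set -eu

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
API=https://kubernetes.default.svc
KS_PATH=/apis/kustomize.toolkit.fluxcd.io/v1/namespaces/groombook/kustomizations/groombook-uat

# kapi METHOD PATH [extra curl args]; the projected token is re-read per call.
kapi() {
  method=$1; path=$2; shift 2
  curl -sS --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    -X "$method" "$API$path" "$@"
}

# stale_job_in TEXT: prints "NAMESPACE NAME" for the first
# "Job/<ns>/<name> dry-run failed" reference in TEXT (a condition message or
# the whole Kustomization JSON), nothing if there is none. A letter right
# before "Job/" (as in CronJob/) means it is not a Job.
stale_job_in() {
  printf '%s\n' "$1" | awk '{
    n = split($0, w, " ")
    for (i = 1; i < n; i++) {
      p = index(w[i], "Job/")
      if (p == 0 || w[i+1] != "dry-run") continue
      if (p > 1 && substr(w[i], p-1, 1) ~ /[A-Za-z]/) continue
      if (split(substr(w[i], p+4), part, "/") == 2) { print part[1], part[2]; exit }
    }
  }'
}

# job_path NAMESPACE NAME: REST path of a batch/v1 Job.
job_path() { printf '/apis/batch/v1/namespaces/%s/jobs/%s' "$1" "$2"; }

# job_is_finished JOB_JSON: exit 0 when the Job carries a Complete or Failed
# condition. A Job that is still running (e.g. a migration) must not be deleted.
job_is_finished() {
  printf '%s' "$1" | grep -Eq '"type":[[:space:]]*"(Complete|Failed)"'
}

# delete_job NAMESPACE NAME: an API DELETE without propagationPolicy orphans
# the Job's pods (kubectl sets the policy for you); ask for background cascading.
delete_job() {
  kapi DELETE "$(job_path "$1" "$2")" -H 'Content-Type: application/json' \
    --data '{"propagationPolicy":"Background"}'
}

unblock_uat() {
  status=$(kapi GET "$KS_PATH")
  set -- $(stale_job_in "$status")
  if [ $# -ne 2 ]; then echo "no Job dry-run failure in groombook-uat status"; return 0; fi
  ns=$1; name=$2
  if [ "$ns" != groombook-uat ]; then echo "refusing: $ns/$name is outside our write scope"; return 1; fi
  if ! job_is_finished "$(kapi GET "$(job_path "$ns" "$name")")"; then
    echo "refusing: $ns/$name is still running"; return 1
  fi
  delete_job "$ns" "$name" >/dev/null
  echo "deleted $ns/$name; Flux recreates it on the next 1h reconciliation"
}

# Constructed samples (not captured from the cluster) to exercise the parsing.
SAMPLE_KS='{"status":{"conditions":[{"type":"Ready","status":"False","reason":"ReconciliationFailed","message":"Job/groombook-uat/db-migrate dry-run failed (Invalid): Job.batch \"db-migrate\" is invalid: spec.template: Invalid value: ...: field is immutable"}]}}'
SAMPLE_JOB_DONE='{"kind":"Job","status":{"conditions":[{"type":"Complete","status":"True"}],"succeeded":1}}'
SAMPLE_JOB_RUNNING='{"kind":"Job","status":{"active":1}}'

if [ "${RUN_LIVE:-0}" = 1 ]; then unblock_uat; fi
```

The namespace check is deliberate: the message format does not guarantee the failing Job is in a namespace we can write to, and the script should refuse rather than attempt a delete that RBAC will reject.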
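## Worked example: sealing a namespace-wide value end to end

This script is an added example for the kubeseal section, not the runbook's or the Sealed Secrets project's code. It fetches the controller certificate through the API proxy, checks that what came back is actually a certificate before sealing against it, seals a value namespace-wide, and wraps the ciphertext in a SealedSecret manifest that carries the annotation the namespace-wide scope requires. The function names, the `RUN_LIVE` guard, the `PLAINTEXT` variable and the sample secret name `db-creds` are assumptions; it uses `--from-file=/dev/stdin`, the form documented for kubeseal's raw mode.

```sh
#!/bin/sh
# Added example (not from the runbook): cert fetch with validation, raw
# namespace-wide sealing, and the SealedSecret wrapper. Names are assumptions.
set -eu

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
API=https://kubernetes.default.svc
CERT=/tmp/kubeseal-cert.pem

# fetch_cert: the proxy hands back whatever the controller (or an error page)
# sends, so validate the file before sealing anything against it.
fetch_cert() {
  curl -sS --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    "$API/api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem" \
    > "$CERT"
  openssl x509 -in "$CERT" -noout -subject -enddate
}

# seal_value NAMESPACE < plaintext: prints the base64 ciphertext. Namespace-wide
# scope binds only the namespace, so the value unseals under any secret name
# in NAMESPACE and nowhere else.
seal_value() {
  kubeseal --raw --from-file=/dev/stdin --scope namespace-wide \
    --namespace "$1" --cert "$CERT"
}

# sealed_secret_manifest NAME NAMESPACE KEY CIPHERTEXT: SealedSecret YAML.
# The namespace-wide annotation is mandatory: without it the controller
# assumes strict scope and unsealing fails.
sealed_secret_manifest() {
  cat <<EOF
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: $1
  namespace: $2
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
spec:
  encryptedData:
    $3: $4
  template:
    metadata:
      name: $1
      namespace: $2
EOF
}

# Live flow: PLAINTEXT is read from the environment so the secret never
# appears on a command line (and therefore in shell history or `ps`).
if [ "${RUN_LIVE:-0}" = 1 ]; then
  fetch_cert
  ct=$(printf '%s' "${PLAINTEXT:?set PLAINTEXT}" | seal_value groombook-uat)
  sealed_secret_manifest db-creds groombook-uat password "$ct"
fi
```

Commit the emitted manifest to `groombook/infra` for Flux to apply, or apply it directly in `groombook-uat` where we have write access; either way the annotation must stay on the object.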