
Tenant RGD parity gap: skeleton Kustomization's C-0017 hardening patches are not expressible in a Tenant CR #2489

Description

@devantler

🤖 Generated by the Daily AI Assistant

Part of #1932 — found while implementing Phase A (#2486/#2488); blocks Phase B (the swap), feeds the pilot's parity check (#2487).

Problem

The live ascoachingogvaner skeleton's Flux Kustomization (k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml) carries a spec.patches block hardening the app Deployment to readOnlyRootFilesystem: true with writable emptyDirs (Kubescape C-0017, landed via #2455). The Tenant RGD's Kustomization templates have no patches field and the Tenant schema has no way to express it — so the skeleton→CR swap would silently drop the hardening and regress the C-0017 posture.

Proposed direction (decide one before Phase B)

  1. Move the hardening into the tenant's own artifact (ascoachingogvaner repo deploy/ manifests set the securityContext + volumes directly) — keeps the RGD lean; platform-side patch was chosen originally because the OCI artifact is env-agnostic, but a universal security control arguably belongs in the app spec itself.
  2. Add an optional kustomizationPatches passthrough to the Tenant schema — preserves platform-side control; grows the RGD API surface (KRO schema supports string/structural passthrough awkwardly — needs a spike).

Rough size: S–M once decided (either a tenant-repo PR + skeleton cleanup, or an RGD schema increment + pilot re-validation).
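For readers weighing the two directions, the two forms of the same C-0017 control side by side: first the platform-side shape (a Flux Kustomization carrying the hardening in spec.patches, the pattern the skeleton relies on and the one the Tenant schema cannot express), then the artifact-side shape from option 1 (the Deployment in the tenant's own deploy/ manifests setting securityContext and volumes directly). This is an added illustration, not the contents of k8s/bases/apps/ascoachingogvaner/flux-kustomization.yaml or any manifest from the ascoachingogvaner repo; the container name `app`, the OCIRepository source name, the `./deploy` path, the interval and the `/tmp` mount are assumptions.

```yaml
# Form A (platform side): Flux Kustomization with a spec.patches block.
# Added example, not the skeleton's actual file; names and paths are assumed.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ascoachingogvaner
  namespace: flux-system
spec:
  interval: 10m
  path: ./deploy            # assumed path inside the OCI artifact
  prune: true
  sourceRef:
    kind: OCIRepository
    name: ascoachingogvaner # assumed source name
  patches:
    # Strategic-merge patch: the container name below must match the one in
    # the artifact's Deployment, otherwise kustomize appends a second
    # container instead of merging into the existing one.
    - target:
        kind: Deployment
        name: ascoachingogvaner
      patch: |
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: ascoachingogvaner
        spec:
          template:
            spec:
              containers:
                - name: app
                  securityContext:
                    readOnlyRootFilesystem: true
                  volumeMounts:
                    - name: tmp
                      mountPath: /tmp
              volumes:
                - name: tmp
                  emptyDir: {}
---
# Form B (artifact side, option 1): the Deployment in the tenant repo's
# deploy/ manifests carries the same hardening itself, so the Tenant CR
# needs no patches field and the RGD stays lean. Added example; the real
# Deployment's image, ports and probes are not shown here.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ascoachingogvaner
spec:
  selector:
    matchLabels:
      app: ascoachingogvaner
  template:
    metadata:
      labels:
        app: ascoachingogvaner
    spec:
      containers:
        - name: app
          image: ghcr.io/example/ascoachingogvaner:placeholder # placeholder
          securityContext:
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

Whichever direction is chosen, the pilot's parity check (#2487) can be made concrete by rendering both sides and diffing the resulting Deployment: `flux build kustomization <name> --path <dir>` renders what Form A would apply, and `kubectl kustomize <dir>` (or plain `kubectl get deployment -o yaml` on the pilot cluster) shows what Form B produces; the Deployment's `securityContext.readOnlyRootFilesystem` and the emptyDir volumes should be identical in both outputs, and a Kubescape C-0017 scan of the rendered manifests confirms the posture did not regress. Any writable path the app actually needs beyond `/tmp` has to be enumerated as an emptyDir in either form, so moving the control into the artifact (option 1) also moves that list to where the app's maintainers can keep it current.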

Metadata


Assignees

No one assigned

    Labels


    Projects

    Status
    ✅ Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
