container lifecycle management

deploy/k8s/dev/admission-policy-patch.yaml

@@ -0,0 +1,97 @@
+# Dev admission policy: allow local registry images
+# In dev, we also allow images from localhost/minikube registry
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: dexorder-agent-image-policy
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    namespaceSelector:
+      matchLabels:
+        dexorder.io/type: agents
+    resourceRules:
+      - apiGroups: ["apps"]
+        apiVersions: ["v1"]
+        resources: ["deployments"]
+        operations: ["CREATE", "UPDATE"]
+  validations:
+    # Allow local dev images in addition to production registry
+    - expression: |
+        object.spec.template.spec.containers.all(c,
+          c.image.startsWith('ghcr.io/dexorder/agent:') ||
+          c.image.startsWith('ghcr.io/dexorder/agent-') ||
+          c.image.startsWith('localhost:5000/dexorder/agent') ||
+          c.image.startsWith('dexorder/agent'))
+      message: "Only approved dexorder agent images are allowed"
+      reason: Forbidden
+
+    # No privileged containers
+    - expression: |
+        object.spec.template.spec.containers.all(c,
+          !has(c.securityContext) ||
+          !has(c.securityContext.privileged) ||
+          c.securityContext.privileged == false)
+      message: "Privileged containers are not allowed"
+      reason: Forbidden
+
+    # No hostPath volumes
+    - expression: |
+        !has(object.spec.template.spec.volumes) ||
+        object.spec.template.spec.volumes.all(v,
+          !has(v.hostPath))
+      message: "hostPath volumes are not allowed"
+      reason: Forbidden
+
+    # No hostNetwork
+    - expression: |
+        !has(object.spec.template.spec.hostNetwork) ||
+        object.spec.template.spec.hostNetwork == false
+      message: "hostNetwork is not allowed"
+      reason: Forbidden
+
+    # No hostPID
+    - expression: |
+        !has(object.spec.template.spec.hostPID) ||
+        object.spec.template.spec.hostPID == false
+      message: "hostPID is not allowed"
+      reason: Forbidden
+
+    # Containers must run as non-root
+    - expression: |
+        object.spec.template.spec.containers.all(c,
+          has(c.securityContext) &&
+          has(c.securityContext.runAsNonRoot) &&
+          c.securityContext.runAsNonRoot == true)
+      message: "Containers must run as non-root"
+      reason: Forbidden
+
+    # Must drop all capabilities
+    - expression: |
+        object.spec.template.spec.containers.all(c,
+          has(c.securityContext) &&
+          has(c.securityContext.capabilities) &&
+          has(c.securityContext.capabilities.drop) &&
+          c.securityContext.capabilities.drop.exists(cap, cap == 'ALL'))
+      message: "Containers must drop all capabilities"
+      reason: Forbidden
+
+    # Read-only root filesystem
+    - expression: |
+        object.spec.template.spec.containers.all(c,
+          has(c.securityContext) &&
+          has(c.securityContext.readOnlyRootFilesystem) &&
+          c.securityContext.readOnlyRootFilesystem == true)
+      message: "Containers must have read-only root filesystem"
+      reason: Forbidden
+
+    # Resource limits must be set
+    - expression: |
+        object.spec.template.spec.containers.all(c,
+          has(c.resources) &&
+          has(c.resources.limits) &&
+          has(c.resources.limits.memory) &&
+          has(c.resources.limits.cpu))
+      message: "Containers must have resource limits set"
+      reason: Forbidden

deploy/k8s/dev/agent-quotas-patch.yaml

@@ -0,0 +1,19 @@
+# Dev/minikube resource quota overrides
+# Smaller limits appropriate for local development
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: agent-quota
+  namespace: dexorder-agents
+spec:
+  hard:
+    # Reduced for minikube
+    requests.cpu: "4"
+    requests.memory: "8Gi"
+    limits.cpu: "8"
+    limits.memory: "16Gi"
+    pods: "20"
+    persistentvolumeclaims: "20"
+    services: "20"
+    requests.storage: "50Gi"

deploy/k8s/dev/kustomization.yaml

@@ -1,16 +1,20 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-namespace: default
+# Note: namespaces are defined in base; workloads go to dexorder-system
+namespace: dexorder-system
 
-# Base resources
+# Base resources (includes security policies)
 resources:
   - ../base
   - infrastructure.yaml
 
-# No patches needed currently
-patches: []
-  # ingress-dev.yaml - removed until we have services to expose
+# Dev-specific patches
+patches:
+  # Reduced resource quotas for minikube
+  - path: agent-quotas-patch.yaml
+  # Allow local registry images
+  - path: admission-policy-patch.yaml
 
 # ConfigMaps for service configs
 configMapGenerator: