prod deployment

2026-04-01 18:34:08 -04:00
parent ca44e68f64
commit eab581f8cb
62 changed files with 1922 additions and 286 deletions
--- a/deploy/k8s/base/admission-policy.yaml
+++ b/deploy/k8s/base/admission-policy.yaml
@@ -1,4 +1,4 @@
-# ValidatingAdmissionPolicy to restrict images in dexorder-sandboxes namespace
+# ValidatingAdmissionPolicy to restrict images in sandbox namespace
 # Requires Kubernetes 1.30+ (or 1.28+ with feature gate)
 # This is the critical security control that prevents arbitrary image execution
 # even if the gateway is compromised.
@@ -26,7 +26,9 @@ spec:
          c.image.startsWith('ghcr.io/dexorder/sandbox-') ||
          c.image.startsWith('ghcr.io/dexorder/lifecycle-sidecar:') ||
          c.image.startsWith('dexorder/ai-sandbox:') ||
-          c.image.startsWith('dexorder/ai-lifecycle-sidecar:'))
+          c.image.startsWith('dexorder/ai-lifecycle-sidecar:') ||
+          c.image.startsWith('git.dxod.org/dexorder/dexorder/ai-sandbox:') ||
+          c.image.startsWith('git.dxod.org/dexorder/dexorder/ai-lifecycle-sidecar:'))
      message: "Only approved dexorder sandbox images are allowed in the sandboxes namespace"
      reason: Forbidden