dexorder/ai
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

prod deployment

Browse Source
This commit is contained in:
Tim Olson
2026-04-01 18:34:08 -04:00
parent ca44e68f64
commit eab581f8cb
62 changed files with 1922 additions and 286 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
deploy/k8s/base/lifecycle-sidecar-rbac.yaml
View File

@@ -5,15 +5,15 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: sandbox-lifecycle
namespace: dexorder-sandboxes
namespace: sandbox
---
# Role allowing deletion of deployments and PVCs
# This is scoped to the dexorder-sandboxes namespace
# This is scoped to the sandbox namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: sandbox-self-delete
namespace: dexorder-sandboxes
namespace: sandbox
rules:
# Allow getting and deleting deployments
- apiGroups: ["apps"]
@@ -34,11 +34,11 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: sandbox-self-delete
namespace: dexorder-sandboxes
namespace: sandbox
subjects:
- kind: ServiceAccount
name: sandbox-lifecycle
namespace: dexorder-sandboxes
namespace: sandbox
roleRef:
kind: Role
name: sandbox-self-delete
@@ -49,5 +49,5 @@ roleRef:
# Requires a validating webhook server (can be added later)
# For now, we rely on:
# 1. Sidecar only knowing its own deployment name (from env)
# 2. RBAC limiting to dexorder-sandboxes namespace
# 2. RBAC limiting to sandbox namespace
# 3. Admission policy restricting deployment creation (already defined)