
fix: add pod-security enforce labels to namespaces for A2A/SPIFFE support#104

Draft
usize wants to merge 1 commit into sallyom:main from usize:fix/pod-security-enforce-label

Conversation


@usize usize commented Apr 6, 2026

Summary

  • Adds pod-security.kubernetes.io/enforce: privileged labels to namespaces created for A2A/SPIFFE support in k8s-a2a.ts and the OpenShift deployer
  • Without these labels, pods requiring elevated privileges (e.g. SPIRE agents) are rejected by the Pod Security Admission controller
  • Adds test coverage verifying the labels are present in rendered namespace manifests

Fixes #94

Test plan

  • npm run build passes
  • npm test passes (282/282, including 2 new tests)

Generated with agent.sh

…port (sallyom#94)

When Kagenti A2A is enabled with SPIFFE CSI volumes, pods are rejected
because the namespace lacks the pod-security.kubernetes.io/enforce=privileged
label. Add enforce and enforce-version labels to the A2A namespace patch
(used by the K8s deployer) and to the OpenShift deployer's inline namespace
creation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
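The PR description says the namespace needs pod-security.kubernetes.io/enforce set, and the linked issue says the deployer previously set only audit and warn. The following is an added example, not code from this PR or from the k8s-a2a.ts / OpenShift deployer (neither is shown on this page). It models the Namespace manifest the deployer would render and a check that the PSA labels will actually admit the workload. The label keys are the real Pod Security Admission keys; the functions renderNamespace and checkPsaLabels, the namespace name "a2a-spiffe" and the "latest" version pin are assumptions made for the example.

```typescript
// Added example, not the project's code. Models a Namespace manifest with
// Pod Security Admission (PSA) labels and checks whether pods needing a given
// privilege level would be admitted. Label keys are the real PSA keys; the
// namespace name and the "latest" version pin are assumptions.

type Labels = Record<string, string>;

interface NamespaceManifest {
  apiVersion: "v1";
  kind: "Namespace";
  metadata: { name: string; labels?: Labels };
}

type PsaLevel = "privileged" | "baseline" | "restricted";

// Ordered from least to most restrictive, per the Pod Security Standards.
const STRICTNESS: Record<PsaLevel, number> = { privileged: 0, baseline: 1, restricted: 2 };
const PSA = "pod-security.kubernetes.io";

function isPsaLevel(v: string): v is PsaLevel {
  return Object.prototype.hasOwnProperty.call(STRICTNESS, v);
}

// Render a Namespace with audit/warn labels and, optionally, the enforce
// labels. `enforce: false` reproduces the state the linked issue describes:
// audit and warn only log or warn; enforce is the one mode that rejects pods.
function renderNamespace(
  name: string,
  level: PsaLevel,
  opts: { enforce: boolean; version?: string } = { enforce: true },
): NamespaceManifest {
  const version = opts.version ?? "latest"; // assumed pin; "latest" follows the cluster's PSA version
  const labels: Labels = {
    [`${PSA}/audit`]: level,
    [`${PSA}/audit-version`]: version,
    [`${PSA}/warn`]: level,
    [`${PSA}/warn-version`]: version,
  };
  if (opts.enforce) {
    labels[`${PSA}/enforce`] = level;
    labels[`${PSA}/enforce-version`] = version;
  }
  return { apiVersion: "v1", kind: "Namespace", metadata: { name, labels } };
}

interface PsaCheck {
  ok: boolean;
  problems: string[];
}

// Check whether pods that need `required` privileges would be admitted into
// the namespace. With no enforce label the cluster-wide default applies,
// which the manifest alone cannot see; an enforce level stricter than the
// workload needs rejects its pods at admission time.
function checkPsaLabels(ns: NamespaceManifest, required: PsaLevel): PsaCheck {
  const labels = ns.metadata.labels ?? {};
  const problems: string[] = [];
  const enforce = labels[`${PSA}/enforce`];

  if (enforce === undefined) {
    problems.push(`${PSA}/enforce is missing; audit/warn labels alone do not gate admission`);
  } else if (!isPsaLevel(enforce)) {
    problems.push(`${PSA}/enforce has unknown level "${enforce}"`);
  } else if (STRICTNESS[enforce] > STRICTNESS[required]) {
    problems.push(`${PSA}/enforce=${enforce} is stricter than the ${required} level the workload needs`);
  }
  if (enforce !== undefined && labels[`${PSA}/enforce-version`] === undefined) {
    problems.push(`${PSA}/enforce-version is missing; the policy version will float with cluster upgrades`);
  }
  return { ok: problems.length === 0, problems };
}

// Usage: the namespace as the issue describes it (audit/warn only) fails the
// check; the namespace as this PR renders it (enforce + enforce-version) passes.
const beforeFix = renderNamespace("a2a-spiffe", "privileged", { enforce: false });
const afterFix = renderNamespace("a2a-spiffe", "privileged");
console.log(checkPsaLabels(beforeFix, "privileged"));
console.log(checkPsaLabels(afterFix, "privileged"));
```

Note that enforce: privileged switches off every PSA restriction for pods in that namespace, so the label belongs only on the namespace that hosts the SPIRE agent and CSI-volume workloads, not on namespaces that merely consume A2A; the check above would also flag the opposite mistake, a restricted enforce level left on a namespace whose pods need privileged.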


Development

Successfully merging this pull request may close these issues.

OpenShift deployer sets audit/warn but not enforce for privileged pod security
