Fix privileged pod security label removal in tailscale-examples namespace

rajsinghtech · claude · rajsinghtech · commit 46aec4dd4d3d · 2025-10-23T12:12:28.000-05:00
The tailscale-examples namespace's pod-security.kubernetes.io/enforce: privileged label was being removed shortly after Flux applied it. This was caused by the sandbox kustomization files having explicit 'namespace:' fields, which triggered kustomize to auto-generate a namespace resource. When Flux applied this with commonMetadata labels, it overwrote the namespace labels without the privileged setting. Fix: Remove 'namespace:' field from all sandbox kustomization.yaml files. The Flux Kustomization already sets targetNamespace: tailscale-examples, which will apply the correct namespace to all resources without auto-generating a namespace. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/clusters/common/apps/tailscale-examples/sandbox/ds/kustomization.yaml b/clusters/common/apps/tailscale-examples/sandbox/ds/kustomization.yaml
@@ -1,6 +1,5 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: tailscale-examples
 resources:
   - ./daemonset.yaml
diff --git a/clusters/common/apps/tailscale-examples/sandbox/golink/kustomization.yaml b/clusters/common/apps/tailscale-examples/sandbox/golink/kustomization.yaml
@@ -1,7 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: tailscale-examples
 resources:
   - ./deployment.yaml
   - ./service.yaml
diff --git a/clusters/common/apps/tailscale-examples/sandbox/kustomization.yaml b/clusters/common/apps/tailscale-examples/sandbox/kustomization.yaml
@@ -1,7 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: tailscale-examples
 resources:
   # - ./derper
   # - ./hello
diff --git a/clusters/common/apps/tailscale-examples/sandbox/proxyt/kustomization.yaml b/clusters/common/apps/tailscale-examples/sandbox/proxyt/kustomization.yaml
@@ -1,7 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: tailscale-examples
 resources:
   - ./deployment.yaml
   - ./service.yaml
diff --git a/clusters/common/apps/tailscale-examples/sandbox/sidecar/kustomization.yaml b/clusters/common/apps/tailscale-examples/sandbox/sidecar/kustomization.yaml
@@ -1,7 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: tailscale-examples
 resources:
   - ./ts-sidecar.yaml
   - ./ts-sidecar-userspace.yaml
diff --git a/clusters/common/apps/tailscale-examples/sandbox/tsdnsproxy/kustomization.yaml b/clusters/common/apps/tailscale-examples/sandbox/tsdnsproxy/kustomization.yaml
@@ -1,6 +1,5 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: tailscale-examples
 resources:
   - ./deployment.yaml
diff --git a/clusters/common/apps/tailscale-examples/sandbox/tsflow/kustomization.yaml b/clusters/common/apps/tailscale-examples/sandbox/tsflow/kustomization.yaml
@@ -1,7 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: tailscale
 resources:
   - deployment.yaml
   - service.yaml
diff --git a/clusters/common/apps/tailscale-examples/sandbox/tsidp/kustomization.yaml b/clusters/common/apps/tailscale-examples/sandbox/tsidp/kustomization.yaml
@@ -1,7 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: tailscale
 resources:
   - manifest.yaml
   - egress.yaml
