[09:04:36] klausman: elukey: there is a big external-services and PSA related diff for admin_ng on ml prod clusters. As the diff deletes what I think are early versions of external-services cassandra entries, please double check
[09:04:57] Will do
[09:05:54] I ran deploy for https://phabricator.wikimedia.org/T287491 - the certmanager networkpolicy changes that you'll see are safe to deploy
[09:05:56] thanks
[09:09:01] The cass/ext service changes look fine to me as well. I think I didn't push them after the patch merge because Luca was in the process of switching our services to use k8s api-ro instead of the old non-k8s endpoints, and I wanted to avoid noise/possible side effects
[09:09:42] Will push them later today (I want to give Luca a heads-up/chance to object).
[09:09:46] ack
[09:10:12] no rush for the certmanager stuff, I just wanted to avoid unrelated diffs and got some myself :)
[09:10:22] Ack.
[09:10:39] I generally prefer not to have lingering changes hang around
[09:25:46] I also see (on all namespaces) the addition of `metadata.labels.pod-security.kubernetes.io/audit: restricted`. I presume this is in the context/as a consequence of T273507
[09:35:34] I'm also going to perform an admin_ng deploy due to a small external-services change related to some analytics mariadb IPs
[09:41:38] klausman: I'll let you redeploy the ml servers? The rest is done
[09:41:46] yeah, will do
[09:51:20] thanks
[09:51:33] FYI we will be migrating Toolforge kubernetes to use Kyverno as a replacement for the PSP deprecation. We also considered OPA Gatekeeper, but finally will be using Kyverno. cc jayme
[09:52:21] did you document the rationale for Kyverno somewhere? Just out of curiosity
[09:52:54] klausman: yeah, that's right (re: namespace labels)
[09:53:00] klausman: see https://phabricator.wikimedia.org/T362233
[09:53:07] arturo: thanks! I'm following your tasks :)
[09:53:46] merci!
[12:45:27] klausman: not sure if you've already done the admin_ng deploy but +1 from me
[12:45:36] Ok, will do it then
[12:45:50] Just wanted to make sure I'm not stomping on any changes you have
[12:46:20] I'll push in codfw first, and if everything is not-explodey, will do eqiad tomorrow morning.
[12:54:54] nono all done on my side