[08:31:42] <brouberol>	 FYI I've started to work on a way to get alerted when un-applied admin_ng changes are pending https://gerrit.wikimedia.org/r/c/operations/puppet/+/1040992
[09:08:58] <jayme>	 btullis: are you planning to work on datahub for T359423, T362978, T346638 anythime "soon"? It will become a blocker at the point where it's the last chart not being updated
[09:09:58] <btullis>	 jayme: Yes. Will do.
[09:10:07] <klausman>	 Do we have a guide some guide somewhere on how to plumb secretes from the private repo throught the deployment server so that they become visible as env vars to a service? I tried following along the path of AWS_SECRET_ACCESS_KEY but it seems very kserve-specific and that chart is not exactly easy to understand.
[09:10:10] <jayme>	 cool! <3
[09:10:43] <jayme>	 klausman: https://wikitech.wikimedia.org/wiki/Kubernetes/Add_a_new_service#Add_private_data/secrets_(optional)
[09:11:01] <klausman>	 oh! how did I not find that.... thanks a ton!
[09:13:37] <brouberol1>	 btullis: If you're busy, i can take these datahub changes off your hands
[09:22:54] <btullis>	 brouberol1: Oh thanks so much, yes that would be great.
[09:36:11] <brouberol1>	 np, on it
[09:37:49] <brouberol1>	 https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/1041036
[10:00:50] <brouberol1>	 jayme: do we need to have the securityContext stanza on every pod, even the ones created by Job and CronJob resources?
[10:01:06] <jayme>	 yes
[10:01:26] <jayme>	 on every container
[10:01:29] <brouberol1>	 ack, thanks
[11:40:07] <brouberol>	 jayme: all datahub releases have been redeployed with the container securityContext block
[11:40:26] <jayme>	 brouberol: ah, great! Thanks a ton
[11:41:11] <brouberol>	 my pleasure. I'll work on similar updates for all our apps: superset and spark-history
[11:41:31] <jayme>	 sweet
[13:49:56] <brouberol>	 every DPE app on dse-k8s-eqiad now run with a restricted security context
[13:52:19] <brouberol>	 ah actually, no, I missed 2.
[14:19:41] <brouberol>	 *this time* we're all done
[14:46:23] <jayme>	 eheh
[14:46:34] <jayme>	 nice!
[14:54:31] <jayme>	 brouberol: you can validate your statement via the audit log https://logstash.wikimedia.org/goto/a1ee78695b87ffdc262d63bbc34879c8
[14:55:35] <jayme>	 create pod actions will trigger an audit log with annotations.pod-security.kubernetes.io/audit-violations annotatioin set, if it would fail validation
[14:55:40] <jayme>	 (if enforced)
[14:57:35] <jayme>	 ofc. stuff will only be logged on new container creations
[15:00:26] <brouberol>	 beautiful. I'll keep an eye on it