[10:22:12] Hello fellow k8s cluster maintainers! As promised, I left gifts for you all in https://phabricator.wikimedia.org/T369491 https://phabricator.wikimedia.org/T369492 https://phabricator.wikimedia.org/T369493
[10:23:32] feel free to route clarifying questions to me, ask for help etc. In theory all helm charts should have already been updated to adhere to the new standards, but there might be things we missed
[10:30:02] ack!
[12:57:02] Nice!
[13:32:36] jayme: as far as I can tell making the edits mentioned in wikitech to the three ml-specific dirs (calico, knative-serving and kserve) do not yield a difference when using e.g. helmfile -e ml-staging-codfw diff --context=2 (same for ml-serve-codfw). I'm not sure I am reading the tech article right, but this is not a huge surprise, and assuming the Logstash dashboard does not show any
[13:32:38] violations for ml-* we could proceed with the last step (editing hiera)
[13:34:37] klausman: I'm not sure what you mean by "ml-specific dirs calico, knative-serving and kserve)"
[13:35:41] or differently put: I'm not sure which edits you mean
[13:38:42] Addint the PodSecurityStandard sections to the values.yaml files in calico/ knative-serving/ and kserve/ under admin_ng/
[13:38:46] Adding*
[13:39:20] Oh, I missed a bit
[13:39:35] (specifically admin_ng/values/
[13:39:37] )
[13:40:43] Doing the edit in the right place actually yields a credible diff
[13:56:15] klausman: one thing to check - we have added the securityContext config to all the charts, except knative/kserve IIUC.. We should figure out if we need to add it before proceeding with the PSS migration
[13:56:49] Good point
[13:56:54] more info in https://phabricator.wikimedia.org/T273507
[14:00:49] While the charts in knative-serving have most of the secpolicy mentioned in that ticket, they miss the seccompprofile stanza
[14:03:01] charts/kserve-inference/values.yaml has it, though
[14:03:24] (I am aware kserve!=kserve-inference)
[14:05:38] Yeah, the PodSecurityStandard will probably do nothing when added to particular charts...it's a thing in admin_ng's helmfile_namespaces.yaml really
[14:07:27] Also am I ever glad vim has foldmethod=indent