@pleri/olam-cli 0.1.160 → 0.1.162
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -0
- package/dist/agent-stream/agent-sdk-to-chunks.js +20 -2
- package/dist/commands/bootstrap.d.ts +15 -0
- package/dist/commands/bootstrap.d.ts.map +1 -1
- package/dist/commands/bootstrap.js +58 -5
- package/dist/commands/bootstrap.js.map +1 -1
- package/dist/commands/flywheel/migrate-overlays.d.ts +1 -0
- package/dist/commands/flywheel/migrate-overlays.d.ts.map +1 -1
- package/dist/commands/flywheel/migrate-overlays.js +29 -3
- package/dist/commands/flywheel/migrate-overlays.js.map +1 -1
- package/dist/commands/skills-source.d.ts.map +1 -1
- package/dist/commands/skills-source.js +57 -2
- package/dist/commands/skills-source.js.map +1 -1
- package/dist/commands/skills.d.ts.map +1 -1
- package/dist/commands/skills.js +14 -0
- package/dist/commands/skills.js.map +1 -1
- package/dist/image-digests.json +7 -7
- package/dist/index.js +2424 -1781
- package/dist/lib/bootstrap-kubernetes.d.ts +42 -0
- package/dist/lib/bootstrap-kubernetes.d.ts.map +1 -0
- package/dist/lib/bootstrap-kubernetes.js +367 -0
- package/dist/lib/bootstrap-kubernetes.js.map +1 -0
- package/dist/lib/config.d.ts.map +1 -1
- package/dist/lib/config.js +6 -1
- package/dist/lib/config.js.map +1 -1
- package/dist/mcp-server.js +568 -368
- package/hermes-bundle/version.json +1 -1
- package/host-cp/k8s/manifests/50-deployment.yaml +1 -1
- package/host-cp/k8s/manifests/auth-service/50-deployment.yaml +1 -1
- package/host-cp/k8s/manifests/kg-service/50-deployment.yaml +1 -1
- package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml +1 -1
- package/host-cp/k8s/manifests/memory-service/50-deployment.yaml +1 -1
- package/host-cp/observability/grafana-port-forward.sh +283 -0
- package/host-cp/observability/kyverno-cardinality-mutate.sh +462 -0
- package/host-cp/observability/loki-ingest.sh +253 -0
- package/host-cp/observability/prom-no-double-grafana.sh +311 -0
- package/host-cp/peripheral-services/helm-values/grafana-values.yaml +159 -0
- package/host-cp/peripheral-services/helm-values/kube-prom-stack-values.yaml +229 -0
- package/host-cp/peripheral-services/helm-values/kyverno-values.yaml +85 -0
- package/host-cp/peripheral-services/helm-values/loki-values.yaml +166 -0
- package/host-cp/peripheral-services/helm-values/promtail-staging.yaml +92 -0
- package/host-cp/peripheral-services/helm-values/promtail-values.yaml +102 -0
- package/host-cp/peripheral-services/helm-values/traefik-values.yaml +73 -0
- package/host-cp/peripheral-services/manifests/20-namespace.yaml +6 -0
- package/host-cp/peripheral-services/manifests/24-deploy-kg-service.yaml +245 -0
- package/host-cp/peripheral-services/manifests/30-traefik-ingressroute-host-cp.yaml +22 -0
- package/host-cp/peripheral-services/manifests/40-traefik-ingressroute-kg.yaml +29 -0
- package/host-cp/peripheral-services/manifests/50-traefik-ingressroute-agent-memory.yaml +29 -0
- package/host-cp/peripheral-services/manifests/60-networkpolicy-ingress.yaml +80 -0
- package/host-cp/peripheral-services/manifests/65-networkpolicy-loki-prom-deny.yaml +67 -0
- package/host-cp/peripheral-services/manifests/80-grafana-dashboard-configmap.yaml +1349 -0
- package/host-cp/peripheral-services/manifests/90-prom-alert-cardinality.yaml +50 -0
- package/host-cp/peripheral-services/manifests/91-servicemonitor-host-cp.yaml +70 -0
- package/host-cp/peripheral-services/manifests/92-servicemonitor-kg-service.yaml +70 -0
- package/host-cp/peripheral-services/manifests/93-servicemonitor-memory-service.yaml +87 -0
- package/host-cp/peripheral-services/manifests/95-prom-recording-rules.yaml +108 -0
- package/host-cp/peripheral-services/manifests/96-kyverno-cardinality-mutate.yaml +195 -0
- package/host-cp/src/plan-chat-service.mjs +147 -1
- package/package.json +1 -1
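--- /dev/null
+++ b/package/host-cp/peripheral-services/manifests/65-networkpolicy-loki-prom-deny.yaml
@@ -0,0 +1,67 @@
+# NetworkPolicy — monitoring namespace default-deny + same-namespace allow
+# (Phase A Task A9; companion to 60-networkpolicy-ingress.yaml)
+#
+# Loki + Prometheus + Grafana accept inbound ONLY from pods in the same
+# `monitoring` namespace (intra-stack: Promtail → Loki, Grafana → Loki + Prom,
+# kube-prometheus-stack scrape targets within the stack). Cross-namespace
+# traffic — including from `olam` (host-cp, kg-service, agent-memory) and
+# kube-system (Traefik) — is denied.
+#
+# Operator access pattern is `kubectl port-forward -n monitoring svc/grafana
+# 3000` (Decision 16). port-forward uses the kube-apiserver's exec channel,
+# NOT pod-to-pod networking, so it bypasses NetworkPolicy by design.
+#
+# Decision 17 forbids any IngressRoute / Ingress that exposes Loki / Prom /
+# Grafana from outside the cluster; audit:no-ingress-route enforces that at
+# commit time, and this NetworkPolicy is the runtime defense-in-depth layer
+# (caught even if the audit is bypassed or a Helm chart renders a route).
+#
+# Forward-declaration note: Loki + Prometheus land in Phase B/C. Until those
+# manifests add pods to the `monitoring` namespace, this policy applies to an
+# empty pod set and is a no-op. Phase B/C must label their pods so this
+# selector keeps matching (kube-prometheus-stack's default labels already
+# satisfy `kubernetes.io/metadata.name: monitoring` via namespace metadata).
+#
+# Enforcement requires NetworkPolicy-capable CNI (see 60-* doc block).
+# Threat mitigated: T7 (Grafana admin secret exfil) + secondary T6 mitigation.
+---
+# Forward-declare the monitoring namespace so the NetworkPolicy below has a
+# valid target. Phase B/C kube-prometheus-stack installs into this namespace
+# and may add labels — its install MUST NOT delete the namespace; Helm uses
+# `--create-namespace=false` once this manifest seeds it.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  labels:
+    kubernetes.io/metadata.name: monitoring
+    app.kubernetes.io/part-of: olam-observability
+    olam.io/phase: a
+    olam.io/task: a9
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: monitoring-default-deny
+  namespace: monitoring
+  labels:
+    app.kubernetes.io/part-of: olam-observability
+    app.kubernetes.io/component: security-fence
+    olam.io/phase: a
+    olam.io/task: a9
+spec:
+  # Selects every pod in the monitoring namespace. Phase B/C pods (loki,
+  # prometheus, grafana, promtail, alertmanager — whatever the chart renders)
+  # all match this empty selector automatically.
+  podSelector: {}
+  policyTypes:
+    - Ingress
+  ingress:
+    # Allow inbound only from same-namespace pods. Cross-namespace traffic
+    # (olam services, kube-system Traefik, default ns) is denied — see header
+    # for why this is the correct posture (operator uses kubectl port-forward,
+    # which bypasses NetworkPolicy via the kube-apiserver exec channel).
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring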
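Review bot: The single `from` entry at the end of the hunk admits only pods in the `monitoring` namespace, so the kube-apiserver — which is not a pod any namespaceSelector can match — can no longer reach an admission webhook served from this namespace; kube-prometheus-stack ships the prometheus-operator admission webhook for PrometheusRule objects (failurePolicy `Fail` by default, as I recall), which would make the PrometheusRule manifests added in this same release (`90-prom-alert-cardinality.yaml`, `95-prom-recording-rules.yaml`) fail admission unless that webhook is disabled in `kube-prom-stack-values.yaml`, which is not visible here. If the webhook stays enabled, either disable it deliberately in the chart values or add a second peer for the apiserver's source addresses on the operator pod only, e.g. `- ipBlock: {cidr: <control-plane CIDR>}`, since it cannot be expressed with a namespaceSelector and the right CIDR depends on the platform. Separately, `policyTypes` lists only `Ingress`, so the header's "default-deny" is ingress-only: a compromised monitoring pod keeps unrestricted egress, which is the direction T7 (secret exfiltration) actually uses — if an egress fence is out of scope for Phase A, the header comment should say so rather than call this a default-deny. The assertion on the port-forward lines that it "bypasses NetworkPolicy by design" is CNI-dependent (the kubelet injects the stream from the node's network namespace, and CNIs with host-endpoint or host-firewall policy can police node-to-pod traffic), so I would soften it to `# port-forward is node-originated, not pod-to-pod; most CNIs exempt it — verify on the target CNI`.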