fix: move sandbox ResourceQuota/LimitRange to gooseek-sandbox namespace

Kustomize was overriding namespace to gooseek for all resources including ResourceQuota and LimitRange meant for gooseek-sandbox. This caused CPU quota exceeded errors blocking all new pod creation (used 26.3/16 cores). Split sandbox-scoped resources into opensandbox-sandbox-ns.yaml applied directly, and deploy.sh now cleans up misplaced quota from gooseek ns. Made-with: Cursor
2026-03-03 03:14:01 +03:00
parent 52134df4d1
commit 00adac3196
3 changed files with 94 additions and 85 deletions
--- a/backend/deploy/k8s/opensandbox.yaml
+++ b/backend/deploy/k8s/opensandbox.yaml
@@ -4,64 +4,6 @@ metadata:
  name: opensandbox-sa
  namespace: gooseek
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: opensandbox-role
-  namespace: gooseek-sandbox
-rules:
- apiGroups: [""]
-  resources: ["pods", "pods/exec", "pods/log"]
-  verbs: ["create", "get", "list", "watch", "delete"]
- apiGroups: ["batch"]
-  resources: ["jobs"]
-  verbs: ["create", "get", "list", "watch", "delete"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: opensandbox-binding
-  namespace: gooseek-sandbox
-subjects:
- kind: ServiceAccount
-  name: opensandbox-sa
-  namespace: gooseek
-roleRef:
-  kind: Role
-  name: opensandbox-role
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: v1
-kind: ResourceQuota
-metadata:
-  name: sandbox-quota
-  namespace: gooseek-sandbox
-spec:
-  hard:
-    requests.cpu: "8"
-    requests.memory: "16Gi"
-    limits.cpu: "16"
-    limits.memory: "32Gi"
-    pods: "50"
---
-apiVersion: v1
-kind: LimitRange
-metadata:
-  name: sandbox-limits
-  namespace: gooseek-sandbox
-spec:
-  limits:
-  - default:
-      cpu: "500m"
-      memory: "512Mi"
-    defaultRequest:
-      cpu: "100m"
-      memory: "128Mi"
-    max:
-      cpu: "2"
-      memory: "2Gi"
-    type: Container
---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -128,30 +70,3 @@ spec:
  - port: 8080
    targetPort: 8080
    name: http
---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: sandbox-isolation
-  namespace: gooseek-sandbox
-spec:
-  podSelector: {}
-  policyTypes:
-  - Ingress
-  - Egress
-  ingress:
-  - from:
-    - namespaceSelector:
-        matchLabels:
-          app.kubernetes.io/part-of: gooseek
-  egress:
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          app.kubernetes.io/part-of: gooseek
-  - to: []
-    ports:
-    - protocol: TCP
-      port: 443
-    - protocol: TCP
-      port: 80