From 6094ec52479c5c1c81471e0e0dcd406396fbc640 Mon Sep 17 00:00:00 2001
From: Marco van Zijl <marco@mvzijl.nl>
Date: Sat, 8 Nov 2025 20:13:13 +0100
Subject: [PATCH] Add pod security labels to managed namespace for Rook-Ceph

---
 apps/ceph/operator/application.yaml |  5 +++++
 apps/ceph/operator/values.yaml      | 11 -----------
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/apps/ceph/operator/application.yaml b/apps/ceph/operator/application.yaml
index 382f868..558f1cd 100644
--- a/apps/ceph/operator/application.yaml
+++ b/apps/ceph/operator/application.yaml
@@ -27,3 +27,8 @@ spec:
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: privileged
+        pod-security.kubernetes.io/audit: privileged
+        pod-security.kubernetes.io/warn: privileged
diff --git a/apps/ceph/operator/values.yaml b/apps/ceph/operator/values.yaml
index d9bb765..acc6440 100644
--- a/apps/ceph/operator/values.yaml
+++ b/apps/ceph/operator/values.yaml
@@ -22,14 +22,3 @@ rook-ceph:
     limits:
       cpu: 500m
       memory: 512Mi
-
-  # Ensure namespace has proper labels for Talos
-  extraObjects:
-    - apiVersion: v1
-      kind: Namespace
-      metadata:
-        name: rook-ceph
-        labels:
-          pod-security.kubernetes.io/enforce: privileged
-          pod-security.kubernetes.io/audit: privileged
-          pod-security.kubernetes.io/warn: privileged