chore: remove experimental k8s/ deployment manifests #2107

Merged: ericksoa merged 8 commits into main from chore/remove-k8s-manifests on Apr 21, 2026


@ericksoa ericksoa commented Apr 20, 2026

Summary

Remove the k8s/ directory containing the experimental DinD-based Kubernetes deployment sample. Nothing in src/, tests, CI, or docs depends on it.

What's removed

  • k8s/nemoclaw-k8s.yaml — sample manifest (privileged DinD pod with nested k3s)
  • k8s/README.md — usage instructions
  • Architecture table entries in CLAUDE.md / AGENTS.md

Why

  • Marked experimental, not production-ready
  • No code, CI, or doc references outside the directory itself
  • Reduces maintenance surface

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>

Summary by CodeRabbit

  • Documentation
    • Removed Kubernetes deployment docs, quick-starts, configuration guidance, and example manifests.
  • Tests
    • Removed the test suite that validated Kubernetes deployment hardening and related checks.
  • Chores
    • Removed the CI workflow and the installer hash verification script that enforced a pinned installer checksum.

The k8s/ directory contained an experimental DinD-based Kubernetes
deployment sample. Nothing in src/, tests, CI, or docs depends on it.
Remove it to reduce maintenance surface.

coderabbitai Bot commented Apr 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 637644f2-d72c-42dc-8b75-a3427fac84c9

📥 Commits

Reviewing files that changed from the base of the PR and between e5d648f and 5c5d9c9.

📒 Files selected for processing (2)
  • .github/workflows/installer-hash-check.yaml
  • scripts/check-installer-hash.sh
💤 Files with no reviewable changes (2)
  • .github/workflows/installer-hash-check.yaml
  • scripts/check-installer-hash.sh

Walkthrough

Removed Kubernetes-related artifacts and automation: deleted k8s/README.md, k8s/nemoclaw-k8s.yaml, the k8s/ entry in AGENTS.md, a manifest-validating Vitest (test/security-configuration-hardening.test.js), the installer hash-check workflow (.github/workflows/installer-hash-check.yaml), and the installer hash script (scripts/check-installer-hash.sh).

Changes

| Cohort / File(s) | Summary |
|---|---|
| Project docs: AGENTS.md | Removed the k8s/ entry from the project architecture table. |
| Kubernetes docs: k8s/README.md | Deleted the entire Kubernetes README (quick-start, config/env table, troubleshooting, architecture notes). |
| Kubernetes manifest: k8s/nemoclaw-k8s.yaml | Deleted the NemoClaw Pod manifest (DinD rootless daemon, workspace container install flow, initContainer, volumes, envs, and security contexts). |
| Tests: test/security-configuration-hardening.test.js | Removed the Vitest suite that asserted hardening and manifest-specific expectations for the deleted k8s manifest. |
| CI workflow: .github/workflows/installer-hash-check.yaml | Removed workflow that ran scripts/check-installer-hash.sh to validate a pinned installer SHA across PRs, pushes, and cron. |
| Scripts: scripts/check-installer-hash.sh | Deleted the script that checked/updated the pinned NEMOCLAW_INSTALLER_SHA256 by fetching the upstream installer and comparing/updating the manifest. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nudged the manifests, pages neat and small,
The k8s files hopped away beyond the wall.
Workflows and scripts took their sleepy leave,
The warren cleared — time to stretch and weave. 🌿

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore: remove experimental k8s/ deployment manifests' directly and clearly describes the main change—removal of the experimental Kubernetes deployment manifests in the k8s/ directory. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@ericksoa (Contributor, Author)

⚠️ Rebase note: PR #2045 migrated the security test from .js to .ts (test/security-configuration-hardening.test.ts). This branch only deletes the .js variant.

After #2045 lands, the rebase of this branch will need to also delete test/security-configuration-hardening.test.ts — otherwise it will readFileSync the removed manifest and break CI.

wscurran added the CI/CD, K8s, and dependencies labels Apr 21, 2026
ericksoa self-assigned this Apr 21, 2026
ericksoa merged commit 29b736d into main Apr 21, 2026
12 checks passed
ericksoa added a commit that referenced this pull request Apr 21, 2026
Keep k8s/README.md and k8s/nemoclaw-k8s.yaml from this branch (the
docker socket proxy changes). Accept all other deletions from #2107
(installer-hash-check workflow, check-installer-hash.sh, AGENTS.md
k8s row, .test.js file).
ericksoa added a commit that referenced this pull request Apr 21, 2026
ericksoa added a commit that referenced this pull request Apr 21, 2026
The test asserted against k8s/nemoclaw-k8s.yaml which was removed
in #2107. The remaining change is the rootless DinD daemon.json
path fallback in preflight.ts.
ericksoa added a commit that referenced this pull request Apr 21, 2026
The k8s/ directory and its associated hash-check script/workflow were
removed on main (#2107). This PR's versions of check-installer-hash.sh
and installer-hash-check.yaml are retained because they now serve the
Ollama installer hash verification. Removed the NemoClaw k8s installer
registry entry that referenced the deleted k8s/nemoclaw-k8s.yaml.

Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
ericksoa added a commit that referenced this pull request Apr 21, 2026
## Summary

After removing the experimental k8s manifests in #2107, this PR retains
the one non-k8s change from the original docker-socket-proxy work:
`readDockerDefaultCgroupnsMode()` in `preflight.ts` now checks both the
standard `/etc/docker/daemon.json` and the rootless DinD path
`/home/rootless/.config/docker/daemon.json` when reading the default
cgroupns mode.

Previously only `/etc/docker/daemon.json` was checked, so rootless DinD
setups would always report `"unknown"` for cgroupns mode.

## Changes

- **`src/lib/preflight.ts`**: `readDockerDefaultCgroupnsMode()` iterates
over both daemon.json paths, returning the first valid mode found.

## Test plan

- [x] `npm run typecheck:cli` passes
- [x] `npm test` passes

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved detection of Docker configuration settings by checking
multiple standard configuration locations, making the system more
resilient to different Docker installation types and setups. The tool
now gracefully falls back through multiple paths instead of failing
immediately if a configuration location is unavailable.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
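
Added example, not part of the commit or the NemoClaw code base: one way to implement the path fallback the commit message above describes, with the file reader injected so the missing-file and malformed-JSON cases can be exercised offline. The two paths come from the commit message and `default-cgroupns-mode` is Docker's daemon.json key; `readCgroupnsMode`, `fakeFs` and the sample file contents are assumptions constructed for illustration.

```typescript
// Added example: not NemoClaw's preflight.ts. All names here are hypothetical
// except the two daemon.json paths and Docker's "default-cgroupns-mode" key.
type CgroupnsMode = "host" | "private" | "unknown";
type ReadFile = (path: string) => string; // must throw when the file is missing

// Paths named in the commit message: standard daemon first, rootless DinD second.
const DAEMON_JSON_PATHS: string[] = [
  "/etc/docker/daemon.json",
  "/home/rootless/.config/docker/daemon.json",
];

function readCgroupnsMode(
  read: ReadFile,
  paths: string[] = DAEMON_JSON_PATHS
): CgroupnsMode {
  for (const path of paths) {
    let parsed: unknown;
    try {
      parsed = JSON.parse(read(path));
    } catch {
      continue; // missing, unreadable or malformed file: try the next path
    }
    if (typeof parsed !== "object" || parsed === null) continue;
    const mode = (parsed as Record<string, unknown>)["default-cgroupns-mode"];
    // Accept only the two values Docker defines; anything else is skipped.
    if (mode === "host" || mode === "private") return mode;
  }
  return "unknown";
}

// Constructed in-memory stand-in for (p) => fs.readFileSync(p, "utf8").
function fakeFs(files: Record<string, string>): ReadFile {
  return (path: string): string => {
    const content = files[path];
    if (content === undefined) throw new Error("ENOENT: " + path);
    return content;
  };
}

// Constructed case 1: rootless DinD host, only the rootless path exists.
const rootlessOnly = fakeFs({
  "/home/rootless/.config/docker/daemon.json": '{"default-cgroupns-mode":"private"}',
});
// Constructed case 2: standard file is malformed, so the rootless file decides.
const brokenStandard = fakeFs({
  "/etc/docker/daemon.json": "{not json",
  "/home/rootless/.config/docker/daemon.json": '{"default-cgroupns-mode":"host"}',
});
```

Against a real host, pass a reader that wraps `fs.readFileSync(path, "utf8")`; a value other than `host` or `private` in the first file does not stop the search, it falls through to the next path.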
@ryanzhang-oss

@ericksoa Now that NemoClaw has removed k8s support, I wonder if that means you officially don't want people to run NemoClaw on a Kubernetes cluster?

@ericksoa (Contributor, Author)

@ryanzhang-oss not at all! Just means we are going to be handling that on the OpenShell layer, so it helps with any agent or system that operates within the sandbox. More to come there!
