Hi, I'm deploying linkerd on a pulumi-provisioned cluster (gke) but need to set an annotation to the kube-system namespace to ensure linkerd never runs there. Since I dont own or maintain the namespace or any resources inside it, I dont really want to import it into pulumi; I just want to ensure an annotation exists. is there any straightforward way of doing this?

not trivially, not without importing it into pulumi's state. You could create a dynamic provider that doesn't have a delete mechanism if you're using our typescript or python sdks This is a common problem with managed Kubernetes mechanisms that populate already existing resources outside of the state.. The easiest thing to do though is provision linkerd into a new namespace you've managed with Pulumi

i did that, but linkerd in ha specifically expects an annotation label to disable it there https://linkerd.io/2.11/features/ha/#exclude-the-kube-system-namespace

oh wow, fun

Guess I'll import it and see what happens, i hope google doesnt touch it too much