No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi, I'm deploying linkerd on a pulumi-provisioned cluster (gke) but need to set an annotation to the kube-system namespace to ensure linkerd never runs there.  Since I dont own or maintain the namespace or any resources inside it, I dont really want to import it into pulumi; I just want to ensure an annotation exists. is there any straightforward way of doing this?

not trivially, not without importing it into pulumi's state.

You could create a dynamic provider that doesn't have a delete mechanism if you're using our typescript or python sdks

This is a common problem with managed Kubernetes mechanisms that populate already existing resources outside of the state..

The easiest thing to do though is provision linkerd into a new namespace you've managed with Pulumi

i did that, but linkerd in ha specifically expects an ~annotation~ label to disable it there <https://linkerd.io/2.11/features/ha/#exclude-the-kube-system-namespace>

Guess I'll import it and see what happens, i hope google doesnt touch it too much