# Fluent Bit (tail container logs → Loki) — apply before Helm.
# HostPath mounts under /var/log require PSA privileged (same idea as monitoring/node-exporter).
apiVersion: v1
kind: Namespace
metadata:
  name: logging
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged