# kube-prometheus-stack — apply before Helm (omit --create-namespace on install).
# prometheus-node-exporter uses hostNetwork, hostPID, and hostPath (/proc, /sys, /) — incompatible
# with PSA "baseline"; use "privileged" (same idea as longhorn-system / metallb-system).
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged